seccomp / libseccomp

The main libseccomp repository
GNU Lesser General Public License v2.1

RFE: Python bindings that expose notification file descriptor #311

Closed Melab closed 3 years ago

Melab commented 3 years ago

Looking at seccomp.pyx, I can't find any way to get the seccomp notification FD. Having this file descriptor is necessary to pass the handling of a program's system calls off to another program, such as when a container in LXC/LXD calls mount and the container software redirects the mount operation to software that has mount privileges.

pcmoore commented 3 years ago

Hi @Melab

Looking quickly at the code, I agree, there doesn't appear to be an easy way to extract the FD from the Python object for use by other processes. I guess I always assumed in this case developers would be using the native/C library and not the Python bindings.

I've added this as an issue for the next v2.5.x release, thanks for bringing this up.

pcmoore commented 3 years ago

As this is the only outstanding issue in the v2.5.2 milestone I'll go ahead and claim this issue and start working on it.

pcmoore commented 3 years ago

Given we already have a C/native API for this with seccomp_notify_fd() it seems like the Python API should stick to that as much as possible. What do you think of the snippet below @Melab @drakenclimber for the SyscallFilter class?

    def get_notify_fd(self):
        """ Get the seccomp notification file descriptor

        Description:
        Returns the seccomp listener file descriptor that was generated when
        the seccomp policy was loaded. This is only valid after load() with a
        filter that makes use of the NOTIFY action.
        """
        fd = libseccomp.seccomp_notify_fd(self._ctx)
        if fd < 0:
            raise RuntimeError("Notifications not enabled/active")
        return fd
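
Added example (not code from the issue or from libseccomp itself) of the hand-off the issue describes: the confined side loads a filter that uses the NOTIFY action, fetches the listener with the get_notify_fd() method proposed above, and passes it to a supervisor process over an AF_UNIX socket with SCM_RIGHTS. It assumes libseccomp Python bindings 2.5.2 or later (seccomp.NOTIFY, seccomp.ALLOW, SyscallFilter.add_rule() and load()) and Python 3.9+ for socket.send_fds/recv_fds; the function names are invented here.

```python
import os
import socket

try:  # libseccomp Python bindings (assumption: >= 2.5.2, which adds get_notify_fd())
    import seccomp
except ImportError:  # the fd-passing helpers below still work without libseccomp
    seccomp = None


def install_notify_filter(syscalls):
    """Confined side: load a filter that defers the named syscalls to a
    supervisor and return the notification fd exposed by get_notify_fd()."""
    if seccomp is None:
        raise RuntimeError("libseccomp Python bindings not available")
    f = seccomp.SyscallFilter(seccomp.ALLOW)   # default action: allow everything else
    for name in syscalls:
        f.add_rule(seccomp.NOTIFY, name)       # e.g. "mount": ask the supervisor
    f.load()                                   # the listener fd exists only after load()
    return f.get_notify_fd()                   # raises RuntimeError if no NOTIFY rule


def send_notify_fd(sock, fd):
    """Hand the notification fd to the supervisor via SCM_RIGHTS on an AF_UNIX socket."""
    socket.send_fds(sock, [b"seccomp-notify"], [fd])


def recv_notify_fd(sock):
    """Supervisor side: receive the fd; it refers to the same open file description,
    so the supervisor can serve the confined process's notifications from it."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 64, 1)
    if msg != b"seccomp-notify" or len(fds) != 1:
        raise RuntimeError("unexpected message while receiving the notify fd")
    return fds[0]


def verify_handoff(payload=b"ping"):
    """Self-check with a constructed pipe standing in for the notify fd: the read
    end is transferred, then data written to the pipe is read via the received fd."""
    r, w = os.pipe()
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        send_notify_fd(a, r)
        got = recv_notify_fd(b)
    os.write(w, payload)
    data = os.read(got, len(payload))
    for fd in (r, w, got):
        os.close(fd)
    return data  # returns b"ping"
```

In a real deployment the supervisor would read requests from the received fd with the native libseccomp API or the SECCOMP_IOCTL_NOTIF_* ioctls, which is exactly why the raw descriptor has to be reachable from Python.
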

pcmoore commented 3 years ago

FYI, PR #332 is basically the code snippet above turned into a PR.

pcmoore commented 3 years ago

Resolved with PR #332.