# # spec file for package python3-seccomp # # Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %global pname libseccomp %global lname libseccomp2 %global flavor %nil %if "%flavor" == "python3" Name: python3-seccomp Summary: Python 3 bindings for seccomp Group: Development/Tools/Debuggers %else Name: libseccomp Summary: A Seccomp (mode 2) helper library Group: Development/Libraries/C and C++ %endif Version: 2.6.0 Release: 2.2 License: LGPL-2.1-only URL: https://github.com/seccomp/libseccomp Source: https://github.com/seccomp/libseccomp/releases/download/v%version/libseccomp-%version.tar.gz Source2: https://github.com/seccomp/libseccomp/releases/download/v%version/libseccomp-%version.tar.gz.asc Source3: %pname.keyring Source99: baselibs.conf Patch1: make-python-build.patch Patch2: 62-sim-arch_transactions-remove-fuzzer.patch BuildRequires: autoconf BuildRequires: automake >= 1.11 BuildRequires: fdupes BuildRequires: libtool >= 2 BuildRequires: pkgconfig %if "%flavor" == "python3" BuildRequires: python-rpm-macros BuildRequires: python3-Cython >= 0.29 BuildRequires: python3-setuptools %endif %description The libseccomp library provides an interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API abstracts away the underlying BPF-based syscall filter language and presents a more conventional function-call based filtering interface. %if "%flavor" == "python3" This subpackage contains the python3 bindings for seccomp. %endif %package -n %lname Summary: An enhanced Seccomp (mode 2) helper library Group: System/Libraries %description -n %lname The libseccomp library provides an interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API abstracts away the underlying BPF-based syscall filter language and presents a more conventional function-call based filtering interface. %package devel Summary: Development files for libseccomp, an enhanced Seccomp (mode 2) helper library Group: Development/Libraries/C and C++ Requires: %lname = %version %description devel The libseccomp library provides an interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API abstracts away the underlying BPF-based syscall filter language and presents a more conventional function-call based filtering interface. This package contains the development files for libseccomp. %package tools Summary: Utilities for the seccomp API Group: Development/Tools/Debuggers %description tools The libseccomp library provides an interface to the Linux Kernel's syscall filtering mechanism, seccomp. This subpackage contains debug utilities for the seccomp interface. %prep %autosetup -p1 -n %pname-%version %if 0%{?qemu_user_space_build} # The qemu linux-user emulation does not allow executing # prctl(PR_SET_SECCOMP), which breaks these tests. Stub them out. echo 'int main () { return 0; }' >tests/11-basic-basic_errors.c echo 'int main () { return 0; }' >tests/52-basic-load.c %endif %build autoreconf -fiv %configure \ --includedir="%_includedir/%pname" \ %if "%flavor" == "python3" --enable-python \ %endif --disable-static \ --disable-silent-rules \ GPERF=/bin/true %make_build %install %make_install find "%buildroot/%_libdir" -type f -name "*.la" -delete rm -fv %buildroot/%python3_sitearch/install_files.txt %if "%flavor" == "python3" rm %buildroot/%_libdir/%pname.so* rm -r %buildroot/%_mandir/ rm -r %buildroot/%_includedir/%pname/ rm -r %buildroot/%_libdir/pkgconfig rm -r %buildroot/%_bindir/ %endif %fdupes %buildroot/%_prefix %if "%flavor" != "python3" %check export LD_LIBRARY_PATH="$PWD/src/.libs" make check %endif %ldconfig_scriptlets -n %lname %if "%flavor" == "python3" %files %python3_sitearch/seccomp* %else %files -n %lname %_libdir/%pname.so.2* %license LICENSE %files devel %_mandir/man3/seccomp_*.3* %_includedir/%pname/ %_libdir/%pname.so %_libdir/pkgconfig/%pname.pc %files tools %_bindir/scmp_sys_resolver %_mandir/man1/scmp_sys_resolver.1* %endif %changelog * Tue Feb 4 2025 Christian Boltz - add 62-sim-arch_transactions-remove-fuzzer.patch to fix s390x build (https://github.com/seccomp/libseccomp/issues/455) * Fri Jan 24 2025 Jan Engelhardt - Update to release 2.6.0 * Multiplexed syscall support for ppc * Add support for the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag * Add support for transactions with the seccomp_transaction_start(), seccomp_transaction_commit(), and seccomp_transaction_reject() APIs * Add support for binary tree filters without syscalls * Add support for the kernel’s implementation change of SECCOMP_IOCTL_NOTIF_ID_VALID * Sat Dec 2 2023 Jan Engelhardt - Update to release 2.5.5 * Update the syscall table for Linux v6.7-rc3 * Fri Jul 1 2022 Marcus Rueckert - fix build of python3 bindings so that the debug* package names do not overlay with the main package * Wed Jun 29 2022 Robert Frohl - Use multibuild to get python3 support back * Sat Apr 30 2022 Jan Engelhardt - Deactive python3 by default, it's just not a good idea for ring0. * Thu Apr 21 2022 Jan Engelhardt - Update to release 2.5.4 * Update the syscall table for Linux v5.17. * Fix minor issues with binary tree testing and with empty binary trees. * Minor documentation improvements including retiring the mailing list. * Mon Jan 17 2022 Marcus Meissner - buildrequire python-rpm-macros * Thu Dec 2 2021 Marcus Rueckert - reenable python bindings at least for the distro default python3 package: - adds make-python-build.patch * Sun Nov 7 2021 Jan Engelhardt - Update to release 2.5.3 * Update the syscall table for Linux v5.15 * Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2 * Document that seccomp_rule_add() may return -EACCES * Mon Sep 13 2021 Andreas Schwab - Skip 11-basic-basic_errors test on qemu linux-user emulation * Wed Sep 1 2021 Jan Engelhardt - Update to release 2.5.2 * Update the syscall table for Linux v5.14-rc7 * Add a function, get_notify_fd(), to the Python bindings to get the nofication file descriptor. * Consolidate multiplexed syscall handling for all architectures into one location. * Add multiplexed syscall support to PPC and MIPS * The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within the kernel. libseccomp's fd notification logic was modified to support the kernel's previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID. * Sat Nov 21 2020 Dirk Mueller - update to 2.5.1: * Fix a bug where seccomp_load() could only be called once * Change the notification fd handling to only request a notification fd if * the filter has a _NOTIFY action * Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage * Clarify the maintainers' GPG keys - remove testsuite-riscv64-missing-syscalls.patch * Wed Sep 9 2020 Dominique Leuenberger - Do not rely on gperf: pass GPERF=/bin/true to configure and remove gperf BuildRequires. The syscalls.perf file it would generate is part of the tarball already. * Tue Sep 8 2020 Andreas Schwab - testsuite-riscv64-missing-syscalls.patch: Fix testsuite failure on riscv64 - Ignore failure of tests/52-basic-load on qemu linux-user emulation * Tue Sep 8 2020 Ralf Haferkamp - Update to release 2.5.0 * Add support for the seccomp user notifications, see the seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3) manpages for more information * Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information * Add support for the 64-bit RISC-V architecture * Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables * Properly document the libseccomp API return values and include them in the stable API promise * Improvements to the s390 and s390x multiplexed syscall handling * Multiple fixes and improvements to the libseccomp manpages * Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format * Update the syscall tables to Linux v5.8.0-rc5 * Python bindings and build now default to Python 3.x * Improvements to the tests have boosted code coverage to over 93%% - libseccomp.keyring: replaced by Paul Moore key. * Fri Jun 5 2020 Jan Engelhardt - Update to release 2.4.3 * Add list of authorized release signatures to README.md * Fix multiplexing issue with s390/s390x shm* syscalls * Remove the static flag from libseccomp tools compilation * Add define for __SNR_ppoll * Fix potential memory leak identified by clang in the scmp_bpf_sim tool - Drop no-static.diff, libseccomp-fix_aarch64-test.patch, SNR_ppoll.patch (merged) * Mon Feb 17 2020 Tomáš Chvátal - Add patch to fix ntpsec and others build (accidental drop of symbols): * SNR_ppoll.patch * Tue Jan 7 2020 Andreas Schwab - Tests are passing on all architectures * Mon Jan 6 2020 Guillaume GARDET - Backport patch to fix test on aarch64: * libseccomp-fix_aarch64-test.patch * Thu Dec 19 2019 Jan Engelhardt - Update to release 2.4.2 * Add support for io-uring related system calls * Wed Jul 24 2019 Michel Normand - ignore make check error for ppc64/ppc64le, bypass boo#1142614 * Sun Jun 2 2019 Jan Engelhardt - Update to new upstream release 2.4.1 * Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. * Sun Mar 17 2019 Marcus Meissner - updated to 2.4.0 (bsc#1128828 CVE-2019-9893) - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92%% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates - now gpg signed, added key of Paul Moore from keyserver. * Mon Jan 14 2019 kukuk@suse.de - Use %%license instead of %%doc [bsc#1082318] * Sat Feb 24 2018 asarai@suse.com - Update to release 2.3.3: * Updated the syscall table for Linux v4.15-rc7 * Sun May 21 2017 jengelh@inai.de - Unconditionally rerun autoreconf because of patches * Sun May 21 2017 tchvatal@suse.com - Update to release 2.3.2: * Achieved full compliance with the CII Best Practices program * Added Travis CI builds to the GitHub repository * Added code coverage reporting with the "--enable-code-coverage" configure flag and added Coveralls to the GitHub repository * Updated the syscall tables to match Linux v4.10-rc6+ * Support for building with Python v3.x * Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is set to true * Several small documentation fixes - Remove service file as we are not based on git * Sat May 7 2016 jengelh@inai.de - Update to new upstream release 2.3.1 * arch: fix the multiplexed ipc() syscalls * s390: handle multiplexed syscalls correctly - Remove 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch, 0001-tests-replace-socket-syscall-references-in-15-basic-.patch (fixed upstream) * Tue Apr 19 2016 jengelh@inai.de - Add 0001-tests-replace-socket-syscall-references-in-15-basic-.patch * Sun Apr 10 2016 jengelh@inai.de - Add 0001-arch-fix-a-number-of-32-bit-x86-failures-related-to-.patch * Wed Mar 23 2016 meissner@suse.com - updated to final 2.3.0 release - builderror-k316.diff: fixed upstream - i586 testsuite fails, disable for now * Wed Feb 24 2016 jengelh@inai.de - Update to git snapshot 2.3.0~g96 * have libseccomp build with newer linux-glibc-devel; "multiplexed and direct socket syscalls" - Drop libseccomp-s390x-support.patch, libseccomp-ppc64le.patch (no longer apply - merged upstream) - Add builderror-k316.diff * Fri Sep 25 2015 dimstar@opensuse.org - Add baselibs.conf: systemd-32bit-224+ links against libseccomp.so.2. * Mon Aug 31 2015 jengelh@inai.de - Update to new upstream release 2.2.3 * Fix a problem with the masked equality operator * Fix a problem on x86_64/x32 involving invalid architectures * Fix a problem with the ARM specific syscalls * Sat May 30 2015 jengelh@inai.de - Update to new upstream release 2.2.1 * Fix a problem with syscall argument filtering on 64-bit systems * Fix some problems with the 32-bit ARM syscall table - Drop 0001-tools-add-the-missing-elf.h-header-file.patch, libseccomp-arm-syscall-fixes.patch (applied upstream) * Mon Apr 13 2015 dvaleev@suse.com - Fix ppc64le build: libseccomp-ppc64le.patch * Fri Apr 10 2015 afaerber@suse.de - Fix some arm syscall constants libseccomp-arm-syscall-fixes.patch * Sun Mar 29 2015 jengelh@inai.de - Update to new upstream release 2.2.0 * Added support for aarch64, mips, mips64, mips64n32 (BE/LE). * Added support for using the new seccomp() syscall and the thread sync functionality. * Added Python bindings - Remove 0001-build-use-autotools-as-build-system.patch (merged). Add no-static.diff. Add 0001-tools-add-the-missing-elf.h-header-file.patch * Sat Jul 12 2014 meissner@suse.com - updated ppc64le patch * Wed Mar 5 2014 meissner@suse.com - libseccomp-s390x-support.patch: support s390,s390x,ppc,ppc64 too. bnc#866526 (arm64 not yet done) - disabled testsuite on the new platforms, as there are still some failures. s390 32bit: passed: 3823 / failed: 91 / errored: 43 s390x: passed: 2410 / failed: 879 / errored: 68 ppc64le: passed: 3914 / failed: 0 / errored: 43 * Tue Jun 18 2013 jengelh@inai.de - Update to new upstream release 2.1.0 * Add support for the x32 and ARM architectures * More verbose PFC output, including translation of syscall numbers to names * Several assorted bugfixes affecting the seccomp BPF generation * The syscall number/name resolver tool is now installed * Fixes for the x86 multiplexed syscalls * Additions to the API to better support non-native architecures * Additions to the API to support multiple architecures in one filter * Additions to the API to resolve syscall name/number mappings - Remove 0001-build-use-ac-variables-in-pkgconfig-file.patch (merged into 0001-build-use-autotools-as-build-system.patch) * Fri Dec 21 2012 jengelh@inai.de - Make 0001-build-use-autotools-as-build-system.patch apply again * Fri Dec 14 2012 dvaleev@suse.com - code is only x86 capable. Set ExclusiveArch: %%{ix86} x86_64 * Thu Nov 15 2012 jengelh@inai.de - Restore autotools patch (0001-build-use-autotools-as-build-system.patch) that was previously embodied in the files in the tarball * Tue Nov 13 2012 meissner@suse.com - updated to 1.0.1 release - The header file is now easier to use with C++ compilers - Minor documentation fixes - Minor memory leak fixes - Corrected x86 filter generation on x86_64 systems - Corrected problems with small filters and filters with arguments - use public downloadable tarball * Sat Sep 8 2012 jengelh@inai.de - Initial package (version 1.0.0) for build.opensuse.org