From ebb2593df1df93007705a62527f40845330277ca Mon Sep 17 00:00:00 2001 From: Tom Hromatka Date: Wed, 9 Jul 2025 12:50:44 -0600 Subject: [PATCH 1/4] python: Rename setup.py to setup.py.in Rename setup.py to setup.py.in so that the version variables can be autopopulated by automake/m4. This will be used in subsequent commits for building python wheels. Wheels are often built in containers, and the build containers don't have knowledge of automake, its configurations, and its environment variables, so we need to pre-populate the version information. Signed-off-by: Tom Hromatka --- configure.ac | 1 + src/python/.gitignore | 1 + src/python/{setup.py => setup.py.in} | 5 +++-- 3 files changed, 5 insertions(+), 2 deletions(-) rename src/python/{setup.py => setup.py.in} (89%) diff --git a/configure.ac b/configure.ac index f2f68621..7d96fc86 100644 --- a/configure.ac +++ b/configure.ac @@ -146,6 +146,7 @@ dnl #### AC_CONFIG_FILES([ libseccomp.pc include/seccomp.h + src/python/setup.py ]) dnl #### diff --git a/src/python/.gitignore b/src/python/.gitignore index fc8966d1..81a6ba58 100644 --- a/src/python/.gitignore +++ b/src/python/.gitignore @@ -1,2 +1,3 @@ build seccomp.c +setup.py diff --git a/src/python/setup.py b/src/python/setup.py.in similarity index 89% rename from src/python/setup.py rename to src/python/setup.py.in index 46f9a731..05d07b5f 100755 --- a/src/python/setup.py +++ b/src/python/setup.py.in @@ -3,8 +3,9 @@ # # Enhanced Seccomp Library Python Module Build Script # -# Copyright (c) 2012 Red Hat +# Copyright (c) 2012-2025 Red Hat # Author: Paul Moore +# Author: Tom Hromatka # # @@ -29,7 +30,7 @@ setup( name = "seccomp", - version = os.environ["VERSION_RELEASE"], + version = "@VERSION_MAJOR@.@VERSION_MINOR@.@VERSION_MICRO@", description = "Python binding for libseccomp", long_description = "Python API for the Linux Kernel's syscall filtering capability, seccomp.", url = "https://github.com/seccomp/libseccomp", 
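Review bot: setup.py.in carries no notice that setup.py is now generated by configure, so an edit made to the git-ignored setup.py is silently lost on the next `./configure` run. A header line such as `# NOTE: setup.py is generated from setup.py.in by configure; edit setup.py.in instead` would prevent that. If `os` was imported only for the removed `os.environ["VERSION_RELEASE"]` lookup, that import can be dropped as well; the import block is outside the hunk, so this needs checking.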
From 4dc94a03baba4468efd739ed6804570c6280255c Mon Sep 17 00:00:00 2001 From: Tom Hromatka Date: Wed, 9 Jul 2025 12:53:24 -0600 Subject: [PATCH 2/4] include: Change how seccomp-syscalls.h is included Change the include of seccomp-syscalls.h from: #include to: #include "seccomp-syscalls.h Change the include directive of seccomp-syscalls.h to be a local (rather than system-wide) include. This change is required for building python wheels inside of containers where the system-wide include path will likely not include the local path to seccomp-syscalls.h Signed-off-by: Tom Hromatka --- include/seccomp.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/seccomp.h.in b/include/seccomp.h.in index 38c50d29..e3d7f539 100644 --- a/include/seccomp.h.in +++ b/include/seccomp.h.in @@ -897,7 +897,7 @@ int seccomp_precompute(const scmp_filter_ctx ctx); #define __NR_SCMP_ERROR -1 #define __NR_SCMP_UNDEF -2 -#include +#include "seccomp-syscalls.h" #ifdef __cplusplus } From bf319cff47d85b16c5a27045256f9b6744514b66 Mon Sep 17 00:00:00 2001 From: Tom Hromatka Date: Wed, 9 Jul 2025 13:08:24 -0600 Subject: [PATCH 3/4] python: Add support for building python wheels Add two new make targets: python-wheel: build a python wheel for this system python-wheels: build the series of python wheels for pip When building the wheels for pip, cibuildwheel utilizes Docker containers. Because of this, it cannot reach outside of the build directory, src/python, so any files outside of this folder - libseccomp.a, seccomp.h, etc. - must be copied into the src/python folder. 
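Review bot: The switch to `#include "seccomp-syscalls.h"` changes the lookup order for every consumer of this installed header, and nothing in the file says why. The compiler now searches the directory that holds seccomp.h first and only then the `-I`/system paths. A comment above the directive would keep this from being reverted as a style fix, for example `/* quoted on purpose: use the seccomp-syscalls.h shipped next to this header (wheel builds have no system-wide copy) */`. The same directory-first lookup means a stale seccomp-syscalls.h left beside a copied seccomp.h would be picked up without any diagnostic, which presumably matters for the copies a later patch in this series places in src/python. The surrounding `extern "C"` block opens outside the hunk.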
Signed-off-by: Tom Hromatka --- Makefile.am | 10 ++++++++++ src/python/.gitignore | 8 +++++++- src/python/MANIFEST.in | 6 ++++++ src/python/Makefile.am | 14 +++++++++++++- src/python/__init__.py | 0 src/python/pyproject.toml | 2 ++ src/python/setup.py.in | 9 ++++++--- 7 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 src/python/MANIFEST.in create mode 100644 src/python/__init__.py create mode 100644 src/python/pyproject.toml diff --git a/Makefile.am b/Makefile.am index 5e8aa835..c0f97a89 100644 --- a/Makefile.am +++ b/Makefile.am @@ -75,6 +75,14 @@ coverity-tarball: coverity-build ls -l libseccomp-coverity_$$rev.tar.gz endif +if ENABLE_PYTHON +python-wheel: all + ${MAKE} ${AM_MAKEFLAGS} -C src/python $@ + +python-wheels: all + ${MAKE} ${AM_MAKEFLAGS} -C src/python $@ +endif + help: @echo "libseccomp build system" @echo " make targets:" @@ -86,6 +94,8 @@ help: @echo " distcheck: verify the build for distribution" @echo " dist-gzip: build a release tarball" @echo " coverity-tarball: build a tarball for use with Coverity (opt)" + @echo " python-wheel: build a python wheel for this system" + @echo " python-wheels: build python wheels for distribution to pip" clean-local: ${RM} -rf cov-int libseccomp-coverity_*.tar.gz diff --git a/src/python/.gitignore b/src/python/.gitignore index 81a6ba58..f36e5783 100644 --- a/src/python/.gitignore +++ b/src/python/.gitignore @@ -1,3 +1,9 @@ -build +build/ +dist/ +libseccomp.a seccomp.c +seccomp.h +seccomp-syscalls.h +seccomp.egg-info/ setup.py +wheelhouse/ diff --git a/src/python/MANIFEST.in b/src/python/MANIFEST.in new file mode 100644 index 00000000..f3414130 --- /dev/null +++ b/src/python/MANIFEST.in @@ -0,0 +1,6 @@ +include seccomp.pyx +include libseccomp.pxd +include libseccomp.a +include seccomp.h +include seccomp-syscalls.h +include __init__.py diff --git a/src/python/Makefile.am b/src/python/Makefile.am index c858832e..e68d3b4b 100644 --- a/src/python/Makefile.am +++ b/src/python/Makefile.am 
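Review bot: `include libseccomp.a` in MANIFEST.in puts a prebuilt, architecture-specific static archive into the source distribution. Anyone installing from the sdist then links a binary they cannot rebuild or audit from the package contents, and the archive only matches the machine that ran `make`. If the sdist is not meant to be published, state that in the file, e.g. `# libseccomp.a is a prebuilt archive copied in by Makefile.am; the sdist is an intermediate for wheel builds, not a portable source release`. Otherwise the libseccomp sources would have to be shipped and built instead of the archive.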
@@ -31,22 +31,34 @@ PY_BUILD = ${PY_BUILD_@AM_V@} PY_INSTALL = ${PY_DISTUTILS} install -EXTRA_DIST = libseccomp.pxd seccomp.pyx setup.py +EXTRA_DIST = libseccomp.pxd seccomp.pyx setup.py __init__.py MANIFEST.in pyproject.toml all-local: build build: ../libseccomp.la libseccomp.pxd seccomp.pyx setup.py [ ${srcdir} = ${builddir} ] || cp ${srcdir}/seccomp.pyx ${builddir} + cp ${srcdir}/../.libs/libseccomp.a ${builddir} + cp ${top_srcdir}/include/seccomp.h ${builddir} + cp ${top_srcdir}/include/seccomp-syscalls.h ${builddir} ${PY_BUILD} && touch build install-exec-local: build ${PY_INSTALL} --install-lib=${DESTDIR}/${pyexecdir} \ --record=${DESTDIR}/${pyexecdir}/install_files.txt +python-wheel: build + ${PYTHON} -m build + +python-wheels: build + ${PYTHON} -m cibuildwheel --output-dir wheelhouse + uninstall-local: cat ${DESTDIR}/${pyexecdir}/install_files.txt | xargs ${RM} -f ${RM} -f ${DESTDIR}/${pyexecdir}/install_files.txt clean-local: [ ${srcdir} = ${builddir} ] || ${RM} -f ${builddir}/seccomp.pyx + ${RM} -f ${builddir}/libseccomp.a + ${RM} -f ${builddir}/seccomp.h + ${RM} -f ${builddir}/seccomp-syscalls.h ${RM} -rf seccomp.c build dist seccomp.egg-info diff --git a/src/python/__init__.py b/src/python/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/src/python/pyproject.toml b/src/python/pyproject.toml new file mode 100644 index 00000000..1f88263e --- /dev/null +++ b/src/python/pyproject.toml @@ -0,0 +1,2 @@ +[build-system] +requires = ["cython", "setuptools"] diff --git a/src/python/setup.py.in b/src/python/setup.py.in index 05d07b5f..4276709e 100755 --- a/src/python/setup.py.in +++ b/src/python/setup.py.in 
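Review bot: Two of the three `cp` lines added to the `build` recipe read build outputs from the source tree, which fails in an out-of-tree build or copies a stale file. `libseccomp.a` is produced by libtool under the build directory, and `include/seccomp.h` is generated by configure (it is listed in AC_CONFIG_FILES), so neither is guaranteed to exist under `${srcdir}`/`${top_srcdir}`. The recipe already handles `srcdir != builddir` for seccomp.pyx, so I would expect `cp ${top_builddir}/src/.libs/libseccomp.a ${builddir}` and `cp ${top_builddir}/include/seccomp.h ${builddir}`; seccomp-syscalls.h appears to be a plain source file and can stay on `${top_srcdir}`. A leftover archive or header in the source tree would otherwise be linked into the wheel without any error. `clean-local` also leaves `wheelhouse` behind although .gitignore now lists it.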
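Review bot: `[build-system]` lists `cython` and `setuptools` with no version bounds and names no `build-backend`, so every wheel build resolves whatever is newest on the index at that moment, including inside the cibuildwheel containers. For artifacts meant for upload, that makes builds unrepeatable and leaves them exposed to a bad upstream release of either tool. I would bound the requirements and name the backend: `requires = ["cython>=<MIN_CYTHON_VERSION>", "setuptools>=<MIN_SETUPTOOLS_VERSION>"]` and `build-backend = "setuptools.build_meta"` (the versions are placeholders to be filled in by the maintainers). Without `build-backend`, build front ends fall back to the legacy setuptools backend.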
@@ -36,11 +36,14 @@ setup( url = "https://github.com/seccomp/libseccomp", maintainer = "Paul Moore", maintainer_email = "paul@paul-moore.com", - license = "LGPLv2.1", + license = "LGPL-2.1", platforms = "Linux", ext_modules = cythonize([ Extension("seccomp", ["seccomp.pyx"], - # unable to handle libtool libraries directly - extra_objects=["../.libs/libseccomp.a"]), + # Unable to handle libtool libraries directly. Also note that + # python wheel builds cannot use files outside of the build + # directory, so libseccomp.a is manually copied into src/python + # by Makefile.am + extra_objects=["libseccomp.a"]), ]) ) From c6483a36cf403753d6521736630be369f971511b Mon Sep 17 00:00:00 2001 From: Tom Hromatka Date: Wed, 9 Jul 2025 13:12:32 -0600 Subject: [PATCH 4/4] github: Add Python continuous integration Add three python continuous integration jobs: build-wheel: Build a wheel for the native build system build-wheels: Build wheels suitable for uploading to pip flake: Python lint checker Signed-off-by: Tom Hromatka --- .github/actions/setup/action.yml | 8 +++- .github/workflows/python-ci.yml | 75 ++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/python-ci.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index d51400d5..014b398b 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -28,10 +28,14 @@ runs: shell: bash - run: sudo apt-get install -y build-essential valgrind clang-tools lcov gperf astyle codespell shell: bash + - name: Set up Python environment + uses: actions/setup-python@v5 + with: + python-version: '3.13' - run: | - sudo apt-get install -y python3 python3-setuptools python3-pip - python3 -m pip install --upgrade pip + python3 -m pip install build python3 -m pip install cython + python3 -m pip install setuptools # Add cython to the path echo "$HOME/.local/bin" >> $GITHUB_PATH shell: bash 
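Review bot: `license = "LGPL-2.1"` is the deprecated SPDX short form; the current identifiers are `LGPL-2.1-only` and `LGPL-2.1-or-later`. The license header visible in this series says "version 2.1" with no "or later" clause, so `license = "LGPL-2.1-only"` looks like the accurate value for license scanners and SBOM tooling. Separately, `extra_objects=["libseccomp.a"]` is resolved against the current working directory, so the new comment should also say that setup.py must be run from src/python after `make` has copied the archive there. The `setup(` call opens outside the hunk.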
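Review bot: `uses: actions/setup-python@v5` references a mutable tag, and the same holds for `actions/checkout@v2`, `actions/upload-artifact@v4` and `reviewdog/action-flake8@v3` in the new python-ci.yml. These jobs produce wheels intended for upload, so pinning each action to a full commit SHA (`uses: actions/setup-python@<COMMIT_SHA>  # v5`) keeps a moved tag from changing what runs in the build. The three `python3 -m pip install` lines are likewise unversioned and feed the same build. The `echo "$HOME/.local/bin" >> $GITHUB_PATH` line and its comment may be stale now that setup-python supplies the interpreter, which is worth confirming. The `runs:` step list starts outside the hunk.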
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
new file mode 100644
index 00000000..f6b703f5
--- /dev/null
+++ b/.github/workflows/python-ci.yml
@@ -0,0 +1,75 @@
+#
+# Continuous Integration Workflow libseccomp Python Code
+#
+# Copyright (c) 2025 Oracle and/or its affiliates.
+# Author: Tom Hromatka
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see .
+#
+
+name: Python Continuous Integration
+on: ["push", "pull_request"]
+
+jobs:
+ build-wheel:
+ name: Build Wheel
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Initialize libseccomp
+ uses: ./.github/actions/setup
+ - name: Build libseccomp
+ run: |
+ ./configure --enable-python
+ make check-build
+ - name: Build wheel
+ run: make python-wheel
+
+ build-wheels:
+ name: Build Wheels
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-24.04, ubuntu-24.04-arm, ubuntu-22.04, ubuntu-22.04-arm]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Initialize libseccomp
+ uses: ./.github/actions/setup
+ - name: Install cibuildwheel
+ run: python -m pip install cibuildwheel
+ - name: Build libseccomp
+ run: |
+ ./configure --enable-python
+ make check-build
+ - name: Build wheels
+ run: make python-wheels
+ - uses: actions/upload-artifact@v4
+ with:
+ name: cibw-wheels-${{ matrix.os }}-${{ strategy.job-index }}
+ path: src/python/wheelhouse/*.whl
+
+ flake:
+ name: Run Flake
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Initialize libseccomp
+ uses: ./.github/actions/setup
+ - name: Install Flake Dependencies
+ run: sudo apt-get install python3-flake8-quotes
+ - name: flake8 Lint
+ uses: reviewdog/action-flake8@v3
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
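Review bot: The workflow declares no `permissions:` block, so every job, including those triggered by `pull_request`, runs with the repository's default `GITHUB_TOKEN` scope, and the flake job passes that token to a third-party action. A top-level `permissions:` with `contents: read` would keep the two build jobs read-only; the flake job can then be granted only the write scope its reporter actually needs. `python -m pip install cibuildwheel` is unversioned, so the tool that produces the uploaded wheels can change between runs. `actions/checkout@v2` is an old major release, so it is worth confirming that it is still supported on the runners in the matrix.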