python: Expose API level functionality

Allow Python applications to get and set the API level using global
functions.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index 275019a08bc410c8071817c8a766835ce02a54ee..27e374f5c889cf209b4bbe46ada916511666ae0a 100644 (file)
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -150,6 +150,35 @@ def resolve_syscall(arch, syscall):
     else:
         raise TypeError("Syscall must either be an int or str type")
 
+def get_api():
+    """ Query the level of API support
+
+    Description:
+    Returns the API level value indicating the current supported
+    functionality.
+    """
+    level = libseccomp.seccomp_api_get()
+    if level < 0:
+        raise RuntimeError(str.format("Library error (errno = {0})", level))
+
+    return level
+
+def set_api(unsigned int level):
+    """ Set the level of API support
+
+    Arguments:
+    level - the API level
+
+    Description:
+    This function forcibly sets the API level at runtime.  General use
+    of this function is strongly discouraged.
+    """
+    rc = libseccomp.seccomp_api_set(level)
+    if rc == -errno.EINVAL:
+        raise ValueError("Invalid level")
+    elif rc != 0:
+        raise RuntimeError(str.format("Library error (errno = {0})", rc))
+
 cdef class Arch:
     """ Python object representing the SyscallFilter architecture values.
 

diff --git a/tests/39-basic-api_level.py b/tests/39-basic-api_level.py
index e958bf1e71d905126ed7c892efbb7458d044ed43..49d23f2ab67706a0e60dfb45e6ca7b33fda14cdb 100755 (executable)
--- a/tests/39-basic-api_level.py
+++ b/tests/39-basic-api_level.py
@@ -4,7 +4,9 @@
 # Seccomp Library test program
 #
 # Copyright (c) 2016 Red Hat <pmoore@redhat.com>
-# Author: Paul Moore <paul@paul-moore.com>
+# Copyright (c) 2017 Canonical Ltd.
+# Authors: Paul Moore <paul@paul-moore.com>
+#          Tyler Hicks <tyhicks@canonical.com>
 #
 
 #
@@ -28,8 +30,34 @@ import util
 
 from seccomp import *
 
-# NOTE: this is a NULL test since we don't support the seccomp_version() API
-#       via the libseccomp python bindings
+def test():
+    api = get_api()
+    if (api < 1):
+        raise RuntimeError("Failed getting initial API level")
+
+    set_api(1)
+    api = get_api()
+    if api != 1:
+        raise RuntimeError("Failed getting API level 1")
+
+    set_api(2)
+    api = get_api()
+    if api != 2:
+        raise RuntimeError("Failed getting API level 2")
+
+    # Attempt to set a high, invalid API level
+    try:
+        set_api(1024)
+    except ValueError:
+        pass
+    else:
+        raise RuntimeError("Missing failure when setting invalid API level")
+    # Ensure that the previously set API level didn't change
+    api = get_api()
+    if api != 2:
+        raise RuntimeError("Failed getting old API level after setting an invalid API level")
+
+test()
 
 # kate: syntax python;
 # kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;