script_core 0.2.2 → 0.2.7

data/ext/enterprise_script_service/libseccomp/src/gen_bpf.h

@@ -36,7 +36,8 @@ struct bpf_program {
 #define BPF_PGM_SIZE(x) \
 	((x)->blk_cnt * sizeof(*((x)->blks)))
 
-struct bpf_program *gen_bpf_generate(const struct db_filter_col *col);
+int gen_bpf_generate(const struct db_filter_col *col,
+		     struct bpf_program **prgm_ptr);
 void gen_bpf_release(struct bpf_program *program);
 
 #endif

data/ext/enterprise_script_service/libseccomp/src/gen_pfc.c

@@ -87,6 +87,8 @@ static const char *_pfc_arch(const struct arch_def *arch)
 		return "s390x";
 	case SCMP_ARCH_S390:
 		return "s390";
+	case SCMP_ARCH_RISCV64:
+		return "riscv64";
 	default:
 		return "UNKNOWN";
 	}
@@ -241,68 +243,163 @@ static void _gen_pfc_chain(const struct arch_def *arch,
  *
  */
 static void _gen_pfc_syscall(const struct arch_def *arch,
-			     const struct db_sys_list *sys, FILE *fds)
+			     const struct db_sys_list *sys, FILE *fds,
+			     int lvl)
 {
 	unsigned int sys_num = sys->num;
 	const char *sys_name = arch_syscall_resolve_num(arch, sys_num);
 
-	_indent(fds, 1);
+	_indent(fds, lvl);
 	fprintf(fds, "# filter for syscall \"%s\" (%u) [priority: %d]\n",
 		(sys_name ? sys_name : "UNKNOWN"), sys_num, sys->priority);
-	_indent(fds, 1);
+	_indent(fds, lvl);
 	fprintf(fds, "if ($syscall == %u)\n", sys_num);
 	if (sys->chains == NULL) {
-		_indent(fds, 2);
+		_indent(fds, lvl + 1);
 		_pfc_action(fds, sys->action);
 	} else
-		_gen_pfc_chain(arch, sys->chains, 2, fds);
+		_gen_pfc_chain(arch, sys->chains, lvl + 1, fds);
 }
 
-/**
- * Generate pseudo filter code for an architecture
- * @param col the seccomp filter collection
- * @param db the single seccomp filter
- * @param fds the file stream to send the output
- *
- * This function generates a pseudo filter code representation of the given
- * filter DB and writes it to the given output stream.  Returns zero on
- * success, negative values on failure.
- *
- */
-static int _gen_pfc_arch(const struct db_filter_col *col,
-			 const struct db_filter *db, FILE *fds)
+#define SYSCALLS_PER_NODE		(4)
+static int _get_bintree_levels(unsigned int syscall_cnt,
+			       uint32_t optimize)
+{
+	unsigned int i = 0, max_level;
+
+	if (optimize != 2)
+		/* Only use a binary tree if requested */
+		return 0;
+
+	do {
+		max_level = SYSCALLS_PER_NODE << i;
+		i++;
+	} while(max_level < syscall_cnt);
+
+	return i;
+}
+
+static int _get_bintree_syscall_num(const struct pfc_sys_list *cur,
+				    int lookahead_cnt,
+				    int *const num)
 {
-	int rc = 0;
+	while (lookahead_cnt > 0 && cur != NULL) {
+		cur = cur->next;
+		lookahead_cnt--;
+	}
+
+	if (cur == NULL)
+		return -EFAULT;
+
+	*num = cur->sys->num;
+	return 0;
+}
+
+static int _sys_num_sort(struct db_sys_list *syscalls,
+			 struct pfc_sys_list **p_head)
+{
+	struct pfc_sys_list *p_iter = NULL, *p_new, *p_prev;
 	struct db_sys_list *s_iter;
-	struct pfc_sys_list *p_iter = NULL, *p_new, *p_head = NULL, *p_prev;
 
-	/* sort the syscall list */
-	db_list_foreach(s_iter, db->syscalls) {
+	db_list_foreach(s_iter, syscalls) {
 		p_new = zmalloc(sizeof(*p_new));
 		if (p_new == NULL) {
-			rc = -ENOMEM;
-			goto arch_return;
+			return -ENOMEM;
 		}
 		p_new->sys = s_iter;
 
 		p_prev = NULL;
-		p_iter = p_head;
+		p_iter = *p_head;
+		while (p_iter != NULL &&
+		       s_iter->num < p_iter->sys->num) {
+			p_prev = p_iter;
+			p_iter = p_iter->next;
+		}
+		if (*p_head == NULL)
+			*p_head = p_new;
+		else if (p_prev == NULL) {
+			p_new->next = *p_head;
+			*p_head = p_new;
+		} else {
+			p_new->next = p_iter;
+			p_prev->next = p_new;
+		}
+	}
+
+	return 0;
+}
+
+static int _sys_priority_sort(struct db_sys_list *syscalls,
+			      struct pfc_sys_list **p_head)
+{
+	struct pfc_sys_list *p_iter = NULL, *p_new, *p_prev;
+	struct db_sys_list *s_iter;
+
+	db_list_foreach(s_iter, syscalls) {
+		p_new = zmalloc(sizeof(*p_new));
+		if (p_new == NULL) {
+			return -ENOMEM;
+		}
+		p_new->sys = s_iter;
+
+		p_prev = NULL;
+		p_iter = *p_head;
 		while (p_iter != NULL &&
 		       s_iter->priority < p_iter->sys->priority) {
 			p_prev = p_iter;
 			p_iter = p_iter->next;
 		}
-		if (p_head == NULL)
-			p_head = p_new;
+		if (*p_head == NULL)
+			*p_head = p_new;
 		else if (p_prev == NULL) {
-			p_new->next = p_head;
-			p_head = p_new;
+			p_new->next = *p_head;
+			*p_head = p_new;
 		} else {
 			p_new->next = p_iter;
 			p_prev->next = p_new;
 		}
 	}
 
+	return 0;
+}
+
+static int _sys_sort(struct db_sys_list *syscalls,
+		     struct pfc_sys_list **p_head,
+		     uint32_t optimize)
+{
+	if (optimize != 2)
+		return _sys_priority_sort(syscalls, p_head);
+	else
+		/* sort by number for the binary tree */
+		return _sys_num_sort(syscalls, p_head);
+}
+
+/**
+ * Generate pseudo filter code for an architecture
+ * @param col the seccomp filter collection
+ * @param db the single seccomp filter
+ * @param fds the file stream to send the output
+ *
+ * This function generates a pseudo filter code representation of the given
+ * filter DB and writes it to the given output stream.  Returns zero on
+ * success, negative values on failure.
+ *
+ */
+static int _gen_pfc_arch(const struct db_filter_col *col,
+			 const struct db_filter *db, FILE *fds,
+			 uint32_t optimize)
+{
+	int rc = 0, i = 0, lookahead_num;
+	unsigned int syscall_cnt = 0, bintree_levels, level, indent = 1;
+	struct pfc_sys_list *p_iter = NULL, *p_head = NULL;
+
+	/* sort the syscall list */
+	rc = _sys_sort(db->syscalls, &p_head, optimize);
+	if (rc < 0)
+		goto arch_return;
+
+	bintree_levels = _get_bintree_levels(db->syscall_cnt, optimize);
+
 	fprintf(fds, "# filter for arch %s (%u)\n",
 		_pfc_arch(db->arch), db->arch->token_bpf);
 	fprintf(fds, "if ($arch == %u)\n", db->arch->token_bpf);
@@ -312,8 +409,40 @@ static int _gen_pfc_arch(const struct db_filter_col *col,
 			p_iter = p_iter->next;
 			continue;
 		}
-		_gen_pfc_syscall(db->arch, p_iter->sys, fds);
+
+		for (i = bintree_levels - 1; i > 0; i--) {
+			level = SYSCALLS_PER_NODE << i;
+
+			if (syscall_cnt == 0 || (syscall_cnt % level) == 0) {
+				rc = _get_bintree_syscall_num(p_iter, level / 2,
+							      &lookahead_num);
+				if (rc < 0)
+					/* We have reached the end of the bintree.
+					 * There aren't enough syscalls to construct
+					 * any more if-elses.
+					 */
+					continue;
+				_indent(fds, indent);
+				fprintf(fds, "if ($syscall > %u)\n", lookahead_num);
+				indent++;
+			} else if ((syscall_cnt % (level / 2)) == 0) {
+				lookahead_num = p_iter->sys->num;
+				_indent(fds, indent - 1);
+				fprintf(fds, "else # ($syscall <= %u)\n",
+					p_iter->sys->num);
+			}
+
+		}
+
+		_gen_pfc_syscall(db->arch, p_iter->sys, fds, indent);
+		syscall_cnt++;
 		p_iter = p_iter->next;
+
+		/* undo the indentations as the else statements complete */
+		for (i = 0; i < bintree_levels; i++) {
+			if (syscall_cnt % ((SYSCALLS_PER_NODE * 2) << i) == 0)
+				indent--;
+		}
 	}
 	_indent(fds, 1);
 	fprintf(fds, "# default action\n");
@@ -328,7 +457,6 @@ arch_return:
 	}
 	return rc;
 }
-
 /**
  * Generate a pseudo filter code string representation
  * @param col the seccomp filter collection
@@ -336,23 +464,22 @@ arch_return:
  *
  * This function generates a pseudo filter code representation of the given
  * filter collection and writes it to the given fd.  Returns zero on success,
- * negative values on failure.
+ * negative errno values on failure.
  *
  */
 int gen_pfc_generate(const struct db_filter_col *col, int fd)
 {
-	int rc = 0;
 	int newfd;
 	unsigned int iter;
 	FILE *fds;
 
 	newfd = dup(fd);
 	if (newfd < 0)
-		return errno;
+		return -errno;
 	fds = fdopen(newfd, "a");
 	if (fds == NULL) {
 		close(newfd);
-		return errno;
+		return -errno;
 	}
 
 	/* generate the pfc */
@@ -361,7 +488,8 @@ int gen_pfc_generate(const struct db_filter_col *col, int fd)
 	fprintf(fds, "#\n");
 
 	for (iter = 0; iter < col->filter_cnt; iter++)
-		_gen_pfc_arch(col, col->filters[iter], fds);
+		_gen_pfc_arch(col, col->filters[iter], fds,
+			      col->attr.optimize);
 
 	fprintf(fds, "# invalid architecture action\n");
 	_pfc_action(fds, col->attr.act_badarch);
@@ -372,5 +500,5 @@ int gen_pfc_generate(const struct db_filter_col *col, int fd)
 	fflush(fds);
 	fclose(fds);
 
-	return rc;
+	return 0;
 }

data/ext/enterprise_script_service/libseccomp/src/python/libseccomp.pxd

@@ -19,7 +19,8 @@
 # along with this library; if not, see <http://www.gnu.org/licenses>.
 #
 
-from libc.stdint cimport uint8_t, uint32_t, uint64_t
+from libc.stdint cimport int8_t, int16_t, int32_t, int64_t
+from libc.stdint cimport uint8_t, uint16_t, uint32_t, uint64_t
 
 cdef extern from "seccomp.h":
 
@@ -50,6 +51,7 @@ cdef extern from "seccomp.h":
         SCMP_ARCH_PPC64LE
         SCMP_ARCH_S390
         SCMP_ARCH_S390X
+        SCMP_ARCH_RISCV64
 
     cdef enum scmp_filter_attr:
         SCMP_FLTATR_ACT_DEFAULT
@@ -58,6 +60,9 @@ cdef extern from "seccomp.h":
         SCMP_FLTATR_CTL_TSYNC
         SCMP_FLTATR_API_TSKIP
         SCMP_FLTATR_CTL_LOG
+        SCMP_FLTATR_CTL_SSB
+        SCMP_FLTATR_CTL_OPTIMIZE
+        SCMP_FLTATR_API_SYSRAWRC
 
     cdef enum scmp_compare:
         SCMP_CMP_NE
@@ -74,6 +79,7 @@ cdef extern from "seccomp.h":
         SCMP_ACT_TRAP
         SCMP_ACT_LOG
         SCMP_ACT_ALLOW
+        SCMP_ACT_NOTIFY
     unsigned int SCMP_ACT_ERRNO(int errno)
     unsigned int SCMP_ACT_TRACE(int value)
 
@@ -85,6 +91,29 @@ cdef extern from "seccomp.h":
         scmp_datum_t datum_a
         scmp_datum_t datum_b
 
+    cdef struct seccomp_data:
+        int nr
+        uint32_t arch
+        uint64_t instruction_pointer
+        uint64_t args[6]
+
+    cdef struct seccomp_notif_sizes:
+        uint16_t seccomp_notif
+        uint16_t seccomp_notif_resp
+        uint16_t seccomp_data
+
+    cdef struct seccomp_notif:
+        uint64_t id
+        uint32_t pid
+        uint32_t flags
+        seccomp_data data
+
+    cdef struct seccomp_notif_resp:
+        uint64_t id
+        int64_t val
+        int32_t error
+        uint32_t flags
+
     scmp_version *seccomp_version()
 
     unsigned int seccomp_api_get()
@@ -129,6 +158,13 @@ cdef extern from "seccomp.h":
                                      unsigned int arg_cnt,
                                      scmp_arg_cmp *arg_array)
 
+    int seccomp_notify_alloc(seccomp_notif **req, seccomp_notif_resp **resp)
+    void seccomp_notify_free(seccomp_notif *req, seccomp_notif_resp *resp)
+    int seccomp_notify_receive(int fd, seccomp_notif *req)
+    int seccomp_notify_respond(int fd, seccomp_notif_resp *resp)
+    int seccomp_notify_id_valid(int fd, uint64_t id)
+    int seccomp_notify_fd(scmp_filter_ctx ctx)
+
     int seccomp_export_pfc(scmp_filter_ctx ctx, int fd)
     int seccomp_export_bpf(scmp_filter_ctx ctx, int fd)
 

data/ext/enterprise_script_service/libseccomp/src/python/seccomp.pyx

@@ -36,6 +36,7 @@ Filter action values:
     LOG - allow the syscall to be executed after the action has been logged
     ALLOW - allow the syscall to execute
     TRAP - a SIGSYS signal will be thrown
+    NOTIFY - a notification event will be sent via the notification API
     ERRNO(x) - syscall will return (x)
     TRACE(x) - if the process is being traced, (x) will be returned to the
                tracing process via PTRACE_EVENT_SECCOMP and the
@@ -60,13 +61,18 @@ Example:
     # create a filter object with a default KILL action
     f = SyscallFilter(defaction=KILL)
 
+    # add some basic syscalls which python typically wants
+    f.add_rule(ALLOW, "rt_sigaction")
+    f.add_rule(ALLOW, "rt_sigreturn")
+    f.add_rule(ALLOW, "exit_group")
+    f.add_rule(ALLOW, "brk")
+
     # add syscall filter rules to allow certain syscalls
     f.add_rule(ALLOW, "open")
     f.add_rule(ALLOW, "close")
-    f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin))
-    f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout))
-    f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr))
-    f.add_rule(ALLOW, "rt_sigreturn")
+    f.add_rule(ALLOW, "read", Arg(0, EQ, sys.stdin.fileno()))
+    f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stdout.fileno()))
+    f.add_rule(ALLOW, "write", Arg(0, EQ, sys.stderr.fileno()))
 
     # load the filter into the kernel
     f.load()
@@ -75,7 +81,9 @@ __author__ =  'Paul Moore <paul@paul-moore.com>'
 __date__ = "3 February 2017"
 
 from cpython.version cimport PY_MAJOR_VERSION
-from libc.stdint cimport uint32_t
+from libc.stdint cimport int8_t, int16_t, int32_t, int64_t
+from libc.stdint cimport uint8_t, uint16_t, uint32_t, uint64_t
+from libc.stdlib cimport free
 import errno
 
 cimport libseccomp
@@ -102,6 +110,7 @@ KILL = libseccomp.SCMP_ACT_KILL
 TRAP = libseccomp.SCMP_ACT_TRAP
 LOG = libseccomp.SCMP_ACT_LOG
 ALLOW = libseccomp.SCMP_ACT_ALLOW
+NOTIFY = libseccomp.SCMP_ACT_NOTIFY
 def ERRNO(int errno):
     """The action ERRNO(x) means that the syscall will return (x).
     To conform to Linux syscall calling conventions, the syscall return
@@ -205,6 +214,7 @@ cdef class Arch:
     PARISC64 - 64-bit PA-RISC
     PPC64 - 64-bit PowerPC
     PPC - 32-bit PowerPC
+    RISCV64 - 64-bit RISC-V
     """
 
     cdef int _token
@@ -228,6 +238,7 @@ cdef class Arch:
     PPC64LE = libseccomp.SCMP_ARCH_PPC64LE
     S390 = libseccomp.SCMP_ARCH_S390
     S390X = libseccomp.SCMP_ARCH_S390X
+    RISCV64 = libseccomp.SCMP_ARCH_RISCV64
 
     def __cinit__(self, arch=libseccomp.SCMP_ARCH_NATIVE):
         """ Initialize the architecture object.
@@ -303,6 +314,15 @@ cdef class Attr:
     ACT_BADARCH - the filter's bad architecture action
     CTL_NNP - the filter's "no new privileges" flag
     CTL_NNP - the filter's thread sync flag
+    CTL_TSYNC - sync threads on filter load
+    CTL_TSKIP - allow rules with a -1 syscall number
+    CTL_LOG - log not-allowed actions
+    CTL_SSB - disable SSB mitigations
+    CTL_OPTIMIZE - the filter's optimization level:
+                   0: currently unused
+                   1: rules weighted by priority and complexity (DEFAULT)
+                   2: binary tree sorted by syscall number
+    API_SYSRAWRC - return the raw syscall codes
     """
     ACT_DEFAULT = libseccomp.SCMP_FLTATR_ACT_DEFAULT
     ACT_BADARCH = libseccomp.SCMP_FLTATR_ACT_BADARCH
@@ -310,6 +330,9 @@ cdef class Attr:
     CTL_TSYNC = libseccomp.SCMP_FLTATR_CTL_TSYNC
     API_TSKIP = libseccomp.SCMP_FLTATR_API_TSKIP
     CTL_LOG = libseccomp.SCMP_FLTATR_CTL_LOG
+    CTL_SSB = libseccomp.SCMP_FLTATR_CTL_SSB
+    CTL_OPTIMIZE = libseccomp.SCMP_FLTATR_CTL_OPTIMIZE
+    API_SYSRAWRC = libseccomp.SCMP_FLTATR_API_SYSRAWRC
 
 cdef class Arg:
     """ Python object representing a SyscallFilter syscall argument.
@@ -344,6 +367,218 @@ cdef class Arg:
         """
         return self._arg
 
+cdef class Notification:
+    """ Python object representing a seccomp notification.
+    """
+    cdef uint64_t _id
+    cdef uint32_t _pid
+    cdef uint32_t _flags
+    cdef int _syscall
+    cdef uint32_t _syscall_arch
+    cdef uint64_t _syscall_ip
+    cdef uint64_t _syscall_args[6]
+
+    def __cinit__(self, id, pid, flags, syscall, arch, ip, args):
+        """ Initialize the notification.
+
+        Arguments:
+        id - the notification ID
+        pid - the process ID
+        flags - the notification flags
+        syscall - the syscall number
+        ip - the instruction pointer
+        args - list of the six syscall arguments
+
+        Description:
+        Create a seccomp Notification object.
+        """
+        self._id = id
+        self._pid = pid
+        self._flags = flags
+        self._syscall = syscall
+        self._syscall_arch = arch
+        self._syscall_ip = ip
+        self._syscall_args[0] = args[0]
+        self._syscall_args[1] = args[1]
+        self._syscall_args[2] = args[2]
+        self._syscall_args[3] = args[3]
+        self._syscall_args[4] = args[4]
+        self._syscall_args[5] = args[5]
+
+    @property
+    def id(self):
+        """ Get the seccomp notification ID.
+
+        Description:
+        Get the seccomp notification ID.
+        """
+        return self._id
+
+    @property
+    def pid(self):
+        """ Get the seccomp notification process ID.
+
+        Description:
+        Get the seccomp notification process ID.
+        """
+        return self._pid
+
+    @property
+    def flags(self):
+        """ Get the seccomp notification flags.
+
+        Description:
+        Get the seccomp notification flags.
+        """
+        return self._flags
+
+    @property
+    def syscall(self):
+        """ Get the seccomp notification syscall.
+
+        Description:
+        Get the seccomp notification syscall.
+        """
+        return self._syscall
+
+    @property
+    def syscall_arch(self):
+        """ Get the seccomp notification syscall architecture.
+
+        Description:
+        Get the seccomp notification syscall architecture.
+        """
+        return self._syscall_arch
+
+    @property
+    def syscall_ip(self):
+        """ Get the seccomp notification syscall instruction pointer.
+
+        Description:
+        Get the seccomp notification syscall instruction pointer.
+        """
+        return self._syscall_ip
+
+    @property
+    def syscall_args(self):
+        """ Get the seccomp notification syscall arguments.
+
+        Description:
+        Get the seccomp notification syscall arguments in a six element list.
+        """
+        return [self._syscall_args[0], self._syscall_args[1],
+                self._syscall_args[2], self._syscall_args[3],
+                self._syscall_args[4], self._syscall_args[5]]
+
+cdef class NotificationResponse:
+    """ Python object representing a seccomp notification response.
+    """
+    cdef uint64_t _id
+    cdef int64_t _val
+    cdef int32_t _error
+    cdef uint32_t _flags
+
+    def __cinit__(self, notify, val = 0, error = 0, flags = 0):
+        """ Initialize the notification response.
+
+        Arguments:
+        notify - a Notification object
+        val - the notification response value
+        error - the notification response error
+        flags - the notification response flags
+
+        Description:
+        Create a seccomp NotificationResponse object.
+        """
+        self._id = notify.id
+        self._val = val
+        self._error = error
+        self._flags = flags
+
+    @property
+    def id(self):
+        """ Get the seccomp notification response ID.
+
+        Description:
+        Get the seccomp notification response ID.
+        """
+        return self._id
+
+    @id.setter
+    def id(self, value):
+        """ Set the seccomp notification response ID.
+
+        Arguments:
+        id - the notification response ID
+
+        Description:
+        Set the seccomp notification response ID.
+        """
+        self._id = value
+
+    @property
+    def val(self):
+        """ Get the seccomp notification response value.
+
+        Description:
+        Get the seccomp notification response value.
+        """
+        return self._val
+
+    @val.setter
+    def val(self, value):
+        """ Set the seccomp notification response value.
+
+        Arguments:
+        val - the notification response value
+
+        Description:
+        Set the seccomp notification response value.
+        """
+        self._val = value
+
+    @property
+    def error(self):
+        """ Get the seccomp notification response error.
+
+        Description:
+        Get the seccomp notification response error.
+        """
+        return self._error
+
+    @error.setter
+    def error(self, value):
+        """ Set the seccomp notification response error.
+
+        Arguments:
+        error - the notification response error
+
+        Description:
+        Set the seccomp notification response error.
+        """
+        self._error = value
+
+    @property
+    def flags(self):
+        """ Get the seccomp notification response flags.
+
+        Description:
+        Get the seccomp notification response flags.
+        """
+        return self._flags
+
+    @flags.setter
+    def flags(self, value):
+        """ Set the seccomp notification response flags.
+
+        Arguments:
+        flags - the notification response flags
+
+        Description:
+        Set the seccomp notification response flags.
+        """
+        self._flags = value
+
 cdef class SyscallFilter:
     """ Python object representing a seccomp syscall filter. """
     cdef int _defaction
@@ -712,6 +947,60 @@ cdef class SyscallFilter:
         if rc != 0:
             raise RuntimeError(str.format("Library error (errno = {0})", rc))
 
+    def receive_notify(self):
+        """ Receive seccomp notifications.
+
+        Description:
+        Receive a seccomp notification from the system, requires the use of
+        the NOTIFY action.
+        """
+        cdef libseccomp.seccomp_notif *req
+
+        fd = libseccomp.seccomp_notify_fd(self._ctx)
+        if fd < 0:
+            raise RuntimeError("Notifications not enabled/active")
+        rc = libseccomp.seccomp_notify_alloc(&req, NULL)
+        if rc < 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+        rc = libseccomp.seccomp_notify_receive(fd, req)
+        if rc < 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+        rc = libseccomp.seccomp_notify_id_valid(fd, req.id)
+        if rc < 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+        notify = Notification(req.id, req.pid, req.flags, req.data.nr,
+                              req.data.arch, req.data.instruction_pointer,
+                              [req.data.args[0], req.data.args[1],
+                               req.data.args[2], req.data.args[3],
+                               req.data.args[4], req.data.args[5]])
+        free(req)
+        return notify
+
+    def respond_notify(self, response):
+        """ Send a seccomp notification response.
+
+        Arguments:
+        response - the response to send to the system
+
+        Description:
+        Respond to a seccomp notification.
+        """
+        cdef libseccomp.seccomp_notif_resp *resp
+
+        fd = libseccomp.seccomp_notify_fd(self._ctx)
+        if fd < 0:
+            raise RuntimeError("Notifications not enabled/active")
+        rc = libseccomp.seccomp_notify_alloc(NULL, &resp)
+        if rc < 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+        resp.id = response.id
+        resp.val = response.val
+        resp.error = response.error
+        resp.flags = response.flags
+        rc = libseccomp.seccomp_notify_respond(fd, resp)
+        if rc < 0:
+            raise RuntimeError(str.format("Library error (errno = {0})", rc))
+
     def export_pfc(self, file):
         """ Export the filter in PFC format.
 
@@ -733,6 +1022,7 @@ cdef class SyscallFilter:
         Arguments:
         file - the output file
 
+        Description:
         Output the filter in Berkley Packet Filter (BPF) to the given
         file.  The output is identical to what is loaded into the
         Linux Kernel.