pythonPackages: add new 'seccomp' library

As requested in #99553. Closes #99553.

Libraries that install python modules as part of the build are
problematic, because they either

  - only support a single python version, because the input for
    pythonPackages gets fixed in all-packages.nix, or

  - need to be rebuild the underlying C code for *every* python version
    resulting in libfoo-python37, libfoo-python38, and so on

We would prefer to use the second approach because it works correctly
for all versions of python. However, it creates duplicate copies of
libseccomp.so and that can be expensive. Instead we 'deduplicate' the
copies of libseccomp.so by

  - attaching a new $pythonsrc output to the libseccomp deriv, and
  - exposing a new 'seccomp' package in python-packages.nix using
    libseccomp as input, and
  - having a custom python.nix derivation that builds the cython
    extension using libseccomp to get the python source and the
    package version

This means we build 1 copy of the seccomp python package, one for each
version of python, but all of those packages refer to a single instance
of the libseccomp C library, giving us the best of both worlds.

NOTE: because this requires changing the postInstall of libseccomp, it
requires a mass rebuild.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

pkgs/development/libraries/libseccomp/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1wql62cg8f95cwpy057cl764nni9g4sdn5lqj68x22kjs8w71yhz";
   };
 
-  outputs = [ "out" "lib" "dev" "man" ];
+  outputs = [ "out" "lib" "dev" "man" "pythonsrc" ];
 
   nativeBuildInputs = [ gperf ];
   buildInputs = [ getopt ];
@@ -24,6 +24,13 @@ stdenv.mkDerivation rec {
   # Hack to ensure that patchelf --shrink-rpath get rids of a $TMPDIR reference.
   preFixup = "rm -rfv src";
 
+  # Copy the python module code into a tarball that we can export and use as the
+  # src input for buildPythonPackage calls
+  postInstall = ''
+    cp -R ./src/python/ tmp-pythonsrc/
+    tar -zcf $pythonsrc --transform s/tmp-pythonsrc/python-foundationdb/ ./tmp-pythonsrc/
+  '';
+
   meta = with stdenv.lib; {
     description = "High level library for the Linux Kernel seccomp filter";
     homepage = "https://github.com/seccomp/libseccomp";

pkgs/development/python-modules/seccomp/default.nix

@@ -0,0 +1,29 @@
+{ buildPythonPackage, lib
+, cython, libseccomp
+}:
+
+buildPythonPackage rec {
+  pname   = "libseccomp";
+  version = libseccomp.version;
+  src     = libseccomp.pythonsrc;
+
+  VERSION_RELEASE = version; # used by build system
+
+  nativeBuildInputs = [ cython ];
+  buildInputs = [ libseccomp ];
+
+  unpackCmd = "tar xf $curSrc";
+  doInstallCheck = true;
+
+  postPatch = ''
+    substituteInPlace ./setup.py \
+      --replace 'extra_objects=["../.libs/libseccomp.a"]' \
+                'libraries=["seccomp"]'
+  '';
+
+  meta = with lib; {
+    description = "Python bindings for libseccomp";
+    license     = with licenses; [ lgpl21 ];
+    maintainers = with maintainers; [ thoughtpolice ];
+  };
+}

pkgs/top-level/python-packages.nix

@@ -6529,6 +6529,8 @@ in {
 
   seabreeze = callPackage ../development/python-modules/seabreeze { };
 
+  seccomp = callPackage ../development/python-modules/seccomp { };
+
   secp256k1 = callPackage ../development/python-modules/secp256k1 { inherit (pkgs) secp256k1 pkgconfig; };
 
   secretstorage = if isPy3k then