cbpf ebpf seccomp

Is it possible to get the current PID in a seccomp filter?


When working with seccomp userspace notifications (https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) via SECCOMP_RET_USER_NOTIF, I found the PID as part of the seccomp_notif struct extremely useful for some filtering decisions. In eBPF filters, helper functions like bpf_get_current_pid_tgid() can be used to obtain such information. But since seccomp only seems to support classic BPF, I was wondering if there is another way. Inside a seccomp filter, as far as I know, it is only possible to access the seccomp_data structure. Is there a way to get specific information like the PID inside a seccomp filter directly?


Solution

  • No, you cannot get that information from the seccomp filter itself unless it is part of the syscall arguments. To retrieve the PID, you would have to e.g. give control to a userspace ptracer process or rely on SECCOMP_RET_USER_NOTIF as you mentioned.
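The case the answer allows, a PID that arrives as a syscall argument, sketched as an added example (not code from the original question or answer): a classic BPF filter that reads only `seccomp_data` fields and denies `kill()` when its first argument equals a PID fixed at install time. The names `deny_kill_of`, `run_demo`, `FIELD` and `NATIVE_ARCH` are hypothetical, and a little-endian x86_64 or aarch64 Linux build is assumed.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else /* assumption: x86_64 build otherwise */
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#endif
#define FIELD(f) ((unsigned)offsetof(struct seccomp_data, f))

/* Install a filter that makes kill(protected_pid, sig) fail with EPERM. */
static int deny_kill_of(pid_t protected_pid) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_kill, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[0])), /* kill()'s pid, low 32 bits */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)protected_pid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child that installs the filter; returns 0 if it behaved as expected. */
static int run_demo(void) {
    pid_t parent = getpid(), child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (deny_kill_of(parent)) _exit(2);
        int blocked = kill(parent, 0) == -1 && errno == EPERM;
        int allowed = kill(getpid(), 0) == 0; /* different pid argument */
        _exit(blocked && allowed ? 0 : 1);
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return run_demo(); }
```

The filter never learns which process is calling: the only PID it compares is the value the caller placed in `args[0]`, checked against a constant chosen before the filter was loaded.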