Use /var/lib/snapd/bpf/*.{src,bin} for the seccomp profilesseccomp-bpf

The binary bpf seccomp profiles will be stored in the .bin file, the source in the .src file. 

13 files changed, 77 insertions, 70 deletions

diff --git a/cmd/snap-confine/seccomp-support.c b/cmd/snap-confine/seccomp-support.c
index ef6a2a23ed..2264a956d7 100644
--- a/cmd/snap-confine/seccomp-support.c
+++ b/cmd/snap-confine/seccomp-support.c
@@ -33,7 +33,7 @@
 #include "../libsnap-confine-private/string-utils.h"
 #include "../libsnap-confine-private/utils.h"
 
-static char *filter_profile_dir = "/var/lib/snapd/seccomp/profiles.bpf/";
+static char *filter_profile_dir = "/var/lib/snapd/seccomp/bpf/";
 
 // MAX_BPF_SIZE is an arbitrary limit.
 const int MAX_BPF_SIZE = 32 * 1024;
@@ -106,7 +106,7 @@ int sc_apply_seccomp_bpf(const char *filter_profile)
	debug("loading bpf program for security tag %s", filter_profile);
 
	char profile_path[512];	// arbitrary path name limit
-	sc_must_snprintf(profile_path, sizeof(profile_path), "%s/%s.bpf",
+	sc_must_snprintf(profile_path, sizeof(profile_path), "%s/%s.bin",
 filter_profile_dir, filter_profile);
 
	// validate '/' down to profile_path are root-owned and not
diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index 95693f30c1..0807d21b97 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -89,7 +89,7 @@
 # change_profile unsafe /** -> **,
 
 # reading seccomp filters
- /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/profiles.bpf/*.bpf r,
+ /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
 
 # reading mount profiles
 /{tmp/snap.rootfs_*/,}var/lib/snapd/mount/*.fstab r,
diff --git a/cmd/snap-confine/snap-confine.rst b/cmd/snap-confine/snap-confine.rst
index ded08a1c5c..7048f7ce91 100644
--- a/cmd/snap-confine/snap-confine.rst
+++ b/cmd/snap-confine/snap-confine.rst
@@ -47,13 +47,17 @@ extensive dbus mediation. Refer to apparmor documentation for more details.
 Seccomp profiles
 ----------------
 
-`snap-confine` looks for the `/var/lib/snapd/seccomp/profiles.bpf/$SECURITY_TAG.bpf`
-file. This file is **mandatory** and `snap-confine` will refuse to run without
-it.
-
-The file is read and parsed using a custom syntax that describes the set of
-allowed system calls and optionally their arguments. The profile is then used
-to confine the started application.
+`snap-confine` looks for the
+`/var/lib/snapd/seccomp/bpf/$SECURITY_TAG.bin` file. This file is
+**mandatory** and `snap-confine` will refuse to run without it. This
+file contains the seccomp bpf binary program that is loaded into the
+kernel by snap-confine.
+
+The file is generated with the /usr/lib/snapd/snap-seccomp compiler
+from the `$SECURITY_TAG.src` file that uses a custom syntax that
+describes the set of allowed system calls and optionally their
+arguments. The profile is then used to confine the started
+application.
 
 As a security precaution disallowed system calls cause the started application
 executable to be killed by the kernel. In the future this restriction may be
@@ -129,11 +133,13 @@ FILES
 
	Description of the mount profile.
 
-`/var/lib/snapd/seccomp/profiles.bpf/*`:
+`/var/lib/snapd/seccomp/bpf/*.src`:
 
	Input for the /usr/lib/snapd/snap-seccomp profile compiler.
 
-	Compiled seccomp profile program have the extension .bpf.
+`/var/lib/snapd/seccomp/bpf/*.bin`:
+
+	Compiled seccomp bpf profile programs.
 
 `/run/snapd/ns/`:
 
diff --git a/dirs/dirs.go b/dirs/dirs.go
index a24ec8e980..dd996d09a6 100644
--- a/dirs/dirs.go
+++ b/dirs/dirs.go
@@ -144,7 +144,7 @@ func SetRootDir(rootdir string) {
	SnapAppArmorDir = filepath.Join(rootdir, snappyDir, "apparmor", "profiles")
	AppArmorCacheDir = filepath.Join(rootdir, "/var/cache/apparmor")
	SnapAppArmorAdditionalDir = filepath.Join(rootdir, snappyDir, "apparmor", "additional")
-	SnapSeccompDir = filepath.Join(rootdir, snappyDir, "seccomp", "profiles.bpf")
+	SnapSeccompDir = filepath.Join(rootdir, snappyDir, "seccomp", "bpf")
	SnapMountPolicyDir = filepath.Join(rootdir, snappyDir, "mount")
	SnapMetaDir = filepath.Join(rootdir, snappyDir, "meta")
	SnapBlobDir = filepath.Join(rootdir, snappyDir, "snaps")
diff --git a/interfaces/seccomp/backend.go b/interfaces/seccomp/backend.go
index 706aae4b75..42125e1e4c 100644
--- a/interfaces/seccomp/backend.go
+++ b/interfaces/seccomp/backend.go
@@ -28,7 +28,7 @@
 // There is no binary cache for seccomp, each time the launcher starts an
 // application the profile is parsed and re-compiled.
 //
-// The actual profiles are stored in /var/lib/snappy/seccomp/profiles.bpf.
+// The actual profiles are stored in /var/lib/snappy/seccomp/bpf/*.{src,bin}.
 // This directory is hard-coded in ubuntu-core-launcher.
 package seccomp
 
@@ -110,7 +110,7 @@ func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions,
 
	for baseName := range content {
	in := filepath.Join(dirs.SnapSeccompDir, baseName)
-	out := filepath.Join(dirs.SnapSeccompDir, baseName+".bpf")
+	out := filepath.Join(dirs.SnapSeccompDir, strings.TrimSuffix(baseName, ".src")+".bin")
 
	seccompToBpf := seccompToBpfPath()
	cmd := exec.Command(seccompToBpf, "compile", in, out)
@@ -174,7 +174,8 @@ func addContent(securityTag string, opts interfaces.ConfinementOptions, snippetF
	buffer.WriteString(bindSyscallWorkaround)
	}
 
-	content[securityTag] = &osutil.FileState{
+	path := fmt.Sprintf("%s.src", securityTag)
+	content[path] = &osutil.FileState{
	Content: buffer.Bytes(),
	Mode: 0644,
	}
diff --git a/interfaces/seccomp/backend_test.go b/interfaces/seccomp/backend_test.go
index 39a8bb4d86..116a15bf92 100644
--- a/interfaces/seccomp/backend_test.go
+++ b/interfaces/seccomp/backend_test.go
@@ -81,11 +81,11 @@ func (s *backendSuite) TestInstallingSnapWritesProfiles(c *C) {
	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
	// file called "snap.sambda.smbd" was created
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	c.Check(err, IsNil)
	// and got compiled
	c.Check(s.snapSeccomp.Calls(), DeepEquals, [][]string{
-	{"snap-seccomp", "compile", profile, profile + ".bpf"},
+	{"snap-seccomp", "compile", profile + ".src", profile + ".bin"},
	})
 }
 
@@ -94,11 +94,11 @@ func (s *backendSuite) TestInstallingSnapWritesHookProfiles(c *C) {
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.foo.hook.configure")
 
	// Verify that profile named "snap.foo.hook.configure" was created.
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	c.Check(err, IsNil)
	// and got compiled
	c.Check(s.snapSeccomp.Calls(), DeepEquals, [][]string{
-	{"snap-seccomp", "compile", profile, profile + ".bpf"},
+	{"snap-seccomp", "compile", profile + ".src", profile + ".bin"},
	})
 }
 
@@ -119,13 +119,13 @@ func (s *backendSuite) TestInstallingSnapWritesProfilesWithReexec(c *C) {
	s.InstallSnap(c, interfaces.ConfinementOptions{}, ifacetest.SambaYamlV1, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
	// file called "snap.sambda.smbd" was created
-	_, err = os.Stat(profile)
+	_, err = os.Stat(profile + ".src")
	c.Check(err, IsNil)
	// ensure the snap-seccomp from the regular path was *not* used
	c.Check(s.snapSeccomp.Calls(), HasLen, 0)
	// ensure the snap-seccomp from the core snap was used instead
	c.Check(snapSeccompOnCore.Calls(), DeepEquals, [][]string{
-	{"snap-seccomp", "compile", profile, profile + ".bpf"},
+	{"snap-seccomp", "compile", profile + ".src", profile + ".bin"},
	})
 }
 
@@ -135,7 +135,7 @@ func (s *backendSuite) TestRemovingSnapRemovesProfiles(c *C) {
	s.RemoveSnap(c, snapInfo)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
	// file called "snap.sambda.smbd" was removed
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	c.Check(os.IsNotExist(err), Equals, true)
	}
 }
@@ -147,7 +147,7 @@ func (s *backendSuite) TestRemovingSnapRemovesHookProfiles(c *C) {
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.foo.hook.configure")
 
	// Verify that profile "snap.foo.hook.configure" was removed.
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	c.Check(os.IsNotExist(err), Equals, true)
	}
 }
@@ -157,11 +157,11 @@ func (s *backendSuite) TestUpdatingSnapToOneWithMoreApps(c *C) {
	snapInfo := s.InstallSnap(c, opts, ifacetest.SambaYamlV1, 0)
	snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1WithNmbd, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.nmbd")
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	// file called "snap.sambda.nmbd" was created
	c.Check(err, IsNil)
	// and got compiled
-	c.Check(s.snapSeccomp.Calls(), testutil.DeepContains, []string{"snap-seccomp", "compile", profile, profile + ".bpf"})
+	c.Check(s.snapSeccomp.Calls(), testutil.DeepContains, []string{"snap-seccomp", "compile", profile + ".src", profile + ".bin"})
	s.snapSeccomp.ForgetCalls()
 
	s.RemoveSnap(c, snapInfo)
@@ -174,11 +174,11 @@ func (s *backendSuite) TestUpdatingSnapToOneWithHooks(c *C) {
	snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlWithHook, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.hook.configure")
 
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	// Verify that profile "snap.samba.hook.configure" was created.
	c.Check(err, IsNil)
	// and got compiled
-	c.Check(s.snapSeccomp.Calls(), testutil.DeepContains, []string{"snap-seccomp", "compile", profile, profile + ".bpf"})
+	c.Check(s.snapSeccomp.Calls(), testutil.DeepContains, []string{"snap-seccomp", "compile", profile + ".src", profile + ".bin"})
	s.snapSeccomp.ForgetCalls()
 
	s.RemoveSnap(c, snapInfo)
@@ -191,7 +191,7 @@ func (s *backendSuite) TestUpdatingSnapToOneWithFewerApps(c *C) {
	snapInfo = s.UpdateSnap(c, snapInfo, opts, ifacetest.SambaYamlV1, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.nmbd")
	// file called "snap.sambda.nmbd" was removed
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	c.Check(os.IsNotExist(err), Equals, true)
	s.RemoveSnap(c, snapInfo)
	}
@@ -204,7 +204,7 @@ func (s *backendSuite) TestUpdatingSnapToOneWithNoHooks(c *C) {
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.hook.configure")
 
	// Verify that profile snap.samba.hook.configure was removed.
-	_, err := os.Stat(profile)
+	_, err := os.Stat(profile + ".src")
	c.Check(os.IsNotExist(err), Equals, true)
	s.RemoveSnap(c, snapInfo)
	}
@@ -216,7 +216,7 @@ func (s *backendSuite) TestRealDefaultTemplateIsNormallyUsed(c *C) {
	err := s.Backend.Setup(snapInfo, interfaces.ConfinementOptions{}, s.Repo)
	c.Assert(err, IsNil)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
-	data, err := ioutil.ReadFile(profile)
+	data, err := ioutil.ReadFile(profile + ".src")
	c.Assert(err, IsNil)
	for _, line := range []string{
	// NOTE: a few randomly picked lines from the real profile. Comments
@@ -276,10 +276,10 @@ func (s *backendSuite) TestCombineSnippets(c *C) {
 
	snapInfo := s.InstallSnap(c, scenario.opts, ifacetest.SambaYamlV1, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
-	data, err := ioutil.ReadFile(profile)
+	data, err := ioutil.ReadFile(profile + ".src")
	c.Assert(err, IsNil)
	c.Check(string(data), Equals, scenario.content)
-	stat, err := os.Stat(profile)
+	stat, err := os.Stat(profile + ".src")
	c.Assert(err, IsNil)
	c.Check(stat.Mode(), Equals, os.FileMode(0644))
	s.RemoveSnap(c, snapInfo)
@@ -318,10 +318,10 @@ func (s *backendSuite) TestCombineSnippetsOrdering(c *C) {
 
	s.InstallSnap(c, interfaces.ConfinementOptions{}, snapYaml, 0)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.foo.foo")
-	data, err := ioutil.ReadFile(profile)
+	data, err := ioutil.ReadFile(profile + ".src")
	c.Assert(err, IsNil)
	c.Check(string(data), Equals, "default\naaa\nzzz\n")
-	stat, err := os.Stat(profile)
+	stat, err := os.Stat(profile + ".src")
	c.Assert(err, IsNil)
	c.Check(stat.Mode(), Equals, os.FileMode(0644))
 }
@@ -335,7 +335,7 @@ func (s *backendSuite) TestBindIsAddedForForcedDevModeSystems(c *C) {
	err := s.Backend.Setup(snapInfo, interfaces.ConfinementOptions{}, s.Repo)
	c.Assert(err, IsNil)
	profile := filepath.Join(dirs.SnapSeccompDir, "snap.samba.smbd")
-	data, err := ioutil.ReadFile(profile)
+	data, err := ioutil.ReadFile(profile + ".src")
	c.Assert(err, IsNil)
	c.Assert(string(data), testutil.Contains, "\nbind\n")
 }
diff --git a/packaging/fedora/snap-mgmt.sh b/packaging/fedora/snap-mgmt.sh
index 1d738870fe..a363472a3d 100644
--- a/packaging/fedora/snap-mgmt.sh
+++ b/packaging/fedora/snap-mgmt.sh
@@ -102,7 +102,7 @@ purge() {
 
 echo "Removing leftover snap shared state data"
 rm -rf /var/lib/snapd/desktop/applications/*
- rm -rf /var/lib/snapd/seccomp/profiles.bpf/*
+ rm -rf /var/lib/snapd/seccomp/bpf/*
 rm -rf /var/lib/snapd/device/*
 rm -rf /var/lib/snapd/assertions/*
 }
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
index dd67189b2c..7c768cfd84 100644
--- a/packaging/fedora/snapd.spec
+++ b/packaging/fedora/snapd.spec
@@ -390,7 +390,7 @@ install -d -p %{buildroot}%{_sharedstatedir}/snapd/desktop/applications
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/device
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/hostfs
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/mount
-install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/profiles.bpf
+install -d -p %{buildroot}%{_sharedstatedir}/snapd/seccomp/bpf
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snaps
 install -d -p %{buildroot}%{_sharedstatedir}/snapd/snap/bin
 install -d -p %{buildroot}%{_localstatedir}/snap
@@ -536,7 +536,7 @@ popd
 %dir %{_sharedstatedir}/snapd/hostfs
 %dir %{_sharedstatedir}/snapd/mount
 %dir %{_sharedstatedir}/snapd/seccomp
-%dir %{_sharedstatedir}/snapd/seccomp/profiles.bpf
+%dir %{_sharedstatedir}/snapd/seccomp/bpf
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_sharedstatedir}/snapd/snap
 %ghost %dir %{_sharedstatedir}/snapd/snap/bin
diff --git a/packaging/opensuse-42.2/snapd.spec b/packaging/opensuse-42.2/snapd.spec
index b425551fc2..10f88856fd 100644
--- a/packaging/opensuse-42.2/snapd.spec
+++ b/packaging/opensuse-42.2/snapd.spec
@@ -192,7 +192,7 @@ rm -f %{?buildroot}/usr/bin/ubuntu-core-launcher
 # shutdown process and thus can be left out of the distribution package.
 rm -f %{?buildroot}/usr/lib/snapd/system-shutdown
 # Install the directories that snapd creates by itself so that they can be a part of the package
-install -d %buildroot/var/lib/snapd/{assertions,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/profiles.bpf,snaps}
+install -d %buildroot/var/lib/snapd/{assertions,desktop/applications,device,hostfs,mount,apparmor/profiles,seccomp/bpf,snaps}
 install -d %buildroot/snap/bin
 # Install local permissions policy for snap-confine. This should be removed
 # once snap-confine is added to the permissions package. This is done following
@@ -256,7 +256,7 @@ esac
 %dir /var/lib/snapd/hostfs
 %dir /var/lib/snapd/mount
 %dir /var/lib/snapd/seccomp
-%dir /var/lib/snapd/seccomp/profiles.bpf
+%dir /var/lib/snapd/seccomp/bpf
 %dir /var/lib/snapd/snaps
 %verify(not user group mode) %attr(04755,root,root) /usr/lib/snapd/snap-confine
 %{_mandir}/man5/snap-confine.5.gz
diff --git a/tests/main/op-install-failed-undone/task.yaml b/tests/main/op-install-failed-undone/task.yaml
index ba5cf87a1d..bbd65d31f2 100644
--- a/tests/main/op-install-failed-undone/task.yaml
+++ b/tests/main/op-install-failed-undone/task.yaml
@@ -48,6 +48,6 @@ execute: |
 echo "And the Security Profiles Setup subtask is actually undone"
 snap change $failed_task_id | grep -Pq "Undone +.*?Setup snap \"test-snapd-tools\" \(unset\) security profiles"
 check_empty_glob /var/lib/snapd/apparmor/profiles snap.test-snapd-tools.*
- check_empty_glob /var/lib/snapd/seccomp/profiles.bpf snap.test-snapd-tools.*
+ check_empty_glob /var/lib/snapd/seccomp/bpf snap.test-snapd-tools.*
 check_empty_glob /etc/dbus-1/system.d snap.test-snapd-tools.*.conf
 check_empty_glob /etc/udev/rules.d 70-snap.test-snapd-tools.*.rules
diff --git a/tests/main/security-profiles/task.yaml b/tests/main/security-profiles/task.yaml
index 1ecde061ba..abc503ca81 100644
--- a/tests/main/security-profiles/task.yaml
+++ b/tests/main/security-profiles/task.yaml
@@ -10,7 +10,7 @@ execute: |
 exit 0
 fi
 
- seccomp_profile_directory="/var/lib/snapd/seccomp/profiles.bpf"
+ seccomp_profile_directory="/var/lib/snapd/seccomp/bpf"
 
 echo "Security profiles are generated and loaded for apps"
 . $TESTSLIB/snaps.sh
@@ -20,7 +20,7 @@ execute: |
 for profile in snap.test-snapd-tools.block snap.test-snapd-tools.cat snap.test-snapd-tools.echo snap.test-snapd-tools.fail snap.test-snapd-tools.success
 do
 MATCH "^${profile} \(enforce\)$" <<<"$loaded_profiles"
- [ -f "$seccomp_profile_directory/${profile}.bpf" ]
+ [ -f "$seccomp_profile_directory/${profile}.bin" ]
 done
 
 echo "Security profiles are generated and loaded for hooks"
@@ -28,4 +28,4 @@ execute: |
 loaded_profiles=$(cat /sys/kernel/security/apparmor/profiles)
 
 echo "$loaded_profiles" | MATCH "^snap.basic-hooks.hook.configure \(enforce\)$"
- [ -f "$seccomp_profile_directory/snap.basic-hooks.hook.configure.bpf" ]
+ [ -f "$seccomp_profile_directory/snap.basic-hooks.hook.configure.bin" ]
diff --git a/tests/main/snap-seccomp/task.yaml b/tests/main/snap-seccomp/task.yaml
index 1fe42459da..d6dbe14f09 100644
--- a/tests/main/snap-seccomp/task.yaml
+++ b/tests/main/snap-seccomp/task.yaml
@@ -1,7 +1,7 @@
 summary: Ensure that the snap-seccomp bpf handling works
 
 environment:
- PROFILE: /var/lib/snapd/seccomp/profiles.bpf/snap.test-snapd-tools.echo
+ PROFILE: /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.echo
 SNAP_SECCOMP: /usr/lib/snapd/snap-seccomp
 
 execute: |
@@ -16,18 +16,18 @@ execute: |
 
 # from the old test_complain
 echo "Test that the @complain keyword works"
- rm -f ${PROFILE}.bpf
- cat >"${PROFILE}" <<EOF
+ rm -f ${PROFILE}.bin
+ cat >"${PROFILE}.src" <<EOF
 # some comment
 @complain
 EOF
- $SNAP_SECCOMP compile ${PROFILE} ${PROFILE}.bpf
+ $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
 echo "Ensure the code still runs"
 test-snapd-tools.echo hello | MATCH hello
 
 # from the old test_complain_missed
- rm -f ${PROFILE}.bpf
- cat >"${PROFILE}" <<EOF
+ rm -f ${PROFILE}.bin
+ cat >"${PROFILE}.src" <<EOF
 # super strict filter
 @complai
 @complaim
@@ -35,7 +35,7 @@ execute: |
 @COMPLAIN
 complain
 EOF
- $SNAP_SECCOMP compile ${PROFILE} ${PROFILE}.bpf
+ $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
 echo "Ensure the code cannot not run due to impossible filtering"
 if test-snapd-tools.echo hello; then
 echo "filtering broken: program should have failed to run"
@@ -44,18 +44,18 @@ execute: |
 
 # from the old test_unrestricted
 echo "Test that the @unrestricted keyword works"
- rm -f ${PROFILE}.bpf
- cat >"${PROFILE}" <<EOF
+ rm -f ${PROFILE}.bin
+ cat >"${PROFILE}.src" <<EOF
 # some comment
 @unrestricted
 EOF
- $SNAP_SECCOMP compile ${PROFILE} ${PROFILE}.bpf
+ $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
 echo "Ensure the code still runs"
 test-snapd-tools.echo hello | MATCH hello
 
 # from the old test_unrestricted_missed
- rm -f ${PROFILE}.bpf
- cat >"${PROFILE}" <<EOF
+ rm -f ${PROFILE}.bin
+ cat >"${PROFILE}.src" <<EOF
 # super strict filter
 @unrestricte
 @unrestrictes
@@ -63,7 +63,7 @@ execute: |
 @UNRESTRICTED
 unrestricted
 EOF
- $SNAP_SECCOMP compile ${PROFILE} ${PROFILE}.bpf
+ $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
 echo "Ensure the code cannot not run due to impossible filtering"
 if test-snapd-tools.echo hello; then
 echo "filtering broken: program should have failed to run"
@@ -71,23 +71,23 @@ execute: |
 fi
 
 # from the old test_noprofile
- rm -f ${PROFILE}.bpf
+ rm -f ${PROFILE}.bin
 echo "Ensure the code cannot not run due to missing filter"
 if test-snapd-tools.echo hello; then
 echo "filtering broken: program should have failed to run"
 exit 1
 fi
 
- echo "Break snapd.test-snapd-tools.bpf to ensure (kernel) validation works"
- dd if=/dev/urandom of=${PROFILE}.bpf count=1 bs=1024
+ echo "Break snapd.test-snapd-tools.bin to ensure (kernel) validation works"
+ dd if=/dev/urandom of=${PROFILE}.bin count=1 bs=1024
 if output=$(test-snapd-tools.echo hello 2>&1 ); then
 echo "test-snapd-tools.echo should fail with invalid seccomp profile"
 exit 1
 fi
 echo $output | MATCH "prctl.*Invalid argument"
 
- echo "Add huge snapd.test-snapd-tools.bpf to ensure size limit works"
- dd if=/dev/zero of=${PROFILE}.bpf count=50 bs=1M
+ echo "Add huge snapd.test-snapd-tools.bin to ensure size limit works"
+ dd if=/dev/zero of=${PROFILE}.bin count=50 bs=1M
 if output=$(test-snapd-tools.echo hello 2>&1 ); then
 echo "test-snapd-tools.echo should fail with big seccomp profile"
 exit 1
@@ -95,17 +95,17 @@ execute: |
 echo $output | MATCH "profile .* exceeds .* bytes"
 
 
- echo "Ensure the code cannot not run with a missing .bpf profile"
- rm -f ${PROFILE}.bpf
+ echo "Ensure the code cannot not run with a missing .bin profile"
+ rm -f ${PROFILE}.bin
 if test-snapd-tools.echo hello; then
 echo "filtering broken: program should have failed to run"
 exit 1
 fi
 
 echo "Ensure the code cannot not run with an empty seccomp profile"
- rm -f ${PROFILE}.bpf
- echo "" > ${PROFILE}
- $SNAP_SECCOMP compile ${PROFILE} ${PROFILE}.bpf
+ rm -f ${PROFILE}.bin
+ echo "" > ${PROFILE}.src
+ $SNAP_SECCOMP compile ${PROFILE}.src ${PROFILE}.bin
 if test-snapd-tools.echo hello; then
 echo "filtering broken: program should have failed to run"
 exit 1
diff --git a/tests/regression/lp-1641885/task.yaml b/tests/regression/lp-1641885/task.yaml
index ff728bb08e..62b2546acd 100644
--- a/tests/regression/lp-1641885/task.yaml
+++ b/tests/regression/lp-1641885/task.yaml
@@ -18,11 +18,11 @@ execute: |
 echo "Ensure that the apparmor profile doesn't use the complain mode"
 grep attach_disconnected /var/lib/snapd/apparmor/profiles/snap.test-snapd-devmode.test-snapd-devmode | MATCH -v complain
 echo "Ensure that the seccomp profile doesn't use the complain mode"
- MATCH -v '@complain' < /var/lib/snapd/seccomp/profiles.bpf/snap.test-snapd-devmode.test-snapd-devmode
+ MATCH -v '@complain' < /var/lib/snapd/seccomp/bpf/snap.test-snapd-devmode.test-snapd-devmode.src
 restore: |
 rm -f ./test-snapd-devmode_1.0_all.snap
 debug: |
 echo "Apparmor profile (first 30 lines)"
 head -n 30 /var/lib/snapd/apparmor/profiles/snap.test-snapd-devmode.test-snapd-devmode || true
 echo "Seccomp profile (first 30 lines)"
- head -n 30 /var/lib/snapd/seccomp/profiles.bpf/snap.test-snapd-devmode.test-snapd-devmode || true
+ head -n 30 /var/lib/snapd/seccomp/bpf/snap.test-snapd-devmode.test-snapd-devmode.src || true