[apparmor] patch - fix some bugs which appear to be the performance bug I was looking for
Peter Maloney
peter.maloney at brockmann-consult.de
Tue Nov 25 17:26:56 UTC 2014
Using the new hasher() from my previous patch, I found some problems.
One fix is here:
- if aa[profile][hat][incname]:
+ if aa[profile][hat]['include'].get(incname,
False):
continue
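Review bot: On the added line, `.get(incname, False)` only protects the last level; the `aa[profile][hat]['include']` prefix is still plain indexing, so on a hasher it will insert `profile`, `hat` and `'include'` whenever one of them is missing. If this check can run for a profile or hat that has not been loaded yet, guard those levels with `in` as well, or add a comment stating that they are guaranteed to exist at this point.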
I believe the old line would have created a new hasher (defaultdict) in
the wrong place. The dict where it should have been needs to be fetched
with the key 'include'. So this created lots of garbage in the aa[...]
dict, plus would always return False, so the "continue" which was likely
a performance optimization, was never called.
And another here:
- if
aa[profile][hat]['allow']['path'][path].get('mode', False):
- mode |=
aa[profile][hat]['allow']['path'][path]['mode']
+ if path in
aa[profile][hat]['allow']['path']:
+ if
aa[profile][hat]['allow']['path'][path].get('mode', False):
+ mode |=
aa[profile][hat]['allow']['path'][path]['mode']
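Review bot: Inside the new `if path in ...` guard, the `'mode'` key is looked up twice (`.get('mode', False)` and then `['mode']`), and the full `aa[profile][hat]['allow']['path']` chain is evaluated three times. Bind that table to a local before the guard, fetch the mode once with `.get('mode')`, and apply `mode |=` only when the fetched value is truthy.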
And here:
- if include[incfile][incfile][allow]['path'][path]:
+ if path in include[incfile][incfile][allow]['path']:
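Review bot: The replacement line changes the test from truthiness of the entry to presence of the key: `path in include[incfile][incfile][allow]['path']` is true for an entry that exists but is empty, where the old `if ...[path]:` was false. If any remaining unguarded lookup can still insert empty entries for `path`, those will now count as matches; `.get(path)` would keep the old truthiness test without inserting anything. The doubled `[incfile][incfile]` index also deserves a short comment explaining why the key is repeated.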
This one just prevents creating extra paths while looking them up. I
believe this had a significant impact on performance, because it was
going through more paths than it had to, to match against regexes, to
find the modes, to " |= " them to a list. But the resulting dict was
empty, so it would just add nothing and waste time.
The first fix uses get(...,"False") because we want the value, which is
either True or False. The others return strings or dicts. I don't
understand why get('mode', False) should be done instead of "if 'mode'
in ..." but I left it the way it was since I think it works.
And FYI the performance bug I was looking for makes it take way longer
than 1 hour to process some interactive commands in aa-logprof, like
when you say "(I)nherit" for an exec, on a very large audit.log, >50 MB.
(for example firefox will do this reliably). I'm not completely sure
this patch fixes it... I'm still working on it. I'm going to test the
patch on firefox again today on my desktop since firefox won't run in my
apparmor dev vm due to stupid bugs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: p3-performance.patch
Type: text/x-patch
Size: 2476 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141125/3a92b11a/attachment.bin>
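
The lookup behaviour described in the message, as an added example that is not part of the original post or of the AppArmor code: it assumes hasher() is a recursive defaultdict, and the profile name, hat name, paths and modes are constructed sample data. It compares how many path entries exist after probing by indexing and after probing with an "in" guard.

```python
from collections import defaultdict

def hasher():
    # Assumption: hasher() is a recursive defaultdict, so any missing key
    # that is indexed becomes a new empty nested hasher.
    return defaultdict(hasher)

def build_profile(rules):
    """Constructed sample data: {path: mode letters} for one profile/hat."""
    aa = hasher()
    for path, mode in rules.items():
        aa['prof']['hat']['allow']['path'][path]['mode'] = set(mode)
    return aa

def modes_by_index(aa, probes):
    """Lookup by indexing: every probed path that is absent gets inserted."""
    table = aa['prof']['hat']['allow']['path']
    mode = set()
    for path in probes:
        if table[path].get('mode', False):
            mode |= table[path]['mode']
    return mode

def modes_by_membership(aa, probes):
    """Lookup guarded by 'in': absent paths are skipped, nothing is inserted."""
    table = aa['prof']['hat']['allow']['path']
    mode = set()
    for path in probes:
        if path in table and table[path].get('mode', False):
            mode |= table[path]['mode']
    return mode

def path_count(aa):
    """Number of path entries currently stored for the sample profile."""
    return len(aa['prof']['hat']['allow']['path'])

def demo():
    rules = {'/etc/hosts': 'r', '/tmp/cache': 'rw'}
    probes = list(rules) + ['/proc/%d/stat' % i for i in range(1000)]
    guarded, indexed = build_profile(rules), build_profile(rules)
    same = modes_by_membership(guarded, probes) == modes_by_index(indexed, probes)
    # Same answer either way, but the indexed table has grown by 1000 entries.
    return same, path_count(guarded), path_count(indexed)

if __name__ == '__main__':
    print(demo())
```

Every later pass over the indexed table has to visit the empty entries too, which is the wasted work the message describes.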