[apparmor] Apparmor : wild cards/CPU spike

John Johansen john.johansen at canonical.com
Thu May 5 23:50:22 UTC 2022


On 5/5/22 11:34, Murali Selvaraj wrote:
> Hi All,
> 
> I have enabled Apparmor in my embedded system running in 4.9 Kernel and 4 processes are running in enforce mode.
> 
> I have an entry in all four profiles ( /tmp/** rw ).  Do you think it will cause the CPU spike?

It should not. The additional mediation beyond DAC does cause some additional overhead. How much depends on
the test/syscall, but generally the value is small, on the order of 1% or within statistical noise.

> If we have multiple wild card entries in the profile, will it really cause the CPU spike.
> 
No more than any other rule. AppArmor policy goes through a compile that builds a minimized state
machine. This means that the runtime cost does not vary by the number of rules or the type
of rules used, whether you have 1 rule or 10k rules, and whether they are all just name matches or
all of the rules use wild cards.

The time taken to do a match is based on the length of the path being matched and is similar to
the cost of string compare.

> I compared profiles in enforce vs disable; I could see the overall CPU usage around 1% difference.
> Do we have any CPU threshold impact as expected by enabling Apparmor? 
> 

It very much depends on the workload, and I will add the caveat that I haven't done any performance
overhead testing recently, but around 1% was what testing averaged last I looked. I should also
note that unconfined generally doesn't have measurable overhead as it is treated specially to
minimize time in the apparmor code. This means that only applications that are confined should see
mediation overhead.

> Please share your suggestions.
> 
> Thanks
> Murali.S
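The "compile to a state machine, then match in time proportional to the path" behaviour John describes, shown as an added toy example (not AppArmor's parser; it supports only literals, "*", "**" and "?", treats wildcards as zero-or-more, and skips the minimization step): a set of path rules is subset-constructed into one DFA, after which matching any path costs one table lookup per character no matter how many rules were compiled.

```python
# Constructed toy, not AppArmor's parser: rules {glob: perms} -> one DFA; match = 1 lookup/char.
OTHER = object()  # alphabet symbol for any character that no rule names literally
def tokenize(glob):
    """Split a glob into atoms: '**', '*', '?' or a single literal character."""
    atoms, i = [], 0
    while i < len(glob):
        atoms.append("**" if glob.startswith("**", i) else glob[i])
        i += len(atoms[-1])
    return atoms

def compile_rules(rules):
    """Subset-construct a single DFA over all rules; NFA states are (rule, atom index)."""
    atoms = {r: tokenize(r) for r in rules}
    literals = {a for ats in atoms.values() for a in ats if a not in ("*", "**", "?")} | {"/"}
    def closure(states):  # '*' and '**' may match zero characters: skip past them
        out, stack = set(states), list(states)
        while stack:
            r, i = stack.pop()
            if i < len(atoms[r]) and atoms[r][i] in ("*", "**") and (r, i + 1) not in out:
                out.add((r, i + 1)); stack.append((r, i + 1))
        return frozenset(out)
    def step(states, sym):  # NFA move of every active rule on one input symbol
        out = set()
        for r, i in states:
            a = atoms[r][i] if i < len(atoms[r]) else None
            if a == "**" or (a == "*" and sym != "/"):
                out.add((r, i))      # wildcard keeps consuming ('*' stops at '/')
            elif (a == "?" and sym != "/") or a == sym:
                out.add((r, i + 1))
        return closure(out)

    start = closure([(r, 0) for r in atoms])
    ids, table, accept, work = {start: 0}, {}, {}, [start]
    while work:  # explore every reachable DFA state once (no minimization here)
        s = work.pop()
        accept[ids[s]] = "".join(sorted({p for r, i in s if i == len(atoms[r]) for p in rules[r]}))
        for sym in literals | {OTHER}:
            t = step(s, sym)
            if t not in ids:
                ids[t] = len(ids); work.append(t)
            table[(ids[s], sym)] = ids[t]
    return table, accept, literals

def match(compiled, path):
    """Returns (permissions, lookups): lookups == len(path), independent of rule count."""
    table, accept, literals = compiled
    state = steps = 0
    for steps, ch in enumerate(path, 1):
        state = table[(state, ch if ch in literals else OTHER)]
    return accept[state], steps
```

Compiling the same path rule on its own or together with hundreds of others yields the same number of lookups for a given path; only the compile step grows with the rule set.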
