[apparmor] [Bug 2025030] Re: apparmor_parser -O no-expr-simplify problematic
Michael Vogt
2025030 at bugs.launchpad.net
Mon Jun 26 08:53:34 UTC 2023
Just another data point, it seems some expressions are quite
pathological, e.g. removing
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/config r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/revision r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/resource r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/irq r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/boot_vga r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/{,subsystem_}class r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/{,subsystem_}device r,
/sys/devices/{,*pcie-controller/,platform/{soc,scb}/*.pcie/}pci[0-9a-f]*/**/{,subsystem_}vendor r,
/sys/devices/**/drm{,_dp_aux_dev}/** r,
makes the profile generation go down from 44s -> 10s, so it seems some
specific lines are most likely causing this issue.
--
https://bugs.launchpad.net/bugs/2025030
Title:
apparmor_parser -O no-expr-simplify problematic
Status in snapd:
New
Bug description:
There was a recent issue with a core refresh that caused breakage.
Upon further investigation it turns out that the apparmor_parser uses
a substantial amount of memory.
Upon some more investigation it turns out that -O no-expr-simplify
makes both time to compile and memory usage increase 10x.
Tested with 22.04 but I see the same ballpark results with 16.04:
$ /usr/bin/time --verbose apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
Command being timed: "apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor"
User time (seconds): 4.32
Maximum resident set size (kbytes): 117392
$ /usr/bin/time --verbose apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
Command being timed: "apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor"
User time (seconds): 40.64
Maximum resident set size (kbytes): 1015816
Profile is attached.
It seems like we seriously need to consider dropping "-O no-expr-simplify".
For context:
https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858
is why it was added in the first place
And some recent work to make things faster:
https://gitlab.com/apparmor/apparmor/-/merge_requests/711
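The approach in the message above (remove rules, re-time the compile), automated as an added example that is not part of the original thread or of the snapd/AppArmor code: it groups path rules by their directory part, drops one group at a time and ranks the groups by compile time saved. The function names and the grouping heuristic are assumptions made here; the apparmor_parser flags are the ones quoted in the bug description.

```python
import subprocess
import tempfile
import time
from collections import defaultdict

# Flags as quoted in the bug description; -S writes the compiled policy to stdout.
PARSER_CMD = ["apparmor_parser", "-O", "no-expr-simplify", "-S"]

def compile_seconds(profile_text):
    """Wall-clock seconds apparmor_parser needs to compile profile_text."""
    with tempfile.NamedTemporaryFile("w", suffix=".profile") as f:
        f.write(profile_text)
        f.flush()
        start = time.monotonic()
        subprocess.run(PARSER_CMD + [f.name], stdout=subprocess.DEVNULL, check=True)
        return time.monotonic() - start

def group_path_rules(lines):
    """Map the directory part of each path rule to the line indices using it.

    Heuristic (assumption): a path rule starts with '/' and ends with ','.
    """
    groups = defaultdict(list)
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("/") and s.endswith(","):
            path = s.split()[0]
            groups[path.rsplit("/", 1)[0] or "/"].append(i)
    return groups

def rank_rule_groups(profile_text, measure=compile_seconds):
    """Drop one rule group at a time; rank groups by compile time saved."""
    lines = profile_text.splitlines()
    baseline = measure(profile_text)
    ranked = []
    for prefix, idxs in group_path_rules(lines).items():
        drop = set(idxs)
        reduced = "\n".join(l for i, l in enumerate(lines) if i not in drop) + "\n"
        ranked.append((baseline - measure(reduced), prefix, len(idxs)))
    return baseline, sorted(ranked, reverse=True)

if __name__ == "__main__":
    import sys
    base, ranked = rank_rule_groups(open(sys.argv[1]).read())
    print(f"baseline {base:.1f}s")
    for saved, prefix, n in ranked[:10]:
        print(f"{saved:8.1f}s saved  {n:3d} rule(s)  {prefix}")
```

Run it with the profile path as the only argument; rules that share a directory part are removed together, since dropping only one of several rules with the same prefix can hide the cost of that prefix.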