[apparmor] patch - fix some bugs which appear to be the performance bug I was looking for

Christian Boltz apparmor at cboltz.de
Wed Nov 26 19:33:51 UTC 2014 

Hello,

Am Dienstag, 25. November 2014 schrieb Peter Maloney:
> Using the new hasher() from my previous patch, I found some problems.
> 
> One fix is here:
> 
> -                            if aa[profile][hat][incname]:
> +                            if
> aa[profile][hat]['include'].get(incname, False):
>                                  continue
> 
> I believe the old line would have created a new hasher (defaultdict)
> in the wrong place. The dict where it should have been needs to be
> fetched with the key 'include'. So this created lots of garbage in
> the aa[...] dict, plus would always return False, so the "continue"
> which was likely a performance optimization, was never called.

Indeed, nice catch!

> And another here:
> -                                    if
> aa[profile][hat]['allow']['path'][path].get('mode', False):
> -                                        mode |=
> aa[profile][hat]['allow']['path'][path]['mode']
> +                                    if path in
> aa[profile][hat]['allow']['path']:
> +                                        if
> aa[profile][hat]['allow']['path'][path].get('mode', False):
> +                                            mode |=
> aa[profile][hat]['allow']['path'][path]['mode']
> 
> And here:
> -        if include[incfile][incfile][allow]['path'][path]:
> +        if path in include[incfile][incfile][allow]['path']:
> 
> This one just prevents creating extra paths while looking them up. I
> believe this had a significant impact on performance, because it was
> going through more paths than it had to, to match against regexes, to
> find the modes, to " |= " them to a list. But the resulting dict was
> empty, so it would just add nothing and waste time.

Indeed.
 
> The first fix uses get(...,"False") because we want the value, which
> is either True or False. The others return strings or dicts. I don't
> understand why get('mode'), False) should be done instead of "if
> 'mode' in ..." but I left it the way it was since I think it works.

Those little changes bring a massive performance improvement - on my 
laptop, it did speedup aa-logprof (3.5 MB audit.log, without any 
questions asked) from 14 to 3.5 seconds :-)

Thanks for your patch!

For completeness, I should note that the patch also adds the filename in 
the "Can't find system log" exception. (I changed it back to '...' 
quotes.)


That said:
Acked-By: Christian Boltz <apparmor at cboltz.de>

I'll commit it to bzr in a minute.


Regards,

Christian Boltz
-- 
Personal Firewall bietet Schutz vor klassischen Angriffen -- Was hat
man unter "klassischen Angriffen" zu verstehen? -- Seltsam angezogene
Fremde rollen ein riesiges Holzpferd vor Deine Haustür...
[Johannes Sackmann, Heiko Schlenker, Ralf Bürckner]

More information about the AppArmor mailing list