[apparmor] [Bug 2025030] Re: apparmor_parser -O no-expr-simplify problematic
Philip Meulengracht
2025030 at bugs.launchpad.net
Mon Jul 3 08:12:29 UTC 2023
On the encouragement from mvo, I made a small tool that can optimize a
generated snapd apparmor profile. By using the profile from this bug, I
can see almost 50% improvement in cpu time and memory time. It was just
a small side-project while I was working.
https://github.com/Meulengracht/aa-preprocess
Profile used (https://launchpadlibrarian.net/674087996/snap.screenly-client.command-executor)
Before running the tool
User time (seconds): 6.73
Maximum resident set size (kbytes): 294408
After running the tool
Optimized profile here (https://paste.ubuntu.com/p/GCt6j4zrzW/)
User time (seconds): 3.56
Maximum resident set size (kbytes): 167712
Both times are run with "apparmor_parser -O no-expr-simplify". The tool is not that sophisticated and simply consolidates lines that match each other in permissions and wildcards to reduce the number of lines in the apparmor profile. Maybe it's something that can be considered somewhere to increase performance?
--
https://bugs.launchpad.net/bugs/2025030
Title:
apparmor_parser -O no-expr-simplify problematic
Status in snapd:
In Progress
Bug description:
There was a recent issue with a core refresh that caused breakage.
Upon further investigation it turns out that the apparmor_parser uses
a substantial amount of memory.
Upon some more investigation it turns out that -O no-expr-simplify
makes both time to compile and memory usage increase 10x.
Tested with 22.04 but I see the same ballpark results with 16.04:
$ /usr/bin/time --verbose apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
Command being timed: "apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor"
User time (seconds): 4.32
Maximum resident set size (kbytes): 117392
$ /usr/bin/time --verbose apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
Command being timed: "apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor"
User time (seconds): 40.64
Maximum resident set size (kbytes): 1015816
Profile is attached.
It seems like we seriously need to consider dropping "-O no-expr-simplify".
For context:
https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858
is why it was added in the first place
And some recent work to make things faster:
https://gitlab.com/apparmor/apparmor/-/merge_requests/711
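A sketch of the kind of rule consolidation described in the message above, as an added example: it is not code from aa-preprocess, whose actual algorithm is not shown on this page. It assumes only simple `path perms,` file rules, merges rules that share qualifiers, permissions and every path component except the last, and runs on constructed sample rules; the names `consolidate`, `render` and `SAMPLE` are hypothetical.

```python
import re

# Simple file rule: optional qualifiers, absolute path, permissions, trailing comma.
RULE = re.compile(r"^(\s*)((?:(?:audit|deny|owner)\s+)*)(/\S*)\s+([a-zA-Z]+),\s*$")
ORDER_FREE = set("rwaklm")  # permission letters whose order carries no meaning

def render(key, leaves):
    indent, qual, head, tail, perms = key
    leaf = leaves[0] if len(leaves) == 1 else "{" + ",".join(leaves) + "}"
    return f"{indent}{qual + ' ' if qual else ''}{head}/{leaf}{tail} {perms},"

def consolidate(lines):
    """Merge file rules that differ only in their last path component."""
    out, groups = [], {}
    for line in lines:
        m = RULE.match(line)
        if not m:
            out.append(line)  # comments, includes, other rule types: untouched
            continue
        indent, qual, path, perms = m.groups()
        tail = "/" if path.endswith("/") else ""
        head, _, leaf = path.rstrip("/").rpartition("/")
        if not leaf or set(leaf) & set("{},"):
            out.append(line)  # "/" itself or an existing alternation: untouched
            continue
        if set(perms) <= ORDER_FREE:
            perms = "".join(sorted(set(perms)))  # "wr" and "rw" grant the same access
        key = (indent, " ".join(qual.split()), head, tail, perms)
        if key not in groups:
            groups[key] = []
            out.append(key)  # placeholder keeps the position of the first rule
        if leaf not in groups[key]:
            groups[key].append(leaf)
    return [render(x, groups[x]) if isinstance(x, tuple) else x for x in out]

# Constructed sample rules (assumption), not taken from the snapd profile in the bug.
SAMPLE = """\
  /etc/fonts/conf.d/ r,
  /usr/share/fonts/ r,
  /usr/share/icons/ r,
  /var/lib/snapd/hostfs/a.conf rw,
  /var/lib/snapd/hostfs/b.conf wr,
  owner /proc/@{pid}/stat r,
  owner /proc/@{pid}/status r,
  deny /proc/@{pid}/mem w,
""".splitlines()

if __name__ == "__main__":
    merged = consolidate(SAMPLE)
    print("\n".join(merged))
    print(f"# {len(SAMPLE)} rules -> {len(merged)} rules")
```

AppArmor accumulates rules rather than evaluating them in order, so emitting the merged rule at the position of its first member does not change what the profile allows.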