[apparmor] [Bug 2025030] Re: apparmor_parser -O no-expr-simplify problematic

Ondrej Kubik 2025030 at bugs.launchpad.net
Thu Jul 6 17:07:04 UTC 2023


@Alex Murray <alex.murray at canonical.com> a GitHub action is a good idea
to optimise on the interface level, and the PR I opened is trying to do that
(though I have done it manually).
But this has a limitation, as this optimisation can be done only per interface.
Preprocessing the full profile has the potential to optimise
across interfaces when multiple interfaces could define the same expression.
But one can argue that apparmor_parser should have this as the first step
before even parsing the profile: a dummy dedupe and simplification of the
profile before building the tree.
It seems a lot cheaper as a pre-processing step.


On Tue, 4 Jul 2023 at 04:25, John Johansen <2025030 at bugs.launchpad.net>
wrote:

> so I think this is largely because the apparmor version snap is using is
> not running rule deduplication on mount rules.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2025030
>
> Title:
>   apparmor_parser -O no-expr-simplify problematic
>
> Status in snapd:
>   In Progress
>
> Bug description:
>   There was a recent issue with a core refresh that caused breakage.
>   Upon further investigation it turns out that the apparmor_parser uses
>   a substantial amount of memory.
>
>   Upon some more investigation it turns out that -O no-expr-simplify
>   makes both time to compile and memory usage increase 10x.
>   Tested with 22.04 but I see the same ballpark results with 16.04:
>
>   $ /usr/bin/time --verbose apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
>       Command being timed: "apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor"
>       User time (seconds): 4.32
>       Maximum resident set size (kbytes): 117392
>
>   $ /usr/bin/time --verbose apparmor_parser  -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
>       Command being timed: "apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor"
>       User time (seconds): 40.64
>       Maximum resident set size (kbytes): 1015816
>
>   Profile is attached.
>
>
>   It seems like we seriously need to consider dropping "-O no-expr-simplify".
>
>   For context:
>   https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858
>   is why it was added in the first place
>
>   And some recent work to make things faster:
>   https://gitlab.com/apparmor/apparmor/-/merge_requests/711
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snapd/+bug/2025030/+subscriptions
>
>
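
The pre-processing step discussed in the reply above (a textual dedupe of the full profile before it reaches apparmor_parser), sketched as an added example; this is not code from snapd, the PR, or apparmor_parser. The function name and the sample profile are constructed for illustration, and it only removes exact repeats of a rule within one profile or hat block, not the expression simplification the parser performs.

```python
PASSTHROUGH = ("#", "@", "include ")   # comments/#include, variables, include lines
def dedupe_profile(text):
    """Drop exact-duplicate rules inside each { } scope; return (text, removed)."""
    scopes, out, pending, removed = [set()], [], [], 0   # one "seen" set per level
    for line in text.splitlines():
        s = line.strip()
        if not pending:
            if not s or s.startswith(PASSTHROUGH):
                out.append(line)
                continue
            if s.startswith("}") or s.endswith("{"):
                if s.startswith("}") and len(scopes) > 1:
                    scopes.pop()          # leaving a profile/hat block
                if s.endswith("{"):
                    scopes.append(set())  # entering a profile/hat block
                out.append(line)
                continue
        pending.append(line)
        joined = " ".join(p.strip() for p in pending)
        # A rule ends at a trailing comma once its parentheses are balanced.
        if not s.endswith(",") or joined.count("(") != joined.count(")"):
            continue
        key = joined if '"' in joined else " ".join(joined.split())
        if key in scopes[-1]:
            removed += 1
        else:
            scopes[-1].add(key)
            out.extend(pending)
        pending = []
    out.extend(pending)                   # unterminated tail is left untouched
    return "\n".join(out) + "\n", removed

# Constructed sample: two interface snippets that repeat the same rules.
SAMPLE = """\
profile snap.example.app {
  # interface A
  mount options=(rw, bind) /snap/example/ -> /tmp/a/,
  /dev/null rw,
  # interface B
  mount   options=(rw, bind) /snap/example/ -> /tmp/a/,
  mount options=(rw,
                 bind) /snap/example/ -> /tmp/b/,
  /dev/null rw,
  ^hat {
    /dev/null rw,
  }
}
"""
if __name__ == "__main__":
    print(dedupe_profile(SAMPLE)[0])
```

Rules inside the hat are kept even when they repeat a rule of the enclosing profile, because each block is a separate scope.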
