
touch-packages team mailing list archive

[Bug 1383858] Re: improve click apparmor policy times by using 'no-expr-simplify' parser option for click policy


** Description changed:

  AppArmor has several optimization options that can be used to help speed
  up policy compiles for certain types of policy. Currently, we are using
  expr tree simplification option by default, which has dramatic affects
  on policy compiles for the evince profile. However, with click profiles
  not using expr tree simplification (ie, adding the '-O no-expr-simplify'
- option) can improve click policy generation by 44%.
+ option) can improve click policy generation by 44% (375 vs 210 seconds).
  
  Short term for rtm is to to use '-O no-expr-simplify' when compiling
  policy in /var/lib/apparmor/profiles but leave /etc/apparmor.d alone. We
  can do the same with click-apparmor.
  
  The long term fix is to adjust expr tree simplification to be more
  efficient (at least as fast as without) and drop the '-O no-expr-
  simplify' option.
+ 
+ Justification: apparmor policy recompilation is not expected to happen
+ as part of the normal user experience (see bug #1350598 for a lot of
+ detail) and it is expected to only happen on upgrades from 14.10 to
+ 15.04 or to fix very serious apparmor or apparmor policy bugs. None of
+ these bugs are currently scheduled for OTA. However, *if* we ever need
+ to fix one of these, policy will have to be recompiled.
+ 
+ Choices:
+ 1. do nothing for RTM since policy recompiles are expected to be rare, but do apply this change to 15.04. Policy is expected to be recompiled on upgrades to 15.04 and upgrades would use the new option
+ 2. apply this change in OTA. This is problematic because this change alone will trigger a policy recompilation that would not otherwise be needed. Optionally, this change could accompany a severe bug fix
+ 
+ Risk:
+ The change consists of a small modification to the apparmor upstart job and a change to the arguments click-apparmor gives to apparmor_parser. The risk assessment is considered low because of the size of the change and the simple test case will immediately indicate if either were applied incorrectly.
+ 
+ Test case:
+ 1. run aa-status | wc -l and note the result
+ 2. install the new apparmor and click-apparmor packages and verify there are no errors during installation
+ 3. reboot
+ 4. run aa-status | wc -l and compare to '1'
+ 
+ If they are the same, it indicates the upstart job is properly loading
+ the profiles generated by click apparmor.

** Description changed:

  AppArmor has several optimization options that can be used to help speed
  up policy compiles for certain types of policy. Currently, we are using
  expr tree simplification option by default, which has dramatic affects
  on policy compiles for the evince profile. However, with click profiles
  not using expr tree simplification (ie, adding the '-O no-expr-simplify'
  option) can improve click policy generation by 44% (375 vs 210 seconds).
  
  Short term for rtm is to to use '-O no-expr-simplify' when compiling
  policy in /var/lib/apparmor/profiles but leave /etc/apparmor.d alone. We
  can do the same with click-apparmor.
  
  The long term fix is to adjust expr tree simplification to be more
  efficient (at least as fast as without) and drop the '-O no-expr-
  simplify' option.
  
  Justification: apparmor policy recompilation is not expected to happen
  as part of the normal user experience (see bug #1350598 for a lot of
  detail) and it is expected to only happen on upgrades from 14.10 to
  15.04 or to fix very serious apparmor or apparmor policy bugs. None of
  these bugs are currently scheduled for OTA. However, *if* we ever need
  to fix one of these, policy will have to be recompiled.
  
  Choices:
  1. do nothing for RTM since policy recompiles are expected to be rare, but do apply this change to 15.04. Policy is expected to be recompiled on upgrades to 15.04 and upgrades would use the new option
  2. apply this change in OTA. This is problematic because this change alone will trigger a policy recompilation that would not otherwise be needed. Optionally, this change could accompany a severe bug fix
  
  Risk:
  The change consists of a small modification to the apparmor upstart job and a change to the arguments click-apparmor gives to apparmor_parser. The risk assessment is considered low because of the size of the change and the simple test case will immediately indicate if either were applied incorrectly.
  
  Test case:
  1. run aa-status | wc -l and note the result
  2. install the new apparmor and click-apparmor packages and verify there are no errors during installation
  3. reboot
  4. run aa-status | wc -l and compare to '1'
  
  If they are the same, it indicates the upstart job is properly loading
  the profiles generated by click apparmor.
+ 
+ While these changes may occur separately, landing them at the same time
+ along with a regenerated custom tarball (for preinstalled policy) will
+ reduce policy recompiles.

** Summary changed:

- improve click apparmor policy times by using 'no-expr-simplify' parser option for click policy
+ expr-simplify optimization slows click policy compilation

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => Triaged

** Changed in: apparmor
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1383858

Title:
  expr-simplify optimization slows click policy compilation

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Triaged
Status in “click-apparmor” package in Ubuntu:
  Triaged

Bug description:
  AppArmor has several optimization options that can be used to help
  speed up policy compiles for certain types of policy. Currently, we
  are using the expr tree simplification option by default, which has
  dramatic effects on policy compiles for the evince profile. However,
  with click profiles, not using expr tree simplification (i.e., adding
  the '-O no-expr-simplify' option) can improve click policy generation
  by 44% (375 vs 210 seconds).

  Short term for rtm is to use '-O no-expr-simplify' when compiling
  policy in /var/lib/apparmor/profiles but leave /etc/apparmor.d alone.
  We can do the same with click-apparmor.

  The long term fix is to adjust expr tree simplification to be more
  efficient (at least as fast as without) and drop the '-O no-expr-
  simplify' option.

  Justification: apparmor policy recompilation is not expected to happen
  as part of the normal user experience (see bug #1350598 for a lot of
  detail) and it is expected to only happen on upgrades from 14.10 to
  15.04 or to fix very serious apparmor or apparmor policy bugs. None of
  these bugs are currently scheduled for OTA. However, *if* we ever need
  to fix one of these, policy will have to be recompiled.

  Choices:
  1. do nothing for RTM since policy recompiles are expected to be rare, but do apply this change to 15.04. Policy is expected to be recompiled on upgrades to 15.04 and upgrades would use the new option
  2. apply this change in OTA. This is problematic because this change alone will trigger a policy recompilation that would not otherwise be needed. Optionally, this change could accompany a severe bug fix

  Risk:
  The change consists of a small modification to the apparmor upstart job and a change to the arguments click-apparmor gives to apparmor_parser. The risk assessment is considered low because of the size of the change and the simple test case will immediately indicate if either were applied incorrectly.

  Test case:
  1. run aa-status | wc -l and note the result
  2. install the new apparmor and click-apparmor packages and verify there are no errors during installation
  3. reboot
  4. run aa-status | wc -l and compare to '1'

  If they are the same, it indicates the upstart job is properly loading
  the profiles generated by click-apparmor.

  While these changes may occur separately, landing them at the same
  time along with a regenerated custom tarball (for preinstalled policy)
  will reduce policy recompiles.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1383858/+subscriptions
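The short-term fix described in the bug (pass '-O no-expr-simplify' only for the click policy under /var/lib/apparmor/profiles, leave /etc/apparmor.d on the parser defaults) and the aa-status line-count test case, as an added shell example. This is not the apparmor upstart job or click-apparmor code from the bug, and the exact arguments those packages pass to apparmor_parser are not on the page; the script assumes apparmor_parser and aa-status are in PATH, that it is run as root when compiling, and uses the two directory names from the bug text. The -r, -W, -T and -O options are real apparmor_parser options; the helper names (parser_opts, compile_dir, loaded_profile_lines, counts_match) are this example's own.

```shell
#!/bin/sh
# Added example, not the apparmor/click-apparmor packages' own code.
# Compiles one profile directory with the per-directory optimisation
# the bug proposes, timing the run so the 375s vs 210s comparison can
# be reproduced locally, and wraps the aa-status check from the test case.
# Assumptions: apparmor_parser/aa-status in PATH, run as root to load policy.

CLICK_PROFILE_DIR=/var/lib/apparmor/profiles   # click-apparmor generated policy
SYSTEM_PROFILE_DIR=/etc/apparmor.d             # distro policy, left on defaults

# Extra apparmor_parser options for a profile directory.  Only the
# click-generated policy gets -O no-expr-simplify; /etc/apparmor.d
# (e.g. the evince profile) keeps expr tree simplification, which is a
# large win there.  Prints nothing for any other directory.
parser_opts() {
    case "$1" in
        "$CLICK_PROFILE_DIR") echo "-O no-expr-simplify" ;;
        *) echo "" ;;
    esac
}

# Compile and load every profile in a directory, reporting wall time.
#   -r  replace already-loaded profiles
#   -W  write the binary cache
#   -T  skip reading an existing cache, so the timing is a real compile
# Returns apparmor_parser's exit status, or 1 if the directory is missing.
compile_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such profile dir: $dir" >&2
        return 1
    fi
    start=$(date +%s)
    # parser_opts is deliberately unquoted so "-O no-expr-simplify"
    # splits into two arguments (or into nothing for /etc/apparmor.d).
    # shellcheck disable=SC2046
    apparmor_parser -r -W -T $(parser_opts "$dir") "$dir"
    rc=$?
    echo "$dir: rc=$rc, $(( $(date +%s) - start ))s elapsed" >&2
    return $rc
}

# Line count of aa-status output; the bug's test case records this
# before the upgrade and compares it after the reboot.
loaded_profile_lines() {
    aa-status 2>/dev/null | wc -l
}

# 0 when the before/after counts match (click profiles still loaded),
# 1 when they differ (the upstart job or click-apparmor change broke loading).
counts_match() {
    [ "$1" -eq "$2" ]
}
```

To reproduce the bug's measurement, run `compile_dir "$CLICK_PROFILE_DIR"` once with parser_opts returning the flag and once with it returning nothing; adding `-Q` (`--skip-kernel-load`) to the apparmor_parser line times the compile alone without touching the running kernel policy. The test case maps to `before=$(loaded_profile_lines)`, upgrade and reboot, then `counts_match "$before" "$(loaded_profile_lines)"`.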