touch-packages team mailing list archive

[Bug 1383858] Re: expr-simplify optimization slows click policy compilation


** Branch linked: lp:ubuntu/apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to click-apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1383858

Title:
  expr-simplify optimization slows click policy compilation

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “click-apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” package in Ubuntu RTM:
  Fix Released
Status in “click-apparmor” package in Ubuntu RTM:
  Fix Released

Bug description:
  AppArmor has several optimization options that can be used to help
  speed up policy compiles for certain types of policy. Currently, we
  are using the expr tree simplification option by default, which has
  dramatic effects on policy compiles for the evince profile. However,
  with click profiles, not using expr tree simplification (i.e., adding the
  '-O no-expr-simplify' option) can improve click policy generation by
  44% (375 vs 210 seconds).

  On Krillin, the difference is even more substantial: 636 vs 233
  seconds (63%).

  Short term for rtm is to use '-O no-expr-simplify' when compiling
  policy in /var/lib/apparmor/profiles but leave /etc/apparmor.d alone.
  We can do the same with click-apparmor. Note: the fix for bug #1385947
  must be included with this fix.

  The long term fix is to adjust expr tree simplification to be more
  efficient (at least as fast as without) and drop the
  '-O no-expr-simplify' option.

  Justification: apparmor policy recompilation is not expected to happen
  as part of the normal user experience (see bug #1350598 for a lot of
  detail) and it is expected to only happen on upgrades from 14.10 to
  15.04 or to fix very serious apparmor or apparmor policy bugs. None of
  these bugs are currently scheduled for OTA. However, *if* we ever need
  to fix one of these, policy will have to be recompiled.

  Choices:
  1. do nothing for RTM since policy recompiles are expected to be rare, but do apply this change to 15.04. Policy is expected to be recompiled on upgrades to 15.04 and upgrades would use the new option
  2. apply this change in OTA. This is problematic because this change alone will trigger a policy recompilation that would not otherwise be needed. Optionally, this change could accompany a severe bug fix

  Risk:
  The change consists of a small modification to the apparmor upstart job and a change to the arguments click-apparmor gives to apparmor_parser. The risk assessment is considered low because of the size of the change and the simple test case will immediately indicate if either were applied incorrectly.

  Test case:
  1. run aa-status | wc -l and note the result
  2. install the new apparmor and click-apparmor packages and verify there are no errors during installation
  3. reboot
  4. run aa-status | wc -l and compare to '1'
  5. run 'sudo start apparmor' and make sure it finishes in a few seconds

  If they are the same, it indicates the upstart job is properly loading
  the profiles generated by click apparmor.

  While these changes may occur separately, landing them at the same
  time along with a regenerated custom tarball (for preinstalled policy)
  will reduce policy recompiles.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1383858/+subscriptions
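The following is an added illustration and is not code from the bug report, the apparmor upstart job or click-apparmor. It shows the two ideas in the report as runnable shell: choosing apparmor_parser options per profile tree (only /var/lib/apparmor/profiles gets '-O no-expr-simplify', /etc/apparmor.d is left alone), and the test case's before/after comparison of aa-status output. The aa-status samples are constructed; the click profile names in them are made up.

```shell
#!/bin/sh
# Added example, not the Ubuntu upstart job or click-apparmor code.

# Print the extra apparmor_parser options for a profile directory.
# Only the click policy tree gets '-O no-expr-simplify'; /etc/apparmor.d
# keeps the default optimizations, as the short-term fix describes.
parser_opts_for_dir() {
    case "$1" in
        /var/lib/apparmor/profiles|/var/lib/apparmor/profiles/*)
            echo "-O no-expr-simplify" ;;
        *)
            echo "" ;;
    esac
}

# Print the command that would (re)load one profile tree. Dry run only:
# nothing is executed here, the string is just shown.
load_command_for_dir() {
    dir="$1"
    opts="$(parser_opts_for_dir "$dir")"
    echo "apparmor_parser -r ${opts:+$opts }$dir"
}

# Extract the "N profiles are loaded." count from aa-status output on stdin.
# The report compares 'aa-status | wc -l' before and after; that line count
# also moves when the set of confined *processes* changes between the two
# runs, so this isolates the profile count instead.
loaded_profiles() {
    awk '/profiles are loaded/ { print $1; exit }'
}

# Constructed aa-status output standing in for the run before the upgrade.
SAMPLE_BEFORE='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   com.example.app_app_1.0
   com.example.other_other_2.1
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (742)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed output after reboot: same profiles, one more confined process,
# so 'wc -l' would differ even though the click profiles all loaded.
SAMPLE_AFTER='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   com.example.app_app_1.0
   com.example.other_other_2.1
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (742)
   com.example.app_app_1.0 (1203)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed output for a broken upstart job: the click profiles never loaded.
SAMPLE_BROKEN='apparmor module is loaded.
1 profiles are loaded.
1 profiles are in enforce mode.
   /usr/sbin/cupsd
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (742)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Return 0 if both outputs report the same (non-empty) number of loaded profiles.
same_profile_count() {
    before="$(printf '%s\n' "$1" | loaded_profiles)"
    after="$(printf '%s\n' "$2" | loaded_profiles)"
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Stand-alone run: show the per-tree commands and compare the samples.
load_command_for_dir /etc/apparmor.d
load_command_for_dir /var/lib/apparmor/profiles
if same_profile_count "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "profile count unchanged: the job loaded the click profiles"
else
    echo "profile count differs: check the upstart job and click-apparmor" >&2
fi
```

On a real system the two samples would come from running aa-status before the upgrade and after the reboot, exactly as in the test case; the point of parsing the "profiles are loaded" line rather than counting lines is that a new confined process between the two runs does not produce a false mismatch.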
