https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c2 --- Comment #2 from Jeff Mahoney 2011-07-20 18:38:02 UTC --- # opreport $(which apparmor_parser) --symbols Overflow stats not available CPU: AMD64 family10, speed 800 MHz (estimated) Counted CPU_CLK_UNHALTED events (Cycles outside of halt state) with a unit mask of 0x00 (No unit mask) count 100000 samples % symbol name 83003 45.6710 __cxxabiv1::__si_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const 17957 9.8805 __gxx_exception_cleanup(_Unwind_Reason_Code, _Unwind_Exception*) 15586 8.5759 __cxa_call_unexpected 12571 6.9170 __dynamic_cast 8855 4.8723 __cxxabiv1::__class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const 6884 3.7878 __cxa_throw 6209 3.4164 __gxx_personality_v0 5419 2.9817 simplify_tree_base(Node*, int, bool&) 3880 2.1349 operator new(unsigned long) 3209 1.7657 normalize_tree(Node*, int) 2725 1.4994 __cxa_rethrow 1629 0.8963 basic_simplify(Node*, int) 820 0.4512 std::_Rb_tree_increment(std::_Rb_tree_node_base*) 715 0.3934 regexp_parse(Node**, char const*) 693 0.3813 yylex 588 0.3235 CatNode::eq(Node*) 547 0.3010 CharNode::eq(Node*) 507 0.2790 TransitionTable::flex_table(std::ostream&, char const*) 489 0.2691 std::_Rb_tree_insert_and_rebalance(bool, std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::_Rb_tree_node_base&) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c4 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #4 from Christian Boltz 2011-09-16 17:22:34 CEST --- Factory has AppArmor 2.7 beta1 since some days (and will be updated to 2.7 beta2 in some hours). Do you still see the performance problems with this version? (Testing with 2.7 beta1 is ok, there were no parser-related changes for beta2.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c6 --- Comment #6 from Christian Boltz 2011-10-05 22:54:34 CEST --- quote from the duplicate (bug 722292)

a) move profiles into the actual packages where the binaries are

That would cause a maintenance hell :-( I spent several evenings to push lots of openSUSE profile patches upstream. The profiles in the apparmor-profiles package are directly taken from upstream (one or two are still patched). I also unified the profile for /usr/sbin/nscd which was shipped in the nscd/unscd packages before - I merged the differences and moved it back to the apparmor-profiles package. The nscd profile(s) already showed the (IMHO usual) problem with having a profile in the same package as the binary: it gets outdated and doesn't get updates from upstream (for example /var/run vs. /run was solved upstream, but not in the *nscd package). Moving each profile to the package with the binary would mean that each of those packages would need to include updated profiles from upstream on new apparmor releases - and I'm afraid most would forget to do it and ship outdated profiles. If you have an idea how to include the latest profiles in each binary package _automatically_, please tell me ;-)

or create subpackages that supplement them.

This would result in about 20 subpackages for /etc/apparmor.d/*, most of them with only one file. I'd guess those packages would need more space in the rpm database than in /etc/ ;-)

b) speed up apparmor_parser

That's an ongoing task upstream, and there were big improvements since the 2.3 release. But yes, there's still lots of room for optimization ;-) John just told me in #apparmor that several patches are in the works (including a rewrite of the code where most dynamic casts are), but they won't make it into apparmor 2.7. He'll probably add a comment with more details soon. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c8 --- Comment #8 from John Johansen 2011-10-05 21:18:15 UTC --- To turn profile caching on by default in AppArmor 2.7 (this does not work in earlier versions) Add the line write-cache to /etc/apparmor/parser.conf See man apparmor_parser for more details -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c10 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jeffm@suse.com |suse-beta@cboltz.de --- Comment #10 from Christian Boltz 2011-10-06 01:14:56 CEST --- .. and funnily the parser doesn't warn if the cache directory doesn't exist (will be fixed soon, John promised to send a patch). So make sure to run mkdir /etc/apparmor/cache ;-) I just tested caching on my factory system, which has only the upstream profiles. Time needed for "rcapparmor reload": - without caching: 7.5s - caching enabled, first run (= write the cache files): 10s - caching enabled, next runs: 0.3 to 0.4s :-) In other words: if the profiles are unchanged, caching makes loading the profiles 20 times faster :-) Needless to say that I will enable caching by default in the apparmor package. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c12 --- Comment #12 from Ludwig Nussel 2011-10-06 13:38:57 CEST --- (In reply to comment #7)

Currently precompiled policy is stored in /etc/apparmor.d/cache (Not the ideal place I know)

Certainly the wrong place. What about using /var/cache/apparmor? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=689458 https://bugzilla.novell.com/show_bug.cgi?id=689458#c14 --- Comment #14 from Christian Boltz 2011-10-10 12:25:15 CEST --- (In reply to comment #12)

(In reply to comment #7)

...

Currently precompiled policy is stored in /etc/apparmor.d/cache (Not the ideal place I know)

Certainly the wrong place. What about using /var/cache/apparmor?

That's what I use now. Upstream will probably also change the path to /var/cache/apparmor - but not in AppArmor 2.7. For 11.2 I'm using a symlink /etc/apparmor.d/cache -> /var/cache/apparmor. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.