On 5/5/22 11:34, Murali Selvaraj wrote:
> Hi All,
>
> I have enabled Apparmor in my embedded system running in 4.9 Kernel and 4
> processes are running in enforce mode.
>
> I have an entry in all four profiles ( /tmp/** rw ). Do you think it will
> cause the CPU spike?

It should not. The additional mediation beyond DAC does cause some additional overhead. How much depends on the test/syscall, but generally the value is small, on the order of 1% or within statistical noise.

> If we have multiple wild card entries in the profile, will it really cause
> the CPU spike.
>

No more than any other rule. AppArmor policy goes through a compile that builds a minimized state machine. This means that the runtime cost does not vary by the number of rules, or the type of rules used, whether you have 1 rule or 10k rules, and whether they are all just name matches or all the rules are using wild cards. The time taken to do a match is based on the length of the path being matched and is similar to the cost of a string compare.

> I compared profiles in enforce vs disable; I could see the overall CPU usage
> around 1% difference.
> Do we have any CPU threshold impact as expected by enabling Apparmor?
>

It very much depends on the workload, and I will add the caveat that I haven't done any performance overhead testing recently, but around 1% is what testing averaged last I looked. I should also note that unconfined generally doesn't have measurable overhead, as it is treated specially to minimize time in the apparmor code. This means that only applications that are confined should see mediation overhead.

> Please share your suggestions.
>
> Thanks
> Murali.S

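As an added illustration of the point made in the reply above (this is not AppArmor's own parser or kernel matcher), the following simplified model compiles AppArmor-style file globs (`*` stops at `/`, `**` does not) into one DFA and reports how many transitions a lookup took; the glob semantics and the accumulation of permissions across overlapping rules are simplifying assumptions, not a faithful copy of the real implementation.

```python
# Added illustrative model, not AppArmor's real parser or kernel matcher: compile
# AppArmor-style globs into one DFA; a lookup costs one transition per path char.
OTHER = None  # stands for any character that no rule mentions literally

def tokenize(glob):  # literal chars, '*' (run of non-'/' chars), '**' (any run)
    toks, i = [], 0
    while i < len(glob):
        n = 2 if glob.startswith("**", i) else 1
        toks.append(glob[i:i + n]); i += n
    return toks

def compile_rules(rules):
    """rules: list of (glob, perms). Returns (transitions, start, perms_by_state)."""
    toks = [tokenize(g) for g, _ in rules]
    alphabet = {c for t in toks for c in t if c not in ("*", "**")} | {"/"}
    def closure(states):  # a wildcard may match zero chars, so also skip past it
        out, stack = set(states), list(states)
        while stack:
            r, p = stack.pop()
            if p < len(toks[r]) and toks[r][p] in ("*", "**") and (r, p + 1) not in out:
                out.add((r, p + 1)); stack.append((r, p + 1))
        return frozenset(out)
    def step(states, sym):  # one NFA step on a symbol, then closure
        out = set()
        for r, p in states:
            if p < len(toks[r]):
                t = toks[r][p]
                if t == "**" or (t == "*" and sym != "/"):
                    out.add((r, p))       # wildcard keeps consuming
                elif t == sym:
                    out.add((r, p + 1))   # literal char advances
        return closure(out)
    start = closure({(r, 0) for r in range(len(toks))})
    trans, perms, todo = {}, {}, [start]
    while todo:  # eager subset construction; the empty frozenset is the dead state
        s = todo.pop()
        if s in trans: continue
        # overlapping rules accumulate permissions (simplified AppArmor file-rule model)
        perms[s] = set().union(*(set(rules[r][1]) for r, p in s if p == len(toks[r])))
        trans[s] = {sym: step(s, sym) for sym in alphabet | {OTHER}}
        todo.extend(trans[s].values())
    return trans, start, perms

def match(dfa, path):  # returns (granted perms, transitions taken) == len(path)
    trans, state, perms = dfa
    for c in path:
        state = trans[state][c if c in trans[state] else OTHER]
    return "".join(sorted(perms[state])), len(path)
```

Compiling the same three rules with a few hundred extra globs added yields a larger table, but `match` still takes exactly `len(path)` transitions for the same path, which is the behaviour the reply describes.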