On the encouragement from mvo, I made a small tool that can optimize a generated snapd apparmor profile. By using the profile from this bug, I can see almost 50% improvement in cpu time and memory time. It was just a small side-project while I was working.
https://github.com/Meulengracht/aa-preprocess

Profile used (https://launchpadlibrarian.net/674087996/snap.screenly-client.command-executor)

Before running the tool
User time (seconds): 6.73
Maximum resident set size (kbytes): 294408

After running the tool
Optimized profile here (https://paste.ubuntu.com/p/GCt6j4zrzW/)
User time (seconds): 3.56
Maximum resident set size (kbytes): 167712

Both times are run with "apparmor_parser -O no-expr-simplify".

The tool is not that sophisticated and simply consolidates lines that match each other in permissions and wildcards to reduce the number of lines in the apparmor profile. Maybe it's something that can be considered somewhere to increase performance?

https://bugs.launchpad.net/bugs/2025030

Title: apparmor_parser -O no-expr-simplify problematic

Status in snapd: In Progress

Bug description:

There was a recent issue with a core refresh that caused breakage. Upon further investigation it turns out that the apparmor_parser uses a substantial amount of memory. Upon some more investigation it turns out that -O no-expr-simplify makes both time to compile and memory usage increase 10x.

Tested with 22.04 but I see the same ballpark results with 16.04:

    $ /usr/bin/time --verbose apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
    Command being timed: "apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor"
    User time (seconds): 4.32
    Maximum resident set size (kbytes): 117392

    $ /usr/bin/time --verbose apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
    Command being timed: "apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor"
    User time (seconds): 40.64
    Maximum resident set size (kbytes): 1015816

Profile is attached.
It seems like we seriously need to consider dropping "-O no-expr-simplify".

For context: https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858 is why it was added in the first place.

And some recent work to make things faster: https://gitlab.com/apparmor/apparmor/-/merge_requests/711
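An added illustration of the kind of rule consolidation the comment at the top of this message describes; it is not code from aa-preprocess or snapd. It assumes one particular strategy: file rules with identical qualifiers, parent directory and permissions are merged on their last path component using AppArmor's {a,b} alternation. The names RULE, consolidate and SAMPLE are hypothetical, and the sample profile is constructed.

```python
import re

# Simple file rule: optional qualifiers, absolute path, permission string, comma.
RULE = re.compile(r'^(?P<indent>\s*)(?P<quals>(?:(?:audit|deny|owner)\s+)*)'
                  r'(?P<path>/\S*)\s+(?P<perms>[rwaxmlkiPpCcUu]+),\s*$')

def consolidate(profile_text):
    """Merge file rules sharing qualifiers, parent directory and permissions
    into one rule with {a,b} alternation; every other line passes through."""
    groups, out = {}, []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        # Leave paths that already use alternation, character classes or
        # quoting, and directory rules ending in '/', untouched.
        if not m or set(m['path']) & set('{}[],"') or m['path'].endswith('/'):
            out.append(line)
            continue
        parent, _, leaf = m['path'].rpartition('/')
        key = (m['indent'], ' '.join(m['quals'].split()), parent, m['perms'])
        if key not in groups:
            groups[key] = []
            out.append(key)          # placeholder at the first occurrence
        if leaf not in groups[key]:  # exact duplicate rules collapse here
            groups[key].append(leaf)
    rendered = []
    for item in out:
        if isinstance(item, str):
            rendered.append(item)
            continue
        indent, quals, parent, perms = item
        leaves = groups[item]
        leaf = leaves[0] if len(leaves) == 1 else '{' + ','.join(leaves) + '}'
        rendered.append(f"{indent}{quals + ' ' if quals else ''}{parent}/{leaf} {perms},")
    return '\n'.join(rendered)

# Constructed sample, not taken from the snapd profile attached to the bug.
SAMPLE = """\
profile constructed_example {
  /etc/hosts r,
  /etc/passwd r,
  /etc/group r,
  owner /run/app/a.sock rw,
  owner /run/app/b.sock rw,
  deny /etc/shadow r,
  /etc/hosts r,
  /usr/lib/** mr,
  /var/lib/{x,y}/z r,
}
"""

if __name__ == '__main__':
    print(consolidate(SAMPLE))
```

Allow and deny rules are never merged with each other because the qualifier list is part of the grouping key, and since AppArmor accumulates rules without regard to their order in the profile, emitting the merged rule at the position of its first member does not change what the profile permits.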
