Comment 7 for bug 2025030

Philip Meulengracht (the-meulengracht) wrote:

On the encouragement from mvo, I made a small tool that can optimize a generated snapd AppArmor profile. By using the profile from this bug, I can see almost 50% improvement in CPU time and memory time. It was just a small side-project while I was working.

https://github.com/Meulengracht/aa-preprocess

Profile used (https://launchpadlibrarian.net/674087996/snap.screenly-client.command-executor)

Before running the tool

User time (seconds): 6.73
Maximum resident set size (kbytes): 294408

After running the tool
Optimized profile here (https://paste.ubuntu.com/p/GCt6j4zrzW/)

User time (seconds): 3.56
Maximum resident set size (kbytes): 167712

Both times are run with "apparmor_parser -O no-expr-simplify". The tool is not that sophisticated and simply consolidates lines that match each other in permissions and wildcards to reduce the number of lines in the AppArmor profile. It also only runs on lines starting with /sys/devices currently, but could be extended to others. The resulting profile is not extensively tested either, so take this with a grain of salt as well.

Maybe it's something that can be considered somewhere to increase performance?
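
An added illustration of the kind of consolidation the comment describes, not part of the comment and not code from aa-preprocess: /sys/devices rules with identical permissions whose paths differ in a single literal component are folded into one rule using AppArmor's `{a,b}` alternation, which matches the same set of paths. The rule regex, the function names and the sample lines are assumptions made for this sketch, and it assumes existing brace groups never span a `/`.

```python
import re

# Plain allow rule "<path> <perms>," under /sys/devices. Qualified rules
# (deny, owner, audit) do not match and are passed through untouched.
RULE = re.compile(r"^(\s*)(/sys/devices/\S*)\s+([rwaklm]+),\s*$")
LITERAL = re.compile(r'^[^*?\[\]{},"\\^]+$')  # component without glob syntax
# Constructed sample, not the profile attached to the bug.
SAMPLE = """\
  /sys/devices/pci0000:00/usb1/idVendor r,
  /sys/devices/pci0000:00/usb1/idProduct r,
  /sys/devices/pci0000:00/usb2/idVendor r,
  /sys/devices/pci0000:00/usb2/idProduct r,
  /sys/devices/virtual/tty/*/active r,
  /sys/devices/virtual/tty/*/active rw,
  deny /sys/devices/virtual/dmi/id/product_uuid r,
  /run/udev/data/** r,
""".splitlines()

def merge_at(rules, i):
    """Fold rules that differ only in a literal component at index i."""
    groups = {}  # insertion-ordered: a merged rule keeps the first member's slot
    for slot, rule in enumerate(rules):
        indent, parts, perms = rule
        if parts and i < len(parts) and LITERAL.match(parts[i]):
            key = (indent, perms, parts[:i], parts[i + 1:])
        else:
            key = ("unique", slot)  # non-rule line or glob component: never merged
        groups.setdefault(key, []).append(rule)
    merged = []
    for members in groups.values():
        indent, parts, perms = members[0]
        names = sorted({m[1][i] for m in members}) if len(members) > 1 else []
        if len(names) > 1:  # same permissions, same wildcards everywhere else
            parts = parts[:i] + ("{" + ",".join(names) + "}",) + parts[i + 1:]
        merged.append((indent, parts, perms))  # exact duplicates collapse to one
    return merged

def consolidate(lines):
    """Return profile lines (no newlines) with mergeable rules consolidated."""
    rules = []
    for line in lines:
        m = RULE.match(line)
        rules.append((m[1], tuple(m[2].split("/")), m[3]) if m else (line, None, None))
    depth = max((len(p) for _, p, _ in rules if p), default=0)
    count = None
    while count != len(rules):  # repeat until a full sweep merges nothing
        count = len(rules)
        for i in range(depth):
            rules = merge_at(rules, i)
    return [a if p is None else f"{a}{'/'.join(p)} {c}," for a, p, c in rules]
```

Because only exact-match groups are folded, the `r` and `rw` rules on the same path stay separate, and the `deny` rule is never rewritten.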