multiple HOMEDIRS tunable entries can exponentially increase profile loading time

Bug #503869 reported by Sebastien Bacher on 2010-01-06
This bug affects 3 people
Affects: apparmor (Ubuntu)
Assigned to: John Johansen

Bug Description

Binary package hint: apparmor

The evince installation sits on "configuring" for several minutes there; a sudo service apparmor reload takes 176 seconds when run on the mini10v config there...

Sebastien Bacher (seb128) wrote :

The configuration is a stock lucid one

Sebastien Bacher (seb128) wrote :

details from the IRC discussion:

* the box is an Atom-based one with 1 gig of RAM and an SSD drive
* sudo apparmor_parser -S -T /etc/apparmor.d/usr.bin.evince takes some 170 seconds of full CPU use
* sudo apparmor_parser -Br takes less than 1 second

Kees Cook (kees) wrote :

This appears to be mostly an issue with the Atom not dealing well with the profile parsing (in-order execution, byte-wide memory access). jjohansen will be improving the DFA minimization, which should make the (time consuming) table packing do less work, which should cut down on the overall time.

Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Kees Cook (kees) on 2010-01-06
Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Kees Cook (kees) wrote :

Things should be much improved in version 2.3.1+bzr1312-0ubuntu1, though the main DFA minimization work still needs to be done. This version just reverts the HOMEDIRS tunable that was changed for likewise-open.

summary: - reload takes ages in lucid
+ multiple HOMEDIRS tunable entries can exponentially increase profile
+ loading time
Sebastien Bacher (seb128) wrote :

The new version dropped the time on the mini from 170 seconds to 22 seconds!

John Johansen (jjohansen) wrote :

This bug has been isolated to the DFA and transition table generation in the apparmor_parser; the HOMEDIRS tunable triggered this by causing many extra states to be generated. The bug is not Atom specific, but the Atom doesn't deal well with the current code doing the generation.

There are a couple of things that still need to be done to address this bug:
- dfa state minimization
- improved dfa table packing
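
The effect described in the comment above, as an added toy model that is not part of the original thread and is not apparmor_parser code: each extra HOMEDIRS value duplicates every rule suffix in an unminimized automaton, while state minimization shares those suffixes. The rule strings and directory values are constructed, paths are treated as literal strings (no globs), and the `@{HOMEDIRS}` expansion is simplified.

```python
import re
from itertools import product

def expand(rule, variables):
    """Return every string produced by substituting each @{NAME} in rule."""
    names = re.findall(r"@\{(\w+)\}", rule)
    out = []
    for combo in product(*(variables[n] for n in names)):
        values = iter(combo)
        out.append(re.sub(r"@\{\w+\}", lambda m: next(values), rule))
    return out

def build_trie(strings):
    """Unminimized DFA: one state per distinct prefix. Node = [accepting, {char: node}]."""
    root = [False, {}]
    for s in strings:
        node = root
        for ch in s:
            node = node[1].setdefault(ch, [False, {}])
        node[0] = True
    return root

def count_states(node):
    return 1 + sum(count_states(child) for child in node[1].values())

def minimized_states(root):
    """Merge equivalent states bottom-up (valid for acyclic DFAs); return the count."""
    registry = {}
    def canon(node):
        # Two states are equivalent if they agree on acceptance and on
        # every transition to an (already canonical) child state.
        sig = (node[0], tuple(sorted((ch, canon(c)) for ch, c in node[1].items())))
        return registry.setdefault(sig, len(registry))
    canon(root)
    return len(registry)

def measure(homedirs, rules):
    """Return (expanded rule count, unminimized states, minimized states)."""
    strings = [s for r in rules for s in expand(r, {"HOMEDIRS": homedirs})]
    trie = build_trie(strings)
    return len(strings), count_states(trie), minimized_states(trie)

# Constructed sample rules, loosely shaped like per-user paths in a profile.
RULES = ["@{HOMEDIRS}user/.config/evince/", "@{HOMEDIRS}user/.local/share/"]

if __name__ == "__main__":
    dirs = ["/home/", "/srv/home/", "/mnt/home/", "/data/home/"]
    for n in range(1, len(dirs) + 1):
        print(n, measure(dirs[:n], RULES))
```
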

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5~pre+bzr1362-0ubuntu1

apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low

  [ Kees Cook ]
  * Update to upstream bzr revision 1362.
    - This release includes DFA minimization, transition table compression,
      and improved partitioning performance (LP: #503869).
    - drop 0001-tunable-alias.patch, now upstream.
  * debian/apparmor.postinst: update home.d template to note the trailing
    slash, even if the debconf template mentions it too.
  * debian/apparmor.functions: go fully parallel with parsing to use all
    CPUs in the case of needing to regenerate caches.
  * debian/rules: enable library testsuite during build.
  * debian/control: add dejagnu for library testsuite.
  * debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl.

  [ Jamie Strandboge ]
  * debian/control: add apparmor-notify
  * add debian/notify/notify.conf
  * add debian/notify/90apparmor-notify
  * add debian/apparmor-notify.install: install notify.conf to /etc/apparmor
    and 90apparmor-notify to /etc/X11/Xsession.d
  * debian/rules:
    - remove upstream notify.conf since we will install our own via debhelper
    - move apparmor_notify script and man pages to apparmor-notify
 -- Kees Cook <email address hidden> Sat, 13 Feb 2010 12:19:30 -0800

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released