Supplementing Maxime's answer:

## Goals/Optimization/CPU time/memory usage

Maxime covered more generically some of the ideas/work to address this. I will get a little more specific. We can split these into stuff that is already a WIP, and future work. The current WIP is expected to land early in the 26.04 cycle; it just wasn't ready by FF for this cycle.

For WIP performance we have:

- rewrite of expr tree factoring. This will be most relevant for individual profiles that already take a fairly long time to compile. It should help reduce the pathological node expansion cases that result in significantly more nodes than final states. It's not yet to where I can give you concrete figures, but should be by release.
- diff-encoding. Provides up to about 50% performance improvement, but can also cause a 2x slowdown. We are tinkering with heuristics to auto-tune when it is applied.
- user space zstd compression. This technically slows down the compile, but speeds up the load. But these are usually seen together as a single operation. In the compile and load case we see a small performance improvement when using similar compression levels as the kernel currently uses. However this gives us the ability to tune for performance (lower compression levels), or size (higher compression levels). Reloads of policy are always faster as it removes the compression phase from policy load. Note: this compressed policy is used for CRIU support; we compress it to reduce kernel memory impact.
- front end driver rework to allow better sharing between parses. I don't have a figure for this one yet, but it should be fairly significant for large policy sets like apparmor.d, as abstractions will get read once instead of thousands of times.
- jobs reuse (depends on front end driver rework). Will reduce forks to a fixed amount (default nproc), instead of 1 per file (so apparmor.d ~1600).

Size/Memory use:

- diff-encoding. Currently giving an average of about ~30% size reduction on the apparmor.d profile set.
- zstd compression. Tuning this to the higher ends we are seeing ~33% improvement in the CRIU policy size.

Mid term: We have several improvements that are questionable as to whether they can be landed for 25.04.

- shared resources between profiles. Kernel side, a lot of support for this has already landed. There is a little more to do here, and work in the compiler. Technically it will incur a small increase in mediation time, as each shared resource must be consulted instead of doing a single lookup. So it's a balancing act between policy size, policy compile time and run time cost.
- precompiled headers/abstractions (self explanatory)
- triggers for kernel install to launch a policy pre-compile in the background. The install itself doesn't need to block on the policy compile, as the worst case is the cache isn't fully compiled and it is then done at boot.
- splitting policy up to reduce the presence of extra profiles.

Longer term: There are a lot of improvements and tuning. I could provide a list but it is likely to change some etc., and none of it will land before 26.04.

"Why not ship the profiles with each src package in Ubuntu? Have the pros and cons been discussed somewhere?"

Yes. Generally speaking it comes down to package maintenance, profile maintenance and syncing. Ideally profiles for a given src would be shipped with the source, and also the profile is tracked and updated upstream to be able to get improvements from other distros etc. It then comes down to keeping the package and upstream in sync. Alex Murray wrote a doc around this; I will dig it out.

There is certainly work to do around embedding profiles in src packages. There is also work to be done in splitting the profiles that don't get embedded into smaller, more targeted sets, e.g. server, desktop, ... instead of the current all-in-one. The all-in-one can then become a meta package for those who want an easy way to do that.
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2121409

Title:
[FFE] add a new apparmor.d package containing several apparmor profiles

Status in apparmor package in Ubuntu:
Triaged

Bug description:

## FFE ##

This is a Feature Freeze Exception request for questing for the apparmor package and for a new source package called apparmor.d:

I'd like to add a new source package called apparmor.d which contains over 1500 profiles from the upstream project apparmor.d [1]. These profiles will be added in "complain" mode, which means that for a given action, if the profile rules do not grant permission, the action will be allowed but the violation will be logged with a tag of the access being ALLOWED. This is done because we want to test these profiles and enable others to test and add new rules to eventually improve the profiles.

By adding these profiles in a new package which is not installed by default, regular users will not be affected. But users that would like to test and contribute to the profiles can install it.

We want to add these profiles, even in complain mode, as a new package (and not part of the apparmor package) because labeling certain binaries could cause issues with existing policy, especially those that use "peer". Additionally, the large amount of profiles does take a while to compile by the parser on the first boot. After that, a cached version of the profiles can be loaded directly into the kernel by the parser, which takes considerably less time. Note again that apparmor.d will not be installed by default, so this will only affect users that choose to install it.

The benefits of this change are the ability to increase the amount of testing for these profiles, which will then enable us to eventually ship them in enforce mode. More profiles means more confined applications, which could lead to higher security.
This is the first step towards that.

This FFE also includes the apparmor package because we want to change the suggestion from the apparmor-profiles-extra package, which is no longer maintained and will be deprecated in the future, to the new apparmor.d.

This is the PPA containing a built version of apparmor and apparmor.d:
https://launchpad.net/~georgiag/+archive/ubuntu/apparmor.dinapparmor5/

These are the installation logs:

georgia@sec2-questing-amd64:~/qrt-test-apparmor$ sudo apt install apparmor.d
The following packages were automatically installed and are no longer required:
  apg libllvm19 linux-headers-6.15.0-3-generic xbitmaps cpp-14 libopengl0 linux-modules-6.15.0-3-generic xinit
  cpp-14-x86-64-linux-gnu libsframe1 linux-tools-6.15.0-3 xorg gcc-14-base libxcb-damage0 linux-tools-6.15.0-3-generic
  libclang1-19 libxkbcommon-x11-0 x11-apps libglu1-mesa linux-headers-6.15.0-3 x11-session-utils
Use 'sudo apt autoremove' to remove them.

Upgrading:
  apparmor

Installing:
  apparmor.d

Summary:
  Upgrading: 1, Installing: 1, Removing: 0, Not Upgrading: 86
  Download size: 1,116 kB
  Space needed: 3,418 kB / 6,269 MB available

Continue? [Y/n]
WARNING: The following packages cannot be authenticated!
  apparmor apparmor.d
Install these packages without verification? [y/N] y
Get:1 http://192.168.122.1/debs/testing questing/ apparmor 5.0.0~alpha1-0ubuntu5 [853 kB]
Get:2 http://192.168.122.1/debs/testing questing/ apparmor.d 0.015-1ubuntu1 [264 kB]
Fetched 1,116 kB in 0s (20.6 MB/s)
Preconfiguring packages ...
(Reading database ... 240702 files and directories currently installed.)
Preparing to unpack .../apparmor_5.0.0~alpha1-0ubuntu5_amd64.deb ...
Unpacking apparmor (5.0.0~alpha1-0ubuntu5) over (5.0.0~alpha1-0ubuntu4) ...
Selecting previously unselected package apparmor.d.
Preparing to unpack .../apparmor.d_0.015-1ubuntu1_amd64.deb ...
Unpacking apparmor.d (0.015-1ubuntu1) ...
Setting up apparmor (5.0.0~alpha1-0ubuntu5) ...
Installing new version of config file /etc/apparmor.d/hostname ...
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: brave
Skipping profile in /etc/apparmor.d/disable: chrome
Skipping profile in /etc/apparmor.d/disable: chromium
Skipping profile in /etc/apparmor.d/disable: dig
Skipping profile in /etc/apparmor.d/disable: element-desktop
Skipping profile in /etc/apparmor.d/disable: epiphany
Skipping profile in /etc/apparmor.d/disable: firefox
Skipping profile in /etc/apparmor.d/disable: flatpak
Skipping profile in /etc/apparmor.d/disable: foliate
Skipping profile in /etc/apparmor.d/disable: free
Skipping profile in /etc/apparmor.d/disable: fusermount3
Skipping profile in /etc/apparmor.d/disable: hostname
Skipping profile in /etc/apparmor.d/disable: locale
Skipping profile in /etc/apparmor.d/disable: loupe
Skipping profile in /etc/apparmor.d/disable: lsblk
Skipping profile in /etc/apparmor.d/disable: lsusb
Skipping profile in /etc/apparmor.d/disable: msedge
Skipping profile in /etc/apparmor.d/disable: nslookup
Skipping profile in /etc/apparmor.d/disable: openvpn
Skipping profile in /etc/apparmor.d/disable: opera
Skipping profile in /etc/apparmor.d/disable: os-prober
Skipping profile in /etc/apparmor.d/disable: plasmashell
Skipping profile in /etc/apparmor.d/disable: signal-desktop
Skipping profile in /etc/apparmor.d/disable: slirp4netns
Skipping profile in /etc/apparmor.d/disable: steam
Skipping profile in /etc/apparmor.d/disable: systemd-coredump
Skipping profile in /etc/apparmor.d/disable: systemd-detect-virt
Skipping profile in /etc/apparmor.d/disable: thunderbird
Skipping profile in /etc/apparmor.d/disable: transmission
Skipping profile in /etc/apparmor.d/disable: unix-chkpwd
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning from /etc/apparmor.d (/etc/apparmor.d/usr.sbin.sssd line 69): Caching disabled for: 'usr.sbin.sssd' due to force complain
Skipping profile in /etc/apparmor.d/disable: virtiofsd
Skipping profile in /etc/apparmor.d/disable: wg
Skipping profile in /etc/apparmor.d/disable: wg-quick
Skipping profile in /etc/apparmor.d/disable: who
Setting up apparmor.d (0.015-1ubuntu1) ...
Processing triggers for systemd (257.7-1ubuntu3) ...
Processing triggers for man-db (2.13.1-1) ...
Processing triggers for procps (2:4.0.4-8ubuntu2) ...

georgia@sec2-questing-amd64:~/qrt-test-apparmor$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/usr/lib/systemd/system/apparmor.service; enabled; preset: enabled)
     Active: active (exited) since Fri 2025-08-29 12:09:41 -03; 21min ago
 Invocation: 7acd3f71e5084f50a7893334f2c2addf
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
    Process: 13802 ExecReload=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
   Main PID: 535 (code=exited, status=0/SUCCESS)
   Mem peak: 156.1M (swap: 268K)
        CPU: 5min 18.046s

Aug 29 12:29:57 sec2-questing-amd64 apparmor.systemd[15293]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:02 sec2-questing-amd64 apparmor.systemd[15328]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:05 sec2-questing-amd64 apparmor.systemd[15373]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:08 sec2-questing-amd64 apparmor.systemd[15437]: Warning: found usr.sbin.sssd in /etc/>
Aug 29 12:30:08 sec2-questing-amd64 apparmor.systemd[15437]: Warning from /etc/apparmor.d (/etc/ap>
Aug 29 12:30:13 sec2-questing-amd64 apparmor.systemd[15456]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:19 sec2-questing-amd64 apparmor.systemd[15483]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:19 sec2-questing-amd64 apparmor.systemd[15484]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:19 sec2-questing-amd64 apparmor.systemd[15492]: Skipping profile in /etc/apparmor.d/d>
Aug 29 12:30:31 sec2-questing-amd64 systemd[1]: Reloaded apparmor.service - Load AppArmor profiles.
For testing, I ran the QA Regression Tests [2]:

Steps:

$ git clone https://git.launchpad.net/qa-regression-testing
$ ./scripts/make-test-tarball ./scripts/test-apparmor.py
Copying: test-apparmor.py
Copying: testlib.py
Copying: install-packages
Copying: packages-helper
Copying: apparmor/
Test files: /tmp/qrt-test-apparmor.tar.gz

To run, first install the apparmor.d package introduced in this FFE, then copy the tarball somewhere, then do:

$ tar -zxf qrt-test-apparmor.tar.gz
$ cd ./qrt-test-apparmor
$ sudo ./install-packages test-apparmor.py
$ ./test-apparmor.py -v

This script runs various tests against the installed apparmor package. The result was:

FAILED: disconnected_mount_complain socketpair
make: *** [Makefile:487: alltests] Error 1
----------------------------------------------------------------------
Ran 62 tests in 3949.185s

FAILED (failures=1, skipped=4)

Note that these failures are not related to the apparmor.d package and are also reproducible with apparmor version 5.0.0~alpha1-0ubuntu4 from the archive.

[1] https://github.com/roddhjav/apparmor.d
[2] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2121409/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
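As an added example (not code from the bug report, from Ubuntu, or from the apparmor.d project) of what "logged with a tag of the access being ALLOWED" means when you actually try to graduate a complain-mode profile to enforce: a small Python script that parses AppArmor audit records in the kernel's key="value" format, counts the ALLOWED hits per complain-mode profile, and lists the profiles that produced none. The audit lines embedded in it are constructed for the example; the profile names, paths and PIDs are illustrative and were not captured from the machine in the report.

```python
"""Triage complain-mode AppArmor audit records before switching a profile to enforce.

Added example, not code from the bug report, Ubuntu, or the apparmor.d project.
In complain mode a denied access is still permitted but logged with
apparmor="ALLOWED"; before a profile can go to enforce, every such record must
either become a rule or be judged unwanted. This script parses the key="value"
record format the AppArmor kernel module emits, groups ALLOWED records per
profile, and reports which complain-mode profiles produced none.
"""
import re
from collections import defaultdict

# Constructed sample records (illustrative, not captured from a real machine).
SAMPLE_LOG = """\
type=AVC msg=audit(1756480000.123:42): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/run/udev/data/b8:0" pid=1234 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1756480000.456:43): apparmor="ALLOWED" operation="exec" class="file" profile="who" name="/usr/bin/whoami" pid=1235 comm="who" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1756480000.789:44): apparmor="DENIED" operation="open" class="file" profile="sssd" name="/etc/shadow" pid=900 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1756480001.001:45): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/run/udev/data/b8:0" pid=1236 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1756480001.002:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsblk" pid=1 comm="apparmor_parser"
"""

# key=value pairs; a value is either "double quoted" or a bare non-space token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return one audit line as a dict of its key/value pairs (quotes removed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def summarise_allowed(log_text):
    """Group complain-mode hits: profile -> (operation, name, denied_mask) -> count.

    DENIED records (enforce-mode profiles) and STATUS records (profile loads) are
    skipped; only apparmor="ALLOWED" means a complain profile is missing a rule.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "ALLOWED":
            continue
        key = (rec.get("operation"), rec.get("name"), rec.get("denied_mask"))
        summary[rec["profile"]][key] += 1
    return {profile: dict(hits) for profile, hits in summary.items()}


def enforce_candidates(summary, complain_profiles):
    """Profiles from complain_profiles that produced no ALLOWED record in the log."""
    return sorted(p for p in complain_profiles if p not in summary)


if __name__ == "__main__":
    summary = summarise_allowed(SAMPLE_LOG)
    for profile, hits in sorted(summary.items()):
        print(f"{profile}: {sum(hits.values())} complain-mode hit(s)")
        for (op, name, mask), count in sorted(hits.items()):
            print(f"  {count}x {op} {name} mask={mask}")
    print("no hits, candidates for enforce:",
          enforce_candidates(summary, ["dig", "lsblk", "who"]))
```

On a real system the input would be `journalctl -k` or `/var/log/audit/audit.log` over a long enough test window; a profile with zero ALLOWED hits is only a candidate, since the absence of hits proves nothing about code paths that were never exercised.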

