[PR PATCH] apparmor: load profiles in parallel

[PR PATCH] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 389 bytes --]

There is a new pull request by thypon against master on the void-packages repository

https://github.com/thypon/void-packages apparmor-parallel
https://github.com/void-linux/void-packages/pull/28766

apparmor: load profiles in parallel
Just a quick mod for parallelizing apparmor profiles on load.

A patch file from https://github.com/void-linux/void-packages/pull/28766.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-parallel-28766.patch --]
[-- Type: text/x-diff, Size: 1724 bytes --]

From 0585ebbc1ec27087f3e1d90f910d24c44c244aec Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni <abc@pompel.me>
Date: Sun, 14 Feb 2021 21:39:38 +0000
Subject: [PATCH] apparmor: load profiles in parallel

---
 srcpkgs/apparmor/template               |  2 +-
 srcpkgs/runit-void/files/09-apparmor.sh | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 6e7300cff1e..dfbd3ef472f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=2
+revision=3
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
index 7d8d09ee80f..e5ce9e9af72 100644
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@@ -18,15 +18,9 @@ if [ -n "$APPARMOR" ]; then
 	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
 
 	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
-		for profile in /etc/apparmor.d/*; do
-		case "$profile" in
-			*.new-*_*) continue ;;
-		esac
-		if [ -f "$profile" ]; then
-			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
-			apparmor_parser -a $AACOMPLAIN "$profile"
-		fi
-		done
+		find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*' |\
+			xargs -d"\n" -I{} --max-procs="$(grep -c ^processor /proc/cpuinfo)" \
+				bash -c "printf '* Load profile %s: %s\n' '($APPARMOR)' '{}'; apparmor_parser -a $AACOMPLAIN '{}'"
 	else
 		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
 	fi

Re: [PR PATCH] [Updated] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 394 bytes --]

There is an updated pull request by thypon against master on the void-packages repository

https://github.com/thypon/void-packages apparmor-parallel
https://github.com/void-linux/void-packages/pull/28766

apparmor: load profiles in parallel
Just a quick mod for parallelizing apparmor profiles on load.

A patch file from https://github.com/void-linux/void-packages/pull/28766.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-parallel-28766.patch --]
[-- Type: text/x-diff, Size: 1722 bytes --]

From dc89b6e9c48aac3618e7872fd5e90826a09e542f Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni <abc@pompel.me>
Date: Sun, 14 Feb 2021 21:39:38 +0000
Subject: [PATCH] apparmor: load profiles in parallel

---
 srcpkgs/apparmor/template               |  2 +-
 srcpkgs/runit-void/files/09-apparmor.sh | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 6e7300cff1e..dfbd3ef472f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=2
+revision=3
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
index 7d8d09ee80f..f18074dfe90 100644
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@@ -18,15 +18,9 @@ if [ -n "$APPARMOR" ]; then
 	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
 
 	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
-		for profile in /etc/apparmor.d/*; do
-		case "$profile" in
-			*.new-*_*) continue ;;
-		esac
-		if [ -f "$profile" ]; then
-			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
-			apparmor_parser -a $AACOMPLAIN "$profile"
-		fi
-		done
+		find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*' |\
+			xargs -d"\n" -I{} --max-procs="$(grep -c ^processor /proc/cpuinfo)" \
+				sh -c "printf '* Load profile %s: %s\n' '($APPARMOR)' '{}'; apparmor_parser -a $AACOMPLAIN '{}'"
 	else
 		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
 	fi

Re: [PR REVIEW] apparmor: load profiles in parallel

[ericonr]

[-- Attachment #1: Type: text/plain, Size: 251 bytes --]

New review comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#discussion_r575869673

Comment:
`nproc` https://www.flamingspork.com/blog/2020/11/25/why-you-should-use-nproc-and-not-grep-proc-cpuinfo/

Re: apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 286 bytes --]

New comment by thypon on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778847529

Comment:
it's all in findutils (xargs and find) which are installed if you have `base-system` `base-minimal` or `base-chroot`. No need to specify anything.

Re: [PR PATCH] [Updated] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]

There is an updated pull request by thypon against master on the void-packages repository

https://github.com/thypon/void-packages apparmor-parallel
https://github.com/void-linux/void-packages/pull/28766

apparmor: load profiles in parallel
Just a quick mod for parallelizing apparmor profiles on load.

Cc: @Gottox @ericonr @CameronNemo 

A patch file from https://github.com/void-linux/void-packages/pull/28766.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-parallel-28766.patch --]
[-- Type: text/x-diff, Size: 1695 bytes --]

From 02e299da42f8c400083d55728690481e6a6f4ab4 Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni <abc@pompel.me>
Date: Sun, 14 Feb 2021 21:39:38 +0000
Subject: [PATCH] apparmor: load profiles in parallel

---
 srcpkgs/apparmor/template               |  2 +-
 srcpkgs/runit-void/files/09-apparmor.sh | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 6e7300cff1e..dfbd3ef472f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=2
+revision=3
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
index 7d8d09ee80f..5951c35e5ea 100644
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@@ -18,15 +18,9 @@ if [ -n "$APPARMOR" ]; then
 	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
 
 	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
-		for profile in /etc/apparmor.d/*; do
-		case "$profile" in
-			*.new-*_*) continue ;;
-		esac
-		if [ -f "$profile" ]; then
-			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
-			apparmor_parser -a $AACOMPLAIN "$profile"
-		fi
-		done
+		find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*' |\
+			xargs -d"\n" -I{} --max-procs="$(nproc)" \
+				sh -c "printf '* Load profile %s: %s\n' '($APPARMOR)' '{}'; apparmor_parser -a $AACOMPLAIN '{}'"
 	else
 		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
 	fi

Re: [PR REVIEW] apparmor: load profiles in parallel

[Gottox]

[-- Attachment #1: Type: text/plain, Size: 273 bytes --]

New review comment by Gottox on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#discussion_r575870502

Comment:
Allows command injection. I'm not considering this an attack vector, as the files are root writeable, nevertheless, avoid this.

Re: apparmor: load profiles in parallel

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 1022 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778850010

Comment:
Upstream has optimized code to do this (`/usr/lib/apparmor/rc.apparmor.functions` `parse_profiles()`).

Currently we fudge it up with our custom one-by-one loading. Now we are reimplementing?

Can we deprecate the runit "complain" mode and direct users to the `aa-complain(8)` utility? It would bring us closer to upstream and other distros.

Minimal example of what using the upstream provided code would look like (they make you define log functions):

```
set -e

test -d /sys/kernel/security/apparmor

AA_FUNCTIONS=/usr/lib/apparmor/rc.apparmor.functions
test -r "$AA_FUNCTIONS"

aa_action() { :; }
aa_log_warning_msg() { :; }
aa_log_failure_msg() { :; }
aa_log_action_start() { :; }
aa_log_action_end() { :; }
aa_log_daemon_msg() { :; }
aa_log_skipped_msg() { :; }
aa_log_end_msg() { :; }

set +e
. "$AA_FUNCTIONS"
apparmor_restart
exit $?
```

Re: [PR REVIEW] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 365 bytes --]

New review comment by thypon on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#discussion_r575874468

Comment:
Command injection? You mean shell spawning or in general? I don't see command injection here. I mean, even $APPARMOR without anything else in a shell script it can be a command injection if you don't control the source.

Re: apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 336 bytes --]

New comment by thypon on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778852486

Comment:
I perfectly agree with @CameronNemo on long term using the upstream version.
For now I just ported from the official script the xargs command so that we can have parallelism with minimal changes.

Re: apparmor: load profiles in parallel

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 250 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778852792

Comment:
apparmror_parser already parses profiles in parallel, just pass everything to it and forget about the printf.

Re: apparmor: load profiles in parallel

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 354 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778853658

Comment:
If we patch in our .new- suffix we can just pass the directory and just pass the directory to it will be fast and simple.
https://gitlab.com/apparmor/apparmor/-/blob/master/libraries/libapparmor/src/private.c#L65

Re: apparmor: load profiles in parallel

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778853658

Comment:
If we patch in our .new- suffix we can just pass the directory and it will be fast and simple.
https://gitlab.com/apparmor/apparmor/-/blob/master/libraries/libapparmor/src/private.c#L65

Re: [PR PATCH] [Updated] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]

There is an updated pull request by thypon against master on the void-packages repository

https://github.com/thypon/void-packages apparmor-parallel
https://github.com/void-linux/void-packages/pull/28766

apparmor: load profiles in parallel
Just a quick mod for parallelizing apparmor profiles on load.

Cc: @Gottox @ericonr @CameronNemo 

A patch file from https://github.com/void-linux/void-packages/pull/28766.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-parallel-28766.patch --]
[-- Type: text/x-diff, Size: 1695 bytes --]

From d5d52ad5f52e807cc424e06cc4bef0089011fdd1 Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni <abc@pompel.me>
Date: Sun, 14 Feb 2021 21:39:38 +0000
Subject: [PATCH] apparmor: load profiles in parallel

---
 srcpkgs/apparmor/template               |  2 +-
 srcpkgs/runit-void/files/09-apparmor.sh | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 6e7300cff1e..dfbd3ef472f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=2
+revision=3
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
index 7d8d09ee80f..5951c35e5ea 100644
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@@ -18,15 +18,9 @@ if [ -n "$APPARMOR" ]; then
 	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
 
 	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
-		for profile in /etc/apparmor.d/*; do
-		case "$profile" in
-			*.new-*_*) continue ;;
-		esac
-		if [ -f "$profile" ]; then
-			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
-			apparmor_parser -a $AACOMPLAIN "$profile"
-		fi
-		done
+		find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*' |\
+			xargs -d"\n" -I{} --max-procs="$(nproc)" \
+				sh -c "printf '* Load profile %s: %s\n' '($APPARMOR)' '{}'; apparmor_parser -a $AACOMPLAIN '{}'"
 	else
 		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
 	fi

Re: apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 188 bytes --]

New comment by thypon on void-packages repository

https://github.com/void-linux/void-packages/pull/28766#issuecomment-778857261

Comment:
The last version removes the superfluous logging

Re: [PR PATCH] [Updated] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]

There is an updated pull request by thypon against master on the void-packages repository

https://github.com/thypon/void-packages apparmor-parallel
https://github.com/void-linux/void-packages/pull/28766

apparmor: load profiles in parallel
Just a quick mod for parallelizing apparmor profiles on load.

Cc: @Gottox @ericonr @CameronNemo 

A patch file from https://github.com/void-linux/void-packages/pull/28766.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-parallel-28766.patch --]
[-- Type: text/x-diff, Size: 1574 bytes --]

From daea4138ee2d29b540718b655e89db2862e9902b Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni <abc@pompel.me>
Date: Sun, 14 Feb 2021 21:39:38 +0000
Subject: [PATCH] apparmor: load profiles in parallel

---
 srcpkgs/apparmor/template               |  2 +-
 srcpkgs/runit-void/files/09-apparmor.sh | 10 +---------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 6e7300cff1e..dfbd3ef472f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=2
+revision=3
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
index 7d8d09ee80f..b99afbab046 100644
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@@ -18,15 +18,7 @@ if [ -n "$APPARMOR" ]; then
 	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
 
 	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
-		for profile in /etc/apparmor.d/*; do
-		case "$profile" in
-			*.new-*_*) continue ;;
-		esac
-		if [ -f "$profile" ]; then
-			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
-			apparmor_parser -a $AACOMPLAIN "$profile"
-		fi
-		done
+		apparmor_parse -a $AACOMPLAIN $(find /etc/apparmor.d -type f -maxdepth 1 ! -name '*.new-*_*')
 	else
 		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
 	fi

Re: [PR PATCH] [Updated] apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]

There is an updated pull request by thypon against master on the void-packages repository

https://github.com/thypon/void-packages apparmor-parallel
https://github.com/void-linux/void-packages/pull/28766

apparmor: load profiles in parallel
Just a quick mod for parallelizing apparmor profiles on load.

Cc: @Gottox @ericonr @CameronNemo 

A patch file from https://github.com/void-linux/void-packages/pull/28766.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-parallel-28766.patch --]
[-- Type: text/x-diff, Size: 1575 bytes --]

From 9dd2431b09cebc888be257341e4888408aebc8aa Mon Sep 17 00:00:00 2001
From: Andrea Brancaleoni <abc@pompel.me>
Date: Sun, 14 Feb 2021 21:39:38 +0000
Subject: [PATCH] apparmor: load profiles in parallel

---
 srcpkgs/apparmor/template               |  2 +-
 srcpkgs/runit-void/files/09-apparmor.sh | 10 +---------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 6e7300cff1e..dfbd3ef472f 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=2
+revision=3
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
index 7d8d09ee80f..1d24b4e349c 100644
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@@ -18,15 +18,7 @@ if [ -n "$APPARMOR" ]; then
 	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
 
 	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
-		for profile in /etc/apparmor.d/*; do
-		case "$profile" in
-			*.new-*_*) continue ;;
-		esac
-		if [ -f "$profile" ]; then
-			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
-			apparmor_parser -a $AACOMPLAIN "$profile"
-		fi
-		done
+		apparmor_parser -a $AACOMPLAIN $(find /etc/apparmor.d -maxdepth 1 -type f ! -name '*.new-*_*')
 	else
 		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
 	fi

Re: [PR PATCH] [Merged]: apparmor: load profiles in parallel

[thypon]

[-- Attachment #1: Type: text/plain, Size: 268 bytes --]

There's a merged pull request on the void-packages repository

apparmor: load profiles in parallel
https://github.com/void-linux/void-packages/pull/28766

Description:
Just a quick mod for parallelizing apparmor profiles on load.

Cc: @Gottox @ericonr @CameronNemo