Draft: Userspace-compressed policies

Currently, AppArmor loads policies from userspace thanks to the ".load" and ".replace" interfaces. To save kernel memory, these policies are then zstd-compressed in kernel for storage.

This patch allows policies to be compressed in userspace and be sent to the kernel through the interfaces ".load_compressed" and ".replace_compressed".

The interests of this approach are:

  • Save kernel time when loading policies
  • Allow userspace to provide a higher level of compression than the one provided by the kernel (ZSTD_CLEVEL_DEFAULT), thus saving space.
  • Allow small embedded systems to only store compressed versions of policies in userspace, saving memory.

Userspace-compressed policies improve system time by up to ~10% for big profiles.