Draft: Initial support for compressed policies. (!1148) · Merge requests · AppArmor / apparmor

Maxime Bélair requested to merge emixam16/apparmor:compressed into master Feb 06, 2024

Currently, AppArmor loads policies from userspace thanks to the ".load" and ".replace" interfaces. To save up kernel memory, these policies are then zstd-compressed in kernel for storage. This patch allows policies to be compressed in userspace and be sent to the kernel through the interfaces ".load_compressed" and ".replace_compressed". The interest of this approach are:

Save kernel time when loading policies
Allow the userspace to provide a higher level of compression than the one provided by the kernel (ZSTD_CLEVEL_DEFAULT), thus saving space.
Allow small embedded systems to only store compressed version of policies in userspace, saving memory.

Userspace-compressed policies improve system time by up to ~30%.

This commit requires apparmor-kernel!7 or similar to work.

Draft: Initial support for compressed policies.

Merge request reports