[0/1] Cover letter

Message ID 20230216214651.3514675-1-aaltinay@google.com (mailing list archive)

Message

Anil Altinay Feb. 16, 2023, 9:46 p.m. UTC
We were informed that "git status" takes longer sys time (9s vs 1s) with kernel 5.10 when we run "time git status" on a container with AppArmor enabled on a machine with 96 vCPUs and 384GB memory. This test was performed on a large project like Chromium. We think that commit df323337e507a0009d3db1ea25948d4c7f320d62, which landed in 5.5, started this regression. We tested the attached patch we found at https://lore.kernel.org/lkml/cfd5cc6f-5943-2e06-1dbe-f4b4ad5c1fa1@canonical.com/ on 5.10 and 5.15 and confirmed that it fixes the regression.

We did not have a chance to perform the same test on 6.2, but confirmed that the kernel builds using arch/x86/configs/x86_64_defconfig with the following configs enabled:
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_LSM="apparmor"

Anil Altinay (1):
  apparmor: cache buffers on percpu list if there is lock contention

 security/apparmor/lsm.c | 73 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 68 insertions(+), 5 deletions(-)