I just checked the code - see aa.py do_logprof_pass(). Shortened quote
(comments removed):

    log_reader = apparmor.logparser.ReadLog(pid, filename, existing_profiles, profile_dir, log)
    log = log_reader.read_log(logmark)

    for root in log:
        handle_children('', '', root)

    for pid in sorted(profile_changes.keys()):
        set_process(pid, profile_changes[pid])

    collapse_log()

So it seems first the full log is read, then handle_children processes
the log entries, set_process() changes the profiles of running processes
(if they have null-XY subprofiles) and finally collapse_log() is called.

handle_children() loops over all log events, so it should be easy to
change it to get one call per log entry.

handle_children() changes profile_changes at various places, so integrating
set_process() causes some work. The solution is probably to change all
"profile_changes[pid] = ..." to call a helper function that
- checks if profile_changes[pid] is already set and, if it is, is identical to the new value
- if there is a real change, call set_process() for that pid
- and of course include profile_changes[pid] = ...

After that, integrating collapse_log() shouldn't be too hard.

With this change, only events that cause questions for profile changes
will be kept in memory.

** Changed in: apparmor
       Status: Incomplete => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/387657

Title:
  aa-logprof: doesn't handle large logs

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/387657/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
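
The helper proposed in the message above, as an added sketch that is not part of the original message or of the AppArmor code base. Only profile_changes and set_process() are names from the quoted code; the class, the event tuple shape and the sample events are hypothetical and constructed for illustration.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical event shape: (pid, profile, needs_question). The real log
# events handled by handle_children() are richer than this.
Event = Tuple[int, str, bool]


class StreamingLogprof:
    """Handle log events one at a time instead of reading the full log first."""

    def __init__(self, set_process: Callable[[int, str], None]) -> None:
        self.profile_changes: Dict[int, str] = {}
        self.pending: List[Event] = []  # only events that need a user question
        self._set_process = set_process

    def record_profile_change(self, pid: int, profile: str) -> bool:
        """Replacement for every 'profile_changes[pid] = ...' assignment."""
        if self.profile_changes.get(pid) == profile:
            return False  # already set and identical: nothing to do
        self.profile_changes[pid] = profile
        self._set_process(pid, profile)  # real change: apply it right away
        return True

    def handle_event(self, event: Event) -> None:
        pid, profile, needs_question = event
        self.record_profile_change(pid, profile)
        if needs_question:
            self.pending.append(event)  # everything else is dropped

    def run(self, events: Iterable[Event]) -> List[Event]:
        for event in events:  # accepts a generator, so the log is streamed
            self.handle_event(event)
        return self.pending


def constructed_events() -> Iterable[Event]:
    # Constructed sample input, not taken from a real audit log.
    yield (100, "/usr/bin/foo//null-1", False)
    yield (100, "/usr/bin/foo//null-1", False)  # repeat, must not re-apply
    yield (200, "/usr/bin/bar", True)
    yield (100, "/usr/bin/foo//null-2", True)   # real change for pid 100
    yield (200, "/usr/bin/bar", False)          # repeat for pid 200


def demo():
    calls: List[Tuple[int, str]] = []
    lp = StreamingLogprof(lambda pid, profile: calls.append((pid, profile)))
    pending = lp.run(constructed_events())
    return calls, pending, lp.profile_changes
```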
