linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

Possible efficiency #304

Closed hmkash closed 3 months ago

hmkash commented 3 months ago

From someone dealing with a huge performance impact from fapolicyd... it seems like some performance could be gained by not computing the mime type of a file unless/until it is required. For example, on a very busy Splunk server, the first rule might be:

allow perm=any dir=/opt/splunk/ : dir=/opt/splunk/ ftype=any trust=0

Yet it still seems like it's computing the ftype of every file that is accessed by Splunk (dozens to hundreds per second) when it doesn't need to. This creates a lot of unnecessary I/O.

stevegrubb commented 3 months ago

This shouldn't be the first rule as it will cause all access to lookup the mime-type. This should be further down like maybe in the 60's. Fapolicyd uses a lazy algorithm which only looks things up when necessary and it caches the results to improve performance. This is why checking the object evictions is important, as when results get evicted it will have to look things up from scratch again. The latest release, 1.3.3, improves performance by 5 to 10%. If you can move to it, it should be more efficient.

hmkash commented 3 months ago

Thanks! Moving the rule down to the 60s does make a difference. Can you please expand on why that is? Seems like having it first would be more efficient as it doesn't have to go through all of the other rules to get to the permit rule. Running in debug mode it is still showing the mime type of every file Splunk accesses, but it's not using nearly as much CPU. Unfortunately, I'm stuck with RHEL8 RPMs so can't update to 1.3.3.

stevegrubb commented 3 months ago

There are some accesses that can be ruled on without needing the mime-type. So, let those go ahead. By making it first, all accesses have to look it up even if not needed. The order of the rules makes a difference. It is a top-down first match wins system. Somewhere around the 60's should be the right place because it has already ruled on the system things and this should be where application specific rules live. (Also by being the first rule, all system access has to evaluate the rule even though not applicable to the majority of cases.)

hmkash commented 3 months ago

Thanks for the explanation. This should probably be documented better.
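To make the rule-ordering argument in the thread concrete, the following is a simplified model of top-down, first-match evaluation with lazy attribute lookup. It is an added illustration, not fapolicyd's code; it assumes that a rule's attributes are checked in the order written, that naming ftype in a rule triggers the mime lookup even for ftype=any (as the thread describes), and that the result is cached per access. TRUSTED, SPLUNK, Access and the sample accesses are constructed stand-ins, with TRUSTED standing in for the stock rules that normally precede an application rule placed in the 60s.

```python
from collections import namedtuple

# path, perm ("execute"/"open"), trust (1 if in the trust db), mime (what a lookup would return)
Access = namedtuple("Access", "path perm trust mime")

class LazyObject:
    """Object side of an access: ftype is only computed when a rule asks for it."""
    def __init__(self, access, counter):
        self.access, self.counter, self._ftype = access, counter, None

    def attr(self, name):
        if name != "ftype":
            return getattr(self.access, name)
        if self._ftype is None:
            self.counter["mime_lookups"] += 1  # stands in for the costly mime lookup
            self._ftype = self.access.mime
        return self._ftype

def matches(rule, obj):
    """Attributes are checked in the order written; naming ftype fetches it even for 'any'."""
    for attr, value in rule[1].items():
        if attr == "dir":
            if not obj.attr("path").startswith(value):
                return False
        elif str(obj.attr(attr)) != value and value != "any":
            return False
    return True

def evaluate(rules, accesses):
    """Top-down, first match wins. Returns (decisions, number of mime lookups)."""
    counter, decisions = {"mime_lookups": 0}, []
    for access in accesses:
        obj = LazyObject(access, counter)
        decisions.append(next((r[0] for r in rules if matches(r, obj)), "deny"))
    return decisions, counter["mime_lookups"]

# Rules are (decision, {attribute: value}); TRUSTED stands in for the stock rules ahead of the 60s.
TRUSTED = ("allow", {"perm": "any", "trust": "1"})
SPLUNK = ("allow", {"perm": "any", "dir": "/opt/splunk/", "ftype": "any", "trust": "0"})

ACCESSES = [  # constructed sample accesses, not real Splunk traffic
    Access("/opt/splunk/bin/splunkd", "execute", 1, "application/x-executable"),
    Access("/opt/splunk/var/log/splunkd.log", "open", 0, "text/plain"),
    Access("/opt/splunk/etc/system/local/server.conf", "open", 1, "text/plain"),
    Access("/usr/bin/ls", "execute", 1, "application/x-executable"),
    Access("/tmp/unknown.sh", "open", 0, "text/x-shellscript"),
]
RULE_FIRST = evaluate([SPLUNK, TRUSTED], ACCESSES)  # 3 lookups: every Splunk access
RULE_LATER = evaluate([TRUSTED, SPLUNK], ACCESSES)  # 1 lookup, identical decisions
```

The decisions are the same in both orders; only the number of mime lookups changes, which is the cost the thread is discussing.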