In profile set A I have 120 profiles then in profile set B I have the same 120 profile names but with different rules. If I use apparmor_parser -r on A, then B, then A, etc, eventually OOM is triggered.
Reproducer (I did it with a 768M i386 17.10 desktop install in a VM, but am told that amd64 is affected too, just takes longer):
$ wget http://people.canonical.com/~jamie/aa/bug.tar.gz
$ tar -zxvf ./bug.tar.gz
$ while /bin/true ; do for i in bug/orig/* bug/new/* ; do sudo apparmor_parser --write-cache -O no-expr-simplify --cache-loc=/var/cache/apparmor --quiet -r $i ; done ; done
I tested this with the 4.13 artful release and -updates kernels (ie, before meltdown/spectre and after) with the same result. I'm told the bionic kernel is also affected. 4.10 may also be affected.
First reported here: https://forum.snapcraft.io/t/oom-for-interfaces-many-on-bionic-i386/4101
From IRC:
07:06 <@jdstrand> mvo: hey, so jjohansen looked at the memory issue quite a bit yesterday. the summary is that the profiles themselves are is a small leak (*much* smaller than 30M; on the order of 2M after processing all the profiles in /var (if I'm reading jj's numbers right))
07:07 <@jdstrand> mvo: so it seems that the system was already under memory pressure, and that straw caused it to oom, but it was simply the straw that broke the camel's back. there were many more straws before it
07:08 <@jdstrand> mvo: jjohansen said he'll contine searching for that small leak. he's also investigating reducing that 30M by quite a bit