rc.apparmor.functions: take benefit from the parser's automatic parallelization.

parser/rc.apparmor.functions

@@ -169,26 +169,40 @@ parse_profiles() {
 		return 1
 	fi
 
-	for profile in $PROFILE_DIR/*; do
-		skip_profile "${profile}"
-		skip=$?
-		# Ignore skip status == 2 (silent skip)
-		if [ "$skip" -eq 1 ] ; then
-			aa_log_skipped_msg "$profile"
-			logger -t "AppArmor(init)" -p daemon.warn "Skipping profile $profile"
-			STATUS=2
-			continue
-		elif [ "$skip" -ne 0 ]; then
-			continue
-		fi
-		if [ -f "${profile}" ] ; then
-			$PARSER $PARSER_ARGS "$profile" > /dev/null
-			if [ $? -ne 0 ]; then
-				aa_log_failure_msg "$profile failed to load"
-				STATUS=1
+	# Note: the parser automatically skips files that match skip_profile()
+	# when we pass it a directory, but not when we pass it an individual
+	# profile. So we need to use skip_profile only in the latter case,
+	# as long as the parser is in sync' with skip_profile().
+	"$PARSER" $PARSER_ARGS -- "$PROFILE_DIR" || {
+		# FIXME: once the parser properly handles broken profiles
+		# (LP: #1377338), remove the following code and the
+		# skip_profile() function. For now, if the parser returns
+		# an error, just run it again separately on each profile.
+		for profile in $PROFILE_DIR/*; do
+			skip_profile "${profile}"
+			skip=$?
+			# Ignore skip status == 2 (silent skip)
+			if [ "$skip" -eq 1 ] ; then
+				aa_log_skipped_msg "$profile"
+				logger -t "AppArmor(init)" -p daemon.warn \
+					"Skipping profile $profile"
+				continue
+			elif [ "$skip" -ne 0 ]; then
+				continue
 			fi
+			if [ ! -f "${profile}" ] ; then
+				continue
+			fi
+			echo "$profile"
+		done | \
+		# Use xargs to parallelize calls to the parser over all CPUs
+		xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
+			"$PARSER" $PARSER_ARGS --
+		if [ $? -ne 0 ]; then
+			STATUS=1
+			aa_log_failure_msg "At least one profile failed to load"
 		fi
-	done
+	}
 	if [ $STATUS -eq 2 ]; then
 		STATUS=0
 	fi