Bindings to AppArmor and Security Related Linux Tools

Bindings to kernel methods for enforcing security restrictions. AppArmor can apply mandatory access control (MAC) policies on a given task (process) via security profiles with detailed ACL definitions. In addition this package implements bindings for setting process resource limits (rlimit), uid, gid, affinity and priority. The high level R function 'eval.secure' builds on these methods to perform dynamic sandboxing: it evaluates a single R expression within a temporary fork which acts as a sandbox by enforcing fine grained restrictions without affecting the main R process. A portable version of this function is now available in the 'unix' package.


News

3.2

  • Move unix from Imports to Depends because many old examples from the paper assume that the rlimit_ functions are attached when using RAppArmor.

3.1

  • Build (mostly dummy) on MacOS so that other packages can depend on RAppArmor and use it on supported systems. Neither apparmor nor affinity works on MacOS but rlimit and priority does work.

3.0

  • The non-apparmor functions have been split out into a separate 'unix' package
  • Replace 'parallel' with the new 'sys::eval_fork()' for eval.secure

2.0.2

  • Advertise that package can be installed on non-apparmor systems
  • Improve onAttach message on non-apparmor systems

2.0.1

  • Configure script automatically sets NO_APPARMOR if kernel was built without AppArmor
  • Disable unit tests for CMD check due to CRAN issues

2.0.0

  • Complete rewrite using .Call instead of .C interface
  • Use configure-vars='NO_APPARMOR=1' to build on Fedora / CentOS 7
  • Workaround for race condition in parallel::mccollect()

1.0.2

  • Add timer to eval.secure for better error messages
  • Add 0.01s of pause in eval.secure
  • Fix some unit tests
  • Change closeAllConnections default to FALSE

1.0.1

  • changed method to find libapparmor.so in configure file to work on recent distributions.
  • adding closeAllConnections argument to eval.secure

1.0.0

  • Remove setInteractive code. CRAN no longer allows this, and mcparallel now disables interactivity by default.
  • Move 'debian' dir from root into /tools/
  • Added JSS PDF and CITATION files
  • Bump to 1.0.0 to official release with JSS publication.

0.8.3:

  • wrapped rlimit examples in \dontrun{} blocks.
  • wrapped setaffinity example in \dontrun() block.
  • updated and renamed vignette.

0.8.2:

  • modified license.
  • turned JSS paper into vignette

0.8.1:

  • minor improvement to kill child of eval.secure

0.8.0:

  • Bump version to signify release to CRAN.

0.7.4:

  • added unittests function
  • added stuff to prevent interactivity in eval.secure
  • small fixes and renames

0.7.3:

  • added setinteractive function
  • added 'interactive' parameter to eval.secure
  • more unit tests

0.7.2:

  • Started adding unit tests
  • New internal function errno()
  • Linux error messages for all calls (based on errno.h)

0.7.1:

  • Added .onAttach diagnostics
  • Added error messages to aa_getcon and aa_is_enabled.

0.7.0:

  • added setaffinity, getaffinity, getaffinity_count, nproc
  • updated eval.secure to support affinity
  • updated URL and OS_type fields in DESCRIPTION
  • added some references to the documentation

0.6.0:

  • using pgid to kill potential forks
  • added verbose parameters to suppress C output
  • bugfix when the output has multiple classes

Reference manual

It appears you don't have a PDF plugin for this browser. You can click here to download the reference manual.

install.packages("RAppArmor")

3.2 by Jeroen Ooms, 5 months ago


http://www.jstatsoft.org/v55/i07/ (paper), http://github.com/jeroen/RAppArmor#readme (devel)


Report a bug at http://github.com/jeroen/RAppArmor/issues


Browse source code at https://github.com/cran/RAppArmor


Authors: Jeroen Ooms [aut, cre]


Documentation:   PDF Manual  


Apache License 2.0 license


Depends on unix

Suggests testthat, R.rsp

System requirements: linux (>= 3.0), libapparmor-dev


See at CRAN