R interfaces to Linux and AppArmor security methods
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
R
debian
examples
inst
man
paper
src
tests
tools
vignettes
.Rbuildignore
.gitignore
.project
.travis.yml
DESCRIPTION
Debian.txt
NAMESPACE
NEWS
OpenSuse.txt
README.md
Tutorials.txt
cleanup
configure

README.md

RAppArmor

A Modern and Flexible Web Client for R

Build Status Coverage Status CRAN_Status_Badge CRAN RStudio mirror downloads Research software impact Github Stars

The R package RAppArmor interfaces to a number of security related methods in the Linux kernel. It supports the following functionality:

  • loading and changing AppArmor profiles and hats to enforce advanced security policies
  • setting RLIMIT values to restrict usage of memory, cpu, disk, etc
  • setting the process priority
  • switching uid/gid of the current process
  • setting the affinity mask of the current process
  • calling an R command with a 'timeout' to kill if it does not return with in n seconds
  • doing all of the above dynamically for a single R call using the eval.secure function

This can be useful for example if to host a public service for users to run R code, or if you are paranoid about running contributed code on your machine.

Documentation

About the R package:

Hello World

Use the eval.secure function to dynamically evaluate a call with a certain AppArmor profile or hardware limits:

list.files("/")
eval.secure(list.files("/"), profile="r-user")

To set hardware limits, use the RLIMIT_XXX arguments:

A <- matrix(rnorm(1e7), 1e4);
B <- eval.secure(matrix(rnorm(1e7), 1e4), RLIMIT_AS = 100*1024*1024);

Installation

The AppArmor linux module is available on the following distributions:

Installing the R package requires libapparmor-dev. The apparmor-utils package is also recommended.

sudo apt-get install -y libapparmor-dev apparmor-utils

One this is installed we can install the R package:

install.packages("RAppArmor")

The R package comes with some handly AppArmor profiles that you need to install manually:

#Install the profiles
cd /usr/local/lib/R/site-library/RAppArmor/
sudo cp -Rf profiles/debian/* /etc/apparmor.d/

#Load the profiles into the kernel
sudo service apparmor restart

#To disable enforcing the global R profile
sudo aa-disable usr.bin.r

To start enforcing the standard R policy:

sudo aa-enforce usr.bin.r

To stop enforcing of the standard policy:

sudo aa-disable usr.bin.r

Please have a look at the JSS paper to understand how to use the software.

Citing

To cite RAppArmor in publications use:

Jeroen Ooms (2013). The RAppArmor Package: Enforcing Security Policies in R Using Dynamic Sandboxing
on Linux. Journal of Statistical Software, 55(7), 1-34. URL http://www.jstatsoft.org/v55/i07/.

A BibTeX entry for LaTeX users is

@Article{RAppArmor,
  title = {The {RAppArmor} Package: Enforcing Security Policies in {R} Using Dynamic Sandboxing on Linux},
  author = {Jeroen Ooms},
  journal = {Journal of Statistical Software},
  year = {2013},
  volume = {55},
  number = {7},
  pages = {1--34},
  url = {http://www.jstatsoft.org/v55/i07/},
}