| eval.secure {RAppArmor} | R Documentation |
Evaluate in a sandboxed environment.
eval.secure(..., uid, gid, priority, profile, timeout = 60, silent = FALSE, verbose = FALSE, affinity, closeAllConnections = FALSE, RLIMIT_AS, RLIMIT_CORE, RLIMIT_CPU, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_MEMLOCK, RLIMIT_MSGQUEUE, RLIMIT_NICE, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RTPRIO, RLIMIT_RTTIME, RLIMIT_SIGPENDING, RLIMIT_STACK)
... |
arguments passed on to |
uid |
integer or name of linux user. See |
gid |
integer or name of linux group. See |
priority |
priority. Value between -20 and 20. See |
profile |
AppArmor security profile. Has to be preloaded by Linux.
See |
timeout |
timeout in seconds. |
silent |
suppress output on stdout. See |
verbose |
print some C output (TRUE/FALSE) |
affinity |
which cpu(s) to use. See |
closeAllConnections |
closes (and destroys) all user connections.
See |
RLIMIT_AS |
hard limit passed on to |
RLIMIT_CORE |
hard limit passed on to |
RLIMIT_CPU |
hard limit passed on to |
RLIMIT_DATA |
hard limit passed on to |
RLIMIT_FSIZE |
hard limit passed on to |
RLIMIT_MEMLOCK |
hard limit passed on to |
RLIMIT_MSGQUEUE |
hard limit passed on to |
RLIMIT_NICE |
hard limit passed on to |
RLIMIT_NOFILE |
hard limit passed on to |
RLIMIT_NPROC |
hard limit passed on to |
RLIMIT_RTPRIO |
hard limit passed on to |
RLIMIT_RTTIME |
hard limit passed on to |
RLIMIT_SIGPENDING |
hard limit passed on to |
RLIMIT_STACK |
hard limit passed on to |
This function creates a fork, then sets rlimits, uid, gid, priority,
apparmor profile where specified, and then evaluates the expression
inside the fork. The return object of the evaluation is copied to
the parent process and returned by eval.secure. After
evaluation is done, the fork is immediately killed. If the timeout is
reached the fork is also killed and an error is raised.
Evaluation of an expression using eval.secure has no
side effects on the current R session. Any assignments to the global
environment, changes in options, or library loadings done by the
evaluation will get lost, as we explicitly want to prevent this.
Only the return value of the expression will be copied to the
main process. Files saved to disk by the sandboxed evaluation (where
allowed by apparmor profile, etc) will also persist.
Note that if the initial process does not have superuser rights, rlimits can only be decreased and setuid/setgid might not work. In this case, specifying an RLIMIT higher than the current value will result in an error. Some of the rlimits can also be specified inside of the apparmor profile. When a rlimit is set both in the profile and through R, the more restrictive one will be effective.
Jeroen Ooms (2013). The RAppArmor Package: Enforcing Security Policies in R Using Dynamic Sandboxing on Linux. Journal of Statistical Software, 55(7), 1-34. http://www.jstatsoft.org/v55/i07/.
## Not run:
## Restricting file access ##
eval.secure(list.files("/"))
eval.secure(list.files("/"), profile="r-base")
eval.secure(system("ls /", intern=TRUE))
eval.secure(system("ls /", intern=TRUE), profile="r-base")
## Limiting CPU time ##
cputest <- function(){
A <- matrix(rnorm(1e7), 1e3);
B <- svd(A);
}
## setTimeLimit doesn't always work:
setTimeLimit(5);
cputest();
setTimeLimit();
#timeout does work:
eval.secure(cputest(), timeout=5)
## Limiting memory ##
A <- matrix(rnorm(1e8), 1e4);
B <- eval.secure(matrix(rnorm(1e8), 1e4), RLIMIT_AS = 100*1024*1024)
## Limiting procs ##
forkbomb <- function(){
repeat{
parallel::mcparallel(forkbomb());
}
}
## Forkbomb is mitigated ##
eval.secure(forkbomb(), RLIMIT_NPROC=10)
## End(Not run)