Bindings to AppArmor and Security Related Linux Tools

Bindings to various methods in the kernel for enforcing security restrictions. AppArmor can apply mandatory access control (MAC) policies on a given task (process) via security profiles with detailed ACL definitions. In addition the package has kernel bindings for setting the process hardware resource limits (rlimit), uid, gid, affinity and priority. The high level R function '' builds on these methods to do dynamic sandboxing: it evaluates a single R expression within a temporary fork which acts as a sandbox by enforcing fine grained restrictions without affecting the main R process. Recent versions on this package can also be installed on systems without libapparmor, in which case some features are automatically disabled.



  • Advertise that package can be installed on non-apparmor systems
  • Improve onAttach message on non-apparmor systems


  • Configure script automatically sets NO_APPARMOR if kernel was built without AppArmor
  • Disable unit tests for CMD check due to CRAN issues


  • Complete rewrite using .Call instead of .C interface
  • Use configure-vars='NO_APPARMOR=1' to build on Fedora / CentOS 7
  • Workaround for race condition in parallel::mccollect()


  • Add timer to for better error messages
  • Add 0.01s of pause in
  • Fix some unit tests
  • Change closeAllConnections default to FALSE


  • changed method to find in configure file to work on recent distributions.
  • adding closeAllConnections argument to


  • Remove setInteractive code. CRAN no longer allows this, and mcparallel now disables interactivity by default.
  • Move 'debian' dir from root into /tools/
  • Added JSS PDF and CITATION files
  • Bump to 1.0.0 to official release with JSS publication.


  • wrapped rlimit examples in \dontrun{} blocks.
  • wrapped setaffinity example in \dontrun() block.
  • updated and renamed vignette.


  • modified license.
  • turned JSS paper into vignette


  • minor improvement to kill child of


  • Bump version to signify release to CRAN.


  • added unittests function
  • added stuff to prevent interactivity in
  • small fixes and renames


  • added setinteractive function
  • added 'interactive' parameter to
  • more unit tests


  • Started adding unit tests
  • New internal function errno()
  • Linux error messages for all calls (based on errno.h)


  • Added .onAttach diagnostics
  • Added error messages to aa_getcon and aa_is_enabled.


  • added setaffinity, getaffinity, getaffinity_count, nproc
  • updated to support affinity
  • updated URL and OS_type fields in DESCRIPTION
  • added some references to the documentation


  • using pgid to kill potential forks
  • added verbose parameters to suppress C output
  • bugfix when the output has multiple classes

Reference manual

It appears you don't have a PDF plugin for this browser. You can click here to download the reference manual.


2.0.2 by Jeroen Ooms, 2 years ago

Report a bug at

Browse source code at

Authors: Jeroen Ooms

Documentation:   PDF Manual  

Apache License (== 2.0) license

Imports parallel

Depends on tools

Suggests testthat, R.rsp

System requirements: linux (>= 3.0), libapparmor-dev (optional)

See at CRAN