Tutorials.txt

Ideas for (video) tutorials:

Introduction to R and AppArmor (1/3)
-------------------------------

First of a couple of videos to introduce the RAppArmor package.

The RAppArmor package is an R package for Linux to enforce security
policies and hardware restrictions on R sessions.

Available on CRAN and Github

If you want to know more after watching this video
Find references and installation instructions on the Github page.
Also is a draft of a paper.

 - Why security? 
  - Contributed Code.
  - More control over hardware. 
  - Services

Linux kernel loads profiles in the /etc/apparmor.d/ directory. 
Show the usr.r.bin profile: path to R.
whereis R => same path.

  - try reading / /tmp /var/log/syslog, ~/Documents
  - sudo aa-enforce usr.bin.r
  - try again
  
The AppArmor profile makes Linux enforce Mandatory access control.
The process can only access resources explicitly named in the profile.
This is not some trick in R. In fact, R doesn't even know it is being sandboxed.
The Linux operating system is enforcing these restrictions. 

Next video: dynamically apply these security policies to active R process.

  

The RAppArmor package (2/3)
------------------------

 - Switch dynamically into security profiles for part of the sandbox.
 - aa_getcon, aa_change_profile, aa_change_hat, aa_is_enabled
 - rlimit_as, rlimit_cpu, rlimit_nproc
 - setpriority
 - (root) setuid/setgid
 - eval.secure: apply to a single evaluation, without side effects.
 

Profile Design (3/3)
--------------------

 - AppArmor syntax
 - debugging using kern.log, syslog 
 - learning with aa-complain and aa-logprof (not perfect)
 - Capabilities, network rules, etc  
 - Compile/Mem/Exec permissions
 
 
Application: simple reporting server
------------------------------------
 
 - Simple webserver with Rook, Knitr and RAppArmor
 - Secure evaluation