-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlD+p2QACgkQrlYvE4MpobNHdgCgt6a3x83ZaBU7iewgyTwSRr5q
408AoMmlncdTp3PYSeGJoox5L3CvgWJf
=Tk3C
-----END PGP SIGNATURE-----
>From 3a27bbc9805071b5c93bb80c2f7ae1af96269dee Mon Sep 17 00:00:00 2001
From: rhatdan <dwalsh@xxxxxxxxxx>
Date: Thu, 25 Oct 2012 07:40:27 -0400
Subject: [PATCH 48/84] policycoreutils: qualifier to shred content
Add a new sandbox option to run /usr/bin/shred on all files in the temp
directories before thye are deleted.
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
policycoreutils/sandbox/sandbox | 14 ++++++++++++++
policycoreutils/sandbox/sandbox.8 | 7 +++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 6760bc1..b629006 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -309,6 +309,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
parser.add_option("-S", "--session", action="store_true", dest="session",
default=False, help=_("run complete desktop session within sandbox"))
+ parser.add_option("-s", "--shred", action="store_true", dest="shred",
+ default=False, help=_("Shred content before tempory directories are removed"))
+
parser.add_option("-X", dest="X_ind",
action="callback", callback=self.__x_callback,
default=False, help=_("run X application within a sandbox"))
@@ -466,9 +469,20 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
savefile(dest, i, self.__options.X_ind)
if self.__homedir and not self.__options.homedir:
+ if self.__options.shred:
+ self.shred(self.__homedir)
shutil.rmtree(self.__homedir)
if self.__tmpdir and not self.__options.tmpdir:
+ if self.__options.shred:
+ self.shred(self.__homedir)
shutil.rmtree(self.__tmpdir)
+
+ def shred(self, path):
+ for root, dirs, files in os.walk(path):
+ for f in files:
+ dest = root + "/" + f
+ subprocess.Popen(["/usr/bin/shred",dest]).wait()
+
def main(self):
try:
self.__parse_options()
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index 00d9b37..521afcd 100644
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@@ -3,11 +3,11 @@
sandbox \- Run cmd under an SELinux sandbox
.SH SYNOPSIS
.B sandbox
-[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
.br
.B sandbox
-[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
.br
.SH DESCRIPTION
.PP
@@ -39,6 +39,9 @@ Specify the MLS/MCS Security Level to run the sandbox with. Defaults to random.
\fB\-M\fR
Create a Sandbox with temporary files for $HOME and /tmp.
.TP
+\fB\-s\fR \fB\--shred\fR
+Shred temporary files created in $HOME and /tmp, before deleting.
+.TP
\fB\-t type\fR
Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
--
1.8.1
