policycoreutils: qualifier to shred content

Add a new sandbox option to run /usr/bin/shred on all files in the temp directories before they are deleted. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-10-25 07:40:27 -04:00 · 2012-10-25 07:40:27 -04:00 · 9786fde981
parent 13b599d7b8
commit 9786fde981
2 changed files with 19 additions and 2 deletions
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@ -309,6 +309,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
        parser.add_option("-S", "--session", action="store_true",  dest="session", 
                          default=False,  help=_("run complete desktop session within sandbox"))

+        parser.add_option("-s", "--shred", action="store_true",  dest="shred", 
+                          default=False,  help=_("Shred content before tempory directories are removed"))
+
        parser.add_option("-X", dest="X_ind", 
                          action="callback", callback=self.__x_callback, 
                          default=False,  help=_("run X application within a sandbox"))
@ -466,9 +469,20 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
                                savefile(dest, i, self.__options.X_ind)

                  if self.__homedir and not self.__options.homedir: 
+                         if self.__options.shred:
+                                self.shred(self.__homedir)
                         shutil.rmtree(self.__homedir)
                  if self.__tmpdir and not self.__options.tmpdir:
+                         if self.__options.shred:
+                                self.shred(self.__homedir)
                         shutil.rmtree(self.__tmpdir)
+
+    def shred(self, path):
+        for root, dirs, files in os.walk(path):
+            for f in files:
+                dest = root + "/" + f
+                subprocess.Popen(["/usr/bin/shred",dest]).wait()
+
    def main(self):
        try:
               self.__parse_options()
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@ -3,11 +3,11 @@
 sandbox \- Run cmd under an SELinux sandbox
 .SH SYNOPSIS
 .B sandbox
-[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd

 .br
 .B sandbox
-[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
 .br
 .SH DESCRIPTION
 .PP
@ -39,6 +39,9 @@ Specify the MLS/MCS Security Level to run the sandbox with.  Defaults to random.
 \fB\-M\fR
 Create a Sandbox with temporary files for $HOME and /tmp.
 .TP
+\fB\-s\fR  \fB\--shred\fR
+Shred temporary files created in $HOME and /tmp, before deleting.
+.TP
 \fB\-t type\fR
 Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.