!37 rewrite patch: do not create allow file while the command does not exist

From: @gys66
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001

do-not-create-allow-file-while-the-command-does-not-.patch

@@ -1,19 +1,19 @@
-From 33a1b6f6006a6481de1b59ee3a8d5c0706830b71 Mon Sep 17 00:00:00 2001
+From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
 From: guoxiaoqi <guoxiaoqi2@huawei.com>
-Date: Thu, 4 Mar 2021 09:31:35 +0800
+Date: Thu, 18 Mar 2021 10:51:25 +0800
 Subject: [PATCH] do not create allow file while the command does not exist
 
 Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
 ---
- security-tool.sh | 35 +++++++++++++++++++++++++++++++++++
+ security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
  security.conf    | 12 +++---------
- 2 files changed, 38 insertions(+), 9 deletions(-)
+ 2 files changed, 40 insertions(+), 9 deletions(-)
 
 diff --git a/security-tool.sh b/security-tool.sh
-index c6bc4e7..60e25f8 100644
+index c6bc4e7..e8619f5 100644
 --- a/security-tool.sh
 +++ b/security-tool.sh
-@@ -675,6 +675,33 @@ function fn_handle_ln()
+@@ -675,6 +675,35 @@ function fn_handle_ln()
      return $?
  }
  
@@ -23,15 +23,16 @@ index c6bc4e7..60e25f8 100644
 +#=============================================================================
 +function fn_handle_allow()
 +{
-+    fn_test_params_num 1
++    fn_test_params_num 2
 +
 +    local rpmname=$1
++    local prename=$2
 +    local ret=0
 +
 +    rpm -q "$rpmname"
 +    if [ $? -eq 0 ]; then
-+        local denyfile="$ROOTFS/etc/$rpmname.deny"
++        local denyfile="$ROOTFS/etc/$prename.deny"
-+        local allowfile="$ROOTFS/etc/$rpmname.allow"
++        local allowfile="$ROOTFS/etc/$prename.allow"
 +        rm -rf "$denyfile"
 +        touch "$allowfile"
 +        chown root:root "$allowfile"
@@ -44,33 +45,34 @@ index c6bc4e7..60e25f8 100644
 +
 +    return $ret
 +}
++
  
  #=============================================================================
  # Function Name: fn_harden_rootfs
-@@ -759,6 +786,10 @@ function fn_harden_rootfs()
+@@ -759,6 +788,10 @@ function fn_harden_rootfs()
              fn_handle_ln "$f3" "$f4" "$f5"
              status=$?
              ;;
 +        allow)
-+            fn_handle_allow "$f3"
++            fn_handle_allow "$f3" "$f4"
 +            status=$?
 +            ;;
          *)
              fn_handle_command "$f2" "$f3"
              status=$?
-@@ -861,6 +892,10 @@ IFS=$PRE_IFS
+@@ -861,6 +894,10 @@ IFS=$PRE_IFS
              fn_handle_ln "$f3" "$f4" "$f5"
              status=$?
              ;;
 +        allow)
-+            fn_handle_allow "$f3"
++            fn_handle_allow "$f3" "$f4"
 +            status=$?
 +            ;;
          *)
              fn_handle_command "$f2" "$f3"
              status=$?
 diff --git a/security.conf b/security.conf
-index 30b9f54..75b6ba3 100644
+index 30b9f54..72bb91e 100644
 --- a/security.conf
 +++ b/security.conf
 @@ -140,15 +140,9 @@
@@ -87,10 +89,11 @@ index 30b9f54..75b6ba3 100644
 -215@chown root:root @/etc/cron.allow
 -215@chmod og-rwx @/etc/cron.allow
 +# limit command permissions
-+214@allow@at
++214@allow@at@at
-+215@allow@cron
++215@allow@cronie@cron
  
  #rpm initscripts drop /etc/sysconfig/init defaultly
  216@touch @/etc/sysconfig/init
 -- 
 1.8.3.1
+

security-tool.spec

@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name   : security-tool
 Version: 2.0
-Release: 1.73
+Release: 1.74
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
@@ -119,6 +119,9 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 
 %changelog
+* Thu May 27 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.74
+- rewrite patch: do not create allow file while the command does not exist
+
 * Wed Mar 17 2021 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.73
 - do not create allow file while the command does not exist