From 66e565d8feb88d0729d81c4705d567cfaee97ff0 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Thu, 18 Mar 2021 10:51:25 +0800
Subject: [PATCH] do not create allow file while the command does not exist
Signed-off-by: guoxiaoqi
---
 security-tool.sh | 37 +++++++++++++++++++++++++++++++++++++
 security.conf | 12 +++---------
 2 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/security-tool.sh b/security-tool.sh
index c6bc4e7..e8619f5 100644
--- a/security-tool.sh
+++ b/security-tool.sh
@@ -675,6 +675,35 @@ function fn_handle_ln()
 return $?
 }

+#=============================================================================
+# Function Name: fn_handle_allow
+# Returns : 0 on success, otherwise on fail
+#=============================================================================
+function fn_handle_allow()
+{
+ fn_test_params_num 2
+
+ local rpmname=$1
+ local prename=$2
+ local ret=0
+
+ rpm -q "$rpmname"
+ if [ $? -eq 0 ]; then
+ local denyfile="$ROOTFS/etc/$prename.deny"
+ local allowfile="$ROOTFS/etc/$prename.allow"
+ rm -rf "$denyfile"
+ touch "$allowfile"
+ chown root:root "$allowfile"
+ chmod og-rwx "$allowfile"
+
+ else
+ ret=1
+ fn_error "package $rpmname does not exist"
+ fi
+
+ return $ret
+}
+
 #=============================================================================
 # Function Name: fn_harden_rootfs
@@ -759,6 +788,10 @@ function fn_harden_rootfs()
 fn_handle_ln "$f3" "$f4" "$f5"
 status=$?
 ;;
+ allow)
+ fn_handle_allow "$f3" "$f4"
+ status=$?
+ ;;
 *)
 fn_handle_command "$f2" "$f3"
 status=$?
@@ -861,6 +894,10 @@ IFS=$PRE_IFS
 fn_handle_ln "$f3" "$f4" "$f5"
 status=$?
 ;;
+ allow)
+ fn_handle_allow "$f3" "$f4"
+ status=$?
+ ;;
 *)
 fn_handle_command "$f2" "$f3"
 status=$?
diff --git a/security.conf b/security.conf
index 30b9f54..72bb91e 100644
--- a/security.conf
+++ b/security.conf
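Review bot: `rpm -q "$rpmname"` in fn_handle_allow queries the build host's RPM database, while the files it gates are written under `$ROOTFS`; if `$ROOTFS` can be anything other than `/`, the allow file is created or skipped based on the wrong system, so query the target instead with `rpm -q --root "${ROOTFS:-/}" "$rpmname" >/dev/null 2>&1` (which also silences the stray package name printed to stdout, and lets the `if` test the command directly instead of `$?`). `rm -rf "$denyfile"` escalates the `rm -f` that the replaced security.conf lines used; the operand is a single file, so `rm -f -- "$denyfile"` removes the recursive-delete exposure should an expansion ever name a directory. `touch "$allowfile"` creates the allow file with the caller's umask and only the later `chmod og-rwx` closes it, so create it restricted from the start, e.g. `(umask 077; touch "$allowfile")`, keeping the chown/chmod for the case where the file already existed. The missing-package branch logs via fn_error and returns 1 even though an absent optional package is exactly the situation this commit is meant to handle; if the caller's `status=$?` is reported as a failed hardening item, a warning-level message and a zero return would describe the outcome more accurately.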
@@ -140,15 +140,9 @@
 213@chown root:root @/etc/cron.monthly
 213@chmod og-rwx @/etc/cron.monthly

-214@rm -f @/etc/at.deny
-214@touch @/etc/at.allow
-214@chown root:root @/etc/at.allow
-214@chmod og-rwx @/etc/at.allow
-
-215@rm -f @/etc/cron.deny
-215@touch @/etc/cron.allow
-215@chown root:root @/etc/cron.allow
-215@chmod og-rwx @/etc/cron.allow
+# limit command permissions
+214@allow@at@at
+215@allow@cronie@cron

 #rpm initscripts drop /etc/sysconfig/init defaultly
 216@touch @/etc/sysconfig/init
-- 
1.8.3.1
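Review bot: The new `allow` entries use a field layout unlike every other line in this file (`id@allow@<rpm>@<name>` rather than `id@<command> @<path>`), and the comment `# limit command permissions` does not say what the two trailing fields are or what the tool does with them, so a maintainer cannot tell from the config alone that `at`/`cronie` are RPM package names and `at`/`cron` are the `/etc/<name>.deny` and `/etc/<name>.allow` basenames. Replace the comment with `# allow@<rpm>@<name>: only if <rpm> is installed, remove /etc/<name>.deny and create an empty root-owned, mode-700 /etc/<name>.allow (intended to leave only root able to use <name>)`. The old lines also made the rpm-absent behaviour visible (they always created the files); a second comment line, `# entries are skipped when <rpm> is not installed`, would record the change in behaviour next to the entries it affects.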