2026-04-26 17:04:50 +02:00
5 changed files with 17 additions and 48 deletions
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -123,7 +123,6 @@ sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT300CHI:*

 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnM80TA:*
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TA:*
-sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TAF:*
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT200TA:*
 ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1

--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@ -100,7 +100,7 @@ typedef struct SecurityInfo {

        bool delegate;
        char *device_policy;
-        char **device_allow;
+        bool device_allow_non_empty;

        Set *system_call_architectures;

@ -168,7 +168,6 @@ static SecurityInfo *security_info_free(SecurityInfo *i) {
        free(i->notify_access);

        free(i->device_policy);
-        strv_free(i->device_allow);

        strv_free(i->supplementary_groups);
        set_free(i->system_call_architectures);
@ -540,16 +539,19 @@ static int assess_system_call_architectures(
                uint64_t *ret_badness,
                char **ret_description) {

+        uint32_t native = 0;
        char *d;
        uint64_t b;

        assert(ret_badness);
        assert(ret_description);

+        assert_se(seccomp_arch_from_string("native", &native) >= 0);
+
        if (set_isempty(info->system_call_architectures)) {
                b = 10;
                d = strdup("Service may execute system calls with all ABIs");
-        } else if (set_contains(info->system_call_architectures, "native") &&
+        } else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
                   set_size(info->system_call_architectures) == 1) {
                b = 0;
                d = strdup("Service may execute system calls only with native ABI");
@ -721,14 +723,8 @@ static int assess_device_allow(

        if (STRPTR_IN_SET(info->device_policy, "strict", "closed")) {

-                if (!strv_isempty(info->device_allow)) {
-                        _cleanup_free_ char *join = NULL;
-
-                        join = strv_join(info->device_allow, " ");
-                        if (!join)
-                                return log_oom();
-
-                        d = strjoin("Service has a device ACL with some special devices: ", join);
+                if (info->device_allow_non_empty) {
+                        d = strdup("Service has a device ACL with some special devices");
                        b = 5;
                } else {
                        d = strdup("Service has a minimal device ACL");
@ -2266,6 +2262,7 @@ static int property_read_device_allow(
                void *userdata) {

        SecurityInfo *info = userdata;
+        size_t n = 0;
        int r;

        assert(bus);
@ -2285,11 +2282,11 @@ static int property_read_device_allow(
                if (r == 0)
                        break;

-                r = strv_extendf(&info->device_allow, "%s:%s", name, policy);
-                if (r < 0)
-                        return r;
+                n++;
        }

+        info->device_allow_non_empty = n > 0;
+
        return sd_bus_message_exit_container(m);
 }

@ -2577,20 +2574,11 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
                                return log_oom();
                }
                info->_umask = c->umask;
-
-#if HAVE_SECCOMP
-                SET_FOREACH(key, c->syscall_archs) {
-                        const char *name;
-
-                        name = seccomp_arch_to_string(PTR_TO_UINT32(key) - 1);
-                        if (!name)
-                                continue;
-
-                        if (set_put_strdup(&info->system_call_architectures, name) < 0)
+                if (c->syscall_archs) {
+                        info->system_call_architectures = set_copy(c->syscall_archs);
+                        if (!info->system_call_architectures)
                                return log_oom();
                }
-#endif
-
                info->system_call_filter_allow_list = c->syscall_allow_list;
                if (c->syscall_filter) {
                        info->system_call_filter = hashmap_copy(c->syscall_filter);
@ -2628,13 +2616,7 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security

                info->ip_filters_custom_ingress = !strv_isempty(g->ip_filters_ingress);
                info->ip_filters_custom_egress = !strv_isempty(g->ip_filters_egress);
-
-                LIST_FOREACH(device_allow, a, g->device_allow)
-                        if (strv_extendf(&info->device_allow,
-                                         "%s:%s%s%s",
-                                         a->path,
-                                         a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "") < 0)
-                                return log_oom();
+                info->device_allow_non_empty = !LIST_IS_EMPTY(g->device_allow);
        }

        *ret_info = TAKE_PTR(info);
--- a/src/basic/stat-util.c
+++ b/src/basic/stat-util.c
@ -106,7 +106,7 @@ int dir_is_empty_at(int dir_fd, const char *path) {
        msan_unpoison(&buffer, n);

        FOREACH_DIRENT_IN_BUFFER(de, &buffer.de, n)
-                if (!hidden_or_backup_file(de->d_name))
+                if (!dot_or_dot_dot(de->d_name))
                        return 0;

        return 1;
--- a/src/test/test-stat-util.c
+++ b/src/test/test-stat-util.c
@ -151,7 +151,7 @@ TEST(fd_is_ns) {

 TEST(dir_is_empty) {
        _cleanup_(rm_rf_physical_and_freep) char *empty_dir = NULL;
-        _cleanup_free_ char *j = NULL, *jj = NULL, *jjj = NULL;
+        _cleanup_free_ char *j = NULL, *jj = NULL;

        assert_se(dir_is_empty_at(AT_FDCWD, "/proc") == 0);
        assert_se(dir_is_empty_at(AT_FDCWD, "/icertainlydontexistdoi") == -ENOENT);
@ -169,17 +169,11 @@ TEST(dir_is_empty) {
        assert_se(jj);
        assert_se(touch(jj) >= 0);

-        jjj = path_join(empty_dir, ".qqq");
-        assert_se(jjj);
-        assert_se(touch(jjj) >= 0);
-
        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) == 0);
        assert_se(unlink(j) >= 0);
        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) == 0);
        assert_se(unlink(jj) >= 0);
        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
-        assert_se(unlink(jjj) >= 0);
-        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
 }

 static int intro(void) {
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@ -68,7 +68,6 @@ rm /tmp/testfile2.service
 cat <<EOF >/tmp/testfile.service
 [Service]
 ExecStart = echo hello
-DeviceAllow=/dev/sda
 EOF

 # Prevent regression from #13380 and #20859 where we can't verify hidden files
@ -95,9 +94,6 @@ systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
    && { echo 'unexpected success'; exit 1; }
 set -e

-# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
-systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
-
 rm /tmp/testfile.service

 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
@ -604,8 +600,6 @@ if systemd-analyze --version | grep -q -F "+ELFUTILS"; then
    systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"'
 fi

-systemd-analyze --threshold=90 security systemd-journald.service
-
 systemd-analyze log-level info

 echo OK >/testok