Fix orientation detection for Asus Transformer T100TAF, copied T100TA rule

Many sandboxing options add implicit DeviceAllow rules, which might be confusing
for users running systemd-analyze security and not expecting it.
Print the list.

Fixes https://github.com/systemd/systemd/issues/23185

hwdb.d/60-sensor.hwdb

@@ -123,6 +123,7 @@ sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT300CHI:*
 
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnM80TA:*
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TA:*
+sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TAF:*
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT200TA:*
  ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
 

src/analyze/analyze-security.c

@@ -100,7 +100,7 @@ typedef struct SecurityInfo {
 
         bool delegate;
         char *device_policy;
-        bool device_allow_non_empty;
+        char **device_allow;
 
         Set *system_call_architectures;
 
@@ -168,6 +168,7 @@ static SecurityInfo *security_info_free(SecurityInfo *i) {
         free(i->notify_access);
 
         free(i->device_policy);
+        strv_free(i->device_allow);
 
         strv_free(i->supplementary_groups);
         set_free(i->system_call_architectures);
@@ -539,19 +540,16 @@ static int assess_system_call_architectures(
                 uint64_t *ret_badness,
                 char **ret_description) {
 
-        uint32_t native = 0;
         char *d;
         uint64_t b;
 
         assert(ret_badness);
         assert(ret_description);
 
-        assert_se(seccomp_arch_from_string("native", &native) >= 0);
-
         if (set_isempty(info->system_call_architectures)) {
                 b = 10;
                 d = strdup("Service may execute system calls with all ABIs");
-        } else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
+        } else if (set_contains(info->system_call_architectures, "native") &&
                    set_size(info->system_call_architectures) == 1) {
                 b = 0;
                 d = strdup("Service may execute system calls only with native ABI");
@@ -723,8 +721,14 @@ static int assess_device_allow(
 
         if (STRPTR_IN_SET(info->device_policy, "strict", "closed")) {
 
-                if (info->device_allow_non_empty) {
+                if (!strv_isempty(info->device_allow)) {
-                        d = strdup("Service has a device ACL with some special devices");
+                        _cleanup_free_ char *join = NULL;
+
+                        join = strv_join(info->device_allow, " ");
+                        if (!join)
+                                return log_oom();
+
+                        d = strjoin("Service has a device ACL with some special devices: ", join);
                         b = 5;
                 } else {
                         d = strdup("Service has a minimal device ACL");
@@ -2262,7 +2266,6 @@ static int property_read_device_allow(
                 void *userdata) {
 
         SecurityInfo *info = userdata;
-        size_t n = 0;
         int r;
 
         assert(bus);
@@ -2282,11 +2285,11 @@ static int property_read_device_allow(
                 if (r == 0)
                         break;
 
-                n++;
+                r = strv_extendf(&info->device_allow, "%s:%s", name, policy);
+                if (r < 0)
+                        return r;
         }
 
-        info->device_allow_non_empty = n > 0;
-
         return sd_bus_message_exit_container(m);
 }
 
@@ -2574,11 +2577,20 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
                                 return log_oom();
                 }
                 info->_umask = c->umask;
-                if (c->syscall_archs) {
+
-                        info->system_call_architectures = set_copy(c->syscall_archs);
+#if HAVE_SECCOMP
-                        if (!info->system_call_architectures)
+                SET_FOREACH(key, c->syscall_archs) {
+                        const char *name;
+
+                        name = seccomp_arch_to_string(PTR_TO_UINT32(key) - 1);
+                        if (!name)
+                                continue;
+
+                        if (set_put_strdup(&info->system_call_architectures, name) < 0)
                                 return log_oom();
                 }
+#endif
+
                 info->system_call_filter_allow_list = c->syscall_allow_list;
                 if (c->syscall_filter) {
                         info->system_call_filter = hashmap_copy(c->syscall_filter);
@@ -2616,7 +2628,13 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
 
                 info->ip_filters_custom_ingress = !strv_isempty(g->ip_filters_ingress);
                 info->ip_filters_custom_egress = !strv_isempty(g->ip_filters_egress);
-                info->device_allow_non_empty = !LIST_IS_EMPTY(g->device_allow);
+
+                LIST_FOREACH(device_allow, a, g->device_allow)
+                        if (strv_extendf(&info->device_allow,
+                                         "%s:%s%s%s",
+                                         a->path,
+                                         a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "") < 0)
+                                return log_oom();
         }
 
         *ret_info = TAKE_PTR(info);

src/basic/stat-util.c

@@ -106,7 +106,7 @@ int dir_is_empty_at(int dir_fd, const char *path) {
         msan_unpoison(&buffer, n);
 
         FOREACH_DIRENT_IN_BUFFER(de, &buffer.de, n)
-                if (!dot_or_dot_dot(de->d_name))
+                if (!hidden_or_backup_file(de->d_name))
                         return 0;
 
         return 1;

src/test/test-stat-util.c

@@ -151,7 +151,7 @@ TEST(fd_is_ns) {
 
 TEST(dir_is_empty) {
         _cleanup_(rm_rf_physical_and_freep) char *empty_dir = NULL;
-        _cleanup_free_ char *j = NULL, *jj = NULL;
+        _cleanup_free_ char *j = NULL, *jj = NULL, *jjj = NULL;
 
         assert_se(dir_is_empty_at(AT_FDCWD, "/proc") == 0);
         assert_se(dir_is_empty_at(AT_FDCWD, "/icertainlydontexistdoi") == -ENOENT);
@@ -169,11 +169,17 @@ TEST(dir_is_empty) {
         assert_se(jj);
         assert_se(touch(jj) >= 0);
 
+        jjj = path_join(empty_dir, ".qqq");
+        assert_se(jjj);
+        assert_se(touch(jjj) >= 0);
+
         assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) == 0);
         assert_se(unlink(j) >= 0);
         assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) == 0);
         assert_se(unlink(jj) >= 0);
         assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
+        assert_se(unlink(jjj) >= 0);
+        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
 }
 
 static int intro(void) {

test/units/testsuite-65.sh

@@ -68,6 +68,7 @@ rm /tmp/testfile2.service
 cat <<EOF >/tmp/testfile.service
 [Service]
 ExecStart = echo hello
+DeviceAllow=/dev/sda
 EOF
 
 # Prevent regression from #13380 and #20859 where we can't verify hidden files
@@ -94,6 +95,9 @@ systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
     && { echo 'unexpected success'; exit 1; }
 set -e
 
+# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
+systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
+
 rm /tmp/testfile.service
 
 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
@@ -600,6 +604,8 @@ if systemd-analyze --version | grep -q -F "+ELFUTILS"; then
     systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"'
 fi
 
+systemd-analyze --threshold=90 security systemd-journald.service
+
 systemd-analyze log-level info
 
 echo OK >/testok