Fix orientation detection for Asus Transformer T100TAF, copied T100TA rule

analyze security: print DeviceAllow list
Many sandboxing options add implicit DeviceAllow rules, which might be confusing for users running systemd-analyze security and not expecting it. Print the list. Fixes https://github.com/systemd/systemd/issues/23185
2026-04-26 00:45:09 +02:00 · 2022-05-01 13:43:17 +09:00 · 2022-05-01 13:43:01 +09:00 · 2022-05-01 11:47:44 +09:00 · 2022-05-01 11:41:43 +09:00
5 changed files with 48 additions and 17 deletions
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -123,6 +123,7 @@ sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT300CHI:*

 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnM80TA:*
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TA:*
+sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TAF:*
 sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT200TA:*
 ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1

--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@ -100,7 +100,7 @@ typedef struct SecurityInfo {

        bool delegate;
        char *device_policy;
-        bool device_allow_non_empty;
+        char **device_allow;

        Set *system_call_architectures;

@ -168,6 +168,7 @@ static SecurityInfo *security_info_free(SecurityInfo *i) {
        free(i->notify_access);

        free(i->device_policy);
+        strv_free(i->device_allow);

        strv_free(i->supplementary_groups);
        set_free(i->system_call_architectures);
@ -539,19 +540,16 @@ static int assess_system_call_architectures(
                uint64_t *ret_badness,
                char **ret_description) {

-        uint32_t native = 0;
        char *d;
        uint64_t b;

        assert(ret_badness);
        assert(ret_description);

-        assert_se(seccomp_arch_from_string("native", &native) >= 0);
-
        if (set_isempty(info->system_call_architectures)) {
                b = 10;
                d = strdup("Service may execute system calls with all ABIs");
-        } else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
+        } else if (set_contains(info->system_call_architectures, "native") &&
                   set_size(info->system_call_architectures) == 1) {
                b = 0;
                d = strdup("Service may execute system calls only with native ABI");
@ -723,8 +721,14 @@ static int assess_device_allow(

        if (STRPTR_IN_SET(info->device_policy, "strict", "closed")) {

-                if (info->device_allow_non_empty) {
-                        d = strdup("Service has a device ACL with some special devices");
+                if (!strv_isempty(info->device_allow)) {
+                        _cleanup_free_ char *join = NULL;
+
+                        join = strv_join(info->device_allow, " ");
+                        if (!join)
+                                return log_oom();
+
+                        d = strjoin("Service has a device ACL with some special devices: ", join);
                        b = 5;
                } else {
                        d = strdup("Service has a minimal device ACL");
@ -2262,7 +2266,6 @@ static int property_read_device_allow(
                void *userdata) {

        SecurityInfo *info = userdata;
-        size_t n = 0;
        int r;

        assert(bus);
@ -2282,11 +2285,11 @@ static int property_read_device_allow(
                if (r == 0)
                        break;

-                n++;
+                r = strv_extendf(&info->device_allow, "%s:%s", name, policy);
+                if (r < 0)
+                        return r;
        }

-        info->device_allow_non_empty = n > 0;
-
        return sd_bus_message_exit_container(m);
 }

@ -2574,11 +2577,20 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
                                return log_oom();
                }
                info->_umask = c->umask;
-                if (c->syscall_archs) {
-                        info->system_call_architectures = set_copy(c->syscall_archs);
-                        if (!info->system_call_architectures)
+
+#if HAVE_SECCOMP
+                SET_FOREACH(key, c->syscall_archs) {
+                        const char *name;
+
+                        name = seccomp_arch_to_string(PTR_TO_UINT32(key) - 1);
+                        if (!name)
+                                continue;
+
+                        if (set_put_strdup(&info->system_call_architectures, name) < 0)
                                return log_oom();
                }
+#endif
+
                info->system_call_filter_allow_list = c->syscall_allow_list;
                if (c->syscall_filter) {
                        info->system_call_filter = hashmap_copy(c->syscall_filter);
@ -2616,7 +2628,13 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security

                info->ip_filters_custom_ingress = !strv_isempty(g->ip_filters_ingress);
                info->ip_filters_custom_egress = !strv_isempty(g->ip_filters_egress);
-                info->device_allow_non_empty = !LIST_IS_EMPTY(g->device_allow);
+
+                LIST_FOREACH(device_allow, a, g->device_allow)
+                        if (strv_extendf(&info->device_allow,
+                                         "%s:%s%s%s",
+                                         a->path,
+                                         a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "") < 0)
+                                return log_oom();
        }

        *ret_info = TAKE_PTR(info);
--- a/src/basic/stat-util.c
+++ b/src/basic/stat-util.c
@ -106,7 +106,7 @@ int dir_is_empty_at(int dir_fd, const char *path) {
        msan_unpoison(&buffer, n);

        FOREACH_DIRENT_IN_BUFFER(de, &buffer.de, n)
-                if (!dot_or_dot_dot(de->d_name))
+                if (!hidden_or_backup_file(de->d_name))
                        return 0;

        return 1;
--- a/src/test/test-stat-util.c
+++ b/src/test/test-stat-util.c
@ -151,7 +151,7 @@ TEST(fd_is_ns) {

 TEST(dir_is_empty) {
        _cleanup_(rm_rf_physical_and_freep) char *empty_dir = NULL;
-        _cleanup_free_ char *j = NULL, *jj = NULL;
+        _cleanup_free_ char *j = NULL, *jj = NULL, *jjj = NULL;

        assert_se(dir_is_empty_at(AT_FDCWD, "/proc") == 0);
        assert_se(dir_is_empty_at(AT_FDCWD, "/icertainlydontexistdoi") == -ENOENT);
@ -169,11 +169,17 @@ TEST(dir_is_empty) {
        assert_se(jj);
        assert_se(touch(jj) >= 0);

+        jjj = path_join(empty_dir, ".qqq");
+        assert_se(jjj);
+        assert_se(touch(jjj) >= 0);
+
        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) == 0);
        assert_se(unlink(j) >= 0);
        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) == 0);
        assert_se(unlink(jj) >= 0);
        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
+        assert_se(unlink(jjj) >= 0);
+        assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
 }

 static int intro(void) {
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@ -68,6 +68,7 @@ rm /tmp/testfile2.service
 cat <<EOF >/tmp/testfile.service
 [Service]
 ExecStart = echo hello
+DeviceAllow=/dev/sda
 EOF

 # Prevent regression from #13380 and #20859 where we can't verify hidden files
@ -94,6 +95,9 @@ systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
    && { echo 'unexpected success'; exit 1; }
 set -e

+# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
+systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
+
 rm /tmp/testfile.service

 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
@ -600,6 +604,8 @@ if systemd-analyze --version | grep -q -F "+ELFUTILS"; then
    systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"'
 fi

+systemd-analyze --threshold=90 security systemd-journald.service
+
 systemd-analyze log-level info

 echo OK >/testok
Author	SHA1	Message	Date
techtino	ad44259225	Fix orientation detection for Asus Transformer T100TAF, copied T100TA rule	2022-05-01 13:43:17 +09:00
Luca Boccassi	6a59dfa108	analyze security: print DeviceAllow list Many sandboxing options add implicit DeviceAllow rules, which might be confusing for users running systemd-analyze security and not expecting it. Print the list. Fixes https://github.com/systemd/systemd/issues/23185	2022-05-01 13:43:01 +09:00
Luca Boccassi	444d9abd06	analyze: fix crash with online security check 1449b0f8a96b27 fixed seccomp arch check for the offline case, but broke it for the normal case, as when coming from D-Bus the list of seccomp architectures is already converted to string. Fixes https://github.com/systemd/systemd/issues/23224	2022-05-01 11:47:44 +09:00
Luca Boccassi	f470cb6d13	stat-util: ignore hidden_or_backup_file when checking if dir is empty Commit https://github.com/systemd/systemd/commit/a068aceafbf changed dir_is_emtpy_at to use FOREACH_DIRENT_IN_BUFFER instead of FOREACH_DIRENT, but used dot_or_dotdot which just checks if the name is literally '.' or '..' which is not enough, previous behaviour was to ignore all hidden files, so restore that and add a test case. Fixes https://github.com/systemd/systemd/issues/23220	2022-05-01 11:41:43 +09:00