analyze security: print DeviceAllow list
authorLuca Boccassi <bluca@debian.org>
Sat, 30 Apr 2022 22:29:10 +0000 (23:29 +0100)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sun, 1 May 2022 04:43:01 +0000 (13:43 +0900)
Many sandboxing options add implicit DeviceAllow rules, which might be confusing
for users running systemd-analyze security and not expecting it.
Print the list.

Fixes https://github.com/systemd/systemd/issues/23185

src/analyze/analyze-security.c
test/units/testsuite-65.sh

index 102722bbc0f07525089da758bf4a022779ad4661..5b4d4caf46af3e06c6241b755d826d1252ba2db1 100644 (file)
@@ -100,7 +100,7 @@ typedef struct SecurityInfo {
 
         bool delegate;
         char *device_policy;
-        bool device_allow_non_empty;
+        char **device_allow;
 
         Set *system_call_architectures;
 
@@ -168,6 +168,7 @@ static SecurityInfo *security_info_free(SecurityInfo *i) {
         free(i->notify_access);
 
         free(i->device_policy);
+        strv_free(i->device_allow);
 
         strv_free(i->supplementary_groups);
         set_free(i->system_call_architectures);
@@ -720,8 +721,14 @@ static int assess_device_allow(
 
         if (STRPTR_IN_SET(info->device_policy, "strict", "closed")) {
 
-                if (info->device_allow_non_empty) {
-                        d = strdup("Service has a device ACL with some special devices");
+                if (!strv_isempty(info->device_allow)) {
+                        _cleanup_free_ char *join = NULL;
+
+                        join = strv_join(info->device_allow, " ");
+                        if (!join)
+                                return log_oom();
+
+                        d = strjoin("Service has a device ACL with some special devices: ", join);
                         b = 5;
                 } else {
                         d = strdup("Service has a minimal device ACL");
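Review bot: The result of `d = strjoin(...)` is not NULL-checked inside this hunk; assess_device_allow continues past the hunk, so the existing OOM check that covered the former strdup() presumably still applies on this branch, but that is worth confirming since the new path now allocates twice. As a point of style, the temporary can be declared and initialised in one statement, `_cleanup_free_ char *join = strv_join(info->device_allow, " ");`, dropping the separate `join = ...` assignment and the blank line between them.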
@@ -2259,7 +2266,6 @@ static int property_read_device_allow(
                 void *userdata) {
 
         SecurityInfo *info = userdata;
-        size_t n = 0;
         int r;
 
         assert(bus);
@@ -2279,11 +2285,11 @@ static int property_read_device_allow(
                 if (r == 0)
                         break;
 
-                n++;
+                r = strv_extendf(&info->device_allow, "%s:%s", name, policy);
+                if (r < 0)
+                        return r;
         }
 
-        info->device_allow_non_empty = n > 0;
-
         return sd_bus_message_exit_container(m);
 }
 
@@ -2622,7 +2628,13 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
 
                 info->ip_filters_custom_ingress = !strv_isempty(g->ip_filters_ingress);
                 info->ip_filters_custom_egress = !strv_isempty(g->ip_filters_egress);
-                info->device_allow_non_empty = !LIST_IS_EMPTY(g->device_allow);
+
+                LIST_FOREACH(device_allow, a, g->device_allow)
+                        if (strv_extendf(&info->device_allow,
+                                         "%s:%s%s%s",
+                                         a->path,
+                                         a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "") < 0)
+                                return log_oom();
         }
 
         *ret_info = TAKE_PTR(info);
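Review bot: Allocation failure from strv_extendf() is reported differently at the two sites that build the same list: this loop returns `log_oom()`, while the property_read_device_allow hunk above returns the raw `r` from `if (r < 0) return r;`. Both sites render entries in the same `path:perms` layout, so they should also agree on error reporting; whichever convention the file's other property readers follow, aligning the bus path with `if (r < 0) return log_oom();` (or this site with a plain return) would keep them consistent. get_security_info begins before this hunk, so how the returned error is surfaced by its caller is not visible here.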
index 38403a45b7639a5f5e06bc34715b06d3788bdf98..393297b17f4e4681f370c4afe2e5cf319ca418ed 100755 (executable)
@@ -68,6 +68,7 @@ rm /tmp/testfile2.service
 cat <<EOF >/tmp/testfile.service
 [Service]
 ExecStart = echo hello
+DeviceAllow=/dev/sda
 EOF
 
 # Prevent regression from #13380 and #20859 where we can't verify hidden files
@@ -94,6 +95,9 @@ systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
     && { echo 'unexpected success'; exit 1; }
 set -e
 
+# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
+systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
+
 rm /tmp/testfile.service
 
 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
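Review bot: The new assertion only exercises `--offline=true`, so the D-Bus path in property_read_device_allow, which builds the same list from the DeviceAllow property, is not covered by this test. The check is also loose: `grep -q -F "/dev/sda"` passes as long as the path appears anywhere in the output, not necessarily in the device ACL line. If the entry added to the fixture renders with its default permission suffix, matching the full entry, e.g. `grep -q -F "/dev/sda:rwm"`, would pin the new `path:perms` rendering as well; confirm the default first.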