analyze security: print DeviceAllow list

Many sandboxing options add implicit DeviceAllow rules, which might be confusing for users running systemd-analyze security and not expecting it. Print the list. Fixes https://github.com/systemd/systemd/issues/23185
author: Luca Boccassi <bluca@debian.org> 2022-05-01 00:29:10 +0200
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2022-05-01 06:43:01 +0200
commit: 6a59dfa108997f5022e1d0fd9acc4ed79c9686b8 (patch)
tree: 2624b5221e366071232c8f2e64c5cfbf8d54de1a /test
parent: analyze: fix crash with online security check (diff)
download: systemd-6a59dfa108997f5022e1d0fd9acc4ed79c9686b8.tar.xz
systemd-6a59dfa108997f5022e1d0fd9acc4ed79c9686b8.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index 38403a45b7..393297b17f 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -68,6 +68,7 @@ rm /tmp/testfile2.service
 cat <<EOF >/tmp/testfile.service
 [Service]
 ExecStart = echo hello
+DeviceAllow=/dev/sda
 EOF
 
 # Prevent regression from #13380 and #20859 where we can't verify hidden files
@@ -94,6 +95,9 @@ systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
     && { echo 'unexpected success'; exit 1; }
 set -e
 
+# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
+systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
+
 rm /tmp/testfile.service
 
 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
author	Luca Boccassi <bluca@debian.org>	2022-05-01 00:29:10 +0200
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2022-05-01 06:43:01 +0200
commit	6a59dfa108997f5022e1d0fd9acc4ed79c9686b8 (patch)
tree	2624b5221e366071232c8f2e64c5cfbf8d54de1a /test
parent	analyze: fix crash with online security check (diff)
download	systemd-6a59dfa108997f5022e1d0fd9acc4ed79c9686b8.tar.xz systemd-6a59dfa108997f5022e1d0fd9acc4ed79c9686b8.zip