device interface denied list: keep order

qubes/api/admin.py

@@ -1659,9 +1659,6 @@ async def vm_device_denied_add(self, untrusted_payload):
         payload = untrusted_payload.decode("ascii", errors="strict")
         to_add = DeviceInterface.from_str_bulk(payload)
 
-        if not to_add:
-            return
-
         if len(set(to_add)) != len(to_add):
             raise qubes.exc.QubesValueError(
                 "Duplicated device interfaces in payload.")
@@ -1695,9 +1692,6 @@ async def vm_device_denied_remove(self, untrusted_payload):
         else:
             to_remove = denied.copy()
 
-        if not to_remove:
-            return
-
         if len(set(to_remove)) != len(to_remove):
             raise qubes.exc.QubesValueError(
                 "Duplicated device interfaces in payload.")

qubes/tests/api_admin.py

@@ -3938,7 +3938,7 @@ def test_663_vm_device_denied_add_multiple(self):
         self.call_mgmt_func(b"admin.vm.device.denied.Add", b"test-vm1",
                             b"", b"uabcdefm******")
         self.assertEqual(self.vm.devices_denied,
-                         "b******p012345p53**2*uabcdefm******")
+                         "b******m******p012345p53**2*uabcdef")
         self.assertTrue(self.app.save.called)
 
     def test_664_vm_device_denied_add_repeated(self):

qubes/vm/qubesvm.py

@@ -141,7 +141,8 @@ def _setter_denied_list(self, prop, value):
         return value
 
     # remove duplicates
-    value = "".join(map(repr, set(DeviceInterface.from_str_bulk(value))))
+    value = "".join(
+        sorted(map(repr, set(DeviceInterface.from_str_bulk(value)))))
 
     # The requirements for the interface encoding are more relaxed
     #   in the DeviceInterface class compared to the denied list.