From 408f72d5d2e8f4613740ea426007c2759bbc25b6 Mon Sep 17 00:00:00 2001
From: Piotr Bartman-Szwarc
Date: Mon, 6 Jan 2025 14:45:41 +0100
Subject: [PATCH] device interface denied list: keep order
---
 qubes/api/admin.py | 6 ------
 qubes/tests/api_admin.py | 2 +-
 qubes/vm/qubesvm.py | 3 ++-
 3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/qubes/api/admin.py b/qubes/api/admin.py
index 1713916a4..6f4d22bed 100644
--- a/qubes/api/admin.py
+++ b/qubes/api/admin.py
@@ -1659,9 +1659,6 @@ async def vm_device_denied_add(self, untrusted_payload):
 payload = untrusted_payload.decode("ascii", errors="strict")
 to_add = DeviceInterface.from_str_bulk(payload)
- if not to_add:
- return
-
 if len(set(to_add)) != len(to_add):
 raise qubes.exc.QubesValueError(
 "Duplicated device interfaces in payload.")
@@ -1695,9 +1692,6 @@ async def vm_device_denied_remove(self, untrusted_payload):
 else:
 to_remove = denied.copy()
- if not to_remove:
- return
-
 if len(set(to_remove)) != len(to_remove):
 raise qubes.exc.QubesValueError(
 "Duplicated device interfaces in payload.")
diff --git a/qubes/tests/api_admin.py b/qubes/tests/api_admin.py
index 314fa23c8..ad9bc8b0d 100644
--- a/qubes/tests/api_admin.py
+++ b/qubes/tests/api_admin.py
@@ -3938,7 +3938,7 @@ def test_663_vm_device_denied_add_multiple(self):
 self.call_mgmt_func(b"admin.vm.device.denied.Add", b"test-vm1", b"", b"uabcdefm******")
 self.assertEqual(self.vm.devices_denied,
- "b******p012345p53**2*uabcdefm******")
+ "b******m******p012345p53**2*uabcdef")
 self.assertTrue(self.app.save.called)
 def test_664_vm_device_denied_add_repeated(self):
diff --git a/qubes/vm/qubesvm.py b/qubes/vm/qubesvm.py
index c578e251e..aa896f328 100644
--- a/qubes/vm/qubesvm.py
+++ b/qubes/vm/qubesvm.py
@@ -141,7 +141,8 @@ def _setter_denied_list(self, prop, value):
 return value
 # remove duplicates
- value = "".join(map(repr, set(DeviceInterface.from_str_bulk(value))))
+ value = "".join(
+ sorted(map(repr, set(DeviceInterface.from_str_bulk(value)))))
 # The requirements for the interface encoding are more relaxed
 # in the DeviceInterface class compared to the denied list.
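Review bot: The `# remove duplicates` comment above the rewritten `value = "".join(sorted(...))` statement no longer covers what the statement does: it now also fixes the order, and that order is lexicographic by `repr`, not the order in which the interfaces were supplied, which the "keep order" subject could be read to mean. Because this setter stores a device deny list, a canonical stored form helps when the policy is audited or compared, so I would state that intent in the comment, e.g. `# remove duplicates and sort by repr so the stored value is canonical (set iteration order is arbitrary)`. Deduplication is done on `DeviceInterface` objects while sorting is done on their `repr` strings; if equality on that class is not defined through `repr` (not visible in this hunk), `sorted(set(map(repr, DeviceInterface.from_str_bulk(value))))` would make both steps use the same key. `_setter_denied_list` starts and ends outside the hunk.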