core: check selinux access on each unit when listing
authorLuca Boccassi <luca.boccassi@gmail.com>
Mon, 13 Apr 2026 21:11:27 +0000 (22:11 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Mon, 13 Apr 2026 21:11:50 +0000 (22:11 +0100)
Units might have different access rules, so check the access on each
unit when querying the full list.

src/core/dbus-manager.c

index 78cab48f852fc35a5772631531f799a5c166f00f..5a7f70d78bf6f7a742af4d0ab063c83f6a096ccf 100644 (file)
@@ -1265,10 +1265,6 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
 
         /* Anyone can call this method */
 
-        r = mac_selinux_access_check(message, "status", reterr_error);
-        if (r < 0)
-                return r;
-
         r = sd_bus_message_new_method_return(message, &reply);
         if (r < 0)
                 return r;
@@ -1281,6 +1277,10 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
                 if (k != u->id)
                         continue;
 
+                r = mac_selinux_unit_access_check(u, message, "status", /* reterr_error= */ NULL);
+                if (r < 0)
+                        continue; /* silently skip units the caller is not allowed to see */
+
                 if (!unit_passes_filter(u, states, patterns))
                         continue;
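Review bot: The added `mac_selinux_unit_access_check(u, message, "status", /* reterr_error= */ NULL)` sits above `unit_passes_filter()`, so it runs for every loaded unit, including units the caller's states/patterns would have excluded anyway. If the helper records denials for auditing (not visible in this hunk), a confined caller could generate one denial record per hidden unit on each list call. Moving the three added lines below the `unit_passes_filter` test should return the same set while limiting the check to units that would actually be returned. Separately, `if (r < 0) continue;` treats every failure as a denial; that is a sound fail-closed default now that the first hunk removes the manager-wide check, but a non-permission error then silently shortens the list, and a `log_debug_errno(r, "Skipping unit %s in listing: %m", u->id);` before the `continue` would make it diagnosable. The loop body continues outside the hunk.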