core: check selinux access on each unit when listing
authorLuca Boccassi <luca.boccassi@gmail.com>
Mon, 13 Apr 2026 21:11:27 +0000 (22:11 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Tue, 14 Apr 2026 16:32:02 +0000 (17:32 +0100)
Units might have different access rules, so check the access on each
unit when querying the full list.

(cherry picked from commit 04f32dddd7221de01c4da70128bd5fb21bc53427)

src/core/dbus-manager.c

index 5e02d189072e2d7d244df4d2d7db399592f49a23..a64405de3b13c40b1df79d29707cedd98f45cbc8 100644 (file)
@@ -1265,10 +1265,6 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
 
         /* Anyone can call this method */
 
-        r = mac_selinux_access_check(message, "status", reterr_error);
-        if (r < 0)
-                return r;
-
         r = sd_bus_message_new_method_return(message, &reply);
         if (r < 0)
                 return r;
@@ -1281,6 +1277,10 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
                 if (k != u->id)
                         continue;
 
+                r = mac_selinux_unit_access_check(u, message, "status", /* reterr_error= */ NULL);
+                if (r < 0)
+                        continue; /* silently skip units the caller is not allowed to see */
+
                 if (!unit_passes_filter(u, states, patterns))
                         continue;
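Review bot: The added `if (r < 0) continue;` in the unit loop treats every negative return from mac_selinux_unit_access_check() as a policy denial, so a failure that is not a denial (for example an allocation or context-lookup error; the helper's body is not in this hunk, so this is inferred) would also shrink the list without leaving a trace. Skipping is the right fail-closed default, but the non-denial case deserves a debug line before the `continue`, e.g. `if (!IN_SET(r, -EACCES, -EPERM)) log_unit_debug_errno(u, r, "SELinux access check failed, omitting unit from list: %m");`. With the manager-level check removed in the first hunk, it is also worth confirming that a denied per-unit check does not emit one audit record per hidden unit on every list call, since that would make real denials harder to spot in the audit log. The loop and the rest of list_units_filtered lie outside the hunk.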