core: add missing SELinux access checks when listing units

Add mac_selinux_unit_access_check_varlink() to the unit enumeration
loop in vl_method_list_units(), silently skipping units the caller
is not permitted to see, matching the D-Bus ListUnits behavior.
Add mac_selinux_access_check_varlink() to vl_method_describe_manager().

Follow-up for 472abf7bec89caeb1cc413c1de17984ab8ccb5d6
Follow-up for 736349958efe34089131ca88950e2e5bb391d36a

(cherry picked from commit 26fd286210964a76c5e1a52a416626f7dde53936)

diff --git a/src/core/varlink-manager.c b/src/core/varlink-manager.c
index d00f7e5a248a7de17fa22924b0cb5447acf445ea..91d9fad1a9e5ef8c4ed67eb52857f5928eb7dd4c 100644 (file)
--- a/src/core/varlink-manager.c
+++ b/src/core/varlink-manager.c
@@ -201,6 +201,10 @@ int vl_method_describe_manager(sd_varlink *link, sd_json_variant *parameters, sd
         if (r != 0)
                 return r;
 
+        r = mac_selinux_access_check_varlink(link, "status");
+        if (r < 0)
+                return r;
+
         r = sd_json_buildo(
                         &v,
                         SD_JSON_BUILD_PAIR_CALLBACK("context", manager_context_build_json, manager),

diff --git a/src/core/varlink-unit.c b/src/core/varlink-unit.c
index daaf5cb5b5aeac1c2ed8264f999e974f8f80f2af..18e4778bf823b80e412bb0814b13ba6819974a39 100644 (file)
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@@ -523,6 +523,10 @@ int vl_method_list_units(sd_varlink *link, sd_json_variant *parameters, sd_varli
                 if (k != unit->id)
                         continue;
 
+                r = mac_selinux_unit_access_check_varlink(unit, link, "status");
+                if (r < 0)
+                        continue; /* silently skip units the caller is not allowed to see */
+
                 r = list_unit_one(link, unit);
                 if (r < 0)
                         return r;