From: Luca Boccassi Date: Mon, 13 Apr 2026 21:11:27 +0000 (+0100) Subject: core: check selinux access on each unit when listing X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04f32dddd7221de01c4da70128bd5fb21bc53427;p=thirdparty%2Fsystemd.git core: check selinux access on each unit when listing Units might have different access rules, so check the access on each unit when querying the full list.
---
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 78cab48f852..5a7f70d78bf 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1265,10 +1265,6 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
 /* Anyone can call this method */
- r = mac_selinux_access_check(message, "status", reterr_error);
- if (r < 0)
- return r;
-
 r = sd_bus_message_new_method_return(message, &reply);
 if (r < 0)
 return r;
@@ -1281,6 +1277,10 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
 if (k != u->id)
 continue;
+ r = mac_selinux_unit_access_check(u, message, "status", /* reterr_error= */ NULL);
+ if (r < 0)
+ continue; /* silently skip units the caller is not allowed to see */
+
 if (!unit_passes_filter(u, states, patterns))
 continue;
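Review bot: In the second hunk, `if (r < 0) continue;` treats every negative return from `mac_selinux_unit_access_check()` as "the caller may not see this unit", so a non-policy failure would silently shorten the list and leave an operator nothing to trace; the helper's body is not visible here, but allocation or credential-lookup errors seem possible. Failing closed is the right default, so I would keep the skip but make it observable, e.g. `log_debug_errno(r, "Skipping unit %s in listing, access check failed: %m", u->id);` before the `continue`, or skip only on the denial code and return other errors. The check also runs before `unit_passes_filter()`, so a filtered query still performs an SELinux check (and presumably an audit record on each denial) for every loaded unit; putting the filter first would limit that to units that could actually be returned. The `/* Anyone can call this method */` comment kept as context in the first hunk could now say that the result is filtered per unit. `list_units_filtered()` starts and ends outside both hunks.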