From: Luca Boccassi
Date: Mon, 13 Apr 2026 21:11:27 +0000 (+0100)
Subject: core: check selinux access on each unit when listing
X-Git-Tag: v260.2~253
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0952b4e793bfddd9a769514a434e14c3aaf682fa;p=thirdparty%2Fsystemd.git

core: check selinux access on each unit when listing

Units might have different access rules, so check the access on each unit when querying the full list.

(cherry picked from commit 04f32dddd7221de01c4da70128bd5fb21bc53427)
---

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 5e02d189072..a64405de3b1 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1265,10 +1265,6 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
 
 /* Anyone can call this method */
 
- r = mac_selinux_access_check(message, "status", reterr_error);
- if (r < 0)
- return r;
-
 r = sd_bus_message_new_method_return(message, &reply);
 if (r < 0)
 return r;
@@ -1281,6 +1277,10 @@ static int list_units_filtered(sd_bus_message *message, void *userdata, sd_bus_e
 if (k != u->id)
 continue;
 
+ r = mac_selinux_unit_access_check(u, message, "status", /* reterr_error= */ NULL);
+ if (r < 0)
+ continue; /* silently skip units the caller is not allowed to see */
+
 if (!unit_passes_filter(u, states, patterns))
 continue;
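Review bot: The added `if (r < 0) continue;` in the second hunk treats every negative return from mac_selinux_unit_access_check() as a policy denial, and with `reterr_error` passed as NULL nothing records why a unit was dropped. If the check can also fail for reasons other than a denial (allocation failure, or failure to read the caller's context; not visible in this hunk), the method would return a successful but truncated list with no trace. Failing closed is the right default, so I would keep the skip but log it, e.g. `log_unit_debug_errno(u, r, "Not listing unit, SELinux access check failed: %m");` before the `continue`. Running the cheaper `unit_passes_filter(u, states, patterns)` test first would also avoid a policy query, and possibly an audit record, for units the caller's filter excludes anyway. The loop header and the rest of list_units_filtered() lie outside the hunk.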