From: Luca Boccassi Date: Tue, 24 Feb 2026 15:38:47 +0000 (+0000) Subject: core: check selinux/polkit access on varlink SetProperty X-Git-Tag: v260-rc1~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=882cf2d94359cff975265814d65aeb08427be0d1;p=thirdparty%2Fsystemd.git core: check selinux/polkit access on varlink SetProperty Reported on yeswehack.com as: YWH-PGM9780-92 Follow-up for 0e1c4de235908dfe507fbbddb06ad49b53ccb86b
---
diff --git a/src/core/varlink-unit.c b/src/core/varlink-unit.c
index b3375aebfe8..c554a11f5e4 100644
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@@ -3,6 +3,7 @@
 #include "sd-json.h"
 #include "bitfield.h"
+#include "bus-polkit.h"
 #include "cgroup.h"
 #include "condition.h"
 #include "dbus-job.h"
@@ -667,6 +668,19 @@ int vl_method_set_unit_properties(sd_varlink *link, sd_json_variant *parameters,
 if (r < 0)
 return r;
+ r = mac_selinux_unit_access_check_varlink(unit, link, "start");
+ if (r < 0)
+ return sd_varlink_error(link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL);
+
+ r = varlink_verify_polkit_async(
+ link,
+ manager->system_bus,
+ "org.freedesktop.systemd1.manage-units",
+ /* details= */ NULL,
+ &manager->polkit_registry);
+ if (r <= 0)
+ return r;
+
 if (p.markers_found)
 unit->markers = unit_normalize_markers((unit->markers & ~p.markers_mask), p.markers);
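Review bot: The polkit query added in vl_method_set_unit_properties passes `/* details= */ NULL`, so the authorization request for `org.freedesktop.systemd1.manage-units` carries neither the unit name nor the operation, and a polkit rule scoped by unit or verb has nothing to match on for this Varlink call. If the D-Bus SetProperties path supplies those details (not visible in this hunk), the same rule would be evaluated differently on the two transports; consider passing them here, for example `(const char**) STRV_MAKE("unit", unit->id, "verb", "set-property"),` with the verb string matching whatever the D-Bus path uses. Separately, the SELinux branch maps every negative return to `SD_VARLINK_ERROR_PERMISSION_DENIED`, which would also hide a non-policy failure such as an allocation error if the helper can return one; returning `r` for anything other than a denial, or logging it, would keep that diagnosable. The function body starts and ends outside the hunk.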