From: Luca Boccassi Date: Mon, 13 Apr 2026 19:21:25 +0000 (+0100) Subject: core: add missing SELinux access checks when listing units X-Git-Tag: v260.2~254 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de05ec8318d39e9cc3090632792ec37aeb946460;p=thirdparty%2Fsystemd.git core: add missing SELinux access checks when listing units Add mac_selinux_unit_access_check_varlink() to the unit enumeration loop in vl_method_list_units(), silently skipping units the caller is not permitted to see, matching the D-Bus ListUnits behavior. Add mac_selinux_access_check_varlink() to vl_method_describe_manager(). Follow-up for 472abf7bec89caeb1cc413c1de17984ab8ccb5d6 Follow-up for 736349958efe34089131ca88950e2e5bb391d36a (cherry picked from commit 26fd286210964a76c5e1a52a416626f7dde53936)
---
diff --git a/src/core/varlink-manager.c b/src/core/varlink-manager.c
index d00f7e5a248..91d9fad1a9e 100644
--- a/src/core/varlink-manager.c
+++ b/src/core/varlink-manager.c
@@ -201,6 +201,10 @@ int vl_method_describe_manager(sd_varlink *link, sd_json_variant *parameters, sd
 if (r != 0)
 return r;
+ r = mac_selinux_access_check_varlink(link, "status");
+ if (r < 0)
+ return r;
+
 r = sd_json_buildo(
 &v,
 SD_JSON_BUILD_PAIR_CALLBACK("context", manager_context_build_json, manager),
diff --git a/src/core/varlink-unit.c b/src/core/varlink-unit.c
index daaf5cb5b5a..18e4778bf82 100644
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@@ -523,6 +523,10 @@ int vl_method_list_units(sd_varlink *link, sd_json_variant *parameters, sd_varli
 if (k != unit->id)
 continue;
+ r = mac_selinux_unit_access_check_varlink(unit, link, "status");
+ if (r < 0)
+ continue; /* silently skip units the caller is not allowed to see */
+
 r = list_unit_one(link, unit);
 if (r < 0)
 return r;
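Review bot: The new `mac_selinux_access_check_varlink(link, "status")` gate in vl_method_describe_manager carries no comment explaining the choice of permission, and nothing in the commit, as far as this page shows, exercises the denied path. I would add `/* Gate on the same SELinux "status" permission as unit listing, so both read-only queries stay in sync */` above the call. A regression test in which a caller lacking that permission receives an error rather than the manager description would keep the check from being dropped again. The function starts and ends outside the hunk, so whether the earlier `r != 0` return comes from an authorization step cannot be told from here.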
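Review bot: In vl_method_list_units the added `if (r < 0) continue;` treats every failure of `mac_selinux_unit_access_check_varlink()` as a denial, so a failure that is not a policy decision (for example an allocation error inside the helper) would also produce a silently shortened list. Skipping is fail-closed, which is the safe direction, but neither the caller nor an operator can tell "hidden by policy" from "check broke". If the helper returns a distinguishable code on denial (not visible here), skip only on that and return the rest; otherwise at least log before skipping, e.g. `log_unit_debug_errno(unit, r, "SELinux check failed, omitting unit from listing: %m");`. It is also worth confirming that the helper does not itself send an error reply on `link` when it denies, because the loop keeps replying afterwards. The enumeration loop begins and ends outside the hunk.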