core/dbus-manager: check for runtime scope first for system-wide operations

It's pointless to do selinux or /run/ space checks
for user managers.

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 5304edbc74ed55b6b32d410aa29334c38ca3dd84..ddc721f5d19774643f8d9d68ca64832c0222981d 100644 (file)
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1688,14 +1688,14 @@ static int method_reboot(sd_bus_message *message, void *userdata, sd_bus_error *
 
         assert(message);
 
-        r = mac_selinux_access_check(message, "reboot", error);
-        if (r < 0)
-                return r;
-
         if (!MANAGER_IS_SYSTEM(m))
                 return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
                                         "Reboot is only supported by system manager.");
 
+        r = mac_selinux_access_check(message, "reboot", error);
+        if (r < 0)
+                return r;
+
         m->objective = MANAGER_REBOOT;
 
         return sd_bus_reply_method_return(message, NULL);
@@ -1746,14 +1746,14 @@ static int method_poweroff(sd_bus_message *message, void *userdata, sd_bus_error
 
         assert(message);
 
-        r = mac_selinux_access_check(message, "halt", error);
-        if (r < 0)
-                return r;
-
         if (!MANAGER_IS_SYSTEM(m))
                 return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
                                         "Powering off is only supported by system manager.");
 
+        r = mac_selinux_access_check(message, "halt", error);
+        if (r < 0)
+                return r;
+
         m->objective = MANAGER_POWEROFF;
 
         return sd_bus_reply_method_return(message, NULL);
@@ -1765,14 +1765,14 @@ static int method_halt(sd_bus_message *message, void *userdata, sd_bus_error *er
 
         assert(message);
 
-        r = mac_selinux_access_check(message, "halt", error);
-        if (r < 0)
-                return r;
-
         if (!MANAGER_IS_SYSTEM(m))
                 return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
                                         "Halt is only supported by system manager.");
 
+        r = mac_selinux_access_check(message, "halt", error);
+        if (r < 0)
+                return r;
+
         m->objective = MANAGER_HALT;
 
         return sd_bus_reply_method_return(message, NULL);
@@ -1784,14 +1784,14 @@ static int method_kexec(sd_bus_message *message, void *userdata, sd_bus_error *e
 
         assert(message);
 
-        r = mac_selinux_access_check(message, "reboot", error);
-        if (r < 0)
-                return r;
-
         if (!MANAGER_IS_SYSTEM(m))
                 return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
                                         "KExec is only supported by system manager.");
 
+        r = mac_selinux_access_check(message, "reboot", error);
+        if (r < 0)
+                return r;
+
         m->objective = MANAGER_KEXEC;
 
         return sd_bus_reply_method_return(message, NULL);
@@ -1805,6 +1805,10 @@ static int method_switch_root(sd_bus_message *message, void *userdata, sd_bus_er
 
         assert(message);
 
+        if (!MANAGER_IS_SYSTEM(m))
+                return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
+                                        "Root switching is only supported by system manager.");
+
         r = verify_run_space_permissive("root switching may fail", error);
         if (r < 0)
                 return r;
@@ -1813,10 +1817,6 @@ static int method_switch_root(sd_bus_message *message, void *userdata, sd_bus_er
         if (r < 0)
                 return r;
 
-        if (!MANAGER_IS_SYSTEM(m))
-                return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
-                                        "Root switching is only supported by system manager.");
-
         r = sd_bus_message_read(message, "ss", &root, &init);
         if (r < 0)
                 return r;