core: check selinux/polkit access on varlink SetProperty

Reported on yeswehack.com as:
YWH-PGM9780-92

Follow-up for 0e1c4de235908dfe507fbbddb06ad49b53ccb86b

diff --git a/src/core/varlink-unit.c b/src/core/varlink-unit.c
index b3375aebfe88f9670e1ccaa3e28dc4b6d94a21c9..c554a11f5e463e096824bc7261fee109f17496cc 100644 (file)
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@@ -3,6 +3,7 @@
 #include "sd-json.h"
 
 #include "bitfield.h"
+#include "bus-polkit.h"
 #include "cgroup.h"
 #include "condition.h"
 #include "dbus-job.h"
@@ -667,6 +668,19 @@ int vl_method_set_unit_properties(sd_varlink *link, sd_json_variant *parameters,
         if (r < 0)
                 return r;
 
+        r = mac_selinux_unit_access_check_varlink(unit, link, "start");
+        if (r < 0)
+                return sd_varlink_error(link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL);
+
+        r = varlink_verify_polkit_async(
+                        link,
+                        manager->system_bus,
+                        "org.freedesktop.systemd1.manage-units",
+                        /* details= */ NULL,
+                        &manager->polkit_registry);
+        if (r <= 0)
+                return r;
+
         if (p.markers_found)
                 unit->markers = unit_normalize_markers((unit->markers & ~p.markers_mask), p.markers);