From 959a8e49f4e2f5676a360f8b41f096c77ba029ce Mon Sep 17 00:00:00 2001
From: Ivan Kruglov
Date: Wed, 16 Jul 2025 07:06:55 -0700
Subject: [PATCH] core: enable SELinux checks in io.systemd.Unit.List

---
 src/core/varlink-unit.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/core/varlink-unit.c b/src/core/varlink-unit.c
index f71c3d7e33e..b193753c01d 100644
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@@ -12,6 +12,7 @@
 #include "manager.h"
 #include "path-util.h"
 #include "pidref.h"
+#include "selinux-access.h"
 #include "set.h"
 #include "strv.h"
 #include "unit.h"
@@ -330,6 +331,21 @@ static int list_unit_one(sd_varlink *link, Unit *unit, bool more) {
 return sd_varlink_reply(link, v);
 }
 
+static int list_unit_one_with_selinux_access_check(sd_varlink *link, Unit *unit, bool more) {
+ int r;
+
+ assert(link);
+ assert(unit);
+
+ r = mac_selinux_unit_access_check_varlink(unit, link, "status");
+ if (r < 0)
+ /* If mac_selinux_unit_access_check_varlink() returned a error,
+ * it means that SELinux enforce is on. It also does all the logging(). */
+ return sd_varlink_error(link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL);
+
+ return list_unit_one(link, unit, more);
+}
+
 static int lookup_unit_by_pidref(sd_varlink *link, Manager *manager, PidRef *pidref, Unit **ret_unit) {
 _cleanup_(pidref_done) PidRef peer = PIDREF_NULL;
 Unit *unit;
@@ -472,7 +488,7 @@ int vl_method_list_units(sd_varlink *link, sd_json_variant *parameters, sd_varli
 if (r < 0)
 return r;
 if (unit)
- return list_unit_one(link, unit, /* more = */ false);
+ return list_unit_one_with_selinux_access_check(link, unit, /* more = */ false);
 
 if (!FLAGS_SET(flags, SD_VARLINK_METHOD_MORE))
 return sd_varlink_error(link, SD_VARLINK_ERROR_EXPECTED_MORE, NULL);
-- 
2.47.3
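Review bot: The comment on the denial path in list_unit_one_with_selinux_access_check() over-claims: it states that any negative return from mac_selinux_unit_access_check_varlink() means "SELinux enforce is on", but the code maps every failure, presumably including errors unrelated to policy such as being unable to resolve the peer's credentials or context, to PermissionDenied. Failing closed is the right default for an access check, so the behaviour is sound; the comment should say that rather than assert a cause, e.g. `/* Any failure of the access check, policy denial or otherwise, is treated as a denial so we fail closed. The helper does its own logging. */`. If the helper's contract is that only -EPERM denotes a policy denial, the alternative is to distinguish it: `if (r == -EPERM) return sd_varlink_error(link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL); if (r < 0) return r;`. Either way, "a error" should read "an error" and "logging()" is not a function.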
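Review bot: The new "status" check is wired only into the single-unit branch (`if (unit)`) of vl_method_list_units(); the enumerating path reached after the SD_VARLINK_METHOD_MORE test lies outside the hunk, and the diffstat (17 insertions, 1 deletion, all accounted for by the three hunks) shows this patch does not touch it. If that path still calls list_unit_one() directly, a client denied "status" on a specific unit can obtain the same record by enumerating all units instead, which defeats the check the commit title promises for io.systemd.Unit.List. Either route enumeration through the per-unit check as well, skipping denied units rather than failing the whole call (`if (mac_selinux_unit_access_check_varlink(u, link, "status") < 0) continue;`), or add a comment documenting why enumeration is intentionally unrestricted. vl_method_list_units() begins before and continues after this hunk.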