core: add missing SELinux access checks when listing units

Add mac_selinux_unit_access_check_varlink() to the unit enumeration
loop in vl_method_list_units(), silently skipping units the caller
is not permitted to see, matching the D-Bus ListUnits behavior.
Add mac_selinux_access_check_varlink() to vl_method_describe_manager().

Follow-up for 472abf7bec89caeb1cc413c1de17984ab8ccb5d6
Follow-up for 736349958efe34089131ca88950e2e5bb391d36a

diff --git a/src/core/varlink-manager.c b/src/core/varlink-manager.c
index 997bdc08d01220ac00a75b01212451ed1aae21ea..6ae837376a9700383a353034a61bcf99b75858d3 100644 (file)
--- a/src/core/varlink-manager.c
+++ b/src/core/varlink-manager.c
@@ -207,6 +207,10 @@ int vl_method_describe_manager(sd_varlink *link, sd_json_variant *parameters, sd
         if (r != 0)
                 return r;
 
+        r = mac_selinux_access_check_varlink(link, "status");
+        if (r < 0)
+                return r;
+
         r = sd_json_buildo(
                         &v,
                         SD_JSON_BUILD_PAIR_CALLBACK("context", manager_context_build_json, manager),

diff --git a/src/core/varlink-unit.c b/src/core/varlink-unit.c
index 2404c553d7fc9c9993b61523b4533c0c26123864..e8b86845a20e5d880b846f275f1411adb8fb5569 100644 (file)
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@@ -523,6 +523,10 @@ int vl_method_list_units(sd_varlink *link, sd_json_variant *parameters, sd_varli
                 if (k != unit->id)
                         continue;
 
+                r = mac_selinux_unit_access_check_varlink(unit, link, "status");
+                if (r < 0)
+                        continue; /* silently skip units the caller is not allowed to see */
+
                 r = list_unit_one(link, unit);
                 if (r < 0)
                         return r;