From 95d7f560b8805ef507b53103de3702bcc0dd3cd8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 16 Sep 2024 22:13:41 +0200
Subject: [PATCH] jsauthority: do not query NoNewPrivileges for non-service
 units

It is only defined for service type units, and an error is returned
otherwise, so check before querying.

Follow-up for a23d9ce375dcbc64aade92f3e082182b993c1169
---
 src/polkitbackend/polkitbackendcommon.c | 53 ++++++++++++++-----------
 1 file changed, 29 insertions(+), 24 deletions(-)

diff --git a/src/polkitbackend/polkitbackendcommon.c b/src/polkitbackend/polkitbackendcommon.c
index 349242f6..47ef0b7b 100644
--- a/src/polkitbackend/polkitbackendcommon.c
+++ b/src/polkitbackend/polkitbackendcommon.c
@@ -609,31 +609,38 @@ polkit_backend_common_pidfd_to_systemd_unit (gint      pidfd,
 
   /* Check for NoNewPrivileges property being set on the unit via D-Bus, and
    * return if it is not. This protects against PID changes, as if unset the
-   * unit could use a setuid binary. */
-  no_new_privs_result = g_dbus_connection_call_sync (connection,
-        "org.freedesktop.systemd1",         /* name */
-        unit_path,                          /* object path */
-        "org.freedesktop.DBus.Properties",  /* interface name */
-        "Get",                              /* method */
-        g_variant_new ("(ss)", "org.freedesktop.systemd1.Service", "NoNewPrivileges"),
-        G_VARIANT_TYPE ("(v)"),
-        G_DBUS_CALL_FLAGS_NONE,
-        -1,
-        NULL,
-        &error);
-
-  if (no_new_privs_result == NULL)
+   * unit could use a setuid binary. It is only valid for service units. */
+  if (g_str_has_suffix (unit, ".service"))
     {
-      g_warning ("Error calling Get on NoNewPrivileges property for unit %s: %s", unit, error->message);
-      goto out;
-    }
+      no_new_privs_result = g_dbus_connection_call_sync (connection,
+            "org.freedesktop.systemd1",         /* name */
+            unit_path,                          /* object path */
+            "org.freedesktop.DBus.Properties",  /* interface name */
+            "Get",                              /* method */
+            g_variant_new ("(ss)", "org.freedesktop.systemd1.Service", "NoNewPrivileges"),
+            G_VARIANT_TYPE ("(v)"),
+            G_DBUS_CALL_FLAGS_NONE,
+            -1,
+            NULL,
+            &error);
+
+      if (no_new_privs_result == NULL)
+        {
+          g_warning ("Error calling Get on NoNewPrivileges property for unit %s: %s", unit, error->message);
+          goto out;
+        }
 
-  g_variant_get (no_new_privs_result, "(v)", &no_new_privis_value);
-  if (no_new_privis_value == NULL)
-    {
-      g_warning ("Error getting value for NoNewPrivileges property for unit %s", unit);
-      goto out;
+      g_variant_get (no_new_privs_result, "(v)", &no_new_privis_value);
+      if (no_new_privis_value == NULL)
+        {
+          g_warning ("Error getting value for NoNewPrivileges property for unit %s", unit);
+          goto out;
+        }
+
+     *ret_no_new_privs = g_variant_get_boolean (no_new_privis_value);
     }
+  else
+    *ret_no_new_privs = FALSE;
 
   *ret_unit = strdup (unit);
   if (!*ret_unit)
@@ -642,8 +649,6 @@ polkit_backend_common_pidfd_to_systemd_unit (gint      pidfd,
       goto out;
     }
 
-  *ret_no_new_privs = g_variant_get_boolean (no_new_privis_value);
-
  out:
   if (tmp_context)
     {