+static int rename_service(sd_bus *a, sd_bus *b) {
+ _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
+ _cleanup_free_ char *p = NULL, *name = NULL;
+ const char *comm;
+ char **cmdline;
+ uid_t uid;
+ pid_t pid;
+ int r;
+
+ assert(a);
+ assert(b);
+
+ r = sd_bus_get_owner_creds(b, SD_BUS_CREDS_UID|SD_BUS_CREDS_PID|SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_COMM|SD_BUS_CREDS_AUGMENT, &creds);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_creds_get_uid(creds, &uid);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_creds_get_pid(creds, &pid);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_creds_get_cmdline(creds, &cmdline);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_creds_get_comm(creds, &comm);
+ if (r < 0)
+ return r;
+
+ name = uid_to_name(uid);
+ if (!name)
+ return -ENOMEM;
+
+ p = strv_join(cmdline, " ");
+ if (!p)
+ return -ENOMEM;
+
+ /* The status string gets the full command line ... */
+ sd_notifyf(false,
+ "STATUS=Processing requests from client PID "PID_FMT" (%s); UID "UID_FMT" (%s)",
+ pid, p,
+ uid, name);
+
+ /* ... and the argv line only the short comm */
+ if (arg_command_line_buffer) {
+ size_t m, w;
+
+ m = strlen(arg_command_line_buffer);
+ w = snprintf(arg_command_line_buffer, m,
+ "[PID "PID_FMT"/%s; UID "UID_FMT"/%s]",
+ pid, comm,
+ uid, name);
+
+ if (m > w)
+ memzero(arg_command_line_buffer + w, m - w);
+ }
+
+ log_debug("Running on behalf of PID "PID_FMT" (%s), UID "UID_FMT" (%s), %s",
+ pid, p,
+ uid, name,
+ a->unique_name);
+
+ return 0;
+}
+
+static int handle_policy_error(sd_bus_message *m, int r) {
+ if (r == -ESRCH || r == -ENXIO)
+ return synthetic_reply_method_errorf(m, SD_BUS_ERROR_NAME_HAS_NO_OWNER, "Name %s is currently not owned by anyone.", m->destination);
+
+ return r;
+}
+
+static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *policy, const struct ucred *our_ucred, Set *owned_names) {
+ int r;
+
+ assert(from);
+ assert(to);
+ assert(m);
+
+ if (!policy)
+ return 0;
+
+ /*
+ * dbus-1 distinguishes expected and non-expected replies by tracking
+ * method-calls and timeouts. By default, DENY rules are *NEVER* applied
+ * on expected replies, unless explicitly specified. But we dont track
+ * method-calls, thus, we cannot know whether a reply is expected.
+ * Fortunately, the kdbus forbids non-expected replies, so we can safely
+ * ignore any policy on those and let the kernel deal with it.
+ *
+ * TODO: To be correct, we should only ignore policy-tags that are
+ * applied on non-expected replies. However, so far we don't parse those
+ * tags so we let everything pass. I haven't seen a DENY policy tag on
+ * expected-replies, ever, so don't bother..
+ */
+ if (m->reply_cookie > 0)
+ return 0;
+
+ if (from->is_kernel) {
+ uid_t sender_uid = UID_INVALID;
+ gid_t sender_gid = GID_INVALID;
+ char **sender_names = NULL;
+ bool granted = false;
+
+ /* Driver messages are always OK */
+ if (streq_ptr(m->sender, "org.freedesktop.DBus"))
+ return 0;
+
+ /* The message came from the kernel, and is sent to our legacy client. */
+ sd_bus_creds_get_well_known_names(&m->creds, &sender_names);
+
+ (void) sd_bus_creds_get_uid(&m->creds, &sender_uid);
+ (void) sd_bus_creds_get_gid(&m->creds, &sender_gid);
+
+ if (sender_uid == UID_INVALID || sender_gid == GID_INVALID) {
+ _cleanup_bus_creds_unref_ sd_bus_creds *sender_creds = NULL;
+
+ /* If the message came from another legacy
+ * client, then the message creds will be
+ * missing, simply because on legacy clients
+ * per-message creds were unknown. In this
+ * case, query the creds of the peer
+ * instead. */
+
+ r = bus_get_name_creds_kdbus(from, m->sender, SD_BUS_CREDS_UID|SD_BUS_CREDS_GID, true, &sender_creds);
+ if (r < 0)
+ return handle_policy_error(m, r);
+
+ (void) sd_bus_creds_get_uid(sender_creds, &sender_uid);
+ (void) sd_bus_creds_get_gid(sender_creds, &sender_gid);
+ }
+
+ /* First check whether the sender can send the message to our name */
+ if (set_isempty(owned_names)) {
+ if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, NULL, m->path, m->interface, m->member, false))
+ granted = true;
+ } else {
+ Iterator i;
+ char *n;
+
+ SET_FOREACH(n, owned_names, i)
+ if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, n, m->path, m->interface, m->member, false)) {
+ granted = true;
+ break;
+ }
+ }
+
+ if (granted) {
+ /* Then check whether us (the recipient) can receive from the sender's name */
+ if (strv_isempty(sender_names)) {
+ if (policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, m->path, m->interface, m->member, false))
+ return 0;
+ } else {
+ char **n;
+
+ STRV_FOREACH(n, sender_names) {
+ if (policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, *n, m->path, m->interface, m->member, false))
+ return 0;
+ }
+ }
+ }
+
+ /* Return an error back to the caller */
+ if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL)
+ return synthetic_reply_method_errorf(m, SD_BUS_ERROR_ACCESS_DENIED, "Access prohibited by XML receiver policy.");
+
+ /* Return 1, indicating that the message shall not be processed any further */
+ return 1;
+ }
+
+ if (to->is_kernel) {
+ _cleanup_bus_creds_unref_ sd_bus_creds *destination_creds = NULL;
+ uid_t destination_uid = UID_INVALID;
+ gid_t destination_gid = GID_INVALID;
+ const char *destination_unique = NULL;
+ char **destination_names = NULL;
+ bool granted = false;
+
+ /* Driver messages are always OK */
+ if (streq_ptr(m->destination, "org.freedesktop.DBus"))
+ return 0;
+
+ /* The message came from the legacy client, and is sent to kdbus. */
+ if (m->destination) {
+ r = bus_get_name_creds_kdbus(to, m->destination,
+ SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME|
+ SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|SD_BUS_CREDS_PID,
+ true, &destination_creds);
+ if (r < 0)
+ return handle_policy_error(m, r);
+
+ r = sd_bus_creds_get_unique_name(destination_creds, &destination_unique);
+ if (r < 0)
+ return handle_policy_error(m, r);
+
+ sd_bus_creds_get_well_known_names(destination_creds, &destination_names);
+
+ (void) sd_bus_creds_get_uid(destination_creds, &destination_uid);
+ (void) sd_bus_creds_get_gid(destination_creds, &destination_gid);
+ }
+
+ /* First check if we (the sender) can send to this name */
+ if (strv_isempty(destination_names)) {
+ if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, m->path, m->interface, m->member, true))
+ granted = true;
+ } else {
+ char **n;
+
+ STRV_FOREACH(n, destination_names) {
+ if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, *n, m->path, m->interface, m->member, true)) {
+
+ /* If we made a receiver decision,
+ then remember which name's policy
+ we used, and to which unique ID it
+ mapped when we made the
+ decision. Then, let's pass this to
+ the kernel when sending the
+ message, so that it refuses the
+ operation should the name and
+ unique ID not map to each other
+ anymore. */
+
+ r = free_and_strdup(&m->destination_ptr, *n);
+ if (r < 0)
+ return r;
+
+ r = bus_kernel_parse_unique_name(destination_unique, &m->verify_destination_id);
+ if (r < 0)
+ break;
+
+ granted = true;
+ break;
+ }
+ }
+ }
+
+ /* Then check if the recipient can receive from our name */
+ if (granted) {
+ if (sd_bus_message_is_signal(m, NULL, NULL)) {
+ /* If we forward a signal from dbus-1 to kdbus,
+ * we have no idea who the recipient is.
+ * Therefore, we cannot apply any dbus-1
+ * receiver policies that match on receiver
+ * credentials. We know sd-bus always sets
+ * KDBUS_MSG_SIGNAL, so the kernel applies
+ * receiver policies to the message. Therefore,
+ * skip policy checks in this case. */
+ return 0;
+ } else if (set_isempty(owned_names)) {
+ if (policy_check_recv(policy, destination_uid, destination_gid, m->header->type, NULL, m->path, m->interface, m->member, true))
+ return 0;
+ } else {
+ Iterator i;
+ char *n;
+
+ SET_FOREACH(n, owned_names, i)
+ if (policy_check_recv(policy, destination_uid, destination_gid, m->header->type, n, m->path, m->interface, m->member, true))
+ return 0;
+ }
+ }
+
+ /* Return an error back to the caller */
+ if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL)
+ return synthetic_reply_method_errorf(m, SD_BUS_ERROR_ACCESS_DENIED, "Access prohibited by XML sender policy.");
+
+ /* Return 1, indicating that the message shall not be processed any further */
+ return 1;
+ }
+
+ return 0;
+}
+
+static int process_hello(sd_bus *a, sd_bus *b, sd_bus_message *m, bool *got_hello) {
+ _cleanup_bus_message_unref_ sd_bus_message *n = NULL;
+ bool is_hello;
+ int r;
+
+ assert(a);
+ assert(b);
+ assert(m);
+ assert(got_hello);
+
+ /* As reaction to hello we need to respond with two messages:
+ * the callback reply and the NameAcquired for the unique
+ * name, since hello is otherwise obsolete on kdbus. */
+
+ is_hello =
+ sd_bus_message_is_method_call(m, "org.freedesktop.DBus", "Hello") &&
+ streq_ptr(m->destination, "org.freedesktop.DBus");
+
+ if (!is_hello) {
+
+ if (*got_hello)
+ return 0;
+
+ log_error("First packet isn't hello (it's %s.%s), aborting.", m->interface, m->member);
+ return -EIO;
+ }
+
+ if (*got_hello) {
+ log_error("Got duplicate hello, aborting.");
+ return -EIO;
+ }
+
+ *got_hello = true;
+
+ if (!a->is_kernel)
+ return 0;
+
+ r = sd_bus_message_new_method_return(m, &n);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate HELLO reply: %m");
+
+ r = sd_bus_message_append(n, "s", a->unique_name);
+ if (r < 0)
+ return log_error_errno(r, "Failed to append unique name to HELLO reply: %m");
+
+ r = bus_message_append_sender(n, "org.freedesktop.DBus");
+ if (r < 0)
+ return log_error_errno(r, "Failed to append sender to HELLO reply: %m");
+
+ r = bus_seal_synthetic_message(b, n);
+ if (r < 0)
+ return log_error_errno(r, "Failed to seal HELLO reply: %m");
+
+ r = sd_bus_send(b, n, NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to send HELLO reply: %m");
+
+ n = sd_bus_message_unref(n);
+ r = sd_bus_message_new_signal(
+ b,
+ &n,
+ "/org/freedesktop/DBus",
+ "org.freedesktop.DBus",
+ "NameAcquired");
+ if (r < 0)
+ return log_error_errno(r, "Failed to allocate initial NameAcquired message: %m");
+
+ r = sd_bus_message_append(n, "s", a->unique_name);
+ if (r < 0)
+ return log_error_errno(r, "Failed to append unique name to NameAcquired message: %m");
+
+ r = bus_message_append_sender(n, "org.freedesktop.DBus");
+ if (r < 0)
+ return log_error_errno(r, "Failed to append sender to NameAcquired message: %m");
+
+ r = bus_seal_synthetic_message(b, n);
+ if (r < 0)
+ return log_error_errno(r, "Failed to seal NameAcquired message: %m");
+
+ r = sd_bus_send(b, n, NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to send NameAcquired message: %m");
+
+ return 1;
+}
+
+static int patch_sender(sd_bus *a, sd_bus_message *m) {
+ char **well_known = NULL;
+ sd_bus_creds *c;
+ int r;
+
+ assert(a);
+ assert(m);
+
+ if (!a->is_kernel)
+ return 0;
+
+ /* We will change the sender of messages from the bus driver
+ * so that they originate from the bus driver. This is a
+ * speciality originating from dbus1, where the bus driver did
+ * not have a unique id, but only the well-known name. */
+
+ c = sd_bus_message_get_creds(m);
+ if (!c)
+ return 0;
+
+ r = sd_bus_creds_get_well_known_names(c, &well_known);
+ if (r < 0)
+ return r;
+
+ if (strv_contains(well_known, "org.freedesktop.DBus"))
+ m->sender = "org.freedesktop.DBus";
+
+ return 0;
+}
+
+static int bus_new_destination(sd_bus **out, struct ucred *ucred, const char *peersec, bool negotiate_fds) {
+ _cleanup_bus_close_unref_ sd_bus *a = NULL;
+ int r;
+
+ r = sd_bus_new(&a);
+ if (r < 0)
+ return log_error_errno(r, "Failed to allocate bus: %m");
+
+ r = sd_bus_set_description(a, "sd-proxy");
+ if (r < 0)
+ return log_error_errno(r, "Failed to set bus name: %m");
+
+ r = sd_bus_set_address(a, arg_address);
+ if (r < 0)
+ return log_error_errno(r, "Failed to set address to connect to: %m");
+
+ r = sd_bus_negotiate_fds(a, negotiate_fds);
+ if (r < 0)
+ return log_error_errno(r, "Failed to set FD negotiation: %m");
+
+ r = sd_bus_negotiate_creds(a, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_PID|SD_BUS_CREDS_GID|SD_BUS_CREDS_SELINUX_CONTEXT);
+ if (r < 0)
+ return log_error_errno(r, "Failed to set credential negotiation: %m");
+
+ if (ucred->pid > 0) {
+ a->fake_pids.pid = ucred->pid;
+ a->fake_pids_valid = true;
+
+ a->fake_creds.uid = ucred->uid;
+ a->fake_creds.euid = UID_INVALID;
+ a->fake_creds.suid = UID_INVALID;
+ a->fake_creds.fsuid = UID_INVALID;
+ a->fake_creds.gid = ucred->gid;
+ a->fake_creds.egid = GID_INVALID;
+ a->fake_creds.sgid = GID_INVALID;
+ a->fake_creds.fsgid = GID_INVALID;
+ a->fake_creds_valid = true;
+ }
+
+ if (peersec) {
+ a->fake_label = strdup(peersec);
+ if (!a->fake_label)
+ return log_oom();
+ }
+
+ a->manual_peer_interface = true;
+
+ r = sd_bus_start(a);
+ if (r < 0)
+ return log_error_errno(r, "Failed to start bus client: %m");
+
+ *out = a;
+ a = NULL;
+ return 0;
+}
+
+static int bus_new_local(sd_bus **out, sd_bus *dest, int in_fd, int out_fd, bool negotiate_fds) {
+ _cleanup_bus_close_unref_ sd_bus *b = NULL;