nm-sudo: rename to nm-priv-helper

The name "nm-sudo" reminds of the "sudo" tool, and this is a bit confusing because it's not related. Rename the service to "nm-priv-helper", which stands for "NM privileged helper". https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/938
2021-12-13 16:06:16 +01:00
parent 9f3d2a09ea
commit d68ab6b8f0
27 changed files with 275 additions and 254 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -71,8 +71,8 @@ test-*.trs
 /src/nm-dispatcher/org.freedesktop.nm_dispatcher.service
 /src/nm-dispatcher/tests/test-dispatcher-envp
-/src/nm-sudo/nm-sudo
+/src/nm-priv-helper/nm-priv-helper
-/src/nm-sudo/org.freedesktop.nm.sudo.service
+/src/nm-priv-helper/org.freedesktop.nm-priv-helper.service
 /data/NetworkManager.service
 /data/NetworkManager-wait-online.service
@@ -82,6 +82,7 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.policy
 /data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /docs/api/version.xml
 /docs/api/settings-spec.html
@@ -436,6 +437,8 @@ test-*.trs
 /src/ndisc/tests/test-ndisc-linux
 /src/nm-daemon-helper/nm-daemon-helper
 /src/nm-iface-helper
 /src/nm-sudo/nm-sudo
 /src/nm-sudo/org.freedesktop.nm.sudo.service
 /src/platform/tests/dump
 /src/platform/tests/monitor
 /src/platform/tests/platform
--- a/Makefile.am
+++ b/Makefile.am
@@ -506,8 +506,8 @@ src_libnm_base_libnm_base_la_SOURCES = \
 	src/libnm-base/nm-ethtool-utils-base.h \
 	src/libnm-base/nm-net-aux.c \
 	src/libnm-base/nm-net-aux.h \
-	src/libnm-base/nm-sudo-utils.c \
+	src/libnm-base/nm-priv-helper-utils.c \
-	src/libnm-base/nm-sudo-utils.h \
+	src/libnm-base/nm-priv-helper-utils.h \
 	$(NULL)
 src_libnm_base_libnm_base_la_LDFLAGS = \
@@ -2590,8 +2590,8 @@ src_core_libNetworkManager_la_SOURCES = \
 	src/core/nm-rfkill-manager.h \
 	src/core/nm-session-monitor.c \
 	src/core/nm-session-monitor.h \
-	src/core/nm-sudo-call.c \
+	src/core/nm-priv-helper-call.c \
-	src/core/nm-sudo-call.h \
+	src/core/nm-priv-helper-call.h \
 	src/core/nm-keep-alive.c \
 	src/core/nm-keep-alive.h \
 	src/core/nm-sleep-monitor.c \
@@ -4555,16 +4555,16 @@ EXTRA_DIST += \
 	$(NULL)
 ###############################################################################
-# src/nm-sudo
+# src/nm-priv-helper
 ###############################################################################
-libexec_PROGRAMS += src/nm-sudo/nm-sudo
+libexec_PROGRAMS += src/nm-priv-helper/nm-priv-helper
-src_nm_sudo_nm_sudo_SOURCES = \
+src_nm_priv_helper_nm_priv_helper_SOURCES = \
-	src/nm-sudo/nm-sudo.c \
+	src/nm-priv-helper/nm-priv-helper.c \
 	$(NULL)
-src_nm_sudo_nm_sudo_CPPFLAGS = \
+src_nm_priv_helper_nm_priv_helper_CPPFLAGS = \
 	$(dflt_cppflags) \
 	-I$(builddir)/src/libnm-core-public \
 	-I$(srcdir)/src/libnm-core-public \
@@ -4575,12 +4575,12 @@ src_nm_sudo_nm_sudo_CPPFLAGS = \
 	$(GLIB_CFLAGS) \
 	$(NULL)
-src_nm_sudo_nm_sudo_LDFLAGS = \
+src_nm_priv_helper_nm_priv_helper_LDFLAGS = \
 	-Wl,--version-script="$(srcdir)/linker-script-binary.ver" \
 	$(SANITIZER_EXEC_LDFLAGS) \
 	$(NULL)
-src_nm_sudo_nm_sudo_LDADD = \
+src_nm_priv_helper_nm_priv_helper_LDADD = \
 	src/libnm-base/libnm-base.la \
 	src/libnm-glib-aux/libnm-glib-aux.la \
 	src/libnm-std-aux/libnm-std-aux.la \
@@ -4588,20 +4588,20 @@ src_nm_sudo_nm_sudo_LDADD = \
 	$(GLIB_LIBS) \
 	$(NULL)
-src/nm-sudo/org.freedesktop.nm.sudo.service: $(srcdir)/src/nm-sudo/org.freedesktop.nm.sudo.service.in
+src/nm-priv-helper/org.freedesktop.nm-priv-helper.service: $(srcdir)/src/nm-priv-helper/org.freedesktop.nm-priv-helper.service.in
 	@sed \
 	-e 's|@libexecdir[@]|$(libexecdir)|g' \
 	$< >$@
-dbusactivation_DATA += src/nm-sudo/org.freedesktop.nm.sudo.service
+dbusactivation_DATA += src/nm-priv-helper/org.freedesktop.nm-priv-helper.service
-CLEANFILES += src/nm-sudo/org.freedesktop.nm.sudo.service
+CLEANFILES += src/nm-priv-helper/org.freedesktop.nm-priv-helper.service
-dbusservice_DATA += src/nm-sudo/nm-sudo.conf
+dbusservice_DATA += src/nm-priv-helper/nm-priv-helper.conf
 EXTRA_DIST += \
-	src/nm-sudo/nm-sudo.conf \
+	src/nm-priv-helper/nm-priv-helper.conf \
-	src/nm-sudo/org.freedesktop.nm.sudo.service.in \
+	src/nm-priv-helper/org.freedesktop.nm-priv-helper.service.in \
-	src/nm-sudo/meson.build \
+	src/nm-priv-helper/meson.build \
 	$(NULL)
 ###############################################################################
@@ -5294,7 +5294,7 @@ systemdsystemunit_DATA += \
 	data/NetworkManager.service \
 	data/NetworkManager-wait-online.service \
 	data/NetworkManager-dispatcher.service \
-	data/nm-sudo.service \
+	data/nm-priv-helper.service \
 	$(NULL)
 data/NetworkManager.service: $(srcdir)/data/NetworkManager.service.in
@@ -5311,7 +5311,7 @@ endif
 data/NetworkManager-dispatcher.service: $(srcdir)/data/NetworkManager-dispatcher.service.in
 	$(AM_V_GEN) $(data_edit) $< >$@
-data/nm-sudo.service: $(srcdir)/data/nm-sudo.service.in
+data/nm-priv-helper.service: $(srcdir)/data/nm-priv-helper.service.in
 	$(AM_V_GEN) $(data_edit) $< >$@
 endif
@@ -5343,7 +5343,7 @@ EXTRA_DIST += \
 	data/NetworkManager-wait-online-systemd-pre200.service.in \
 	data/NetworkManager-wait-online.service.in \
 	data/NetworkManager.service.in \
-	data/nm-sudo.service.in \
+	data/nm-priv-helper.service.in \
 	data/meson.build \
 	data/nm-shared.xml \
 	data/server.conf.in \
@@ -5353,7 +5353,7 @@ CLEANFILES += \
 	data/NetworkManager-dispatcher.service \
 	data/NetworkManager-wait-online.service \
 	data/NetworkManager.service \
-	data/nm-sudo.service \
+	data/nm-priv-helper.service \
 	data/server.conf \
 	$(NULL)
--- a/4
+++ b/4
@@ -30,8 +30,8 @@ Overview of changes since NetworkManager-1.32
  Adjust the "dns-priority" to your liking after import yourself.
 * NetworkManager no longer listens for netlink events for traffic
  control objects (qdiscs and filters).
-* core: add internal nm-sudo service for separating privileges and have
+* core: add internal nm-priv-helper service for separating privileges
-  a way to drop capabilities from NetworkManager daemon.
+  and have a way to drop capabilities from NetworkManager daemon.
 * bond: add support for setting queue-id of bond port.
 * dns: support configuring DNS over TLS (DoT) with systemd-resolved.
 * nmtui: add support for WireGuard profiles.
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@@ -40,7 +40,7 @@
 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[0-9][0-9]*\\)\\.[0-9][0-9]*$/\\1/p')
-%global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-sudo.service
+%global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
 %global systemd_units_cloud_setup nm-cloud-setup.service nm-cloud-setup.timer
@@ -943,7 +943,7 @@ if [ $1 -eq 0 ]; then
    /usr/sbin/update-alternatives --remove ifup %{_libexecdir}/nm-ifup >/dev/null 2>&1 || :
 fi
-%systemd_preun NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-sudo.service
+%systemd_preun NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
 %if %{with nm_cloud_setup}
@@ -977,7 +977,7 @@ fi
 %files
 %{dbus_sys_dir}/org.freedesktop.NetworkManager.conf
 %{dbus_sys_dir}/nm-dispatcher.conf
-%{dbus_sys_dir}/nm-sudo.conf
+%{dbus_sys_dir}/nm-priv-helper.conf
 %{dbus_sys_dir}/nm-ifcfg-rh.conf
 %{_sbindir}/%{name}
 %{_bindir}/nmcli
@@ -1002,7 +1002,7 @@ fi
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-initrd-generator
 %{_libexecdir}/nm-daemon-helper
-%{_libexecdir}/nm-sudo
+%{_libexecdir}/nm-priv-helper
 %dir %{_libdir}/%{name}
 %dir %{nmplugindir}
 %{nmplugindir}/libnm-settings-plugin*.so
@@ -1026,7 +1026,7 @@ fi
 %dir %{_localstatedir}/lib/NetworkManager
 %dir %{_sysconfdir}/sysconfig/network-scripts
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
-%{_datadir}/dbus-1/system-services/org.freedesktop.nm.sudo.service
+%{_datadir}/dbus-1/system-services/org.freedesktop.nm-priv-helper.service
 %{_datadir}/polkit-1/actions/*.policy
 %{_prefix}/lib/udev/rules.d/*.rules
 %if %{with firewalld_zone}
@@ -1036,7 +1036,7 @@ fi
 %{systemd_dir}/NetworkManager.service
 %{systemd_dir}/NetworkManager-wait-online.service
 %{systemd_dir}/NetworkManager-dispatcher.service
-%{systemd_dir}/nm-sudo.service
+%{systemd_dir}/nm-priv-helper.service
 %dir %{_datadir}/doc/NetworkManager/examples
 %{_datadir}/doc/NetworkManager/examples/server.conf
 %doc NEWS AUTHORS README CONTRIBUTING.md TODO
--- a/data/meson.build
+++ b/data/meson.build
@@ -11,7 +11,7 @@ if install_systemdunitdir
  services = [
    'NetworkManager-dispatcher.service.in',
    'NetworkManager.service.in',
-    'nm-sudo.service.in',
+    'nm-priv-helper.service.in',
  ]
  if have_systemd_200
--- a/data/nm-priv-helper.service.in
+++ b/data/nm-priv-helper.service.in
@@ -0,0 +1,79 @@
 [Unit]
 Description=NetworkManager Privileged Helper
 #
 # nm-priv-helper exists for privilege separation. It allows to run
 # NetworkManager without certain capabilities, and ask nm-priv-helper
 # for special operations where more privileges are required.
 #
 # While nm-priv-helper has privileges that NetworkManager has not, it
 # does not mean that itself should run totally unconstrained. On the
 # contrary, it also should only have permissions it requires.
 #
 # nm-priv-helper rejects all requests that come from any other than the
 # name owner of "org.freedesktop.NetworkManager" (that is,
 # NetworkManager process itself). It is thus only an implementation
 # detail and provides no public API to the user.
 [Service]
 Type=dbus
 BusName=org.freedesktop.nm-priv-helper
 ExecStart=@libexecdir@/nm-priv-helper
 NotifyAccess=main
 # Extra configuration options. Set via `systemctl edit
 # nm-priv-helper.service`:
 #
 # FOR TESTING ONLY: disable authentication to allow requests from
 # everybody. Don't set this outside of testing!
 #Environment=NM_PRIV_HELPER_NO_AUTH_FOR_TESTING=1
 #
 # The logging level for debug messages (to stdout).
 #Environment=NM_PRIV_HELPER_LOG=TRACE
 #
 # nm-priv-helper will exit on idle after timeout. Set timeout here or
 # set to 2147483647 for infinity.
 #Environment=NM_PRIV_HELPER_IDLE_TIMEOUT_MSEC=10000
 # Restrict:
 AmbientCapabilities=
 CapabilityBoundingSet=
 PrivateDevices=true
 PrivateMounts=true
 PrivateNetwork=true
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=strict
 RestrictAddressFamilies=
 RestrictNamespaces=true
 SystemCallFilter=~@clock
 SystemCallFilter=~@cpu-emulation
 SystemCallFilter=~@debug
 SystemCallFilter=~@module
 SystemCallFilter=~@mount
 SystemCallFilter=~@obsolete
 SystemCallFilter=~@privileged
 SystemCallFilter=~@raw-io
 SystemCallFilter=~@reboot
 SystemCallFilter=~@swap
 NoNewPrivileges=true
 SupplementaryGroups=
 # Grant:
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
 PrivateUsers=no
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=@resources
 [Install]
 Alias=dbus-org.freedesktop.nm-priv-helper.service
--- a/data/nm-sudo.service.in
+++ b/data/nm-sudo.service.in
@@ -1,75 +0,0 @@
 [Unit]
 Description=NetworkManager Sudo Helper
 #
 # nm-sudo exists for privilege separation. It allows to run NetworkManager
 # without certain capabilities, and ask nm-sudo for special operations
 # where more privileges are required.
 #
 # While nm-sudo has privileges that NetworkManager has not, it does not
 # mean that itself should run totally unconstrained. On the contrary, it
 # also should only have permissions it requires.
 #
 # nm-sudo rejects all requests that come from any other than the name
 # owner of "org.freedesktop.NetworkManager" (that is, NetworkManager process
 # itself). It is thus only an implementation detail and provides no public
 # API to the user.
 [Service]
 Type=dbus
 BusName=org.freedesktop.nm.sudo
 ExecStart=@libexecdir@/nm-sudo
 NotifyAccess=main
 # Extra configuration options. Set via `systemctl edit nm-sudo.service`:
 #
 # FOR TESTING ONLY: disable authentication to allow requests from
 # everybody. Don't set this outside of testing!
 #Environment=NM_SUDO_NO_AUTH_FOR_TESTING=1
 #
 # The logging level for debug messages (to stdout).
 #Environment=NM_SUDO_LOG=TRACE
 #
 # nm-sudo will exit on idle after timeout. Set timeout here
 # or set to 2147483647 for infinity.
 #Environment=NM_SUDO_IDLE_TIMEOUT_MSEC=10000
 # Restrict:
 AmbientCapabilities=
 CapabilityBoundingSet=
 PrivateDevices=true
 PrivateMounts=true
 PrivateNetwork=true
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=strict
 RestrictAddressFamilies=
 RestrictNamespaces=true
 SystemCallFilter=~@clock
 SystemCallFilter=~@cpu-emulation
 SystemCallFilter=~@debug
 SystemCallFilter=~@module
 SystemCallFilter=~@mount
 SystemCallFilter=~@obsolete
 SystemCallFilter=~@privileged
 SystemCallFilter=~@raw-io
 SystemCallFilter=~@reboot
 SystemCallFilter=~@swap
 NoNewPrivileges=true
 SupplementaryGroups=
 # Grant:
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
 PrivateUsers=no
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=@resources
 [Install]
 Alias=dbus-org.freedesktop.nm.sudo.service
--- a/po/POTFILES.skip
+++ b/po/POTFILES.skip
@@ -2,7 +2,7 @@ contrib/fedora/rpm/
 data/NetworkManager-dispatcher.service.in
 data/NetworkManager-wait-online.service.in
 data/NetworkManager.service.in
-data/nm-sudo.service.in
+data/nm-priv-helper.service.in
 data/org.freedesktop.NetworkManager.policy.in
 examples/python/NetworkManager.py
 examples/python/systray/eggtrayicon.c
--- a/src/README.md
+++ b/src/README.md
@@ -27,7 +27,7 @@ Read the individual README.md files in the subdirectories for details:
 | [nm-initrd-generator/](nm-initrd-generator/)         | generates NetworkManager configuration by parsing kernel command line options for dracut/initrd |
 | [nm-dispatcher/](nm-dispatcher/)                     | NetworkManager-dispatcher service to run user scripts |
 | [nm-online/](nm-online/)                             | application which checks whether NetworkManager is done, for implementing NetworkManager-wait-online.service |
-| [nm-sudo/](nm-sudo/)                                 | internal service for privileged operations |
+| [nm-priv-helper/](nm-priv-helper/)                   | internal service for privileged operations |
 | [nm-daemon-helper/](nm-daemon-helper/)               | internal helper binary spawned by NetworkManager |
 |                                                      | |
 | [libnm-std-aux/](libnm-std-aux/)                     | internal helper library for standard C |
--- a/src/core/devices/ovs/nm-ovsdb.c
+++ b/src/core/devices/ovs/nm-ovsdb.c
@@ -17,7 +17,7 @@
 #include "devices/nm-device.h"
 #include "nm-manager.h"
 #include "nm-setting-ovs-external-ids.h"
-#include "nm-sudo-call.h"
+#include "nm-priv-helper-call.h"
 /*****************************************************************************/
@@ -2384,7 +2384,7 @@ _ovsdb_connect_complete_with_fd(NMOvsdb *self, int fd_take)
 }
 static void
-_ovsdb_connect_sudo_cb(int fd_take, GError *error, gpointer user_data)
+_ovsdb_connect_priv_helper_cb(int fd_take, GError *error, gpointer user_data)
 {
    nm_auto_close int fd = fd_take;
    NMOvsdb          *self;
@@ -2395,12 +2395,12 @@ _ovsdb_connect_sudo_cb(int fd_take, GError *error, gpointer user_data)
    self = user_data;
    if (error) {
-        _LOGT("connect: failure to get FD from nm-sudo: %s", error->message);
+        _LOGT("connect: failure to get FD from nm-priv-helper: %s", error->message);
        ovsdb_disconnect(self, FALSE, FALSE);
        return;
    }
-    _LOGT("connect: connected successfully with FD from nm-sudo");
+    _LOGT("connect: connected successfully with FD from nm-priv-helper");
    _ovsdb_connect_complete_with_fd(self, nm_steal_fd(&fd));
 }
@@ -2418,20 +2418,20 @@ _ovsdb_connect_idle(gpointer user_data, GCancellable *cancellable)
    self = user_data;
    priv = NM_OVSDB_GET_PRIVATE(self);
-    fd = nm_sudo_utils_open_fd(NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET, &error);
+    fd = nm_priv_helper_utils_open_fd(NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET, &error);
    if (fd == -ENOENT) {
        _LOGT("connect: opening %s failed (\"%s\")", NM_OVSDB_SOCKET, error->message);
        ovsdb_disconnect(self, FALSE, FALSE);
        return;
    }
    if (fd < 0) {
-        _LOGT("connect: opening %s failed (\"%s\"). Retry with nm-sudo",
+        _LOGT("connect: opening %s failed (\"%s\"). Retry with nm-priv-helper",
              NM_OVSDB_SOCKET,
              error->message);
-        nm_sudo_call_get_fd(NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET,
+        nm_priv_helper_call_get_fd(NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET,
-                            priv->conn_cancellable,
+                                   priv->conn_cancellable,
-                            _ovsdb_connect_sudo_cb,
+                                   _ovsdb_connect_priv_helper_cb,
-                            self);
+                                   self);
        return;
    }
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -170,7 +170,7 @@ libNetworkManager = static_library(
    'nm-rfkill-manager.c',
    'nm-session-monitor.c',
    'nm-sleep-monitor.c',
-    'nm-sudo-call.c',
+    'nm-priv-helper-call.c',
  ),
  dependencies: nm_deps,
  link_with: [
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -41,10 +41,10 @@
 #include "nm-hostname-manager.h"
 #include "nm-keep-alive.h"
 #include "nm-policy.h"
 #include "nm-priv-helper-call.h"
 #include "nm-rfkill-manager.h"
 #include "nm-session-monitor.h"
 #include "nm-sleep-monitor.h"
 #include "nm-sudo-call.h"
 #include "settings/nm-settings-connection.h"
 #include "settings/nm-settings.h"
 #include "vpn/nm-vpn-manager.h"
@@ -216,8 +216,8 @@ typedef struct {
 #if WITH_OPENVSWITCH
    /* these fields only serve the purpose to use the symbols.*/
-    void (*_use_symbol_nm_sudo_call_get_fd)(void);
+    void (*_use_symbol_nm_priv_helper_call_get_fd)(void);
-    void (*_use_symbol_nm_sudo_utils_open_fd)(void);
+    void (*_use_symbol_nm_priv_helper_utils_open_fd)(void);
 #endif
 } NMManagerClass;
@@ -8532,8 +8532,10 @@ nm_manager_class_init(NMManagerClass *manager_class)
    /* Use the symbols. These symbols are in NetworkManager binary but will be
     * used by the OVS device plugin. If we don't use the symbol here, it will
     * be wrongly dropped. */
-    manager_class->_use_symbol_nm_sudo_call_get_fd   = (void (*)(void)) nm_sudo_call_get_fd;
+    manager_class->_use_symbol_nm_priv_helper_call_get_fd =
-    manager_class->_use_symbol_nm_sudo_utils_open_fd = (void (*)(void)) nm_sudo_utils_open_fd;
+        (void (*)(void)) nm_priv_helper_call_get_fd;
    manager_class->_use_symbol_nm_priv_helper_utils_open_fd =
        (void (*)(void)) nm_priv_helper_utils_open_fd;
 #endif
    dbus_object_class->export_path     = NM_DBUS_EXPORT_PATH_STATIC(NM_DBUS_PATH);
--- a/src/core/nm-priv-helper-call.c
+++ b/src/core/nm-priv-helper-call.c
@@ -2,7 +2,7 @@
 #include "src/core/nm-default-daemon.h"
-#include "nm-sudo-call.h"
+#include "nm-priv-helper-call.h"
 #include <gio/gunixfdlist.h>
@@ -11,14 +11,14 @@
 /*****************************************************************************/
 static void
-_nm_sudo_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
+_nm_priv_helper_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
 {
-    NMSudoCallGetFDCallback      callback;
+    NMPrivHelperCallGetFDCallback callback;
-    gpointer                     callback_data;
+    gpointer                      callback_data;
-    gs_unref_variant GVariant   *ret     = NULL;
+    gs_unref_variant GVariant    *ret     = NULL;
-    gs_free_error GError        *error   = NULL;
+    gs_free_error GError         *error   = NULL;
-    gs_unref_object GUnixFDList *fd_list = NULL;
+    gs_unref_object GUnixFDList  *fd_list = NULL;
-    gs_free int                 *fd_arr  = NULL;
+    gs_free int                  *fd_arr  = NULL;
    nm_utils_user_data_unpack(user_data, &callback, &callback_data);
@@ -35,7 +35,7 @@ _nm_sudo_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
    if (!fd_list || g_unix_fd_list_get_length(fd_list) != 1) {
        nm_utils_error_set(&error,
                           NM_UTILS_ERROR_UNKNOWN,
-                           "Unexpectedly not one FD is returned by nm-sudo GetFD()");
+                           "Unexpectedly not one FD is returned by nm-priv-helper GetFD()");
        callback(-1, error, callback_data);
        return;
    }
@@ -47,46 +47,48 @@ _nm_sudo_call_get_fd_cb(GObject *source, GAsyncResult *res, gpointer user_data)
 }
 static gboolean
-_nm_sudo_call_get_fd_fail_on_idle(gpointer user_data)
+_nm_priv_helper_call_get_fd_fail_on_idle(gpointer user_data)
 {
    gs_unref_object GCancellable *cancellable = NULL;
-    NMSudoCallGetFDCallback       callback;
+    NMPrivHelperCallGetFDCallback callback;
    gpointer                      callback_data;
    gs_free_error GError         *error = NULL;
    nm_utils_user_data_unpack(user_data, &cancellable, &callback, &callback_data);
    if (!g_cancellable_set_error_if_cancelled(cancellable, &error))
-        nm_utils_error_set(&error, NM_UTILS_ERROR_UNKNOWN, "Cannot talk to nm-sudo without D-Bus");
+        nm_utils_error_set(&error,
                           NM_UTILS_ERROR_UNKNOWN,
                           "Cannot talk to nm-priv-helper without D-Bus");
    callback(-1, error, callback_data);
    return G_SOURCE_REMOVE;
 }
 void
-nm_sudo_call_get_fd(NMSudoGetFDType         fd_type,
+nm_priv_helper_call_get_fd(NMPrivHelperGetFDType         fd_type,
-                    GCancellable           *cancellable,
+                           GCancellable                 *cancellable,
-                    NMSudoCallGetFDCallback callback,
+                           NMPrivHelperCallGetFDCallback callback,
-                    gpointer                user_data)
+                           gpointer                      user_data)
 {
    GDBusConnection *dbus_connection;
-    nm_assert(NM_IN_SET(fd_type, NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET));
+    nm_assert(NM_IN_SET(fd_type, NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET));
    nm_assert(!cancellable || G_IS_CANCELLABLE(cancellable));
    nm_assert(callback);
    dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
    if (!dbus_connection) {
-        nm_g_idle_add(_nm_sudo_call_get_fd_fail_on_idle,
+        nm_g_idle_add(_nm_priv_helper_call_get_fd_fail_on_idle,
                      nm_utils_user_data_pack(g_object_ref(cancellable), callback, user_data));
        return;
    }
    g_dbus_connection_call_with_unix_fd_list(dbus_connection,
-                                             NM_SUDO_DBUS_BUS_NAME,
+                                             NM_PRIV_HELPER_DBUS_BUS_NAME,
-                                             NM_SUDO_DBUS_OBJECT_PATH,
+                                             NM_PRIV_HELPER_DBUS_OBJECT_PATH,
-                                             NM_SUDO_DBUS_IFACE_NAME,
+                                             NM_PRIV_HELPER_DBUS_IFACE_NAME,
                                             "GetFD",
                                             g_variant_new("(u)", fd_type),
                                             G_VARIANT_TYPE("()"),
@@ -94,6 +96,6 @@ nm_sudo_call_get_fd(NMSudoGetFDType         fd_type,
                                             10000,
                                             NULL,
                                             cancellable,
-                                             _nm_sudo_call_get_fd_cb,
+                                             _nm_priv_helper_call_get_fd_cb,
                                             nm_utils_user_data_pack(callback, user_data));
 }
--- a/src/core/nm-priv-helper-call.h
+++ b/src/core/nm-priv-helper-call.h
@@ -0,0 +1,15 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #ifndef __NM_PRIV_HELPER_CALL_H__
 #define __NM_PRIV_HELPER_CALL_H__
 #include "../libnm-base/nm-priv-helper-utils.h"
 typedef void (*NMPrivHelperCallGetFDCallback)(int fd_take, GError *error, gpointer user_data);
 void nm_priv_helper_call_get_fd(NMPrivHelperGetFDType         fd_type,
                                GCancellable                 *cancellable,
                                NMPrivHelperCallGetFDCallback callback,
                                gpointer                      user_data);
 #endif /* __NM_PRIV_HELPER_CALL_H__ */
--- a/src/core/nm-sudo-call.h
+++ b/src/core/nm-sudo-call.h
@@ -1,15 +0,0 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #ifndef __NM_SUDO_CALL_H__
 #define __NM_SUDO_CALL_H__
 #include "libnm-base/nm-sudo-utils.h"
 typedef void (*NMSudoCallGetFDCallback)(int fd_take, GError *error, gpointer user_data);
 void nm_sudo_call_get_fd(NMSudoGetFDType         fd_type,
                         GCancellable           *cancellable,
                         NMSudoCallGetFDCallback callback,
                         gpointer                user_data);
 #endif /* __NM_SUDO_CALL_H__ */
--- a/src/libnm-base/meson.build
+++ b/src/libnm-base/meson.build
@@ -5,7 +5,7 @@ libnm_base = static_library(
  sources: files(
    'nm-ethtool-base.c',
    'nm-net-aux.c',
-    'nm-sudo-utils.c',
+    'nm-priv-helper-utils.c',
  ),
  include_directories: [
    src_inc,
--- a/src/libnm-base/nm-priv-helper-utils.c
+++ b/src/libnm-base/nm-priv-helper-utils.c
@@ -2,7 +2,7 @@
 #include "libnm-glib-aux/nm-default-glib-i18n-lib.h"
-#include "nm-sudo-utils.h"
+#include "nm-priv-helper-utils.h"
 #include <sys/socket.h>
 #include <sys/un.h>
@@ -12,14 +12,14 @@
 /*****************************************************************************/
 int
-nm_sudo_utils_open_fd(NMSudoGetFDType fd_type, GError **error)
+nm_priv_helper_utils_open_fd(NMPrivHelperGetFDType fd_type, GError **error)
 {
    nm_auto_close int fd = -1;
    int               r;
    int               errsv;
    switch (fd_type) {
-    case NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET:
+    case NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET:
    {
        struct sockaddr_un sock;
        int                sock_len;
@@ -48,7 +48,7 @@ nm_sudo_utils_open_fd(NMSudoGetFDType fd_type, GError **error)
        return nm_steal_fd(&fd);
    }
-    case NM_SUDO_GET_FD_TYPE_NONE:
+    case NM_PRIV_HELPER_GET_FD_TYPE_NONE:
    default:
        nm_utils_error_set(error, NM_UTILS_ERROR_UNKNOWN, "invalid fd_type");
        return -EINVAL;
--- a/src/libnm-base/nm-priv-helper-utils.h
+++ b/src/libnm-base/nm-priv-helper-utils.h
@@ -0,0 +1,23 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #ifndef __NM_PRIV_HELPER_UTILS_H__
 #define __NM_PRIV_HELPER_UTILS_H__
 /*****************************************************************************/
 #define NM_PRIV_HELPER_DBUS_BUS_NAME    "org.freedesktop.nm-priv-helper"
 #define NM_PRIV_HELPER_DBUS_OBJECT_PATH "/org/freedesktop/nm-priv-helper"
 #define NM_PRIV_HELPER_DBUS_IFACE_NAME  "org.freedesktop.nm-priv-helper"
 /*****************************************************************************/
 #define NM_OVSDB_SOCKET RUNSTATEDIR "/openvswitch/db.sock"
 typedef enum {
    NM_PRIV_HELPER_GET_FD_TYPE_NONE         = 0,
    NM_PRIV_HELPER_GET_FD_TYPE_OVSDB_SOCKET = 1,
 } NMPrivHelperGetFDType;
 int nm_priv_helper_utils_open_fd(NMPrivHelperGetFDType fd_type, GError **error);
 #endif /* __NM_PRIV_HELPER_UTILS_H__ */
--- a/src/libnm-base/nm-sudo-utils.h
+++ b/src/libnm-base/nm-sudo-utils.h
@@ -1,23 +0,0 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #ifndef __NM_SUDO_UTILS_H__
 #define __NM_SUDO_UTILS_H__
 /*****************************************************************************/
 #define NM_SUDO_DBUS_BUS_NAME    "org.freedesktop.nm.sudo"
 #define NM_SUDO_DBUS_OBJECT_PATH "/org/freedesktop/nm/sudo"
 #define NM_SUDO_DBUS_IFACE_NAME  "org.freedesktop.nm.sudo"
 /*****************************************************************************/
 #define NM_OVSDB_SOCKET RUNSTATEDIR "/openvswitch/db.sock"
 typedef enum {
    NM_SUDO_GET_FD_TYPE_NONE         = 0,
    NM_SUDO_GET_FD_TYPE_OVSDB_SOCKET = 1,
 } NMSudoGetFDType;
 int nm_sudo_utils_open_fd(NMSudoGetFDType fd_type, GError **error);
 #endif /* __NM_SUDO_UTILS_H__ */
--- a/src/meson.build
+++ b/src/meson.build
@@ -93,7 +93,7 @@ if enable_nmtui
 endif
 subdir('nmcli')
 subdir('nm-dispatcher')
-subdir('nm-sudo')
+subdir('nm-priv-helper')
 subdir('nm-daemon-helper')
 subdir('nm-online')
 if enable_nmtui
--- a/src/nm-priv-helper/README.md
+++ b/src/nm-priv-helper/README.md
@@ -0,0 +1,24 @@
 nm-priv-helper
 ==============
 This is a D-Bus activatable, exit-on-idle service, which
 provides an internal API to NetworkManager daemon.
 This has no purpose for the user, it is an implementation detail
 of the daemon.
 The purpose is that `nm-priv-helper` can execute certain
 privileged operations which NetworkManager process is not
 allowed to. We want to sandbox NetworkManager as much as
 possible, and nm-priv-helper provides a controlled way to
 perform some very specific operations.
 As such, nm-priv-helper should still be sandboxed too to only
 being able to execute the operations that are necessary for
 NetworkManager.
 nm-priv-helper will reject all D-Bus requests that are not
 originating from the current name owner of
 "org.freedesktop.NetworkManager".  That is, it is supposed to
 only reply to NetworkManager daemon and as such is not useful to
 the user directly.
--- a/src/nm-priv-helper/meson.build
+++ b/src/nm-priv-helper/meson.build
@@ -1,20 +1,20 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 configure_file(
-  input: 'org.freedesktop.nm.sudo.service.in',
+  input: 'org.freedesktop.nm-priv-helper.service.in',
  output: '@BASENAME@',
  install_dir: dbus_system_bus_services_dir,
  configuration: data_conf,
 )
 install_data(
-  'nm-sudo.conf',
+  'nm-priv-helper.conf',
  install_dir: dbus_conf_dir,
 )
 executable(
-  'nm-sudo',
+  'nm-priv-helper',
-  'nm-sudo.c',
+  'nm-priv-helper.c',
  include_directories : [
    src_inc,
    top_inc,
--- a/src/nm-priv-helper/nm-priv-helper.c
+++ b/src/nm-priv-helper/nm-priv-helper.c
@@ -5,15 +5,15 @@
 #include <gio/gunixfdlist.h>
 #include "c-list/src/c-list.h"
-#include "libnm-base/nm-sudo-utils.h"
+#include "libnm-base/nm-priv-helper-utils.h"
 #include "libnm-glib-aux/nm-dbus-aux.h"
 #include "libnm-glib-aux/nm-io-utils.h"
 #include "libnm-glib-aux/nm-logging-base.h"
 #include "libnm-glib-aux/nm-shared-utils.h"
 #include "libnm-glib-aux/nm-time-utils.h"
-/* nm-sudo doesn't link with libnm-core nor libnm-base, but these headers
+/* nm-priv-helper doesn't link with libnm-core nor libnm-base, but these
- * can be used independently. */
+ * headers can be used independently. */
 #include "libnm-core-public/nm-dbus-interface.h"
 /*****************************************************************************/
@@ -57,7 +57,7 @@ struct _GlobalData {
    bool name_owner_initialized;
-    /* This is controlled by $NM_SUDO_NO_AUTH_FOR_TESTING. It disables authentication
+    /* This is controlled by $NM_PRIV_HELPER_NO_AUTH_FOR_TESTING. It disables authentication
     * of the request, so it is ONLY for testing. */
    bool no_auth_for_testing;
@@ -116,10 +116,10 @@ _handle_get_fd(GlobalData *gl, GDBusMethodInvocation *invocation, guint32 fd_typ
    gs_unref_object GUnixFDList *fd_list = NULL;
    gs_free_error GError        *error   = NULL;
-    if (fd_type != (NMSudoGetFDType) fd_type)
+    if (fd_type != (NMPrivHelperGetFDType) fd_type)
-        fd_type = NM_SUDO_GET_FD_TYPE_NONE;
+        fd_type = NM_PRIV_HELPER_GET_FD_TYPE_NONE;
-    fd = nm_sudo_utils_open_fd(fd_type, &error);
+    fd = nm_priv_helper_utils_open_fd(fd_type, &error);
    if (fd < 0) {
        g_dbus_method_invocation_take_error(invocation, g_steal_pointer(&error));
        return;
@@ -275,8 +275,8 @@ _bus_method_call(GDBusConnection       *connection,
    const char *arg_s;
    guint32     arg_u;
-    nm_assert(nm_streq(object_path, NM_SUDO_DBUS_OBJECT_PATH));
+    nm_assert(nm_streq(object_path, NM_PRIV_HELPER_DBUS_OBJECT_PATH));
-    nm_assert(nm_streq(interface_name, NM_SUDO_DBUS_IFACE_NAME));
+    nm_assert(nm_streq(interface_name, NM_PRIV_HELPER_DBUS_IFACE_NAME));
    if (!gl->no_auth_for_testing && !nm_streq0(sender, gl->name_owner)) {
        _LOGT("dbus: request sender=%s, %s%s, ACCESS DENIED",
@@ -312,7 +312,7 @@ _bus_method_call(GDBusConnection       *connection,
          method_name,
          g_variant_get_type_string(parameters));
-    if (!nm_streq(interface_name, NM_SUDO_DBUS_IFACE_NAME))
+    if (!nm_streq(interface_name, NM_PRIV_HELPER_DBUS_IFACE_NAME))
        goto out_unknown_method;
    if (nm_streq(method_name, "GetFD")) {
@@ -335,7 +335,7 @@ out_unknown_method:
 }
 static GDBusInterfaceInfo *const interface_info = NM_DEFINE_GDBUS_INTERFACE_INFO(
-    NM_SUDO_DBUS_IFACE_NAME,
+    NM_PRIV_HELPER_DBUS_IFACE_NAME,
    .methods = NM_DEFINE_GDBUS_METHOD_INFOS(
        NM_DEFINE_GDBUS_METHOD_INFO(
            "Ping",
@@ -360,25 +360,27 @@ _bus_register_service(GlobalData *gl)
    gl->service_regist_id =
        g_dbus_connection_register_object(gl->dbus_connection,
-                                          NM_SUDO_DBUS_OBJECT_PATH,
+                                          NM_PRIV_HELPER_DBUS_OBJECT_PATH,
                                          interface_info,
                                          NM_UNCONST_PTR(GDBusInterfaceVTable, &interface_vtable),
                                          gl,
                                          NULL,
                                          &error);
    if (gl->service_regist_id == 0) {
-        _LOGE("dbus: error registering object %s: %s", NM_SUDO_DBUS_OBJECT_PATH, error->message);
+        _LOGE("dbus: error registering object %s: %s",
              NM_PRIV_HELPER_DBUS_OBJECT_PATH,
              error->message);
        return FALSE;
    }
-    _LOGD("dbus: object %s registered", NM_SUDO_DBUS_OBJECT_PATH);
+    _LOGD("dbus: object %s registered", NM_PRIV_HELPER_DBUS_OBJECT_PATH);
    /* regardless whether the request is successful, after we start calling
     * RequestName, we remember that we need to ReleaseName it. */
    gl->name_requested = TRUE;
    nm_dbus_connection_call_request_name(gl->dbus_connection,
-                                         NM_SUDO_DBUS_BUS_NAME,
+                                         NM_PRIV_HELPER_DBUS_BUS_NAME,
                                         DBUS_NAME_FLAG_ALLOW_REPLACEMENT
                                             | DBUS_NAME_FLAG_REPLACE_EXISTING,
                                         10000,
@@ -396,7 +398,7 @@ _bus_register_service(GlobalData *gl)
        return FALSE;
    if (error) {
-        _LOGE("d-bus: failed to request name %s: %s", NM_SUDO_DBUS_BUS_NAME, error->message);
+        _LOGE("d-bus: failed to request name %s: %s", NM_PRIV_HELPER_DBUS_BUS_NAME, error->message);
        return FALSE;
    }
@@ -404,12 +406,12 @@ _bus_register_service(GlobalData *gl)
    if (ret_val != DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER) {
        _LOGW("dbus: request name for %s failed to take name (response %u)",
-              NM_SUDO_DBUS_BUS_NAME,
+              NM_PRIV_HELPER_DBUS_BUS_NAME,
              ret_val);
        return FALSE;
    }
-    _LOGD("dbus: request name for %s succeeded", NM_SUDO_DBUS_BUS_NAME);
+    _LOGD("dbus: request name for %s succeeded", NM_PRIV_HELPER_DBUS_BUS_NAME);
    return TRUE;
 }
@@ -538,7 +540,7 @@ _bus_release_name(GlobalData *gl)
                           DBUS_PATH_DBUS,
                           DBUS_INTERFACE_DBUS,
                           "ReleaseName",
-                           g_variant_new("(s)", NM_SUDO_DBUS_BUS_NAME),
+                           g_variant_new("(s)", NM_PRIV_HELPER_DBUS_BUS_NAME),
                           G_VARIANT_TYPE("(u)"),
                           G_DBUS_CALL_FLAGS_NONE,
                           10000,
@@ -554,12 +556,17 @@ static void
 _initial_setup(GlobalData *gl)
 {
    gl->no_auth_for_testing =
-        _nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_SUDO_NO_AUTH_FOR_TESTING")), 0, 0, 1, 0);
+        _nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_PRIV_HELPER_NO_AUTH_FOR_TESTING")),
-    gl->timeout_msec = _nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_SUDO_IDLE_TIMEOUT_MSEC")),
+                                     0,
-                                                    0,
+                                     0,
-                                                    0,
+                                     1,
-                                                    G_MAXINT32,
+                                     0);
-                                                    IDLE_TIMEOUT_MSEC);
+    gl->timeout_msec =
        _nm_utils_ascii_str_to_int64(g_getenv(_ENV("NM_PRIV_HELPER_IDLE_TIMEOUT_MSEC")),
                                     0,
                                     0,
                                     G_MAXINT32,
                                     IDLE_TIMEOUT_MSEC);
    gl->quit_cancellable = g_cancellable_new();
@@ -580,17 +587,17 @@ main(int argc, char **argv)
    int               exit_code;
    int               r = 0;
-    _nm_logging_enabled_init(g_getenv(_ENV("NM_SUDO_LOG")));
+    _nm_logging_enabled_init(g_getenv(_ENV("NM_PRIV_HELPER_LOG")));
    gl->start_timestamp_msec = nm_utils_clock_gettime_msec(CLOCK_BOOTTIME);
-    _LOGD("starting nm-sudo (%s)", NM_DIST_VERSION);
+    _LOGD("starting nm-priv-helper (%s)", NM_DIST_VERSION);
    _initial_setup(gl);
    if (gl->no_auth_for_testing) {
        _LOGW("WARNING: running in debug mode without authentication "
-              "(NM_SUDO_NO_AUTH_FOR_TESTING). ");
+              "(NM_PRIV_HELPER_NO_AUTH_FOR_TESTING). ");
    }
    if (gl->timeout_msec != IDLE_TIMEOUT_INFINITY)
--- a/src/nm-priv-helper/nm-priv-helper.conf
+++ b/src/nm-priv-helper/nm-priv-helper.conf
@@ -3,11 +3,11 @@
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
    <policy user="root">
-        <allow own="org.freedesktop.nm.sudo"/>
+        <allow own="org.freedesktop.nm.priv-helper"/>
-        <allow send_destination="org.freedesktop.nm.sudo"/>
+        <allow send_destination="org.freedesktop.nm.priv-helper"/>
    </policy>
    <policy context="default">
-        <deny own="org.freedesktop.nm.sudo"/>
+        <deny own="org.freedesktop.nm.priv-helper"/>
-        <deny send_destination="org.freedesktop.nm.sudo"/>
+        <deny send_destination="org.freedesktop.nm.priv-helper"/>
    </policy>
 </busconfig>
--- a/src/nm-priv-helper/org.freedesktop.nm-priv-helper.service.in
+++ b/src/nm-priv-helper/org.freedesktop.nm-priv-helper.service.in
@@ -0,0 +1,5 @@
 [D-BUS Service]
 Name=org.freedesktop.nm-priv-helper
 Exec=@libexecdir@/nm-priv-helper
 User=root
 SystemdService=dbus-org.freedesktop.nm-priv-helper.service
--- a/src/nm-sudo/README.md
+++ b/src/nm-sudo/README.md
@@ -1,21 +0,0 @@
 nm-sudo
 =======
 This is a D-Bus activatable, exit-on-idle service, which
 provides an internal API to NetworkManager daemon.
 This has no purpose for the user, it is an implementation detail
 of the daemon.
 The purpose is that `nm-sudo` can execute certain operations,
 which NetworkManager process is not allowed to. We want to
 sandbox NetworkManager as much as possible, and nm-sudo provides
 a controlled way to perform some very specific operations.
 As such, nm-sudo should still be sandboxed too to only being
 able to execute the operations that are necessary for NetworkManager.
 nm-sudo will reject all D-Bus requests that are not originating
 from the current name owner of "org.freedesktop.NetworkManager".
 That is, it is supposed to only reply to NetworkManager daemon
 and as such is not useful to the user directly.
--- a/src/nm-sudo/org.freedesktop.nm.sudo.service.in
+++ b/src/nm-sudo/org.freedesktop.nm.sudo.service.in
@@ -1,5 +0,0 @@
 [D-BUS Service]
 Name=org.freedesktop.nm.sudo
 Exec=@libexecdir@/nm-sudo
 User=root
 SystemdService=dbus-org.freedesktop.nm.sudo.service