linuxdeepin · deepin-bot · Nov 4, 2025 · Oct 28, 2025 · Oct 29, 2025 · Oct 29, 2025
diff --git a/assets/dbus/org.deepin.Filemanager.DiskEncrypt.xml b/assets/dbus/org.deepin.Filemanager.DiskEncrypt.xml
@@ -43,17 +43,14 @@
     </method>
     <method name="Decryption">
       <arg type="b" direction="out"/>
-      <arg name="args" type="a{sv}" direction="in"/>
-      <annotation name="org.qtproject.QtDBus.QtTypeName.In0" value="QVariantMap"/>
+      <arg name="credentialsFd" type="h" direction="in"/>
     </method>
     <method name="ChangePassphrase">
       <arg type="b" direction="out"/>
-      <arg name="args" type="a{sv}" direction="in"/>
-      <annotation name="org.qtproject.QtDBus.QtTypeName.In0" value="QVariantMap"/>
+      <arg name="credentialsFd" type="h" direction="in"/>
     </method>
     <method name="SetupAuthArgs">
-      <arg name="args" type="a{sv}" direction="in"/>
-      <annotation name="org.qtproject.QtDBus.QtTypeName.In0" value="QVariantMap"/>
+      <arg name="credentialsFd" type="h" direction="in"/>
     </method>
     <method name="IgnoreAuthSetup">
     </method>

diff --git a/debian/dde-file-manager-services-plugins.install b/debian/dde-file-manager-services-plugins.install
@@ -7,5 +7,5 @@ usr/share/dbus-1/system-services/*.service
 usr/share/dbus-1/system.d/org.deepin.filemanager.diskencrypt.conf
 usr/share/dbus-1/services/org.deepin.Filemanager.TextIndex.service
 etc/systemd/system/deepin-service-group@.service.d/*
-etc/polkit-1/localauthority/10-vendor.d/99-dde-file-manager-encrypt.pkla
+usr/share/polkit-1/rules.d/99-dde-file-manager-encrypt.rules
 etc/udev/rules.d/*.rules
diff --git a/src/plugins/filemanager/dfmplugin-disk-encrypt-entry/menu/diskencryptmenuscene.cpp b/src/plugins/filemanager/dfmplugin-disk-encrypt-entry/menu/diskencryptmenuscene.cpp
@@ -23,14 +23,17 @@
 #include <QDBusInterface>
 #include <QDBusReply>
 #include <QApplication>
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QJsonParseError>
+#include <QDBusUnixFileDescriptor>
+#include <QDataStream>
 
 #include <ddialog.h>
 #include <dconfig.h>
 
 #include <fstab.h>
+#include <unistd.h>
 
 DFMBASE_USE_NAMESPACE
 using namespace dfmplugin_diskenc;
@@ -395,23 +398,24 @@
                          kDaemonBusPath,
                          kDaemonBusIface,
                          QDBusConnection::systemBus());
-    if (iface.isValid()) {
-        QVariantMap params {
-            { encrypt_param_keys::kKeyDevice, param.devDesc },
-            { encrypt_param_keys::kKeyPassphrase, toBase64(param.key) },
-            { encrypt_param_keys::kKeyExportToPath, param.exportPath },
-        };
-        if (!tpmToken.isEmpty()) params.insert(encrypt_param_keys::kKeyTPMToken, tpmToken);
-
-        fmDebug() << "Starting device re-encryption";
-        QDBusReply<bool> ret = iface.call("SetupAuthArgs", params);
-        if (ret.value()) {
-            QApplication::setOverrideCursor(Qt::WaitCursor);
-        } else {
-            fmCritical() << "Re-encryption setup failed";
-        }
-    } else {
+    if (!iface.isValid()) {
         fmCritical() << "Failed to create D-Bus interface for re-encryption";
+        return;
+    }
+
+    // Prepare credentials data
+    QVariantMap params {
+        { encrypt_param_keys::kKeyDevice, param.devDesc },
+        { encrypt_param_keys::kKeyPassphrase, toBase64(param.key) },
+        { encrypt_param_keys::kKeyExportToPath, param.exportPath },
+    };
+    if (!tpmToken.isEmpty())
+        params.insert(encrypt_param_keys::kKeyTPMToken, tpmToken);
+
+    // Send credentials via fd
+    fmDebug() << "Starting device re-encryption via fd";
+    if (sendCredentialsViaFd(iface, "SetupAuthArgs", params, true)) {
+        QApplication::setOverrideCursor(Qt::WaitCursor);
     }
 }
 
@@ -421,25 +425,26 @@
                          kDaemonBusPath,
                          kDaemonBusIface,
                          QDBusConnection::systemBus());
-    if (iface.isValid()) {
-        QVariantMap params {
-            { encrypt_param_keys::kKeyJobType, param.jobType },
-            { encrypt_param_keys::kKeyDevice, param.devDesc },
-            { encrypt_param_keys::kKeyDeviceName, param.deviceDisplayName },
-            { encrypt_param_keys::kKeyPassphrase, toBase64(param.key) }
-        };
+    if (!iface.isValid()) {
+        fmCritical() << "Failed to create D-Bus interface for decryption";
+        return;
+    }
 
-        fmDebug() << "Calling Decryption D-Bus method";
-        QDBusReply<bool> ret = iface.call("Decryption", params);
-        if (ret.value()) {
-            QApplication::setOverrideCursor(Qt::WaitCursor);
-        } else {
-            fmCritical() << "Decryption failed to start";
-        }
+    // Prepare credentials data
+    QVariantMap params {
+        { encrypt_param_keys::kKeyJobType, param.jobType },
+        { encrypt_param_keys::kKeyDevice, param.devDesc },
+        { encrypt_param_keys::kKeyDeviceName, param.deviceDisplayName },
+        { encrypt_param_keys::kKeyPassphrase, toBase64(param.key) }
+    };
 
+    // Send credentials via fd
+    fmDebug() << "Calling Decryption D-Bus method via fd";
+    if (sendCredentialsViaFd(iface, "Decryption", params, false)) {
+        QApplication::setOverrideCursor(Qt::WaitCursor);
         EventsHandler::instance()->autoStartDFM();
     } else {
-        fmCritical() << "Failed to create D-Bus interface for decryption";
+        fmCritical() << "Decryption failed to start";
     }
 }
 
@@ -474,6 +479,16 @@
                          kDaemonBusIface,
                          QDBusConnection::systemBus());
     if (iface.isValid()) {
+        // Create anonymous pipe for secure credential transmission
+        int pipefd[2];
+        if (pipe(pipefd) == -1) {
+            fmCritical() << "Failed to create anonymous pipe for credentials";
+            return;
+        }
+
+        // Prepare credentials data using QDataStream for reliable serialization
+        QByteArray credentials;
+        QDataStream stream(&credentials, QIODevice::WriteOnly);
         QVariantMap params {
             { encrypt_param_keys::kKeyDevice, param.devDesc },
             { encrypt_param_keys::kKeyPassphrase, toBase64(param.newKey) },
@@ -482,14 +497,36 @@
             { encrypt_param_keys::kKeyTPMToken, token },
             { encrypt_param_keys::kKeyDeviceName, param.deviceDisplayName }
         };
+        stream << params;
+
+        // Write credentials to pipe and close write end immediately
+        ssize_t written = write(pipefd[1], credentials.constData(), credentials.size());
+        close(pipefd[1]);   // Close write end immediately after writing
+
+        if (written != credentials.size()) {
+            fmCritical() << "Failed to write credentials to pipe, written:" << written << "expected:" << credentials.size();
+            close(pipefd[0]);
+            return;
+        }
-        // Write credentials to pipe and close write end immediately
-        ssize_t written = write(pipefd[1], credentials.constData(), credentials.size());
-        close(pipefd[1]);   // Close write end immediately after writing
-
-        if (written != credentials.size()) {
-            fmCritical() << "Failed to write credentials to pipe, written:" << written << "expected:" << credentials.size();
-            close(pipefd[0]);
-            return;
-        }
+        // Write credentials to pipe and close write end immediately
+        const char* buf = credentials.constData();
+        qint64 totalWritten = 0;
+        qint64 toWrite = credentials.size();
+        while (totalWritten < toWrite) {
+            ssize_t written = write(pipefd[1], buf + totalWritten, toWrite - totalWritten);
+            if (written < 0) {
+                fmCritical() << "Error writing credentials to pipe:" << strerror(errno);
+                close(pipefd[1]);
+                close(pipefd[0]);
+                return;
+            }
+            totalWritten += written;
+        }
+        close(pipefd[1]);   // Close write end immediately after writing
+
+        if (totalWritten != credentials.size()) {
+            fmCritical() << "Failed to write all credentials to pipe, written:" << totalWritten << "expected:" << credentials.size();
+            close(pipefd[0]);
+            return;
+        }
-        // Write credentials to pipe and close write end immediately
-        ssize_t written = write(pipefd[1], credentials.constData(), credentials.size());
-        close(pipefd[1]);   // Close write end immediately after writing
-
-        if (written != credentials.size()) {
-            fmCritical() << "Failed to write credentials to pipe, written:" << written << "expected:" << credentials.size();
-            close(pipefd[0]);
-            return;
-        }
+        // Write credentials to pipe and close write end immediately
+        const char* buf = credentials.constData();
+        qint64 totalWritten = 0;
+        qint64 toWrite = credentials.size();
+        while (totalWritten < toWrite) {
+            ssize_t written = write(pipefd[1], buf + totalWritten, toWrite - totalWritten);
+            if (written < 0) {
+                fmCritical() << "Error writing credentials to pipe:" << strerror(errno);
+                close(pipefd[1]);
+                close(pipefd[0]);
+                return;
+            }
+            totalWritten += written;
+        }
+        close(pipefd[1]);   // Close write end immediately after writing
+
+        if (totalWritten != credentials.size()) {
+            fmCritical() << "Failed to write all credentials to pipe, written:" << totalWritten << "expected:" << credentials.size();
+            close(pipefd[0]);
+            return;
+        }
+
+        // Create file descriptor for D-Bus transmission
+        QDBusUnixFileDescriptor fd(pipefd[0]);
+        if (!fd.isValid()) {
+            fmCritical() << "Failed to create valid file descriptor from pipe";
+            close(pipefd[0]);
+            return;
+        }
 
-        fmDebug() << "Calling ChangePassphrase D-Bus method";
-        QDBusReply<bool> ret = iface.call("ChangePassphrase", params);
+        fmDebug() << "Calling ChangePassphrase D-Bus method via fd";
+        QDBusReply<bool> ret = iface.call("ChangePassphrase", QVariant::fromValue(fd));
         if (ret.value()) {
             QApplication::setOverrideCursor(Qt::WaitCursor);
         } else {
             fmCritical() << "Passphrase change failed to start";
         }
+
+        // Close read end (D-Bus service will have its own copy)
+        close(pipefd[0]);
     } else {
         fmCritical() << "Failed to create D-Bus interface for passphrase change";
     }
@@ -563,6 +600,54 @@
     return QString(contents.toBase64());
 }
 
+bool DiskEncryptMenuScene::sendCredentialsViaFd(QDBusInterface &iface, const QString &method,
+                                                  const QVariantMap &params, bool asyncCall)
+{
+    // Create anonymous pipe for secure credential transmission
+    int pipefd[2];
+    if (pipe(pipefd) == -1) {
+        fmCritical() << "[sendCredentialsViaFd] Failed to create anonymous pipe for credentials";
+        return false;
+    }
+
+    // Prepare credentials data using QDataStream for reliable serialization
+    QByteArray credentials;
+    QDataStream stream(&credentials, QIODevice::WriteOnly);
+    stream << params;
+
+    // Write credentials to pipe and close write end immediately
+    ssize_t written = write(pipefd[1], credentials.constData(), credentials.size());
+    close(pipefd[1]);   // Close write end immediately after writing
+
+    if (written != credentials.size()) {
+        fmCritical() << "[sendCredentialsViaFd] Failed to write credentials to pipe, written:" << written << "expected:" << credentials.size();
+        close(pipefd[0]);
+        return false;
+    }
+
+    // Create file descriptor for D-Bus transmission
+    QDBusUnixFileDescriptor fd(pipefd[0]);
+    if (!fd.isValid()) {
+        fmCritical() << "[sendCredentialsViaFd] Failed to create valid file descriptor from pipe";
+        close(pipefd[0]);
+        return false;
+    }
+
+    // Call D-Bus method with file descriptor
+    fmDebug() << "[sendCredentialsViaFd] Calling D-Bus method:" << method << "via fd";
+    if (asyncCall) {
+        iface.asyncCall(method, QVariant::fromValue(fd));
+    } else {
+        QDBusReply<bool> reply = iface.call(method, QVariant::fromValue(fd));
+        close(pipefd[0]);
+        return reply.value();
+    }
+
+    // Close read end (D-Bus service will have its own copy)
+    close(pipefd[0]);
+    return true;
+}
+
 void DiskEncryptMenuScene::onUnlocked(bool ok, dfmmount::OperationErrorInfo info, QString clearDev)
 {
     QApplication::restoreOverrideCursor();

diff --git a/src/plugins/filemanager/dfmplugin-disk-encrypt-entry/menu/diskencryptmenuscene.h b/src/plugins/filemanager/dfmplugin-disk-encrypt-entry/menu/diskencryptmenuscene.h
@@ -10,9 +10,10 @@
 #include <dfm-base/interfaces/abstractmenuscene.h>
 #include <dfm-base/interfaces/abstractscenecreator.h>

 #include <dfm-mount/dmount.h>
 
 #include <QUrl>
+#include <QDBusInterface>
 
 class QAction;
 
@@ -60,6 +61,10 @@
     static QString generateTPMToken(const QString &device, bool pin);
     static QString getBase64Of(const QString &fileName);
 
+    // Send credentials via file descriptor for secure D-Bus transmission
+    static bool sendCredentialsViaFd(QDBusInterface &iface, const QString &method,
+                                     const QVariantMap &params, bool asyncCall = false);
+
     static void onUnlocked(bool ok, dfmmount::OperationErrorInfo, QString);
     static void onMounted(bool ok, dfmmount::OperationErrorInfo, QString);
 

diff --git a/src/services/diskencrypt/CMakeLists.txt b/src/services/diskencrypt/CMakeLists.txt
@@ -27,7 +27,11 @@ install(FILES org.deepin.Filemanager.DiskEncrypt.service DESTINATION share/dbus-
 install(FILES ${CMAKE_SOURCE_DIR}/assets/rules/99-dfm-encrypt.rules DESTINATION /etc/udev/rules.d)
 
 set(PolicyDir "${CMAKE_INSTALL_PREFIX}/share/polkit-1/actions")
+set(RulesDir "${CMAKE_INSTALL_PREFIX}/share/polkit-1/rules.d")
+
 install(FILES polkit/policy/org.deepin.filemanager.diskencrypt.policy
     DESTINATION ${PolicyDir})
-install(FILES polkit/rules/99-dde-file-manager-encrypt.pkla
-    DESTINATION /etc/polkit-1/localauthority/10-vendor.d)
+
+# Install polkit rules (JavaScript format, replaces deprecated .pkla)
+install(FILES polkit/rules/99-dde-file-manager-encrypt.rules
+    DESTINATION ${RulesDir})