Check EGID of the client when deciding whether to send a message
Currently the D-Bus daemon checks only the primary GID and supplementary groups of a client process when deciding whether to allow it to send a message.
So if some privileged process calls setegid() (and not setgid()) to launch a privileged child, this child would be unable to use the restricted D-Bus API because it would still have an unprivileged real GID. But since all GIDs (real, effective and supplementary) should be treated equally, I suggest checking the EGID too.
There was a previous discussion of the topic here: https://bugs.freedesktop.org/show_bug.cgi?format=multiple&id=97821
That resulted in support for supplementary groups being added: https://bugs.freedesktop.org/show_bug.cgi?id=103737
But the EGID is still ignored.
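
The difference between the two checks, as an added example that is not D-Bus code and not part of the original report: a group-membership test over primary and supplementary GIDs only, next to one that also accepts the effective GID. The struct, the function names and the sample GIDs (1000, 50, 27) are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_SUPP 64

/* Hypothetical snapshot of a client's group credentials. */
struct client_groups {
    gid_t rgid;            /* real (primary) GID */
    gid_t egid;            /* effective GID */
    gid_t supp[MAX_SUPP];  /* supplementary groups */
    size_t n_supp;
};

/* Check the report describes as current: primary GID and supplementary groups. */
bool in_group_without_egid(const struct client_groups *c, gid_t want)
{
    if (c->rgid == want)
        return true;
    for (size_t i = 0; i < c->n_supp; i++)
        if (c->supp[i] == want)
            return true;
    return false;
}

/* Check the report suggests: the effective GID counts as well. */
bool in_group_with_egid(const struct client_groups *c, gid_t want)
{
    return c->egid == want || in_group_without_egid(c, want);
}

/* Fill a snapshot from the calling process; returns false on error. */
bool snapshot_self(struct client_groups *c)
{
    int n = getgroups(MAX_SUPP, c->supp);
    if (n < 0)
        return false;
    c->n_supp = (size_t)n;
    c->rgid = getgid();
    c->egid = getegid();
    return true;
}

/* Constructed sample: child of a parent that called setegid(50), real GID 1000. */
struct client_groups sample_child(void)
{
    struct client_groups c = { .rgid = 1000, .egid = 50,
                               .supp = { 1000, 27 }, .n_supp = 2 };
    return c;
}
```

For the constructed child, a rule that requires group 50 is refused by the first check and accepted by the second, while groups 1000 and 27 pass both.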