PGP: Enable creating a UID directory for GnuGP agent socket in /run/gnupg/user

librepo used to precreate the directory in /run/user to make sure
a GnuPG agent executed by GPGME library, one of librepo's PGP
backends, places its socket there.

The UID directories there are normally created and removed by systemd
(logind PAM session). librepo created them for a case when a package
manager is invoked out of systemd session, before the super user logs
in. E.g. by a timer job to cache repository metadata.

A problem was when this out-of-session process was a SELinux-confined
process creating files with its own SELinux label. Then the UID
directory was created with a SELinux label different from the one expected
by systemd.

Later, the mismatching label interfered with systemd when logging out
a corresponding user.

This patch fixes it by creating the UID directories in a different
path which is not managed by systemd. That path is /run/gnupg/user.
GnuPG recognizes the path if it is compiled with
--enable-run-gnupg-user-socket option.

Unfortunatelly, this patch cannot keep precreating directories in the
old /run/user path for compatibility with GnuPG built without that
option because that would still break systemd. Also GPGME does not
provide a way for checking how GnuPG was configured. Therefore
users who rely on precreating the directories by librepo need to
keep their librepo and GnuPG in synchronization. So this patch adds
a new -DUSE_RUN_GNUPG_USER_SOCKET=ON CMake option to use
/run/gnupg/user. A default behavior is using the old /run/user.

https://issues.redhat.com/browse/RHEL-10720

Author: ppisar

CMakeLists.txt

@@ -6,6 +6,7 @@ OPTION (ENABLE_DOCS "Build docs?" ON)
 OPTION (WITH_ZCHUNK "Build with zchunk support" ON)
 OPTION (ENABLE_PYTHON "Build Python bindings" ON)
 OPTION (USE_GPGME "Use GpgMe (instead of rpm library) for OpenPGP key support" ON)
+OPTION (USE_RUN_GNUPG_USER_SOCKET "Create a directory for gpg-agent socket in /run/gnugp/user (instead of /run/user)" OFF)
 
 INCLUDE (${CMAKE_SOURCE_DIR}/VERSION.cmake)
 SET (VERSION "${LIBREPO_MAJOR}.${LIBREPO_MINOR}.${LIBREPO_PATCH}")
@@ -59,6 +60,11 @@ ELSE (USE_GPGME)
     UNSET(CMAKE_REQUIRED_LIBRARIES)
 ENDIF (USE_GPGME)
 
+IF (USE_RUN_GNUPG_USER_SOCKET)
+    SET (CMAKE_C_FLAGS          "${CMAKE_C_FLAGS} -DUSE_RUN_GNUPG_USER_SOCKET")
+    SET (CMAKE_C_FLAGS_DEBUG    "${CMAKE_C_FLAGS_DEBUG} -DUSE_RUN_GNUPG_USER_SOCKET")
+ENDIF (USE_RUN_GNUPG_USER_SOCKET)
+
 IF (WITH_ZCHUNK)
 PKG_CHECK_MODULES(ZCHUNKLIB zck>=0.9.11 REQUIRED)
 SET (CMAKE_C_FLAGS          "${CMAKE_C_FLAGS} -DWITH_ZCHUNK")

librepo.spec

@@ -14,6 +14,9 @@
 %bcond_without use_gpgme
 %endif
 
+# Needs to match how gnupg2 is compiled
+%bcond_with run_gnupg_user_socket
+
 %global dnf_conflict 2.8.8
 
 Name:           librepo
@@ -78,7 +81,8 @@ Python 3 bindings for the librepo library.
 %build
 %cmake \
     -DWITH_ZCHUNK=%{?with_zchunk:ON}%{!?with_zchunk:OFF} \
-    -DUSE_GPGME=%{?with_use_gpgme:ON}%{!?with_use_gpgme:OFF}
+    -DUSE_GPGME=%{?with_use_gpgme:ON}%{!?with_use_gpgme:OFF} \
+    -DUSE_RUN_GNUPG_USER_SOCKET=%{?with_run_gnupg_user_socket:ON}%{!?with_run_gnupg_user_socket:OFF}
 %cmake_build
 
 %check

librepo/gpg_gpgme.c

@@ -25,6 +25,7 @@
 #include <fcntl.h>
 #include <errno.h>
 #include <gpgme.h>
+#include <stdint.h>
 #include <unistd.h>
 
 #include "gpg.h"
@@ -33,9 +34,9 @@
 #include "util.h"
 
 /*
- * Creates the '/run/user/$UID' directory if it doesn't exist. If this
+ * Creates the '/run/gnupg/user/$UID' directory if it doesn't exist. If this
  * directory exists, gpgagent will create its sockets under
- * '/run/user/$UID/gnupg'.
+ * '/run/gnupg/user/$UID/gnupg'.
  *
  * If this directory doesn't exist, gpgagent will create its sockets in gpg
  * home directory, which is under '/var/cache/yum/metadata/' and this was
@@ -44,22 +45,45 @@
  * Previous solution was to send the agent a "KILLAGENT" message, but that
  * would cause a race condition with calling gpgme_release(), see [2], [3].
  *
+ * Another previous solution used /run/user/$UID which showed problematic when
+ * this library was used out of an systemd-logind session. Then /run/user/$UID,
+ * normally maintained by systemd, was assigned a SELinux label unexpected by
+ * systemd causing errors on a user logout [4].
+ *
  * Since the agent doesn't clean up its sockets properly, by creating this
  * directory we make sure they are in a place that is not causing trouble with
  * container images.
  *
  * [1] https://bugzilla.redhat.com/show_bug.cgi?id=1650266
  * [2] https://bugzilla.redhat.com/show_bug.cgi?id=1769831
  * [3] https://github.com/rpm-software-management/microdnf/issues/50
+ * [4] https://issues.redhat.com/browse/RHEL-6421
  */
 static void
 lr_gpg_ensure_socket_dir_exists()
 {
+#ifdef DUSE_RUN_GNUPG_USER_SOCKET
+    const char *templates[] = { "/run/gnupg", "/run/gnupg/user", "/run/gnupg/user/%ju", NULL };
+    const mode_t modes[] = { 0755, 0755, 0700, 0 };
+#else
+    const char *templates[] = { "/run/user/%ju", NULL };
+    const mode_t modes[] = { 0700, 0 };
+#endif
+    const uid_t uid = getuid();
     char dirname[32];
-    snprintf(dirname, sizeof(dirname), "/run/user/%u", getuid());
-    int res = mkdir(dirname, 0700);
-    if (res != 0 && errno != EEXIST) {
-        g_debug("Failed to create \"%s\": %d - %s\n", dirname, errno, strerror(errno));
+    int res;
+
+    for (int i = 0; templates[i] != NULL; i++) {
+        res = snprintf(dirname, sizeof(dirname), templates[i], (uintmax_t)uid);
+        if (res >= sizeof(dirname)) {
+            g_debug("Failed to format a GnuPG agent socket path because of a small buffer");
+            return;
+        }
+        res = mkdir(dirname, modes[i]);
+        if (res != 0 && errno != EEXIST) {
+            g_debug("Failed to create \"%s\": %d - %s\n", dirname, errno, strerror(errno));
+            return;
+        }
     }
 }