QemuHCK: Map the current user to nobody for smbd

Signed-off-by: Akihiko Odaki <[email protected]>
HCK-CI · May 4, 2024 · c9576f0 · c9576f0
1 parent 981eb2b
commit c9576f0
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 5 deletions.
diff --git a/bin/ns b/bin/ns
@@ -44,7 +44,8 @@ fork do
     # Call newgidmap so that virtiofsd can use setgroups() to drop subgroups.
     # unshare command in util-linux 2.38 can call newgidmap by its own, but
     # unfortunately it is not available on some supported systems.
-    system 'newgidmap', parent.to_s, subid_start, subid_start, subid_count, exception: true
+    system 'newgidmap', parent.to_s, '0', Process.gid.to_s, '1',
+           subid_start, subid_start, subid_count, exception: true
   end
 
   slirp = spawn('slirp4netns', '-r', r_write.fileno.to_s,

diff --git a/lib/setupmanagers/qemuhck/network_manager.json b/lib/setupmanagers/qemuhck/network_manager.json
@@ -29,5 +29,29 @@
       "ip link set @bridge_name@ txqueuelen 11000",
       "ethtool -K ${1} tx off"
     ]
-  }
+  },
+  "smb": [
+    "[global]",
+    "private dir=@net_smb_private@",
+    "interfaces=127.0.0.1",
+    "bind interfaces only=yes",
+    "pid directory=@net_smb_private@",
+    "lock directory=@net_smb_private@",
+    "state directory=@net_smb_private@",
+    "cache directory=@net_smb_private@",
+    "ncalrpc dir=@net_smb_private@/ncalrpc",
+    "log file=@net_smb_private@/log.smbd",
+    "smb passwd file=@net_smb_private@/smbpasswd",
+    "security = user",
+    "map to guest = Bad User",
+    "load printers = no",
+    "printing = bsd",
+    "disable spoolss = yes",
+    "usershare max shares = 0",
+    "[qemu]",
+    "path=@net_smb_share@",
+    "read only=no",
+    "guest ok=yes",
+    "force user=nobody"
+  ]
 }
diff --git a/lib/setupmanagers/qemuhck/network_manager.rb b/lib/setupmanagers/qemuhck/network_manager.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'shellwords'
 require_relative '../../auxiliary/json_helper'
 require_relative '../../auxiliary/host_helper'
 require_relative '../../auxiliary/string_helper'
@@ -83,7 +84,7 @@ def device_command_info(type, device_name, command_options, qemu_replacement_lis
 
         replacement_list = device_replacement_list(type, device, type_config, qemu_replacement_list)
         replacement_list.merge! command_options
-        device_command = replace_string_recursive(device['command_line'].join(' '), replacement_list)
+        device_command = create_cmd(device['command_line'].join(' '), replacement_list)
 
         @logger.debug("Device #{device_name} used as #{type} device")
         @logger.debug("Device command: #{device_command}")
@@ -100,6 +101,14 @@ def create_net_up_script(replacement_list)
         FileUtils.chmod(0o755, full_name)
       end
 
+      def create_net_smb(replacement_list)
+        content_template = @config['smb'].join('\n')
+        content = replace_string_recursive(content_template, replacement_list)
+        path = replace_string_recursive('@net_smb_private@', replacement_list)
+        FileUtils.mkdir_p(path)
+        File.write File.join(path, 'smb.conf'), content
+      end
+
       def control_device_command(device_name, qemu_replacement_list = {})
         type = __method__.to_s.split('_').first
 
@@ -159,15 +168,28 @@ def transfer_device_command(device_name, transfer_net, share_path, qemu_replacem
         net_base = "#{transfer_net}.0/24"
         smb_server = "#{transfer_net}.4"
 
-        netdev_options = "net=#{net_base},smb=#{path},smbserver=#{smb_server},restrict=on,ifname=@net_if_name@"
+        net_smb_private = replace_string_recursive('@workspace@/smb_@run_id@', qemu_replacement_list)
+        net_smb_private_shellescaped = net_smb_private.shellescape
+
+        # Mapping the current user to root will make smbd assume it can drop and
+        # re-add supplementary groups. However, re-adding supplementary groups
+        # do not work because they are typically not mapped in the current user
+        # namespace. Map the current user to nobody when running smbd so that
+        # smbd will run in the non-root mode.
+        net_smb_cmd = "unshare --map-user=nobody smbd -l #{net_smb_private_shellescaped} -s #{net_smb_private_shellescaped}/smb.conf"
+
+        netdev_options = ",net=#{net_base},guestfwd=:#{smb_server}:445-cmd:#{net_smb_cmd},restrict=on"
         network_backend = 'user'
 
         options = {
           '@network_backend@' => network_backend,
-          '@netdev_options@' => netdev_options
+          '@netdev_options@' => netdev_options,
+          '@net_smb_private@' => net_smb_private,
+          '@net_smb_share@' => path
         }
 
         cmd, = device_command_info(type, device_name, options, qemu_replacement_list)
+        create_net_smb(qemu_replacement_list.merge(options))
 
         cmd
       end