Add a NixOS test for the sandbox escape

Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered.
2025-07-08 19:23:54 +02:00 · 2024-02-12 21:28:20 +01:00 · 2024-02-12 21:28:20 +01:00 · 4645652975
commit 4645652975
parent 584d64bebc
4 changed files with 224 additions and 1 deletions
--- a/tests/nixos/default.nix
+++ b/tests/nixos/default.nix
@ -109,7 +109,7 @@ in
      nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
    };
  };
-  
+
  # TODO: (nixpkgs update) remoteBuildsSshNg_remote_2_18 = ...

  # Test our Nix as a builder for clients that are older
@ -156,4 +156,6 @@ in
    (system: runNixOSTestFor system ./setuid.nix);

  fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
+
+  ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
 }