Add a NixOS test for the sandbox escape

Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered.
2025-06-25 02:21:16 +02:00 · 2024-02-12 21:28:20 +01:00 · 2024-02-12 21:28:20 +01:00 · a55c6a0f47
commit a55c6a0f47
parent 864fc85fc8
4 changed files with 224 additions and 1 deletions
--- a/tests/nixos/default.nix
+++ b/tests/nixos/default.nix
@ -109,7 +109,7 @@ in
      nix.package = lib.mkForce pkgs.nixVersions.nix_2_13;
    };
  };
-  
+
  # TODO: (nixpkgs update) remoteBuildsSshNg_remote_2_18 = ...

  # Test our Nix as a builder for clients that are older
@ -156,4 +156,6 @@ in
    (system: runNixOSTestFor system ./setuid.nix);

  fetch-git = runNixOSTestFor "x86_64-linux" ./fetch-git;
+
+  ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
 }