Add a NixOS test for the sandbox escape

Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered.
2025-07-07 01:51:47 +02:00 · 2024-02-12 21:28:20 +01:00 · 2024-02-12 21:28:20 +01:00 · ca05f6d203
commit ca05f6d203
parent d829c21ef3
4 changed files with 223 additions and 0 deletions
--- a/tests/nixos/default.nix
+++ b/tests/nixos/default.nix
@ -40,4 +40,6 @@ in
  setuid = lib.genAttrs
    ["i686-linux" "x86_64-linux"]
    (system: runNixOSTestFor system ./setuid.nix);
+
+  ca-fd-leak = runNixOSTestFor "x86_64-linux" ./ca-fd-leak;
 }