Add a NixOS test for the sandbox escape

Test that we can't leverage abstract unix domain sockets to leak file descriptors out of the sandbox and modify the path after it has been registered. Co-authored-by: Theophane Hufschmitt <theophane.hufschmitt@tweag.io>
2025-07-07 14:21:48 +02:00 · 2024-03-01 03:42:26 -05:00 · 2024-03-01 03:42:26 -05:00 · f8d20e91a4
commit f8d20e91a4
parent ec177b98f3
4 changed files with 223 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -634,6 +634,8 @@
          ["i686-linux" "x86_64-linux"]
          (system: runNixOSTestFor system ./tests/nixos/setuid.nix);

+        tests.ca-fd-leak = runNixOSTestFor "x86_64-linux" ./tests/nixos/ca-fd-leak;
+

        # Make sure that nix-env still produces the exact same result
        # on a particular version of Nixpkgs.