From f125143d64c3fac8c9576a55b48331cbf6096460 Mon Sep 17 00:00:00 2001 From: Reepca Russelstein Date: Sat, 19 Oct 2024 20:48:29 -0500 Subject: [PATCH] build: Restrict access to daemon socket in tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the weak isolation available to the test daemon, it is essential to disallow untrusted access to it, as otherwise another local user can gain our user's credentials easily. * build-aux/test-env.in: ensure the daemon-socket directory is freshly-created with 0700 permissions. Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670 Signed-off-by: Ludovic Courtès --- build-aux/test-env.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build-aux/test-env.in b/build-aux/test-env.in index ca786437e9..9caa29da58 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -97,6 +97,11 @@ then GUIX_ALLOW_UNAUTHENTICATED_SUBSTITUTES \ GUIX_CONFIGURATION_DIRECTORY XDG_CACHE_HOME + # Create a fresh directory with restrictive permissions so that our test + # daemon's weak isolation can't be exploited by other users + rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" + mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \
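Review bot: The `rm -rf` followed by `mkdir -m 0700` leaves a small window in which another local user could recreate `$GUIX_STATE_DIRECTORY/daemon-socket` (with their own ownership and permissions) between the two commands, if the parent directory is writable by them; `mkdir` without `-p` will correctly fail in that case, but the visible context does not show whether the script runs under `set -e`, so the failure should be made fatal explicitly, e.g. `mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" || exit 1`, otherwise the daemon would still start against a socket directory this change did not create. It would also help to state in the comment that the guarantee depends on `$GUIX_STATE_DIRECTORY` itself not being world-writable, since that is the assumption the new `0700` directory relies on.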