build: Restrict access to daemon socket in tests.

Reepca Russelstein · civodul · commit f125143d64c3 · 2024-10-24T14:50:09.000+02:00
With the weak isolation available to the test daemon, it is essential to
disallow untrusted access to it, as otherwise another local user can gain our
user's credentials easily.

* build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
  with 0700 permissions.

Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670
Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
diff --git a/build-aux/test-env.in b/build-aux/test-env.in
@@ -97,6 +97,11 @@ then
         GUIX_ALLOW_UNAUTHENTICATED_SUBSTITUTES			\
         GUIX_CONFIGURATION_DIRECTORY XDG_CACHE_HOME
 
+    # Create a fresh directory with restrictive permissions so that our test
+    # daemon's weak isolation can't be exploited by other users
+    rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket"
+    mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket"
+
     # Launch the daemon without chroot support because is may be
     # unavailable, for instance if we're not running as root.
     "@abs_top_builddir@/pre-inst-env"				\
