3 files changed, 79 insertions, 12 deletions
diff --git a/test/syscalls/linux/BUILD b/test/syscalls/linux/BUILD
index d9095c95f..837e56042 100644
--- a/test/syscalls/linux/BUILD
+++ b/test/syscalls/linux/BUILD
@@ -365,6 +365,7 @@ cc_binary(
         ":socket_test_util",
         "//test/util:file_descriptor",
         gtest,
+        "//test/util:temp_umask",
         "//test/util:test_main",
         "//test/util:test_util",
     ],
diff --git a/test/syscalls/linux/pipe.cc b/test/syscalls/linux/pipe.cc
index 67228b66b..34291850d 100644
--- a/test/syscalls/linux/pipe.cc
+++ b/test/syscalls/linux/pipe.cc
@@ -631,11 +631,14 @@ INSTANTIATE_TEST_SUITE_P(
             "namednonblocking",
             [](int fds[2], bool* is_blocking, bool* is_namedpipe) {
               // Create a new file-based pipe (non-blocking).
-              auto file = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFile());
-              ASSERT_THAT(unlink(file.path().c_str()), SyscallSucceeds());
-              SKIP_IF(mkfifo(file.path().c_str(), 0644) != 0);
-              fds[0] = open(file.path().c_str(), O_NONBLOCK | O_RDONLY);
-              fds[1] = open(file.path().c_str(), O_NONBLOCK | O_WRONLY);
+              std::string path;
+              {
+                auto file = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFile());
+                path = file.path();
+              }
+              SKIP_IF(mkfifo(path.c_str(), 0644) != 0);
+              fds[0] = open(path.c_str(), O_NONBLOCK | O_RDONLY);
+              fds[1] = open(path.c_str(), O_NONBLOCK | O_WRONLY);
               MaybeSave();
               *is_blocking = false;
               *is_namedpipe = true;
@@ -645,13 +648,15 @@ INSTANTIATE_TEST_SUITE_P(
             "namedblocking",
             [](int fds[2], bool* is_blocking, bool* is_namedpipe) {
               // Create a new file-based pipe (blocking).
-              auto file = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFile());
-              ASSERT_THAT(unlink(file.path().c_str()), SyscallSucceeds());
-              SKIP_IF(mkfifo(file.path().c_str(), 0644) != 0);
-              ScopedThread t([&file, &fds]() {
-                fds[1] = open(file.path().c_str(), O_WRONLY);
-              });
-              fds[0] = open(file.path().c_str(), O_RDONLY);
+              std::string path;
+              {
+                auto file = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFile());
+                path = file.path();
+              }
+              SKIP_IF(mkfifo(path.c_str(), 0644) != 0);
+              ScopedThread t(
+                  [&path, &fds]() { fds[1] = open(path.c_str(), O_WRONLY); });
+              fds[0] = open(path.c_str(), O_RDONLY);
               t.Join();
               MaybeSave();
               *is_blocking = true;
diff --git a/test/syscalls/linux/socket.cc b/test/syscalls/linux/socket.cc
index 3a07ac8d2..703d594a2 100644
--- a/test/syscalls/linux/socket.cc
+++ b/test/syscalls/linux/socket.cc
@@ -13,11 +13,14 @@
 // limitations under the License.
 
 #include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include <unistd.h>
 
 #include "gtest/gtest.h"
 #include "test/syscalls/linux/socket_test_util.h"
 #include "test/util/file_descriptor.h"
+#include "test/util/temp_umask.h"
 #include "test/util/test_util.h"
 
 namespace gvisor {
@@ -58,11 +61,69 @@ TEST(SocketTest, ProtocolInet) {
   }
 }
 
+TEST(SocketTest, UnixSocketFileMode) {
+  // TODO(gvisor.dev/issue/1624): Re-enable this test once VFS1 is deleted. It
+  // should pass in VFS2.
+  SKIP_IF(IsRunningOnGvisor());
+
+  FileDescriptor bound =
+      ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_UNIX, SOCK_STREAM, PF_UNIX));
+
+  // The permissions of the file created with bind(2) should be defined by the
+  // permissions of the bound socket and the umask.
+  mode_t sock_perm = 0765, mask = 0123;
+  ASSERT_THAT(fchmod(bound.get(), sock_perm), SyscallSucceeds());
+  TempUmask m(mask);
+
+  struct sockaddr_un addr =
+      ASSERT_NO_ERRNO_AND_VALUE(UniqueUnixAddr(/*abstract=*/false, AF_UNIX));
+  ASSERT_THAT(bind(bound.get(), reinterpret_cast<struct sockaddr*>(&addr),
+                   sizeof(addr)),
+              SyscallSucceeds());
+
+  struct stat statbuf = {};
+  ASSERT_THAT(stat(addr.sun_path, &statbuf), SyscallSucceeds());
+  EXPECT_EQ(statbuf.st_mode, S_IFSOCK | sock_perm & ~mask);
+}
+
+TEST(SocketTest, UnixConnectNeedsWritePerm) {
+  // TODO(gvisor.dev/issue/1624): Re-enable this test once VFS1 is deleted. It
+  // should succeed in VFS2.
+  SKIP_IF(IsRunningOnGvisor());
+
+  FileDescriptor bound =
+      ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_UNIX, SOCK_STREAM, PF_UNIX));
+
+  struct sockaddr_un addr =
+      ASSERT_NO_ERRNO_AND_VALUE(UniqueUnixAddr(/*abstract=*/false, AF_UNIX));
+  ASSERT_THAT(bind(bound.get(), reinterpret_cast<struct sockaddr*>(&addr),
+                   sizeof(addr)),
+              SyscallSucceeds());
+  ASSERT_THAT(listen(bound.get(), 1), SyscallSucceeds());
+
+  // Connect should fail without write perms.
+  ASSERT_THAT(chmod(addr.sun_path, 0500), SyscallSucceeds());
+  FileDescriptor client =
+      ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_UNIX, SOCK_STREAM, PF_UNIX));
+  EXPECT_THAT(connect(client.get(), reinterpret_cast<struct sockaddr*>(&addr),
+                      sizeof(addr)),
+              SyscallFailsWithErrno(EACCES));
+
+  // Connect should succeed with write perms.
+  ASSERT_THAT(chmod(addr.sun_path, 0200), SyscallSucceeds());
+  EXPECT_THAT(connect(client.get(), reinterpret_cast<struct sockaddr*>(&addr),
+                      sizeof(addr)),
+              SyscallSucceeds());
+}
+
 using SocketOpenTest = ::testing::TestWithParam<int>;
 
 // UDS cannot be opened.
 TEST_P(SocketOpenTest, Unix) {
   // FIXME(b/142001530): Open incorrectly succeeds on gVisor.
+  //
+  // TODO(gvisor.dev/issue/1624): Re-enable this test once VFS1 is deleted. It
+  // should succeed in VFS2.
   SKIP_IF(IsRunningOnGvisor());
 
   FileDescriptor bound =