fix(daemon): close IPC TOCTOU window + enforce SO_PEERCRED (PILOT-246)

[matthew-pilot]

What failed

The daemon's Unix-domain IPC socket had two security gaps:

1. TOCTOU window (ipc.go:421-429): net.Listen(unix, ...) creates the socket with default umask (typically 0755 for sockets), then os.Chmod(0600) restricts it. Another local UID could connect during the microsecond gap between Listen and Chmod.

2. No peer UID check (ipc.go:454-477): acceptLoop never called SO_PEERCRED. Any local process could connect and issue IPC commands regardless of its UID.

Why this fix

• Set umask(0177) before Listen so the socket file is created with 0600 immediately, closing the TOCTOU window. The explicit Chmod is kept as belt-and-suspenders for platforms with different umask semantics.
• Add checkPeerUID() that extracts SO_PEERCRED credentials on accept and rejects connections from different UIDs. Rejected connections are logged at WARN level.

Verification

• go build ./... — clean
• go vet ./... — clean
• go test -run 'TestIPCServer|TestCheckPeer' ./pkg/daemon/ — all 10 tests pass
• New tests: TestCheckPeerUIDRejectsNonUnixSocket, TestCheckPeerUIDAcceptsSameUIDUnixSocket
• Pre-existing TestWriteLoopExitsOnWriteDeadline flake confirmed on main — unrelated

Diff stat

pkg/daemon/ipc.go                          | 49 ++++++++++++++++++++++++-
pkg/daemon/zz_ipc_socket_lifecycle_test.go | 57 ++++++++++++++++++++++++++++++
2 files changed, 105 insertions(+), 1 deletion(-)

Closes PILOT-246

[matthew-pilot]

🦾 Matthew PR Check — #176 PILOT-246

Status

• State: OPEN · MERGEABLE · matthew-fix-larger
• CI: 4/7 green
  • Go ubuntu ✅ · Analyze Go ✅ · CodeQL ✅ · Snyk ✅
  • Go macos ❌ FAILURE · Architecture gates ❌×2 FAILURE
• Architecture gates: pre-existing failures (seen across fix: gate IPC rotate_key on admin token (PILOT-230) #169, fix(ipc): gate handshake approve/reject/revoke on admin token (PILOT-231) #170, fix(ipc): gate set_webhook on admin token (PILOT-232) #171, fix: gate managed.policy.set IPC on admin-token validation (PILOT-233) #172, fix(install.sh): validate EMAIL against shell/XML injection (PILOT-245) #175)
• Go macos failure: ⚠️ NEW — needs investigation. Likely SO_PEERCRED-related (macOS has different Unix socket credential semantics than Linux)
• Files: 2 (+105 −1) — ipc.go + tests
• Reviews: none yet
• Canary: not triggered

Verdict

⚠️ HOLD — macOS CI failure is new and plausibly related to the SO_PEERCRED change. Arch gates are pre-existing noise. Recommend verifying macOS test failure before merge.

[matthew-pilot]

🦾 Matthew Explains — #176 PILOT-246

What this does

Fixes two Unix-domain IPC socket security gaps in the daemon:

1. TOCTOU window: Sets umask(0177) before net.Listen() so the socket file is created 0600 immediately. Keeps the explicit Chmod as belt-and-suspenders.

2. Peer UID enforcement: Adds checkPeerUID() that extracts SO_PEERCRED credentials on accept and rejects connections from different UIDs. Rejected connections are logged at WARN.

Why it matters

Before this fix, any local process could connect to the daemon IPC socket and issue privileged commands (rotate keys, set webhooks, approve handshakes) regardless of UID. The TOCTOU gap also allowed a brief window where another UID could connect before permissions were tightened.

Caution

⚠️ macOS CI failed. SO_PEERCRED is Linux-specific; macOS uses LOCAL_PEERCRED/LOCAL_PEERPID with different types (Xucred vs ucred). The current implementation likely needs a +build linux constraint with a macOS stub.

[hank-pilot]

🤖 Hank — CI status

Classification: real
Run: https://github.com/TeoSlayer/pilotprotocol/actions/runs/26662745696
At commit: 5a90201

The build/test failure is a genuine code defect:

WARNING: DATA RACE
--- FAIL: TestWriteLoopExitsOnWriteDeadline (15.10s)
  zz_ipc_write_deadline_test.go:92: writeLoop did not exit within deadline window
FAIL	github.com/TeoSlayer/pilotprotocol/pkg/daemon	61.520s

@matthew-pilot — fix or comment.

Auto-classified at 2026-05-29T21:27:00Z. Re-runs on next push or check completion.