fix: set restrictive permissions (0600) on gRPC Unix socket

The Unix socket created at /var/run/tracee.sock was using default
umask permissions, potentially allowing unauthorized local users to
connect. Now explicitly sets 0600 permissions after socket creation
to restrict access to owner only.

Author: yanivagman

pkg/server/grpc/server.go

@@ -3,6 +3,7 @@ package grpc
 import (
 	"context"
 	"net"
+	"os"
 	"time"
 
 	"google.golang.org/grpc"
@@ -38,6 +39,16 @@ func (s *Server) Start(ctx context.Context, t *tracee.Tracee, e *engine.Engine)
 	}
 	s.listener = lis
 
+	// Set restrictive permissions on Unix socket
+	if s.protocol == "unix" {
+		err = os.Chmod(s.listenAddr, 0600)
+		if err != nil {
+			logger.Errorw("Failed to set permissions on Unix socket. This may leave the socket with insecure permissions and allow unauthorized access.", "path", s.listenAddr, "error", err)
+			lis.Close()
+			return
+		}
+	}
+
 	srvCtx, srvCancel := context.WithCancel(ctx)
 	defer srvCancel()