Also restrict SUID/GSID writes in sandbox

Library/Homebrew/sandbox.rb

@@ -290,6 +290,7 @@ class Sandbox
           (regex #"^/dev/tty[a-z0-9]*$")
           )
       (deny file-write*) ; deny non-allowlist file write operations
+      (deny file-write-setugid) ; deny non-allowlist file write SUID/SGID operations
       (deny file-write-mode) ; deny non-allowlist file write mode operations
       (allow process-exec
           (literal "/bin/ps")

Library/Homebrew/test/sandbox_spec.rb

@@ -60,14 +60,28 @@ RSpec.describe Sandbox, :needs_macos do
 
   describe "#disallow chmod on some directory" do
     it "formula does a chmod to opt" do
-      expect { sandbox.exec "chmod", "ug-w", HOMEBREW_PREFIX}.to raise_error(ErrorDuringExecution)
+      expect { sandbox.exec "chmod", "ug-w", HOMEBREW_PREFIX }.to raise_error(ErrorDuringExecution)
     end
 
     it "allows chmod on a path allowed to write" do
       mktmpdir do |path|
         FileUtils.touch path/"foo"
         sandbox.allow_write_path(path)
-        expect { sandbox.exec "chmod", "ug-w", path/"foo"}.not_to raise_error(ErrorDuringExecution)
+        expect { sandbox.exec "chmod", "ug-w", path/"foo" }.not_to raise_error(ErrorDuringExecution)
+      end
+    end
+  end
+
+  describe "#disallow chmod SUID or SGID on some directory" do
+    it "formula does a chmod 4000 to opt" do
+      expect { sandbox.exec "chmod", "4000", HOMEBREW_PREFIX }.to raise_error(ErrorDuringExecution)
+    end
+
+    it "allows chmod 4000 on a path allowed to write" do
+      mktmpdir do |path|
+        FileUtils.touch path/"foo"
+        sandbox.allow_write_path(path)
+        expect { sandbox.exec "chmod", "4000", path/"foo" }.not_to raise_error(ErrorDuringExecution)
       end
     end
   end