security: Validate and disallow tasks that have the name "alloc"

.changelog/27001.txt

@@ -0,0 +1,3 @@
+```release-note:security
+job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation
+```

nomad/structs/structs.go

@@ -8113,6 +8113,12 @@ func (t *Task) Validate(jobType string, tg *TaskGroup) error {
 	if t.Name == "" {
 		mErr.Errors = append(mErr.Errors, errors.New("Missing task name"))
 	}
+
+	// Tasks cannot be named "alloc" as this conflicts with and breaks task
+	// filesystem isolation features.
+	if t.Name == "alloc" {
+		mErr.Errors = append(mErr.Errors, errors.New("Task cannot be named \"alloc\""))
+	}
 	if strings.ContainsAny(t.Name, `/\`) {
 		// We enforce this so that when creating the directory on disk it will
 		// not have any slashes.

nomad/structs/structs_test.go

@@ -2237,6 +2237,10 @@ func TestTask_Validate(t *testing.T) {
 		"task level: distinct_hosts",
 		"task level: distinct_property",
 	)
+
+	// Ensure the task name "alloc" is invalid.
+	invalidAllocName := &Task{Name: "alloc"}
+	must.ErrorContains(t, invalidAllocName.Validate(JobTypeBatch, tg), "Task cannot be named")
 }
 
 func TestTask_Validate_Resources(t *testing.T) {