diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
index 666b8e9539..e1ec097c7a 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect_test.cc
+++ b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -90,6 +90,28 @@ TEST(SnapsafeGenerationTest, DISABLED_SysGenIDretrievalTesting) {
 EXPECT_EQ(new_sysgenid_value_hint, current_snapsafe_gen_num);
 }
 }
+
+// This test verifies that AWS-LC properly handles the case where /dev/sysgenid
+// exists but cannot be opened due to permission restrictions.
+TEST(SnapsafePermissionTest, DISABLED_PermissionDeniedTest) {
+ // Verify the file was created and initially accessible
+ const char* sysgenid_path = CRYPTO_get_sysgenid_path();
+ struct stat file_stat;
+ ASSERT_EQ(0, stat(sysgenid_path, &file_stat));
+
+ // Make file unreadable by anyone
+ ASSERT_EQ(0, chmod(sysgenid_path, 0000));
+
+ // There is support, but it's not active due to read failure
+ EXPECT_EQ(1, CRYPTO_get_snapsafe_supported());
+ EXPECT_EQ(0, CRYPTO_get_snapsafe_active());
+
+ // Should return 0 (failure) and set generation number to 0
+ uint32_t gen_num = 0xFFFFFFFF;
+ EXPECT_EQ(0, CRYPTO_get_snapsafe_generation(&gen_num));
+ EXPECT_EQ(0U, gen_num);
+}
+
 #elif defined(OPENSSL_LINUX)
 TEST(SnapsafeGenerationTest, SysGenIDretrievalLinux) {
 uint32_t current_snapsafe_gen_num = 0xffffffff;
diff --git a/util/all_tests.json b/util/all_tests.json
index 246b5af026..f4a1398c0f 100644
--- a/util/all_tests.json
+++ b/util/all_tests.json
@@ -51,6 +51,12 @@
 "skip_valgrind": true,
 "target_arch": "x86"
 },
+ {
+ "comment": "Run snapsafe permissions test suite",
+ "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafePermissionTest.*"],
+ "skip_valgrind": true,
+ "shard": false
+ },
 {
 "comment": "Run snapsafe detection test suite",
 "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafeGenerationTest.*"],
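Review bot: The `chmod(sysgenid_path, 0000)` in `DISABLED_PermissionDeniedTest` is never undone, and mode bits alone do not deny access to a process running as root, so the test can leave the file unreadable for later runs and can fail spuriously in a root CI container. Save the mode from the earlier `stat` and restore it before returning, e.g. `ASSERT_EQ(0, chmod(sysgenid_path, file_stat.st_mode & 07777));`, and guard the body with `if (geteuid() == 0) { GTEST_SKIP() << "mode 0000 does not block root"; }` if the vendored googletest provides `GTEST_SKIP`. The same concern reaches the `util/all_tests.json` hunk: the new entry is listed ahead of the `SnapsafeGenerationTest.*` entry, which presumably needs to read the same file. The comment `// Verify the file was created and initially accessible` also overstates the check, since `stat` only shows that the path exists.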