add test for apply bounding or ambient caps for other process

Signed-off-by: lifubang <lifubang@acmcoder.com>

capability/capability_test.go

@@ -2,13 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package capability_test
+package capability
 
 import (
+	"errors"
+	"os/exec"
 	"runtime"
 	"testing"
-
-	. "github.com/moby/sys/capability"
 )
 
 // Based on the fact Go 1.18+ supports Linux >= 2.6.32, and
@@ -151,3 +151,51 @@ func TestAmbientCapSet(t *testing.T) {
 		}
 	}
 }
+
+func TestApplyCapsForOtherProcess(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		return
+	}
+	requirePCapSet(t)
+
+	pid0, err := NewPid(0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	list := []Cap{CAP_KILL, CAP_CHOWN, CAP_SYS_CHROOT}
+	pid0.Set(CAPS|AMBIENT, list...)
+	if err = pid0.Apply(BOUNDING | CAPS | AMBIENT); err != nil {
+		t.Fatal(err)
+	}
+
+	cmd := exec.Command("sleep", "sleep", "infinity")
+	if err = cmd.Start(); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		_ = cmd.Process.Kill()
+		_, _ = cmd.Process.Wait()
+	}()
+
+	pid, err := NewPid(cmd.Process.Pid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err = pid.Load(); err != nil {
+		t.Fatal(err)
+	}
+	err = pid.Apply(BOUNDING)
+	if !errors.Is(err, errBoundingNotMine) {
+		t.Fatalf("expected not support error when drop bounding caps for other process, but got: %v", err)
+	}
+	err = pid.Apply(CAPS)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = pid.Apply(AMBIENT)
+	if !errors.Is(err, errAmbientNotMine) {
+		t.Fatalf("expected not support error when rasing ambient caps for other process, but got: %v", err)
+	}
+}