From 69b9cd8e2bfba5bd38e5fba2899343d2038f561a Mon Sep 17 00:00:00 2001
From: lfbzhm <lifubang@acmcoder.com>
Date: Fri, 27 Sep 2024 14:07:44 +0000
Subject: [PATCH] add a test for ambient not in permitted

Signed-off-by: lfbzhm <lifubang@acmcoder.com>
---
 tests/integration/capabilities.bats | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tests/integration/capabilities.bats b/tests/integration/capabilities.bats
index 5d1178b7c1a..5f05f0fe79d 100644
--- a/tests/integration/capabilities.bats
+++ b/tests/integration/capabilities.bats
@@ -116,3 +116,23 @@ function teardown() {
 	[[ "${output}" == *"CapBnd:	0000000400000021"* ]]
 	[[ "${output}" == *"CapAmb:	0000000400000001"* ]]
 }
+
+@test "runc run with ambient not in permitted" {
+	update_config '.process.capabilities.inheritable = ["CAP_CHOWN", "CAP_SYSLOG"]
+			| .process.capabilities.permitted = ["CAP_KILL"]
+			| .process.capabilities.effective = ["CAP_KILL"]
+			| .process.capabilities.bounding = ["CAP_KILL", "CAP_CHOWN", "CAP_SYSLOG"]
+			| .process.capabilities.ambient = ["CAP_CHOWN"]'
+	runc run test_some_caps
+	[ "$status" -eq 0 ]
+	# Check that ambient cap set is null.
+	#
+	# CAP_CHOWN is 0, the bit mask is 0x1 (1 << 0)
+	# CAP_KILL is 5, the bit mask is 0x20 (1 << 5).
+	# CAP_SYSLOG is 34, the bit mask is 0x400000000 (1 << 34).
+	[[ "${output}" == *"CapInh:	0000000400000001"* ]]
+	[[ "${output}" == *"CapPrm:	0000000000000020"* ]]
+	[[ "${output}" == *"CapEff:	0000000000000020"* ]]
+	[[ "${output}" == *"CapBnd:	0000000400000021"* ]]
+	[[ "${output}" == *"CapAmb:	0000000000000000"* ]]
+}