add test process_capabilities_fail

tests/contest/contest/src/main.rs

@@ -22,6 +22,7 @@ use crate::tests::mounts_recursive::get_mounts_recursive_test;
 use crate::tests::no_pivot::get_no_pivot_test;
 use crate::tests::pidfile::get_pidfile_test;
 use crate::tests::process::get_process_test;
+use crate::tests::process_capabilities_fail::get_process_capabilities_fail_test;
 use crate::tests::process_oom_score_adj::get_process_oom_score_adj_test;
 use crate::tests::process_rlimits::get_process_rlimits_test;
 use crate::tests::process_user::get_process_user_test;
@@ -125,6 +126,7 @@ fn main() -> Result<()> {
     let process_rlimtis = get_process_rlimits_test();
     let no_pivot = get_no_pivot_test();
     let process_oom_score_adj = get_process_oom_score_adj_test();
+    let process_capabilities_fail = get_process_capabilities_fail_test();
 
     tm.add_test_group(Box::new(cl));
     tm.add_test_group(Box::new(cc));
@@ -154,6 +156,7 @@ fn main() -> Result<()> {
     tm.add_test_group(Box::new(process_rlimtis));
     tm.add_test_group(Box::new(no_pivot));
     tm.add_test_group(Box::new(process_oom_score_adj));
+    tm.add_test_group(Box::new(process_capabilities_fail));
 
     tm.add_test_group(Box::new(io_priority_test));
     tm.add_cleanup(Box::new(cgroups::cleanup_v1));

tests/contest/contest/src/tests/mod.rs

@@ -12,6 +12,7 @@ pub mod mounts_recursive;
 pub mod no_pivot;
 pub mod pidfile;
 pub mod process;
+pub mod process_capabilities_fail;
 pub mod process_oom_score_adj;
 pub mod process_rlimits;
 pub mod process_user;

tests/contest/contest/src/tests/process_capabilities_fail/mod.rs

@@ -0,0 +1,2 @@
+mod process_capabilities_fail_test;
+pub use process_capabilities_fail_test::get_process_capabilities_fail_test;

tests/contest/contest/src/tests/process_capabilities_fail/process_capabilities_fail_test.rs

@@ -0,0 +1,56 @@
+use anyhow::{anyhow, Context, Ok, Result};
+use oci_spec::runtime::{Capability, LinuxCapabilitiesBuilder, ProcessBuilder, Spec, SpecBuilder};
+use std::collections::HashSet;
+use std::str::FromStr;
+use test_framework::{test_result, Test, TestGroup, TestResult};
+
+use crate::utils::test_inside_container;
+use crate::utils::test_utils::CreateOptions;
+
+fn create_spec() -> Result<Spec> {
+    let cap_test = Capability::from_str("CAP_TEST").context("invalid capability: CAP_TEST")?;
+
+    let linux_capability = LinuxCapabilitiesBuilder::default()
+        .bounding(HashSet::from([cap_test]))
+        // .bounding(HashSet::from([Capability::from_str("CAP_TEST")]))
+        .build()?;
+
+    let process = ProcessBuilder::default()
+        .args(vec![
+            "runtimetest".to_string(),
+            "process_capabilities_fail".to_string(),
+        ])
+        .capabilities(linux_capability)
+        .build()
+        .expect("error in creating process config");
+
+    let spec = SpecBuilder::default()
+        .process(process)
+        .build()
+        .context("failed to build spec")?;
+
+    Ok(spec)
+}
+
+fn process_capabilities_fail_test() -> TestResult {
+    let spec = test_result!(create_spec());
+
+    let result = test_inside_container(spec, &CreateOptions::default(), &|_| Ok(()));
+
+    match result {
+        TestResult::Failed(_) => TestResult::Passed,
+        TestResult::Passed => TestResult::Failed(anyhow!("test unexpectedly passed.")),
+        _ => TestResult::Failed(anyhow!("test result was unexpected.")),
+    }
+}
+
+pub fn get_process_capabilities_fail_test() -> TestGroup {
+    let mut process_capabilities_fail_test_group = TestGroup::new("process_capabilities_fail");
+    let test = Test::new(
+        "process_capabilities_fail_test",
+        Box::new(process_capabilities_fail_test),
+    );
+    process_capabilities_fail_test_group.add(vec![Box::new(test)]);
+
+    process_capabilities_fail_test_group
+}