From ee5eec582a3946620144482166e9e80a92a29e88 Mon Sep 17 00:00:00 2001
From: Massimiliano Giovagnoli
Date: Fri, 20 Dec 2024 21:00:56 +0100
Subject: [PATCH] test(capabilities): add e2e tests and example pipeline
Signed-off-by: Massimiliano Giovagnoli
---
e2e-tests/capabilities-add-drop-build.yaml | 31 +++++++++++++++++
.../capabilities-add-drop-nopkg-test.yaml | 33 +++++++++++++++++++
examples/capabilities-add-drop.yaml | 27 +++++++++++++++
3 files changed, 91 insertions(+)
create mode 100644 e2e-tests/capabilities-add-drop-build.yaml
create mode 100644 e2e-tests/capabilities-add-drop-nopkg-test.yaml
create mode 100644 examples/capabilities-add-drop.yaml
diff --git a/e2e-tests/capabilities-add-drop-build.yaml b/e2e-tests/capabilities-add-drop-build.yaml
new file mode 100644
index 000000000..fa8f74b1e
--- /dev/null
+++ b/e2e-tests/capabilities-add-drop-build.yaml
@@ -0,0 +1,31 @@
+package:
+ name: busybox
+ description: Capabilities add-drop feature test
+ version: 0.1.0
+ epoch: 0
+
+capabilities:
+ add:
+ - CAP_NET_ADMIN
+ drop:
+ - CAP_SYS_ADMIN
+ - CAP_SYS_CHROOT
+
+environment:
+ contents:
+ packages:
+ - busybox
+ - cmd:capsh
+
+pipeline:
+ - name: Test default effective capability
+ runs: |
+ capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -i cap_dac_override
+
+ - name: Test added non-default effective capability
+ runs: |
+ capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -i cap_net_admin
+
+ - name: Test dropped default effective capability
+ runs: |
+ capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -vi cap_sys_chroot
diff --git a/e2e-tests/capabilities-add-drop-nopkg-test.yaml b/e2e-tests/capabilities-add-drop-nopkg-test.yaml
new file mode 100644
index 000000000..9d9b62f40
--- /dev/null
+++ b/e2e-tests/capabilities-add-drop-nopkg-test.yaml
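Review bot: The third step, `grep -vi cap_sys_chroot`, is a weak negative assertion: `grep -v` exits 0 as soon as any output line lacks the pattern, so it only proves absence because `capsh --decode` happens to print a single line, and the other dropped capability, CAP_SYS_ADMIN, is never asserted absent at all. A form that holds regardless of line count and covers both drops is `! capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -qiE 'cap_sys_(admin|chroot)'`. The first step assumes CAP_DAC_OVERRIDE is in the runner's default effective set; since that default is not declared in this file, a comment such as `# relies on the runner's default capability set including CAP_DAC_OVERRIDE` would make clear that a failure there is a runner-default change, not an add/drop regression. The `capsh --decode=$(...)` expression is repeated in all three steps and could be computed once per step into a variable to keep the assertions readable.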
@@ -0,0 +1,33 @@
+package:
+ name: busybox
+ description: Capabilities add-drop feature test
+ version: 0.1.0
+ epoch: 0
+
+capabilities:
+ add:
+ - CAP_NET_ADMIN
+ drop:
+ - CAP_SYS_ADMIN
+ - CAP_SYS_CHROOT
+
+pipeline:
+
+test:
+ environment:
+ contents:
+ packages:
+ - busybox
+ - cmd:capsh
+ pipeline:
+ - name: Test default effective capability
+ runs: |
+ capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -i cap_dac_override
+
+ - name: Test added non-default effective capability
+ runs: |
+ capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -i cap_net_admin
+
+ - name: Test dropped default effective capability
+ runs: |
+ capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -vi cap_sys_chroot
diff --git a/examples/capabilities-add-drop.yaml b/examples/capabilities-add-drop.yaml
new file mode 100644
index 000000000..d917bb6db
--- /dev/null
+++ b/examples/capabilities-add-drop.yaml
@@ -0,0 +1,27 @@
+package:
+ name: busybox
+ version: 0.1.0
+ epoch: 0
+
+capabilities:
+ add:
+ - CAP_NET_ADMIN
+ drop:
+ - CAP_SYS_ADMIN
+
+pipeline:
+ # Here your build pipeline.
+ # Capabilities are added/dropped to both build and test pipelines.
+
+test:
+ environment:
+ contents:
+ packages:
+ - busybox
+ - iproute2
+ pipeline:
+ # Note: you can't do it with bubblewrap runner,
+ # as it shares the host network namespace.
+ - name: Simulate a test attempting to create network interfaces
+ runs: |
+ ip link add dev myinterface type dummy
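Review bot: `pipeline:` is left as an empty key, which YAML parses as null rather than an empty sequence; if this variant is meant to be a test-only file with no build steps, `pipeline: []` states that explicitly instead of depending on how the loader treats a null list. The three `test.pipeline` steps are copied from the build variant and share its weakness: `grep -vi cap_sys_chroot` passes whenever at least one output line lacks the pattern, and CAP_SYS_ADMIN, although dropped, is never asserted absent; `! capsh --decode=$(grep CapEff /proc/self/status | cut -d ':' -f2 | xargs) | grep -qiE 'cap_sys_(admin|chroot)'` covers both. The `description` is identical to the build variant's, so it could say that this file exercises the test pipeline rather than the build pipeline, which is its only difference from `capabilities-add-drop-build.yaml`.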
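Review bot: The test step creates `myinterface` and never removes it; with CAP_NET_ADMIN granted and a runner that shares the host network namespace (as the in-file note says bubblewrap does), that leaves a dummy interface on the host after each run, and in any namespace a second run would fail because the name already exists. Adding `ip link del dev myinterface` after the `ip link add` keeps the example side-effect free and exercises the capability a second time. The step also depends on the `dummy` link type being available on the kernel running the test, which the capability alone does not provide, so a comment such as `# requires the dummy module on the kernel running the test` would save users a confusing failure. The top-level `pipeline:` holds only comments and parses as null; `pipeline: []` would make the "no build steps" intent explicit.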