cmd/snap-discard-ns: asssert process capabilities

[bboozzoo]

Assert process capabilities, to ensure correctness when invoked from snap-confine.

Cherry picked from #15094. This is a preparatory step for having snap-discard-ns be invoked by a user with privileges carried by capabilities.

Related: SNAPDENG-34419

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.07%. Comparing base (a272aac) to head (15d2157).
Report is 76 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff            @@
##           master   #15144    +/-   ##
========================================
  Coverage   78.07%   78.07%            
========================================
  Files        1182     1184     +2     
  Lines      157743   158224   +481     
========================================
+ Hits       123154   123538   +384     
- Misses      26943    27005    +62     
- Partials     7646     7681    +35     

Flag	Coverage Δ
unittests	78.07% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Fri Feb 28 09:55:13 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13583880631

Failures:

Preparing:

• google-core:ubuntu-core-24-64:tests/main/snap-user-dir-perms-fixed:test
• google-core:ubuntu-core-24-64:tests/main/snap-user-dir-perms-fixed:root
• google-core:ubuntu-core-24-64:tests/main/interfaces-desktop-host-fonts-core
• google-core:ubuntu-core-24-64:tests/regression/lp-1797556

Executing:

• google-core:ubuntu-core-24-64:tests/main/interfaces-many-core-provided
• google-core:ubuntu-core-24-64:tests/main/interfaces-shared-memory-private
• google-core:ubuntu-core-24-64:tests/main/interfaces-personal-files
• google-core:ubuntu-core-24-64:tests/core/remove-user
• google-core:ubuntu-core-24-64:tests/main/parallel-install-store
• google-core:ubuntu-core-24-64:tests/main/refresh-app-awareness:strict
• google-core:ubuntu-core-24-64:tests/main/snap-debug-stacktrace
• google-core:ubuntu-core-24-64:tests/main/snap-session-agent-service-control
• google-core:ubuntu-core-24-64:tests/main/snap-confine-tmp-mount
• google-core:ubuntu-core-24-64:tests/main/snap-download
• google-core:ubuntu-core-24-64:tests/main/snap-user-service
• google-core:ubuntu-core-24-64:tests/main/snap-user-service-start-on-install
• google-core:ubuntu-core-24-64:tests/main/cgroup-tracking:root
• google-core:ubuntu-core-24-64:tests/main/snap-routine-portal-info
• google-core:ubuntu-core-24-64:tests/main/snapshot-users
• google-core:ubuntu-core-24-64:tests/main/interfaces-browser-support:disallow
• google-core:ubuntu-core-24-64:tests/main/snap-user-service-socket-activation
• google-core:ubuntu-core-24-64:tests/main/system-usernames:snap_daemon
• google-core:ubuntu-core-24-64:tests/main/snap-session-agent-unavailable-to-snaps
• google-core:ubuntu-core-24-64:tests/main/interfaces-mount-observe
• google-core:ubuntu-core-24-64:tests/main/interfaces-browser-support:allow
• google-core:ubuntu-core-24-64:tests/main/regression-home-snap-root-owned
• google-core:ubuntu-core-24-64:tests/main/sudo-env
• google-core:ubuntu-core-24-64:tests/main/snapshot-cross-revno
• google-core:ubuntu-core-24-64:tests/main/snap-user-service-restart-on-upgrade
• google-core:ubuntu-core-24-64:tests/core/xdg-open-on-core
• google-core:ubuntu-core-24-64:tests/main/snap-session-agent-socket-activation
• google-core:ubuntu-core-24-64:tests/main/system-usernames:daemon
• google-core:ubuntu-core-24-64:tests/main/dbus-activation-session
• google-core:ubuntu-core-24-64:tests/main/snap-user-service-upgrade-failure
• google-core:ubuntu-core-24-64:tests/core/create-user-2
• google-core:ubuntu-core-24-64:tests/main/snap-remove-terminate:fork_bomb
• google-core:ubuntu-core-24-64:tests/main/parallel-install-basic
• google-core:ubuntu-core-24-64:tests/main/parallel-install-local
• google-core:ubuntu-core-24-64:tests/main/snap-confine-undesired-mode-group
• google-core:ubuntu-core-24-64:tests/main/interfaces-system-observe
• google-core:ubuntu-core-24-64:tests/smoke/sandbox
• google-core:ubuntu-core-24-64:tests/smoke/install
• google-core:ubuntu-core-24-64:tests/regression/lp-1813365
• google-core:ubuntu-core-24-64:tests/regression/lp-2065077
• google:ubuntu-20.04-64:tests/unit/go:gcc
• google:ubuntu-24.10-64:tests/main/cloud-init

Restoring:

• google-core:ubuntu-core-24-64:tests/main/snap-routine-portal-info
• google-core:ubuntu-core-24-64:tests/main/snap-user-dir-perms-fixed:test
• google-core:ubuntu-core-24-64:tests/main/snap-user-dir-perms-fixed:root
• google-core:ubuntu-core-24-64:tests/regression/lp-1797556

[zyga]

LGTM with a typo fix inline.

[zyga]

Suggested change

	/* TODO: drop superfluous capabiltiies and keep only the ones that are
	/* TODO: drop superfluous capabilities and keep only the ones that are

[alexmurray]

Due to a typo assert_caps() repeatedly queries for only CAP_SYS_ADMIN rather than each cap in expected_caps.

[alexmurray]

This looks like a typo - I am guessing CAP_SYS_ADMIN be cap so we query each capability rather than repeatedly querying for CAP_SYS_ADMIN.

[bboozzoo]

Thanks for catching. I've pushed a fixup.

[alexmurray]

LGTM!