From 3ce9f8542a33d07d5fdd7251eb21830c571daefe Mon Sep 17 00:00:00 2001
From: lifubang
Date: Wed, 9 Oct 2024 10:12:46 +0800
Subject: [PATCH] capability: we should only raise ambient cap for our own process

Signed-off-by: lifubang
---
 capability/capability_linux.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/capability/capability_linux.go b/capability/capability_linux.go
index 7fc5c9d..fa0c456 100644
--- a/capability/capability_linux.go
+++ b/capability/capability_linux.go
@@ -367,6 +367,9 @@ func (c *capsV3) Apply(kind CapType) error {
 }
 
 if kind&AMBS == AMBS {
+ if c.hdr.pid != 0 {
+ return errors.New("not support to raise ambient cap for other process")
+ }
 // Ignore EINVAL as not supported on kernels before 4.3
 err = ignoreEINVAL(ambientClearAll())
 if err != nil {
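Review bot: The new pid guard is evaluated only once execution reaches the AMBS branch, so a combined call such as Apply(CAPS|AMBS) on a capsV3 with a non-zero pid may already have modified the target's other sets before this error comes back; the earlier branches of Apply lie outside the hunk, so this is inferred rather than visible. Rejecting the request as the first statement of Apply would keep the call all-or-nothing, e.g. `if kind&AMBS == AMBS && c.hdr.pid != 0 { return errAmbientOtherProcess }` with a package-level `errAmbientOtherProcess` (constructed name) that callers can match with errors.Is. If the bounding-set branch above also works through a per-thread prctl rather than capset, it would act on the caller instead of the target pid in the same way and should get the same guard. The message would also read more clearly as `"ambient capabilities can only be raised for the current process"`.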