Re: [meta-virtualization][scarthgap][PATCH 2/2] docker-moby: Fix CVE-2026-34040

[Bruce Ashfield <bruce.ashfield@gmail.com>]

merged.

Bruce

In message: [meta-virtualization][scarthgap][PATCH 2/2] docker-moby: Fix CVE-2026-34040
on 13/05/2026 Deepak Rathore via lists.yoctoproject.org wrote:

> From: Deepak Rathore <deeratho@cisco.com>
> 
> The upstream fix [3] & [4] referenced in the Debian security
> advisory [5] is present in the v25.0 branch, which aligns with the
> scarthgap branch so pick the corresponding commit [1] & [2] to apply
> the CVE fix.
> 
> [1] https://github.com/moby/moby/commit/553e8214614ee0d65ee309f148a8e865634cc291
> [2] https://github.com/moby/moby/commit/4d0135c2d25b89ecc62a15277f20177150195695
> [3] https://github.com/moby/moby/commit/6d311e0d8d4174a6347942db78c553fb7dc3762e
> [4] https://github.com/moby/moby/commit/db7dadaca041953430d1e2144088c311b78b96d7
> [5] https://security-tracker.debian.org/tracker/CVE-2026-34040
> 
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> 
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index 26dce276..eb493a43 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -57,6 +57,8 @@ SRC_URI = "\
>          file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
>          file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
>  		file://CVE-2026-33997.patch;patchdir=src/import \
> +		file://CVE-2026-34040_p1.patch;patchdir=src/import \
> +		file://CVE-2026-34040_p2.patch;patchdir=src/import \
>  	"
>  
>  DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2026-34040_p1.patch b/recipes-containers/docker/files/CVE-2026-34040_p1.patch
> new file mode 100644
> index 00000000..9fb96ab0
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2026-34040_p1.patch
> @@ -0,0 +1,215 @@
> +From b2ff8a60155731641418d1a8b9efaf9e044e1971 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
> +Date: Mon, 16 Feb 2026 14:15:24 +0100
> +Subject: [PATCH 1/2] pkg/authz: Reject requests exceeding body size limit
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Previously, the authorization system would silently skip body inspection when
> +request bodies exceeded the maximum size limit (1MiB).
> +
> +The authorization plugins would receive an empty body for inspection
> +while the actual large payload would still be processed by the Docker
> +daemon, allowing malicious requests to circumvent plugin-based security
> +controls.
> +
> +CVE: CVE-2026-34040
> +Upstream-Status: Backport [https://github.com/moby/moby/commit/553e8214614ee0d65ee309f148a8e865634cc291]
> +
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 7a767b27fd1238c89a5cc926c39e27d3bcf58e35)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 553e8214614ee0d65ee309f148a8e865634cc291)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + pkg/authorization/authz.go           | 56 ++++++-----------
> + pkg/authorization/authz_unix_test.go | 93 +++++++++++++++++++---------
> + 2 files changed, 83 insertions(+), 66 deletions(-)
> +
> +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
> +index d568a2b597..3bc30f61cf 100644
> +--- a/pkg/authorization/authz.go
> ++++ b/pkg/authorization/authz.go
> +@@ -55,28 +55,31 @@ type Ctx struct {
> + 	authReq *Request
> + }
> + 
> +-func isChunked(r *http.Request) bool {
> +-	// RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
> +-	if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
> +-		return true
> +-	}
> +-	for _, v := range r.TransferEncoding {
> +-		if strings.EqualFold(v, "chunked") {
> +-			return true
> +-		}
> +-	}
> +-	return false
> +-}
> +-
> + // AuthZRequest authorized the request to the docker daemon using authZ plugins
> + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
> + 	var body []byte
> +-	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
> +-		var err error
> +-		body, r.Body, err = drainBody(r.Body)
> +-		if err != nil {
> ++	if sendBody(ctx.requestURI, r.Header) {
> ++		// Wrap the original request body in a buffered reader so we can inspect
> ++		// the prefix without consuming bytes from the downstream reader.
> ++		// `Peek(maxBodySize + 1)` is used as a size check:
> ++		//   - err == nil means at least maxBodySize+1 bytes are buffered/available,
> ++		//     so the payload exceeds the plugin limit and is rejected.
> ++		//   - otherwise, `peeked` contains the complete body bytes currently available
> ++		//     (for short bodies this is the full payload), and reads from r.Body still
> ++		//     stream the original body unchanged.
> ++		bufBody := bufio.NewReaderSize(r.Body, maxBodySize+1)
> ++		r.Body = ioutils.NewReadCloserWrapper(bufBody, r.Body.Close)
> ++
> ++		peeked, err := bufBody.Peek(maxBodySize + 1)
> ++		if err == nil {
> ++			// Successfully peeked maxBodySize+1 bytes, so body is too large
> ++			// TODO: Allows plugin to opt in
> ++			return fmt.Errorf("request body too large for authorization plugin: size exceeds %d bytes", maxBodySize)
> ++		} else if err != io.EOF {
> + 			return err
> + 		}
> ++
> ++		body = peeked
> + 	}
> + 
> + 	var h bytes.Buffer
> +@@ -142,25 +145,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
> + 	return nil
> + }
> + 
> +-// drainBody dump the body (if its length is less than 1MB) without modifying the request state
> +-func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
> +-	bufReader := bufio.NewReaderSize(body, maxBodySize)
> +-	newBody := ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
> +-
> +-	data, err := bufReader.Peek(maxBodySize)
> +-	// Body size exceeds max body size
> +-	if err == nil {
> +-		log.G(context.TODO()).Warnf("Request body is larger than: '%d' skipping body", maxBodySize)
> +-		return nil, newBody, nil
> +-	}
> +-	// Body size is less than maximum size
> +-	if err == io.EOF {
> +-		return data, newBody, nil
> +-	}
> +-	// Unknown error
> +-	return nil, newBody, err
> +-}
> +-
> + func isAuthEndpoint(urlPath string) (bool, error) {
> + 	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
> + 	matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
> +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
> +index 66b4d20452..c726e5f79a 100644
> +--- a/pkg/authorization/authz_unix_test.go
> ++++ b/pkg/authorization/authz_unix_test.go
> +@@ -139,36 +139,69 @@ func TestResponseModifier(t *testing.T) {
> + 	}
> + }
> + 
> +-func TestDrainBody(t *testing.T) {
> +-	tests := []struct {
> +-		length             int // length is the message length send to drainBody
> +-		expectedBodyLength int // expectedBodyLength is the expected body length after drainBody is called
> +-	}{
> +-		{10, 10},                           // Small message size
> +-		{maxBodySize - 1, maxBodySize - 1}, // Max message size
> +-		{maxBodySize * 2, 0},               // Large message size (skip copying body)
> +-
> +-	}
> +-
> +-	for _, test := range tests {
> +-		msg := strings.Repeat("a", test.length)
> +-		body, closer, err := drainBody(io.NopCloser(bytes.NewReader([]byte(msg))))
> +-		if err != nil {
> +-			t.Fatal(err)
> +-		}
> +-		if len(body) != test.expectedBodyLength {
> +-			t.Fatalf("Body must be copied, actual length: '%d'", len(body))
> +-		}
> +-		if closer == nil {
> +-			t.Fatal("Closer must not be nil")
> +-		}
> +-		modified, err := io.ReadAll(closer)
> +-		if err != nil {
> +-			t.Fatalf("Error must not be nil: '%v'", err)
> +-		}
> +-		if len(modified) != len(msg) {
> +-			t.Fatalf("Result should not be truncated. Original length: '%d', new length: '%d'", len(msg), len(modified))
> +-		}
> ++type recordingPlugin struct {
> ++	recordedRequest Request
> ++}
> ++
> ++func (p *recordingPlugin) Name() string { return "recording-plugin" }
> ++
> ++func (p *recordingPlugin) AuthZRequest(authReq *Request) (*Response, error) {
> ++	p.recordedRequest = *authReq
> ++	p.recordedRequest.RequestBody = bytes.Clone(authReq.RequestBody)
> ++	return &Response{Allow: true}, nil
> ++}
> ++
> ++func (p *recordingPlugin) AuthZResponse(_ *Request) (*Response, error) {
> ++	return &Response{Allow: true}, nil
> ++}
> ++
> ++func TestAuthZRequestBodyWithinLimit(t *testing.T) {
> ++	payload := strings.Repeat("a", maxBodySize)
> ++	plugin := &recordingPlugin{}
> ++	ctx := NewCtx([]Plugin{plugin}, "user", "tls", http.MethodPost, "/containers/create")
> ++
> ++	req := httptest.NewRequest(http.MethodPost, "http://example.com/containers/create", strings.NewReader(payload))
> ++	req.Header.Set("Content-Type", "application/json")
> ++
> ++	if err := ctx.AuthZRequest(httptest.NewRecorder(), req); err != nil {
> ++		t.Fatalf("AuthZRequest failed: %v", err)
> ++	}
> ++
> ++	if string(plugin.recordedRequest.RequestBody) != payload {
> ++		t.Fatalf("expected full request body to be sent to plugin, got length %d, expected %d", len(plugin.recordedRequest.RequestBody), len(payload))
> ++	}
> ++
> ++	remaining, err := io.ReadAll(req.Body)
> ++	if err != nil {
> ++		t.Fatalf("failed to read request body after authz: %v", err)
> ++	}
> ++	if string(remaining) != payload {
> ++		t.Fatalf("request body should be preserved for downstream readers")
> ++	}
> ++}
> ++
> ++func TestAuthZRequestBodyOverLimit(t *testing.T) {
> ++	payload := strings.Repeat("a", maxBodySize+1)
> ++	plugin := &recordingPlugin{}
> ++	ctx := NewCtx([]Plugin{plugin}, "user", "tls", http.MethodPost, "/containers/create")
> ++
> ++	req := httptest.NewRequest(http.MethodPost, "http://example.com/containers/create", strings.NewReader(payload))
> ++	req.Header.Set("Content-Type", "application/json")
> ++
> ++	err := ctx.AuthZRequest(httptest.NewRecorder(), req)
> ++	if err == nil {
> ++		t.Fatal("expected AuthZRequest to reject body over max size")
> ++	}
> ++	if !strings.Contains(err.Error(), "request body too large for authorization plugin") {
> ++		t.Fatalf("unexpected error: %v", err)
> ++	}
> ++
> ++	remaining, readErr := io.ReadAll(req.Body)
> ++	if readErr != nil {
> ++		t.Fatalf("failed to read request body after authz error: %v", readErr)
> ++	}
> ++	if string(remaining) != payload {
> ++		t.Fatalf("request body should still be preserved after over-limit check")
> + 	}
> + }
> + 
> +-- 
> +2.44.4
> +
> diff --git a/recipes-containers/docker/files/CVE-2026-34040_p2.patch b/recipes-containers/docker/files/CVE-2026-34040_p2.patch
> new file mode 100644
> index 00000000..00a264f0
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2026-34040_p2.patch
> @@ -0,0 +1,39 @@
> +From f24fa983ccaa393b64724292a49270ab46b49c06 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
> +Date: Mon, 16 Feb 2026 14:16:06 +0100
> +Subject: [PATCH 2/2] pkg/authz: Increase body limit to 4 MiB
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Some endpoint could potentially use a body request than 1 MiB without
> +malicious intent.
> +
> +CVE: CVE-2026-34040
> +Upstream-Status: Backport [https://github.com/moby/moby/commit/4d0135c2d25b89ecc62a15277f2017715019569]
> +
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit ec76e941838797fc762185c556c152f0a032d387)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 4d0135c2d25b89ecc62a15277f20177150195695)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + pkg/authorization/authz.go | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
> +index 3bc30f61cf..e9221307a7 100644
> +--- a/pkg/authorization/authz.go
> ++++ b/pkg/authorization/authz.go
> +@@ -16,7 +16,7 @@ import (
> + 	"github.com/docker/docker/pkg/ioutils"
> + )
> + 
> +-const maxBodySize = 1048576 // 1MB
> ++const maxBodySize = 4 * 1024 * 1024 // 4MiB
> + 
> + // NewCtx creates new authZ context, it is used to store authorization information related to a specific docker
> + // REST http session
> +-- 
> +2.44.4
> +
> -- 
> 2.35.6
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9795): https://lists.yoctoproject.org/g/meta-virtualization/message/9795
> Mute This Topic: https://lists.yoctoproject.org/mt/119298582/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


In message: [meta-virtualization][scarthgap][PATCH 1/2] docker-moby: Fix CVE-2026-33997
on 13/05/2026 Deepak Rathore via lists.yoctoproject.org wrote:

> From: Deepak Rathore <deeratho@cisco.com>
> 
> Pick the version-specific cherry-pick [1] of the upstream fix [2] mentioned in [3].
> 
> [1] https://github.com/moby/moby/commit/d5986c0430124d82ce87b439638d8ebb16916e40
> [2] https://github.com/moby/moby/commit/99a095ecf04e8849318f2811bb3f687905eab09b
> [3] https://security-tracker.debian.org/tracker/CVE-2026-33997
> 
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> 
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index e66416db..26dce276 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -56,6 +56,7 @@ SRC_URI = "\
>  	file://0001-libnetwork-use-GO-instead-of-go.patch \
>          file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
>          file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
> +		file://CVE-2026-33997.patch;patchdir=src/import \
>  	"
>  
>  DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2026-33997.patch b/recipes-containers/docker/files/CVE-2026-33997.patch
> new file mode 100644
> index 00000000..9da4b3cf
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2026-33997.patch
> @@ -0,0 +1,179 @@
> +From 7e35ad066ee0c89e15fca9e9b95933b79ba315b7 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
> +Date: Thu, 19 Mar 2026 19:18:23 +0100
> +Subject: [PATCH] plugin: Fix off-by-one in privilege validation
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fix an off-by-one error in isEqual() where the comparison loop started
> +at index 1 instead of 0, causing the first privilege (after sorting
> +alphabetically by name) to never be validated.
> +
> +This allowed a malicious plugin to request different values for
> +whichever privilege sorts first — most notably "allow-all-devices",
> +which grants unrestricted rwm access to all host devices.
> +
> +The bug also meant that plugins requesting exactly one privilege had
> +zero iterations of the comparison loop, bypassing validation entirely.
> +
> +Also fix an existing test case ("diff-order-but-same-value") that only
> +passed due to the off-by-one bug, and add test cases for single-element
> +and first-sorted-element mismatches.
> +
> +CVE: CVE-2026-33997
> +Upstream-Status: Backport [https://github.com/moby/moby/commit/d5986c0430124d82ce87b439638d8ebb16916e40]
> +
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 99a095ecf04e8849318f2811bb3f687905eab09b)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit d5986c0430124d82ce87b439638d8ebb16916e40)
> +Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> +---
> + plugin/manager.go      | 50 ++++++++++++++++++++++++------------------
> + plugin/manager_test.go | 44 +++++++++++++++++++++++++++++++++----
> + 2 files changed, 69 insertions(+), 25 deletions(-)
> +
> +diff --git a/plugin/manager.go b/plugin/manager.go
> +index 81f3d67b80..d98b968c7d 100644
> +--- a/plugin/manager.go
> ++++ b/plugin/manager.go
> +@@ -1,14 +1,14 @@
> + package plugin // import "github.com/docker/docker/plugin"
> + 
> + import (
> ++	"cmp"
> + 	"context"
> + 	"encoding/json"
> + 	"io"
> + 	"os"
> + 	"path/filepath"
> +-	"reflect"
> + 	"regexp"
> +-	"sort"
> ++	"slices"
> + 	"strings"
> + 	"sync"
> + 	"syscall"
> +@@ -331,34 +331,42 @@ func makeLoggerStreams(id string) (stdout, stderr io.WriteCloser) {
> + }
> + 
> + func validatePrivileges(requiredPrivileges, privileges types.PluginPrivileges) error {
> +-	if !isEqual(requiredPrivileges, privileges, isEqualPrivilege) {
> ++	if len(requiredPrivileges) != len(privileges) {
> + 		return errors.New("incorrect privileges")
> + 	}
> + 
> +-	return nil
> +-}
> +-
> +-func isEqual(arrOne, arrOther types.PluginPrivileges, compare func(x, y types.PluginPrivilege) bool) bool {
> +-	if len(arrOne) != len(arrOther) {
> +-		return false
> +-	}
> +-
> +-	sort.Sort(arrOne)
> +-	sort.Sort(arrOther)
> ++	a := normalizePrivileges(requiredPrivileges)
> ++	b := normalizePrivileges(privileges)
> + 
> +-	for i := 1; i < arrOne.Len(); i++ {
> +-		if !compare(arrOne[i], arrOther[i]) {
> +-			return false
> ++	for i := range a {
> ++		if a[i].Name != b[i].Name {
> ++			return errors.New("incorrect privileges")
> ++		}
> ++		if !slices.Equal(a[i].Value, b[i].Value) {
> ++			return errors.New("incorrect privileges")
> + 		}
> + 	}
> + 
> +-	return true
> ++	return nil
> + }
> + 
> +-func isEqualPrivilege(a, b types.PluginPrivilege) bool {
> +-	if a.Name != b.Name {
> +-		return false
> ++// normalizePrivileges returns a normalized copy of privileges with privilege names
> ++// and each privilege's values sorted for order-insensitive comparison.
> ++// The input is not mutated.
> ++func normalizePrivileges(privileges types.PluginPrivileges) types.PluginPrivileges {
> ++	normalized := make(types.PluginPrivileges, len(privileges))
> ++	for i, privilege := range privileges {
> ++		normalized[i] = types.PluginPrivilege{
> ++			Name:        privilege.Name,
> ++			Description: privilege.Description,
> ++			Value:       slices.Clone(privilege.Value),
> ++		}
> ++		slices.Sort(normalized[i].Value)
> + 	}
> + 
> +-	return reflect.DeepEqual(a.Value, b.Value)
> ++	slices.SortFunc(normalized, func(a, b types.PluginPrivilege) int {
> ++		return cmp.Compare(a.Name, b.Name)
> ++	})
> ++
> ++	return normalized
> + }
> +diff --git a/plugin/manager_test.go b/plugin/manager_test.go
> +index 62ccf2149d..6d58865044 100644
> +--- a/plugin/manager_test.go
> ++++ b/plugin/manager_test.go
> +@@ -44,12 +44,48 @@ func TestValidatePrivileges(t *testing.T) {
> + 			},
> + 			result: true,
> + 		},
> ++		"single-element-same": {
> ++			requiredPrivileges: []types.PluginPrivilege{
> ++				{Name: "allow-all-devices", Description: "Description", Value: []string{"true"}},
> ++			},
> ++			privileges: []types.PluginPrivilege{
> ++				{Name: "allow-all-devices", Description: "Description", Value: []string{"true"}},
> ++			},
> ++			result: true,
> ++		},
> ++		"single-element-diff-value": {
> ++			requiredPrivileges: []types.PluginPrivilege{
> ++				{Name: "allow-all-devices", Description: "Description", Value: []string{"false"}},
> ++			},
> ++			privileges: []types.PluginPrivilege{
> ++				{Name: "allow-all-devices", Description: "Description", Value: []string{"true"}},
> ++			},
> ++			result: false,
> ++		},
> ++		"first-sorted-element-diff-value": {
> ++			requiredPrivileges: []types.PluginPrivilege{
> ++				{Name: "allow-all-devices", Description: "Description", Value: []string{"false"}},
> ++				{Name: "network", Description: "Description", Value: []string{"host"}},
> ++			},
> ++			privileges: []types.PluginPrivilege{
> ++				{Name: "allow-all-devices", Description: "Description", Value: []string{"true"}},
> ++				{Name: "network", Description: "Description", Value: []string{"host"}},
> ++			},
> ++			result: false,
> ++		},
> ++		"empty-privileges": {
> ++			requiredPrivileges: []types.PluginPrivilege{},
> ++			privileges:         []types.PluginPrivilege{},
> ++			result:             true,
> ++		},
> + 	}
> + 
> + 	for key, data := range testData {
> +-		err := validatePrivileges(data.requiredPrivileges, data.privileges)
> +-		if (err == nil) != data.result {
> +-			t.Fatalf("Test item %s expected result to be %t, got %t", key, data.result, (err == nil))
> +-		}
> ++		t.Run(key, func(t *testing.T) {
> ++			err := validatePrivileges(data.requiredPrivileges, data.privileges)
> ++			if (err == nil) != data.result {
> ++				t.Fatalf("expected result to be %t, got %t", data.result, (err == nil))
> ++			}
> ++		})
> + 	}
> + }
> +-- 
> +2.44.4
> +
> -- 
> 2.35.6
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9794): https://lists.yoctoproject.org/g/meta-virtualization/message/9794
> Mute This Topic: https://lists.yoctoproject.org/mt/119298567/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>