Mock Version: 6.2 Mock Version: 6.2 Mock Version: 6.2 ENTER ['do_with_status'](['bash', '--login', '-c', '/usr/bin/rpmbuild -bs --noclean --target x86_64 --nodeps /builddir/build/SPECS/moby.spec'], chrootPath='/var/lib/mock/dist-an23.4-build-523711-76902/root'env={'TERM': 'vt100', 'SHELL': '/bin/bash', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'PROMPT_COMMAND': 'printf "\\033]0;\\007"', 'PS1': ' \\s-\\v\\$ ', 'LANG': 'C.UTF-8'}shell=Falselogger=timeout=86400uid=989gid=135user='mockbuild'unshare_net=TrueprintOutput=Falsenspawn_args=['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf', '--bind=/dev/mapper/control', '--bind=/dev/fuse', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11']) Using nspawn with args ['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf', '--bind=/dev/mapper/control', '--bind=/dev/fuse', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11'] Executing command: ['/usr/bin/systemd-nspawn', '-q', '-M', 'f438e8544d35424db94b039b6efac606', '-D', '/var/lib/mock/dist-an23.4-build-523711-76902/root', '-a', '-u', 'mockbuild', '--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf', '--bind=/dev/mapper/control', '--bind=/dev/fuse', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11', '--setenv=TERM=vt100', '--setenv=SHELL=/bin/bash', '--setenv=HOME=/builddir', '--setenv=HOSTNAME=mock', '--setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin', '--setenv=PROMPT_COMMAND=printf "\\033]0;\\007"', '--setenv=PS1= \\s-\\v\\$ ', '--setenv=LANG=C.UTF-8', '--resolv-conf=off', 'bash', '--login', '-c', '/usr/bin/rpmbuild -bs --noclean --target x86_64 --nodeps /builddir/build/SPECS/moby.spec'] with env {'TERM': 'vt100', 'SHELL': '/bin/bash', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'PROMPT_COMMAND': 'printf "\\033]0;\\007"', 'PS1': ' \\s-\\v\\$ ', 'LANG': 'C.UTF-8', 'SYSTEMD_NSPAWN_TMPFS_TMP': '0', 'SYSTEMD_SECCOMP': '0'} and shell False warning: Macro expanded in comment on line 17: %{version}/cli-%{version}.tar.gz warning: Macro expanded in comment on line 19: %{version}/moby-%{version}.tar.gz warning: Macro expanded in comment on line 21: %{version}/tini-0.19.0.tar.gz warning: %patchN is deprecated (1 usages found), use %patch N (or %patch -P N) error: Failed to open shell expansion pipe for command: [ -z "$RPM_BUILD_NCPUS" ] \ && RPM_BUILD_NCPUS="64"; \ ncpus_max=; \ if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \ echo "$RPM_BUILD_NCPUS";: Operation not permitted 2< (%) 1< (%_smp_build_ncpus) 0< (%_smp_build_nthreads) Building target platforms: x86_64 Building for target x86_64 setting SOURCE_DATE_EPOCH=1775001600 Wrote: /builddir/build/SRPMS/moby-28.3.3-3.an23.src.rpm RPM build warnings: Macro expanded in comment on line 17: %{version}/cli-%{version}.tar.gz Macro expanded in comment on line 19: %{version}/moby-%{version}.tar.gz Macro expanded in comment on line 21: %{version}/tini-0.19.0.tar.gz %patchN is deprecated (1 usages found), use %patch N (or %patch -P N) Child return code was: 0 ENTER ['do_with_status'](['bash', '--login', '-c', '/usr/bin/rpmbuild -bb --noclean --target x86_64 --nodeps /builddir/build/SPECS/moby.spec'], chrootPath='/var/lib/mock/dist-an23.4-build-523711-76902/root'env={'TERM': 'vt100', 'SHELL': '/bin/bash', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'PROMPT_COMMAND': 'printf "\\033]0;\\007"', 'PS1': ' \\s-\\v\\$ ', 'LANG': 'C.UTF-8'}shell=Falselogger=timeout=86400uid=989gid=135user='mockbuild'unshare_net=TrueprintOutput=Falsenspawn_args=['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf', '--bind=/dev/mapper/control', '--bind=/dev/fuse', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11']) Using nspawn with args ['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf', '--bind=/dev/mapper/control', '--bind=/dev/fuse', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11'] Executing command: ['/usr/bin/systemd-nspawn', '-q', '-M', '16399723df9048009e1b40c521f4dbdb', '-D', '/var/lib/mock/dist-an23.4-build-523711-76902/root', '-a', '-u', 'mockbuild', '--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf', '--bind=/dev/mapper/control', '--bind=/dev/fuse', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11', '--setenv=TERM=vt100', '--setenv=SHELL=/bin/bash', '--setenv=HOME=/builddir', '--setenv=HOSTNAME=mock', '--setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin', '--setenv=PROMPT_COMMAND=printf "\\033]0;\\007"', '--setenv=PS1= \\s-\\v\\$ ', '--setenv=LANG=C.UTF-8', '--resolv-conf=off', 'bash', '--login', '-c', '/usr/bin/rpmbuild -bb --noclean --target x86_64 --nodeps /builddir/build/SPECS/moby.spec'] with env {'TERM': 'vt100', 'SHELL': '/bin/bash', 'HOME': '/builddir', 'HOSTNAME': 'mock', 'PATH': '/usr/bin:/bin:/usr/sbin:/sbin', 'PROMPT_COMMAND': 'printf "\\033]0;\\007"', 'PS1': ' \\s-\\v\\$ ', 'LANG': 'C.UTF-8', 'SYSTEMD_NSPAWN_TMPFS_TMP': '0', 'SYSTEMD_SECCOMP': '0'} and shell False warning: Macro expanded in comment on line 17: %{version}/cli-%{version}.tar.gz warning: Macro expanded in comment on line 19: %{version}/moby-%{version}.tar.gz warning: Macro expanded in comment on line 21: %{version}/tini-0.19.0.tar.gz warning: %patchN is deprecated (1 usages found), use %patch N (or %patch -P N) error: Failed to open shell expansion pipe for command: [ -z "$RPM_BUILD_NCPUS" ] \ && RPM_BUILD_NCPUS="64"; \ ncpus_max=; \ if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \ echo "$RPM_BUILD_NCPUS";: Operation not permitted 2< (%) 1< (%_smp_build_ncpus) 0< (%_smp_build_nthreads) Building target platforms: x86_64 Building for target x86_64 setting SOURCE_DATE_EPOCH=1775001600 error: Failed to open shell expansion pipe for command: [ -z "$RPM_BUILD_NCPUS" ] \ && RPM_BUILD_NCPUS="64"; \ ncpus_max=; \ if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \ echo "$RPM_BUILD_NCPUS";: Operation not permitted 5< (%) 4< (%_smp_build_ncpus) 3< (%___build_pre_env) RPM_BUILD_NCPUS=" 2< (%___build_pre) RPM_BUILD_NCPUS=" 1< (%__spec_prep_pre) RPM_BUILD_NCPUS=" 0< (%__spec_prep_template) #!/bin/sh RPM_SOURCE_DIR="/builddir/build/SOURCES" RPM_BUILD_DIR="/builddir/build/BUILD" RPM_OPT_FLAGS="-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/anolis/anolis-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/anolis/anolis-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection" RPM_LD_FLAGS="-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/anolis/anolis-hardened-ld -specs=/usr/lib/rpm/anolis/anolis-annobin-cc1 -Wl,--build-id=sha1 " RPM_ARCH="x86_64" RPM_OS="linux" RPM_BUILD_NCPUS=" Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.lPWoEe can't find file to patch at input line 36 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |From a4c717de7807a764b26f2da55011f41b9bb1201e Mon Sep 17 00:00:00 2001 |From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= |Date: Thu, 19 Mar 2026 19:18:23 +0100 |Subject: [PATCH] plugin: Fix off-by-one in privilege validation |MIME-Version: 1.0 |Content-Type: text/plain; charset=UTF-8 |Content-Transfer-Encoding: 8bit | |Fix an off-by-one error in isEqual() where the comparison loop started |at index 1 instead of 0, causing the first privilege (after sorting |alphabetically by name) to never be validated. | |This allowed a malicious plugin to request different values for |whichever privilege sorts first — most notably "allow-all-devices", |which grants unrestricted rwm access to all host devices. | |The bug also meant that plugins requesting exactly one privilege had |zero iterations of the comparison loop, bypassing validation entirely. | |Also fix an existing test case ("diff-order-but-same-value") that only |passed due to the off-by-one bug, and add test cases for single-element |and first-sorted-element mismatches. | |Signed-off-by: Paweł Gronowski |(cherry picked from commit 99a095ecf04e8849318f2811bb3f687905eab09b) |Signed-off-by: Paweł Gronowski |--- | plugin/manager.go | 50 ++++++++++++++++++++++++------------------ | plugin/manager_test.go | 44 +++++++++++++++++++++++++++++++++---- | 2 files changed, 69 insertions(+), 25 deletions(-) | |diff --git a/plugin/manager.go b/plugin/manager.go |index 0a07339..8bc1608 100644 |--- a/plugin/manager.go |+++ b/plugin/manager.go -------------------------- No file to patch. Skipping patch. 2 out of 2 hunks ignored can't find file to patch at input line 118 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |diff --git a/plugin/manager_test.go b/plugin/manager_test.go |index 4efe76b..7740231 100644 |--- a/plugin/manager_test.go |+++ b/plugin/manager_test.go -------------------------- No file to patch. Skipping patch. 1 out of 1 hunk ignored RPM build warnings: RPM build errors: error: Bad exit status from /var/tmp/rpm-tmp.lPWoEe (%prep) Macro expanded in comment on line 17: %{version}/cli-%{version}.tar.gz Macro expanded in comment on line 19: %{version}/moby-%{version}.tar.gz Macro expanded in comment on line 21: %{version}/tini-0.19.0.tar.gz %patchN is deprecated (1 usages found), use %patch N (or %patch -P N) Failed to open shell expansion pipe for command: [ -z "$RPM_BUILD_NCPUS" ] \ && RPM_BUILD_NCPUS="64"; \ ncpus_max=; \ if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \ echo "$RPM_BUILD_NCPUS";: Operation not permitted Failed to open shell expansion pipe for command: [ -z "$RPM_BUILD_NCPUS" ] \ && RPM_BUILD_NCPUS="64"; \ ncpus_max=; \ if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \ echo "$RPM_BUILD_NCPUS";: Operation not permitted Bad exit status from /var/tmp/rpm-tmp.lPWoEe (%prep) Child return code was: 1 EXCEPTION: [Error('Command failed: \n # /usr/bin/systemd-nspawn -q -M 16399723df9048009e1b40c521f4dbdb -D /var/lib/mock/dist-an23.4-build-523711-76902/root -a -u mockbuild --capability=cap_ipc_lock --bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf --bind=/dev/mapper/control --bind=/dev/fuse --bind=/dev/loop-control --bind=/dev/loop0 --bind=/dev/loop1 --bind=/dev/loop2 --bind=/dev/loop3 --bind=/dev/loop4 --bind=/dev/loop5 --bind=/dev/loop6 --bind=/dev/loop7 --bind=/dev/loop8 --bind=/dev/loop9 --bind=/dev/loop10 --bind=/dev/loop11 --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/builddir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin \'--setenv=PROMPT_COMMAND=printf "\\033]0;\\007"\' \'--setenv=PS1= \\s-\\v\\$ \' --setenv=LANG=C.UTF-8 --resolv-conf=off bash --login -c \'/usr/bin/rpmbuild -bb --noclean --target x86_64 --nodeps /builddir/build/SPECS/moby.spec\'\n', 1)] Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/mockbuild/trace_decorator.py", line 93, in trace result = func(*args, **kw) File "/usr/lib/python3.6/site-packages/mockbuild/util.py", line 610, in do_with_status raise exception.Error("Command failed: \n # %s\n%s" % (cmd_pretty(command, env), output), child.returncode) mockbuild.exception.Error: Command failed: # /usr/bin/systemd-nspawn -q -M 16399723df9048009e1b40c521f4dbdb -D /var/lib/mock/dist-an23.4-build-523711-76902/root -a -u mockbuild --capability=cap_ipc_lock --bind=/tmp/mock-resolv.90sf5d4n:/etc/resolv.conf --bind=/dev/mapper/control --bind=/dev/fuse --bind=/dev/loop-control --bind=/dev/loop0 --bind=/dev/loop1 --bind=/dev/loop2 --bind=/dev/loop3 --bind=/dev/loop4 --bind=/dev/loop5 --bind=/dev/loop6 --bind=/dev/loop7 --bind=/dev/loop8 --bind=/dev/loop9 --bind=/dev/loop10 --bind=/dev/loop11 --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/builddir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin '--setenv=PROMPT_COMMAND=printf "\033]0;\007"' '--setenv=PS1= \s-\v\$ ' --setenv=LANG=C.UTF-8 --resolv-conf=off bash --login -c '/usr/bin/rpmbuild -bb --noclean --target x86_64 --nodeps /builddir/build/SPECS/moby.spec'