new file mode 100644
@@ -0,0 +1,90 @@
+Taken from upstream:
+<https://github.com/SELinuxProject/selinux/commit/07d6f1cea5a8ec0251606636189bc519d80b0729>.
+
+From 07d6f1cea5a8ec0251606636189bc519d80b0729 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 1 Jul 2021 20:07:07 +0200
+Subject: [PATCH] libsepol: assure string NUL-termination of ibdev_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Clang complains:
+
+ ibendport_record.c: In function ‘sepol_ibendport_get_ibdev_name’:
+ ibendport_record.c:169:2: error: ‘strncpy’ specified bound 64 equals destination size [-Werror=stringop-truncation]
+ 169 | strncpy(tmp_ibdev_name, ibendport->ibdev_name, IB_DEVICE_NAME_MAX);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ibendport_record.c: In function ‘sepol_ibendport_set_ibdev_name’:
+ ibendport_record.c:189:2: error: ‘strncpy’ specified bound 64 equals destination size [-Werror=stringop-truncation]
+ 189 | strncpy(tmp, ibdev_name, IB_DEVICE_NAME_MAX);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+strncpy(3) does not NUL-terminate the destination if the source is of
+the same length or longer then the specified size.
+The source of these copies are retrieved from
+sepol_ibendport_alloc_ibdev_name(), which allocates a fixed amount of
+IB_DEVICE_NAME_MAX bytes.
+Reduce the size to copy by 1 of all memory regions allocated by
+sepol_ibendport_alloc_ibdev_name().
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ libsepol/src/ibendport_record.c | 8 ++++----
+ libsepol/src/ibendports.c | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libsepol/src/ibendport_record.c b/libsepol/src/ibendport_record.c
+index adf671615..1eb50914b 100644
+--- a/libsepol/src/ibendport_record.c
++++ b/libsepol/src/ibendport_record.c
+@@ -62,7 +62,7 @@ int sepol_ibendport_key_create(sepol_handle_t *handle,
+ if (sepol_ibendport_alloc_ibdev_name(handle, &tmp_key->ibdev_name) < 0)
+ goto err;
+
+- strncpy(tmp_key->ibdev_name, ibdev_name, IB_DEVICE_NAME_MAX);
++ strncpy(tmp_key->ibdev_name, ibdev_name, IB_DEVICE_NAME_MAX - 1);
+ tmp_key->port = port;
+
+ *key_ptr = tmp_key;
+@@ -166,7 +166,7 @@ int sepol_ibendport_get_ibdev_name(sepol_handle_t *handle,
+ if (sepol_ibendport_alloc_ibdev_name(handle, &tmp_ibdev_name) < 0)
+ goto err;
+
+- strncpy(tmp_ibdev_name, ibendport->ibdev_name, IB_DEVICE_NAME_MAX);
++ strncpy(tmp_ibdev_name, ibendport->ibdev_name, IB_DEVICE_NAME_MAX - 1);
+ *ibdev_name = tmp_ibdev_name;
+ return STATUS_SUCCESS;
+
+@@ -186,7 +186,7 @@ int sepol_ibendport_set_ibdev_name(sepol_handle_t *handle,
+ if (sepol_ibendport_alloc_ibdev_name(handle, &tmp) < 0)
+ goto err;
+
+- strncpy(tmp, ibdev_name, IB_DEVICE_NAME_MAX);
++ strncpy(tmp, ibdev_name, IB_DEVICE_NAME_MAX - 1);
+ free(ibendport->ibdev_name);
+ ibendport->ibdev_name = tmp;
+ return STATUS_SUCCESS;
+@@ -230,7 +230,7 @@ int sepol_ibendport_clone(sepol_handle_t *handle,
+ if (sepol_ibendport_alloc_ibdev_name(handle, &new_ibendport->ibdev_name) < 0)
+ goto omem;
+
+- strncpy(new_ibendport->ibdev_name, ibendport->ibdev_name, IB_DEVICE_NAME_MAX);
++ strncpy(new_ibendport->ibdev_name, ibendport->ibdev_name, IB_DEVICE_NAME_MAX - 1);
+ new_ibendport->port = ibendport->port;
+
+ if (ibendport->con &&
+diff --git a/libsepol/src/ibendports.c b/libsepol/src/ibendports.c
+index 6d56c9a17..ee5cb1930 100644
+--- a/libsepol/src/ibendports.c
++++ b/libsepol/src/ibendports.c
+@@ -34,7 +34,7 @@ static int ibendport_from_record(sepol_handle_t *handle,
+ &ibdev_name) < 0)
+ goto err;
+
+- strncpy(tmp_ibendport->u.ibendport.dev_name, ibdev_name, IB_DEVICE_NAME_MAX);
++ strncpy(tmp_ibendport->u.ibendport.dev_name, ibdev_name, IB_DEVICE_NAME_MAX - 1);
+
+ free(ibdev_name);
+ ibdev_name = NULL;
+
@@ -55,6 +55,10 @@
(url "https://github.com/SELinuxProject/selinux")
(commit version)))
(file-name (git-file-name "selinux" version))
+ (patches
+ (search-patches
+ ;; XXX: Remove patch in next release.
+ "libsepol-fix-stringop-truncation-warning.patch"))
(sha256
(base32
"03p3lmvrvkcvsmiczsjzhyfgxlxdkdyq0p8igv3s3hdak5n92jjn"))))
libsepol fails due to -Werror=stringop-truncation. I attatched a patch that uses an upstream commit to fix the warning, or we could just disable Werror. From 88e6d094bfb5341b0c0fe3a7267396e774b43abb Mon Sep 17 00:00:00 2001 From: Noah Evans <noah@nevans.me> Date: Thu, 19 Aug 2021 17:56:30 -0400 Subject: [PATCH core-updates-frozen] gnu: libsepol: Fix build. --- ...epol-fix-stringop-truncation-warning.patch | 90 +++++++++++++++++++ gnu/packages/selinux.scm | 4 + 2 files changed, 94 insertions(+) create mode 100644 gnu/packages/patches/libsepol-fix-stringop-truncation-warning.patch -- 2.33.0