Remove unused code from sepgsql

danielgustafsson · danielgustafsson · commit d885a6b612cf · 2022-09-02T20:38:34.000+02:00
Commit 4232c4b removed all callers of sepgsql_check_perms but left the function in place. This removes the function as well. Reviewed-by: Robert Haas <robertmhaas@gmail.com> Discussion: https://postgr.es/m/3BD5C3BF-FECA-4496-AE53-5E447997AA0B@yesql.se
diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
@@ -886,69 +886,3 @@ sepgsql_compute_create(const char *scontext,
 
 	return result;
 }
-
-/*
- * sepgsql_check_perms
- *
- * It makes access control decision without userspace caching mechanism.
- * If SELinux denied the required accesses on the pair of security labels,
- * it raises an error or returns false.
- *
- * scontext: security label of the subject (mostly, peer process)
- * tcontext: security label of the object being referenced
- * tclass: class code (SEPG_CLASS_*) of the object being referenced
- * required: a mask of required permissions (SEPG_<class>__<perm>)
- * audit_name: a human-readable object name for audit logs, or NULL.
- * abort_on_violation: true, if error shall be raised on access violation
- */
-bool
-sepgsql_check_perms(const char *scontext,
-					const char *tcontext,
-					uint16 tclass,
-					uint32 required,
-					const char *audit_name,
-					bool abort_on_violation)
-{
-	struct av_decision avd;
-	uint32		denied;
-	uint32		audited;
-	bool		result = true;
-	bool		enforcing;
-
-	sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
-
-	denied = required & ~avd.allowed;
-
-	if (sepgsql_get_debug_audit())
-		audited = (denied ? denied : required);
-	else
-		audited = (denied ? (denied & avd.auditdeny)
-				   : (required & avd.auditallow));
-
-	enforcing = sepgsql_getenforce() > 0 &&
-		(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
-
-	if (denied && enforcing)
-		result = false;
-
-	/*
-	 * It records a security audit for the request, if needed. But, when
-	 * SE-PgSQL performs 'internal' mode, it needs to keep silent.
-	 */
-	if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
-	{
-		sepgsql_audit_log(denied,
-						  enforcing,
-						  scontext,
-						  tcontext,
-						  tclass,
-						  audited,
-						  audit_name);
-	}
-
-	if (!result && abort_on_violation)
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("SELinux: security policy violation")));
-	return result;
-}
diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h
@@ -244,13 +244,6 @@ extern char *sepgsql_compute_create(const char *scontext,
 									uint16 tclass,
 									const char *objname);
 
-extern bool sepgsql_check_perms(const char *scontext,
-								const char *tcontext,
-								uint16 tclass,
-								uint32 required,
-								const char *audit_name,
-								bool abort_on_violation);
-
 /*
  * uavc.c
  */
