
Commit d885a6b

Remove unused code from sepgsql
Commit 4232c4b removed all callers of sepgsql_check_perms but left the function in place. This removes the function as well. Reviewed-by: Robert Haas <robertmhaas@gmail.com> Discussion: https://postgr.es/m/3BD5C3BF-FECA-4496-AE53-5E447997AA0B@yesql.se
1 parent 1c3aa54 commit d885a6b


2 files changed

+0
-73
lines changed

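--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -886,69 +886,3 @@ sepgsql_compute_create(const char *scontext,
 
 return result;
 }
-
-/*
-* sepgsql_check_perms
-*
-* It makes access control decision without userspace caching mechanism.
-* If SELinux denied the required accesses on the pair of security labels,
-* it raises an error or returns false.
-*
-* scontext: security label of the subject (mostly, peer process)
-* tcontext: security label of the object being referenced
-* tclass: class code (SEPG_CLASS_*) of the object being referenced
-* required: a mask of required permissions (SEPG_<class>__<perm>)
-* audit_name: a human-readable object name for audit logs, or NULL.
-* abort_on_violation: true, if error shall be raised on access violation
-*/
-bool
-sepgsql_check_perms(const char *scontext,
-const char *tcontext,
-uint16 tclass,
-uint32 required,
-const char *audit_name,
-bool abort_on_violation)
-{
-struct av_decision avd;
-uint32 denied;
-uint32 audited;
-bool result = true;
-bool enforcing;
-
-sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
-
-denied = required & ~avd.allowed;
-
-if (sepgsql_get_debug_audit())
-audited = (denied ? denied : required);
-else
-audited = (denied ? (denied & avd.auditdeny)
-: (required & avd.auditallow));
-
-enforcing = sepgsql_getenforce() > 0 &&
-(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
-
-if (denied && enforcing)
-result = false;
-
-/*
-* It records a security audit for the request, if needed. But, when
-* SE-PgSQL performs 'internal' mode, it needs to keep silent.
-*/
-if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
-{
-sepgsql_audit_log(denied,
-enforcing,
-scontext,
-tcontext,
-tclass,
-audited,
-audit_name);
-}
-
-if (!result && abort_on_violation)
-ereport(ERROR,
-(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-errmsg("SELinux: security policy violation")));
-return result;
-}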

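--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -244,13 +244,6 @@ extern char *sepgsql_compute_create(const char *scontext,
 uint16 tclass,
 const char *objname);
 
-extern bool sepgsql_check_perms(const char *scontext,
-const char *tcontext,
-uint16 tclass,
-uint32 required,
-const char *audit_name,
-bool abort_on_violation);
-
 /*
 * uavc.c
 */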
