From c8d2c0c81d1b7430079dd8990b41029faf7056e1 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Fri, 2 Sep 2022 11:52:14 +0200
Subject: [PATCH v1] Remove dead code from sepgsql

Commit 4232c4b40 removed all callers of sepgsql_check_perms but left
the function in place. Remove the function as well, since it is now dead code.
---
 contrib/sepgsql/selinux.c | 66 ---------------------------------------
 contrib/sepgsql/sepgsql.h |  7 -----
 2 files changed, 73 deletions(-)

diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index 4fe30465d7..d4713e7419 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -886,69 +886,3 @@ sepgsql_compute_create(const char *scontext,
 
 	return result;
 }
-
-/*
- * sepgsql_check_perms
- *
- * It makes access control decision without userspace caching mechanism.
- * If SELinux denied the required accesses on the pair of security labels,
- * it raises an error or returns false.
- *
- * scontext: security label of the subject (mostly, peer process)
- * tcontext: security label of the object being referenced
- * tclass: class code (SEPG_CLASS_*) of the object being referenced
- * required: a mask of required permissions (SEPG_<class>__<perm>)
- * audit_name: a human-readable object name for audit logs, or NULL.
- * abort_on_violation: true, if error shall be raised on access violation
- */
-bool
-sepgsql_check_perms(const char *scontext,
-					const char *tcontext,
-					uint16 tclass,
-					uint32 required,
-					const char *audit_name,
-					bool abort_on_violation)
-{
-	struct av_decision avd;
-	uint32		denied;
-	uint32		audited;
-	bool		result = true;
-	bool		enforcing;
-
-	sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
-
-	denied = required & ~avd.allowed;
-
-	if (sepgsql_get_debug_audit())
-		audited = (denied ? denied : required);
-	else
-		audited = (denied ? (denied & avd.auditdeny)
-				   : (required & avd.auditallow));
-
-	enforcing = sepgsql_getenforce() > 0 &&
-		(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
-
-	if (denied && enforcing)
-		result = false;
-
-	/*
-	 * It records a security audit for the request, if needed. But, when
-	 * SE-PgSQL performs 'internal' mode, it needs to keep silent.
-	 */
-	if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
-	{
-		sepgsql_audit_log(denied,
-						  enforcing,
-						  scontext,
-						  tcontext,
-						  tclass,
-						  audited,
-						  audit_name);
-	}
-
-	if (!result && abort_on_violation)
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("SELinux: security policy violation")));
-	return result;
-}
diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h
index 70f6203496..f2a2c795bf 100644
--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -244,13 +244,6 @@ extern char *sepgsql_compute_create(const char *scontext,
 									uint16 tclass,
 									const char *objname);
 
-extern bool sepgsql_check_perms(const char *scontext,
-								const char *tcontext,
-								uint16 tclass,
-								uint32 required,
-								const char *audit_name,
-								bool abort_on_violation);
-
 /*
  * uavc.c
  */
-- 
2.32.1 (Apple Git-133)

