+int apply_default_acl(const char* path, bool recursive) {
+
+ if (path == NULL) {
+ errno = EINVAL;
+ perror("apply_default_acl (args)");
+ return ACL_ERROR;
+ }
+
+ /* Define these next three variables here because we may have to
+ * jump to the cleanup routine which expects them to exist.
+ */
+
+ /* Our return value. */
+ int result = ACL_SUCCESS;
+
+ /* The file descriptor corresponding to "path" */
+ int fd = 0;
+
+ /* The file descriptor for the directory containing "path" */
+ int parent_fd = 0;
+
+ /* dirname() and basename() mangle their arguments, so we need
+ to make copies of "path" before using them. */
+ char* dirname_path_copy = NULL;
+ char* basename_path_copy = NULL;
+
+ /* Get the parent directory of "path" with dirname(), which happens
+ * to murder its argument and necessitates a path_copy. */
+ dirname_path_copy = strdup(path);
+ if (dirname_path_copy == NULL) {
+ perror("apply_default_acl (strdup)");
+ return ACL_ERROR;
+ }
+ char* parent = dirname(dirname_path_copy);
+
+ /* Just kidding, if the path is ".", then dirname will do the wrong
+ * thing and give us "." as its parent, too. So, we handle that as a
+ * special case.
+ *
+ * WARNING: it is important that "parent" itself is not used after
+ * this point; otherwise we would need to store the correct parent
+ * path in there. But since everything uses file descriptors from
+ * now on, we only need to ensure that we get the correct parent_fd
+ * below. */
+ if (strcmp(path, ".") == 0 && strcmp(parent, ".") == 0) {
+ parent_fd = safe_open("..", O_DIRECTORY | O_NOFOLLOW);
+ }
+ else {
+ parent_fd = safe_open(parent, O_DIRECTORY | O_NOFOLLOW);
+ }
+ if (parent_fd == OPEN_ERROR) {
+ if (errno == ELOOP || errno == ENOTDIR) {
+ /* We hit a symlink, either in the last path component (ELOOP)
+ or higher up (ENOTDIR). */
+ result = ACL_FAILURE;
+ goto cleanup;
+ }
+ else {
+ perror("apply_default_acl (open parent fd)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+ }
+
+ /* We already obtained the parent fd safely, so if we use the
+ basename of path here instead of the full thing, then we can get
+ away with using openat() and spare ourselves the slowness of
+ another safe_open(). */
+ basename_path_copy = strdup(path);
+ if (basename_path_copy == NULL) {
+ perror("apply_default_acl (strdup)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+
+ /* If the basename is ".", then we don't want to open "." relative
+ to the parent_fd, so we need another special case for that
+ path. */
+ if (strcmp(path, ".") == 0 && strcmp(parent, ".") == 0) {
+ fd = open(".", O_NOFOLLOW);
+ }
+ else {
+ fd = openat(parent_fd, basename(basename_path_copy), O_NOFOLLOW);
+ }
+ if (fd == OPEN_ERROR) {
+ if (errno == ELOOP || errno == ENOTDIR) {
+ /* We hit a symlink, either in the last path component (ELOOP)
+ or higher up (ENOTDIR). */
+ result = ACL_FAILURE;
+ goto cleanup;
+ }
+ else {
+ perror("apply_default_acl (open fd)");
+ result = ACL_ERROR;
+ goto cleanup;
+ }
+ }
+
+ result = apply_default_acl_fds(parent_fd, fd, recursive);
+
+ cleanup:
+ free(dirname_path_copy);
+ free(basename_path_copy);
+
+ if (parent_fd > 0 && close(parent_fd) == CLOSE_ERROR) {
+ perror("apply_default_acl (close parent_fd)");
+ result = ACL_ERROR;
+ }
+ if (fd > 0 && close(fd) == CLOSE_ERROR) {
+ perror("apply_default_acl (close fd)");
+ result = ACL_ERROR;
+ }
+ return result;