apply_default_acl_ex: don't loop through the ACL unless we're masking exec.

diff --git a/src/libadacl.c b/src/libadacl.c
index 0d07f2c6d0126880b59e830011fcbbefc75e797f..e75fdece6a36edd7ece544944ffa920a64970d04 100644 (file)
--- a/src/libadacl.c
+++ b/src/libadacl.c
@@ -889,7 +889,13 @@ int apply_default_acl_ex(const char* path,
   */
 
   /* Now we potentially need to mask the execute permissions in the
-     ACL on fd. First obtain the current one... */
+     ACL on fd; or maybe now. */
+  if (allow_exec) {
+    goto cleanup;
+  }
+
+  /* OK, we need to mask some execute permissions. First obtain the
+     current ACL... */
   new_acl = acl_get_fd(fd);
   if (new_acl == (acl_t)NULL) {
     perror("apply_default_acl_ex (acl_get_fd)");
@@ -933,21 +939,19 @@ int apply_default_acl_ex(const char* path,
         tag == ACL_GROUP_OBJ ||
         tag == ACL_OTHER) {
 
-      if (!allow_exec) {
-        /* The mask doesn't affect acl_user_obj, acl_group_obj (in
-           minimal ACLs) or acl_other entries, so if execute should be
-           masked, we have to do it manually. */
-        if (acl_delete_perm(permset, ACL_EXECUTE) == ACL_ERROR) {
-          perror("apply_default_acl_ex (acl_delete_perm)");
-          result = ACL_ERROR;
-          goto cleanup;
-        }
-
-        if (acl_set_permset(entry, permset) == ACL_ERROR) {
-          perror("apply_default_acl_ex (acl_set_permset)");
-          result = ACL_ERROR;
-          goto cleanup;
-        }
+      /* The mask doesn't affect acl_user_obj, acl_group_obj (in
+         minimal ACLs) or acl_other entries, so if execute should be
+         masked, we have to do it manually. */
+      if (acl_delete_perm(permset, ACL_EXECUTE) == ACL_ERROR) {
+        perror("apply_default_acl_ex (acl_delete_perm)");
+        result = ACL_ERROR;
+        goto cleanup;
+      }
+
+      if (acl_set_permset(entry, permset) == ACL_ERROR) {
+        perror("apply_default_acl_ex (acl_set_permset)");
+        result = ACL_ERROR;
+        goto cleanup;
       }
     }