From 1818dc3a4c744af0e5b964ad7ca8baad2159be4a Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Tue, 25 Feb 2025 01:11:05 +0900
Subject: [PATCH] system/acl: do not fail gone revert target

A removed file effectively already has its ACLs stripped, so failing this makes no sense. Still print a message to warn about it.

Signed-off-by: Ophestra
---
 system/acl.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/system/acl.go b/system/acl.go
index 8cd49cb..e6ae7d2 100644
--- a/system/acl.go
+++ b/system/acl.go
@@ -1,7 +1,9 @@
 package system
 
 import (
+ "errors"
 "fmt"
+ "os"
 "slices"
 
 "git.gensokyo.uk/security/fortify/acl"
@@ -41,7 +43,13 @@ func (a *ACL) apply(sys *I) error {
 func (a *ACL) revert(sys *I, ec *Criteria) error {
 if ec.hasType(a) {
 sys.println("stripping ACL", a)
- return sys.wrapErrSuffix(acl.Update(a.path, sys.uid),
+ err := acl.Update(a.path, sys.uid)
+ if errors.Is(err, os.ErrNotExist) {
+ // the ACL is effectively stripped if the file no longer exists
+ sys.printf("target of ACL %s no longer exists", a)
+ err = nil
+ }
+ return sys.wrapErrSuffix(err,
 fmt.Sprintf("cannot strip ACL entry from %q:", a.path))
 } else {
 sys.println("skipping ACL", a)
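Review bot: The new `errors.Is(err, os.ErrNotExist)` branch in revert treats every ENOENT as "ACL already stripped", but a missing path only shows that the name is gone. If the target was renamed, or a parent directory was moved or removed, the inode can still carry the entry for `sys.uid`, and the revert now returns nil for it. The comment should record that limit, e.g. `// ENOENT means the path is gone, not the inode: a renamed target keeps its ACL entry`. Whether the branch fires at all depends on acl.Update returning an error that unwraps to ENOENT, which is not visible in this diff; a test that reverts a removed target would pin that down. The body of revert continues past the end of the hunk.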