parser: equality tests: update deny x perm carve out test

With priority rules, deny does not carve out permissions from the higher priority rule. Technically it doesn't from lower priority either as it completely overrides them, but that case already results in an inequality so does not cause the tests to fail. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-29 13:28:19 +00:00 · 2024-12-17 07:55:43 -08:00 · 2024-12-17 07:55:43 -08:00 · 25f16b239d
commit 25f16b239d
parent 369029dc07
1 changed files with 11 additions and 3 deletions
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@ -671,9 +671,17 @@ do
 				"/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
 		fi
 	done
+	if priority_gt "$p1" "" ; then
+		# priority stops permission carve out
+		verify_binary_equality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
+			"/t { $p1 /* ${perm1}, audit deny /f x, }" \
+			"/t { $p2 /* ${perm1}, }"
+	else
+		# deny rule carves out some of the match
 		verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
 			"/t { $p1 /* ${perm1}, audit deny /f x, }" \
 			"/t { $p2 /* ${perm1}, }"
+	fi

 done