From 1f32c1175e080da201ce010c1f3650dab34e1a92 Mon Sep 17 00:00:00 2001 From: Ryan Lee Date: Tue, 1 Apr 2025 11:49:35 -0700 Subject: [PATCH 1/2] parser: move error count print of equality tesets to run_tests end The original location in the middle of the priority function helper was completely nonsensical. We can instead do this check just once after running all the tests. Signed-off-by: Ryan Lee --- parser/tst/equality.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh index 5ee69b079..86a7eb2da 100755 --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh @@ -912,12 +912,6 @@ verify_binary_equality "'$p1'x'$p2' mount specific deny doesn't affect non-overl "/t { $p2 audit deny mount /s/** -> /**, mount options=bind /e/ -> /**, }" -if [ $fails -ne 0 ] || [ $errors -ne 0 ] -then - printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 1>&2 - exit $((fails + errors)) -fi - ## priority override equivalence tests ## compare single rule, to multi-rule profile where one rule overrides @@ -1109,8 +1103,13 @@ run_tests() done [ -z "${verbose}" ] && printf "\n" - printf "PASS\n" - exit 0 + if [ $fails -ne 0 ] || [ $errors -ne 0 ]; then + printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 1>&2 + exit $((fails + errors)) + else + printf "PASS\n" + exit 0 + fi } From 6da10ef98f424e13fcbec4e189c79ccf6e8fa5a5 Mon Sep 17 00:00:00 2001 From: Ryan Lee Date: Tue, 1 Apr 2025 11:59:51 -0700 Subject: [PATCH 2/2] parser: move equality tests not using priorities outside of priority helper Signed-off-by: Ryan Lee --- parser/tst/equality.sh | 45 +++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh index 86a7eb2da..abce2e920 100755 --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh 
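Review bot: `exit $((fails + errors))` at the new end of run_tests can report success after failures, because a shell exit status keeps only the low 8 bits, so a combined count of 256 (or any multiple of it) exits 0 even though the ERRORS/FAILS line was printed. For a harness that gates the parser's policy-equality checks, a fixed status such as `exit 1` is safer, with the counts left to the `printf`. The operands in `[ $fails -ne 0 ] || [ $errors -ne 0 ]` are also unquoted, so if either counter is ever empty the test errors out, and if both are empty control falls through to `PASS`; `[ "${fails:-0}" -ne 0 ] || [ "${errors:-0}" -ne 0 ]` avoids that. run_tests starts outside this hunk, so whether both counters are always initialised before this point cannot be confirmed from here.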
@@ -879,28 +879,6 @@ verify_binary_equality "'$p1'x'$p2' link rules slash filtering" \ @{BAR}=/mnt/ /t { $p2 link @{FOO}/foo -> @{BAR}/bar, }" -verify_binary_equality "'$p1'x'$p2' attachment slash filtering" \ - "/t /bin/foo { }" \ - "/t /bin//foo { }" \ - "@{BAR}=/bin/ - /t @{BAR}/foo { }" \ - "@{FOO}=/foo - /t /bin/@{FOO} { }" \ - "@{BAR}=/bin/ - @{FOO}=/foo - /t @{BAR}/@{FOO} { }" - -# verify comment at end of variable assignment is not treated as a value -verify_binary_equality "comment at end of set var" \ - "/t { /bin/ r, }" \ - "@{BAR}=/bin/ #a tail comment - /t { @{BAR} r, }" - -verify_binary_equality "value like comment at end of set var" \ - "/t { /{bin/,#value} r, }" \ - "@{BAR}=bin/ \#value - /t { /@{BAR} r, }" - # This can potentially fail as ideally it requires a better dfa comparison # routine as it can generates hormomorphic dfas. The enumeration of the @@ -1076,6 +1054,29 @@ run_tests() "/t { /a r, }" \ "/t { priority=-1 audit deny /* rwxlk, /a r, }" + # Tests that do not use priority keywords at all + + verify_binary_equality "attachment slash filtering" \ + "/t /bin/foo { }" \ + "/t /bin//foo { }" \ + "@{BAR}=/bin/ + /t @{BAR}/foo { }" \ + "@{FOO}=/foo + /t /bin/@{FOO} { }" \ + "@{BAR}=/bin/ + @{FOO}=/foo + /t @{BAR}/@{FOO} { }" + # verify comment at end of variable assignment is not treated as a value + verify_binary_equality "comment at end of set var" \ + "/t { /bin/ r, }" \ + "@{BAR}=/bin/ #a tail comment + /t { @{BAR} r, }" + + verify_binary_equality "value like comment at end of set var" \ + "/t { /{bin/,#value} r, }" \ + "@{BAR}=bin/ \#value + /t { /@{BAR} r, }" + # verify combinations of different priority levels # for single rule comparisons, rules should keep same expected result # even when the priorities are different.
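Review bot: The relocated block in the `@@ -1076,6 +1054,29 @@` hunk sits between the `priority=-1 audit deny` comparison and the existing `# verify combinations of different priority levels` comment, so the tests labelled `# Tests that do not use priority keywords at all` end up in the middle of the priority tests. Placing them at the start or end of run_tests would make the grouping match the new comment. The blank line that preceded `# verify comment at end of variable assignment is not treated as a value` was dropped in the move, and restoring it separates that comment from the attachment test above it. These cases were previously inside the priority helper and presumably ran once per priority combination; if running them only once is intended, the commit message should say so. run_tests continues outside this hunk.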