From b4aa2cfde47d30d343538a0f2914b8e2e09014f5 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 17 Dec 2024 07:55:43 -0800
Subject: [PATCH] parser: equality tests: update deny x perm carve out test
With priority rules, deny does not carve out permissions from the higher priority rule. Technically it doesn't from lower priority either as it completely overrides them, but that case already results in an inequality so does not cause the tests to fail.
Signed-off-by: John Johansen
(cherry picked from commit 25f16b239d735023f2010d43f529fd79cd28326b)
Signed-off-by: John Johansen
---
 parser/tst/equality.sh | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index f549d9e98..73ce43a91 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -671,9 +671,17 @@ do
 "/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
 fi
 done
- verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
- "/t { $p1 /* ${perm1}, audit deny /f x, }" \
- "/t { $p2 /* ${perm1}, }"
+ if priority_gt "$p1" "" ; then
+ # priority stops permission carve out
+ verify_binary_equality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
+ "/t { $p1 /* ${perm1}, audit deny /f x, }" \
+ "/t { $p2 /* ${perm1}, }"
+ else
+ # deny rule carves out some of the match
+ verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
+ "/t { $p1 /* ${perm1}, audit deny /f x, }" \
+ "/t { $p2 /* ${perm1}, }"
+ fi
 done
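Review bot: The two branch comments under-describe what each assertion pins, and the new `verify_binary_equality` call reuses the label "most specific match: different from glob" even though it now asserts the profiles compile to the same binary. In the `priority_gt "$p1" ""` branch the test fixes the behaviour that a default-priority `audit deny /f x` leaves no trace in the compiled policy when the allow rule has higher priority. Since the binaries are asserted identical, the `audit` qualifier appears to be dropped along with the deny, so I would spell it out: `# higher-priority allow fully overrides the default-priority deny: no carve-out and no audit of /f remains`. The `else` comment covers only the equal-priority case, but per the commit message a lower-priority `$p1` also lands there because the deny overrides it entirely; something like `# equal priority: deny carves /f out; lower priority: deny overrides the rule - binaries differ either way` would match. The enclosing loops and `priority_gt` are defined outside this hunk, so how it treats the empty (default) priority string is assumed here rather than verified.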