mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00

parser: equality tests: update deny x perm carve out test

With priority rules, deny does not carve out permissions from the
higher priority rule. Technically it doesn't from lower priority either
as it completely overrides them, but that case already results in
an inequality so does not cause the tests to fail.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 25f16b239d735023f2010d43f529fd79cd28326b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2024-12-17 07:55:43 -08:00
parent 86273b746a
commit b4aa2cfde4


@ -671,9 +671,17 @@ do
"/t { $p2 /f* ${perm1}, /a px -> b, /c px -> /t//b, }"
fi
done
if priority_gt "$p1" "" ; then
# priority stops permission carve out
verify_binary_equality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
"/t { $p1 /* ${perm1}, audit deny /f x, }" \
"/t { $p2 /* ${perm1}, }"
else
# deny rule carves out some of the match
verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
"/t { $p1 /* ${perm1}, audit deny /f x, }" \
"/t { $p2 /* ${perm1}, }"
fi
done
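Review bot: the comment on the `else` branch, `# deny rule carves out some of the match`, does not match the commit message for the case where `$p1` is a lower priority than the deny rule: there the deny completely overrides the allow rather than carving part of it out, and the test only passes because that case also yields an inequality. Suggest wording the comment to cover both cases, for example `# deny rule carves out (or, at lower priority, overrides) part of the match`. A second, smaller point: both branches pass the identical description string `"'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob"` to `verify_binary_equality` and `verify_binary_inequality`, so a failure report does not say which expectation (equality under priority, inequality without) was being checked; appending something like `(priority: no carve out)` in the first branch would make failures self-explaining.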