From bf7b80c478071382c8ef9aef3905a32597ae9e1f Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 17 Dec 2024 08:21:20 -0800
Subject: [PATCH] parser: equality tests: fix r carve out tests

Similar to the deny x permission tests, the tests that test carving out r permissions need to be updated to be conditional on what priority is being used on the rule.

Signed-off-by: John Johansen
---
 parser/tst/equality.sh | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 73ce43a91..556582191 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -686,20 +686,49 @@ do
 done
 #Test deny carves out permission
-verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
+if priority_gt "$p1" "" ; then
+ verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
 "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
 "/t { $p2 /foo/[abc] r, }"
-verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+ verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
 "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
 "/t { $p2 /foo/[ac] r, }"
 #this one may not be true in the future depending on if the compiled profile
 #is explicitly including deny permissions for dynamic composition
-verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
+ verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
 "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
 "/t { $p2 /foo/[abc] r, }"
+elif priority_eq "$p1" "" ; then
+ verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+ "/t { $p2 /foo/[abc] r, }"
+ verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+ "/t { $p2 /foo/[ac] r, }"
+
+#this one may not be true in the future depending on if the compiled profile
+#is explicitly including deny permissions for dynamic composition
+ verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
+ "/t { $p2 /foo/[abc] r, }"
+else
+ verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+ "/t { $p2 /foo/[abc] r, }"
+
+ verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \
+ "/t { $p2 /foo/[ac] r, }"
+
+#this one may not be true in the future depending on if the compiled profile
+#is explicitly including deny permissions for dynamic composition
+ verify_binary_inequality "'$p1'x'$p2' Deny of ungranted perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
+ "/t { $p2 /foo/[abc] r, }"
+fi
 verify_binary_equality "'$p1'x'$p2' change_profile == change_profile -> **" \
 "/t { $p1 change_profile, }" \
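Review bot: The new `if priority_gt … elif priority_eq … else` block carries no comment saying why each priority case flips the expected result, and the copied `#this one may not be true in the future…` comment now also sits above `verify_binary_inequality` in the `else` branch, where the assertion is the opposite of the one it was written for. These checks pin down when an `audit deny` rule actually removes a permission from the compiled policy, so each branch should state the rule it encodes, for example `# allow rule outranks the default-priority deny: deny /foo/b r does not carve out r` above the first branch (wording to be confirmed against `priority_gt`, which is defined outside this hunk). The equality and inequality checks in every branch also share the description `Deny removes r perm`; if that string is what the helpers print on failure, a failing run cannot be traced to a branch, so distinct descriptions such as `Deny does not remove r perm (priority > default)` would help. The trailing `change_profile` statement continues outside the hunk.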