smack-test: add smack tests from meta-intel-iot-security

ported over smack tests

Signed-off-by: Armin Kuster <akuster808@gmail.com>

15 files changed, 835 insertions, 0 deletions

diff --git a/recipes-mac/smack/mmap-smack-test/mmap.c b/recipes-mac/smack/mmap-smack-test/mmap.c
new file mode 100644
index 0000000..f358d27
--- /dev/null
+++ b/recipes-mac/smack/mmap-smack-test/mmap.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+    printf("Original test program removed while investigating its license.\n");
+    return 1;
+}
diff --git a/recipes-mac/smack/mmap-smack-test_1.0.bb b/recipes-mac/smack/mmap-smack-test_1.0.bb
new file mode 100644
index 0000000..9d11509
--- /dev/null
+++ b/recipes-mac/smack/mmap-smack-test_1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Mmap binary used to test smack mmap attribute"
+DESCRIPTION = "Mmap binary used to test smack mmap attribute"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://mmap.c" 
+
+S = "${WORKDIR}"
+do_compile() {
+    ${CC} mmap.c ${LDFLAGS} -o mmap_test
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    install -m 0755 mmap_test ${D}${bindir}
+}
diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py
new file mode 100644
index 0000000..f0eb0b5
--- /dev/null
+++ b/recipes-mac/smack/smack-test/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual: 
+# """By  default,  each  user  in Debian GNU/Linux is given a corresponding group 
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+        uid = int(sys.argv[1])
+        sys.argv.pop(1)
+        label = sys.argv[1]
+        sys.argv.pop(1)
+        open("/proc/self/attr/current", "w").write(label)
+        path=sys.argv[1]
+        sys.argv.pop(0)
+        os.setgid(uid)
+        os.setuid(uid)  
+        os.execv(path,sys.argv)
+
+except Exception,e:
+        print e.message
+        sys.exit(1)
diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh
new file mode 100644
index 0000000..5a0ce84
--- /dev/null
+++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+#        12345678901234567890123456789012345678901234567890123456
+delrule="TheOne                  TheOther                -----"
+rule_ro="TheOne                  TheOther                r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+        echo "Process with different label than the test file and no read access on it can read it"
+        exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+        echo "Process with different label than the test file but with read access on it cannot read it"
+        exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+        echo  "Process cannot read file with * label"
+        exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+        echo "Process with label '*' should not have any access"
+        exit $RC
+fi
+exit 0
diff --git a/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
new file mode 100644
index 0000000..26d9e9d
--- /dev/null
+++ b/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+        # restore proper label
+        echo $initial_label >/proc/self/attr/current
+        echo "Privileged process could not change its label"
+        exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
\ No newline at end of file
diff --git a/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/recipes-mac/smack/smack-test/test_smack_onlycap.sh
new file mode 100644
index 0000000..1c4a93a
--- /dev/null
+++ b/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`               
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+        echo "Onlycap label could not be set"
+        return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+        echo "Onlycap label was not set correctly."
+        return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb
new file mode 100644
index 0000000..7cf8f2e
--- /dev/null
+++ b/recipes-mac/smack/smack-test_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Smack test scripts"
+DESCRIPTION = "Smack scripts"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = " \
+           file://notroot.py \
+           file://smack_test_file_access.sh \
+           file://test_privileged_change_self_label.sh \
+           file://test_smack_onlycap.sh \
+" 
+
+S = "${WORKDIR}"
+
+do_install() {
+    install -d ${D}${sbindir}
+    install -m 0755 notroot.py ${D}${sbindir}
+    install -m 0755 *.sh ${D}${sbindir}
+}
+
+RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
diff --git a/recipes-mac/smack/tcp-smack-test/tcp_client.c b/recipes-mac/smack/tcp-smack-test/tcp_client.c
new file mode 100644
index 0000000..185f973
--- /dev/null
+++ b/recipes-mac/smack/tcp-smack-test/tcp_client.c
@@ -0,0 +1,111 @@
+// (C) Copyright 2015 Intel Corporation

+//

+// Permission is hereby granted, free of charge, to any person obtaining a copy

+// of this software and associated documentation files (the "Software"), to deal

+// in the Software without restriction, including without limitation the rights

+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+// copies of the Software, and to permit persons to whom the Software is

+// furnished to do so, subject to the following conditions:

+//

+// The above copyright notice and this permission notice shall be included in

+// all copies or substantial portions of the Software.

+//

+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+// THE SOFTWARE.

+#include <stdio.h>

+#include <sys/socket.h>

+#include <sys/types.h>

+#include <errno.h>

+#include <netinet/in.h>

+#include <unistd.h>

+#include <netdb.h>

+#include <string.h>

+#include <sys/xattr.h>

+

+int main(int argc, char* argv[])

+{

+

+        int sock;

+        char message[255] = "hello";

+        struct sockaddr_in server_addr;

+        char* label_in;

+        char* label_out;

+        char* attr_out = "security.SMACK64IPOUT";

+        char* attr_in = "security.SMACK64IPIN";

+        char out[256];

+        int port;

+

+        struct timeval timeout;

+        timeout.tv_sec = 15;

+        timeout.tv_usec = 0;

+

+        struct hostent*  host = gethostbyname("localhost");

+

+        if (argc != 4)

+        {

+                perror("Client: Arguments missing, please provide socket labels");

+                return 2;

+        }

+

+        port = atoi(argv[1]);

+        label_in = argv[2];

+        label_out = argv[3];

+

+        if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)

+        {

+                perror("Client: Socket failure");

+                return 2;

+        }

+

+

+        if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)

+        {

+                perror("Client: Unable to set attribute SMACK64IPOUT");

+                return 2;

+        }

+

+        if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)

+        {

+                perror("Client: Unable to set attribute SMACK64IPIN");

+                return 2;

+        }

+

+        server_addr.sin_family = AF_INET;

+        server_addr.sin_port = htons(port);

+        bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);

+        bzero(&(server_addr.sin_zero),8);

+        

+        if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)

+        {

+                perror("Client: Set timeout failed\n");

+                return 2;

+        }

+        

+        if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)

+        {

+                perror("Client: Connection failure");

+                        close(sock);

+                return 1;

+        }

+

+

+        if(write(sock, message, strlen(message)) < 0)

+        {

+                perror("Client: Error sending data\n");

+                close(sock);

+                return 1;

+        }

+        close(sock);

+        return 0;

+}

+

+

+

+

+

+

diff --git a/recipes-mac/smack/tcp-smack-test/tcp_server.c b/recipes-mac/smack/tcp-smack-test/tcp_server.c
new file mode 100644
index 0000000..9285dc6
--- /dev/null
+++ b/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -0,0 +1,118 @@
+// (C) Copyright 2015 Intel Corporation

+//

+// Permission is hereby granted, free of charge, to any person obtaining a copy

+// of this software and associated documentation files (the "Software"), to deal

+// in the Software without restriction, including without limitation the rights

+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+// copies of the Software, and to permit persons to whom the Software is

+// furnished to do so, subject to the following conditions:

+//

+// The above copyright notice and this permission notice shall be included in

+// all copies or substantial portions of the Software.

+//

+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+// THE SOFTWARE.

+#include <stdio.h>

+#include <sys/socket.h>

+#include <sys/types.h>

+#include <errno.h>

+#include <netinet/in.h>

+#include <unistd.h>

+#include <string.h>

+

+int main(int argc, char* argv[])

+{

+

+        int sock;

+        int clientsock;

+        char message[255];

+        socklen_t client_length;

+        struct sockaddr_in server_addr, client_addr;

+        char* label_in;

+        char* attr_in = "security.SMACK64IPIN";

+        int port;

+

+        struct timeval timeout;

+        timeout.tv_sec = 15;

+        timeout.tv_usec = 0;

+

+        if (argc != 3)

+        {

+                perror("Server: Argument missing please provide port and label for SMACK64IPIN");

+                return 2;

+        }

+        

+        port = atoi(argv[1]);

+        label_in = argv[2];

+        bzero(message,255);

+

+        

+        if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)

+        {

+                perror("Server: Socket failure");

+                return 2;

+        }

+        

+        

+        if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)

+        {

+                perror("Server: Unable to set attribute ipin 2");

+                return 2;

+        }

+

+        server_addr.sin_family = AF_INET;         

+        server_addr.sin_port = htons(port);     

+        server_addr.sin_addr.s_addr = INADDR_ANY; 

+        bzero(&(server_addr.sin_zero),8); 

+

+        if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)

+        {

+                perror("Server: Set timeout failed\n");

+                return 2;

+        }

+

+        if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)

+        {

+                perror("Server: Bind failure ");

+                return 2;

+        }

+

+        listen(sock, 1);

+        client_length = sizeof(client_addr);

+

+        clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);

+

+        if (clientsock < 0)

+        {

+                perror("Server: Connection failed");

+                close(sock);

+                return 1;

+        }

+        

+

+        if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)

+        {

+                perror(" Server: Unable to set attribute ipin 2");

+                close(sock);

+                return 2;

+        }

+

+        if(read(clientsock, message, 254) < 0)

+        {

+                perror("Server: Error when reading from socket");

+                close(clientsock);

+                close(sock);

+                return 1;

+        }

+

+

+        close(clientsock);

+        close(sock);

+

+        return 0;

+}

diff --git a/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
new file mode 100644
index 0000000..ed18f23
--- /dev/null
+++ b/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+        if [ -f "/tmp/tcp_server" ]; then
+                tcp_server="/tmp/tcp_server"
+        else
+                echo "tcp_server binary not found"
+                exit 1
+        fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+        if [ -f "/tmp/tcp_client" ]; then
+                tcp_client="/tmp/tcp_client"
+        else
+                echo "tcp_client binary not found"
+                exit 1
+        fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+        echo "Sockets with different labels should not communicate on tcp"
+        exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Sockets with different labels, but having rw access, should communicate on tcp"
+        exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1  2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Sockets with same labels should communicate on tcp"
+        exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Should have access on tcp socket labeled star (*)"
+        exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o  $client_rv -eq 0 ]; then
+        echo "Socket labeled star should not have access to any tcp socket"
+        exit 1
+fi
diff --git a/recipes-mac/smack/tcp-smack-test_1.0.bb b/recipes-mac/smack/tcp-smack-test_1.0.bb
new file mode 100644
index 0000000..d2b3f6b
--- /dev/null
+++ b/recipes-mac/smack/tcp-smack-test_1.0.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Binary used to test smack tcp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://tcp_server.c \
+           file://tcp_client.c \
+           file://test_smack_tcp_sockets.sh \
+" 
+
+S = "${WORKDIR}"
+
+do_compile() {
+    ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
+    ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    install -d ${D}${sbindir}
+    install -m 0755 tcp_server ${D}${bindir}
+    install -m 0755 tcp_client ${D}${bindir}
+    install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir}
+}
diff --git a/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
new file mode 100644
index 0000000..419ab9f
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+        if [ -f "/tmp/udp_server" ]; then
+                udp_server="/tmp/udp_server"
+        else
+                echo "udp_server binary not found"
+                exit 1
+        fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+        if [ -f "/tmp/udp_client" ]; then
+                udp_client="/tmp/udp_client"
+        else
+                echo "udp_client binary not found"
+                exit 1
+        fi
+fi
+
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+        echo "Sockets with different labels should not communicate on udp"
+        exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Sockets with different labels, but having rw access, should communicate on udp"
+        exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Sockets with same labels should communicate on udp"
+        exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+        echo "Should have access on udp socket labeled star (*)"
+        exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+        echo "Socket labeled star should not have access to any udp socket"
+        exit 1
+fi
diff --git a/recipes-mac/smack/udp-smack-test/udp_client.c b/recipes-mac/smack/udp-smack-test/udp_client.c
new file mode 100644
index 0000000..4d3afbe
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation

+//

+// Permission is hereby granted, free of charge, to any person obtaining a copy

+// of this software and associated documentation files (the "Software"), to deal

+// in the Software without restriction, including without limitation the rights

+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+// copies of the Software, and to permit persons to whom the Software is

+// furnished to do so, subject to the following conditions:

+//

+// The above copyright notice and this permission notice shall be included in

+// all copies or substantial portions of the Software.

+//

+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+// THE SOFTWARE.

+#include <sys/socket.h>

+#include <stdio.h>

+#include <netinet/in.h>

+#include <netdb.h>

+#include <string.h>

+

+int main(int argc, char* argv[])

+{

+        char* message = "hello";

+        int sock, ret;

+        struct sockaddr_in server_addr;

+        struct hostent*  host = gethostbyname("localhost");

+        char* label;

+        char* attr = "security.SMACK64IPOUT";

+        int port;

+        if (argc != 3)

+        {

+                perror("Client: Argument missing, please provide port and  label for SMACK64IPOUT");

+                return 2;

+        }

+

+        port = atoi(argv[1]);

+        label = argv[2];

+        sock = socket(AF_INET, SOCK_DGRAM,0);

+        if(sock < 0)

+        {

+                perror("Client: Socket failure");

+                return 2;

+        }

+        

+

+        if(fsetxattr(sock, attr, label, strlen(label),0) < 0)

+        {

+                perror("Client: Unable to set attribute ");

+                return 2;

+        }

+

+

+        server_addr.sin_family = AF_INET;

+        server_addr.sin_port = htons(port);

+        bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);

+        bzero(&(server_addr.sin_zero),8);

+        

+        ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,

+                        sizeof(struct sockaddr_in));

+

+        close(sock);

+        if(ret < 0)

+        {

+                perror("Client: Error sending message\n");

+                return 1;

+        }

+        

+        return 0;

+}

+

diff --git a/recipes-mac/smack/udp-smack-test/udp_server.c b/recipes-mac/smack/udp-smack-test/udp_server.c
new file mode 100644
index 0000000..cbab71e
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation

+//

+// Permission is hereby granted, free of charge, to any person obtaining a copy

+// of this software and associated documentation files (the "Software"), to deal

+// in the Software without restriction, including without limitation the rights

+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+// copies of the Software, and to permit persons to whom the Software is

+// furnished to do so, subject to the following conditions:

+//

+// The above copyright notice and this permission notice shall be included in

+// all copies or substantial portions of the Software.

+//

+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+// THE SOFTWARE.

+#include <sys/socket.h>

+#include <stdio.h>

+#include <netinet/in.h>

+#include <netdb.h>

+#include <string.h>

+

+int main(int argc, char* argv[])

+{

+        int sock,ret;

+        struct sockaddr_in server_addr, client_addr;

+        socklen_t len;

+        char message[5];

+        char* label;

+        char* attr = "security.SMACK64IPIN";

+        int port;

+

+        if(argc != 3)

+        {

+                perror("Server: Argument missing, please provide port and label for SMACK64IPIN");

+                return 2;

+        }

+        

+        port = atoi(argv[1]);

+        label = argv[2];

+

+        struct timeval timeout;

+        timeout.tv_sec = 15;

+        timeout.tv_usec = 0;

+

+        sock = socket(AF_INET,SOCK_DGRAM,0);

+        if(sock < 0)

+        {

+                perror("Server: Socket error");

+                return 2;

+        }

+        

+

+        if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)

+        {

+                perror("Server: Unable to set attribute ");

+                return 2;

+        }

+

+        server_addr.sin_family = AF_INET;         

+        server_addr.sin_port = htons(port);     

+        server_addr.sin_addr.s_addr = INADDR_ANY; 

+        bzero(&(server_addr.sin_zero),8); 

+        

+

+        if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)

+        {

+                perror("Server: Set timeout failed\n");

+                return 2;

+        }

+

+        if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)

+        {

+                perror("Server: Bind failure");

+                return 2;

+        }

+

+        len = sizeof(client_addr);

+        ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,

+                                        &len);

+        close(sock);

+        if(ret < 0)

+        {

+                perror("Server: Error receiving");

+                return 1;

+

+        }

+        return 0;

+}

+

diff --git a/recipes-mac/smack/udp-smack-test_1.0.bb b/recipes-mac/smack/udp-smack-test_1.0.bb
new file mode 100644
index 0000000..9193f89
--- /dev/null
+++ b/recipes-mac/smack/udp-smack-test_1.0.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Binary used to test smack udp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://udp_server.c \
+           file://udp_client.c \
+           file://test_smack_udp_sockets.sh \
+" 
+
+S = "${WORKDIR}"
+do_compile() {
+    ${CC} udp_client.c ${LDFLAGS} -o udp_client
+    ${CC} udp_server.c ${LDFLAGS} -o udp_server
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    install -d ${D}${sbindir}
+    install -m 0755 udp_server ${D}${bindir}
+    install -m 0755 udp_client ${D}${bindir}
+    install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir}
+}