+ std::vector<gid_t> actualGids(ret);
+ ret = getgroups(ret, actualGids.data());
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ // remove groups unrelated to privileges
+ const auto allPrivGids = policy.getGid();
+ auto notPrivGid = [&](gid_t gid){
+ return std::find(allPrivGids.begin(), allPrivGids.end(), gid) == allPrivGids.end();
+ };
+ actualGids.erase(std::remove_if(actualGids.begin(), actualGids.end(), notPrivGid),
+ actualGids.end());
+ std::sort(actualGids.begin(), actualGids.end());
+
+ // expected but not allowed
+ std::vector<gid_t> notAllowedGids;
+ std::set_difference(expectedGids.begin(), expectedGids.end(),
+ actualGids.begin(), actualGids.end(),
+ std::back_inserter(notAllowedGids));
+
+ RUNNER_ASSERT_MSG(notAllowedGids.empty(),
+ notAllowedGids.size() << " expected groups were not assigned");
+
+ // allowed but not expected
+ std::vector<gid_t> notDeniedGids;
+ std::set_difference(actualGids.begin(), actualGids.end(),
+ expectedGids.begin(), expectedGids.end(),
+ std::back_inserter(notDeniedGids));
+
+ RUNNER_ASSERT_MSG(notDeniedGids.empty(),
+ notDeniedGids.size() << " unexpected groups were assigned");