Diffstat (limited to 'internal/namespace')
-rw-r--r--internal/namespace/namespace.go32
1 files changed, 20 insertions, 12 deletions
diff --git a/internal/namespace/namespace.go b/internal/namespace/namespace.go
index a50f70a..45eba73 100644
--- a/internal/namespace/namespace.go
+++ b/internal/namespace/namespace.go
@@ -26,9 +26,9 @@ import (
"fmt"
"net"
"os"
- "os/exec"
"syscall"
+ "git.theodohertyfamily.com/wg-wrap/internal/network"
"golang.org/x/sys/unix"
)
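Review bot: The new `"git.theodohertyfamily.com/wg-wrap/internal/network"` import is placed directly after `"syscall"` with no separating blank line, so the standard-library and module import groups are merged; goimports convention is a blank line after `"syscall"` with the two non-stdlib imports grouped together below it. If the page renderer dropped an empty context line this is moot, but a `gofmt`/`goimports` pass is cheap now that the `os/exec` removal has reshuffled the block. Dropping `os/exec` also removes the PATH-dependent lookup of the external `ip` binary that the old `exec.Command("ip", "link")` relied on, so the isolation check no longer depends on whatever `ip` resolves to at run time; that is worth stating in the commit message as the motivation rather than leaving it implicit.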
@@ -50,21 +50,29 @@ func VerifyIsolation() (bool, string) {
// 2. Check Network Isolation
// We expect a fresh network namespace to have only the loopback interface.
- // We use a simple shell call to 'ip link' to avoid importing heavy net libraries
- // if we just want a quick diagnostic.
- cmd := exec.Command("ip", "link")
- out, err := cmd.CombinedOutput()
+ interfaces, err := network.ListInterfaces()
if err != nil {
- return false, fmt.Sprintf("failed to execute ip link: %v", err)
+ return false, fmt.Sprintf("failed to list interfaces: %v", err)
}
// In a fresh netns, we typically only see 'lo'.
- // We check if any common host interfaces (eth, wlan, br, enp) appear.
- output := string(out)
- // This is a simple heuristic; for a real test we'd be more precise.
- // We are looking for evidence of host interfaces.
- if len(output) == 0 {
- return false, "ip link returned no output"
+ // If we see more than just loopback, or loopback is missing, it might not be isolated.
+ if len(interfaces) == 0 {
+ return false, "no network interfaces found"
+ }
+
+ hasLo := false
+ for _, iface := range interfaces {
+ if iface.Name == "lo" {
+ hasLo = true
+ } else {
+ // If we find any other interface (eth0, wlan0, etc.), we aren't isolated.
+ return false, fmt.Sprintf("detected non-isolated interface: %s", iface.Name)
+ }
+ }
+
+ if !hasLo {
+ return false, "loopback interface missing"
}
// 3. Check Filesystem Transparency