use bvisor::{linux, macos, wasm, windows};
use bvisor::{Enforcement, RequirementKind, SupportMatrix};
/// One expectation about a platform support matrix: the enforcement level the matrix must
/// report as its best case for a given requirement kind.
struct HonestyCell {
    /// Requirement whose best-case verdict is looked up in the matrix.
    kind: RequirementKind,
    /// Enforcement level that verdict must carry for the table to count as honest.
    expected: Enforcement,
}
/// Returns `true` when, for every cell, the enforcement that `matrix` reports as the best
/// case for the cell's requirement kind equals the cell's expected enforcement.
///
/// Cells are checked in slice order and the first mismatch ends the check. An empty `cells`
/// slice yields `true`, so a caller has to pass at least one cell for the result to say
/// anything about the table.
fn table_is_honest(matrix: &SupportMatrix, cells: &[HonestyCell]) -> bool {
    for cell in cells {
        let reported = matrix.best_case_for(cell.kind);
        if reported.enforcement != cell.expected {
            return false;
        }
    }
    true
}
/// Load-bearing expectation for the Linux support matrix: `NetworkAllowList` is reported as
/// `Unsupported`.
fn linux_cells() -> Vec<HonestyCell> {
    let network_allow_list = HonestyCell {
        kind: RequirementKind::NetworkAllowList,
        expected: Enforcement::Unsupported,
    };
    vec![network_allow_list]
}
/// Load-bearing expectations for the wasm support matrix: the three child-spawn kinds,
/// `Kill`, `ExposePath` and `NetworkAllowList` are all reported as `Unsupported`.
fn wasm_cells() -> Vec<HonestyCell> {
    // Every wasm cell carries the same expected level, so only the kind varies per entry.
    let unsupported = |kind: RequirementKind| HonestyCell {
        kind,
        expected: Enforcement::Unsupported,
    };
    vec![
        unsupported(RequirementKind::ChildSpawnDenyNewTasks),
        unsupported(RequirementKind::ChildSpawnAllowThreads),
        unsupported(RequirementKind::ChildSpawnAllowDescendants),
        unsupported(RequirementKind::Kill),
        unsupported(RequirementKind::ExposePath),
        unsupported(RequirementKind::NetworkAllowList),
    ]
}
/// Load-bearing expectations for the Windows support matrix: `ExposePath` and
/// `NetworkAllowList` are both reported as `Mediated`.
fn windows_cells() -> Vec<HonestyCell> {
    let mediated = |kind: RequirementKind| HonestyCell {
        kind,
        expected: Enforcement::Mediated,
    };
    vec![
        mediated(RequirementKind::ExposePath),
        mediated(RequirementKind::NetworkAllowList),
    ]
}
/// Load-bearing expectations for the macOS support matrix: `ExposePath` and
/// `NetworkAllowList` are reported as `Unsupported`, `Filesystem` and `Kill` as `Mediated`.
///
/// The `ExposePath` cell comes first, so it is the first cell `table_is_honest` compares.
fn macos_cells() -> Vec<HonestyCell> {
    let expectations = vec![
        (RequirementKind::ExposePath, Enforcement::Unsupported),
        (RequirementKind::NetworkAllowList, Enforcement::Unsupported),
        (RequirementKind::Filesystem, Enforcement::Mediated),
        (RequirementKind::Kill, Enforcement::Mediated),
    ];
    expectations
        .into_iter()
        .map(|(kind, expected)| HonestyCell { kind, expected })
        .collect()
}
/// Pins the load-bearing cells of each platform's support matrix to their expected
/// enforcement level, so none of them can change without this test failing.
///
/// Platforms are checked in the order linux, wasm, windows, macos. The assertion messages
/// use "Mount" for `ExposePath`, "AllowList" for `NetworkAllowList` and "FS" for
/// `Filesystem`.
#[test]
fn every_platform_table_is_honest_about_load_bearing_cells() {
    let linux_matrix = linux::support_matrix();
    let linux_expected = linux_cells();
    assert!(
        table_is_honest(&linux_matrix, &linux_expected),
        "linux NetworkAllowList must stay Unsupported (v1, no broker)"
    );

    let wasm_matrix = wasm::support_matrix();
    let wasm_expected = wasm_cells();
    assert!(
        table_is_honest(&wasm_matrix, &wasm_expected),
        "wasm Spawn/Kill/Mount/AllowList must stay structurally Unsupported"
    );

    let windows_matrix = windows::support_matrix();
    let windows_expected = windows_cells();
    assert!(
        table_is_honest(&windows_matrix, &windows_expected),
        "windows Mount/AllowList must stay Mediated"
    );

    let macos_matrix = macos::support_matrix();
    let macos_expected = macos_cells();
    assert!(
        table_is_honest(&macos_matrix, &macos_expected),
        "macos Mount/AllowList Unsupported + FS/Kill Mediated must hold"
    );
}
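/// Checks that the honesty predicate bites: a matrix claiming `Enforced` for macOS
/// `ExposePath` ("Mount") must be rejected, both against the full macOS cell list and
/// against the Mount cell on its own.
#[test]
fn honesty_predicate_rejects_a_lying_table() {
    let lying = lying_macos_mount_matrix();
    assert!(
        !table_is_honest(&lying, &macos_cells()),
        "honesty predicate MUST reject a table that claims macOS Mount is Enforced"
    );

    // The fixture defines a verdict for ExposePath only. What it reports for the other macOS
    // kinds is not visible from this file, so the rejection above does not by itself show
    // that the Mount cell is the one that bites. Checking the Mount cell alone pins the
    // rejection to the lie the fixture actually tells.
    let mount_only = [HonestyCell {
        kind: RequirementKind::ExposePath,
        expected: Enforcement::Unsupported,
    }];
    assert!(
        !table_is_honest(&lying, &mount_only),
        "honesty predicate MUST reject the lying table on the macOS Mount cell alone"
    );
}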
/// Builds a deliberately dishonest support matrix for negative tests: its best-case verdict
/// for `ExposePath` is `Enforced`, backed by a `MechanismAttestation` evidence claim.
///
/// The map handed to `SupportMatrix::from_best_case` holds that single entry; no other
/// requirement kind is given a verdict here.
fn lying_macos_mount_matrix() -> SupportMatrix {
    use bvisor::{EvidenceClaim, SupportVerdict};
    use std::collections::BTreeMap;

    let evidence = [EvidenceClaim::MechanismAttestation].into_iter().collect();
    let dishonest_verdict = SupportVerdict::new(Enforcement::Enforced, evidence);

    let mut best_case = BTreeMap::new();
    best_case.insert(RequirementKind::ExposePath, dishonest_verdict);
    SupportMatrix::from_best_case(best_case)
}
/// Red fixture, compiled only when `cfg(gauntlet_red_fixture)` is set.
///
/// It asserts the outcome that must never hold, namely that the lying macOS Mount matrix
/// passes the honesty check. Per its own message, this test is expected to fail.
// NOTE(review): the lying fixture defines a verdict for ExposePath only, so a failure here
// shows that some macOS cell rejected it; confirm separately that the Mount cell is the one
// that bites.
#[cfg(gauntlet_red_fixture)]
#[test]
fn red_fixture_lying_mount_must_escape() {
    let lying = lying_macos_mount_matrix();
    let expected_cells = macos_cells();
    let lie_escaped = table_is_honest(&lying, &expected_cells);
    assert!(
        lie_escaped,
        "RED FIXTURE: asserts the (illegal) lie-escapes outcome; MUST fail because a biting \
         honesty check rejects a macOS-Mount-claimed-Enforced table"
    );
}