base: Support network isolation with cbuildrt

managarm · Feb 14, 2024 · 04c72bc · 04c72bc
1 parent 1d43a2a
commit 04c72bc
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/xbstrap/base.py b/xbstrap/base.py
@@ -342,6 +342,12 @@ def mandate_hashes_for_archives(self):
             return False
         return self._root_yml["general"].get("mandate_hashes_for_archives", False)
 
+    @property
+    def enable_network_isolation(self):
+        if "general" not in self._root_yml:
+            return False
+        return self._root_yml["general"].get("enable_network_isolation", False)
+
     @property
     def xbstrap_mirror(self):
         return self._commit_yml.get("general", dict()).get("xbstrap_mirror", None)
@@ -587,6 +593,10 @@ def workdir(self):
     def containerless(self):
         return self._step_yml.get("containerless", False) or self._containerless
 
+    @property
+    def isolate_network(self):
+        return self._step_yml.get("isolate_network")
+
     @property
     def quiet(self):
         if "quiet" not in self._step_yml:
@@ -1747,6 +1757,7 @@ def run_program(
     extra_environ=dict(),
     for_package=False,
     containerless=False,
+    isolate_network=False,
     quiet=False,
     cargo_home=True,
 ):
@@ -2009,6 +2020,7 @@ def run_program(
                 "user": {"uid": container_yml["uid"], "gid": container_yml["gid"]},
                 "process": {"args": ["xbstrap", "execute-manifest", "-c", yaml.dump(manifest)]},
                 "rootfs": container_yml["rootfs"],
+                "isolateNetwork": isolate_network,
                 "bindMounts": [
                     {"destination": container_yml["src_mount"], "source": cfg.source_root},
                     {"destination": container_yml["build_mount"], "source": cfg.build_root},
@@ -2041,6 +2053,9 @@ def run_program(
 
 
 def run_step(cfg, context, subject, step, tool_pkgs, virtual_tools, for_package=False):
+    isolate_network = step.isolate_network
+    if isolate_network is None:
+        isolate_network = cfg.enable_network_isolation
     run_program(
         cfg,
         context,
@@ -2052,6 +2067,7 @@ def run_step(cfg, context, subject, step, tool_pkgs, virtual_tools, for_package=
         extra_environ=step.environ,
         for_package=for_package,
         containerless=step.containerless,
+        isolate_network=isolate_network,
         quiet=step.quiet and not verbosity,
         cargo_home=step.cargo_home,
     )

diff --git a/xbstrap/schema.yml b/xbstrap/schema.yml
@@ -136,6 +136,7 @@ definitions:
                     additionalProperties:
                         type: string
                 'containerless': { type: boolean }
+                'isolate_network': { type: boolean }
                 'quiet':
                     type: boolean
                 'cargo_home':
@@ -161,6 +162,8 @@ properties:
                 type: string
             'everything_by_default':
                 type: boolean
+            'enable_network_isolation':
+                type: boolean
             'mandate_hashes_for_archives':
                 type: boolean
             'cargo':