From c5925fd185dfd0436429a5d209c5de1880dde3c9 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Tue, 28 Jul 2020 13:00:45 +0200
Subject: [PATCH] buildroot: unshare the network

Run the container in a new network namespace, to isolate the host's network from that of the container. Stages, assemblers and the tools they execute are not supposed to assume network access is available and this isolation will make sure of that.
---
 osbuild/buildroot.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/osbuild/buildroot.py b/osbuild/buildroot.py
index 486d8e73..e9220b2a 100644
--- a/osbuild/buildroot.py
+++ b/osbuild/buildroot.py
@@ -188,6 +188,7 @@ class BuildRoot(contextlib.AbstractContextManager):
 "--setenv", "PYTHONPATH", "/run/osbuild/lib",
 "--unshare-ipc",
 "--unshare-pid",
+ "--unshare-net"
 ]

 cmd += mounts
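Review bot: The added `"--unshare-net"` element has no trailing comma, unlike the `"--unshare-ipc",` and `"--unshare-pid",` entries directly above it; write it as `"--unshare-net",` so the multi-line list stays consistent and the next flag appended does not have to touch this line. The reason for the flag lives only in the commit message, so a why-comment on the line would help the next maintainer, e.g. `# fresh network namespace: stages and assemblers must not rely on host network access`. A freshly unshared network namespace presumably has only a down loopback interface and bwrap does not bring it up, so anything a stage runs that expects to reach 127.0.0.1 will fail too — if that is intended, the comment should say so. The enclosing method of BuildRoot starts and ends outside the hunk.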