scripts: build_image: Disable network access
Call ReExecuteWithNamespace for build_image to disable network access
by enabling the network namespace as the root user.
BUG=b:233635037
TEST=CQ
Cq-Depend: chromium:3710502
Change-Id: I60db80499fa4341782e1a3916dfa6cbd87b08394
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/chromite/+/3836499
Tested-by: Cindy Lin <xcl@google.com>
Commit-Queue: Cindy Lin <xcl@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/build_api.py b/scripts/build_api.py
index 4b76f1d..b7d8d94 100644
--- a/scripts/build_api.py
+++ b/scripts/build_api.py
@@ -6,6 +6,7 @@
import logging
import os
+import sys
from chromite.api import api_config as api_config_lib
from chromite.api import controller
@@ -14,6 +15,7 @@
from chromite.api.gen.chromite.api import build_api_config_pb2
from chromite.lib import commandline
from chromite.lib import cros_build_lib
+from chromite.lib import namespaces
from chromite.utils import matching
@@ -146,6 +148,10 @@
router = router_lib.GetRouter()
opts = _ParseArgs(argv, router)
+ # For build_image, make sure we run with network disabled to prevent leakage.
+ if opts.service_method == 'chromite.api.ImageService/Create':
+ namespaces.ReExecuteWithNamespace(sys.argv)
+
if opts.config.log_path:
logging.warning('Ignoring log_path config option')
if 'BUILD_API_TEE_LOG_FILE' in os.environ:
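Review bot: The network isolation added under `if opts.service_method == 'chromite.api.ImageService/Create':` relies entirely on the defaults of `ReExecuteWithNamespace`, so nothing at the call site shows that networking is turned off. As far as I recall the helper takes `network` and `preserve_env` keywords (confirm against `chromite/lib/namespaces.py`); writing `namespaces.ReExecuteWithNamespace(sys.argv, network=False)` would keep a later change of default from silently re-enabling network access. The re-exec uses `sys.argv` while the options were parsed from the `argv` parameter, so a caller that passes its own argument list would be re-run with different arguments; a short comment stating that assumption would help. If the re-exec drops the environment by default, please also check that `BUILD_API_TEE_LOG_FILE`, read just below, still reaches the re-executed process. The enclosing function starts and ends outside this hunk.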