fix(runtime): enforce offline networking in exec

2026-03-26 21:43:09 +00:00 · 2026-02-25 13:32:39 +01:00 · 2026-02-25 13:32:39 +01:00 · f320608175
commit f320608175
parent e77bc35b2a
2 changed files with 2 additions and 2 deletions
--- a/crates/karapace-runtime/src/namespace.rs
+++ b/crates/karapace-runtime/src/namespace.rs
@ -294,7 +294,7 @@ impl RuntimeBackend for NamespaceBackend {
        let rootfs = image_cache.rootfs_path(&resolved.cache_key);

        let mut sandbox = SandboxConfig::new(rootfs, &spec.env_id, &env_dir);
-        sandbox.isolate_network = spec.manifest.network_isolation;
+        sandbox.isolate_network = spec.offline || spec.manifest.network_isolation;

        let host = compute_host_integration(&spec.manifest);
        sandbox.bind_mounts.extend(host.bind_mounts);
--- a/crates/karapace-runtime/src/oci.rs
+++ b/crates/karapace-runtime/src/oci.rs
@ -416,7 +416,7 @@ impl RuntimeBackend for OciBackend {
        let rootfs = image_cache.rootfs_path(&resolved.cache_key);

        let mut sandbox = SandboxConfig::new(rootfs, &spec.env_id, &env_dir);
-        sandbox.isolate_network = spec.manifest.network_isolation;
+        sandbox.isolate_network = spec.offline || spec.manifest.network_isolation;

        let host = compute_host_integration(&spec.manifest);
        sandbox.bind_mounts.extend(host.bind_mounts);