From f32060817552f381d3c34e93e0bdcd10d1050b07 Mon Sep 17 00:00:00 2001
From: Marco Allegretti
Date: Wed, 25 Feb 2026 13:32:39 +0100
Subject: [PATCH] fix(runtime): enforce offline networking in exec
---
 crates/karapace-runtime/src/namespace.rs | 2 +-
 crates/karapace-runtime/src/oci.rs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crates/karapace-runtime/src/namespace.rs b/crates/karapace-runtime/src/namespace.rs
index 4538c87..314a88f 100644
--- a/crates/karapace-runtime/src/namespace.rs
+++ b/crates/karapace-runtime/src/namespace.rs
@@ -294,7 +294,7 @@ impl RuntimeBackend for NamespaceBackend {
 let rootfs = image_cache.rootfs_path(&resolved.cache_key);
 let mut sandbox = SandboxConfig::new(rootfs, &spec.env_id, &env_dir);
- sandbox.isolate_network = spec.manifest.network_isolation;
+ sandbox.isolate_network = spec.offline || spec.manifest.network_isolation;
 let host = compute_host_integration(&spec.manifest);
 sandbox.bind_mounts.extend(host.bind_mounts);
diff --git a/crates/karapace-runtime/src/oci.rs b/crates/karapace-runtime/src/oci.rs
index 098e020..1700d70 100644
--- a/crates/karapace-runtime/src/oci.rs
+++ b/crates/karapace-runtime/src/oci.rs
@@ -416,7 +416,7 @@ impl RuntimeBackend for OciBackend {
 let rootfs = image_cache.rootfs_path(&resolved.cache_key);
 let mut sandbox = SandboxConfig::new(rootfs, &spec.env_id, &env_dir);
- sandbox.isolate_network = spec.manifest.network_isolation;
+ sandbox.isolate_network = spec.offline || spec.manifest.network_isolation;
 let host = compute_host_integration(&spec.manifest);
 sandbox.bind_mounts.extend(host.bind_mounts);
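Review bot: The offline override is spelled out twice, at `sandbox.isolate_network = spec.offline || spec.manifest.network_isolation;` in the namespace.rs hunk and again in the oci.rs hunk, so the two backends can drift apart on a security-relevant setting. The enclosing methods start and end outside both hunks, so it is not visible whether other places in these files that build a `SandboxConfig` still read only `spec.manifest.network_isolation`; those are worth checking in the same change. Consider a single helper on the spec type, for example `fn network_isolated(&self) -> bool { self.offline || self.manifest.network_isolation }`, carrying the comment `// offline always forces isolation; the manifest can add isolation but never remove it`. A unit test that sets `offline = true` with `network_isolation = false` and asserts the resulting sandbox is isolated would pin the behaviour for both backends.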