@@ -, +, @@ --- man/make.conf.5 | 4 ++++ pym/portage/const.py | 3 ++- pym/portage/package/ebuild/doebuild.py | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) --- a/man/make.conf.5 +++ a/man/make.conf.5 @@ -415,6 +415,10 @@ isn't a symlink to /usr/lib64. To find the bad packages, we have a portage feature called \fImultilib\-strict\fR. It will prevent emerge from putting 64bit libraries into anything other than (/usr)/lib64. .TP +.B network\-sandbox +Isolate the ebuild phase functions from host network interfaces. +Supported only on Linux. Requires network namespace support in kernel. +.TP .B news Enable GLEP 42 news support. See \fIhttp://www.gentoo.org/proj/en/glep/glep-0042.html\fR. --- a/pym/portage/const.py +++ a/pym/portage/const.py @@ -104,7 +104,8 @@ SUPPORTED_FEATURES = frozenset([ "fail-clean", "force-mirror", "force-prefix", "getbinpkg", "installsources", "keeptemp", "keepwork", "fixlafiles", "lmirror", "merge-sync", - "metadata-transfer", "mirror", "multilib-strict", "news", + "metadata-transfer", "mirror", "multilib-strict", + "network-sandbox", "news", "noauto", "noclean", "nodoc", "noinfo", "noman", "nostrip", "notitles", "parallel-fetch", "parallel-install", "prelink-checksums", "preserve-libs", --- a/pym/portage/package/ebuild/doebuild.py +++ a/pym/portage/package/ebuild/doebuild.py @@ -1460,7 +1460,7 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero features = mysettings.features # Unshare network namespace to keep ebuilds sanitized - if not networked and uid == 0 and platform.system() == 'Linux': + if not networked and uid == 0 and platform.system() == 'Linux' and "network-sandbox" in features: keywords['unshare_net'] = True # TODO: Enable fakeroot to be used together with droppriv. The --
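Review bot: In the `spawn()` hunk of doebuild.py, the condition with the added `"network-sandbox" in features` test still skips the unshare silently when `uid != 0` or the platform is not Linux, so a user who sets FEATURES=network-sandbox can end up running ebuild phases with host network access and no indication that isolation was not applied. I would emit a one-time warning on that path, or at least extend the comment to `# Unshare the network namespace only when FEATURES="network-sandbox" is set; needs root on Linux, otherwise phases keep host network access`. The diff does not show whether network-sandbox is added to the default FEATURES; if it is not, this change turns the isolation from default-on to opt-in, which the commit message and the make.conf.5 entry should state. The condition line is also long enough that it would read better wrapped in parentheses across two lines. `spawn()` starts and ends outside the hunk.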