From 4ca1f0db91cf72340ee07d8cd4225443acedd17b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?=
Date: Sat, 17 Aug 2013 20:18:35 +0200
Subject: [PATCH 2/4] Disable networking only if FEATURES=network-sandbox.
---
 man/make.conf.5 | 4 ++++
 pym/portage/const.py | 3 ++-
 pym/portage/package/ebuild/doebuild.py | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/man/make.conf.5 b/man/make.conf.5
index 63e2097..461172c 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -415,6 +415,10 @@ isn't a symlink to /usr/lib64. To find the bad packages, we have a portage
 feature called \fImultilib\-strict\fR. It will prevent emerge from putting
 64bit libraries into anything other than (/usr)/lib64.
 .TP
+.B network\-sandbox
+Isolate the ebuild phase functions from host network interfaces.
+Supported only on Linux. Requires network namespace support in kernel.
+.TP
 .B news
 Enable GLEP 42 news support. See
 \fIhttp://www.gentoo.org/proj/en/glep/glep-0042.html\fR.
diff --git a/pym/portage/const.py b/pym/portage/const.py
index bd55cb1..cde0079 100644
--- a/pym/portage/const.py
+++ b/pym/portage/const.py
@@ -104,7 +104,8 @@ SUPPORTED_FEATURES = frozenset([
 "fail-clean", "force-mirror", "force-prefix", "getbinpkg",
 "installsources", "keeptemp", "keepwork", "fixlafiles",
 "lmirror", "merge-sync",
- "metadata-transfer", "mirror", "multilib-strict", "news",
+ "metadata-transfer", "mirror", "multilib-strict",
+ "network-sandbox", "news",
 "noauto", "noclean", "nodoc", "noinfo", "noman", "nostrip",
 "notitles", "parallel-fetch", "parallel-install",
 "prelink-checksums", "preserve-libs",
diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py
index 59a0474..a35e717 100644
--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -1460,7 +1460,7 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero
 features = mysettings.features
 # Unshare network namespace to keep ebuilds sanitized
- if not networked and uid == 0 and platform.system() == 'Linux':
+ if not networked and uid == 0 and platform.system() == 'Linux' and "network-sandbox" in features:
 keywords['unshare_net'] = True
 # TODO: Enable fakeroot to be used together with droppriv. The
-- 
1.8.3.2
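Review bot: The added `"network-sandbox" in features` clause makes isolation opt-in, but when the feature is requested and one of the other conditions fails (uid is not 0, or `platform.system()` is not 'Linux') the new line silently leaves `keywords['unshare_net']` unset, so the ebuild phase runs with full network access although the user asked for a sandbox. Consider testing the feature first and reporting the unmet requirement, e.g. `if not networked and "network-sandbox" in features:` / `if uid == 0 and platform.system() == 'Linux':` / `keywords['unshare_net'] = True`, with an `else` branch that emits a warning saying network-sandbox is enabled but cannot be applied on this host. The man page hunk additionally requires kernel namespace support; whether a failed unshare is reported to the user is decided where `unshare_net` is consumed, which is outside this hunk, so it is worth confirming that path does not fail open silently either. Splitting the condition this way also keeps the line well under the width of the rest of the file. spawn's definition begins and ends outside the hunk.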