Option to disable network access in the sandbox

[comunidadio]

Summary

It's not obvious right now how to launch a sandbox without any network access.
It seems the easiest workaround would be --allow-host with a non-existing host... but that looks a bit ugly.

Why

Some usages do not, or should not, have (external) network access at all.
Eg. running a command in a sandbox and getting results via stdout.

How (optional)

Perhaps --deny-net option in the CLI, DenyNetwork: bool in SDK's Config objects.

Not sure if it's doable or sensible to not have eth0 at all inside the VM (just lo) ?
If not possible due to host<->agent comm, perhaps eth0 could be limited to the guest-agent cgroup in this case?

Regardless if keeping eth0 in sandbox is necessary or makes sense, the option would completely disable network egress.

[jingkaihe]

@comunidadio this is on main now. As for now the solution is to not give a network interface at all.

Note that there is a breaking changes introduced in the recent 0.1.23 release with a new overlay fs backend. I'd advice you to do:

• matchlock kill --all
• matchlock prune
• rm -rf ~/.matchlock
• rm -rf ~/.cache/matchlock

As the release note has suggested.

Will defo avoid breaking changes once things are stablised. Admittedly right now it is still at alpha stage, perhaps this is something I should make it clear from the semver from the get-go.

[comunidadio]

@jingkaihe Thanks for the heads up, I would have certainly missed the cleanup steps. ADR-003 looks interesting, I'll read up on that and erofs.

Tested --no-network. Works great!

Added a couple minor comments on the PR that may be worth to consider:
#64 (comment)
#64 (comment)

[comunidadio]

Interesting sidenote, with --no-network a limited user can now run matchlock without CAP_NET_ADMIN - sidestepping #45 if the use case only requires i/o via stdout/mounts.