Allowing initiation external tasks to use network (to download stuff).

recodex-worker.spec

@@ -1,8 +1,8 @@
 %define name recodex-worker
 %define short_name worker
 %define version 1.6.5
-%define unmangled_version 7c6d02cb9c89bc57e9b8be21f34ba6aff405b965
-%define release 2
+%define unmangled_version 26e4021a8a3afdd51cee8e1ff68d3b95dd1de03a
+%define release 3
 
 %define spdlog_name spdlog
 %define spdlog_version 0.13.0

src/sandbox/isolate_sandbox.cpp

@@ -332,7 +332,10 @@ char **isolate_sandbox::isolate_run_args(const std::string &binary, const std::v
 	} else {
 		vargs.push_back("--processes=" + std::to_string(limits_.processes));
 	}
-	if (limits_.share_net) { vargs.push_back("--share-net"); }
+	if (limits_.share_net) {
+		vargs.push_back("--share-net");
+		vargs.push_back("--dir=/etc"); // shared network requires /etc to work properly
+	}
 	for (auto &i : limits_.environ_vars) { vargs.push_back("--env=" + i.first + "=" + i.second); }
 	for (auto &i : limits_.bound_dirs) {
 		std::string mode = "";

src/tasks/external_task.cpp

@@ -4,6 +4,8 @@
 #include "helpers/filesystem.h"
 #include <fstream>
 #include <algorithm>
+#include <memory>
+#include <string>
 #define BOOST_FILESYSTEM_NO_DEPRECATED
 #define BOOST_NO_CXX11_SCOPED_ENUMS
 #include <boost/filesystem.hpp>
@@ -47,8 +49,12 @@ void external_task::sandbox_init()
 {
 #ifndef _WIN32
 	if (task_meta_->sandbox->name == "isolate") {
+		sandbox_limits limits(*limits_);
+		if (this->get_type() == task_type::INITIATION) {
+			limits.share_net = true; // initiation (compilation) tasks may use internet to download stuff
+		}
 		sandbox_ = std::make_shared<isolate_sandbox>(
-			sandbox_config_, *limits_, worker_config_->get_worker_id(), temp_dir_, evaluation_dir_.string(), logger_);
+			sandbox_config_, limits, worker_config_->get_worker_id(), temp_dir_, evaluation_dir_.string(), logger_);
 	}
 #endif
 }