Add internal linux-sandbox option to create a network namespace with no loopback device, for sandboxed workers.

PiperOrigin-RevId: 515033155
Change-Id: I50eb94b9796eee237360aba97f855741a13ffeec
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
index f84c051..21609de 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
@@ -14,6 +14,9 @@
 
 package com.google.devtools.build.lib.sandbox;
 
+import static com.google.devtools.build.lib.sandbox.LinuxSandboxCommandLineBuilder.NetworkNamespace.NETNS;
+import static com.google.devtools.build.lib.sandbox.LinuxSandboxCommandLineBuilder.NetworkNamespace.NETNS_WITH_LOOPBACK;
+
 import com.google.auto.value.AutoValue;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableList;
@@ -61,7 +64,7 @@
   private List<BindMount> bindMounts = ImmutableList.of();
   private Path statisticsPath;
   private boolean useFakeHostname = false;
-  private boolean createNetworkNamespace = false;
+  private NetworkNamespace createNetworkNamespace = NetworkNamespace.NO_NETNS;
   private boolean useFakeRoot = false;
   private boolean useFakeUsername = false;
   private boolean enablePseudoterminal = false;
@@ -183,9 +186,10 @@
     return this;
   }
 
-  /** Sets whether to create a new network namespace. */
+  /** Sets whether and how to create a new network namespace. */
   @CanIgnoreReturnValue
-  public LinuxSandboxCommandLineBuilder setCreateNetworkNamespace(boolean createNetworkNamespace) {
+  public LinuxSandboxCommandLineBuilder setCreateNetworkNamespace(
+      NetworkNamespace createNetworkNamespace) {
     this.createNetworkNamespace = createNetworkNamespace;
     return this;
   }
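Review bot: The setter accepts any `NetworkNamespace` reference, including null, and the command-line assembly later in this file only adds `-N` or `-n` on an exact match, so a null value silently produces a sandbox with unrestricted network access instead of an error. Since the file already imports `Preconditions`, the assignment should reject null up front: `this.createNetworkNamespace = Preconditions.checkNotNull(createNetworkNamespace);`. The Javadoc could also state that the default is `NetworkNamespace.NO_NETNS`, which is what the field initializer in the earlier hunk sets.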
@@ -288,8 +292,10 @@
     if (useFakeHostname) {
       commandLineBuilder.add("-H");
     }
-    if (createNetworkNamespace) {
+    if (createNetworkNamespace == NETNS_WITH_LOOPBACK) {
       commandLineBuilder.add("-N");
+    } else if (createNetworkNamespace == NETNS) {
+      commandLineBuilder.add("-n");
     }
     if (useFakeRoot) {
       commandLineBuilder.add("-R");
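Review bot: The if/else-if chain treats every value other than `NETNS_WITH_LOOPBACK` and `NETNS` as "no namespace", so any constant added to `NetworkNamespace` later would default to the least restrictive behaviour without any signal. A switch that names `NO_NETNS` explicitly makes the intent visible and gives each constant one place to be handled; the enclosing method's body continues outside the hunk.
```java
switch (createNetworkNamespace) {
  case NETNS_WITH_LOOPBACK:
    commandLineBuilder.add("-N");
    break;
  case NETNS:
    commandLineBuilder.add("-n");
    break;
  case NO_NETNS:
    break;
}
// … unchanged: useFakeRoot and remaining flags …
```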
@@ -317,4 +323,14 @@
 
     return commandLineBuilder.build();
   }
+
+  /** Enum for the possibilities for creating a network namespace in the sandbox. */
+  public enum NetworkNamespace {
+    /** No network namespace will be created, sandboxed processes can access the network freely. */
+    NO_NETNS,
+    /** A fresh network namespace will be created. */
+    NETNS,
+    /** A fresh network namespace will be created, and a loopback device will be set up in it. */
+    NETNS_WITH_LOOPBACK,
+  }
 }
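Review bot: The Javadoc on `NETNS` does not say that the absence of a loopback device means the sandboxed process cannot reach localhost either, which is the practical difference from `NETNS_WITH_LOOPBACK` that a caller choosing between them needs. Suggested wording: `/** A fresh network namespace will be created with no loopback device, so even localhost traffic is unavailable. */` on `NETNS`, and on `NO_NETNS` a note that this is the builder's default.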