From e0a6005daa6b51fde662d832123f9a64d5c33b09 Mon Sep 17 00:00:00 2001
From: mtelvers
Date: Mon, 11 Nov 2024 18:22:31 +0000
Subject: [PATCH] Create a restricted network when asked
---
 lib/qemu_sandbox.ml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/qemu_sandbox.ml b/lib/qemu_sandbox.ml
index 4fd9800e..e6d15cf3 100644
--- a/lib/qemu_sandbox.ml
+++ b/lib/qemu_sandbox.ml
@@ -67,11 +67,14 @@ let run ~cancelled ?stdin ~log t config result_tmp =
 "-kernel"; "/usr/lib/u-boot/qemu-riscv64_smode/uboot.elf";
 "-device"; "virtio-net-device,netdev=net0";
 "-serial"; "none"] in
+ let network = match config.network with
+ | [ "host" ] -> ""
+ | _ -> "restrict=yes," in
 let cmd = qemu_binary @ [
 "-monitor"; "stdio";
 "-m"; (string_of_int t.qemu_memory) ^ "G";
 "-smp"; string_of_int t.qemu_cpus;
- "-netdev"; "user,id=net0,hostfwd=tcp::" ^ port ^ "-:22";
+ "-netdev"; "user,id=net0," ^ network ^ "hostfwd=tcp::" ^ port ^ "-:22";
 "-drive"; "file=" ^ result_tmp / "rootfs" / "image.qcow2" ^ ",if=virtio" ]
 @ extra_mounts in
 let _, proc = Os.open_process ~stdin:qemu_stdin ~stdout:`Dev_null ~pp cmd in
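Review bot: The rewritten `-netdev` line still uses `hostfwd=tcp::` with an empty host address, which QEMU binds on every host interface, so the guest's SSH port stays reachable from other machines even when `restrict=yes` is set (restrict isolates the guest's outbound traffic but leaves explicit forwarding rules in place). If the SSH client runs on the same host, which this hunk does not show, bind the forward to loopback: `"-netdev"; "user,id=net0," ^ network ^ "hostfwd=tcp:127.0.0.1:" ^ port ^ "-:22";`. The new `match` fails closed, since every value other than `[ "host" ]` is restricted, and a short comment such as `(* anything but ["host"] gets an isolated user network; the SSH hostfwd still works under restrict *)` would record that intent. `run` begins and ends outside this hunk.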