From 51cda5866b38ee992633aebc7069cab2819b24d5 Mon Sep 17 00:00:00 2001
From: Radon Rosborough <radon.neon@gmail.com>
Date: Fri, 1 Jul 2022 22:06:52 -0700
Subject: [PATCH] Deny access to network due to abuse reports

---
 system/src/riju-system-privileged.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/system/src/riju-system-privileged.c b/system/src/riju-system-privileged.c
index 91f2025..b3bf6a6 100644
--- a/system/src/riju-system-privileged.c
+++ b/system/src/riju-system-privileged.c
@@ -240,6 +240,13 @@ void session(char *uuid, char *lang, char *imageHash)
         "4000",
         "--cgroup-parent",
         "riju.slice",
+        // Deny access to outside networking for now in order to limit
+        // abuse, as we've received abuse reports from AWS. We should
+        // be able to remove this (and indeed we'll *want* to, in
+        // order to support package installation) by replacing it with
+        // a more fine-grained network control such as limiting
+        // outbound bandwidth.
+        "--network=none",
         "--label",
         "riju.category=user-session",
         "--label",
@@ -250,6 +257,7 @@ void session(char *uuid, char *lang, char *imageHash)
         (char *)sentinel_bash,
         NULL,
     };
+
     execvp(argv[0], argv);
     die("execvp failed");
   }