From f069ca6834d6caeb3e85eb55e57fdcc846ad4a6e Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Wed, 3 Jun 2026 11:48:57 +0100 Subject: [PATCH] Dockerfile.sdk-*: Disable Portage sandboxes during all image builds In #3955, I stopped disabling these sandboxes permanently, but they still need to be disabled temporarily during all the (unprivileged) image builds, not just Dockerfile.sdk-update. Signed-off-by: James Le Cuirot --- sdk_lib/Dockerfile.lean-arch | 3 ++- sdk_lib/Dockerfile.sdk-build | 3 ++- sdk_lib/Dockerfile.sdk-import | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sdk_lib/Dockerfile.lean-arch b/sdk_lib/Dockerfile.lean-arch index 6819233e536..c650caf91bd 100644 --- a/sdk_lib/Dockerfile.lean-arch +++ b/sdk_lib/Dockerfile.lean-arch @@ -5,7 +5,8 @@ ARG RMARCH ARG RMCROSS RUN if [ -n "$RMCROSS" ]; then \ - sudo crossdev --clean --force "$RMCROSS"; \ + FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \ + sudo crossdev --clean --force "$RMCROSS"; \ fi RUN if [ -n "$RMARCH" ]; then \ diff --git a/sdk_lib/Dockerfile.sdk-build b/sdk_lib/Dockerfile.sdk-build index d532f700651..8217ea14fad 100644 --- a/sdk_lib/Dockerfile.sdk-build +++ b/sdk_lib/Dockerfile.sdk-build @@ -7,7 +7,8 @@ ARG OFFICIAL=0 # mark build as official where appropriate RUN echo "export COREOS_OFFICIAL=$OFFICIAL" > /mnt/host/source/.env -RUN /home/sdk/sdk_entry.sh ./sdk_lib/setup_boards.sh start "${BINHOST}" +RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \ + /home/sdk/sdk_entry.sh ./sdk_lib/setup_boards.sh start "${BINHOST}" RUN rm /mnt/host/source/.env RUN rm -rf /home/sdk/toolchain-pkgs diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import index a8e75e5d121..a7e11ef9acc 100644 --- a/sdk_lib/Dockerfile.sdk-import +++ b/sdk_lib/Dockerfile.sdk-import 
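Review bot: In sdk_lib/Dockerfile.lean-arch the `FEATURES=...` assignment sits in front of `sudo`, so it is set for sudo itself rather than for crossdev. With sudo's default `env_reset` the variable is dropped before crossdev runs, unless this image's sudoers preserves it (not visible here). Passing it on the sudo command line, `sudo FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" crossdev --clean --force "$RMCROSS"; \`, makes the intent explicit, assuming the sdk user's sudoers rule permits setting variables. The second `RUN` for `$RMARCH` continues outside the hunk.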
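Review bot: The new `RUN` in sdk_lib/Dockerfile.sdk-build turns off three Portage isolation features with no comment saying why or for how long, and the same string is repeated in Dockerfile.lean-arch and Dockerfile.sdk-import. A one-line comment above each, e.g. `# Unprivileged image builds cannot use Portage's ipc/network/pid sandboxes; disable them for this step only, not in the final image.`, would keep a later reader from copying the override into make.conf or a runtime path. Whether `sdk_entry.sh` forwards `FEATURES` to the emerge calls is not visible in this hunk and is worth confirming, since the override is silently ineffective if the wrapper resets the environment.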
@@ -48,7 +48,8 @@ RUN chmod 755 /home/sdk/sdk_entry.sh # This should be a NOP; if you see packages being rebuilt # it's likely that scripts and SDK tarball are out of sync -RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr" +RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \ + /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr" # Clean up ephemeral key directory variables that were added during build RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
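Review bot: The existing comment above this `RUN` in sdk_lib/Dockerfile.sdk-import says the step should be a NOP, but with `-network-sandbox` in effect any package that does get rebuilt here runs its ebuild phases with network access. Extending the comment, e.g. `# Sandboxes are off for this step, so treat any rebuild here as a failure to investigate.`, would tie the two together for whoever debugs an out-of-sync tarball. The following `RUN sed` continues outside the hunk.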