internal/pkg: optionally measure exec artifact

Useful for verifying deterministic output without enabling network access.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/pkg/exec.go

@@ -167,6 +167,9 @@ var _ fmt.Stringer = new(execArtifact)
 type execNetArtifact struct {
 	checksum Checksum
 
+	// Whether to keep host net namespace.
+	hostNet bool
+
 	execArtifact
 }
 
@@ -175,15 +178,24 @@ var _ KnownChecksum = new(execNetArtifact)
 // Checksum returns the caller-supplied checksum.
 func (a *execNetArtifact) Checksum() Checksum { return a.checksum }
 
-// Kind returns the hardcoded [Kind] constant.
-func (*execNetArtifact) Kind() Kind { return KindExecNet }
+// Kind returns [KindExecNet], or [KindExec] if hostNet is false.
+func (a *execNetArtifact) Kind() Kind {
+	if a == nil || a.hostNet {
+		return KindExecNet
+	}
+	return KindExec
+}
 
 // Cure cures the [Artifact] in the container described by the caller. The
 // container retains host networking.
 func (a *execNetArtifact) Cure(f *FContext) error {
-	return a.cure(f, true)
+	return a.cure(f, a.hostNet)
 }
 
+// ErrNetChecksum is panicked by [NewExec] if host net namespace is requested
+// with a nil checksum.
+var ErrNetChecksum = errors.New("attempting to keep net namespace without checksum")
+
 // NewExec returns a new [Artifact] that executes the program path in a
 // container with specified paths bind mounted read-only in order. A private
 // instance of /proc and /dev is made available to the container.
@@ -197,7 +209,7 @@ func (a *execNetArtifact) Cure(f *FContext) error {
 // regular or symlink.
 //
 // If checksum is non-nil, the resulting [Artifact] implements [KnownChecksum]
-// and its container runs in the host net namespace.
+// and its container optionally runs in the host net namespace.
 //
 // The container is allowed to run for the specified duration before the initial
 // process and all processes originating from it is terminated. A zero or
@@ -211,7 +223,7 @@ func NewExec(
 	name, arch string,
 	checksum *Checksum,
 	timeout time.Duration,
-	exclusive bool,
+	hostNet, exclusive bool,
 
 	dir *check.Absolute,
 	env []string,
@@ -234,9 +246,12 @@ func NewExec(
 	}
 	a := execArtifact{name, arch, paths, dir, env, pathname, args, timeout, exclusive}
 	if checksum == nil {
+		if hostNet {
+			panic(ErrNetChecksum)
+		}
 		return &a
 	}
-	return &execNetArtifact{*checksum, a}
+	return &execNetArtifact{*checksum, hostNet, a}
 }
 
 // Kind returns the hardcoded [Kind] constant.
@@ -361,22 +376,17 @@ func readExecArtifact(r *IRReader, net bool) Artifact {
 	exclusive := r.ReadUint32() != 0
 
 	checksum, ok := r.Finalise()
-
 	var checksumP *Checksum
-	if net {
-		if !ok {
-			panic(ErrExpectedChecksum)
-		}
-		checksumVal := checksum.Value()
-		checksumP = &checksumVal
-	} else {
-		if ok {
-			panic(ErrUnexpectedChecksum)
-		}
+	if ok {
+		checksumP = new(checksum.Value())
+	}
+
+	if net && !ok {
+		panic(ErrExpectedChecksum)
 	}
 
 	return NewExec(
-		name, arch, checksumP, timeout, exclusive, dir, env, pathname, args, paths...,
+		name, arch, checksumP, timeout, net, exclusive, dir, env, pathname, args, paths...,
 	)
 }
 
@@ -590,7 +600,7 @@ func (c *Cache) EnterExec(
 
 	case *execNetArtifact:
 		e = &f.execArtifact
-		hostNet = true
+		hostNet = f.hostNet
 
 	default:
 		return ErrNotExec