solver: net host with basic entitlements support

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-08-04 12:42:01 -07:00 · 2018-08-04 12:42:01 -07:00 · 130f5f5ab0
parent 785436a312
commit 130f5f5ab0
20 changed files with 599 additions and 216 deletions
--- a/api/services/control/control.pb.go
+++ b/api/services/control/control.pb.go
@ -35,6 +35,7 @@ import pb "github.com/moby/buildkit/solver/pb"
 import moby_buildkit_v1_types "github.com/moby/buildkit/api/types"

 import time "time"
+import github_com_moby_buildkit_util_entitlements "github.com/moby/buildkit/util/entitlements"
 import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"

 import context "golang.org/x/net/context"
@ -225,14 +226,15 @@ func (m *UsageRecord) GetShared() bool {
 }

 type SolveRequest struct {
-	Ref           string            `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
-	Definition    *pb.Definition    `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"`
-	Exporter      string            `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"`
-	ExporterAttrs map[string]string `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	Session       string            `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"`
-	Frontend      string            `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
-	FrontendAttrs map[string]string `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	Cache         CacheOptions      `protobuf:"bytes,8,opt,name=Cache" json:"Cache"`
+	Ref           string                                                   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Definition    *pb.Definition                                           `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"`
+	Exporter      string                                                   `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"`
+	ExporterAttrs map[string]string                                        `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Session       string                                                   `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"`
+	Frontend      string                                                   `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
+	FrontendAttrs map[string]string                                        `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Cache         CacheOptions                                             `protobuf:"bytes,8,opt,name=Cache" json:"Cache"`
+	Entitlements  []github_com_moby_buildkit_util_entitlements.Entitlement `protobuf:"bytes,9,rep,name=Entitlements,customtype=github.com/moby/buildkit/util/entitlements.Entitlement" json:"Entitlements,omitempty"`
 }

 func (m *SolveRequest) Reset()                    { *m = SolveRequest{} }
@ -1238,6 +1240,21 @@ func (m *SolveRequest) MarshalTo(dAtA []byte) (int, error) {
 		return 0, err
 	}
 	i += n4
+	if len(m.Entitlements) > 0 {
+		for _, s := range m.Entitlements {
+			dAtA[i] = 0x4a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }

@ -1833,6 +1850,12 @@ func (m *SolveRequest) Size() (n int) {
 	}
 	l = m.Cache.Size()
 	n += 1 + l + sovControl(uint64(l))
+	if len(m.Entitlements) > 0 {
+		for _, s := range m.Entitlements {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
 	return n
 }

@ -3111,6 +3134,35 @@ func (m *SolveRequest) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Entitlements", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Entitlements = append(m.Entitlements, github_com_moby_buildkit_util_entitlements.Entitlement(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipControl(dAtA[iNdEx:])
@ -4779,83 +4831,85 @@ var (
 func init() { proto.RegisterFile("control.proto", fileDescriptorControl) }

 var fileDescriptorControl = []byte{
-	// 1241 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x57, 0xcf, 0x6f, 0x1b, 0xc5,
-	0x17, 0xef, 0xda, 0x8e, 0xed, 0x7d, 0x76, 0xaa, 0x7c, 0xe7, 0x0b, 0xd5, 0x6a, 0x81, 0xc4, 0x2c,
-	0x20, 0x59, 0x55, 0xbb, 0xdb, 0x06, 0x2a, 0xa1, 0x08, 0x55, 0xad, 0xe3, 0x22, 0x12, 0x25, 0xa2,
-	0xac, 0x13, 0x2a, 0x71, 0x5b, 0xdb, 0x13, 0x67, 0xe5, 0xf5, 0xce, 0x32, 0x33, 0x1b, 0x6a, 0xfe,
-	0x00, 0xce, 0x1c, 0xf8, 0x4f, 0x38, 0xf0, 0x17, 0x20, 0xe5, 0xc8, 0x99, 0x43, 0x8a, 0x72, 0x87,
-	0x3b, 0x37, 0x34, 0x3f, 0xd6, 0x5e, 0xc7, 0x4e, 0x9c, 0xa4, 0xa7, 0xcc, 0x7b, 0xfe, 0xbc, 0xcf,
-	0xbe, 0x5f, 0x33, 0xef, 0x05, 0x56, 0x7b, 0x24, 0xe6, 0x94, 0x44, 0x6e, 0x42, 0x09, 0x27, 0x68,
-	0x6d, 0x44, 0xba, 0x63, 0xb7, 0x9b, 0x86, 0x51, 0x7f, 0x18, 0x72, 0xf7, 0xe4, 0xb1, 0xfd, 0x70,
-	0x10, 0xf2, 0xe3, 0xb4, 0xeb, 0xf6, 0xc8, 0xc8, 0x1b, 0x90, 0x01, 0xf1, 0x24, 0xb0, 0x9b, 0x1e,
-	0x49, 0x49, 0x0a, 0xf2, 0xa4, 0x08, 0xec, 0x8d, 0x01, 0x21, 0x83, 0x08, 0x4f, 0x51, 0x3c, 0x1c,
-	0x61, 0xc6, 0x83, 0x51, 0xa2, 0x01, 0x0f, 0x72, 0x7c, 0xe2, 0x63, 0x5e, 0xf6, 0x31, 0x8f, 0x91,
-	0xe8, 0x04, 0x53, 0x2f, 0xe9, 0x7a, 0x24, 0x61, 0x1a, 0xed, 0x5d, 0x8a, 0x0e, 0x92, 0xd0, 0xe3,
-	0xe3, 0x04, 0x33, 0xef, 0x07, 0x42, 0x87, 0x98, 0x2a, 0x03, 0xe7, 0x27, 0x03, 0xea, 0x2f, 0x69,
-	0x1a, 0x63, 0x1f, 0x7f, 0x9f, 0x62, 0xc6, 0xd1, 0x3d, 0x28, 0x1f, 0x85, 0x11, 0xc7, 0xd4, 0x32,
-	0x1a, 0xc5, 0xa6, 0xe9, 0x6b, 0x09, 0xad, 0x41, 0x31, 0x88, 0x22, 0xab, 0xd0, 0x30, 0x9a, 0x55,
-	0x5f, 0x1c, 0x51, 0x13, 0xea, 0x43, 0x8c, 0x93, 0x76, 0x4a, 0x03, 0x1e, 0x92, 0xd8, 0x2a, 0x36,
-	0x8c, 0x66, 0xb1, 0x55, 0x3a, 0x3d, 0xdb, 0x30, 0xfc, 0x99, 0x5f, 0x90, 0x03, 0xa6, 0x90, 0x5b,
-	0x63, 0x8e, 0x99, 0x55, 0xca, 0xc1, 0xa6, 0x6a, 0xe7, 0x3e, 0xac, 0xb5, 0x43, 0x36, 0x3c, 0x64,
-	0xc1, 0x60, 0x99, 0x2f, 0xce, 0x2e, 0xfc, 0x2f, 0x87, 0x65, 0x09, 0x89, 0x19, 0x46, 0x4f, 0xa0,
-	0x4c, 0x71, 0x8f, 0xd0, 0xbe, 0x04, 0xd7, 0x36, 0x3f, 0x70, 0x2f, 0xd6, 0xc6, 0xd5, 0x06, 0x02,
-	0xe4, 0x6b, 0xb0, 0xf3, 0x6f, 0x01, 0x6a, 0x39, 0x3d, 0xba, 0x0b, 0x85, 0x9d, 0xb6, 0x65, 0x34,
-	0x8c, 0xa6, 0xe9, 0x17, 0x76, 0xda, 0xc8, 0x82, 0xca, 0x7e, 0xca, 0x83, 0x6e, 0x84, 0x75, 0xec,
-	0x99, 0x88, 0xde, 0x81, 0x95, 0x9d, 0xf8, 0x90, 0x61, 0x19, 0x78, 0xd5, 0x57, 0x02, 0x42, 0x50,
-	0xea, 0x84, 0x3f, 0x62, 0x15, 0xa6, 0x2f, 0xcf, 0x22, 0x8e, 0x97, 0x01, 0xc5, 0x31, 0xb7, 0x56,
-	0x24, 0xaf, 0x96, 0x50, 0x0b, 0xcc, 0x6d, 0x8a, 0x03, 0x8e, 0xfb, 0xcf, 0xb9, 0x55, 0x6e, 0x18,
-	0xcd, 0xda, 0xa6, 0xed, 0xaa, 0x86, 0x70, 0xb3, 0x86, 0x70, 0x0f, 0xb2, 0x86, 0x68, 0x55, 0x4f,
-	0xcf, 0x36, 0xee, 0xfc, 0xfc, 0x46, 0xe4, 0x6d, 0x62, 0x86, 0x9e, 0x01, 0xec, 0x05, 0x8c, 0x1f,
-	0x32, 0x49, 0x52, 0x59, 0x4a, 0x52, 0x92, 0x04, 0x39, 0x1b, 0xb4, 0x0e, 0x20, 0x13, 0xb0, 0x4d,
-	0xd2, 0x98, 0x5b, 0x55, 0xe9, 0x77, 0x4e, 0x83, 0x1a, 0x50, 0x6b, 0x63, 0xd6, 0xa3, 0x61, 0x22,
-	0xcb, 0x6c, 0xca, 0x10, 0xf2, 0x2a, 0xc1, 0xa0, 0xb2, 0x77, 0x30, 0x4e, 0xb0, 0x05, 0x12, 0x90,
-	0xd3, 0x88, 0xf8, 0x3b, 0xc7, 0x01, 0xc5, 0x7d, 0xab, 0x26, 0x53, 0xa5, 0x25, 0xe7, 0x97, 0x12,
-	0xd4, 0x3b, 0xa2, 0x8b, 0xb3, 0x82, 0xaf, 0x41, 0xd1, 0xc7, 0x47, 0x3a, 0xfb, 0xe2, 0x88, 0x5c,
-	0x80, 0x36, 0x3e, 0x0a, 0xe3, 0x50, 0x7e, 0xbb, 0x20, 0xc3, 0xbb, 0xeb, 0x26, 0x5d, 0x77, 0xaa,
-	0xf5, 0x73, 0x08, 0x64, 0x43, 0xf5, 0xc5, 0xeb, 0x84, 0x50, 0xd1, 0x34, 0x45, 0x49, 0x33, 0x91,
-	0xd1, 0x2b, 0x58, 0xcd, 0xce, 0xcf, 0x39, 0xa7, 0xa2, 0x15, 0x45, 0xa3, 0x3c, 0x9e, 0x6f, 0x94,
-	0xbc, 0x53, 0xee, 0x8c, 0xcd, 0x8b, 0x98, 0xd3, 0xb1, 0x3f, 0xcb, 0x23, 0x7a, 0xa4, 0x83, 0x19,
-	0x13, 0x1e, 0xaa, 0x02, 0x67, 0xa2, 0x70, 0xe7, 0x4b, 0x4a, 0x62, 0x8e, 0xe3, 0xbe, 0x2c, 0xb0,
-	0xe9, 0x4f, 0x64, 0xe1, 0x4e, 0x76, 0x56, 0xee, 0x54, 0xae, 0xe5, 0xce, 0x8c, 0x8d, 0x76, 0x67,
-	0x46, 0x87, 0xb6, 0x60, 0x65, 0x3b, 0xe8, 0x1d, 0x63, 0x59, 0xcb, 0xda, 0xe6, 0xfa, 0x3c, 0xa1,
-	0xfc, 0xf9, 0x6b, 0x59, 0x3c, 0x26, 0xaf, 0xe2, 0x1d, 0x5f, 0x99, 0xd8, 0xcf, 0x00, 0xcd, 0xc7,
-	0x2b, 0xea, 0x32, 0xc4, 0xe3, 0xac, 0x2e, 0x43, 0x3c, 0x16, 0xcd, 0x7f, 0x12, 0x44, 0xa9, 0xba,
-	0x14, 0xa6, 0xaf, 0x84, 0xad, 0xc2, 0xe7, 0x86, 0x60, 0x98, 0x77, 0xf1, 0x26, 0x0c, 0xce, 0x1b,
-	0x03, 0xea, 0x79, 0x0f, 0xd1, 0xfb, 0x60, 0x2a, 0xa7, 0xa6, 0xcd, 0x31, 0x55, 0x88, 0xee, 0xdb,
-	0x19, 0x69, 0x81, 0x59, 0x05, 0xf9, 0x52, 0xe4, 0x34, 0xe8, 0x1b, 0xa8, 0x29, 0xb0, 0xca, 0x72,
-	0x51, 0x66, 0xd9, 0xbb, 0x3a, 0x29, 0x6e, 0xce, 0x42, 0xe5, 0x38, 0xcf, 0x61, 0x3f, 0x85, 0xb5,
-	0x8b, 0x80, 0x1b, 0x45, 0xf8, 0x9b, 0x01, 0xab, 0xba, 0xa8, 0xfa, 0xf5, 0x0a, 0x32, 0x46, 0x4c,
-	0x33, 0x9d, 0x7e, 0xc7, 0x9e, 0x5c, 0xda, 0x0f, 0x0a, 0xe6, 0x5e, 0xb4, 0x53, 0xfe, 0xce, 0xd1,
-	0xd9, 0xdb, 0xf0, 0xee, 0x42, 0xe8, 0x8d, 0x3c, 0xff, 0x10, 0x56, 0x3b, 0x3c, 0xe0, 0x29, 0xbb,
-	0xf4, 0xca, 0x3a, 0xbf, 0x1a, 0x70, 0x37, 0xc3, 0xe8, 0xe8, 0x3e, 0x83, 0xea, 0x09, 0xa6, 0x1c,
-	0xbf, 0xc6, 0x4c, 0x47, 0x65, 0xcd, 0x47, 0xf5, 0xad, 0x44, 0xf8, 0x13, 0x24, 0xda, 0x82, 0x2a,
-	0x93, 0x3c, 0x58, 0x95, 0x75, 0x61, 0x2b, 0x2b, 0x2b, 0xfd, 0xbd, 0x09, 0x1e, 0x79, 0x50, 0x8a,
-	0xc8, 0x20, 0xab, 0xf6, 0x7b, 0x97, 0xd9, 0xed, 0x91, 0x81, 0x2f, 0x81, 0xce, 0x59, 0x01, 0xca,
-	0x4a, 0x87, 0x76, 0xa1, 0xdc, 0x0f, 0x07, 0x98, 0x71, 0x15, 0x55, 0x6b, 0x53, 0x5c, 0x90, 0x3f,
-	0xcf, 0x36, 0xee, 0xe7, 0x86, 0x2b, 0x49, 0x70, 0x2c, 0x56, 0x81, 0x20, 0x8c, 0x31, 0x65, 0xde,
-	0x80, 0x3c, 0x54, 0x26, 0x6e, 0x5b, 0xfe, 0xf1, 0x35, 0x83, 0xe0, 0x0a, 0xe3, 0x24, 0xe5, 0xba,
-	0x31, 0x6f, 0xc7, 0xa5, 0x18, 0xc4, 0x68, 0x89, 0x83, 0x11, 0xd6, 0xef, 0x9a, 0x3c, 0x8b, 0xa7,
-	0xb5, 0x27, 0xfa, 0xb6, 0x2f, 0x07, 0x4e, 0xd5, 0xd7, 0x12, 0xda, 0x82, 0x0a, 0xe3, 0x01, 0xe5,
-	0xb8, 0x2f, 0x9f, 0xa4, 0xeb, 0xcc, 0x84, 0xcc, 0x00, 0x3d, 0x05, 0xb3, 0x47, 0x46, 0x49, 0x84,
-	0x85, 0x75, 0xf9, 0x9a, 0xd6, 0x53, 0x13, 0xd1, 0x3d, 0x98, 0x52, 0x42, 0xe5, 0x34, 0x32, 0x7d,
-	0x25, 0x38, 0xff, 0x14, 0xa0, 0x9e, 0x2f, 0xd6, 0xdc, 0xa4, 0xdd, 0x85, 0xb2, 0x2a, 0xbd, 0xea,
-	0xba, 0xdb, 0xa5, 0x4a, 0x31, 0x2c, 0x4c, 0x95, 0x05, 0x95, 0x5e, 0x4a, 0xe5, 0x18, 0x56, 0xc3,
-	0x39, 0x13, 0x85, 0xc3, 0x9c, 0xf0, 0x20, 0x92, 0xa9, 0x2a, 0xfa, 0x4a, 0x10, 0xd3, 0x79, 0xb2,
-	0x8c, 0xdd, 0x6c, 0x3a, 0x4f, 0xcc, 0xf2, 0x65, 0xa8, 0xbc, 0x55, 0x19, 0xaa, 0x37, 0x2e, 0x83,
-	0xf3, 0xbb, 0x01, 0xe6, 0xa4, 0xcb, 0x73, 0xd9, 0x35, 0xde, 0x3a, 0xbb, 0x33, 0x99, 0x29, 0xdc,
-	0x2e, 0x33, 0xf7, 0xa0, 0xcc, 0x38, 0xc5, 0xc1, 0x48, 0xed, 0x8d, 0xbe, 0x96, 0xc4, 0x7b, 0x32,
-	0x62, 0x03, 0x59, 0xa1, 0xba, 0x2f, 0x8e, 0x8e, 0x03, 0x75, 0xb9, 0x22, 0xee, 0x63, 0x26, 0x96,
-	0x12, 0x51, 0xdb, 0x7e, 0xc0, 0x03, 0x19, 0x47, 0xdd, 0x97, 0x67, 0xe7, 0x01, 0xa0, 0xbd, 0x90,
-	0xf1, 0x57, 0x72, 0xb5, 0x65, 0xcb, 0xf6, 0xc7, 0x0e, 0xfc, 0x7f, 0x06, 0xad, 0x5f, 0xa9, 0x2f,
-	0x2e, 0x6c, 0x90, 0x1f, 0xcf, 0xbf, 0x1a, 0x72, 0x83, 0x76, 0x95, 0xe1, 0xec, 0x22, 0xb9, 0xf9,
-	0x77, 0x11, 0x2a, 0xdb, 0xea, 0x9f, 0x03, 0x74, 0x00, 0xe6, 0x64, 0x41, 0x45, 0xce, 0x3c, 0xcd,
-	0xc5, 0x4d, 0xd7, 0xfe, 0xe8, 0x4a, 0x8c, 0xf6, 0xef, 0x2b, 0x58, 0x91, 0xab, 0x3a, 0x5a, 0xf0,
-	0x0c, 0xe6, 0x77, 0x78, 0xfb, 0xea, 0xd5, 0xf7, 0x91, 0x21, 0x98, 0xe4, 0x0c, 0x59, 0xc4, 0x94,
-	0x5f, 0x36, 0xec, 0x8d, 0x25, 0xc3, 0x07, 0xed, 0x43, 0x59, 0x5f, 0xe7, 0x45, 0xd0, 0xfc, 0xa4,
-	0xb0, 0x1b, 0x97, 0x03, 0x14, 0xd9, 0x23, 0x03, 0xed, 0x4f, 0x36, 0xa9, 0x45, 0xae, 0xe5, 0xdb,
-	0xc0, 0x5e, 0xf2, 0x7b, 0xd3, 0x78, 0x64, 0xa0, 0xef, 0xa0, 0x96, 0x2b, 0x34, 0x5a, 0x50, 0xd0,
-	0xf9, 0xae, 0xb1, 0x3f, 0x59, 0x82, 0x52, 0xce, 0xb6, 0xea, 0xa7, 0xe7, 0xeb, 0xc6, 0x1f, 0xe7,
-	0xeb, 0xc6, 0x5f, 0xe7, 0xeb, 0x46, 0xb7, 0x2c, 0xfb, 0xfe, 0xd3, 0xff, 0x02, 0x00, 0x00, 0xff,
-	0xff, 0x61, 0x35, 0x4d, 0x35, 0x20, 0x0e, 0x00, 0x00,
+	// 1279 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x57, 0x4f, 0x6f, 0x1b, 0x45,
+	0x14, 0xef, 0xda, 0x89, 0xed, 0x7d, 0x76, 0xaa, 0x30, 0x40, 0xb5, 0x5a, 0x20, 0x31, 0x0b, 0x48,
+	0x56, 0xd5, 0xee, 0xb6, 0x81, 0x22, 0x14, 0xa1, 0xaa, 0x75, 0x5c, 0x44, 0xaa, 0x46, 0x94, 0x49,
+	0x4b, 0x25, 0x0e, 0x48, 0x6b, 0x7b, 0xe2, 0xae, 0xb2, 0xde, 0x59, 0x66, 0x66, 0x43, 0xcd, 0x07,
+	0xe0, 0xcc, 0x77, 0xe1, 0xc0, 0x27, 0x40, 0xea, 0x91, 0x73, 0x0f, 0x29, 0xea, 0x1d, 0x4e, 0x5c,
+	0xb8, 0xa1, 0xf9, 0xb3, 0xce, 0x38, 0x76, 0xea, 0xa6, 0x3d, 0x65, 0xde, 0xe4, 0xf7, 0x7e, 0xfb,
+	0xfe, 0xcd, 0x7b, 0xcf, 0xb0, 0x36, 0xa0, 0x99, 0x60, 0x34, 0x0d, 0x73, 0x46, 0x05, 0x45, 0xeb,
+	0x63, 0xda, 0x9f, 0x84, 0xfd, 0x22, 0x49, 0x87, 0x87, 0x89, 0x08, 0x8f, 0xae, 0xfb, 0x57, 0x47,
+	0x89, 0x78, 0x5c, 0xf4, 0xc3, 0x01, 0x1d, 0x47, 0x23, 0x3a, 0xa2, 0x91, 0x02, 0xf6, 0x8b, 0x03,
+	0x25, 0x29, 0x41, 0x9d, 0x34, 0x81, 0xbf, 0x39, 0xa2, 0x74, 0x94, 0x92, 0x13, 0x94, 0x48, 0xc6,
+	0x84, 0x8b, 0x78, 0x9c, 0x1b, 0xc0, 0x15, 0x8b, 0x4f, 0x7e, 0x2c, 0x2a, 0x3f, 0x16, 0x71, 0x9a,
+	0x1e, 0x11, 0x16, 0xe5, 0xfd, 0x88, 0xe6, 0xdc, 0xa0, 0xa3, 0x33, 0xd1, 0x71, 0x9e, 0x44, 0x62,
+	0x92, 0x13, 0x1e, 0xfd, 0x44, 0xd9, 0x21, 0x61, 0x5a, 0x21, 0xf8, 0xc5, 0x81, 0xd6, 0x7d, 0x56,
+	0x64, 0x04, 0x93, 0x1f, 0x0b, 0xc2, 0x05, 0xba, 0x04, 0xb5, 0x83, 0x24, 0x15, 0x84, 0x79, 0x4e,
+	0xbb, 0xda, 0x71, 0xb1, 0x91, 0xd0, 0x3a, 0x54, 0xe3, 0x34, 0xf5, 0x2a, 0x6d, 0xa7, 0xd3, 0xc0,
+	0xf2, 0x88, 0x3a, 0xd0, 0x3a, 0x24, 0x24, 0xef, 0x15, 0x2c, 0x16, 0x09, 0xcd, 0xbc, 0x6a, 0xdb,
+	0xe9, 0x54, 0xbb, 0x2b, 0x4f, 0x8f, 0x37, 0x1d, 0x3c, 0xf3, 0x1f, 0x14, 0x80, 0x2b, 0xe5, 0xee,
+	0x44, 0x10, 0xee, 0xad, 0x58, 0xb0, 0x93, 0xeb, 0xe0, 0x32, 0xac, 0xf7, 0x12, 0x7e, 0xf8, 0x90,
+	0xc7, 0xa3, 0x65, 0xb6, 0x04, 0x77, 0xe1, 0x2d, 0x0b, 0xcb, 0x73, 0x9a, 0x71, 0x82, 0x6e, 0x40,
+	0x8d, 0x91, 0x01, 0x65, 0x43, 0x05, 0x6e, 0x6e, 0x7d, 0x10, 0x9e, 0xce, 0x4d, 0x68, 0x14, 0x24,
+	0x08, 0x1b, 0x70, 0xf0, 0x5f, 0x05, 0x9a, 0xd6, 0x3d, 0xba, 0x08, 0x95, 0xdd, 0x9e, 0xe7, 0xb4,
+	0x9d, 0x8e, 0x8b, 0x2b, 0xbb, 0x3d, 0xe4, 0x41, 0x7d, 0xaf, 0x10, 0x71, 0x3f, 0x25, 0xc6, 0xf7,
+	0x52, 0x44, 0xef, 0xc0, 0xea, 0x6e, 0xf6, 0x90, 0x13, 0xe5, 0x78, 0x03, 0x6b, 0x01, 0x21, 0x58,
+	0xd9, 0x4f, 0x7e, 0x26, 0xda, 0x4d, 0xac, 0xce, 0xd2, 0x8f, 0xfb, 0x31, 0x23, 0x99, 0xf0, 0x56,
+	0x15, 0xaf, 0x91, 0x50, 0x17, 0xdc, 0x1d, 0x46, 0x62, 0x41, 0x86, 0xb7, 0x85, 0x57, 0x6b, 0x3b,
+	0x9d, 0xe6, 0x96, 0x1f, 0xea, 0x82, 0x08, 0xcb, 0x82, 0x08, 0x1f, 0x94, 0x05, 0xd1, 0x6d, 0x3c,
+	0x3d, 0xde, 0xbc, 0xf0, 0xeb, 0x73, 0x19, 0xb7, 0xa9, 0x1a, 0xba, 0x05, 0x70, 0x2f, 0xe6, 0xe2,
+	0x21, 0x57, 0x24, 0xf5, 0xa5, 0x24, 0x2b, 0x8a, 0xc0, 0xd2, 0x41, 0x1b, 0x00, 0x2a, 0x00, 0x3b,
+	0xb4, 0xc8, 0x84, 0xd7, 0x50, 0x76, 0x5b, 0x37, 0xa8, 0x0d, 0xcd, 0x1e, 0xe1, 0x03, 0x96, 0xe4,
+	0x2a, 0xcd, 0xae, 0x72, 0xc1, 0xbe, 0x92, 0x0c, 0x3a, 0x7a, 0x0f, 0x26, 0x39, 0xf1, 0x40, 0x01,
+	0xac, 0x1b, 0xe9, 0xff, 0xfe, 0xe3, 0x98, 0x91, 0xa1, 0xd7, 0x54, 0xa1, 0x32, 0x52, 0xf0, 0xef,
+	0x0a, 0xb4, 0xf6, 0x65, 0x15, 0x97, 0x09, 0x5f, 0x87, 0x2a, 0x26, 0x07, 0x26, 0xfa, 0xf2, 0x88,
+	0x42, 0x80, 0x1e, 0x39, 0x48, 0xb2, 0x44, 0x7d, 0xbb, 0xa2, 0xdc, 0xbb, 0x18, 0xe6, 0xfd, 0xf0,
+	0xe4, 0x16, 0x5b, 0x08, 0xe4, 0x43, 0xe3, 0xce, 0x93, 0x9c, 0x32, 0x59, 0x34, 0x55, 0x45, 0x33,
+	0x95, 0xd1, 0x23, 0x58, 0x2b, 0xcf, 0xb7, 0x85, 0x60, 0xb2, 0x14, 0x65, 0xa1, 0x5c, 0x9f, 0x2f,
+	0x14, 0xdb, 0xa8, 0x70, 0x46, 0xe7, 0x4e, 0x26, 0xd8, 0x04, 0xcf, 0xf2, 0xc8, 0x1a, 0xd9, 0x27,
+	0x9c, 0x4b, 0x0b, 0x75, 0x82, 0x4b, 0x51, 0x9a, 0xf3, 0x15, 0xa3, 0x99, 0x20, 0xd9, 0x50, 0x25,
+	0xd8, 0xc5, 0x53, 0x59, 0x9a, 0x53, 0x9e, 0xb5, 0x39, 0xf5, 0x57, 0x32, 0x67, 0x46, 0xc7, 0x98,
+	0x33, 0x73, 0x87, 0xb6, 0x61, 0x75, 0x27, 0x1e, 0x3c, 0x26, 0x2a, 0x97, 0xcd, 0xad, 0x8d, 0x79,
+	0x42, 0xf5, 0xef, 0x6f, 0x54, 0xf2, 0xb8, 0x7a, 0x8a, 0x17, 0xb0, 0x56, 0x41, 0x3f, 0x40, 0xeb,
+	0x4e, 0x26, 0x12, 0x91, 0x92, 0x31, 0xc9, 0x04, 0xf7, 0x5c, 0xf9, 0xf0, 0xba, 0xdb, 0xcf, 0x8e,
+	0x37, 0x3f, 0x3f, 0xb3, 0xb5, 0x14, 0x22, 0x49, 0x23, 0x62, 0x69, 0x85, 0x16, 0x05, 0x9e, 0xe1,
+	0xf3, 0x6f, 0x01, 0x9a, 0x8f, 0xa7, 0xcc, 0xfb, 0x21, 0x99, 0x94, 0x79, 0x3f, 0x24, 0x13, 0xf9,
+	0xb8, 0x8e, 0xe2, 0xb4, 0xd0, 0x8f, 0xce, 0xc5, 0x5a, 0xd8, 0xae, 0x7c, 0xe1, 0x48, 0x86, 0xf9,
+	0x10, 0x9c, 0x87, 0x21, 0x78, 0xee, 0x40, 0xcb, 0x8e, 0x00, 0x7a, 0x1f, 0x5c, 0x6d, 0xd4, 0x49,
+	0xf1, 0x9d, 0x5c, 0xc8, 0xea, 0xde, 0x1d, 0x1b, 0x81, 0x7b, 0x15, 0xd5, 0x89, 0xac, 0x1b, 0xf4,
+	0x2d, 0x34, 0x35, 0x58, 0x67, 0xb1, 0xaa, 0xb2, 0x18, 0xbd, 0x3c, 0xe8, 0xa1, 0xa5, 0xa1, 0x73,
+	0x68, 0x73, 0xf8, 0x37, 0x61, 0xfd, 0x34, 0xe0, 0x5c, 0x1e, 0xfe, 0xee, 0xc0, 0x9a, 0x29, 0x1a,
+	0xd3, 0x1d, 0xe3, 0x92, 0x91, 0xb0, 0xf2, 0xce, 0xf4, 0xc9, 0x1b, 0x67, 0xd6, 0x9b, 0x86, 0x85,
+	0xa7, 0xf5, 0xb4, 0xbd, 0x73, 0x74, 0xfe, 0x0e, 0xbc, 0xbb, 0x10, 0x7a, 0x2e, 0xcb, 0x3f, 0x84,
+	0xb5, 0x7d, 0x11, 0x8b, 0x82, 0x9f, 0xd9, 0x12, 0x82, 0xdf, 0x1c, 0xb8, 0x58, 0x62, 0x8c, 0x77,
+	0x9f, 0x41, 0xe3, 0x88, 0x30, 0x41, 0x9e, 0x10, 0x6e, 0xbc, 0xf2, 0xe6, 0xbd, 0xfa, 0x4e, 0x21,
+	0xf0, 0x14, 0x89, 0xb6, 0xa1, 0xc1, 0x15, 0x0f, 0xd1, 0x69, 0x5d, 0xf8, 0x54, 0xb4, 0x96, 0xf9,
+	0xde, 0x14, 0x8f, 0x22, 0x58, 0x49, 0xe9, 0xa8, 0xcc, 0xf6, 0x7b, 0x67, 0xe9, 0xdd, 0xa3, 0x23,
+	0xac, 0x80, 0xc1, 0x71, 0x05, 0x6a, 0xfa, 0x0e, 0xdd, 0x85, 0xda, 0x30, 0x19, 0x11, 0x2e, 0xb4,
+	0x57, 0xdd, 0x2d, 0xf9, 0x00, 0x9f, 0x1d, 0x6f, 0x5e, 0xb6, 0x5e, 0x18, 0xcd, 0x49, 0x26, 0x57,
+	0x8d, 0x38, 0xc9, 0x08, 0xe3, 0xd1, 0x88, 0x5e, 0xd5, 0x2a, 0x61, 0x4f, 0xfd, 0xc1, 0x86, 0x41,
+	0x72, 0x25, 0x59, 0x5e, 0x08, 0x53, 0x98, 0xaf, 0xc7, 0xa5, 0x19, 0xe4, 0xe8, 0xca, 0xe2, 0x31,
+	0x31, 0x7d, 0x53, 0x9d, 0x65, 0xeb, 0x1e, 0xc8, 0xba, 0x1d, 0xaa, 0x81, 0xd6, 0xc0, 0x46, 0x42,
+	0xdb, 0x50, 0xe7, 0x22, 0x66, 0x82, 0x0c, 0x55, 0xcb, 0x7b, 0x95, 0x99, 0x53, 0x2a, 0xa0, 0x9b,
+	0xe0, 0x0e, 0xe8, 0x38, 0x4f, 0x89, 0xd4, 0xae, 0xbd, 0xa2, 0xf6, 0x89, 0x8a, 0xac, 0x1e, 0xc2,
+	0x18, 0x65, 0x6a, 0xda, 0xb9, 0x58, 0x0b, 0xc1, 0x3f, 0x15, 0x68, 0xd9, 0xc9, 0x9a, 0x9b, 0xe4,
+	0x77, 0xa1, 0xa6, 0x53, 0xaf, 0xab, 0xee, 0xf5, 0x42, 0xa5, 0x19, 0x16, 0x86, 0xca, 0x83, 0xfa,
+	0xa0, 0x60, 0x6a, 0xcc, 0xeb, 0xe1, 0x5f, 0x8a, 0xd2, 0x60, 0x41, 0x45, 0x9c, 0xaa, 0x50, 0x55,
+	0xb1, 0x16, 0xe4, 0xf4, 0x9f, 0x2e, 0x7b, 0xe7, 0x9b, 0xfe, 0x53, 0x35, 0x3b, 0x0d, 0xf5, 0x37,
+	0x4a, 0x43, 0xe3, 0xdc, 0x69, 0x08, 0xfe, 0x70, 0xc0, 0x9d, 0x56, 0xb9, 0x15, 0x5d, 0xe7, 0x8d,
+	0xa3, 0x3b, 0x13, 0x99, 0xca, 0xeb, 0x45, 0xe6, 0x12, 0xd4, 0xb8, 0x60, 0x24, 0x1e, 0xeb, 0xbd,
+	0x14, 0x1b, 0x49, 0xf6, 0x93, 0x31, 0x1f, 0xa9, 0x0c, 0xb5, 0xb0, 0x3c, 0x06, 0x01, 0xb4, 0xd4,
+	0x0a, 0xba, 0x47, 0xb8, 0x5c, 0x7a, 0x64, 0x6e, 0x87, 0xb1, 0x88, 0x95, 0x1f, 0x2d, 0xac, 0xce,
+	0xc1, 0x15, 0x40, 0xf7, 0x12, 0x2e, 0x1e, 0xa9, 0xd5, 0x99, 0x2f, 0xdb, 0x4f, 0xf7, 0xe1, 0xed,
+	0x19, 0xb4, 0xe9, 0x52, 0x5f, 0x9e, 0xda, 0x50, 0x3f, 0x9e, 0xef, 0x1a, 0x6a, 0x43, 0x0f, 0xb5,
+	0xe2, 0xec, 0xa2, 0xba, 0xf5, 0x77, 0x15, 0xea, 0x3b, 0xfa, 0xc7, 0x07, 0x7a, 0x00, 0xee, 0x74,
+	0x01, 0x46, 0xc1, 0x3c, 0xcd, 0xe9, 0x4d, 0xda, 0xff, 0xe8, 0xa5, 0x18, 0x63, 0xdf, 0xd7, 0xb0,
+	0xaa, 0x7e, 0x0a, 0xa0, 0x05, 0x6d, 0xd0, 0xfe, 0x8d, 0xe0, 0xbf, 0x7c, 0xb5, 0xbe, 0xe6, 0x48,
+	0x26, 0x35, 0x43, 0x16, 0x31, 0xd9, 0xcb, 0x8c, 0xbf, 0xb9, 0x64, 0xf8, 0xa0, 0x3d, 0xa8, 0x99,
+	0xe7, 0xbc, 0x08, 0x6a, 0x4f, 0x0a, 0xbf, 0x7d, 0x36, 0x40, 0x93, 0x5d, 0x73, 0xd0, 0xde, 0x74,
+	0x53, 0x5b, 0x64, 0x9a, 0x5d, 0x06, 0xfe, 0x92, 0xff, 0x77, 0x9c, 0x6b, 0x0e, 0xfa, 0x1e, 0x9a,
+	0x56, 0xa2, 0xd1, 0x82, 0x84, 0xce, 0x57, 0x8d, 0xff, 0xc9, 0x12, 0x94, 0x36, 0xb6, 0xdb, 0x7a,
+	0xfa, 0x62, 0xc3, 0xf9, 0xf3, 0xc5, 0x86, 0xf3, 0xd7, 0x8b, 0x0d, 0xa7, 0x5f, 0x53, 0x75, 0xff,
+	0xe9, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0xfe, 0x98, 0x98, 0x82, 0x80, 0x0e, 0x00, 0x00,
 }
--- a/api/services/control/control.proto
+++ b/api/services/control/control.proto
@ -62,6 +62,7 @@ message SolveRequest {
 	string Frontend = 6;
 	map<string, string> FrontendAttrs = 7;
 	CacheOptions Cache = 8 [(gogoproto.nullable) = false];
+	repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement" ];
 }

 message CacheOptions {
--- a/client/client_test.go
+++ b/client/client_test.go
@ -61,6 +61,7 @@ func TestClientIntegration(t *testing.T) {
 		testParallelLocalBuilds,
 		testSecretMounts,
 		testExtraHosts,
+		testNetworkMode,
 	})
 }

@ -81,6 +82,36 @@ func testExtraHosts(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 }

+func testNetworkMode(t *testing.T, sb integration.Sandbox) {
+	t.Parallel()
+
+	c, err := New(context.TODO(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	st := llb.Image("busybox:latest").
+		Run(llb.Shlex(`sh -c 'wget https://example.com 2>&1 | grep "wget: bad address"'`), llb.Network(llb.NetModeNone))
+
+	def, err := st.Marshal()
+	require.NoError(t, err)
+
+	_, err = c.Solve(context.TODO(), def, SolveOpt{}, nil)
+	require.NoError(t, err)
+
+	st2 := llb.Image("busybox:latest").
+		Run(llb.Shlex(`ifconfig`), llb.Network(llb.NetModeHost))
+
+	def, err = st2.Marshal()
+	require.NoError(t, err)
+
+	_, err = c.Solve(context.TODO(), def, SolveOpt{
+		// Currently disabled globally by default
+		// AllowedEntitlements: []entitlements.Entitlement{entitlements.EntitlementNetworkHost},
+	}, nil)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "network.host is not allowed")
+}
+
 func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	t.Parallel()

--- a/client/llb/exec.go
+++ b/client/llb/exec.go
@ -17,6 +17,7 @@ type Meta struct {
 	User       string
 	ProxyEnv   *ProxyEnv
 	ExtraHosts []HostIP
+	Network    pb.NetMode
 }

 func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
@ -144,7 +145,11 @@ func (e *ExecOp) Marshal(c *Constraints) (digest.Digest, []byte, *pb.OpMetadata,
 	}

 	peo := &pb.ExecOp{
-		Meta: meta,
+		Meta:    meta,
+		Network: e.meta.Network,
+	}
+	if e.meta.Network != NetModeSandbox {
+		addCap(&e.constraints, pb.CapExecMetaNetwork)
 	}

 	if p := e.meta.ProxyEnv; p != nil {
@ -357,6 +362,12 @@ func (fn runOptionFunc) SetRunOption(ei *ExecInfo) {
 	fn(ei)
 }

+func Network(n pb.NetMode) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = network(n)(ei.State)
+	})
+}
+
 func Shlex(str string) RunOption {
 	return Shlexf(str)
 }
@ -509,3 +520,9 @@ const (
 	CacheMountPrivate
 	CacheMountLocked
 )
+
+const (
+	NetModeSandbox = pb.NetMode_UNSET
+	NetModeHost    = pb.NetMode_HOST
+	NetModeNone    = pb.NetMode_NONE
+)
--- a/client/llb/meta.go
+++ b/client/llb/meta.go
@ -7,6 +7,7 @@ import (

 	"github.com/containerd/containerd/platforms"
 	"github.com/google/shlex"
+	"github.com/moby/buildkit/solver/pb"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 )

@ -19,6 +20,7 @@ var (
 	keyUser      = contextKeyT("llb.exec.user")
 	keyExtraHost = contextKeyT("llb.exec.extrahost")
 	keyPlatform  = contextKeyT("llb.platform")
+	keyNetwork   = contextKeyT("llb.network")
 )

 func addEnv(key, value string) StateOption {
@ -145,6 +147,21 @@ type HostIP struct {
 	IP   net.IP
 }

+func network(v pb.NetMode) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyNetwork, v)
+	}
+}
+
+func getNetwork(s State) pb.NetMode {
+	v := s.Value(keyNetwork)
+	if v != nil {
+		n := v.(pb.NetMode)
+		return n
+	}
+	return NetModeSandbox
+}
+
 type EnvList []KeyValue

 type KeyValue struct {
--- a/client/llb/state.go
+++ b/client/llb/state.go
@ -188,6 +188,7 @@ func (s State) Run(ro ...RunOption) ExecState {
 		User:       getUser(ei.State),
 		ProxyEnv:   ei.ProxyEnv,
 		ExtraHosts: getExtraHosts(ei.State),
+		Network:    getNetwork(ei.State),
 	}

 	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
@ -249,6 +250,14 @@ func (s State) GetPlatform() *specs.Platform {
 	return getPlatform(s)
 }

+func (s State) Network(n pb.NetMode) State {
+	return network(n)(s)
+}
+
+func (s State) GetNetwork() pb.NetMode {
+	return getNetwork(s)
+}
+
 func (s State) With(so ...StateOption) State {
 	for _, o := range so {
 		s = o(s)
--- a/client/solve.go
+++ b/client/solve.go
@ -15,6 +15,7 @@ import (
 	"github.com/moby/buildkit/session/filesync"
 	"github.com/moby/buildkit/session/grpchijack"
 	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/entitlements"
 	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@ -22,18 +23,19 @@ import (
 )

 type SolveOpt struct {
-	Exporter          string
-	ExporterAttrs     map[string]string
-	ExporterOutput    io.WriteCloser // for ExporterOCI and ExporterDocker
-	ExporterOutputDir string         // for ExporterLocal
-	LocalDirs         map[string]string
-	SharedKey         string
-	Frontend          string
-	FrontendAttrs     map[string]string
-	ExportCache       string
-	ExportCacheAttrs  map[string]string
-	ImportCache       []string
-	Session           []session.Attachable
+	Exporter            string
+	ExporterAttrs       map[string]string
+	ExporterOutput      io.WriteCloser // for ExporterOCI and ExporterDocker
+	ExporterOutputDir   string         // for ExporterLocal
+	LocalDirs           map[string]string
+	SharedKey           string
+	Frontend            string
+	FrontendAttrs       map[string]string
+	ExportCache         string
+	ExportCacheAttrs    map[string]string
+	ImportCache         []string
+	Session             []session.Attachable
+	AllowedEntitlements []entitlements.Entitlement
 }

 // Solve calls Solve on the controller.
@ -137,6 +139,7 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 				ImportRefs:  opt.ImportCache,
 				ExportAttrs: opt.ExportCacheAttrs,
 			},
+			Entitlements: opt.AllowedEntitlements,
 		})
 		if err != nil {
 			return errors.Wrap(err, "failed to solve")
--- a/control/control.go
+++ b/control/control.go
@ -216,7 +216,7 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 		Exporter:        expi,
 		CacheExporter:   cacheExporter,
 		CacheExportMode: parseCacheExporterOpt(req.Cache.ExportAttrs),
-	})
+	}, req.Entitlements)
 	if err != nil {
 		return nil, err
 	}
--- a/executor/containerdexecutor/executor.go
+++ b/executor/containerdexecutor/executor.go
@ -15,6 +15,7 @@ import (
 	"github.com/moby/buildkit/executor/oci"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/network"
 	"github.com/moby/buildkit/util/system"
 	"github.com/pkg/errors"
@ -78,17 +79,27 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 		lm.Unmount()
 	}

-	hostNetworkEnabled := true
 	var iface network.Interface
-	if w.networkProvider != nil {
-		iface, err = w.networkProvider.NewInterface()
-		if err == nil && iface != nil {
-			hostNetworkEnabled = false
+	// FIXME: still uses host if no provider configured
+	if meta.NetMode == pb.NetMode_UNSET {
+		if w.networkProvider != nil {
+			var err error
+			iface, err = w.networkProvider.NewInterface()
+			if err != nil || iface == nil {
+				meta.NetMode = pb.NetMode_HOST
+			}
+		} else {
+			meta.NetMode = pb.NetMode_HOST
 		}
 	}
-	if hostNetworkEnabled {
+	if meta.NetMode == pb.NetMode_HOST {
 		logrus.Info("enabling HostNetworking")
 	}
+	defer func() {
+		if iface != nil {
+			w.networkProvider.Release(iface)
+		}
+	}()

 	opts := []containerdoci.SpecOpts{oci.WithUIDGID(uid, gid, sgids)}
 	if meta.ReadonlyRootFS {
@ -97,7 +108,7 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 	if system.SeccompSupported() {
 		opts = append(opts, seccomp.WithDefaultProfile())
 	}
-	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, hostNetworkEnabled, opts...)
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...)
 	if err != nil {
 		return err
 	}
@ -134,7 +145,6 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 	defer func() {
 		if iface != nil {
 			iface.Remove(int(task.Pid()))
-			w.networkProvider.Release(iface)
 		}

 		if _, err1 := task.Delete(context.TODO()); err == nil && err1 != nil {
--- a/executor/executor.go
+++ b/executor/executor.go
@ -6,6 +6,7 @@ import (
 	"net"

 	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/solver/pb"
 )

 type Meta struct {
@ -15,9 +16,8 @@ type Meta struct {
 	Cwd            string
 	Tty            bool
 	ReadonlyRootFS bool
-	// DisableNetworking bool
-
-	ExtraHosts []HostIP
+	ExtraHosts     []HostIP
+	NetMode        pb.NetMode
 }

 type Mount struct {
--- a/executor/runcexecutor/executor.go
+++ b/executor/runcexecutor/executor.go
@ -22,6 +22,7 @@ import (
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/executor/oci"
 	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/network"
 	rootlessspecconv "github.com/moby/buildkit/util/rootless/specconv"
 	"github.com/moby/buildkit/util/system"
@ -106,16 +107,20 @@ func New(opt Opt, networkProvider network.Provider) (executor.Executor, error) {
 }

 func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.Mountable, mounts []executor.Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
-	hostNetworkEnabled := true
 	var iface network.Interface
-	if w.networkProvider != nil {
-		var err error
-		iface, err = w.networkProvider.NewInterface()
-		if err == nil && iface != nil {
-			hostNetworkEnabled = false
+	// FIXME: still uses host if no provider configured
+	if meta.NetMode == pb.NetMode_UNSET {
+		if w.networkProvider != nil {
+			var err error
+			iface, err = w.networkProvider.NewInterface()
+			if err != nil || iface == nil {
+				meta.NetMode = pb.NetMode_HOST
+			}
+		} else {
+			meta.NetMode = pb.NetMode_HOST
 		}
 	}
-	if hostNetworkEnabled {
+	if meta.NetMode == pb.NetMode_HOST {
 		logrus.Info("enabling HostNetworking")
 	}
 	defer func() {
@ -182,7 +187,7 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 	if meta.ReadonlyRootFS {
 		opts = append(opts, containerdoci.WithRootFSReadonly())
 	}
-	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, hostNetworkEnabled, opts...)
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...)
 	if err != nil {
 		return err
 	}
--- a/solver/jobs.go
+++ b/solver/jobs.go
@ -21,6 +21,7 @@ type ResolveOpFunc func(Vertex, Builder) (Op, error)
 type Builder interface {
 	Build(ctx context.Context, e Edge) (CachedResult, error)
 	Context(ctx context.Context) context.Context
+	EachValue(ctx context.Context, key string, fn func(interface{}) error) error
 }

 // Solver provides a shared graph of all the vertexes currently being
@ -169,10 +170,22 @@ func (sb *subBuilder) Context(ctx context.Context) context.Context {
 	return progress.WithProgress(ctx, sb.mpw)
 }

+func (sb *subBuilder) EachValue(ctx context.Context, key string, fn func(interface{}) error) error {
+	sb.mu.Lock()
+	defer sb.mu.Lock()
+	for j := range sb.jobs {
+		if err := j.EachValue(ctx, key, fn); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 type Job struct {
-	list *Solver
-	pr   *progress.MultiReader
-	pw   progress.Writer
+	list   *Solver
+	pr     *progress.MultiReader
+	pw     progress.Writer
+	values sync.Map

 	progressCloser func()
 	SessionID      string
@ -446,6 +459,18 @@ func (j *Job) Context(ctx context.Context) context.Context {
 	return progress.WithProgress(ctx, j.pw)
 }

+func (j *Job) SetValue(key string, v interface{}) {
+	j.values.Store(key, v)
+}
+
+func (j *Job) EachValue(ctx context.Context, key string, fn func(interface{}) error) error {
+	v, ok := j.values.Load(key)
+	if ok {
+		return fn(v)
+	}
+	return nil
+}
+
 type cacheMapResp struct {
 	*CacheMap
 	complete bool
--- a/solver/llbsolver/bridge.go
+++ b/solver/llbsolver/bridge.go
@ -75,7 +75,12 @@ func (b *llbBridge) Solve(ctx context.Context, req frontend.SolveRequest) (res *
 	}

 	if req.Definition != nil && req.Definition.Def != nil {
-		edge, err := Load(req.Definition, WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
+		ent, err := loadEntitlements(b.builder)
+		if err != nil {
+			return nil, err
+		}
+
+		edge, err := Load(req.Definition, ValidateEntitlements(ent), WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
 		if err != nil {
 			return nil, err
 		}
--- a/solver/llbsolver/ops/exec.go
+++ b/solver/llbsolver/ops/exec.go
@ -527,6 +527,7 @@ func (e *execOp) Exec(ctx context.Context, inputs []solver.Result) ([]solver.Res
 		User:           e.op.Meta.User,
 		ReadonlyRootFS: readonlyRootFS,
 		ExtraHosts:     extraHosts,
+		NetMode:        e.op.Network,
 	}

 	if e.op.Meta.ProxyEnv != nil {
--- a/solver/llbsolver/solver.go
+++ b/solver/llbsolver/solver.go
@ -12,6 +12,7 @@ import (
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/moby/buildkit/util/progress"
 	"github.com/moby/buildkit/worker"
 	digest "github.com/opencontainers/go-digest"
@ -19,6 +20,8 @@ import (
 	"github.com/pkg/errors"
 )

+const keyEntitlements = "llb.entitlements"
+
 type ExporterRequest struct {
 	Exporter        exporter.ExporterInstance
 	CacheExporter   remotecache.Exporter
@ -78,12 +81,19 @@ func (s *Solver) Bridge(b solver.Builder) frontend.FrontendLLBBridge {
 	}
 }

-func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest) (*client.SolveResponse, error) {
+func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest, ent []entitlements.Entitlement) (*client.SolveResponse, error) {
+	set, err := entitlements.WhiteList(ent, supportedEntitlements())
+	if err != nil {
+		return nil, err
+	}
+
 	j, err := s.solver.NewJob(id)
 	if err != nil {
 		return nil, err
 	}

+	j.SetValue(keyEntitlements, set)
+
 	defer j.Discard()

 	j.SessionID = session.FromContext(ctx)
@ -232,3 +242,31 @@ func notifyCompleted(ctx context.Context, v *client.Vertex, err error, cached bo
 	}
 	pw.Write(v.Digest.String(), *v)
 }
+
+var AllowNetworkHostUnstable = false // TODO: enable in constructor
+
+func supportedEntitlements() []entitlements.Entitlement {
+	out := []entitlements.Entitlement{} // nil means no filter
+	if AllowNetworkHostUnstable {
+		out = append(out, entitlements.EntitlementNetworkHost)
+	}
+	return out
+}
+
+func loadEntitlements(b solver.Builder) (entitlements.Set, error) {
+	var ent entitlements.Set = map[entitlements.Entitlement]struct{}{}
+	err := b.EachValue(context.TODO(), keyEntitlements, func(v interface{}) error {
+		set, ok := v.(entitlements.Set)
+		if !ok {
+			return errors.Errorf("invalid entitlements %T", v)
+		}
+		for k := range set {
+			ent[k] = struct{}{}
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return ent, nil
+}
--- a/solver/llbsolver/vertex.go
+++ b/solver/llbsolver/vertex.go
@ -7,6 +7,7 @@ import (
 	"github.com/moby/buildkit/solver"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/util/entitlements"
 	digest "github.com/opencontainers/go-digest"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@ -99,6 +100,25 @@ func RuntimePlatforms(p []specs.Platform) LoadOpt {
 	}
 }

+func ValidateEntitlements(ent entitlements.Set) LoadOpt {
+	return func(op *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error {
+		switch op := op.Op.(type) {
+		case *pb.Op_Exec:
+			if op.Exec.Network == pb.NetMode_HOST {
+				if !ent.Allowed(entitlements.EntitlementNetworkHost) {
+					return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkHost)
+				}
+			}
+			if op.Exec.Network == pb.NetMode_NONE {
+				if !ent.Allowed(entitlements.EntitlementNetworkNone) {
+					return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkNone)
+				}
+			}
+		}
+		return nil
+	}
+}
+
 func Load(def *pb.Definition, opts ...LoadOpt) (solver.Edge, error) {
 	return loadLLB(def, func(dgst digest.Digest, pbOp *pb.Op, load func(digest.Digest) (solver.Vertex, error)) (solver.Vertex, error) {
 		opMetadata := def.Metadata[dgst]
--- a/solver/pb/caps.go
+++ b/solver/pb/caps.go
@ -32,6 +32,7 @@ const (

 	CapExecMetaBase          apicaps.CapID = "exec.meta.base"
 	CapExecMetaProxy         apicaps.CapID = "exec.meta.proxyenv"
+	CapExecMetaNetwork       apicaps.CapID = "exec.meta.network"
 	CapExecMountBind         apicaps.CapID = "exec.mount.bind"
 	CapExecMountCache        apicaps.CapID = "exec.mount.cache"
 	CapExecMountCacheSharing apicaps.CapID = "exec.mount.cache.sharing"
@ -162,6 +163,12 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})

+	Caps.Init(apicaps.Cap{
+		ID:      CapExecMetaNetwork,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapExecMountBind,
 		Enabled: true,
--- a/solver/pb/ops.pb.go
+++ b/solver/pb/ops.pb.go
@ -54,6 +54,30 @@ var _ = math.Inf
 // proto package needs to be updated.
 const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

+type NetMode int32
+
+const (
+	NetMode_UNSET NetMode = 0
+	NetMode_HOST  NetMode = 1
+	NetMode_NONE  NetMode = 2
+)
+
+var NetMode_name = map[int32]string{
+	0: "UNSET",
+	1: "HOST",
+	2: "NONE",
+}
+var NetMode_value = map[string]int32{
+	"UNSET": 0,
+	"HOST":  1,
+	"NONE":  2,
+}
+
+func (x NetMode) String() string {
+	return proto.EnumName(NetMode_name, int32(x))
+}
+func (NetMode) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+
 // MountType defines a type of a mount from a supported set
 type MountType int32

@ -83,7 +107,7 @@ var MountType_value = map[string]int32{
 func (x MountType) String() string {
 	return proto.EnumName(MountType_name, int32(x))
 }
-func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }

 // CacheSharingOpt defines different sharing modes for cache mount
 type CacheSharingOpt int32
@ -111,7 +135,7 @@ var CacheSharingOpt_value = map[string]int32{
 func (x CacheSharingOpt) String() string {
 	return proto.EnumName(CacheSharingOpt_name, int32(x))
 }
-func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
+func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{2} }

 // Op represents a vertex of the LLB DAG.
 type Op struct {
@ -388,8 +412,9 @@ func (*Input) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{2}

 // ExecOp executes a command in a container.
 type ExecOp struct {
-	Meta   *Meta    `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"`
-	Mounts []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"`
+	Meta    *Meta    `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"`
+	Mounts  []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"`
+	Network NetMode  `protobuf:"varint,3,opt,name=network,proto3,enum=pb.NetMode" json:"network,omitempty"`
 }

 func (m *ExecOp) Reset()                    { *m = ExecOp{} }
@ -411,6 +436,13 @@ func (m *ExecOp) GetMounts() []*Mount {
 	return nil
 }

+func (m *ExecOp) GetNetwork() NetMode {
+	if m != nil {
+		return m.Network
+	}
+	return NetMode_UNSET
+}
+
 // Meta is a set of arguments for ExecOp.
 // Meta is unrelated to LLB metadata.
 // FIXME: rename (ExecContext? ExecArgs?)
@ -917,6 +949,7 @@ func init() {
 	proto.RegisterType((*WorkerConstraints)(nil), "pb.WorkerConstraints")
 	proto.RegisterType((*Definition)(nil), "pb.Definition")
 	proto.RegisterType((*HostIP)(nil), "pb.HostIP")
+	proto.RegisterEnum("pb.NetMode", NetMode_name, NetMode_value)
 	proto.RegisterEnum("pb.MountType", MountType_name, MountType_value)
 	proto.RegisterEnum("pb.CacheSharingOpt", CacheSharingOpt_name, CacheSharingOpt_value)
 }
@ -1156,6 +1189,11 @@ func (m *ExecOp) MarshalTo(dAtA []byte) (int, error) {
 			i += n
 		}
 	}
+	if m.Network != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Network))
+	}
 	return i, nil
 }

@ -1988,6 +2026,9 @@ func (m *ExecOp) Size() (n int) {
 			n += 1 + l + sovOps(uint64(l))
 		}
 	}
+	if m.Network != 0 {
+		n += 1 + sovOps(uint64(m.Network))
+	}
 	return n
 }

@ -2967,6 +3008,25 @@ func (m *ExecOp) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Network", wireType)
+			}
+			m.Network = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Network |= (NetMode(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipOps(dAtA[iNdEx:])
@ -5603,91 +5663,94 @@ var (
 func init() { proto.RegisterFile("ops.proto", fileDescriptorOps) }

 var fileDescriptorOps = []byte{
-	// 1371 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0xcb, 0x6f, 0xdb, 0x46,
-	0x13, 0x37, 0xa9, 0x87, 0xc5, 0xa1, 0xed, 0xe8, 0xdb, 0x3c, 0x3e, 0x7d, 0xfe, 0x52, 0xdb, 0x65,
-	0x8a, 0xc2, 0xb1, 0x63, 0x19, 0x50, 0x80, 0x24, 0xe8, 0x21, 0xa8, 0xf5, 0x08, 0xac, 0xa6, 0xa9,
-	0x8c, 0x95, 0xe1, 0x1e, 0x03, 0x9a, 0x5a, 0xc9, 0x44, 0x64, 0x2e, 0x41, 0xae, 0x52, 0xeb, 0xd2,
-	0x43, 0xfe, 0x82, 0x02, 0x05, 0x7a, 0xef, 0xb1, 0x97, 0xfe, 0x07, 0xbd, 0xe7, 0xd8, 0x6b, 0x7b,
-	0x48, 0x8b, 0xf4, 0x1f, 0x29, 0x66, 0x76, 0x29, 0x32, 0x8f, 0xa2, 0x09, 0xda, 0x13, 0x67, 0xe7,
-	0xf1, 0xdb, 0xdd, 0xdf, 0xcc, 0xce, 0x10, 0x1c, 0x19, 0xa7, 0xcd, 0x38, 0x91, 0x4a, 0x32, 0x3b,
-	0x3e, 0x5d, 0xdf, 0x9b, 0x84, 0xea, 0x6c, 0x76, 0xda, 0x0c, 0xe4, 0xf9, 0xfe, 0x44, 0x4e, 0xe4,
-	0x3e, 0x99, 0x4e, 0x67, 0x63, 0x5a, 0xd1, 0x82, 0x24, 0x1d, 0xe2, 0x7d, 0x6f, 0x83, 0x3d, 0x88,
-	0xd9, 0x87, 0x50, 0x0d, 0xa3, 0x78, 0xa6, 0xd2, 0x86, 0xb5, 0x55, 0xda, 0x76, 0x5b, 0x4e, 0x33,
-	0x3e, 0x6d, 0xf6, 0x51, 0xc3, 0x8d, 0x81, 0x6d, 0x41, 0x59, 0x5c, 0x88, 0xa0, 0x61, 0x6f, 0x59,
-	0xdb, 0x6e, 0x0b, 0xd0, 0xa1, 0x77, 0x21, 0x82, 0x41, 0x7c, 0xb8, 0xc4, 0xc9, 0xc2, 0x3e, 0x86,
-	0x6a, 0x2a, 0x67, 0x49, 0x20, 0x1a, 0x25, 0xf2, 0x59, 0x41, 0x9f, 0x21, 0x69, 0xc8, 0xcb, 0x58,
-	0x11, 0x29, 0x90, 0xf1, 0xbc, 0x51, 0xce, 0x91, 0x3a, 0x32, 0x9e, 0x6b, 0x24, 0xb4, 0xb0, 0x1b,
-	0x50, 0x39, 0x9d, 0x85, 0xd3, 0x51, 0xa3, 0x42, 0x2e, 0x2e, 0xba, 0xb4, 0x51, 0x41, 0x3e, 0xda,
-	0xc6, 0xb6, 0xa1, 0x16, 0x4f, 0x7d, 0x35, 0x96, 0xc9, 0x79, 0x03, 0xf2, 0x0d, 0x8f, 0x8c, 0x8e,
-	0x2f, 0xac, 0xec, 0x2e, 0xb8, 0x81, 0x8c, 0x52, 0x95, 0xf8, 0x61, 0xa4, 0xd2, 0x86, 0x4b, 0xce,
-	0x57, 0xd1, 0xf9, 0x4b, 0x99, 0x3c, 0x11, 0x49, 0x27, 0x37, 0xf2, 0xa2, 0x67, 0xbb, 0x0c, 0xb6,
-	0x8c, 0xbd, 0xef, 0x2c, 0xa8, 0x65, 0xa8, 0xcc, 0x83, 0x95, 0x83, 0x24, 0x38, 0x0b, 0x95, 0x08,
-	0xd4, 0x2c, 0x11, 0x0d, 0x6b, 0xcb, 0xda, 0x76, 0xf8, 0x2b, 0x3a, 0xb6, 0x06, 0xf6, 0x60, 0x48,
-	0x44, 0x39, 0xdc, 0x1e, 0x0c, 0x59, 0x03, 0x96, 0x4f, 0xfc, 0x24, 0xf4, 0x23, 0x45, 0xcc, 0x38,
-	0x3c, 0x5b, 0xb2, 0xeb, 0xe0, 0x0c, 0x86, 0x27, 0x22, 0x49, 0x43, 0x19, 0x11, 0x1f, 0x0e, 0xcf,
-	0x15, 0x6c, 0x03, 0x60, 0x30, 0x7c, 0x20, 0x7c, 0x04, 0x4d, 0x1b, 0x95, 0xad, 0xd2, 0xb6, 0xc3,
-	0x0b, 0x1a, 0xef, 0x6b, 0xa8, 0x50, 0x8e, 0xd8, 0x67, 0x50, 0x1d, 0x85, 0x13, 0x91, 0x2a, 0x7d,
-	0x9c, 0x76, 0xeb, 0xf9, 0x8b, 0xcd, 0xa5, 0x5f, 0x5f, 0x6c, 0xee, 0x14, 0x8a, 0x41, 0xc6, 0x22,
-	0x0a, 0x64, 0xa4, 0xfc, 0x30, 0x12, 0x49, 0xba, 0x3f, 0x91, 0x7b, 0x3a, 0xa4, 0xd9, 0xa5, 0x0f,
-	0x37, 0x08, 0xec, 0x26, 0x54, 0xc2, 0x68, 0x24, 0x2e, 0xe8, 0xfc, 0xa5, 0xf6, 0x65, 0x03, 0xe5,
-	0x0e, 0x66, 0x2a, 0x9e, 0xa9, 0x3e, 0x9a, 0xb8, 0xf6, 0xf0, 0xfa, 0x50, 0xd5, 0x25, 0xc0, 0xae,
-	0x43, 0xf9, 0x5c, 0x28, 0x9f, 0xb6, 0x77, 0x5b, 0x35, 0xa4, 0xf6, 0x91, 0x50, 0x3e, 0x27, 0x2d,
-	0x56, 0xd7, 0xb9, 0x9c, 0x21, 0xf5, 0x76, 0x5e, 0x5d, 0x8f, 0x50, 0xc3, 0x8d, 0xc1, 0xfb, 0xc1,
-	0x82, 0x32, 0x46, 0x30, 0x06, 0x65, 0x3f, 0x99, 0xe8, 0x3a, 0x74, 0x38, 0xc9, 0xac, 0x0e, 0x25,
-	0x11, 0x3d, 0xa5, 0x60, 0x87, 0xa3, 0x88, 0x9a, 0xe0, 0xab, 0x91, 0x61, 0x13, 0x45, 0x8c, 0x9b,
-	0xa5, 0x22, 0x31, 0x24, 0x92, 0xcc, 0x6e, 0x82, 0x13, 0x27, 0xf2, 0x62, 0xfe, 0x18, 0xa3, 0x2b,
-	0x85, 0x12, 0x41, 0x65, 0x2f, 0x7a, 0xca, 0x6b, 0xb1, 0x91, 0xd8, 0x0e, 0x80, 0xb8, 0x50, 0x89,
-	0x7f, 0x28, 0x53, 0x95, 0x36, 0xaa, 0x74, 0x4c, 0xaa, 0x4c, 0x54, 0xf4, 0x8f, 0x78, 0xc1, 0xea,
-	0xfd, 0x68, 0x43, 0x85, 0x4e, 0xcf, 0xb6, 0x91, 0xab, 0x78, 0xa6, 0x69, 0x2f, 0xb5, 0x99, 0xe1,
-	0x0a, 0x28, 0x2b, 0x0b, 0xaa, 0x30, 0x43, 0xeb, 0x50, 0x4b, 0xc5, 0x54, 0x04, 0x4a, 0x26, 0xa6,
-	0x30, 0x16, 0x6b, 0x3c, 0xfa, 0x08, 0x73, 0xa7, 0x6f, 0x43, 0x32, 0xdb, 0x85, 0xaa, 0x24, 0xc2,
-	0xe9, 0x42, 0x7f, 0x91, 0x06, 0xe3, 0x82, 0xe0, 0x89, 0xf0, 0x47, 0x32, 0x9a, 0xce, 0xe9, 0x9a,
-	0x35, 0xbe, 0x58, 0xb3, 0x5d, 0x70, 0x88, 0xe2, 0xe3, 0x79, 0x2c, 0x1a, 0xd5, 0x2d, 0x6b, 0x7b,
-	0xad, 0xb5, 0xba, 0xa0, 0x1f, 0x95, 0x3c, 0xb7, 0xe3, 0x93, 0x0a, 0xfc, 0xe0, 0x4c, 0x0c, 0x62,
-	0xd5, 0xb8, 0x92, 0xf3, 0xd5, 0x31, 0x3a, 0xbe, 0xb0, 0x22, 0x6c, 0x2a, 0x82, 0x44, 0x28, 0x74,
-	0xbd, 0x4a, 0xae, 0x04, 0x3b, 0xcc, 0x94, 0x3c, 0xb7, 0x7b, 0x7d, 0xa8, 0x65, 0x10, 0xf8, 0x36,
-	0xfa, 0x5d, 0xf3, 0x6a, 0xec, 0x7e, 0x97, 0xed, 0xc1, 0x72, 0x7a, 0xe6, 0x27, 0x61, 0x34, 0x21,
-	0x5e, 0xd6, 0x5a, 0x97, 0x17, 0x3b, 0x0e, 0xb5, 0x1e, 0xc1, 0x32, 0x1f, 0x4f, 0x82, 0xb3, 0xd8,
-	0xe2, 0x0d, 0xac, 0x3a, 0x94, 0x66, 0xe1, 0x88, 0x70, 0x56, 0x39, 0x8a, 0xa8, 0x99, 0x84, 0xba,
-	0x4e, 0x56, 0x39, 0x8a, 0x48, 0xf6, 0xb9, 0x1c, 0x09, 0xa2, 0x75, 0x95, 0x93, 0x8c, 0xfc, 0xc9,
-	0x58, 0x85, 0x32, 0xf2, 0xa7, 0x19, 0x7f, 0xd9, 0xda, 0xbb, 0x0f, 0x55, 0xdd, 0x9c, 0xd8, 0x16,
-	0x94, 0xd2, 0x24, 0x30, 0x0d, 0x72, 0x2d, 0xeb, 0x5a, 0xba, 0xbf, 0x71, 0x34, 0x2d, 0x12, 0x69,
-	0xe7, 0x89, 0xf4, 0x38, 0x40, 0xee, 0xf6, 0xef, 0x14, 0x8c, 0xf7, 0xad, 0x05, 0xb5, 0xac, 0xaf,
-	0x62, 0x93, 0x08, 0x47, 0x22, 0x52, 0xe1, 0x38, 0x14, 0x89, 0x21, 0xa3, 0xa0, 0x61, 0x7b, 0x50,
-	0xf1, 0x95, 0x4a, 0xb2, 0xb7, 0xf7, 0xdf, 0x62, 0x53, 0x6e, 0x1e, 0xa0, 0xa5, 0x17, 0xa9, 0x64,
-	0xce, 0xb5, 0xd7, 0xfa, 0x3d, 0x80, 0x5c, 0x89, 0xfc, 0x3d, 0x11, 0x73, 0x83, 0x8a, 0x22, 0xbb,
-	0x02, 0x95, 0xa7, 0xfe, 0x74, 0x26, 0xcc, 0xa1, 0xf4, 0xe2, 0x13, 0xfb, 0x9e, 0xe5, 0xfd, 0x64,
-	0xc3, 0xb2, 0x69, 0xd2, 0xec, 0x16, 0x2c, 0x53, 0x93, 0x36, 0x27, 0x7a, 0xfb, 0x4d, 0x33, 0x17,
-	0xb6, 0xbf, 0x98, 0x3e, 0x85, 0x33, 0x1a, 0x28, 0x3d, 0x85, 0xcc, 0x19, 0xf3, 0x59, 0x54, 0x1a,
-	0x89, 0xb1, 0x19, 0x33, 0x94, 0x8a, 0xae, 0x18, 0x87, 0x51, 0x88, 0x39, 0xe3, 0x68, 0x62, 0xb7,
-	0xb2, 0x5b, 0x97, 0x09, 0xf1, 0x5a, 0x11, 0xf1, 0xcd, 0x4b, 0xf7, 0xc1, 0x2d, 0x6c, 0xf3, 0x96,
-	0x5b, 0x7f, 0x54, 0xbc, 0xb5, 0xd9, 0x92, 0xe0, 0xf4, 0x8c, 0xcc, 0x59, 0xf8, 0x07, 0xfc, 0xdd,
-	0x01, 0xc8, 0x21, 0xdf, 0xbd, 0x52, 0xbc, 0x67, 0x25, 0x80, 0x41, 0x8c, 0xcd, 0x73, 0xe4, 0x53,
-	0xb3, 0x5d, 0x09, 0x27, 0x91, 0x4c, 0xc4, 0x63, 0x7a, 0xac, 0x14, 0x5f, 0xe3, 0xae, 0xd6, 0xd1,
-	0xbb, 0x62, 0x07, 0xe0, 0x8e, 0x44, 0x1a, 0x24, 0x21, 0x15, 0xb9, 0x21, 0x7d, 0x13, 0xef, 0x94,
-	0xe3, 0x34, 0xbb, 0xb9, 0x87, 0xe6, 0xaa, 0x18, 0xc3, 0x5a, 0xb0, 0x22, 0x2e, 0x62, 0x99, 0x28,
-	0xb3, 0x8b, 0x9e, 0xe5, 0x97, 0xf4, 0x5f, 0x01, 0xea, 0x69, 0x27, 0xee, 0x8a, 0x7c, 0xc1, 0x7c,
-	0x28, 0x07, 0x7e, 0xac, 0x07, 0x99, 0xdb, 0x6a, 0xbc, 0xb6, 0x5f, 0xc7, 0x8f, 0x35, 0x69, 0xed,
-	0xdb, 0x78, 0xd7, 0x67, 0xbf, 0x6d, 0xee, 0x16, 0xa6, 0xd7, 0xb9, 0x3c, 0x9d, 0xef, 0x53, 0xbd,
-	0x3c, 0x09, 0xd5, 0xfe, 0x4c, 0x85, 0xd3, 0x7d, 0x3f, 0x0e, 0x11, 0x0e, 0x03, 0xfb, 0x5d, 0x4e,
-	0xd0, 0xeb, 0xf7, 0xa1, 0xfe, 0xfa, 0xb9, 0xdf, 0x27, 0x07, 0xeb, 0x77, 0xc1, 0x59, 0x9c, 0xe3,
-	0xef, 0x02, 0x6b, 0xc5, 0xe4, 0xdd, 0x00, 0xb7, 0x70, 0x6f, 0x74, 0x3c, 0x21, 0x47, 0xcd, 0xbe,
-	0x5e, 0x78, 0xcf, 0xf0, 0x47, 0x22, 0x9b, 0x38, 0x1f, 0x00, 0x9c, 0x29, 0x15, 0x3f, 0xa6, 0x11,
-	0x64, 0x36, 0x71, 0x50, 0x43, 0x1e, 0x6c, 0x13, 0x5c, 0x5c, 0xa4, 0xc6, 0xae, 0x4f, 0x4a, 0x11,
-	0xa9, 0x76, 0xf8, 0x3f, 0x38, 0xe3, 0x45, 0xb8, 0x1e, 0x1d, 0xb5, 0x71, 0x16, 0xfd, 0x3f, 0xa8,
-	0x45, 0xd2, 0xd8, 0xf4, 0x44, 0x5c, 0x8e, 0x24, 0x99, 0xbc, 0x5d, 0xf8, 0xcf, 0x1b, 0x7f, 0x3d,
-	0xec, 0x1a, 0x54, 0xc7, 0xe1, 0x54, 0xd1, 0x73, 0xc5, 0x21, 0x6b, 0x56, 0xde, 0x2f, 0x16, 0x40,
-	0xfe, 0xb4, 0x90, 0x11, 0x7c, 0x77, 0xe8, 0xb3, 0xa2, 0xdf, 0xd9, 0x14, 0x6a, 0xe7, 0x26, 0x83,
-	0xa6, 0x8e, 0xae, 0xbf, 0xfa, 0x1c, 0x9b, 0x59, 0x82, 0x75, 0x6e, 0x5b, 0x26, 0xb7, 0xef, 0xf3,
-	0x67, 0xb2, 0xd8, 0x61, 0xfd, 0x21, 0xac, 0xbe, 0x02, 0xf7, 0x8e, 0x2f, 0x35, 0xaf, 0xb2, 0x62,
-	0xca, 0x6e, 0x41, 0x55, 0x0f, 0x77, 0xec, 0xdb, 0x28, 0x19, 0x18, 0x92, 0x69, 0xb6, 0x1c, 0x65,
-	0xff, 0x70, 0xfd, 0xa3, 0x9d, 0x4f, 0xc1, 0x59, 0x8c, 0x4c, 0x56, 0x83, 0x72, 0xbb, 0xff, 0x45,
-	0xb7, 0xbe, 0xc4, 0x00, 0xaa, 0xc3, 0x5e, 0x87, 0xf7, 0x8e, 0xeb, 0x16, 0x5b, 0x86, 0xd2, 0x70,
-	0x78, 0x58, 0xb7, 0x99, 0x03, 0x95, 0xce, 0x41, 0xe7, 0xb0, 0x57, 0x2f, 0xa1, 0x78, 0xfc, 0xe8,
-	0xe8, 0xc1, 0xb0, 0x5e, 0xde, 0xb9, 0x03, 0x97, 0x5e, 0x1b, 0x6b, 0x14, 0x7d, 0x78, 0xc0, 0x7b,
-	0x88, 0xe4, 0xc2, 0xf2, 0x11, 0xef, 0x9f, 0x1c, 0x1c, 0xf7, 0xea, 0x16, 0x1a, 0x3e, 0x1f, 0x74,
-	0x1e, 0xf6, 0xba, 0x75, 0xbb, 0x5d, 0x7f, 0xfe, 0x72, 0xc3, 0xfa, 0xf9, 0xe5, 0x86, 0xf5, 0xfb,
-	0xcb, 0x0d, 0xeb, 0x9b, 0x3f, 0x36, 0x96, 0x4e, 0xab, 0xf4, 0xef, 0x7e, 0xfb, 0xcf, 0x00, 0x00,
-	0x00, 0xff, 0xff, 0x5f, 0x7b, 0x2c, 0xa4, 0xfb, 0x0b, 0x00, 0x00,
+	// 1415 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x57, 0xcd, 0x6f, 0x1b, 0x45,
+	0x14, 0x8f, 0xd7, 0x9f, 0xfb, 0x9c, 0xa4, 0x66, 0xfa, 0x81, 0x09, 0x25, 0x09, 0x5b, 0x40, 0x69,
+	0xd2, 0x38, 0x92, 0x2b, 0xb5, 0x15, 0x87, 0x8a, 0xf8, 0xa3, 0x8a, 0x29, 0x89, 0xa3, 0x71, 0x08,
+	0xc7, 0x6a, 0xb3, 0x1e, 0x3b, 0xab, 0x38, 0x3b, 0xab, 0xdd, 0x71, 0x1b, 0x5f, 0x38, 0xf4, 0x2f,
+	0x40, 0x42, 0xe2, 0xce, 0x91, 0x0b, 0xff, 0x01, 0xf7, 0x1e, 0xb9, 0xc2, 0xa1, 0xa0, 0xf2, 0x8f,
+	0xa0, 0xf7, 0x66, 0xd6, 0xbb, 0xfd, 0x40, 0xb4, 0x82, 0x93, 0xdf, 0xbc, 0xf7, 0x9b, 0xdf, 0xcc,
+	0xfc, 0xde, 0x9b, 0x79, 0x6b, 0xb0, 0x65, 0x18, 0x37, 0xc2, 0x48, 0x2a, 0xc9, 0xac, 0xf0, 0x64,
+	0x65, 0x7b, 0xec, 0xab, 0xd3, 0xe9, 0x49, 0xc3, 0x93, 0xe7, 0x3b, 0x63, 0x39, 0x96, 0x3b, 0x14,
+	0x3a, 0x99, 0x8e, 0x68, 0x44, 0x03, 0xb2, 0xf4, 0x14, 0xe7, 0x47, 0x0b, 0xac, 0x7e, 0xc8, 0x3e,
+	0x86, 0x92, 0x1f, 0x84, 0x53, 0x15, 0xd7, 0x73, 0xeb, 0xf9, 0x8d, 0x6a, 0xd3, 0x6e, 0x84, 0x27,
+	0x8d, 0x1e, 0x7a, 0xb8, 0x09, 0xb0, 0x75, 0x28, 0x88, 0x0b, 0xe1, 0xd5, 0xad, 0xf5, 0xdc, 0x46,
+	0xb5, 0x09, 0x08, 0xe8, 0x5e, 0x08, 0xaf, 0x1f, 0xee, 0x2d, 0x70, 0x8a, 0xb0, 0xcf, 0xa0, 0x14,
+	0xcb, 0x69, 0xe4, 0x89, 0x7a, 0x9e, 0x30, 0x8b, 0x88, 0x19, 0x90, 0x87, 0x50, 0x26, 0x8a, 0x4c,
+	0x9e, 0x0c, 0x67, 0xf5, 0x42, 0xca, 0xd4, 0x96, 0xe1, 0x4c, 0x33, 0x61, 0x84, 0xdd, 0x80, 0xe2,
+	0xc9, 0xd4, 0x9f, 0x0c, 0xeb, 0x45, 0x82, 0x54, 0x11, 0xd2, 0x42, 0x07, 0x61, 0x74, 0x8c, 0x6d,
+	0x40, 0x25, 0x9c, 0xb8, 0x6a, 0x24, 0xa3, 0xf3, 0x3a, 0xa4, 0x0b, 0x1e, 0x1a, 0x1f, 0x9f, 0x47,
+	0xd9, 0x5d, 0xa8, 0x7a, 0x32, 0x88, 0x55, 0xe4, 0xfa, 0x81, 0x8a, 0xeb, 0x55, 0x02, 0x5f, 0x45,
+	0xf0, 0x37, 0x32, 0x3a, 0x13, 0x51, 0x3b, 0x0d, 0xf2, 0x2c, 0xb2, 0x55, 0x00, 0x4b, 0x86, 0xce,
+	0x0f, 0x39, 0xa8, 0x24, 0xac, 0xcc, 0x81, 0xc5, 0xdd, 0xc8, 0x3b, 0xf5, 0x95, 0xf0, 0xd4, 0x34,
+	0x12, 0xf5, 0xdc, 0x7a, 0x6e, 0xc3, 0xe6, 0x2f, 0xf9, 0xd8, 0x32, 0x58, 0xfd, 0x01, 0x09, 0x65,
+	0x73, 0xab, 0x3f, 0x60, 0x75, 0x28, 0x1f, 0xbb, 0x91, 0xef, 0x06, 0x8a, 0x94, 0xb1, 0x79, 0x32,
+	0x64, 0xd7, 0xc1, 0xee, 0x0f, 0x8e, 0x45, 0x14, 0xfb, 0x32, 0x20, 0x3d, 0x6c, 0x9e, 0x3a, 0xd8,
+	0x2a, 0x40, 0x7f, 0xf0, 0x40, 0xb8, 0x48, 0x1a, 0xd7, 0x8b, 0xeb, 0xf9, 0x0d, 0x9b, 0x67, 0x3c,
+	0xce, 0xb7, 0x50, 0xa4, 0x1c, 0xb1, 0x2f, 0xa1, 0x34, 0xf4, 0xc7, 0x22, 0x56, 0x7a, 0x3b, 0xad,
+	0xe6, 0xb3, 0xe7, 0x6b, 0x0b, 0xbf, 0x3f, 0x5f, 0xdb, 0xcc, 0x14, 0x83, 0x0c, 0x45, 0xe0, 0xc9,
+	0x40, 0xb9, 0x7e, 0x20, 0xa2, 0x78, 0x67, 0x2c, 0xb7, 0xf5, 0x94, 0x46, 0x87, 0x7e, 0xb8, 0x61,
+	0x60, 0x37, 0xa1, 0xe8, 0x07, 0x43, 0x71, 0x41, 0xfb, 0xcf, 0xb7, 0x2e, 0x1b, 0xaa, 0x6a, 0x7f,
+	0xaa, 0xc2, 0xa9, 0xea, 0x61, 0x88, 0x6b, 0x84, 0x13, 0x42, 0x49, 0x97, 0x00, 0xbb, 0x0e, 0x85,
+	0x73, 0xa1, 0x5c, 0x5a, 0xbe, 0xda, 0xac, 0xa0, 0xb4, 0xfb, 0x42, 0xb9, 0x9c, 0xbc, 0x58, 0x5d,
+	0xe7, 0x72, 0x8a, 0xd2, 0x5b, 0x69, 0x75, 0xed, 0xa3, 0x87, 0x9b, 0x00, 0xfb, 0x14, 0xca, 0x81,
+	0x50, 0x4f, 0x64, 0x74, 0x46, 0x12, 0x2d, 0xeb, 0x9c, 0x1f, 0x08, 0xb5, 0x2f, 0x87, 0x82, 0x27,
+	0x31, 0xe7, 0xa7, 0x1c, 0x14, 0x90, 0x98, 0x31, 0x28, 0xb8, 0xd1, 0x58, 0x97, 0xab, 0xcd, 0xc9,
+	0x66, 0x35, 0xc8, 0x8b, 0xe0, 0x31, 0xad, 0x61, 0x73, 0x34, 0xd1, 0xe3, 0x3d, 0x19, 0x1a, 0xd1,
+	0xd1, 0xc4, 0x79, 0xd3, 0x58, 0x44, 0x46, 0x6b, 0xb2, 0xd9, 0x4d, 0xb0, 0xc3, 0x48, 0x5e, 0xcc,
+	0x1e, 0xe1, 0xec, 0x62, 0xa6, 0x92, 0xd0, 0xd9, 0x0d, 0x1e, 0xf3, 0x4a, 0x68, 0x2c, 0xb6, 0x09,
+	0x20, 0x2e, 0x54, 0xe4, 0xee, 0xc9, 0x58, 0xc5, 0xf5, 0x12, 0x9d, 0x86, 0x0a, 0x18, 0x1d, 0xbd,
+	0x43, 0x9e, 0x89, 0x3a, 0x3f, 0x5b, 0x50, 0xa4, 0x43, 0xb2, 0x0d, 0x94, 0x34, 0x9c, 0xea, 0xec,
+	0xe4, 0x5b, 0xcc, 0x48, 0x0a, 0x94, 0xbc, 0xb9, 0xa2, 0x98, 0xc8, 0x15, 0xa8, 0xc4, 0x62, 0x22,
+	0x3c, 0x25, 0x23, 0x53, 0x3f, 0xf3, 0x31, 0x6e, 0x7d, 0x88, 0x29, 0xd6, 0xa7, 0x21, 0x9b, 0x6d,
+	0x41, 0x49, 0x52, 0x5e, 0xe8, 0x40, 0xff, 0x90, 0x2d, 0x03, 0x41, 0xf2, 0x48, 0xb8, 0x43, 0x19,
+	0x4c, 0x66, 0x74, 0xcc, 0x0a, 0x9f, 0x8f, 0xd9, 0x16, 0xd8, 0x94, 0x89, 0xa3, 0x59, 0x28, 0xea,
+	0x25, 0xca, 0xc0, 0xd2, 0x3c, 0x4b, 0xe8, 0xe4, 0x69, 0x1c, 0x6f, 0x9e, 0xe7, 0x7a, 0xa7, 0xa2,
+	0x1f, 0xaa, 0xfa, 0x95, 0x54, 0xaf, 0xb6, 0xf1, 0xf1, 0x79, 0x14, 0x69, 0x63, 0xe1, 0x45, 0x42,
+	0x21, 0xf4, 0x2a, 0x41, 0x89, 0x76, 0x90, 0x38, 0x79, 0x1a, 0x77, 0x7a, 0x50, 0x49, 0x28, 0xf0,
+	0x0a, 0xf5, 0x3a, 0xe6, 0x72, 0x59, 0xbd, 0x0e, 0xdb, 0x86, 0x72, 0x7c, 0xea, 0x46, 0x7e, 0x30,
+	0x26, 0x5d, 0x96, 0x9b, 0x97, 0xe7, 0x2b, 0x0e, 0xb4, 0x1f, 0xc9, 0x12, 0x8c, 0x23, 0xc1, 0x9e,
+	0x2f, 0xf1, 0x1a, 0x57, 0x0d, 0xf2, 0x53, 0x7f, 0x48, 0x3c, 0x4b, 0x1c, 0x4d, 0xf4, 0x8c, 0x7d,
+	0x5d, 0x27, 0x4b, 0x1c, 0x4d, 0x14, 0xfb, 0x5c, 0x0e, 0x05, 0xc9, 0xba, 0xc4, 0xc9, 0x46, 0xfd,
+	0x64, 0xa8, 0x7c, 0x19, 0xb8, 0x93, 0x44, 0xbf, 0x64, 0xec, 0xdc, 0x87, 0x92, 0x7e, 0xc3, 0xd8,
+	0x3a, 0xe4, 0xe3, 0xc8, 0x33, 0xef, 0xe8, 0x72, 0xf2, 0xb8, 0xe9, 0x67, 0x90, 0x63, 0x68, 0x9e,
+	0x48, 0x2b, 0x4d, 0xa4, 0xc3, 0x01, 0x52, 0xd8, 0xff, 0x53, 0x30, 0xce, 0xf7, 0x39, 0xa8, 0x24,
+	0xcf, 0x2f, 0xbe, 0x25, 0xfe, 0x50, 0x04, 0xca, 0x1f, 0xf9, 0x22, 0x32, 0x62, 0x64, 0x3c, 0x6c,
+	0x1b, 0x8a, 0xae, 0x52, 0x51, 0x72, 0x45, 0xdf, 0xcf, 0xbe, 0xdd, 0x8d, 0x5d, 0x8c, 0x74, 0x03,
+	0x15, 0xcd, 0xb8, 0x46, 0xad, 0xdc, 0x03, 0x48, 0x9d, 0xa8, 0xdf, 0x99, 0x98, 0x19, 0x56, 0x34,
+	0xd9, 0x15, 0x28, 0x3e, 0x76, 0x27, 0x53, 0x61, 0x36, 0xa5, 0x07, 0x9f, 0x5b, 0xf7, 0x72, 0xce,
+	0x2f, 0x16, 0x94, 0xcd, 0x5b, 0xce, 0x6e, 0x41, 0x99, 0xde, 0x72, 0xb3, 0xa3, 0x37, 0x9f, 0x34,
+	0x81, 0xb0, 0x9d, 0x79, 0x93, 0xca, 0xec, 0xd1, 0x50, 0xe9, 0x66, 0x65, 0xf6, 0x98, 0xb6, 0xac,
+	0xfc, 0x50, 0x8c, 0x4c, 0x37, 0xa2, 0x54, 0x74, 0xc4, 0xc8, 0x0f, 0x7c, 0xcc, 0x19, 0xc7, 0x10,
+	0xbb, 0x95, 0x9c, 0xba, 0x40, 0x8c, 0xd7, 0xb2, 0x8c, 0xaf, 0x1f, 0xba, 0x07, 0xd5, 0xcc, 0x32,
+	0x6f, 0x38, 0xf5, 0x27, 0xd9, 0x53, 0x9b, 0x25, 0x89, 0x4e, 0xb7, 0xd2, 0x54, 0x85, 0xff, 0xa0,
+	0xdf, 0x1d, 0x80, 0x94, 0xf2, 0xed, 0x2b, 0xc5, 0x79, 0x9a, 0x07, 0xe8, 0x87, 0xf8, 0x78, 0x0e,
+	0x5d, 0x7a, 0x93, 0x17, 0xfd, 0x71, 0x20, 0x23, 0xf1, 0x88, 0x2e, 0x2b, 0xcd, 0xaf, 0xf0, 0xaa,
+	0xf6, 0xd1, 0xbd, 0x62, 0xbb, 0x50, 0x1d, 0x8a, 0xd8, 0x8b, 0x7c, 0x2a, 0x72, 0x23, 0xfa, 0x1a,
+	0x9e, 0x29, 0xe5, 0x69, 0x74, 0x52, 0x84, 0xd6, 0x2a, 0x3b, 0x87, 0x35, 0x61, 0x51, 0x5c, 0x84,
+	0x32, 0x52, 0x66, 0x15, 0xdd, 0xf2, 0x2f, 0xe9, 0x8f, 0x07, 0xf4, 0xd3, 0x4a, 0xbc, 0x2a, 0xd2,
+	0x01, 0x73, 0xa1, 0xe0, 0xb9, 0xa1, 0xee, 0x77, 0xd5, 0x66, 0xfd, 0x95, 0xf5, 0xda, 0x6e, 0xa8,
+	0x45, 0x6b, 0xdd, 0xc6, 0xb3, 0x3e, 0xfd, 0x63, 0x6d, 0x2b, 0xd3, 0xe4, 0xce, 0xe5, 0xc9, 0x6c,
+	0x87, 0xea, 0xe5, 0xcc, 0x57, 0x3b, 0x53, 0xe5, 0x4f, 0x76, 0xdc, 0xd0, 0x47, 0x3a, 0x9c, 0xd8,
+	0xeb, 0x70, 0xa2, 0x5e, 0xb9, 0x0f, 0xb5, 0x57, 0xf7, 0xfd, 0x2e, 0x39, 0x58, 0xb9, 0x0b, 0xf6,
+	0x7c, 0x1f, 0xff, 0x36, 0xb1, 0x92, 0x4d, 0xde, 0x0d, 0xa8, 0x66, 0xce, 0x8d, 0xc0, 0x63, 0x02,
+	0x6a, 0xf5, 0xf5, 0xc0, 0x79, 0x8a, 0xdf, 0x1b, 0x49, 0xc7, 0xf9, 0x08, 0xe0, 0x54, 0xa9, 0xf0,
+	0x11, 0xb5, 0x20, 0xb3, 0x88, 0x8d, 0x1e, 0x42, 0xb0, 0x35, 0xa8, 0xe2, 0x20, 0x36, 0x71, 0xbd,
+	0x53, 0x9a, 0x11, 0x6b, 0xc0, 0x87, 0x60, 0x8f, 0xe6, 0xd3, 0x75, 0xeb, 0xa8, 0x8c, 0x92, 0xd9,
+	0x1f, 0x40, 0x25, 0x90, 0x26, 0xa6, 0x3b, 0x62, 0x39, 0x90, 0x14, 0x72, 0xb6, 0xe0, 0xbd, 0xd7,
+	0x3e, 0x8e, 0xd8, 0x35, 0x28, 0x8d, 0xfc, 0x89, 0xa2, 0xeb, 0x8a, 0x4d, 0xd6, 0x8c, 0x9c, 0xdf,
+	0x72, 0x00, 0xe9, 0xd5, 0x42, 0x45, 0xf0, 0xde, 0x21, 0x66, 0x51, 0xdf, 0xb3, 0x09, 0x54, 0xce,
+	0x4d, 0x06, 0x4d, 0x1d, 0x5d, 0x7f, 0xf9, 0x3a, 0x36, 0x92, 0x04, 0xeb, 0xdc, 0x36, 0x4d, 0x6e,
+	0xdf, 0xe5, 0x03, 0x66, 0xbe, 0xc2, 0xca, 0x43, 0x58, 0x7a, 0x89, 0xee, 0x2d, 0x6f, 0x6a, 0x5a,
+	0x65, 0xd9, 0x94, 0xdd, 0x82, 0x92, 0x6e, 0xee, 0xf8, 0x6e, 0xa3, 0x65, 0x68, 0xc8, 0xa6, 0xde,
+	0x72, 0x98, 0x7c, 0xea, 0xf5, 0x0e, 0x37, 0x37, 0xa0, 0x6c, 0x3e, 0x5a, 0x98, 0x0d, 0xc5, 0xaf,
+	0x0f, 0x06, 0xdd, 0xa3, 0xda, 0x02, 0xab, 0x40, 0x61, 0xaf, 0x3f, 0x38, 0xaa, 0xe5, 0xd0, 0x3a,
+	0xe8, 0x1f, 0x74, 0x6b, 0xd6, 0xe6, 0x17, 0x60, 0xcf, 0x9b, 0x2b, 0xba, 0x5b, 0xbd, 0x83, 0x4e,
+	0x6d, 0x81, 0x01, 0x94, 0x06, 0xdd, 0x36, 0xef, 0x22, 0xb8, 0x0c, 0xf9, 0xc1, 0x60, 0xaf, 0x66,
+	0x21, 0x55, 0x7b, 0xb7, 0xbd, 0xd7, 0xad, 0xe5, 0xd1, 0x3c, 0xda, 0x3f, 0x7c, 0x30, 0xa8, 0x15,
+	0x36, 0xef, 0xc0, 0xa5, 0x57, 0x1a, 0x20, 0xcd, 0xde, 0xdb, 0xe5, 0x5d, 0x64, 0xaa, 0x42, 0xf9,
+	0x90, 0xf7, 0x8e, 0x77, 0x8f, 0xba, 0xb5, 0x1c, 0x06, 0xbe, 0xea, 0xb7, 0x1f, 0x76, 0x3b, 0x35,
+	0xab, 0x55, 0x7b, 0xf6, 0x62, 0x35, 0xf7, 0xeb, 0x8b, 0xd5, 0xdc, 0x9f, 0x2f, 0x56, 0x73, 0xdf,
+	0xfd, 0xb5, 0xba, 0x70, 0x52, 0xa2, 0x3f, 0x03, 0xb7, 0xff, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x8c,
+	0x1e, 0x1e, 0x98, 0x4c, 0x0c, 0x00, 0x00,
 }
--- a/solver/pb/ops.proto
+++ b/solver/pb/ops.proto
@ -41,6 +41,7 @@ message Input {
 message ExecOp {
 	Meta meta = 1;
 	repeated Mount mounts = 2;
+	NetMode network = 3;
 }

 // Meta is a set of arguments for ExecOp.
@ -55,6 +56,12 @@ message Meta {
 	repeated HostIP extraHosts = 6;
 }

+enum NetMode {
+	UNSET = 0; // sandbox
+	HOST = 1;
+	NONE = 2;
+}
+
 // Mount specifies how to mount an input Op as a filesystem.
 message Mount {
 	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
--- a/util/entitlements/entitlements.go
+++ b/util/entitlements/entitlements.go
@ -0,0 +1,70 @@
+package entitlements
+
+import "github.com/pkg/errors"
+
+type Entitlement string
+
+const (
+	EntitlementSecurityConfined   Entitlement = "security.confined"
+	EntitlementSecurityUnconfined Entitlement = "security.unconfined" // unimplemented
+	EntitlementNetworkHost        Entitlement = "network.host"
+	EntitlementNetworkNone        Entitlement = "network.none"
+)
+
+var all = map[Entitlement]struct{}{
+	EntitlementSecurityConfined:   {},
+	EntitlementSecurityUnconfined: {},
+	EntitlementNetworkHost:        {},
+	EntitlementNetworkNone:        {},
+}
+
+var defaults = map[Entitlement]struct{}{
+	EntitlementSecurityConfined: {},
+	EntitlementNetworkNone:      {},
+}
+
+func Parse(s string) (Entitlement, error) {
+	_, ok := all[Entitlement(s)]
+	if !ok {
+		return "", errors.Errorf("unknown entitlement %s", s)
+	}
+	return Entitlement(s), nil
+}
+
+func WhiteList(allowed, supported []Entitlement) (Set, error) {
+	m := map[Entitlement]struct{}{}
+
+	var supm Set
+	if supported != nil {
+		var err error
+		supm, err = WhiteList(supported, nil)
+		if err != nil { // should not happen
+			return nil, err
+		}
+	}
+
+	for _, e := range allowed {
+		e, err := Parse(string(e))
+		if err != nil {
+			return nil, err
+		}
+		if supported != nil {
+			if !supm.Allowed(e) {
+				return nil, errors.Errorf("entitlement %s is not allowed", e)
+			}
+		}
+		m[e] = struct{}{}
+	}
+
+	for e := range defaults {
+		m[e] = struct{}{}
+	}
+	return Set(m), nil
+}
+
+type Set map[Entitlement]struct{}
+
+func (s Set) Allowed(e Entitlement) bool {
+	_, ok := s[e]
+	return ok
+}