Feature: add an option to disable Internet/network access during build/testing

[mgorny]

Having an option to completely cut off build/test command execution from network access (whenever possible) would help finding if we aren't e.g. incidentally letting build systems download missing stuff, or tests access third-party servers (see e.g. conda-forge/torchvision-feedstock#107 (comment)).

In Gentoo Portage, we're using unshare(CLONE_NEWNET | CLONE_NEWUTS), followed by the equivalent of ifconfig lo up (so things dependent on running their own services on lo work) and setting hostname to localhost.

(you can grep https://gitweb.gentoo.org/proj/portage.git/tree/lib/portage/process.py for unshare_net, but warning: GPLv2)

[baszalmstra]

We are looking into running the build script in a sandbox to limit its access to the network, but also to the local system. We want to use this to provide better guarantees that “the outside world” does not leak into the built artifacts.

See #1178 for an early experiment.