rootfs: add default agent policy file

Restricting access to agent endpoints using agent-config.toml is expected to be deprecated in the main branch. Therefore, in preparation of merging this script with its main branch version, install default settings for main branch's kata-opa service. coco-default.rego blocks access to the same kata agent endpoints that are blocked by agent-config.toml. For additional information, search for "default-policy.rego" in main branch's rootfs.sh. Fixes: #8219 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-08-19 00:17:54 +00:00 · 2023-10-12 23:31:41 +00:00 · 2023-10-12 23:31:41 +00:00 · 159bc2713f
commit 159bc2713f
parent 3bd72b9a0d
2 changed files with 54 additions and 0 deletions
--- a/src/kata-opa/coco-default.rego
+++ b/src/kata-opa/coco-default.rego
@ -0,0 +1,40 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+default ExecProcessRequest := false
+default ReseedRandomDevRequest := false
+default SetPolicyRequest := false
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -667,6 +667,20 @@ EOF
 		chmod g+rx,o+x "${ROOTFS_DIR}"
 	fi

+	# Restricting access to agent endpoints using agent-config.toml is expected to
+	# be deprecated in the main branch. Therefore, in preparation of merging this
+	# script with its main branch version, install default settings for main branch's
+	# kata-opa service. coco-default.rego blocks access to the same kata agent
+	# endpoints that are blocked by agent-config.toml. For additional information,
+	# search for "default-policy.rego" in main branch's rootfs.sh.
+	local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
+	local opa_settings_dir="/etc/kata-opa"
+	local policy_file="coco-default.rego"
+	local policy_dir="${ROOTFS_DIR}/${opa_settings_dir}"
+	mkdir -p "${policy_dir}"
+	install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}"
+	ln -sf "${policy_file}" "${policy_dir}/default-policy.rego"
+
 	info "Check init is installed"
 	[ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}"
 	OK "init is installed"