rootfs: add default agent policy file

Restricting access to agent endpoints using agent-config.toml is
expected to be deprecated in the main branch. Therefore, in
preparation of merging this script with its main branch version,
install default settings for main branch's kata-opa service.

coco-default.rego blocks access to the same kata agent endpoints
that are blocked by agent-config.toml. For additional information,
search for "default-policy.rego" in main branch's rootfs.sh.

Fixes: #8219

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

src/kata-opa/coco-default.rego

@@ -0,0 +1,40 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+default ExecProcessRequest := false
+default ReseedRandomDevRequest := false
+default SetPolicyRequest := false

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -667,6 +667,20 @@ EOF
 		chmod g+rx,o+x "${ROOTFS_DIR}"
 	fi
 
+	# Restricting access to agent endpoints using agent-config.toml is expected to
+	# be deprecated in the main branch. Therefore, in preparation of merging this
+	# script with its main branch version, install default settings for main branch's
+	# kata-opa service. coco-default.rego blocks access to the same kata agent
+	# endpoints that are blocked by agent-config.toml. For additional information,
+	# search for "default-policy.rego" in main branch's rootfs.sh.
+	local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
+	local opa_settings_dir="/etc/kata-opa"
+	local policy_file="coco-default.rego"
+	local policy_dir="${ROOTFS_DIR}/${opa_settings_dir}"
+	mkdir -p "${policy_dir}"
+	install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}"
+	ln -sf "${policy_file}" "${policy_dir}/default-policy.rego"
+
 	info "Check init is installed"
 	[ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}"
 	OK "init is installed"