From 5c02ef133570f7390d7fd880b4cdae4802ddb7d3 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Thu, 25 Jun 2026 16:40:33 +0100
Subject: [PATCH] genpolicy: add missing default rules for AgentService RPCs
Six AgentService RPC request types were missing default rule entries in rules.rego, meaning genpolicy-generated policies would not include them in their output and the entries would be absent from reference policies. All six already have is_allowed gates in the agent RPC handlers. Add the missing defaults and set them all to false
Generated-By: IBM Bob
Signed-off-by: stevenhorsman
---
 src/tools/genpolicy/rules.rego | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index d7f32fdeaf..c44c513923 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -14,6 +14,7 @@ default GetDiagnosticDataRequest := false
 # Default values, returned by OPA when rules cannot be evaluated to true.
 default AddARPNeighborsRequest := false
+default AddSwapPathRequest := false
 default AddSwapRequest := false
 default CloseStdinRequest := false
 default CopyFileRequest := false
@@ -21,6 +22,8 @@ default CreateContainerRequest := false
 default CreateSandboxRequest := false
 default DestroySandboxRequest := true
 default ExecProcessRequest := false
+default GetIPTablesRequest := false
+default GetMetricsRequest := false
 default GetOOMEventRequest := true
 default GuestDetailsRequest := true
 default ListInterfacesRequest := false
@@ -34,8 +37,10 @@ default ReadStreamRequest := false
 default RemoveContainerRequest := true
 default RemoveStaleVirtiofsShareMountsRequest := true
 default ReseedRandomDevRequest := false
+default ResizeVolumeRequest := false
 default ResumeContainerRequest := false
 default SetGuestDateTimeRequest := false
+default SetIPTablesRequest := false
 default SetPolicyRequest := false
 default SignalProcessRequest := true
 default StartContainerRequest := true
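Review bot: The six new defaults (`AddSwapPathRequest` in the first hunk, then `GetIPTablesRequest`, `GetMetricsRequest`, `ResizeVolumeRequest`, `SetIPTablesRequest` and `VolumeStatsRequest` in the later hunks) are all `false` and the patch shows no rule that could evaluate any of them to true, so unless such rules exist elsewhere in rules.rego a generated policy denies these RPCs outright. Deny-by-default is the safe direction for state-changing calls such as `SetIPTablesRequest` and `AddSwapPathRequest`, but denying `GetMetricsRequest` or `VolumeStatsRequest` may surprise operators who depend on them, so this is worth confirming against the callers. I would record the intent next to the entries it applies to, for example `# No rule in this file allows the following requests; they stay denied unless a rule is added.` Because this hand-maintained list drifted from the set of RPCs the agent gates, a test that compares the two would catch the next omission.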
@@ -47,6 +52,7 @@ default UpdateContainerRequest := false
 default UpdateEphemeralMountsRequest := false
 default UpdateInterfaceRequest := false
 default UpdateRoutesRequest := false
+default VolumeStatsRequest := false
 default WaitProcessRequest := true
 default WriteStreamRequest := false