genpolicy: harden CreateSandboxRequest checks

Hooks are executed on the host, so we don't expect to run hooks and thus
require that no hook paths are set.

Additional Kernel modules expand the attack surface, so require that
none are set. If a use case arises, modules should be allowlisted via
settings.

Signed-off-by: Markus Rudy <mr@edgeless.systems>

src/tools/genpolicy/rules.rego

@@ -15,7 +15,7 @@ default AddSwapRequest := false
 default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
-default CreateSandboxRequest := true
+default CreateSandboxRequest := false
 default DestroySandboxRequest := true
 default ExecProcessRequest := false
 default GetOOMEventRequest := true
@@ -1117,6 +1117,9 @@ CreateSandboxRequest {
     print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
     count(input.guest_hook_path) == 0
 
+    print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+    count(input.kernel_modules) == 0
+
     i_pidns := input.sandbox_pidns
     print("CreateSandboxRequest: i_pidns =", i_pidns)
     i_pidns == false

src/tools/genpolicy/tests/testdata/createsandbox/testcases.json

@@ -5,5 +5,28 @@
     "request": {
       "sandbox_pidns": false
     }
+  },
+  {
+    "description": "pidns",
+    "allowed": false,
+    "request": {
+      "sandbox_pidns": true
+    }
+  },
+  {
+    "description": "kernel modules",
+    "allowed": false,
+    "request": {
+      "sandbox_pidns": false,
+      "kernel_modules": [{"name": "evil.ko"}]
+    }
+  },
+  {
+    "description": "guest hooks",
+    "allowed": false,
+    "request": {
+      "sandbox_pidns": false,
+      "guest_hook_path": "/attacker/controlled/path"
+    }
   }
 ]