diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 3db3ed3dc7..a781b4e06e 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -15,7 +15,7 @@ default AddSwapRequest := false
 default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
-default CreateSandboxRequest := true
+default CreateSandboxRequest := false
 default DestroySandboxRequest := true
 default ExecProcessRequest := false
 default GetOOMEventRequest := true
@@ -1117,6 +1117,9 @@ CreateSandboxRequest {
 print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
 count(input.guest_hook_path) == 0
+ print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+ count(input.kernel_modules) == 0
+
 i_pidns := input.sandbox_pidns
 print("CreateSandboxRequest: i_pidns =", i_pidns)
 i_pidns == false
diff --git a/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json b/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json
index 4a024221b1..430c1d7af3 100644
--- a/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json
@@ -5,5 +5,28 @@
 "request": {
 "sandbox_pidns": false
 }
+ },
+ {
+ "description": "pidns",
+ "allowed": false,
+ "request": {
+ "sandbox_pidns": true
+ }
+ },
+ {
+ "description": "kernel modules",
+ "allowed": false,
+ "request": {
+ "sandbox_pidns": false,
+ "kernel_modules": [{"name": "evil.ko"}]
+ }
+ },
+ {
+ "description": "guest hooks",
+ "allowed": false,
+ "request": {
+ "sandbox_pidns": false,
+ "guest_hook_path": "/attacker/controlled/path"
+ }
 }
 ]
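Review bot: The flipped default `default CreateSandboxRequest := false` is the correct fail-closed direction, but nothing in the defaults block says that this request is now admitted only when every check in the `CreateSandboxRequest { ... }` rule body (which lives around line 1117, outside this hunk) holds, while the neighbouring DestroySandboxRequest and GetOOMEventRequest defaults stay true. A one-line comment above the changed line, e.g. `# Denied unless the CreateSandboxRequest rule below accepts the request (guest hooks, kernel modules, pid namespace).`, would stop a reader from assuming the block is a flat allow/deny table. It is also worth stating in that comment that a request missing any field the rule inspects makes the rule body undefined and is therefore denied under this default; that appears to be the intended behaviour, but it is a behavioural change from the previous `true` default and should be explicit.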
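Review bot: The new `count(input.kernel_modules) == 0` check has no comment saying why an empty list is the only accepted value, and the surrounding guest_hook_path check it mirrors does not either; a reader of the generated policy cannot tell whether this is a placeholder to be relaxed later or a deliberate hard rule. A comment directly above the added print line, e.g. `# kernel_modules is supplied by the host side of the request; this policy does not permit loading any modules into the guest.`, would make the intent clear. Note that if `input.kernel_modules` is ever absent rather than an empty array, `count()` is undefined and the rule body fails, which under the new `false` default denies the request; this is fail-closed but should be confirmed against how the agent serialises an empty repeated field. The enclosing CreateSandboxRequest rule starts and ends outside this hunk.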
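Review bot: The three added cases all exercise the deny path, but there is no case that sends an explicitly empty `"kernel_modules": []` together with `"guest_hook_path": ""` and `"sandbox_pidns": false` and expects the request to be allowed; the only positive coverage is the pre-existing first case, whose `allowed` value sits above the hunk and which omits both fields entirely. Whether that first case still passes after the new `count(input.kernel_modules) == 0` check depends on the test harness normalising absent fields into empty values before the policy sees them, which this diff does not show. Adding an explicit allowed case pins the happy path independently of that normalisation.
```json
    {
        "description": "no modules, no hooks",
        "allowed": true,
        "request": {
            "sandbox_pidns": false,
            "kernel_modules": [],
            "guest_hook_path": ""
        }
    }
```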