microsoft · sprt · Feb 14, 2024 · Sep 1, 2022 · Jan 23, 2024 · Jan 30, 2024
@@ -40,7 +40,7 @@ rootfs_type=@DEFROOTFSTYPE@
 # * Intel TDX
 #
 # Default false
-confidential_guest = true
+#confidential_guest = true
 
 # Enable running clh VMM as a non-root user.
 # By default clh VMM run as root. When this is set to true, clh VMM process runs as

@@ -60,6 +60,7 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {
 		"/dev/zero",
 		"/dev/urandom",
 		"/dev/console",
+		"/dev/ptmx",
 	}
 
 	// Processes running in a device-cgroup are constrained, they have acccess

@@ -33,7 +33,7 @@ AGENT_POLICY_FILE=${AGENT_POLICY_FILE:-"allow-all.rego"}
 lib_file="${script_dir}/../scripts/lib.sh"
 source "$lib_file"
 
-agent_policy_file="$(readlink -f "${script_dir}/../../../src/kata-opa/${AGENT_POLICY_FILE}")"
+[ "${AGENT_POLICY}" == "yes" ] && agent_policy_file="$(readlink -f "${script_dir}/../../../src/kata-opa/${AGENT_POLICY_FILE}")"
 
 #For cross build
 CROSS_BUILD=${CROSS_BUILD:-false}
@@ -330,7 +330,7 @@ check_env_variables()
 
 	[ -n "${KERNEL_MODULES_DIR}" ] && [ ! -d "${KERNEL_MODULES_DIR}" ] && die "KERNEL_MODULES_DIR defined but is not an existing directory"
 
-	[ ! -f "${agent_policy_file}" ] && die "agent policy file not found in '${agent_policy_file}'"
+	[ "${AGENT_POLICY}" == "yes" ] && [ ! -f "${agent_policy_file}" ] && die "agent policy file not found in '${agent_policy_file}'"
 
 	[ -n "${OSBUILDER_VERSION}" ] || die "need osbuilder version"
 }