genpolicy-msft: remove settings patch for env
The genpolicy-settings.json allows overriding the permissible set of
environment variables, and comes with a generic list of env vars suitable
for the AKS environment.

We want to have a dev setting that allows debugging (e.g. pod network
settings like iptables), but that is otherwise as close to the upstream
as possible. Environment variable allowlists are generated by genpolicy,
and should thus not need blanket exemptions. As a consequence of
removing the env var exemptions from the dev settings, our coordinator
will become compatible with the vanilla upstream settings.

A notable special case is the PATH environment variable. Although
nowhere specified explicitly, it appears to be customary that OCI
runtime clients (i.e., CRI implementations) add a PATH to the
environment when there is none in the image [1]. This is currently
missing from the genpolicy tool, and the reason why we can't deploy the
coordinator with the upstream policy: the PATH added by the runtime is
rejected by the agent. However, we can work around this by just including
a dummy PATH env var.

[1]: https://github.com/opencontainers/runtime-tools/blob/408c51e/generate/generate.go#L78
burgerdev committed Feb 13, 2024
1 parent 9876edb commit 87b0c25
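To make the PATH corner case concrete, here is an added example (written for this page, not code from the nunki or genpolicy projects) that models the chain the commit message describes: the runtime client injects a PATH only when the image config has none, and the agent accepts an environment variable only if it is an image-config entry that genpolicy copied into the policy or if it matches one of the `allow_env_regex` entries. The placeholder expansions for `$(dns_label)`, `$(svc_name)`, `$(ipv4_a)` and `$(ip_p)`, the injected default PATH value, and the acceptance rule are assumptions of this model, not the agent's actual Rego; the `allow_env_regex` entries are copied from the patch on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholders used in allow_env_regex and the fragment substituted for each.
// ASSUMPTION: approximations chosen for this example, not genpolicy's own expansions.
var placeholders = map[string]string{
	"$(dns_label)": `[a-z0-9]([-a-z0-9]*[a-z0-9])?`,
	"$(svc_name)":  `[A-Z0-9_]+`,
	"$(ipv4_a)":    `(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}`,
	"$(ip_p)":      `[0-9]{1,5}`,
}

// Subset of the upstream allow list that the old dev patch replaced (from the hunk on this page).
var upstreamAllowEnvRegex = []string{
	`^HOSTNAME=$(dns_label)$`,
	`^$(svc_name)_SERVICE_HOST=$(ipv4_a)$`,
	`^$(svc_name)_SERVICE_PORT=$(ip_p)$`,
	`^AZURE_TENANT_ID=[A-Fa-f0-9-]*$`,
	`^AZURE_AUTHORITY_HOST=https://login\.microsoftonline\.com/$`,
}

// The blanket entry the dev patch carried before this commit.
var devBlanketAllowEnvRegex = []string{`.*`}

// PATH injected by the runtime client when the image defines none.
// ASSUMPTION: the runtime-tools default the commit message refers to.
const defaultRuntimePATH = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

func expandPolicyRegex(pattern string) string {
	for k, v := range placeholders {
		pattern = strings.ReplaceAll(pattern, k, v)
	}
	return pattern
}

// RuntimeEnv models the CRI behaviour from the commit message: the container
// environment is the image config's Env, plus a PATH only if the image has none.
func RuntimeEnv(imageEnv []string) []string {
	env := append([]string(nil), imageEnv...)
	for _, e := range env {
		if strings.HasPrefix(e, "PATH=") {
			return env
		}
	}
	return append(env, defaultRuntimePATH)
}

// RejectedEnv models the agent-side check: a variable passes if it is an exact
// image-config entry (copied into the policy) or matches an allow_env_regex
// entry. It returns the variables that satisfy neither, i.e. what the agent rejects.
func RejectedEnv(requestEnv, imageEnv, allowEnvRegex []string) ([]string, error) {
	fromImage := make(map[string]bool, len(imageEnv))
	for _, e := range imageEnv {
		fromImage[e] = true
	}
	res := make([]*regexp.Regexp, 0, len(allowEnvRegex))
	for _, p := range allowEnvRegex {
		re, err := regexp.Compile(expandPolicyRegex(p))
		if err != nil {
			return nil, fmt.Errorf("bad allow_env_regex %q: %w", p, err)
		}
		res = append(res, re)
	}
	var rejected []string
	for _, e := range requestEnv {
		if fromImage[e] {
			continue
		}
		matched := false
		for _, re := range res {
			if re.MatchString(e) {
				matched = true
				break
			}
		}
		if !matched {
			rejected = append(rejected, e)
		}
	}
	return rejected, nil
}

func main() {
	scenarios := []struct {
		name     string
		imageEnv []string
		allow    []string
	}{
		{"no PATH in image, upstream settings", nil, upstreamAllowEnvRegex},
		{"dummy PATH=/bin in image, upstream settings", []string{"PATH=/bin"}, upstreamAllowEnvRegex},
		{"no PATH in image, old dev blanket '.*'", nil, devBlanketAllowEnvRegex},
	}
	for _, sc := range scenarios {
		rejected, err := RejectedEnv(RuntimeEnv(sc.imageEnv), sc.imageEnv, sc.allow)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-46s rejected=%v\n", sc.name, rejected)
	}
}
```

The first scenario reproduces the failure the commit works around: the policy generated from an image without PATH has no entry for the runtime-injected value, so that one variable is rejected. Adding any PATH to the image config fixes it for two reasons at once: the runtime no longer injects its own, and the image's PATH is copied into the policy verbatim. The third scenario shows why the old `".*"` entry was removed: it accepts every variable, including ones the upstream list pins to an exact shape.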
Showing 3 changed files with 4 additions and 21 deletions.
3 changes: 3 additions & 0 deletions packages/default.nix
Expand Up @@ -89,6 +89,7 @@ rec {
copyToRoot = with dockerTools; [ caCertificates ];
config = {
Cmd = [ "${nunki.coordinator}/bin/coordinator" ];
Env = [ "PATH=/bin" ]; # This is only here for policy generation.
};
};
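Review bot: the comment on the new `Env = [ "PATH=/bin" ];` line understates what it does. The variable is part of the image config, so the container genuinely runs with PATH=/bin; the value is immaterial only because `Cmd = [ "${nunki.coordinator}/bin/coordinator" ];` is an absolute store path. Suggest saying both things, e.g. `# Any PATH value works: it stops the runtime from injecting its own (which the generated policy would reject), and Cmd is absolute.`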
initializer = dockerTools.buildImage {
Expand All @@ -97,6 +98,7 @@ rec {
copyToRoot = with dockerTools; [ caCertificates ];
config = {
Cmd = [ "${nunki.initializer}/bin/initializer" ];
Env = [ "PATH=/bin" ]; # This is only here for policy generation.
};
};
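Review bot: this `Env = [ "PATH=/bin" ];` and its comment duplicate the coordinator image above verbatim. Consider binding the list once in this `rec` set (e.g. a `policyEnv` attribute, name hypothetical) and referencing it from both images, so the explanation of the workaround lives in one place and the two cannot drift apart when the genpolicy fix lands and the dummy PATH is dropped.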

Expand All @@ -106,6 +108,7 @@ rec {
copyToRoot = [ openssl bash coreutils ncurses bashInteractive vim procps ];
config = {
Cmd = [ "bash" ];
Env = [ "PATH=/bin" ];
};
};
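Review bot: unlike the two images above, this `Env = [ "PATH=/bin" ];` has no comment, and here the value is not a dummy: `Cmd = [ "bash" ];` is a bare name, so once the runtime stops injecting its default PATH, `/bin` is the only place left for the runtime and the interactive shell to resolve bash, coreutils and the other tools from `copyToRoot`. Add a comment saying this is load-bearing, so nobody later aligns it with the "only here for policy generation" wording of the other two images.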
port-forwarder = dockerTools.buildImage {
1 change: 1 addition & 0 deletions packages/genpolicy_msft.nix
Expand Up @@ -49,6 +49,7 @@ rustPlatform.buildRustPackage rec {
postFetch = "install -D $downloadedFile $out/genpolicy-settings.json";
};

# Settings that allow exec into CVM pods - not safe for production use!
settings-dev = applyPatches {
src = settings;
patches = [ ./genpolicy_msft_settings_dev.patch ];
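Review bot: the new warning on `settings-dev` is welcome; suggest making it specific about what the patch still relaxes now that the env allowlist is no longer touched. The remaining hunk of `genpolicy_msft_settings_dev.patch` edits the `ExecProcessRequest` block, so a comment like `# Patches ExecProcessRequest defaults so `kubectl exec` into CVM pods works - not safe for production use!` tells a reader what "dev" means without opening the patch file.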
21 changes: 0 additions & 21 deletions packages/genpolicy_msft_settings_dev.patch
Expand Up @@ -4,27 +4,6 @@ new mode 100644
index 7a732b1..0dd0457
--- a/genpolicy-settings.json
+++ b/genpolicy-settings.json
@@ -282,19 +282,7 @@
"request_defaults": {
"CreateContainerRequest": {
"allow_env_regex": [
- "^HOSTNAME=$(dns_label)$",
- "^$(svc_name)_PORT_$(ip_p)_TCP=tcp://$(ipv4_a):$(ip_p)$",
- "^$(svc_name)_PORT_$(ip_p)_TCP_PROTO=tcp$",
- "^$(svc_name)_PORT_$(ip_p)_TCP_PORT=$(ip_p)$",
- "^$(svc_name)_PORT_$(ip_p)_TCP_ADDR=$(ipv4_a)$",
- "^$(svc_name)_SERVICE_HOST=$(ipv4_a)$",
- "^$(svc_name)_SERVICE_PORT=$(ip_p)$",
- "^$(svc_name)_SERVICE_PORT_$(dns_label)=$(ip_p)$",
- "^$(svc_name)_PORT=tcp://$(ipv4_a):$(ip_p)$",
- "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
- "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
- "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
+ ".*"
]
},
"CopyFileRequest": [
@@ -302,10 +290,12 @@
],
"ExecProcessRequest": {
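Review bot: deleting the first inner hunk leaves the rest of the patch file with stale metadata. The `index 7a732b1..0dd0457` line no longer describes the post-patch blob, and the surviving header `@@ -302,10 +290,12 @@` still encodes the 12-line shrink the removed hunk produced (19 old lines replaced by 7); with that hunk gone, the new-file start should be 302 as well. `patch -p1` locates hunks by old-file offset and context, so this still applies, but regenerate the file with `git diff` or `diff -u` against the upstream settings so the counts are consistent and a future context mismatch is not masked by fuzz. On the substance, dropping the `".*"` entry is right: it accepted any `CreateContainerRequest` environment, including the `AZURE_*` and `$(svc_name)_*` variables that the upstream list pins to exact shapes, which defeats the point of generating the allowlist from the image.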

0 comments on commit 87b0c25
