scripts.write-coordinator-yaml: use coordinator specific rules+settings

... on bare metal. We already do this on AKS, we also need this on
bare metal.

packages/by-name/kata/genpolicy/genpolicy_rules_coordinator.patch

@@ -2,7 +2,7 @@ diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
 index c3eb334..a796740 100644
 --- a/genpolicy-rules.rego
 +++ b/genpolicy-rules.rego
-@@ -164,9 +164,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+@@ -202,9 +202,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
      p_namespace := p_oci.Annotations[s_namespace]
      i_namespace := i_oci.Annotations[s_namespace]
      print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
@@ -11,5 +11,5 @@ index c3eb334..a796740 100644
 
 -    allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
 +    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
-     allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+     allow_by_bundle_or_sandbox_id(p_container, i_oci, i_storages)
      allow_process(p_oci, i_oci, s_name)

packages/scripts.nix

@@ -177,8 +177,8 @@
           ${pkgs.microsoft.genpolicy}/bin/genpolicy < "$tmpdir/coordinator_base.yml"
         ;;
         "k3s-qemu-snp"|"k3s-qemu-tdx"|"rke2-qemu-tdx")
-          cp ${pkgs.kata.genpolicy.rules}/genpolicy-rules.rego rules.rego
-          cp ${pkgs.kata.genpolicy.settings}/genpolicy-settings.json .
+          cp ${pkgs.kata.genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
+          cp ${pkgs.kata.genpolicy.settings-coordinator}/genpolicy-settings.json .
           ${pkgs.kata.genpolicy}/bin/genpolicy < "$tmpdir/coordinator_base.yml"
         ;;
         *)