Can you say more about the goal? Even if you block docker cp, people can still use the docker commands to copy files into containers or copy files out (if “tar” is available in the container). If your user has access to Docker, the user can get root privileges, so you would also need to deal with that as anyone with root privileges can override what you do.
This is what I recommended in other topics too. Sadly, I never used it. You need to protect the API first, and then you restrict what someone can do with the API without root privileges.
As rimelek said, I don’t think that is possible. After all, you’re trying to prevent people from copying/moving files that are already on their machine.
Instead, if you want to protect your code from being visible to the eyes of others, you can compile it into a binary, or expose it as an API, thus never sending it to the clients, but rather having the clients request functionality from your servers.
If it’s supposed to be a general rule, it might even work with the normal docker.sock binding.
If it’s supposed to be a rule for specific users, you will need to remove the docker.sock binding (or at least prevent access to it) and add a TCP binding protected via mTLS (see: Protect the Docker daemon socket | Docker Docs) to facilitate authentication based on certificates. The OPA rules can then be applied per user.
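
The per-user rule described above, sketched as an added example that is not from the thread: a Python stand-in for the OPA rule, evaluating the `User`, `RequestMethod` and `RequestUri` fields that the Docker daemon passes to an authorization plugin. The user names, the `RESTRICTED_USERS` set and the sample requests are constructed, and it assumes the socket binding is gone, so every request carries a certificate identity. It covers only the three endpoints listed, not every way to move files.

```python
import re
from urllib.parse import urlsplit

# Constructed per-user rule set, keyed by the client-certificate CN that the
# daemon reports in "User" when the TCP binding uses mTLS.
RESTRICTED_USERS = {"ci-runner"}

# Optional API version prefix, then the container endpoints that move files or
# start commands: "archive" backs `docker cp`, "exec" backs `docker exec`
# (the tar route mentioned in the thread), "export" dumps the filesystem.
_BLOCKED = re.compile(r"^(?:/v\d+\.\d+)?/containers/[^/]+/(archive|exec|export)$")


def authorize(req: dict) -> dict:
    """Return an authorization-plugin style response for one API request."""
    user = req.get("User", "")
    if not user:
        # Assumption: no identity means the request bypassed mTLS; deny it.
        return {"Allow": False, "Msg": "unauthenticated request"}
    # Match on the path only, so query strings cannot hide the endpoint.
    path = urlsplit(req.get("RequestUri", "")).path
    hit = _BLOCKED.match(path)
    if hit and user in RESTRICTED_USERS:
        return {"Allow": False, "Msg": f"{hit.group(1)} denied for {user}"}
    return {"Allow": True, "Msg": ""}


# Constructed sample requests, in the shape the daemon sends to a plugin.
SAMPLES = [
    {"User": "ci-runner", "RequestMethod": "GET",
     "RequestUri": "/v1.43/containers/web/archive?path=/app"},
    {"User": "ci-runner", "RequestMethod": "POST",
     "RequestUri": "/v1.43/containers/web/exec"},
    {"User": "ci-runner", "RequestMethod": "GET",
     "RequestUri": "/v1.43/containers/json"},
    {"User": "admin", "RequestMethod": "PUT",
     "RequestUri": "/containers/web/archive?path=/tmp"},
    {"User": "", "RequestMethod": "GET", "RequestUri": "/containers/json"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["User"] or "-", sample["RequestUri"], authorize(sample))
```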