
Writing policies

Tyr policies are YAML documents. The server compiles them to Cedar (for expressive userspace evaluation) and BPF map entries (for kernel-level enforcement).

Minimal example

apiVersion: tyr.dev/v1
kind: Policy
metadata:
  name: my-first-policy
spec:
  rules:
    - name: block-writes-to-etc
      action: file_write
      resource_pattern: "/etc/*"
      verdict: deny
      severity: high

Note that /etc/* covers only direct children of /etc: a write to /etc/ssh/sshd_config is not matched. Use /etc/** to cover the whole tree (see Globs below).

Apply it:

tyr policy apply -f my-policy.yaml

Schema

Top-level

Field       Type    Required  Description
apiVersion  string  yes       Always tyr.dev/v1 today
kind        string  yes       Always Policy
metadata    object  yes       See below
spec        object  yes       See below

metadata

Field        Type             Description
name         string           Human identifier; shown in the UI and in diffs
labels       map<string,str>  Arbitrary labels, used for filtering
description  string           Free-form description

spec.rules[]

Each rule matches an action against a resource pattern and emits a verdict.

Field             Type    Description
name              string  Unique within the policy
action            enum    file_read, file_write, exec, net_connect, tls_connect
resource_pattern  string  Glob for file_*, exact binary path for exec, IP or CIDR for net_connect, SNI pattern for tls_connect
verdict           enum    allow, deny, alert
severity          enum    low, medium, high, critical
binaries          []str   Optional filter; only apply when the calling binary matches
agent_types       []str   Optional filter; only apply when the calling agent is of this type
condition         cedar   Optional free-form Cedar condition for userspace evaluation
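As an added example (not Tyr's own validator), the following Python lint checks a policy document against the field tables above before you run tyr policy apply. It operates on the dict that yaml.safe_load() returns, so the sample documents are written as dicts and PyYAML is not needed. Two checks are the lint's own assumptions, drawn from the examples on this page rather than stated in the schema: every rule needs either a resource_pattern or a condition, and a bare * on a file_* rule is flagged because * does not cross / (see Globs).

```python
"""Offline lint for Tyr policy documents, mirroring the field tables above.

Added example, not Tyr's own validator. It checks the dict that
yaml.safe_load() would return, so the samples below are plain dicts.
"""

ACTIONS = {"file_read", "file_write", "exec", "net_connect", "tls_connect"}
VERDICTS = {"allow", "deny", "alert"}
SEVERITIES = {"low", "medium", "high", "critical"}
RULE_FIELDS = {"name", "action", "resource_pattern", "verdict", "severity",
               "binaries", "agent_types", "condition"}


def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(x, str) for x in value)


def _check_enum(out, where, field, value, allowed):
    if not isinstance(value, str) or value not in allowed:
        out.append(f"error: {where}.{field} {value!r} is not one of {sorted(allowed)}")


def lint_policy(doc):
    """Return 'error: ...' / 'warning: ...' findings; an empty list means clean."""
    out = []
    if not isinstance(doc, dict):
        return ["error: document is not a mapping"]
    if doc.get("apiVersion") != "tyr.dev/v1":
        out.append("error: apiVersion must be tyr.dev/v1")
    if doc.get("kind") != "Policy":
        out.append("error: kind must be Policy")
    meta = doc.get("metadata")
    if not isinstance(meta, dict) or not isinstance(meta.get("name"), str) or not meta["name"]:
        out.append("error: metadata.name is required")
    spec = doc.get("spec")
    rules = spec.get("rules") if isinstance(spec, dict) else None
    if not isinstance(rules, list) or not rules:
        out.append("error: spec.rules must be a non-empty list")
        return out

    seen = set()
    for i, rule in enumerate(rules):
        where = f"spec.rules[{i}]"
        if not isinstance(rule, dict):
            out.append(f"error: {where} is not a mapping")
            continue
        name = rule.get("name")
        if not isinstance(name, str) or not name:
            out.append(f"error: {where}.name is required")
        elif name in seen:
            out.append(f"error: {where}.name {name!r} is not unique within the policy")
        else:
            seen.add(name)
        action = rule.get("action")
        _check_enum(out, where, "action", action, ACTIONS)
        _check_enum(out, where, "verdict", rule.get("verdict"), VERDICTS)
        if "severity" in rule:
            _check_enum(out, where, "severity", rule["severity"], SEVERITIES)
        pattern = rule.get("resource_pattern")
        if pattern is None and "condition" not in rule:
            # Assumption: every rule on this page carries one or the other.
            out.append(f"error: {where} needs a resource_pattern or a condition")
        if isinstance(action, str) and action.startswith("file_") and pattern == "*":
            # '*' never crosses '/', so it cannot match an absolute path; '**' is the catch-all.
            out.append(f"warning: {where}.resource_pattern '*' cannot match a path containing '/'; use '**'")
        for key in ("binaries", "agent_types"):
            if key in rule and not _is_str_list(rule[key]):
                out.append(f"error: {where}.{key} must be a list of strings")
        unknown = sorted(set(rule) - RULE_FIELDS)
        if unknown:
            out.append(f"error: {where} has unknown field(s) {unknown}")
    return out


MINIMAL = {  # the page's minimal example, as yaml.safe_load() would return it
    "apiVersion": "tyr.dev/v1", "kind": "Policy",
    "metadata": {"name": "my-first-policy"},
    "spec": {"rules": [{"name": "block-writes-to-etc", "action": "file_write",
                        "resource_pattern": "/etc/*", "verdict": "deny", "severity": "high"}]},
}

BROKEN = {  # constructed sample with several mistakes at once
    "apiVersion": "tyr.dev/v1", "kind": "Policy",
    "metadata": {"name": "broken"},
    "spec": {"rules": [
        {"name": "r1", "action": "file_delete", "resource_pattern": "/etc/**", "verdict": "deny"},
        {"name": "r1", "action": "file_read", "resource_pattern": "*", "verdict": "block"},
        {"name": "r2", "action": "exec", "verdict": "deny", "binaries": "/usr/bin/curl"},
    ]},
}

if __name__ == "__main__":
    for label, doc in (("minimal", MINIMAL), ("broken", BROKEN)):
        findings = lint_policy(doc)
        print(f"{label}: {'ok' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Running it prints nothing for the minimal policy and six findings for the broken one (bad action, duplicate rule name, bad verdict, the bare-* warning, a rule with neither pattern nor condition, and a binaries filter that is a string instead of a list). Wire it into CI in front of tyr policy apply so a typo in a verdict is caught before it reaches a daemon.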

Rule ordering

Rules are evaluated top-to-bottom. For a given action, the first rule whose resource_pattern (and any binaries or agent_types filter) matches wins; later rules for that action are not consulted.

rules:
  - name: allow-project-dir
    action: file_read
    resource_pattern: "/home/alice/project/**"
    verdict: allow
    severity: low
  - name: deny-ssh-keys
    action: file_read
    resource_pattern: "/home/*/.ssh/*"
    verdict: deny
    severity: critical
  - name: default-read
    action: file_read
    resource_pattern: "**"
    verdict: allow
    severity: low

A read of /home/alice/project/src/main.rs matches rule 1 → allow (the ** is needed here: a single * stops at /, so /home/alice/project/* would not reach into src/). A read of /home/alice/.ssh/id_ed25519 doesn't match rule 1, matches rule 2 → deny. Any other file_read falls through to default-read, whose ** matches every path; a bare * would not, because it cannot cross the / in an absolute path.

Globs

  • * — any run of characters except /
  • ** — any run including /
  • ? — single character
  • [abc] — character class

Examples:

  • /etc/* — direct children of /etc
  • /etc/** — anything under /etc
  • /home/*/.ssh/** — SSH dirs of any user

Agent-type overlays

Overlays are policies assigned to an agent_type rather than a daemon. They’re merged on top of the base:

# base policy for all daemons
rules:
  - { name: allow-read-repo, action: file_read, resource_pattern: "/workspace/**", verdict: allow }

# overlay for agent_type = cursor
rules:
  - { name: cursor-no-dotfiles, action: file_read, resource_pattern: "**/.*", verdict: deny }

The overlay uses **/.* rather than */.*: a single * stops at /, so */.* would never match a dotfile at an absolute path such as /workspace/.env.

Assign both:

tyr policy assign --target-type daemon --target-id <uuid> --version 1
tyr policy assign --target-type agent-type --target-id cursor --version 2

Cursor processes see the merged effective policy; non-Cursor processes see only the base. Because evaluation is first-match, where the overlay's rules land relative to the base rules decides whether an overlay deny can override a base allow for the same path, so check the effective policy rather than assuming.

Inspect:

tyr policy effective <daemon-uuid>
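To see how first-match ordering, the glob rules from the Globs section, and overlay placement interact, here is a small dry-run evaluator in Python. It is an added example, not Tyr's matcher or BPF trie: it reimplements the page's glob semantics with regular expressions, and its assumption that overlay rules are consulted before base rules is exactly the thing to confirm with tyr policy effective. The Rule and evaluate names are the example's own.

```python
"""Dry-run evaluator for Tyr-style rules: page glob semantics plus first-match.

Added example, not Tyr's matcher. Globs follow the Globs section above:
'*' and '?' stop at '/', '**' crosses it, '[abc]' is a character class.
"""
import re
from dataclasses import dataclass


def glob_to_regex(pattern):
    """Translate a page-style glob into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")          # '**' crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # '*' stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end != -1:             # copy a character class through as-is
                out.append(pattern[i:end + 1])
                i = end + 1
                continue
            out.append(re.escape(c))  # an unterminated '[' is a literal
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def glob_match(pattern, path):
    return glob_to_regex(pattern).match(path) is not None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    resource_pattern: str
    verdict: str


def evaluate(rules, action, resource):
    """Top-to-bottom; the first rule whose action and pattern both match wins."""
    for rule in rules:
        if rule.action == action and glob_match(rule.resource_pattern, resource):
            return rule.name, rule.verdict
    return None, "no-match"  # the page states no default, so surface it


def effective(base, overlays):
    """ASSUMPTION: overlay rules are consulted before base rules. Confirm with
    `tyr policy effective`; if Tyr appended them instead, an overlay deny
    could never beat a base allow for the same path."""
    merged = []
    for overlay in overlays:
        merged.extend(overlay)
    merged.extend(base)
    return merged


# The Rule ordering example, with '**' wherever a match must cross a directory.
RULES = [
    Rule("allow-project-dir", "file_read", "/home/alice/project/**", "allow"),
    Rule("deny-ssh-keys", "file_read", "/home/*/.ssh/*", "deny"),
    Rule("default-read", "file_read", "**", "allow"),
]

# The overlay example: base for every daemon plus the cursor overlay.
BASE = [Rule("allow-read-repo", "file_read", "/workspace/**", "allow")]
CURSOR_OVERLAY = [Rule("cursor-no-dotfiles", "file_read", "**/.*", "deny")]

if __name__ == "__main__":
    for path in ("/home/alice/project/src/main.rs", "/home/alice/.ssh/id_ed25519", "/tmp/notes"):
        print(path, "->", evaluate(RULES, "file_read", path))
    print("single '*' reaches src/main.rs:",
          glob_match("/home/alice/project/*", "/home/alice/project/src/main.rs"))
    for label, rules in (("cursor", effective(BASE, [CURSOR_OVERLAY])),
                         ("other", effective(BASE, [])),
                         ("base-first (wrong order)", BASE + CURSOR_OVERLAY)):
        print(label, "->", evaluate(rules, "file_read", "/workspace/.env"))
```

The last loop is the point of the exercise: with the overlay in front, a Cursor read of /workspace/.env hits cursor-no-dotfiles and is denied; with the base in front, allow-read-repo wins and the overlay never fires. Whichever order Tyr actually uses, the output of tyr policy effective is what to compare against.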

Cedar conditions

For anything path-based, stick with resource_pattern — it compiles to a fast BPF trie. For richer rules, drop into Cedar:

- name: cursor-deny-prod-reads
  action: file_read
  condition: |
    principal.agent_type == "cursor" &&
    resource.path like "/prod/*" &&
    ["nights", "weekends"].contains(context.time_of_day)
  verdict: deny
  severity: high

Set membership is written with contains: Cedar's in operator tests entity-hierarchy membership, not membership in a set of strings.

Cedar conditions are evaluated in userspace. They’re slower than the BPF path, so reserve them for rules you can’t express any other way. See Cedar’s policy language docs.

Versions, rollback, diff

tyr policy list # see all versions
tyr policy show 3 # yaml + compiled cedar
tyr policy diff --from 2 --to 3 # unified diff
tyr policy rollback 2 # re-apply v2 as a new version (v4)

Tips

  • Start in audit-only mode. Set all rules to verdict: alert first. Watch for a week. Then flip the dangerous ones to deny.
  • One policy per concern. Splitting file, exec, and network into different policies makes overlays cleaner.
  • Test in a VM first. A wrong deny rule on file_read /usr/** will brick your shell.
  • Check effective policy often. When overlays are layered, the actual behavior can surprise you.
