Policy Structure

Overview

BlueRock protection policies are configured using a JSON-based policy definition. This JSON file defines the runtime enforcement behavior for:

MCP connection controls
Tool, prompt, and resource restrictions
Pattern-based detection
Execution controls
Optional sandbox and network settings

All runtime behavior is determined by this policy configuration.

Policies are generated and signed using the TREX tool before being uploaded to S3 and consumed by the BlueRock Control Plane.

High-Level Policy Structure

A typical policy contains the following top-level sections:

{
  "mcp": {},
  "exec": {},
  "options": {},
  "network": {}
}

Section

Purpose

mcp

MCP client-server protection policies

exec

Execution control configuration

options

Sandbox and namespace settings

network

Firewall enforcement configuration

MCP Protection Configuration

Enable MCP Protection

"mcp": {
  "enable": true,
  "remediate": true
}

Parameter

Description

enable

Activates MCP policy evaluation

remediate: true

Enforce mode (block violations)

remediate: false

Observe mode (log violations only)

HTTP / SSE Connection Control

"http_servers": {
  "deny_http": false,
  "deny_sse": false,
  "exception_list": [],
  "force_authentication": true
}

Parameter

Description

deny_http

Block HTTP transport

deny_sse

Block SSE transport

exception_list

Allow specific URLs

force_authentication

Require authenticated HTTP connections

stdio Transport Control

"stdio": {
  "deny_stdio": true,
  "exception_list": [
    {
      "command": "python",
      "args": "mcp_test_server.py"
    }
  ]
}

Blocks stdio-based MCP server connections. Allows only explicitly listed command/argument combinations.

Tool Execution Policies

Deny Specific Tool

"tools": {
  "Linux admin Server": {
    "deny_list": ["run_command"]
  }
}

Blocks execution of specific tools from a defined MCP server.

Tool Argument Pattern Detection

"forbidden_tool_argument_patterns": [
  "[;&|`$]\\s*(?:whoami|id|pwd|ls|cat|curl|wget|nc|bash|sh|cmd\\.exe|powershell)",
  "\\$\\((?:cmd\\.exe|powershell).*?\\)",
  "(?:curl|wget|nc|netcat).*?(?:-X\\s+POST|-d|--data).*?(?:(?i)https?://|[0-9]{1,3}\\.[0-9]{1,3})",
  "(?i)(?:~/.ssh/|\\.ssh/)(?:id_rsa|id_ecdsa|id_ed25519|authorized_keys|known_hosts)",
  "\\b(?:sudo|su|doas)\\s+\\w+",
  "shell_exec\\s*\\(",
  "\\b(?:bash|sh|zsh|fish|csh|tcsh)\\b",
  "\\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b"
]

If a tool argument matches these patterns:

Enforce mode → Execution blocked
Observe mode → Execution allowed, violation logged

Tool Response Pattern Detection

"forbidden_tool_response_patterns": [
  "[;&|`$]\\s*(?:whoami|id|pwd|ls|cat|curl|wget|nc|bash|sh|cmd\\.exe|powershell)",
  "\\$\\((?:cmd\\.exe|powershell).*?\\)",
  "(?:curl|wget|nc|netcat).*?(?:-X\\s+POST|-d|--data).*?(?:(?i)https?://|[0-9]{1,3}\\.[0-9]{1,3})",
  "(?i)(?:~/.ssh/|\\.ssh/)(?:id_rsa|id_ecdsa|id_ed25519|authorized_keys|known_hosts)",
  "\\b(?:sudo|su|doas)\\s+\\w+",
  "shell_exec\\s*\\(",
  "\\b(?:bash|sh|zsh|fish|csh|tcsh)\\b",
  "\\b(?:ls|cat|grep|ps|rm|mv|cp|chmod|chown)\\b",
  "\\b(?:curl|wget|ssh|scp|rsync|nc|netcat)\\b",
  "\\b(?:systemctl|mount|umount|fdisk|lsblk)\\b",
  "\\b(?:iptables|ufw|firewall-cmd)\\b"
]

Prevents sensitive or high-risk content in tool output.

Resource Access Control

"resources": {
  "Linux admin Server": {
    "deny_list": ["file://"]
  }
}

Restricts file-based or URI-based resource access.

Prompt Execution Policies

Deny Specific Prompt

"prompts": {
  "Linux admin Server": {
    "deny_list": ["useful_helper_prompt"]
  }
}

Prompt Argument Pattern Detection

"forbidden_prompt_arg_patterns": [
  "\\b(?:bash|sh|curl|wget|nc)\\b"
]

Prompt Response Pattern Detection

"forbidden_prompt_response_patterns": [
  "\\b(?:curl|wget|ssh|nc)\\b"
]

Execution and Sandbox Configuration

The following sections configure execution and sandbox enforcement. Detailed runtime behavior is documented separately under BRACE runtime documentation.

Execution Policy (`exec`)

Controls binary execution behavior.

"exec": {
  "enable": true,
  "remediate": true,
  "is_deny_list": false,
  "match_list": []
}

Field

Description

enable

Enables execution control

remediate

Enforce or observe mode

is_deny_list

true → block listed binaries

match_list

Binaries to allow or deny

Sandbox Options (`options`)

Defines namespace and bind mount settings.

"options": {
  "bind_mount": {
    "enable": true,
    "mount_proc": true,
    "mounts": []
  },
  "pid_ns": true,
  "root": false
}

Controls filesystem isolation and namespace configuration.

Network Firewall Configuration (`network`)

"network": {
  "enable": true,
  "general": {},
  "firewall": {}
}

Defines network firewall enforcement rules used by runtime policies.

Complete Example Policy

Below is a minimal production-style policy configuration:

{
  "mcp": {
    "enable": true,
    "remediate": true,
    "client": {
      "tools": {
        "Linux admin Server": {
          "deny_list": ["run_command"]
        }
      },
      "prompts": {},
      "resources": {},
      "http_servers": {
        "deny_http": false,
        "deny_sse": false,
        "exception_list": [],
        "force_authentication": true
      },
      "stdio": {
        "deny_stdio": true,
        "exception_list": []
      }
    }
  },
  "exec": {
    "enable": true,
    "remediate": true,
    "is_deny_list": false,
    "match_list": ["/usr/bin/date"]
  },
  "options": {
    "bind_mount": {
      "enable": true,
      "mount_proc": true,
      "mounts": []
    },
    "pid_ns": true,
    "root": false
  },
  "network": {
    "enable": false
  }
}

PreviousPolicy Builder NextPolicy Life cycle

Last updated 2 months ago

Overview

High-Level Policy Structure

MCP Protection Configuration

Enable MCP Protection

HTTP / SSE Connection Control

stdio Transport Control

Tool Execution Policies

Deny Specific Tool

Tool Argument Pattern Detection

Tool Response Pattern Detection

Resource Access Control

Prompt Execution Policies

Deny Specific Prompt

Prompt Argument Pattern Detection

Prompt Response Pattern Detection

Execution and Sandbox Configuration

Execution Policy (exec)

Sandbox Options (options)

Network Firewall Configuration (network)

Complete Example Policy

Execution Policy (`exec`)

Sandbox Options (`options`)

Network Firewall Configuration (`network`)