From 8573ff915890043a2e26c15c0897655e9c57f10f Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 23 Mar 2026 08:22:26 +0000
Subject: [PATCH] policy/v2: fix grant-only policies returning FilterAllowAll compileFilterRules checked only pol.ACLs == nil to decide whether to return FilterAllowAll (permit-any). Policies that use only Grants (no ACLs) had nil ACLs, so the function short-circuited before compiling any CapGrant rules. This meant cap/relay, cap/drive, and any other App-based grant capabilities were silently ignored. Check both ACLs and Grants are empty before returning FilterAllowAll. Updates #2180
---
 hscontrol/policy/v2/filter.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hscontrol/policy/v2/filter.go b/hscontrol/policy/v2/filter.go
index df2b6826..e7cb1d5c 100644
--- hscontrol/policy/v2/filter.go
+++ hscontrol/policy/v2/filter.go
@@ -137,7 +137,7 @@ func (pol *Policy) compileFilterRules(
 users types.Users,
 nodes views.Slice[types.NodeView],
 ) ([]tailcfg.FilterRule, error) {
- if pol == nil || pol.ACLs == nil {
+ if pol == nil || (pol.ACLs == nil && len(pol.Grants) == 0) {
 return tailcfg.FilterAllowAll, nil
 }
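Review bot: The new guard in compileFilterRules tests the two fields differently, `pol.ACLs == nil` against `len(pol.Grants) == 0`, so an explicitly empty grants list still falls through to FilterAllowAll while an explicitly empty (non-nil) ACL list does not, which is narrower than the "both are empty" wording in the commit message. Because this branch is the fail-open default for the whole packet filter, the intended semantics should be written down next to it, for example `// No ACLs and no grants at all: fall back to allow-all. A non-nil but empty ACL list is not treated as "no policy".` The diffstat shows only filter.go changing, so nothing pins the fix; a regression test asserting that a grants-only policy no longer yields FilterAllowAll would keep the short-circuit from silently returning. Any other compile path that carries the same `pol.ACLs == nil` check would have the same gap, but those are outside this hunk, as is the rest of the function body.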