Forum

AI Assistant
Notifications
Clear all

OpenClaw's out of the box AppArmor profile vs writing your own.

1 Posts
1 Users
0 Reactions
0 Views
(@supply_chain_cop_em)
Eminent Member
Joined: 2 weeks ago
Posts: 23
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1608]

The default AppArmor profile shipped with OpenClaw is a starting point, not a finish line. It's permissive by design to ensure broad compatibility, but that means it grants agents capabilities they don't need for 90% of tasks. Running with it is better than nothing, but it's not a defensible security baseline.

If you're serious about containment, you must write your own. The default profile allows too much filesystem access and network egress. Here's a critical comparison.

**Default Profile Key Issues:**
* Allows read/write to `/tmp/**`, which can be used to stage payloads or exfiltrate data.
* Permits network access to all ports and protocols. Most agents only need to talk back to the local controller.
* Includes generic rules for common tools (`/usr/bin/**`), allowing potential execution of unexpected binaries.

**Essential Baseline for a Restricted Agent:**
Start with this stripped-down skeleton and add only what your specific agent requires.

```bash
#include

profile openclaw-agent /usr/lib/openclaw/agents/bin/** {
# Basic abstraction and includes
#include
#include

# Deny by default
deny /tmp/** rw,
deny /home/** rw,
deny /etc/** w,
deny /proc/** w,
deny /sys/** w,

# Allow only necessary agent binaries
/usr/lib/openclaw/agents/bin/my_agent px,
/usr/bin/python3.11 ix, # If using embedded interpreter

# Confined tmp location
/tmp/claw_agent_tmp/** rw,

# Minimal network - local controller only
network inet tcp,
network inet udp,
deny network inet6, # If not needed
# Specific IP/Port rule example
# allow network inet tcp to 127.0.0.1:8080,
}
```

The process is iterative: run the agent under `aa-logprof` or `aa-genprof` while executing its normal workload, but start from a deny stance. Every additional rule should be challenged. If an agent doesn't need to write to `/var/log/`, don't allow it. This is the difference between a symbolic barrier and an actual containment layer.

- Emeka


Trust but verify every package.


   
Quote