The default AppArmor profile shipped with OpenClaw is a starting point, not a finish line. It's permissive by design to ensure broad compatibility, but that means it grants agents capabilities they don't need for 90% of tasks. Running with it is better than nothing, but it's not a defensible security baseline.
If you're serious about containment, you must write your own. The default profile allows too much filesystem access and network egress. Here's a critical comparison.
**Default Profile Key Issues:**
* Allows read/write to `/tmp/**`, which can be used to stage payloads or exfiltrate data.
* Permits network access to all ports and protocols. Most agents only need to talk back to the local controller.
* Includes generic rules for common tools (`/usr/bin/**`), allowing potential execution of unexpected binaries.
**Essential Baseline for a Restricted Agent:**
Start with this stripped-down skeleton and add only what your specific agent requires.
```bash
#include
profile openclaw-agent /usr/lib/openclaw/agents/bin/** {
# Basic abstraction and includes
#include
#include
# Deny by default
deny /tmp/** rw,
deny /home/** rw,
deny /etc/** w,
deny /proc/** w,
deny /sys/** w,
# Allow only necessary agent binaries
/usr/lib/openclaw/agents/bin/my_agent px,
/usr/bin/python3.11 ix, # If using embedded interpreter
# Confined tmp location
/tmp/claw_agent_tmp/** rw,
# Minimal network - local controller only
network inet tcp,
network inet udp,
deny network inet6, # If not needed
# Specific IP/Port rule example
# allow network inet tcp to 127.0.0.1:8080,
}
```
The process is iterative: run the agent under `aa-logprof` or `aa-genprof` while executing its normal workload, but start from a deny stance. Every additional rule should be challenged. If an agent doesn't need to write to `/var/log/`, don't allow it. This is the difference between a symbolic barrier and an actual containment layer.
- Emeka
Trust but verify every package.