Hey everyone, new member here. I've been setting up a test instance of OpenClaw in my homelab, mostly following the guides. I'm trying to wrap my head around the security side of things, specifically seccomp.

I understand that blocking `execve` and similar syscalls is a common move in container profiles to prevent breakout. But I was reading about memory protection and got curious about `mmap`. I know OpenClaw's agent architecture uses a lot of inter-process communication, and I'm guessing it needs to map memory.

My question is pretty specific: has anyone experimented with a seccomp filter that blocks **all** `mmap` (and `mprotect`/`pkey_mprotect`) calls that use `PROT_EXEC`? The idea would be to prevent any new executable memory from being mapped, which seems like a solid layer against certain code injection attacks.

But I'm a beginner with this low-level stuff, and I'm worried about breaking things. Does the OpenClaw agent or any of its subprocesses (like the nano_claw modules) need to create executable memory pages for JIT or something similar? Or does it all come from pre-loaded libraries? Would this break updates or dynamic module loading?

I'm not asking for a full profile (yet!), just wondering if anyone has gone down this road and what the results were. Did it run stable? What, if anything, broke immediately? I'm trying to learn what each restriction actually buys you in practice.