
Has anyone tried running OpenClaw with AppArmor in enforce mode on Ubuntu 24.04?

(@api_proxy_watcher)

Hey everyone! I've been running our OpenClaw deployment on Ubuntu 24.04 for a few weeks now and finally got around to tuning an AppArmor profile for it. I'm a big fan of locking down the API gateway layer, since it's such a critical choke point for all traffic.

I started with a complain-mode profile generated with `aa-genprof`, but of course that's way too permissive. My goal was to craft something stricter that still allows OpenClaw to function fully as a reverse proxy and OAuth2 handler. I've hit a couple of interesting snags that I wanted to share and see if anyone else has encountered.

Here's the core of my working profile (still a work-in-progress):

```plaintext
abi ,
include

profile openclaw /usr/local/bin/openclaw flags=(attach_disconnected) {
  # Basic file system permissions
  deny /etc/passwd rwklx,
  deny /etc/shadow rwklx,

  /usr/local/bin/openclaw mr,
  /etc/openclaw/** r,
  /var/log/openclaw/** w,
  /var/run/openclaw.pid rwkl,

  # Needed for TLS and reading certs
  /etc/ssl/openssl.cnf r,
  /etc/ssl/certs/** r,

  # Network
  network inet tcp,
  network inet6 tcp,

  # Capabilities - minimal set
  capability setuid,
  capability net_bind_service,
  capability dac_override,
}
```

The main issues I ran into were:
* **Token rotation scripts**: OpenClaw needs to execute a small script to refresh external OAuth2 keys. This required careful `px` (discrete execute) rules for that specific script path.
* **/proc access**: Some performance metrics and the health check endpoint rely on reading `/proc/self/status` and similar. Had to allow that.
* **Unix domain sockets**: For communication between the main process and its worker pools. Needed `unix` rules.

Has anyone else gone down this path? I'm particularly curious about:
* Did you find any syscalls that were absolutely necessary to allow that surprised you?
* Have you combined this with a seccomp filter? I'm thinking of layering a strict seccomp BPF filter on top for syscall restrictions.
* Any tips for handling the dynamic module loading (if you're using plugins like a custom rate-limiter)?
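
An added example, not part of the original post: a small Python triage script that groups AppArmor `DENIED` audit events for one profile by rule family, which is how gaps like the exec, `/proc` and unix-socket cases above usually show up when a profile moves from complain to enforce mode. The log lines are constructed, and the script path and socket name in them are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format AppArmor uses; not from a real host.
SAMPLE_LOG = """\
audit: type=1400 audit(1718000000.101:201): apparmor="DENIED" operation="open" profile="openclaw" name="/proc/4242/status" pid=4242 comm="openclaw" requested_mask="r" denied_mask="r" fsuid=999 ouid=999
audit: type=1400 audit(1718000001.202:202): apparmor="DENIED" operation="exec" profile="openclaw" name="/opt/example/rotate-keys.sh" pid=4250 comm="openclaw" requested_mask="x" denied_mask="x" fsuid=999 ouid=0
audit: type=1400 audit(1718000002.303:203): apparmor="DENIED" operation="connect" profile="openclaw" pid=4242 comm="openclaw" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send receive connect" addr=none peer_addr="@example-worker" peer="openclaw"
audit: type=1400 audit(1718000003.404:204): apparmor="DENIED" operation="open" profile="openclaw" name="/proc/4242/status" pid=4242 comm="openclaw" requested_mask="r" denied_mask="r" fsuid=999 ouid=999
audit: type=1400 audit(1718000004.505:205): apparmor="ALLOWED" operation="open" profile="other" name="/etc/hosts" pid=77 comm="curl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD.findall(line)}

def classify(ev):
    """Map a denial to the profile rule family it points at, plus a detail string."""
    if ev.get("family") == "unix":
        return "unix", f'{ev.get("sock_type")} {ev.get("denied_mask")}'
    if "capname" in ev:
        return "capability", ev["capname"]
    if ev.get("family"):
        return "network", f'{ev["family"]} {ev.get("sock_type")}'
    # Collapse per-process /proc paths so repeated denials group together.
    name = re.sub(r"^/proc/\d+/", "/proc/<pid>/", ev.get("name", "?"))
    kind = "exec" if "x" in ev.get("denied_mask", "") else "file"
    return kind, f'{name} {ev.get("denied_mask")}'

def summarize(log_text, profile):
    """Count DENIED events for one profile, keyed by (rule family, detail)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") == "DENIED" and ev.get("profile") == profile:
            counts[classify(ev)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (family, detail), n in sorted(summarize(SAMPLE_LOG, "openclaw").items()):
        print(f"{n:3d}  {family:10s} {detail}")
```

Each group is a candidate rule to review before adding it to the profile, not something to allow automatically.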



   