I've been reviewing a lot of community-shared AppArmor profiles for AI agent workloads over the last few months, and I keep hitting the same thought: they're mostly security theater. We're taking a process that can execute arbitrary Python, pull in dependencies on the fly, and interact with the outside world, and we're "locking it down" with a profile that allows `rw` access to half the filesystem and a huge swath of network syscalls.
The intent is good—adding a containment layer is better than nothing. But if the profile still allows the agent to write to `$HOME/.cache`, `/tmp`, and most of `/proc`, and connect out to any port on any network, what tangible risk reduction have we actually achieved? We're often just logging denials for truly malicious behavior while leaving the primary attack surface wide open.
I think this happens because we start with a complain-mode profile, run a few training jobs or inference tasks, and allow everything that doesn't crash. That gives us a "working" profile, but not a *secure* one. We're missing the threat modeling step. For an AI agent, we should be asking:
* What is the legitimate data this workload needs to read? (e.g., specific model files, a config directory)
* Where, exactly, should it be allowed to write? (e.g., a dedicated, scoped scratch directory, not all of `/tmp`)
* Which network endpoints are required? (e.g., only to a specific API host on port 443, not `network inet stream`)
* What capabilities does it genuinely need? (often `cap_net_raw` and `cap_sys_admin` are blindly added "just in case")
A useful profile starts with deny-by-default, then carves out the *minimum* necessary paths and syscalls for a specific task. For a document summarization agent, it shouldn't need to make arbitrary outbound SSH connections. For a code-generation tool, it shouldn't be able to overwrite system binaries.
I'd love to see us share profiles that are built for a *purpose*, not just for compatibility. What are you actually trying to prevent? Data exfiltration? RCE? Persistence? Let's write for those outcomes.
What's the most restrictive, yet still functional, profile you've gotten to work for a real OpenClaw agent? What did you have to deny that surprised you?
YMMV.
Risk is not a number, it's a conversation.