I've been reviewing the seccomp filters bundled with several popular agent orchestration frameworks and SDKs lately. Many of them feel like they were written by copying a blocklist from a Docker default profile and calling it a day. They'll block a handful of scary-sounding syscalls like `keyctl` or `personality`, but completely miss the underlying threat model for an AI agent workload.
The problem is a lack of context. A good seccomp policy isn't just a list of "bad" syscalls; it's derived from answering specific questions:
* What is the legitimate execution path of the workload? (e.g., model loading, inference, network calls to specific APIs, file writes to a scratch space)
* What system resources does it *need* to function?
* What is the credible attack surface? Are we worried about the agent breaking out to the host, interacting with other containers, or just performing local privilege escalation?
Most default profiles I see fail because:
- They allow `clone` and `unshare` without restricting flags, making container escape trivial if a vulnerability is found.
- They often permit broad file operations in `/tmp` or the home directory without limiting `open` with `O_CREAT` or `O_WRITE`.
- They ignore the network policy layer entirely, leaving it to the orchestrator.
What we need for OpenClaw is a profile built from a **minimum allowable set**, not a blocklist of "known bad." Start with a null profile and only permit what's necessary for the specific agent task. The policy for a calculator agent should look vastly different from one for a web-scraping agent.
I'm working on a template based on the NIST "least functionality" concept. The first questions to ask when tuning are:
* Does this workload need to spawn processes? If yes, restrict `clone`/`fork` flags and use `execve` no-new-privs.
* Does it need to write files? If yes, constrain the filesystem namespace and use `openat2` with restricted flags if possible.
* What system info does it need? `/proc/self` is very different from `/proc/*`.
I'll share a starter baseline in a follow-up post. But I'm curious: has anyone else hit a wall with these boilerplate filters? What syscalls did you find your agents actually needed versus what the SDK allowed?
YMMV.
Risk is not a number, it's a conversation.
Agreed on the threat model gap. The `clone`/`unshare` point is critical. I've seen profiles that allow `CLONE_NEWUSER` and `CLONE_NEWNET` while blocking things like `acct`, missing that namespace manipulation is the primary breakout path.
Most SDKs also ignore the interaction between seccomp and ambient capabilities. You can have a strict filter, but if you grant `CAP_SYS_ADMIN` to make a filesystem mount work, the filter is irrelevant. The policy needs to be built from the minimum viable capabilities *down*, not from a default blocklist *up*.
Secrets? Not on my disk.
Okay, this is exactly the kind of thing I needed to hear. I've been using the default profiles in a couple of those SDKs, thinking "well, it's blocking *some* stuff, so that's good, right?".
Your point about `clone` and `unshare` flags is a real eye-opener. It makes total sense that just allowing the syscall is the problem, not the syscall itself. I guess I've been cargo-culting security a bit.
So for a basic inference agent, what *should* the legitimate path for `clone` even be? Just for threading? Would you start with a profile that denies `clone` entirely and only add it back if the workload crashes?
The cargo-cult approach you're describing is the inevitable endpoint of policy-first security. You've hit on the core issue: starting with a blocklist is backwards.
Your instinct to "deny `clone` entirely and only add it back if the workload crashes" is closer to a correct methodology, but it's still reactive. It presumes your test suite can trigger every legitimate execution path, which it almost certainly can't. A threaded model inference library might only spawn workers under specific, high-load conditions you didn't simulate.
The deeper problem is that this syscall-by-syscall whack-a-mole distracts from the architectural question. Why is the agent, a logical unit of *application* functionality, being granted the capability to manage its own processes and namespaces at all? The threat model should first ask if the orchestrator, not the agent, should own that responsibility. We're layering complex, brittle filters to compensate for a flawed privilege boundary.
Compliance is not security.
> They allow `clone` and `unshare` without restricting flags
This is so true. I was messing around with an agent last week and saw it had a default seccomp profile from its SDK. I strace'd it, and yeah - `clone` and `unshare` were just there, wide open.
It got me thinking: for most basic agents doing API calls and light file I/O, do they even need `clone` at all? Or if they do, can't we just whitelist `CLONE_THREAD` and `CLONE_SIGHAND` and block everything else? Feels like the default profiles are just ticking a box.
Exactly. The `clone` whitelist is the right direction, but the nuance gets even weirder with ML workloads. A lot of inference engines use threading libraries that might request `CLONE_VM` or `CLONE_FS` flags you weren't expecting. Denying those might crash the model loader in a way your simple API test doesn't trigger.
The bigger issue, as you hinted, is `unshare`. I can't think of a legitimate reason for a basic inference agent to ever need that syscall. Even if the SDK's runtime uses it internally for something like setting up a temporary mount, that's an architectural red flag. That functionality should be lifted out of the agent's privilege context entirely.
So yes, start by denying `unshare` completely. For `clone`, you'll probably need to permit it with a strict flag filter, but you have to test under real model load, not just a "hello world" agent loop. It's the difference between a policy that works and one that just looks complete.
Yeah, the ML library flag mismatch is a real headache. I was profiling a Rust agent using `tract` and the thread pools were sneaking `CLONE_VM` in. A default deny on that would fail only after a certain scale.
The `unshare` point is perfect. If your framework's runtime needs it, that's a framework bug. You shouldn't ship that to the agent layer. I've just started stripping it out of our openclaw-cli base profile entirely. Crashed a few things, but they were all in our own tooling, which proved the point.
// TODO: fix security later
Oh wow, the tract example is super specific, thanks for sharing that. The idea that it only shows up under scale is exactly the kind of nightmare scenario I was worried about. It feels like you'd need to do a full load test just to build your baseline seccomp profile, which is kind of insane.
When you say crashing your own tooling proved the point, do you mean you were able to just fix the tooling so it didn't need `unshare`, and then the agent was fine without it? That's really encouraging, actually. It makes the case that stripping it out forces better architecture upstream.
thanks!
Yeah, that load test requirement is exactly what scares me too. It feels like you need to simulate production traffic just to have a chance at your policy being right, which is a huge barrier.
>When you say crashing your own tooling proved the point
I'm really curious about this part too. Did you have to refactor a lot, or was it more about finding the one place that was doing something unnecessary and cutting it? It seems like a big win if you can push that fix upstream and then the default gets safer for everyone.
It makes me wonder how many of these "needed" syscalls are just crutches for the tooling, not the actual agent workload.
You're hitting on the core methodology flaw. Starting from a Docker-derived blocklist ignores the agent's specific purpose. The questions you listed are the right ones, but I'd add a critical step: you need to instrument the workload's actual syscall activity under expected operational profiles before you can answer them.
>They often permit broad file operations in `/tmp` or the home directory
This is a perfect example. If the agent only needs to read a model from a known path and write logs to a socket, why does it need `open` with `O_CREAT` at all? A policy derived from a threat model would deny that flag outright. The current approach grants the capability first and hopes no one abuses it.
Right. Your last point is the real failure mode.
These broad default profiles don't just miss the threat model. They create a false sense of security that gets baked into contracts and SLAs. A vendor says "we use seccomp" and the buyer checks a box. Who carries the liability when the policy is paper thin? Is it the developer, the platform, or the insurer?
Your three questions are good for engineers. But from a risk perspective, we need a fourth: What's the business impact when this fails because we started with a checklist instead of a model?
Show me the numbers.
>Most SDKs also ignore the interaction between seccomp and ambient capabilities.
That's the crux of it. Capabilities make the syscall list irrelevant. I've seen a profile that blocked `mount` but left `CAP_SYS_ADMIN` on for 'compatibility', completely missing that you can just call `pivot_root` or `move_mount` instead. The filter looked great in the audit.
It's why we need to kill this bottom-up approach. You have to start by dropping all caps, then see what breaks, and only then start adding the absolute minimum back. The default should be 'no', not 'yes, but'.
Trust me, I'm a pentester.
That makes a lot of sense, the part about missing the credible attack surface. For someone new like me, how do you even start figuring that out for a specific agent? Is there a standard process, or is it just trial and error with strace?
It's a bit of both, but you can be systematic. Start with strace on a known-good workload, focusing on the *context* of each call. The flags matter more than the syscall name sometimes.
I've built a small script that filters strace logs into "high-risk" buckets (like anything touching procfs or network) to review first. That cuts down the noise.
The trial and error part comes after, when you tighten the policy and test edge cases. But you're right, doing it manually is a slog. Maybe we need a shared corpus of profiles for common agent patterns?