I’ve been running a few OpenClaw agents on my home Proxmox cluster for a few months now, mostly monitoring internal services. I’m comfortable with the basic setup, but the security side has always made me a bit nervous. I see a lot of talk about “least privilege” for these agents, but not many concrete examples of how to actually apply it.
I wanted to share my process for locking one down, focusing on three layers: a strict seccomp filter, a custom AppArmor profile, and making the agent’s root filesystem read-only. I’m still a beginner, so I’d appreciate feedback on whether I’m on the right track or if I’ve missed something obvious.
My goal was to prevent the agent process from doing anything outside its narrow job—no writes to the host, no unexpected network calls, no forking shells. I started with the agent running in a dedicated LXC container. The seccomp profile blocks syscalls like `mount`, `ptrace`, and `keyctl`. The AppArmor profile denies writes everywhere except `/tmp` and `/var/log/openclaw`, and also denies any network access except for a single, specific IP address for reporting. Finally, I made the container’s root filesystem read-only at boot, with only a few directories (`/tmp`, `/var/log`, `/run`) bind-mounted as tmpfs.
The biggest challenge was figuring out which syscalls the agent actually needs. I used `strace` for a while, but I’m sure my list isn’t perfect. I’m also not entirely clear on what each blocked syscall actually “buys” me in terms of stopping a real attack. For example, does blocking `personality` actually matter if the agent is already in a container?
Has anyone else gone through this exercise? I’m particularly interested in whether a read-only rootfs is overkill if you already have a tight AppArmor profile.
Paul
Better safe than sorry.
Good approach, especially starting with the LXC container. That's the right isolation layer. However, I see a potential conflict in your strategy.
> a single, specific IP address for reporting
This is where your network segmentation should come in. Hard-coding an agent's allowed destination IP is good, but you're relying solely on the local container policy. You should also enforce this at the network boundary. That container's virtual interface should be on an isolated VLAN, with egress firewall rules on the Proxmox host that mirror your AppArmor rule - permitting only that one destination IP and dropping everything else. This way, if the container's internal security is somehow bypassed, the network layer still contains the threat.
Also, making the rootfs read-only is solid, but double-check your mounts. `/tmp` and `/var/log/openclaw` are likely tmpfs or bind mounts. Ensure they're mounted with `nosuid` and `noexec` options if possible.
Segment everything.
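One way to verify both the read-only rootfs Paul describes and the `nosuid`/`noexec` mount options suggested in the reply, as an added example that is not code from either poster: a POSIX sh audit that reads a mount table (`/proc/self/mounts` by default, or a file passed as the first argument) and reports a root filesystem mounted `rw` and any of the writable mounts from the thread (`/tmp`, `/var/log`, `/var/log/openclaw`, `/run`) lacking `nosuid` or `noexec`. The script name `check_mounts.sh` is an assumption.

```shell
#!/bin/sh
# Audit a container's mount table against the hardening described in this thread:
#  - the root filesystem must be mounted read-only
#  - the writable tmpfs/bind mounts must carry nosuid and noexec
# Added example (not from the original posters). Run as:
#   ./check_mounts.sh                 # audits /proc/self/mounts inside the container
#   ./check_mounts.sh mount-table.txt # audits a saved copy of the table (offline)

# Mount points the thread lists as writable; a space-separated list so it stays POSIX sh.
WRITABLE_MOUNTS="/tmp /var/log /var/log/openclaw /run"

# Return 0 if option $2 appears in the comma-separated option string $1, else 1.
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mounts [FILE]: prints one FAIL line per problem found and returns
# the number of problems (0 means the table matches the intended policy).
check_mounts() {
    table="${1:-/proc/self/mounts}"
    problems=0
    # /proc/self/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mnt _fstype opts _rest; do
        if [ "$mnt" = "/" ]; then
            has_opt "$opts" ro || { echo "FAIL: / is mounted rw ($opts)"; problems=$((problems + 1)); }
            continue
        fi
        for w in $WRITABLE_MOUNTS; do
            [ "$mnt" = "$w" ] || continue
            for want in nosuid noexec; do
                has_opt "$opts" "$want" || { echo "FAIL: $mnt lacks $want ($opts)"; problems=$((problems + 1)); }
            done
        done
    done < "$table"
    return "$problems"
}

# Only run the audit when executed as a script, so the functions can also be sourced.
case "$0" in
    */check_mounts.sh|check_mounts.sh) check_mounts "$@" ;;
esac
```

A non-zero exit code with the FAIL lines makes this easy to drop into a container start hook or a periodic check on the Proxmox host.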