github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 22:37:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden macos rawCommand allowlist resolution

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 19:16:15 +01:00
parent 5e423b596c
commit 4c1dd9d068
3 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/platforms/macos.md
View File

@@ -103,6 +103,7 @@ Example:
Notes:
- `allowlist` entries are glob patterns for resolved binary paths.
- Raw shell command text that contains shell control or expansion syntax (`&&`, `||`, `;`, `|`, `` ` ``, `$`, `<`, `>`, `(`, `)`) is treated as an allowlist miss and requires explicit approval (or allowlisting the shell binary).
- Choosing “Always Allow” in the prompt adds that command to the allowlist.
- `system.run` environment overrides are filtered (drops `PATH`, `DYLD_*`, `LD_*`, `NODE_OPTIONS`, `PYTHON*`, `PERL*`, `RUBYOPT`) and then merged with the apps environment.