fix(macos): harden exec allowlist shell-chain checks

2026-04-19 21:28:37 +00:00 · 2026-02-21 16:27:05 +01:00
parent 8178ea472d
commit 5da03e6221
9 changed files with 507 additions and 133 deletions
--- a/apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift
+++ b/apps/macos/Sources/OpenClaw/NodeMode/MacNodeRuntime.swift
@@ -454,18 +454,23 @@ actor MacNodeRuntime {
            : self.mainSessionKey
        let runId = UUID().uuidString
        let env = Self.sanitizedEnv(params.env)
-        let resolution = ExecCommandResolution.resolve(
+        let allowlistResolutions = ExecCommandResolution.resolveForAllowlist(
            command: command,
            rawCommand: params.rawCommand,
            cwd: params.cwd,
            env: env)
-        let allowlistMatch = security == .allowlist
-            ? ExecAllowlistMatcher.match(entries: approvals.allowlist, resolution: resolution)
-            : nil
+        let resolution = allowlistResolutions.first
+        let allowlistMatches = security == .allowlist
+            ? ExecAllowlistMatcher.matchAll(entries: approvals.allowlist, resolutions: allowlistResolutions)
+            : []
+        let allowlistSatisfied = security == .allowlist &&
+            !allowlistResolutions.isEmpty &&
+            allowlistMatches.count == allowlistResolutions.count
+        let allowlistMatch = allowlistSatisfied ? allowlistMatches.first : nil
        let skillAllow: Bool
-        if autoAllowSkills, let name = resolution?.executableName {
+        if autoAllowSkills, !allowlistResolutions.isEmpty {
            let bins = await SkillBinsCache.shared.currentBins()
-            skillAllow = bins.contains(name)
+            skillAllow = allowlistResolutions.allSatisfy { bins.contains($0.executableName) }
        } else {
            skillAllow = false
        }
@@ -501,13 +506,14 @@ actor MacNodeRuntime {
        if let response = approval.response { return response }
        let approvedByAsk = approval.approvedByAsk
        let persistAllowlist = approval.persistAllowlist
-        if persistAllowlist, security == .allowlist,
-           let pattern = ExecApprovalHelpers.allowlistPattern(command: command, resolution: resolution)
-        {
-            ExecApprovalsStore.addAllowlistEntry(agentId: agentId, pattern: pattern)
-        }
+        self.persistAllowlistPatterns(
+            persistAllowlist: persistAllowlist,
+            security: security,
+            agentId: agentId,
+            command: command,
+            allowlistResolutions: allowlistResolutions)

-        if security == .allowlist, allowlistMatch == nil, !skillAllow, !approvedByAsk {
+        if security == .allowlist, !allowlistSatisfied, !skillAllow, !approvedByAsk {
            await self.emitExecEvent(
                "exec.denied",
                payload: ExecEventPayload(
@@ -522,79 +528,32 @@ actor MacNodeRuntime {
                message: "SYSTEM_RUN_DENIED: allowlist miss")
        }

-        if let match = allowlistMatch {
-            ExecApprovalsStore.recordAllowlistUse(
-                agentId: agentId,
-                pattern: match.pattern,
-                command: displayCommand,
-                resolvedPath: resolution?.resolvedPath)
+        self.recordAllowlistMatches(
+            security: security,
+            allowlistSatisfied: allowlistSatisfied,
+            agentId: agentId,
+            allowlistMatches: allowlistMatches,
+            allowlistResolutions: allowlistResolutions,
+            displayCommand: displayCommand)
+
+        if let permissionResponse = await self.validateScreenRecordingIfNeeded(
+            req: req,
+            needsScreenRecording: params.needsScreenRecording,
+            sessionKey: sessionKey,
+            runId: runId,
+            displayCommand: displayCommand)
+        {
+            return permissionResponse
        }

-        if params.needsScreenRecording == true {
-            let authorized = await PermissionManager
-                .status([.screenRecording])[.screenRecording] ?? false
-            if !authorized {
-                await self.emitExecEvent(
-                    "exec.denied",
-                    payload: ExecEventPayload(
-                        sessionKey: sessionKey,
-                        runId: runId,
-                        host: "node",
-                        command: displayCommand,
-                        reason: "permission:screenRecording"))
-                return Self.errorResponse(
-                    req,
-                    code: .unavailable,
-                    message: "PERMISSION_MISSING: screenRecording")
-            }
-        }
-
-        let timeoutSec = params.timeoutMs.flatMap { Double($0) / 1000.0 }
-        await self.emitExecEvent(
-            "exec.started",
-            payload: ExecEventPayload(
-                sessionKey: sessionKey,
-                runId: runId,
-                host: "node",
-                command: displayCommand))
-        let result = await ShellExecutor.runDetailed(
+        return try await self.executeSystemRun(
+            req: req,
+            params: params,
            command: command,
-            cwd: params.cwd,
            env: env,
-            timeout: timeoutSec)
-        let combined = [result.stdout, result.stderr, result.errorMessage]
-            .compactMap(\.self)
-            .filter { !$0.isEmpty }
-            .joined(separator: "\n")
-        await self.emitExecEvent(
-            "exec.finished",
-            payload: ExecEventPayload(
-                sessionKey: sessionKey,
-                runId: runId,
-                host: "node",
-                command: displayCommand,
-                exitCode: result.exitCode,
-                timedOut: result.timedOut,
-                success: result.success,
-                output: ExecEventPayload.truncateOutput(combined)))
-
-        struct RunPayload: Encodable {
-            var exitCode: Int?
-            var timedOut: Bool
-            var success: Bool
-            var stdout: String
-            var stderr: String
-            var error: String?
-        }
-
-        let payload = try Self.encodePayload(RunPayload(
-            exitCode: result.exitCode,
-            timedOut: result.timedOut,
-            success: result.success,
-            stdout: result.stdout,
-            stderr: result.stderr,
-            error: result.errorMessage))
-        return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
+            sessionKey: sessionKey,
+            runId: runId,
+            displayCommand: displayCommand)
    }

    private func handleSystemWhich(_ req: BridgeInvokeRequest) async throws -> BridgeInvokeResponse {
@@ -835,6 +794,132 @@ actor MacNodeRuntime {
 }

 extension MacNodeRuntime {
+    private func persistAllowlistPatterns(
+        persistAllowlist: Bool,
+        security: ExecSecurity,
+        agentId: String?,
+        command: [String],
+        allowlistResolutions: [ExecCommandResolution])
+    {
+        guard persistAllowlist, security == .allowlist else { return }
+        var seenPatterns = Set<String>()
+        for candidate in allowlistResolutions {
+            guard let pattern = ExecApprovalHelpers.allowlistPattern(command: command, resolution: candidate) else {
+                continue
+            }
+            if seenPatterns.insert(pattern).inserted {
+                ExecApprovalsStore.addAllowlistEntry(agentId: agentId, pattern: pattern)
+            }
+        }
+    }
+
+    private func recordAllowlistMatches(
+        security: ExecSecurity,
+        allowlistSatisfied: Bool,
+        agentId: String?,
+        allowlistMatches: [ExecAllowlistEntry],
+        allowlistResolutions: [ExecCommandResolution],
+        displayCommand: String)
+    {
+        guard security == .allowlist, allowlistSatisfied else { return }
+        var seenPatterns = Set<String>()
+        for (idx, match) in allowlistMatches.enumerated() {
+            if !seenPatterns.insert(match.pattern).inserted {
+                continue
+            }
+            let resolvedPath = idx < allowlistResolutions.count ? allowlistResolutions[idx].resolvedPath : nil
+            ExecApprovalsStore.recordAllowlistUse(
+                agentId: agentId,
+                pattern: match.pattern,
+                command: displayCommand,
+                resolvedPath: resolvedPath)
+        }
+    }
+
+    private func validateScreenRecordingIfNeeded(
+        req: BridgeInvokeRequest,
+        needsScreenRecording: Bool?,
+        sessionKey: String,
+        runId: String,
+        displayCommand: String) async -> BridgeInvokeResponse?
+    {
+        guard needsScreenRecording == true else { return nil }
+        let authorized = await PermissionManager
+            .status([.screenRecording])[.screenRecording] ?? false
+        if authorized {
+            return nil
+        }
+        await self.emitExecEvent(
+            "exec.denied",
+            payload: ExecEventPayload(
+                sessionKey: sessionKey,
+                runId: runId,
+                host: "node",
+                command: displayCommand,
+                reason: "permission:screenRecording"))
+        return Self.errorResponse(
+            req,
+            code: .unavailable,
+            message: "PERMISSION_MISSING: screenRecording")
+    }
+
+    private func executeSystemRun(
+        req: BridgeInvokeRequest,
+        params: OpenClawSystemRunParams,
+        command: [String],
+        env: [String: String],
+        sessionKey: String,
+        runId: String,
+        displayCommand: String) async throws -> BridgeInvokeResponse
+    {
+        let timeoutSec = params.timeoutMs.flatMap { Double($0) / 1000.0 }
+        await self.emitExecEvent(
+            "exec.started",
+            payload: ExecEventPayload(
+                sessionKey: sessionKey,
+                runId: runId,
+                host: "node",
+                command: displayCommand))
+        let result = await ShellExecutor.runDetailed(
+            command: command,
+            cwd: params.cwd,
+            env: env,
+            timeout: timeoutSec)
+        let combined = [result.stdout, result.stderr, result.errorMessage]
+            .compactMap(\.self)
+            .filter { !$0.isEmpty }
+            .joined(separator: "\n")
+        await self.emitExecEvent(
+            "exec.finished",
+            payload: ExecEventPayload(
+                sessionKey: sessionKey,
+                runId: runId,
+                host: "node",
+                command: displayCommand,
+                exitCode: result.exitCode,
+                timedOut: result.timedOut,
+                success: result.success,
+                output: ExecEventPayload.truncateOutput(combined)))
+
+        struct RunPayload: Encodable {
+            var exitCode: Int?
+            var timedOut: Bool
+            var success: Bool
+            var stdout: String
+            var stderr: String
+            var error: String?
+        }
+        let runPayload = RunPayload(
+            exitCode: result.exitCode,
+            timedOut: result.timedOut,
+            success: result.success,
+            stdout: result.stdout,
+            stderr: result.stderr,
+            error: result.errorMessage)
+        let payload = try Self.encodePayload(runPayload)
+        return BridgeInvokeResponse(id: req.id, ok: true, payloadJSON: payload)
+    }
+
    private static func decodeParams<T: Decodable>(_ type: T.Type, from json: String?) throws -> T {
        guard let json, let data = json.data(using: .utf8) else {
            throw NSError(domain: "Gateway", code: 20, userInfo: [