fix(macos): harden exec approvals socket path and permissions

Peter Steinberger
2026-03-01 23:37:07 +00:00
parent 6c5633598e
commit 912ddba81e
4 changed files with 226 additions and 3 deletions


@@ -226,6 +226,7 @@ enum ExecApprovalsStore {
private static let defaultAsk: ExecAsk = .onMiss
private static let defaultAskFallback: ExecSecurity = .deny
private static let defaultAutoAllowSkills = false
private static let secureStateDirPermissions = 0o700
static func fileURL() -> URL {
OpenClawPaths.stateDirURL.appendingPathComponent("exec-approvals.json")
@@ -332,6 +333,7 @@ enum ExecApprovalsStore {
encoder.outputFormatting = [.prettyPrinted, .sortedKeys]
let data = try encoder.encode(file)
let url = self.fileURL()
self.ensureSecureStateDirectory()
try FileManager().createDirectory(
at: url.deletingLastPathComponent(),
withIntermediateDirectories: true)
@@ -343,6 +345,7 @@ enum ExecApprovalsStore {
}
static func ensureFile() -> ExecApprovalsFile {
self.ensureSecureStateDirectory()
let url = self.fileURL()
let existed = FileManager().fileExists(atPath: url.path)
let loaded = self.loadFile()
@@ -524,6 +527,18 @@ enum ExecApprovalsStore {
self.saveFile(file)
}
private static func ensureSecureStateDirectory() {
let url = OpenClawPaths.stateDirURL
do {
try FileManager().createDirectory(at: url, withIntermediateDirectories: true)
try FileManager().setAttributes(
[.posixPermissions: self.secureStateDirPermissions],
ofItemAtPath: url.path)
} catch {
self.logger.warning("exec approvals state dir permission hardening failed: \(error.localizedDescription, privacy: .public)")
}
}
private static func generateToken() -> String {
var bytes = [UInt8](repeating: 0, count: 24)
let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
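Review bot: In `ensureSecureStateDirectory()` a failure to tighten the directory is only logged as a warning, so `ensureFile()` (third hunk) and the save path in the second hunk go on to read and write `exec-approvals.json` in a directory that may still be group- or world-accessible. Consider returning the outcome, or re-reading the attributes and refusing to continue when the mode is not `0o700`, so that the hardening fails closed. The directory is also created with default permissions and only then chmod-ed; passing the mode at creation closes that window: `try FileManager().createDirectory(at: url, withIntermediateDirectories: true, attributes: [.posixPermissions: self.secureStateDirPermissions])`, keeping the `setAttributes` call for a directory that already exists. Nothing visible in this hunk confirms that the path is a real directory owned by the current user rather than a symlink, so that check is worth adding if it is not done elsewhere. In the second hunk, the existing `createDirectory(at: url.deletingLastPathComponent(), …)` call appears to be redundant now, since `fileURL()` places the file directly under `OpenClawPaths.stateDirURL`.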