github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-19 04:17:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(security): clarify gateway-node trust boundary in docs

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 01:35:40 +00:00
parent 1f81677093
commit f0f886ecc4
4 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/tools/exec-approvals.md
View File

@@ -25,6 +25,12 @@ Exec approvals are enforced locally on the execution host:
- **gateway host** → `openclaw` process on the gateway machine
- **node host** → node runner (macOS companion app or headless node host)
Trust model note:
- Gateway-authenticated callers are trusted operators for that Gateway.
- Paired nodes extend that trusted operator capability onto the node host.
- Exec approvals reduce accidental execution risk, but are not a per-user auth boundary.
macOS split:
- **node host service** forwards `system.run` to the **macOS app** over local IPC.
@@ -119,6 +125,12 @@ When **Auto-allow skill CLIs** is enabled, executables referenced by known skill
are treated as allowlisted on nodes (macOS node or headless node host). This uses
`skills.bins` over the Gateway RPC to fetch the skill bin list. Disable this if you want strict manual allowlists.
Important trust notes:
- This is an **implicit convenience allowlist**, separate from manual path allowlist entries.
- It is intended for trusted operator environments where Gateway and node are in the same trust boundary.
- If you require strict explicit trust, keep `autoAllowSkills: false` and use manual path allowlist entries only.
## Safe bins (stdin-only)
`tools.exec.safeBins` defines a small list of **stdin-only** binaries (for example `jq`)

5
docs/tools/exec.md
View File

@@ -122,12 +122,15 @@ running after `tools.exec.approvalRunningNoticeMs`, a single `Exec running` noti
## Allowlist + safe bins
Allowlist enforcement matches **resolved binary paths only** (no basename matches). When
Manual allowlist enforcement matches **resolved binary paths only** (no basename matches). When
`security=allowlist`, shell commands are auto-allowed only if every pipeline segment is
allowlisted or a safe bin. Chaining (`;`, `&&`, `||`) and redirections are rejected in
allowlist mode unless every top-level segment satisfies the allowlist (including safe bins).
Redirections remain unsupported.
`autoAllowSkills` is a separate convenience path in exec approvals. It is not the same as
manual path allowlist entries. For strict explicit trust, keep `autoAllowSkills` disabled.
Use the two controls for different jobs:
- `tools.exec.safeBins`: small, stdin-only stream filters.