[Feature]: Path-scoped RWX permissions for exec and file tools

[subrih]

Summary

Replace the binary-level exec allowlist with a path-keyed RWX permission map so agents
inherit read/write/execute rights from the target path, not from which binary is running —
identical in spirit to Unix DAC.

Problem to solve

Today, allowing /bin/ls on ~/workspace also allows /bin/ls on ~/.openclaw and
~/.ssh. There is no way to scope execution by path. The only guardrail is SOUL.md prompt
instructions — which are not enforcement. As documented in #12202, model compliance varies
across providers and A2A requests can silently bypass user-facing refusals.

This is especially acute in single-OS-user setups (gateway + agent sharing the same
account) where the tool execution layer is the only practical enforcement boundary.

Proposed solution

Replace the binary-level allowlist with a path-keyed RWX permission map. The binary is
irrelevant; what matters is what operations are permitted on a given path:

"permissions": {
  "filesystem": {
    "rules": {
      "~/workspace/**":       "rw-",
      "~/workspace/bin/**":   "r-x",
      "~/documents/**":       "rw-",
      "/tmp/openclaw/**":     "rwx"
    },
    "deny": [
      "~/.openclaw/**",
      "~/.ssh/**",
      "~/.gnupg/**"
    ],
    "default": "---"
  }
}

Permission bits:

• r — agent may read the path (file tools: read; exec: cat, grep, ls, find, etc.)
• w — agent may write/modify the path (file tools: write, edit; exec: cp, mv, rm, etc.)
• x — agent may execute files at this path (exec tool only)
• - — deny that operation

Evaluation logic:

1. For any tool invocation (read, write, edit, exec), extract the target path(s)
2. Find the most specific matching rule (longest glob wins)
3. Check the required permission bit for the operation type
4. If the bit is -, or the path matches a deny entry → block before execution
5. deny always wins over rules on conflict
6. Unmatched paths fall through to default (recommended: ---)

This applies uniformly across file tools and exec — no special-casing per binary.

Alternatives considered

A binary-scoped model (e.g. "allow /bin/cat on these paths") is incomplete:

• It requires enumerating every binary that could touch a path
• Shell builtins, aliases, and piped commands make binary extraction unreliable
• The path is the resource being protected — that's where the policy belongs

Path-keyed RWX is simpler to reason about, simpler to configure, and matches the mental
model operators already have from Unix.

Impact

Affected: All single-OS-user gateway+agent deployments (the recommended/default setup)
Severity: Blocks meaningful security hardening — there is currently no reliable way to
restrict which paths an agent can touch via exec
Frequency: Constant — every exec invocation operates under an all-or-nothing binary allowlist
Consequence: Agents with exec access to any binary can reach sensitive paths
(~/.openclaw, ~/.ssh, credentials/) — the only mitigation today is prompt instructions,
which are demonstrably unreliable across model providers and invisible to A2A callers

Evidence/examples

Example 1 — Allow most system binaries but restrict specific ones:

"permissions": {
  "filesystem": {
    "rules": {
      "/usr/bin/**":          "r-x",
      "/usr/bin/grep":        "r--",
      "/usr/bin/curl":        "---",
      "~/workspace/**":       "rw-",
      "~/workspace/bin/**":   "r-x"
    },
    "deny": ["~/.ssh/**", "~/.openclaw/**"],
    "default": "---"
  }
}

/usr/bin/ls → r-x (inherits wildcard)
/usr/bin/grep → r-- (readable, not executable — more specific rule wins)
/usr/bin/curl → --- (explicitly locked out)
~/.ssh/id_rsa → blocked (deny wins over everything)

Example 2 — Read-only agent:

"rules": {
  "~/workspace/**":   "r--",
  "~/documents/**":   "r--",
  "/usr/bin/**":      "r-x"
},
"default": "---"

Example 3 — Locked-down agent with single writable scratch dir:

"rules": {
  "~/workspace/**":         "r--",
  "~/workspace/scratch/**": "rwx",
  "/usr/bin/**":            "r-x",
  "/usr/bin/curl":          "---",
  "/usr/bin/wget":          "---"
},
"deny": ["~/.openclaw/**", "~/.ssh/**", "~/.gnupg/**"],
"default": "---"

Precedence:

1. deny list — always blocks, no override
2. Most specific rules match — longest glob wins
3. Wildcard rules match — fallback within rules
4. default — catch-all (recommend ---)

Related: #12202, #513, #9348, #7284

Additional information

The path extraction approach prototyped in #12202 for file tools could be reused here for
the exec surface. The key extension is evaluating the extracted paths against the RWX
permission map rather than a simple allowlist/denylist.

Must remain backward-compatible with existing exec allowlist config keys.

[subrih]

One concrete symptom of this gap: users running security-conscious single-OS-user setups end up reaching for Docker sandbox mode not because they want container isolation, but because exec-approvals are too coarse to trust on the host (or too painful to manage - approve "ls", approve "grep" etc.). The container becomes a substitute for path policy — which is the wrong layer for it, and comes with real operational overhead.

Path-scoped RWX would make host: "gateway" viable for these deployments and eliminate the incentive to use Docker as a blunt workaround for what is fundamentally a permissions problem.

[subrih]

I have a working implementation ready if there's appetite for a PR. Quick summary of where it landed vs. the original proposal:

• Config location: sidecar file (~/.openclaw/access-policy.json) rather than inline in openclaw.json - keeps the main config clean and allows per-agent blocks without bloating global config.
• Additive, not a replacement: path-level RWX checks layer on top of the existing exec allowlist - fully backward-compatible, zero behavior change for users without the sidecar file (except a warning in gateway.log).
• Two enforcement layers: tool-level checks (read/write/edit/exec tools) + macOS sandbox-exec (seatbelt) profile generation for OS-level exec enforcement. Linux bwrap path also wired up.
• Per-agent overrides: agents can narrow (but not widen) the default deny list.
• Unit tests included.

The sidecar format — base apply to all agents, named agent blocks narrow further. 'deny' is additive. 'agents' blocks can only extend it, never remove entries:

{
  "version": 1,
  "base": {
    "rules": {
      "/**":    "r--",
      "/tmp/":  "rwx",
      "~/":     "rw-",
      "~/dev/": "rwx",
      "~/.openclaw/": "r--"
    },
    "deny": ["~/.ssh/", "~/.aws/", "~/.openclaw/access-policy.json", "~/.openclaw/exec-approvals.json"],
    "default": "---"
  },
  "agents": {
    "myagent": { "rules": { "~/private/": "rw-" } },
    "operator": { "rules": { "~/.openclaw/**": "rw-", "~/private/": "r--" } }
  }
}

Happy to open a draft PR if the approach looks reasonable.

[jlwestsr]

The two-layer approach is the right call — bwrap/seatbelt at the OS level catches what the tool-layer can't statically analyze, and the schema design (deny-additive, agents can only narrow) is the correct trust hierarchy for a multi-agent environment.

A few things worth thinking through before opening the draft PR:

Glob-to-mount-point derivation at exec time (bwrap-specific)

The path rules are glob patterns (~/dev/**, /tmp/). At exec-call time, bwrap needs a concrete bind-mount list — not globs. The derivation pass has to:

1. Expand ~ to the actual home dir for the invoking user
2. Enumerate existing directories that match each allow pattern (at call time, not startup)
3. Decide what to do with patterns that don't resolve to existing paths (fail open? fail closed? skip?)

A rule like "~/dev/": "rwx" is straightforward. But "~/workspace/**": "rw-" at depth means bwrap gets a bind list that was accurate when the call started but may not cover paths the subprocess creates during execution. The common case (fixed project directories) is fine. The edge case (scripts that create their own temp directories and then write sensitive data there) is worth documenting as an explicit out-of-scope.

Seatbelt symlink handling (macOS)

macOS sandbox profiles evaluate paths before symlink resolution in some contexts. A profile allowing ~/workspace/scratch read/write doesn't automatically allow the resolved target if scratch is a symlink outside the allowed tree. The deny list (~/.ssh/, ~/.aws/) is the more important case: ln -s ~/.ssh/id_rsa ~/workspace/scratch/k in an allowed path, then cat ~/workspace/scratch/k via a tool call, may pass the profile check depending on how the seatbelt rule is written. Worth an explicit test case in the unit suite.

A2A trust scope (your original issue + the schema)

The "agents can only narrow" constraint in the schema is exactly right for intra-config overrides. But the gap is cross-agent at runtime: an orchestrator agent running with ~/workspace/** rwx can invoke a subagent — the subagent's access-policy entry narrows it, but does the orchestrator's tool invocation on behalf of the subagent bypass the subagent's block? The MCP A2A spec doesn't define this. A conservative answer: subagent-initiated tool calls use the subagent's block, orchestrator-delegated calls use the orchestrator's block (with no automatic narrowing). The agents block should probably add an explicit delegation field (inherit | restrict | deny) with a safe default.

Pre-init capability declaration (complementary, not in scope)

The per-call enforcement is the right place to block. A useful companion: allowing an agent to declare its required paths at init time — before any tool call — so the user sees the full scope footprint before approving. The schema already has the right shape for this (the agents block maps to agent identity). That's a separate issue, but path-RWX is the prerequisite.

The bwrap+seatbelt two-layer design is genuinely the right architecture here. Happy to see the draft PR — the file-tool layer is probably clean, and the unit tests will tell you quickly where the bwrap bind-list derivation needs hardening.

[subrih]

@jlwestsr — thanks for the thorough review, really appreciated the specificity. Addressed everything before opening the draft:

Glob-to-mount-point (bwrap): The implementation strips trailing wildcards to get the concrete path prefix and uses --bind-try/--ro-bind-try on the directory tree, so runtime-created subdirectories are covered. I did find a real bug in reviewing this: Object.entries() order could cause a broad rw bind to emit after a narrow ro bind, wiping out the restriction. Fixed by sorting rule entries by concrete path length ascending before emitting bwrap args, so broader mounts always come first. Test case added that deliberately reverses insertion order to prove the sort is what fixes it.

Seatbelt symlink handling: Confirmed working — QA tested symlinks in allowed paths pointing to denied targets and they're blocked at the syscall level (seatbelt evaluates the resolved path). Added explicit unit test coverage for: deny-list target via symlink, restrictive-rule subdir via symlink, and the resolved-path vs symlink-source policy divergence.

A2A trust scope: Documented as a known limitation. Standard subagent spawning is handled correctly (subagent's own policy block governs). Cross-agent MCP tool delegation uses the calling agent's identity — no automatic narrowing. Flagged the delegation: inherit|restrict|deny field as a follow-up issue.

No approval flow: Documented explicitly. Fail-closed for now; interactive on-miss semantics mirroring exec-approvals is Phase 2.

Draft PR: #42653

[subrih]

One thing I didn't explicitly address in my earlier reply: the pre-init capability declaration point. Agreed it's the natural Phase 2 companion — an agent declaring its required path scope at init time, before any tool call, so the user can review the full footprint upfront rather than hitting per-call denials. The agents block already maps to agent identity, so the schema is already the right shape for it.

Tracking it as a follow-up; path-RWX enforcement in #42653 is the prerequisite layer it would build on.

[subrih]

@jlwestsr — one more thing worth your perspective while #42653 is in review.

A natural extension of the path-RWX layer is per-script execution policy overrides. The idea: trusted scripts that need more access than the agent's base policy (or should be locked down further) can have an override entry keyed by their absolute resolved path (argv[0] after symlink resolution):

{
  "version": 1,
  "base": { "rules": { "/**": "r--", "/tmp/**": "rw-" }, "deny": ["~/.ssh/**"], "default": "---" },
  "agents": {
    "myagent": {
      "rules": { "~/workspace/**": "rwx" },
      "scripts": {
        "/path/to/read-secrets.py": {
          "sha256": "abc123...",
          "rules": { "~/.openclaw/credentials/": "r--" }
        },
        "/path/to/locked-down.sh": {
          "rules": { "/tmp/**": "r--" },
          "deny": ["~/.ssh/**"]
        }
      }
    }
  }
}

Key design decisions made:

argv[0]-only matching — no interpreter parsing, no flag scanning. If a script needs elevation, make it executable and invoke it directly (exec /path/to/script.py). node script.js matches node, not the script — that's intentional. Eliminates argv injection attacks entirely.

sha256 verification — optional but recommended for elevation. Prevents script swap attacks where an agent modifies the script before invoking it.

Seatbelt/bwrap coverage — the grant applies at the OS level to the entire subprocess tree of the wrapped command. A script spawning keychain-exec as a child gets the same grant. That's correct behavior.

scripts block stripped from result — the overlay doesn't bleed into future unrelated exec calls in the same agent turn. Each exec gets a fresh policy lookup.

Scope stays per-agent — pulling scripts to the top level would lose agent identity as a dimension. Shared overrides across agents go through agents["*"] as the shared middle layer.

Curious whether the argv[0]-only constraint feels too restrictive in practice, or whether the sha256 approach is the right mitigation for script swap vs. something lighter (mtime + inode?). Also open to pushback on the design if there's a cleaner seam for this.

Note: while I have a working code base for this extension this is not included in the current PR. Just needed your opinion on the approach for now.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 13, 2026, 8:52 AM ET / 12:52 UTC.

Summary
Keep open: current main and v2026.6.6 still provide binary-scoped exec approvals plus workspace-only filesystem guards, not the requested path-keyed RWX policy; the attempted implementation PRs are closed unmerged after security-review concerns, and a later duplicate points back to this issue as the canonical path-scoped policy thread.

Reproducibility: not applicable. as a bug reproduction, but source inspection gives a high-confidence current-state check: OpenClaw has binary exec approvals and workspace-only filesystem guards, not path-scoped RWX enforcement.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
Manual security/product review is needed because the remaining work defines a new config and authorization boundary rather than a narrow repair.

Security
Needs attention: The issue is security-sensitive because it proposes a new filesystem and exec authorization boundary that must be threat-modeled before implementation.

Review details

Best possible solution:

Define an owner-reviewed security design, then implement one canonical path policy contract with compatibility, docs, doctor validation, canonical path handling, file-tool and exec enforcement, and regression tests for known bypass classes.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction, but source inspection gives a high-confidence current-state check: OpenClaw has binary exec approvals and workspace-only filesystem guards, not path-scoped RWX enforcement.

Is this the best way to solve the issue?

Unclear as an implementation shape: the security direction is aligned, but the exact config location, compatibility plan, canonicalization rules, and OS enforcement guarantees need maintainer security/product design before code is safe to land.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A path-RWX policy becomes a real authorization boundary, so symlink canonicalization, interpreter inline execution, shell operand extraction, apply_patch read/write semantics, and OS-layer fallback behavior need explicit threat review.
• The requested config surface must preserve existing exec approvals and needs schema, docs, validation, and doctor or migration decisions before runtime expectations change.
• Cross-platform enforcement parity across macOS, Linux with and without bwrap, Windows, sandbox, gateway-host, node-host, and A2A delegation remains unresolved.

Codex review notes: model internal, reasoning high; reviewed against 4c23d1d5978e.

Label changes

Label changes:

• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.

Label justifications:

• P2: This is important host tool-execution hardening, but it is a planned feature/design item rather than an urgent regression or outage.
• impact:security: The issue directly concerns filesystem authorization, exec containment, sensitive paths, and sandbox/tool security boundaries.

Evidence reviewed

Security concerns:

• [high] Design the RWX policy as a real authorization boundary
  The requested feature would decide which paths agents may read, write, and execute, so maintainers need explicit guarantees for canonical paths, symlink handling, interpreter and shell bypasses, and OS-level fallback behavior.
  Confidence: 0.94
• [medium] Preserve compatibility for existing exec approvals — src/infra/exec-approvals.ts:243
  The issue requires backward compatibility with current exec allowlist keys, so any implementation needs an upgrade, validation, and documentation plan before adding or moving policy state.
  Confidence: 0.9

What I checked:

• current exec approvals are allowlist-scoped: ExecApprovalsAgent and ExecApprovalsResolved carry exec defaults plus allowlist entries, with no filesystem rules, deny list, default permission, or RWX map. (src/infra/exec-approvals.ts:243, 4c23d1d5978e)
• current config has no path-RWX surface: ExecToolConfig contains host/mode/security/safe-bin/apply_patch settings, and FsToolsConfig contains only workspaceOnly for filesystem tools. (src/config/types.tools.ts:314, 4c23d1d5978e)
• current filesystem policy is workspace-only: ToolFsPolicy is only { workspaceOnly: boolean }, and createToolFsPolicy only resolves that single boolean. (src/agents/tool-fs-policy.types.ts:1, 4c23d1d5978e)
• tool construction does not pass RWX policy: createOpenClawCodingTools resolves fsPolicy from workspaceOnly and wires exec config separately; exec creation receives no filesystem permission map. (src/agents/agent-tools.ts:703, 4c23d1d5978e)
• docs describe the remaining exec/file boundary gap: The exec docs state exec can mutate wherever the selected host or sandbox filesystem permits, and HTTP tool docs warn that denying write/edit/apply_patch does not make exec read-only. Public docs: docs/tools/exec.md. (docs/tools/exec.md:9, 4c23d1d5978e)
• latest release has same unresolved shape: v2026.6.6 still has the same ExecToolConfig/FsToolsConfig and ToolFsPolicy shapes, so the requested path-RWX contract is not shipped in the latest release. (src/config/types.tools.ts:314, 8c802aa68351)

Likely related people:

• steipete: Commit history shows Peter Steinberger introduced the exec host approvals flow and optional workspace-only filesystem guards, both central current surfaces for this request. (role: exec approval and filesystem guard introducer; confidence: high; commits: efdb33c97587, 5e7c3250cb16, 61718d2da55d; files: src/infra/exec-approvals.ts, src/agents/tool-fs-policy.ts, src/agents/agent-tools.ts)
• vincentkoc: Recent commits extracted exec approval allowlist types and repaired remote approval behavior, adjacent to the compatibility boundary this issue must preserve. (role: recent exec approval/config contributor; confidence: medium; commits: d9a3ecd109ee, 2d53ffdec1da; files: src/infra/exec-approvals.ts, src/config/types.tools.ts, src/agents/bash-tools.exec-host-gateway.ts)
• gumadeiras: Recent merged work unified effective exec approval policy reporting and fixed policy-source attribution, which are adjacent to any new authorization policy reporting surface. (role: exec approval lifecycle contributor; confidence: medium; commits: ba735d015809, f69570f82020; files: src/infra/exec-approvals.ts, src/agents/bash-tools.exec-host-gateway.ts)
• amknight: Recent security work changed tool policy and root-expansion behavior in tool-fs-policy, close to the path-scoping and tool exposure decisions here. (role: recent tool policy hardening contributor; confidence: medium; commits: 4aa08e9d7946; files: src/agents/tool-fs-policy.ts, src/agents/pi-tools.policy.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.