Files
2026-07-13 13:16:30 +08:00

69 lines
3.1 KiB
Markdown

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
## Reporting a Vulnerability
**Please do NOT open a public GitHub issue for security vulnerabilities.**
Instead, please report them responsibly:
1. **GitHub**: Use [GitHub Security Advisories](https://github.com/AidanPark/openclaw-android/security/advisories/new)
### What to Include
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)
### Response Timeline
- **Acknowledgment**: Within 48 hours
- **Assessment**: Within 1 week
- **Fix**: Within 2 weeks for critical issues
## Security Architecture
OpenClaw on Android runs standard Linux binaries on Android without proot-distro. The security model is shaped by this unique execution environment.
### Execution Isolation
```
┌─────────────────────────────────────────────┐
│ Android Kernel (SELinux enforced) │
│ ┌─────────────────────────────────────────┐ │
│ │ Termux sandbox (/data/data/com.termux) │ │
│ │ ┌─────────────────────────────────────┐ │ │
│ │ │ glibc-runner (ld.so userspace only) │ │ │
│ │ │ Node.js → OpenClaw │ │ │
│ │ └─────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────┘ │
└─────────────────────────────────────────────┘
```
### Isolation Layers
1. **Android app sandbox** — Termux runs in its own Linux user namespace; no access to other app data
2. **SELinux** — Android's mandatory access control applies to all Termux processes
3. **No root required** — The entire stack runs as a regular unprivileged user
4. **No proot** — No filesystem translation layer; glibc-runner provides only the dynamic linker
5. **Path conversion** — Standard Linux paths (`/tmp`, `/bin/sh`) are mapped to Termux equivalents at install time, not at runtime via syscall interception
### What We Protect Against
- Unauthorized access to Android system or other app data (enforced by Android sandbox)
- Arbitrary code execution outside Termux (prevented by SELinux + app sandbox)
- Path traversal from Termux into Android system paths (Termux prefix isolation)
### What Is Out of Scope
- Vulnerabilities in OpenClaw core (report to [OpenClaw upstream](https://github.com/openclaw/openclaw))
- Vulnerabilities in Termux (report to [Termux](https://github.com/termux/termux-app))
- Vulnerabilities in glibc-runner (report to [termux-pacman](https://github.com/AidanPark/openclaw-android))
- Device-level security (rooted devices, unlocked bootloaders)