69 lines
3.1 KiB
Markdown
69 lines
3.1 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 1.0.x | :white_check_mark: |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Please do NOT open a public GitHub issue for security vulnerabilities.**
|
|
|
|
Instead, please report them responsibly:
|
|
|
|
1. **GitHub**: Use [GitHub Security Advisories](https://github.com/AidanPark/openclaw-android/security/advisories/new)
|
|
|
|
### What to Include
|
|
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Impact assessment
|
|
- Suggested fix (if any)
|
|
|
|
### Response Timeline
|
|
|
|
- **Acknowledgment**: Within 48 hours
|
|
- **Assessment**: Within 1 week
|
|
- **Fix**: Within 2 weeks for critical issues
|
|
|
|
## Security Architecture
|
|
|
|
OpenClaw on Android runs standard Linux binaries on Android without proot-distro. The security model is shaped by this unique execution environment.
|
|
|
|
### Execution Isolation
|
|
|
|
```
|
|
┌─────────────────────────────────────────────┐
|
|
│ Android Kernel (SELinux enforced) │
|
|
│ ┌─────────────────────────────────────────┐ │
|
|
│ │ Termux sandbox (/data/data/com.termux) │ │
|
|
│ │ ┌─────────────────────────────────────┐ │ │
|
|
│ │ │ glibc-runner (ld.so userspace only) │ │ │
|
|
│ │ │ Node.js → OpenClaw │ │ │
|
|
│ │ └─────────────────────────────────────┘ │ │
|
|
│ └─────────────────────────────────────────┘ │
|
|
└─────────────────────────────────────────────┘
|
|
```
|
|
|
|
### Isolation Layers
|
|
|
|
1. **Android app sandbox** — Termux runs in its own Linux user namespace; no access to other app data
|
|
2. **SELinux** — Android's mandatory access control applies to all Termux processes
|
|
3. **No root required** — The entire stack runs as a regular unprivileged user
|
|
4. **No proot** — No filesystem translation layer; glibc-runner provides only the dynamic linker
|
|
5. **Path conversion** — Standard Linux paths (`/tmp`, `/bin/sh`) are mapped to Termux equivalents at install time, not at runtime via syscall interception
|
|
|
|
### What We Protect Against
|
|
|
|
- Unauthorized access to Android system or other app data (enforced by Android sandbox)
|
|
- Arbitrary code execution outside Termux (prevented by SELinux + app sandbox)
|
|
- Path traversal from Termux into Android system paths (Termux prefix isolation)
|
|
|
|
### What Is Out of Scope
|
|
|
|
- Vulnerabilities in OpenClaw core (report to [OpenClaw upstream](https://github.com/openclaw/openclaw))
|
|
- Vulnerabilities in Termux (report to [Termux](https://github.com/termux/termux-app))
|
|
- Vulnerabilities in glibc-runner (report to [termux-pacman](https://github.com/AidanPark/openclaw-android))
|
|
- Device-level security (rooted devices, unlocked bootloaders)
|