docs/fix: remove domain blocking hacks on macOS and add dashboard warning

leos565 · leos565 · commit 3ca2e5338a90 · 2026-02-25T22:04:10.000+02:00
diff --git a/builder/compiler.py b/builder/compiler.py
@@ -146,10 +146,10 @@ def compile_macos_seatbelt(rules: dict[str, Any]) -> str:
                     )
 
     # Seatbelt does not support hostname-based filters; domain blocking is
-    # enforced at the application layer by log_tailer.py / openclaw wrapper.
+    # currently unsupported on macOS (no kernel-level hostname enforcement).
     blocked_domains = rules.get("blocked_domains", {})
     if blocked_domains:
-        lines.append(";;; --- Blocked domains (enforced by log_tailer.py, not kernel-level) ---")
+        lines.append(";;; --- Blocked domains (Unsupported on macOS) ---")
         for rule_id, domain in blocked_domains.items():
             lines.append(f';;;   [{rule_id}] {domain}')
 
diff --git a/deploy/dashboard/app.py b/deploy/dashboard/app.py
@@ -205,11 +205,22 @@ def _trigger_enforcement():
     def _run():
         if platform.system() == "Darwin":
             # Re-generate the Seatbelt profile and notify user
-            apply_script = os.path.join(os.path.dirname(__file__), "..", "apply_macos_policy.py")
-            if os.path.exists(apply_script):
+            # Try both the development layout and the installed flat layout
+            base_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
+            candidates = [
+                os.path.join(base_dir, "macos", "apply_macos_policy.py"),
+                os.path.join(base_dir, "apply_macos_policy.py"),
+            ]
+            apply_script = None
+            for c in candidates:
+                if os.path.exists(c):
+                    apply_script = c
+                    break
+            
+            if apply_script:
                 try:
                     subprocess.run(["python3", apply_script], check=True, capture_output=True)
-                    logger.info("Triggered macOS policy applicator")
+                    logger.info("Triggered macOS policy applicator: %s", apply_script)
                 except subprocess.CalledProcessError as e:
                     logger.error("Failed to apply macOS policy: %s", e.stderr.decode() if e.stderr else str(e))
         else:
diff --git a/deploy/dashboard/templates/index.html b/deploy/dashboard/templates/index.html
@@ -1286,7 +1286,14 @@ <h2 id="modalTitle">Add Custom Rule</h2>
                                         d="M12 2a15.3 15.3 0 0 1 4 10 15.3 15.3 0 0 1-4 10 15.3 15.3 0 0 1-4-10 15.3 15.3 0 0 1 4-10z">
                                     </path>
                                 </svg></div>
-                            <div class="type-name">Domain/IP</div>
+                            <div class="type-name">Domain/IP <svg width="14" height="14" viewBox="0 0 24 24" fill="none"
+                                    stroke="currentColor" stroke-width="2"
+                                    style="display:inline; margin-left:4px; opacity:0.6;"
+                                    title="Supported on Linux (eBPF). Not supported on macOS kernel.">
+                                    <circle cx="12" cy="12" r="10"></circle>
+                                    <line x1="12" y1="16" x2="12" y2="12"></line>
+                                    <line x1="12" y1="8" x2="12.01" y2="8"></line>
+                                </svg></div>
                         </div>
                         <div class="type-card" data-type="hash" onclick="selectType('hash')">
                             <div class="type-icon"><svg width="24" height="24" viewBox="0 0 24 24" fill="none"
@@ -1322,6 +1329,20 @@ <h2 id="modalTitle">Add Custom Rule</h2>
                     <div class="form-hint" id="ruleHint">Select a rule type above</div>
                     <div class="form-error" id="ruleError"></div>
                 </div>
+                <div class="form-group" id="macDomainWarning" style="display:none; margin-top:12px;">
+                    <div
+                        style="background: rgba(255, 171, 0, 0.1); border-left: 4px solid #ffab00; padding: 12px; border-radius: 4px; display:flex; gap:12px; align-items:center;">
+                        <svg width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="#ffab00" stroke-width="2">
+                            <circle cx="12" cy="12" r="10"></circle>
+                            <line x1="12" y1="8" x2="12" y2="12"></line>
+                            <line x1="12" y1="16" x2="12.01" y2="16"></line>
+                        </svg>
+                        <div style="color: #ffab00; font-size: 13px; font-weight: 500;">
+                            Domain blocking is currently only supported on Linux (eBPF). macOS Seatbelt sandboxing
+                            limitation prevents kernel-level hostname enforcement.
+                        </div>
+                    </div>
+                </div>
                 <div class="form-group">
                     <label class="form-label" for="rulePlatform">Platform</label>
                     <select class="form-select" id="rulePlatform">
@@ -1627,6 +1648,7 @@ <h2 id="modalTitle">Add Custom Rule</h2>
             const sel = document.querySelector(`.type-card[data-type="${rule.type}"]`);
             if (sel) { sel.style.opacity = '1'; }
             document.getElementById('ruleHint').textContent = TYPE_HINTS[rule.type] || '';
+            document.getElementById('macDomainWarning').style.display = (rule.type === 'domain') ? 'block' : 'none';
             document.getElementById('ruleModal').classList.add('open');
         }
 
@@ -1639,6 +1661,7 @@ <h2 id="modalTitle">Add Custom Rule</h2>
             document.getElementById('ruleHint').textContent = TYPE_HINTS[type] || '';
             document.getElementById('ruleError').classList.remove('visible');
             document.getElementById('ruleValue').placeholder = TYPE_HINTS[type] || 'Enter value...';
+            document.getElementById('macDomainWarning').style.display = (type === 'domain') ? 'block' : 'none';
             document.getElementById('ruleValue').focus();
         }
 
diff --git a/deploy/install.sh b/deploy/install.sh
@@ -359,7 +359,7 @@ INNER
         if [ ! -e "$path" ]; then return 0; fi
         log "Installing ClawEDR wrapper at $path"
         rm -f "$path"
-        cat > "$path" <<'WRAPPER'
+cat > "$path" <<'WRAPPER'
 #!/usr/bin/env sh
 # openclaw — ClawEDR Zero-Habit Hijack wrapper (macOS)
 CLAWEDR_SB="/usr/local/share/clawedr/clawedr.sb"
diff --git a/deploy/linux/monitor.py b/deploy/linux/monitor.py
@@ -413,8 +413,6 @@ def apply_policy(policy: dict) -> None:
 
             if rtype == "executable":
                 policy.setdefault("blocked_executables", {})[rid] = val
-            elif rtype == "domain":
-                policy.setdefault("blocked_domains", {})[rid] = val
             elif rtype == "hash":
                 policy.setdefault("malicious_hashes", {})[rid] = val.removeprefix("sha256:")
             elif rtype == "path":
diff --git a/deploy/macos/apply_macos_policy.py b/deploy/macos/apply_macos_policy.py
@@ -87,16 +87,6 @@ def generate_seatbelt(policy: dict, exempted: set[str]) -> str:
                         f'(deny process-exec (literal "{prefix}{name}"))'
                     )
 
-    # ── Blocked domains (comment-only, enforced by log_tailer.py) ──
-    blocked_domains = policy.get("blocked_domains", {})
-    if blocked_domains:
-        lines.append(";;; --- Blocked domains (enforced by log_tailer.py, not kernel-level) ---")
-        for rule_id, domain in blocked_domains.items():
-            if rule_id in exempted:
-                lines.append(f";;;   [{rule_id}] EXEMPTED by user: {domain}")
-            else:
-                lines.append(f";;;   [{rule_id}] {domain}")
-
     # ── Custom deny rules ──
     custom_rules = policy.get("deny_rules", {}).get("macos", {})
     if custom_rules:
@@ -171,8 +161,6 @@ def main() -> int:
 
             if rtype == "executable":
                 policy.setdefault("blocked_executables", {})[rid] = val
-            elif rtype == "domain":
-                policy.setdefault("blocked_domains", {})[rid] = val
             elif rtype == "path":
                 policy.setdefault("blocked_paths", {}).setdefault("macos", {})[rid] = val
             elif rtype == "argument":
diff --git a/deploy/macos/clawedr.sb b/deploy/macos/clawedr.sb
@@ -224,7 +224,7 @@
 (deny process-exec (literal "/usr/local/bin/ptrace"))
 (deny process-exec (literal "/opt/homebrew/bin/ptrace"))
 (deny process-exec (literal "/opt/local/bin/ptrace"))
-;;; --- Blocked domains (enforced by log_tailer.py, not kernel-level) ---
+;;; --- Blocked domains (Unsupported on macOS) ---
 ;;;   [DOM-001] pool.supportxmr.com
 ;;;   [DOM-002] pool.minexmr.com
 ;;;   [DOM-003] xmr.pool.minergate.com
diff --git a/deploy/macos/log_tailer.py b/deploy/macos/log_tailer.py
@@ -64,10 +64,6 @@ def _load_policy_rule_index() -> dict:
                 
             if rtype == "executable":
                 policy.setdefault("blocked_executables", {})[rid] = val
-            elif rtype == "domain":
-                policy.setdefault("blocked_domains", {})[rid] = val
-            elif rtype == "path":
-                policy.setdefault("blocked_paths", {}).setdefault("macos", {})[rid] = val
             elif rtype == "argument":
                 policy.setdefault("deny_rules", {}).setdefault("macos", {})[rid] = val
                 
@@ -146,6 +142,7 @@ def tail_sandbox_log():
                             if isinstance(directive, str) and target in directive:
                                 rule_id = rid
                                 break
+                    
 
                     # Discard system-wide sandbox noise that isn't ours
                     if not rule_id:
