@Baughn Baughn commented Dec 1, 2025

Implements Linux Landlock sandboxing to restrict filesystem access when ComfyUI is running. This provides defense-in-depth against malicious custom nodes or workflows that attempt to access sensitive files.

The sandbox is disabled by default, and (at least at the moment) is likely to cause some problems if enabled, but should work fine in most cases. Any such problems can generally be fixed by adding to the default read or write-access list. Since this is a whitelist, not a blacklist, I kind of expect the flag to be a source of bug reports for a while.

I tested this by writing a custom module that attempts to scrape my bookmarks from Firefox, delete my .bash_history, and launch Nethack. None of it worked.

Limitations:

  • This commit does not attempt to limit network access, though doing so is possible.
  • I'm not landlocking quite early enough, so some pycache directories get created. This indicates that code run at import time could break the sandbox. I'm not sure what the right spot is, but "as early in startup as possible" seems like a good idea; ideally that would be from a launcher.py that does not import anything else.

How it works:

  • Uses Linux Landlock LSM (kernel 5.13+) via direct syscalls. (I couldn't find a library which is both decent quality and currently maintained, and the Linux syscall ABI is guaranteed not to change.)
  • Restricts write access to specific directories (output, input, temp, user)
  • Restricts read access to only what's needed (codebase, models, system libs)
  • Handles ABI versions 1-5, including IOCTL_DEV for GPU access on v5+
  • Exits with error if --enable-landlock is set but Landlock unavailable

Issues expected:

  • AMD or Intel-based systems haven't been tested.
  • Or non-NixOS, although I expect that will work fine.
  • Some custom modules expect to write to their codebase, e.g. because they store config files there. RES4LYF, for instance, currently fails to load. I could give it write access to itself, but that doesn't belong in the defaults.
  • The sandbox will certainly stop ComfyUI-Manager from working.

Write access granted to:

  • ComfyUI output, input, temp, and user directories
  • System temp directory (for torch/backends)
  • SQLite database directory (if configured)
  • Paths specified via --landlock-allow-writable

Read access granted to:

  • ComfyUI codebase directory
  • All configured model directories (including extra_model_paths.yaml)
  • Python installation and site-packages
  • System libraries (/usr, /lib, /lib64, /opt, /etc, /proc, /sys)
  • /nix (on NixOS systems)
  • /dev (with ioctl for GPU access)
  • Paths specified via --landlock-allow-readable

Usage:
  python main.py --enable-landlock
  python main.py --enable-landlock --landlock-allow-writable /extra/dir --landlock-allow-readable ~/.cache/huggingface

Requirements:

  • Linux with kernel 5.13+ (fails with error on unsupported systems)

🤖 Generated with Claude Code
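
The mechanism described above (Landlock via direct syscalls, rights that depend on the ABI version, failing closed when unavailable), as an added example that is not the PR's code. `restrict`, `effective`, `handled_fs` and the `grants` mapping are hypothetical names; the syscall numbers and flag values are those of the kernel's `linux/landlock.h`.

```python
import ctypes, os, stat
# Constants from the Linux UAPI header linux/landlock.h and the syscall table.
SYS_CREATE_RULESET, SYS_ADD_RULE, SYS_RESTRICT_SELF = 444, 445, 446
CREATE_RULESET_VERSION, RULE_PATH_BENEATH, PR_SET_NO_NEW_PRIVS = 1, 1, 38
EXECUTE, WRITE_FILE, READ_FILE, READ_DIR = 1 << 0, 1 << 1, 1 << 2, 1 << 3
REFER, TRUNCATE, IOCTL_DEV = 1 << 13, 1 << 14, 1 << 15
FILE_ONLY = EXECUTE | WRITE_FILE | READ_FILE | TRUNCATE | IOCTL_DEV
READ = EXECUTE | READ_FILE | READ_DIR
WRITE, DEVICE = 0xFFFF, READ | WRITE_FILE | IOCTL_DEV  # WRITE = all rights up to v5
_libc = ctypes.CDLL(None, use_errno=True)

class PathBeneath(ctypes.Structure):
    _pack_ = 1  # kernel struct is packed: u64 allowed_access + s32 parent_fd
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]

def handled_fs(abi):
    """Filesystem rights known to an ABI version (v4 added only network rights)."""
    return 0x1FFF | (REFER if abi >= 2 else 0) | (TRUNCATE if abi >= 3 else 0) | (IOCTL_DEV if abi >= 5 else 0)

def effective(requested, abi, is_dir):
    """Clamp a rule to what add_rule accepts; unknown or dir-only bits give EINVAL."""
    rights = requested & handled_fs(abi)
    return rights if is_dir else rights & FILE_ONLY

def _call(fn, *args):
    """Call a variadic libc function with ints widened to long; raise on failure."""
    res = fn(*[ctypes.c_long(a) if isinstance(a, int) else a for a in args])
    if res < 0:
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
    return res

def abi_version():
    """Landlock ABI version; exits if the kernel lacks or has disabled Landlock."""
    try:
        return _call(_libc.syscall, SYS_CREATE_RULESET, None, 0, CREATE_RULESET_VERSION)
    except OSError as exc:
        raise SystemExit(f"Landlock requested but unavailable: {exc}")  # fail closed

def restrict(grants):
    """Irreversibly confine this process to {path: rights}; call before untrusted imports."""
    abi = abi_version()
    attr = ctypes.c_uint64(handled_fs(abi))  # handled_access_fs, first field of ruleset_attr
    ruleset = _call(_libc.syscall, SYS_CREATE_RULESET, ctypes.byref(attr), 8, 0)
    for path, rights in grants.items():
        fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
        rule = PathBeneath(effective(rights, abi, stat.S_ISDIR(os.fstat(fd).st_mode)), fd)
        _call(_libc.syscall, SYS_ADD_RULE, ruleset, RULE_PATH_BENEATH, ctypes.byref(rule), 0)
        os.close(fd)
    _call(_libc.prctl, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  # required without CAP_SYS_ADMIN
    _call(_libc.syscall, SYS_RESTRICT_SELF, ruleset, 0)
    os.close(ruleset)
```

`landlock_restrict_self` confines the calling thread and whatever it spawns afterwards, so a call such as `restrict({"/usr": READ, "/dev": DEVICE, "output": WRITE})` has to run before other threads are started.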

@Baughn Baughn requested a review from Kosinkadink as a code owner December 1, 2025 01:34
@Baughn Baughn force-pushed the landlock branch 2 times, most recently from 4ea4964 to 2c8e1e8 Compare December 1, 2025 01:46
Implements Linux Landlock sandboxing to restrict filesystem access when
ComfyUI is running. This provides defense-in-depth against malicious
custom nodes or workflows that attempt to access sensitive files.

How it works:
- Uses Linux Landlock LSM (kernel 5.13+) via direct syscalls
- Restricts write access to specific directories (output, input, temp, user)
- Restricts read access to only what's needed (codebase, models, system libs)
- Handles ABI versions 1-5, including IOCTL_DEV for GPU access on v5+
- Exits with error if --enable-landlock is set but Landlock unavailable

Write access granted to:
- ComfyUI output, input, temp, and user directories
- System temp directory (for torch/backends)
- SQLite database directory (if configured)
- Paths specified via --landlock-allow-writable

Read access granted to:
- ComfyUI codebase directory
- All configured model directories (including extra_model_paths.yaml)
- Python installation and site-packages
- System libraries (/usr, /lib, /lib64, /opt, /etc, /proc, /sys)
- /nix (on NixOS systems)
- /dev (with ioctl for GPU access)
- Paths specified via --landlock-allow-readable

Usage:
  python main.py --enable-landlock
  python main.py --enable-landlock --landlock-allow-writable /extra/dir
  python main.py --enable-landlock --landlock-allow-readable ~/.cache/huggingface

Requirements:
- Linux with kernel 5.13+ (fails with error on unsupported systems)
- Once enabled, restrictions cannot be lifted for the process lifetime
- Network access is not restricted (Landlock FS only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Baughn commented Dec 1, 2025

The presubmit error is from .ci/windows_amd_base_files/README_VERY_IMPORTANT.txt, which is quite unrelated. You might want to exclude it from the test.
