Add low integrity sandbox behind --enable-sandbox flag #8351
Conversation
deepanjanroy
requested review from
Kosinkadink,
christian-byrne,
comfyanonymous,
ltdrdata,
pythongosssss,
robinjhuang,
webfiltered and
yoland68
as code owners
deepanjanroy
force-pushed
the
in-process-sandbox
branch
from
5a8067e to
7fdb4b7
Compare
yoland68
added
Core
|
(Automated Bot Message) CI Tests are running, you can view the results at https://ci.comfy.org/?branch=8351%2Fmerge |
.ci/update_windows/update.py
Outdated
| pass | ||
|
|
||
|
|
||
| print("Copying windows base files") |
There was a problem hiding this comment.
This block should go in a separate PR.
There was a problem hiding this comment.
Done. Also note that I pulled the subprocess import to the top of the file - hope that's ok.
deepanjanroy
force-pushed
the
in-process-sandbox
branch
from
14d75bf to
fc47bd2
Compare
maludwig
left a comment
maludwig
left a comment
There was a problem hiding this comment.
I am unclear about the purpose of sandbox mode, but currently, it seems that if a custom node contained malicious code, it could overwrite the code of every other custom node by writing over the .py files. The permissions script will not work if there are spaces in the comfyui install path.
| LOW_INTEGRITY_SID_STRING = "S-1-16-4096" | ||
|
|
||
| # Use absolute path to prevent command injection | ||
| ICACLS_PATH = r"C:\Windows\System32\icacls.exe" |
There was a problem hiding this comment.
This assumes that Windows is installed there, recommend using:
ICACLS_PATH = os.path.join(win32api.GetSystemDirectory(), "icacls.exe")
| import folder_paths | ||
|
|
||
|
|
||
| LOW_INTEGRITY_SID_STRING = "S-1-16-4096" |
There was a problem hiding this comment.
Consider adding a comment here explaining what "S-1-16-4096" means.
| @@ -0,0 +1,172 @@ | |||
| import logging | |||
There was a problem hiding this comment.
Consider adding a docstring to the top of the file to explain the file, since it's pretty far off in the weeds of win32. Perhaps something like:
"""
Sandboxing Utilities for Low-Integrity Process Execution on Windows
===================================================================
This module enables a sandboxed execution environment by lowering the
integrity level of the current process to "Low", which restricts file system
and registry access for enhanced security. It ensures that specific
directories are writable even under this constrained execution mode.
"""| ICACLS_PATH = r"C:\Windows\System32\icacls.exe" | ||
|
|
||
|
|
||
| def set_process_integrity_level_to_low(): |
There was a problem hiding this comment.
Consider docstrings for each of these, since they're modestly advances win32, like:
"""
Set the current process to run at a low integrity level.
This restricts the process's permissions, creating a sandboxed environment
to limit potential damage if compromised.
"""| Checks if an icacls output indicates that the path is writable by low | ||
| integrity processes. | ||
| Note that currently it is a bit of a crude check - it is possible for |
There was a problem hiding this comment.
I would elaborate on when this fails, if you know offhand.
| openapi.yaml | ||
| filtered-openapi.yaml | ||
| uv.lock | ||
| /write-permitted/ |
There was a problem hiding this comment.
Presumably also remove /temp/, if you're moving it. I wouldn't personally remove temp, see my later comment in folder_paths.py
| "--enable-sandbox", | ||
| default=False, | ||
| action="store_true", | ||
| help="Enable sandbox mode.", |
There was a problem hiding this comment.
I would elaborate in this help entry about what use case sandbox mode is intended for. Some people might assume that it would be a security feature that allows them to safely execute malicious code. Consider a more specific name, like: "--limit-write-access" or something, rather than "sandbox".
| # Note: If we ever support custom directories, we should warn users if | ||
| # the directories are in a senstive location (e.g. a high level | ||
| # directory like C:\ or the user's home directory). | ||
| raise Exception("Sandbox mode is not supported when using --output-directory, " |
There was a problem hiding this comment.
This is a really good note. Setting the user's entire home directory to Low would be horrendous.
| from sandbox import windows_sandbox | ||
| try_enable_sandbox() | ||
| else: | ||
| logging.warning("Sandbox mode is not supported on non-windows platforms." |
| proc_info = shell.ShellExecuteEx(**execute_info) | ||
| hProcess = proc_info["hProcess"] | ||
|
|
||
| # Setup script should less than a second. Time out at 10 seconds. |
There was a problem hiding this comment.
If the user hums and has at the UAC prompt for a moment, or the ACLs take a while to apply, then do you really want to quit halfway through? I would consider a much longer timeout.
|
Related: #11013 kinda does this on Linux. I just spotted your PR. |
5 participants
Design
setup_sandbox_permissions.batfile. This should be a one time thing.user,custom_nodes, andoutputare lowered in integrity level, along with a new directorywrite-permitted.custom_nodeslow integrity means any custom nodes that want to write to its own directory continues functioning. Tested with comfyui-manager. It also means if there is a binary inside a custom_node it will always run with low integrity.tempdirectory is moved inside the newwrite-permittedfolder because we have code that deletes and recreated the entire directory.write-permittedto keep things simple.Manual tests performed:
Work to do in follow up PRs:
(^ this is a photo because it's hard to take a screenshot of the elevation screen)