
#1 2017-11-06 20:50:47

crontab
Member
Registered: 2017-11-06
Posts: 3

Kinda "sandboxing" wine for lazy

Hi all. Kept thinking for a while about sandboxing wine to be sure that nothing will mess up the system. But I (really!) don't have any desire to deal with any kind of sandbox-patched kernels etc, so that's the question - what if I just keep wine out of the system?

I mean, what if I make wine from source or just extract the multilib repo package to ~/.wine-$winever and then run win applications as something like WINEPREFIX=~/.someprefix ~/.wine-winever/blah/blah/wine ~/.someprefix/blah/blah/app.exe? Sure, I'm gonna miss all wine deps in this case, so I'll make with pkgbuild and install an empty package (something like wine-deps-1.0.0.pkg) having all wine deps as its own.

Now if something undesired from the windows world is about to run itself with wine, it will be punched right in the face with bash: wine: command not found. I tried it, it seems to work. And I know that it is not sandboxing in any way, that's why this thread has quotes around sandboxing in its name. And I know that if in this case the app itself is about to mess up the system, it most likely will do it.

So, what do you think of that?.. Besides that I'm too stupid and too lazy, of course. Thanks in advance.

Last edited by crontab (2017-11-06 21:15:15)


#2 2017-11-06 23:47:39

i_love_r34
Member
From: Mexico
Registered: 2016-02-14
Posts: 87

Re: Kinda "sandboxing" wine for lazy

You can always try to run wine with another user with low permissions. In any case where a windows program tries to execute malware for wine, it will only find writable access to the user's home folder.
More information here: https://wiki.archlinux.org/index.php/wi … er_account

For keeping wine out of the system you can always try container software like LXC, but I see this as a little difficult and maybe you will need to patch the kernel.

Regards!


#3 2017-11-07 16:52:32

crontab
Member
Registered: 2017-11-06
Posts: 3

Re: Kinda "sandboxing" wine for lazy

i_love_r34 wrote:

You can always try to run wine with another user with low permissions.

Well, that's true, but this solution has certain limitations. For example, I often have to use a few windows CAD things, and I need them to have r-w access to the ~/Documents/blah/blah/CAD folder in my /home, so they must be executed under my user exactly. And this leaves wine in the system too, making the wine command theoretically accessible - I really want to avoid it.

So the actual question is - can some malware from windows world be executed without my direct command or permission, if wine is out of the system (but located somewhere else) and can't be run as $ wine somemalwareapp.exe?

Last edited by crontab (2017-11-07 16:57:52)


#4 2017-11-07 16:57:35

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,422

Re: Kinda "sandboxing" wine for lazy

And what danger do you expect from something calling wine? If you run a windows application in wine it will be able to call other windows applications without calling wine anyway. And it will be able to remove stuff in your $HOME without calling wine anyway, and this will be no different whether your path is adjusted or not. You're preventing exactly nothing with your method. Wine doesn't have write access to the rest of your system due to the simple fact that it runs as your user and is only capable of what is allowed within those bounds. It matters absolutely zilch if the binary originally resided in your home dir or not.

If you actually want to sandbox wine, then sandbox wine. Start with the predefined firejail profile, no kernel patches required.

Last edited by V1del (2017-11-07 17:03:50)
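
An added illustration of the point made in post #4, not code from any poster or from the Wine project: it checks what keeping the runtime off PATH does and does not stop. Everything here is constructed: fakewine, app.sh and child.sh are hypothetical stand-in scripts, and a temporary directory plays the role of $HOME.

```shell
#!/bin/sh
# Constructed demo: stand-in scripts only, no real Wine or Windows binary.
# fakewine, app.sh and child.sh are hypothetical names made up for this example.

setup_demo() {
    DEMO=$(mktemp -d) || return 1
    HOME_DIR="$DEMO/home"                          # throwaway stand-in for $HOME
    RUNTIME="$HOME_DIR/.wine-hidden/bin/fakewine"  # runtime kept outside PATH
    mkdir -p "$HOME_DIR/Documents/CAD" "${RUNTIME%/*}"
    echo "drawing v1" > "$HOME_DIR/Documents/CAD/part.dwg"
    # Stand-in runtime: runs a program as the current user and hands it the
    # runtime's own absolute path, so children need no PATH lookup.
    cat > "$RUNTIME" <<'EOF'
#!/bin/sh
SELF="$0"; export SELF
exec /bin/sh "$@"
EOF
    chmod +x "$RUNTIME"
    # Stand-in app: rewrites a file under HOME, then starts a second program.
    cat > "$HOME_DIR/app.sh" <<'EOF'
echo "overwritten" > "$1/Documents/CAD/part.dwg"
"$SELF" "$1/child.sh" "$1"
EOF
    echo ': > "$1/child-ran"' > "$HOME_DIR/child.sh"
}

# True when the runtime cannot be found by name (all the hidden install achieves).
name_lookup_fails() {
    ! ( PATH=/nonexistent; command -v fakewine ) >/dev/null 2>&1
}

# Start the app by absolute path with an unusable PATH, as in the thread's setup.
run_app_without_path() {
    PATH=/nonexistent "$RUNTIME" "$HOME_DIR/app.sh" "$HOME_DIR"
}

file_was_modified() { [ "$(cat "$HOME_DIR/Documents/CAD/part.dwg")" = "overwritten" ]; }
child_was_started() { [ -e "$HOME_DIR/child-ran" ]; }

setup_demo && run_app_without_path
name_lookup_fails && echo "lookup by name: blocked"
file_was_modified && echo "file under HOME: modified anyway"
child_was_started && echo "second program: started anyway"
rm -rf "$DEMO"
```

All three checks pass together: the name lookup fails, yet the file the user can write is rewritten and the second program runs, because access is decided by the user the process runs as, not by where the binary sits.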
