https://bugs.winehq.org/show_bug.cgi?id=49024
Paul Gofman gofmanp@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gofmanp@gmail.com
--- Comment #3 from Paul Gofman gofmanp@gmail.com ---
As Rosanne said in comment #1, Wine is absolutely not a sandbox and is not pretending to be one. As a very rough analogy, Python is capable of running Python scripts, but do you expect it to protect you from some unwanted things that scripts can do?
Probably the easiest and most lightweight thing you can do to limit the potential impact of unwanted Windows programs under Wine is to run it under a separate user which does not have any excessive rights and does not have access to any personal files or write access to anything besides its own files. Then (unless the malware is specifically designed for Wine and will exploit host security somehow) no software run in the prefix will be able to do what you describe. There are other limitations which can be imposed, like disabling access to the network through iptables. Of course, this is still not a perfect sandbox, which might not be very easy to do right, but it will avoid many practical threats and won’t impose any performance penalty.
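
A sketch of the setup described in the comment above, added here as an example and not part of the original comment or of Wine itself. The account name `wineuser`, the home path and the nologin shell path are assumptions; by default the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: run Wine under a dedicated, unprivileged account.
WINE_USER="${WINE_USER:-wineuser}"   # hypothetical account name
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = run them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Create the account with a private home; it gets no sudo rights or extra groups.
setup_wine_user() {
    # nologin path varies by distribution (assumption: /usr/sbin/nologin)
    run useradd --create-home --user-group --shell /usr/sbin/nologin "$WINE_USER"
    run chmod 700 "/home/$WINE_USER"
}

# Reject all outbound traffic from processes owned by the account.
# The owner match is only valid in the OUTPUT and POSTROUTING chains.
block_network() {
    run iptables  -A OUTPUT -m owner --uid-owner "$WINE_USER" -j REJECT
    run ip6tables -A OUTPUT -m owner --uid-owner "$WINE_USER" -j REJECT
}

# Start a Windows program in a prefix owned by the dedicated account.
run_in_prefix() {
    run sudo -u "$WINE_USER" -H env WINEPREFIX="/home/$WINE_USER/.wine" wine "$@"
}

# Audit: succeeds if the "other" permission bits grant any access to a path.
# Columns 8-10 of the ls mode string are the rwx bits for other users.
# This looks at mode bits only; ACLs and group membership are not checked.
others_can_access() {
    case "$(ls -ld -- "$1" | cut -c8-10)" in
        ---|--T) return 1 ;;   # no read, write or execute for others
        *)       return 0 ;;
    esac
}

# Print the plan, then check that your own home is closed to the new account.
setup_wine_user
block_network
if others_can_access "${HOME:-/}"; then
    echo "warning: ${HOME:-/} is accessible to other users, including $WINE_USER" >&2
fi
```

Review the printed plan first, then run the script as root with `DRY_RUN=0` to apply it.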