http://bugs.winehq.org/show_bug.cgi?id=19732
--- Comment #9 from Alexandre Julliard julliard@winehq.org 2009-08-17 04:38:23 ---
(In reply to comment #8)
> I thought the security of CAP_SYS_RAWIO rather than mmap_min_addr wasn't to make Wine more secure, but to make the system more secure when Wine isn't running. The kernel bug above, for instance, was exploitable by non-wine programs if the user merely had Wine installed.
Yes, but it doesn't make much difference, because all you have to do is to wrap the exploit in a DOS binary and run it with Wine. Either way, if Wine is installed you can exploit the bug. Dropping the caps wouldn't really help either, since you can't distinguish a malicious DOS app from a legitimate one. The only way is to not support DOS apps at all.
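As an added illustration of the mechanism the two comments are arguing about (this is not code from the bug report or from Wine), here is a small Linux probe that reads vm.mmap_min_addr and then asks the kernel for a fixed mapping of page 0. Backing the NULL page is what DOS support needs and what turns a kernel NULL-pointer dereference from a crash into something exploitable; the kernel refuses such a mapping below mmap_min_addr with EPERM unless the caller holds CAP_SYS_RAWIO. The /proc path and the EPERM behaviour are the kernel's; the function names are my own, and the program assumes a Linux host.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read vm.mmap_min_addr from /proc (Linux only).
 * Returns the value, or -1 if it cannot be read. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try to map one anonymous page at exactly `addr`.
 * Returns 0 if the kernel allowed it (the page is unmapped again before
 * returning), otherwise the errno from mmap. Below vm.mmap_min_addr the
 * kernel answers EPERM unless the caller has CAP_SYS_RAWIO. */
int try_fixed_map(unsigned long addr)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if ((unsigned long)p != addr) {   /* not expected with MAP_FIXED */
        munmap(p, (size_t)page);
        return EEXIST;
    }
    munmap(p, (size_t)page);
    return 0;
}

/* 1 if this process can back the NULL page, i.e. the mmap_min_addr guard
 * that keeps a kernel NULL dereference a plain crash is not in effect for
 * us (CAP_SYS_RAWIO held, or mmap_min_addr set to 0); 0 otherwise. */
int null_page_mappable(void)
{
    return try_fixed_map(0) == 0;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int rc = try_fixed_map(0);

    printf("vm.mmap_min_addr = %ld\n", min_addr);
    if (rc == 0)
        printf("page 0 is mappable by this process "
               "(CAP_SYS_RAWIO held or mmap_min_addr is 0)\n");
    else
        printf("mapping page 0 refused: %s\n", strerror(rc));
    return 0;
}
```

Run it once as an ordinary user and once with CAP_SYS_RAWIO (or with vm.mmap_min_addr lowered to 0, as some Wine packages used to do) to see the two outcomes; the second configuration is the one comment #8 points at, since it applies to every process on the box, not only to Wine.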