On Mon, 12 Aug 2013 23:29:51 JST achurch+wine-devel@achurch.org (Andrew Church) wrote:
Note that removing the default "z:" drive mapping will NOT prevent Windows applications from reading your entire filesystem! In addition to the Windows share, malicious programs could detect that they are running under Wine and execute native Linux system calls to get around any restrictions imposed by Wine. Consider running programs you don't trust in a virtual machine instead. """
Already in the FAQ:
11.2. How good is Wine at sandboxing Windows apps?
Wine does not sandbox in any way at all. When run under Wine, a Windows app can do anything your user can. Wine does not (and cannot) stop a Windows app directly making native syscalls, messing with your files, altering your startup scripts, or doing other nasty things.
You need to use AppArmor, SELinux or some type of virtual machine if you want to properly sandbox Windows apps.