Charles Davis wrote:
- Make Wine use App Sandbox on Mac OS X.
At the very least, I would like to be able to limit Wine's file-system activity to the prefix.
I'm not familiar with Mac OS X's particular security features, but I wonder why limiting FS activity needs changes in Wine? With AppArmor or the like on Linux, you'd define a set of rules living outside of the app.
Limiting to the prefix won't work, because /dev/tty and /tmp/X11.socket etc. need to be used.
All my apps are installed in a directory outside any .wine prefix. There's a symlink from within C:\Programs. How would you take that into account?
BTW, I once defined a set of iptables rules to prevent networking for Wine (or was it for a whole user?) based on the consideration that the apps I use have nothing to do with networking. Here too, nothing need be changed in Wine.
Regards, Jörg Höhle
On 29 March 2012 10:01, Joerg-Cyril.Hoehle@t-systems.com wrote:
BTW, I once defined a set of iptable rules to prevent networking for Wine (or was it for a whole user?) based on the consideration that the apps I use have nothing to do with networking. Here too, nothing need be changed in Wine.
You can also add a 'nonet' group, configure an iptables rule to drop all packets from that gid and then use sg to execute Wine using that nonet group. Of course, this assumes the apps you run don't or can't switch from nonet to another group.
Alex
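The setup Alex describes, written out as an added example (this is not code from the thread or from the Wine project): a dedicated group, an iptables `owner` rule keyed on that group, and a launcher that starts Wine under the group with `sg`. The group name `nonet`, the use of REJECT rather than DROP (so an app's connect() fails immediately instead of hanging until timeout), and the loopback exception (Wine's X11 or audio connections may go over local TCP) are choices made here for illustration. The `owner` match keys on the credentials of the process that created the socket, which is why the group switch has to happen before the application starts; `sg` does that for the whole Wine process tree. The privileged steps are printed rather than executed so they can be reviewed first, e.g. `sh nonet.sh setup | sudo sh`.

```shell
#!/bin/sh
# Added example: run Wine under a "nonet" group that iptables refuses to let
# talk to the network. Names, chain placement and the REJECT/loopback choices
# are assumptions for illustration, not a recommendation from the thread.

NONET_GROUP="${NONET_GROUP:-nonet}"   # assumed group name

# Emit the iptables/ip6tables rules for a given group, one command per line.
# Loopback is allowed first so local X11/PulseAudio TCP sockets keep working;
# everything else from that gid is rejected with an "administratively
# prohibited" ICMP error so applications fail fast rather than hang.
nonet_iptables_rules() {
    grp=$1
    printf '%s\n' \
        "iptables -A OUTPUT -o lo -m owner --gid-owner $grp -j ACCEPT" \
        "iptables -A OUTPUT -m owner --gid-owner $grp -j REJECT --reject-with icmp-admin-prohibited" \
        "ip6tables -A OUTPUT -o lo -m owner --gid-owner $grp -j ACCEPT" \
        "ip6tables -A OUTPUT -m owner --gid-owner $grp -j REJECT --reject-with icmp6-adm-prohibited"
}

# Full privileged setup: create the group if missing, then the firewall rules.
# Printed, not executed; pipe into "sudo sh" after reviewing.
nonet_setup_commands() {
    printf 'getent group %s >/dev/null || groupadd %s\n' "$NONET_GROUP" "$NONET_GROUP"
    nonet_iptables_rules "$NONET_GROUP"
}

# Quick check an administrator can run: is the REJECT rule for the group in
# place? Returns 0 if found, 1 otherwise (needs root to list the rules).
nonet_rule_present() {
    iptables -S OUTPUT 2>/dev/null | grep -q -- "--gid-owner $NONET_GROUP -j REJECT"
}

# Launch Wine under the nonet group. sg takes a single shell command string,
# so the arguments are joined and passed as one; quote paths with spaces.
#   sh nonet.sh run 'C:\\Programs\\app\\app.exe'
nonet_run() {
    exec sg "$NONET_GROUP" -c "wine $*"
}

case "${1:-}" in
    setup) nonet_setup_commands ;;
    check) nonet_rule_present && echo "nonet rule present" || echo "nonet rule missing" ;;
    run)   shift; nonet_run "$@" ;;
esac
```

Because `sg` only changes the primary gid, the user's other groups remain as supplementary groups for file access, but an unprivileged process cannot switch its effective gid back to them with setgid(); this is the assumption Alex names, and it holds as long as the firewall host is also the one where the rules are loaded (a rule on a gateway cannot see process ownership).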