Hello wine developers,
I'm running Wine on Linux. Is there a way to restrict wine from accessing some folders and/or resources? Ideally have Wine restrained in its WINEPREFIX directory and configure what resources it could access (like network for instance).
I've seen a few talks on having a 'sandbox' that date back to 2002 and most conclusions suggest that access restrictions should be made on the host OS. If that's the case, any tips on how one could do that in Linux would be appreciated.
Thanks.
-Ioannis
On Thu, Jul 05, 2007 at 03:03:27PM +0100, Ioannis Nousias wrote:
> Hello wine developers,
> I'm running Wine on Linux. Is there a way to restrict wine from accessing some folders and/or resources? Ideally have Wine restrained in its WINEPREFIX directory and configure what resources it could access (like network for instance).
> I've seen a few talks on having a 'sandbox' that date back to 2002 and most conclusions suggest that access restrictions should be made on the host OS. If that's the case, any tips on how one could do that in Linux would be appreciated.
AppArmor, SELinux.
Or use a separate "Wine" user and use ssh -X wineuser@localhost (but this one could break out of it too).
Ciao, Marcus
OK, so there isn't a Wine-specific way to do that. A separate 'wine' user is indeed a simple solution to avoid messing with my normal user-account files, but I still need to prevent it from accessing certain resources. Time to learn SELinux I guess :)
thanks
Marcus Meissner wrote:
> On Thu, Jul 05, 2007 at 03:03:27PM +0100, Ioannis Nousias wrote:
> > Hello wine developers,
> > I'm running Wine on Linux. Is there a way to restrict wine from accessing some folders and/or resources? Ideally have Wine restrained in its WINEPREFIX directory and configure what resources it could access (like network for instance).
> > I've seen a few talks on having a 'sandbox' that date back to 2002 and most conclusions suggest that access restrictions should be made on the host OS. If that's the case, any tips on how one could do that in Linux would be appreciated.
> AppArmor, SELinux.
> Or use a separate "Wine" user and use ssh -X wineuser@localhost (but this one could break out of it too).
> Ciao, Marcus
Hello,
You might be interested in this question on launchpad: https://answers.launchpad.net/ubuntu/+question/8686
It describes how to run Internet Explorer in wine as a separate user.
On Thursday, 5 July 2007 at 15:03 +0100, Ioannis Nousias wrote:
> Hello wine developers,
> I'm running Wine on Linux. Is there a way to restrict wine from accessing some folders and/or resources? Ideally have Wine restrained in its WINEPREFIX directory and configure what resources it could access (like network for instance).
> I've seen a few talks on having a 'sandbox' that date back to 2002 and most conclusions suggest that access restrictions should be made on the host OS. If that's the case, any tips on how one could do that in Linux would be appreciated.
> Thanks.
> -Ioannis
On Thursday, 5 July 2007 16:03, Ioannis Nousias wrote:
> Hello wine developers,
> I'm running Wine on Linux. Is there a way to restrict wine from accessing some folders and/or resources? Ideally have Wine restrained in its WINEPREFIX directory and configure what resources it could access (like network for instance).
Wine isn't a sandbox, and can't be used as one. The Windows App's code runs like any Linux native code, and thus it can call any Linux command. Most importantly, it can use Linux syscalls via int 0x80. So any security limitations imposed by Wine can be bypassed. You have to use things like chroot or a different user to restrict the Windows app.