Wine being targeted for adware

Austin English austinenglish at gmail.com
Wed Jan 14 23:14:51 CST 2009


On Wed, Jan 14, 2009 at 7:23 PM, Eduardo Menezes
<companheiro.vermelho at gmail.com> wrote:
> I think an "isolate prefix" option in winecfg (or even winetricks) would be
> very useful.
> Undoing symlinks and editing the registry to take out the reference to the
> root is boring (and I'm not sure only doing this is entirely safe) and this
> kind of option would make it possible to run untrusted software without
> worrying.
> I even ran some malware in isolated wine prefixes and used diff to see what
> it did. Learned a lot from this.
> Anyway, a "nice to have" feature.
>
> Best wishes and thanks for this amazing software,
>
> 2009/1/14 <wine-devel-request at winehq.org>
>>
>> Date: Wed, 14 Jan 2009 15:07:06 -0500
>> From: Nicholas LaRoche <nlaroche at vt.edu>
>> Subject: Re: Wine being targeted for adware
>> To: Stefan Dösinger <stefan at codeweavers.com>
>> Cc: wine-devel at winehq.org
>> Message-ID: <496E45EA.9060603 at vt.edu>
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> Stefan Dösinger wrote:
>> >> As long as the facilities exist for keeping an entire wine bottle
>> >> isolated from other bottles (and ~/) I don't see this being a major
>> >> issue.
>> > They don't.
>> >
>> > Even if you don't have a drive link pointing out of a bottle, a Windows
>> > app running in Wine can still call Linux syscalls (int 0x80). This is
>> > possible/needed because Windows apps run as a regular Linux process that
>> > links in Linux libraries which perform linux syscalls.
>> >
>> > So any Windows malware can break out of the Wine "sandbox" (which isn't a
>> > sandbox really) by simply using linux syscalls.
>> >
>> >
>> >
>>
>> On more recent distros (FC9/10) SELinux is enabled by default. Rolling a
>> policy specifically for an untrusted bottle would severely limit the
>> damage it could do. It could restrict all unnecessary read/write/execute
>> access outside of the ~/.wine folder for wineserver and the program.
>>
>> I see your point though, since none of the aforementioned security
>> precautions are commonplace or specifically targeted to wine.
>>
>
> --
> Eduardo
> "Every Revolution is IMPOSSIBLE until it becomes INEVITABLE!!!" (Leon Trotsky)
>
>
>
>

Windows doesn't provide this, why would wine?

P.S., please bottom post on wine mailing lists.

-- 
-Austin
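
The symlinks discussed in the quoted messages (drive links and other links that point out of a prefix) can be listed with a short audit script. This is an added example, not part of the original thread or of Wine; the function name `audit_prefix` is hypothetical and GNU `find` and `readlink -f` are assumed. As the quoted reply about Linux syscalls points out, a prefix with no escaping links is still not a sandbox.

```shell
#!/bin/sh
# Added example: report symlinks inside a Wine prefix whose targets resolve
# outside that prefix (for instance dosdevices/z: -> /).
# Assumptions: GNU find and readlink -f; file names without newlines.

audit_prefix() {
    # Canonicalize the prefix so comparisons use real paths.
    prefix=$(readlink -f -- "$1") || return 2
    [ -d "$prefix" ] || return 2

    # find does not follow symlinks by default, so a link such as z: -> /
    # is reported but never traversed.
    find "$prefix" -type l | while IFS= read -r link; do
        rel=${link#"$prefix"/}
        if ! target=$(readlink -f -- "$link" 2>/dev/null); then
            printf 'UNRESOLVED %s\n' "$rel"
            continue
        fi
        case "$target" in
            "$prefix"|"$prefix"/*) ;;   # stays inside the prefix: fine
            *) printf 'ESCAPES %s -> %s\n' "$rel" "$target" ;;
        esac
    done
}

# Run against a prefix given on the command line, e.g.: sh audit.sh ~/.wine
if [ "$#" -gt 0 ]; then
    audit_prefix "$1"
fi
```
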

