Another virus-in-wine story

Marcus Meissner marcus at jet.franken.de
Mon Oct 26 04:38:21 CDT 2009


On Sun, Oct 25, 2009 at 06:14:34PM -0700, Scott Ritchie wrote:
> Stefan Dösinger wrote:
> > 
> > On 25.10.2009 at 10:57, Scott Ritchie wrote:
> >> Many apps don't need to view the user folder for documents but also
> >> employ programmable scripting engines - a good example are games.  It
> >> would be much more convenient to pass some sort of "sandbox me, allow
> >> network, deny home folder access" switch to Wine than to muck about with
> >> stuff like AppArmor profiles.
> > The usual reply to this is that Windows apps in Wine can just issue
> > Linux system calls, so any Wine-based sandboxing is security by
> > obscurity. You need something at the syscall layer.
> > 
> 
> Could Wine ship two binaries, one with an AppArmor profile blocking
> syscalls and one without?  Then a simple switch could tell Wine which
> one to use and that functionality wouldn't need to be duplicated elsewhere.

AppArmor does not do system call level blocking.

You could use AA to confine an app to write just in $HOME/.wine/ itself.

Ciao, Marcus
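
The path-based confinement suggested above, sketched as an AppArmor profile. This is an added example, not part of the original message and not a profile shipped by Wine or any distribution. The profile name, the Wine install paths, the default ~/.wine prefix and the /tmp/.wine-* server directory are assumptions for a typical Linux layout.

```apparmor
# Constructed example profile; adjust the assumed paths to the local install.
#include <tunables/global>

profile wine-confined /usr/bin/wine {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/nameservice>

  # Network stays available ("allow network" in the request above).
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Wine's own binaries and libraries (assumed locations), read/map/inherit only.
  /usr/bin/wine* mrix,
  /usr/bin/wineserver* mrix,
  /usr/lib/wine/** mr,
  /usr/lib/*/wine/** mr,
  /usr/share/wine/** r,

  # wineserver socket directory (assumed location).
  owner /tmp/.wine-*/ rw,
  owner /tmp/.wine-*/** rwkl,

  # The only location under the home directory the profile grants.
  owner @{HOME}/.wine/ rw,
  owner @{HOME}/.wine/** rwklm,

  # No other @{HOME} rule is granted, so the rest of the home directory is
  # refused by default. Do not add "deny @{HOME}/** w," here: deny rules
  # override allow rules and would also block the prefix itself.
}
```

AppArmor checks the resolved path, so the symlinks a default prefix contains (dosdevices/z: pointing at /, the user folders pointing into $HOME) do not widen access. Loading the profile with aa-complain first shows in the audit log which additional paths a given application needs before enforcing it.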


