What would the best approach for adding securing Wine and is it a reasonable goal?

Thu Aug 27 19:44:24 CDT 2015

Hello,

I noticed that CreateRestrictedToken basically just duplicates the token and
doesn't do anything. This makes sense as Wine is implemented as a compatibility
library and program loader and not as a virtual machine and Windows programs
running on Wine can break out and access Linux system calls so making
CreateRestrictedToken do anything more wouldn't accomplish anything. I think it
would be really cool though if CreateRestrictedToken and similar sandboxing APIs
actually accomplished something in Wine though.

What would the best approach for securing Wine be and is it a reasonable goal?
First, see http://wiki.winehq.org/SecuringWine. So far, I can think of a few
approaches. The first approach is to make a whole operating system such as
ReactOS. The second approach is making a whole operating system that only has
device drivers for working on top of virtual machines or hypervisors. The third
approach is making a kernel that runs as a normal user process on top of a full
OS (similar to User-Mode Linux or a weekend project I am working on at
https://gitlab.com/sstewartgallus/wum, also see the Chrome sandbox at
https://www.chromium.org/developers/design-documents/sandbox,
https://code.google.com/p/chromium/wiki/LinuxSandboxing and
https://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design).
The fourth approach is to abandon securing Wine itself and simply run Wine
programs inside separate sandboxes.

ReactOS already serves as an example of the first approach.

The second approach is basically similar to ReactOS.

My project at https://gitlab.com/sstewartgallus/wum serves as a tiny example of
of the third approach might work.

The fourth approach of separate sandboxes is actually very simple. One possible
implementation of this fourth approach on Linux might be to use a script like
the sandbox-X.sh script shown below and remove the Z: symlink in dosdevices
(this isn't actually needed or improves security but just looks nice.) Note that
to make this script work I had to do some configuration to let my automatically
su into the sandbox account. As well, I also had to download a dummy Xorg
configuration to the home directory of the sandbox account.

Thank you,
Steven Stewart-Gallus

sandbox-X.sh:
#! /bin/sh

set -e
set -C
set -u

exec su -l -c 'exec sh <&3' sstewartgallus-sandbox 3<<'EOF'
set -e
set -C
set -u

exec 3<&-

export DISPLAY=':76'
export XPRA_SOCKET_DIR='/tmp'
exec xpra\
    start\
    ${DISPLAY}\
    --xvfb="Xorg -noreset +extension GLX +extension RANDR +extension RENDER
-logfile ./${DISPLAY}.log -config ./xorg.conf"\
    "--no-daemon"\
    "--mmap-group"\
    "--no-sharing"\
    "--bell"\
    "--system-tray"\
    "--xsettings"\
    "--cursors"\
    "--encoding=rgb"\
    "--clipboard"\
    --start-child=xterm