Adding binfmt configuration to official Wine packages

Rosanne DiMesio dimesio at earthlink.net
Mon Aug 22 09:57:32 CDT 2016


On Mon, 22 Aug 2016 15:28:39 +0200
Jens Reyer <jre.winesim at gmail.com> wrote:

> > 
> > What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
> 
> We don't enable binfmt in Debian for exactly this reason (see
> https://bugs.debian.org/819255). So I'd also be interested in other
> opinions.
> 

It's good to know I'm not just imagining things. :-)

> E.g. above mentioned bug already states: "[binfmt] is also helpful for
> security because it allows each Windows program to be run with different
> AppArmor profile."
> However this doesn't require automatically enabled binfmt support, just
> the possibility to do so.
> 

IMO, the majority of users aren't using AppArmor, and we shouldn't be creating security risks for them. I also think that users who are technically skilled enough to create multiple AppArmor profiles should also be capable of following instructions for enabling binfmt support themselves. The actual problem for this user (who started on the forum, btw) is that I have been unable to find step-by-step instructions for Ubuntu. (There are instructions on the Arch wiki, but the user reported they didn't work on Ubuntu.) 

My preferred resolution to bug 39884 would be WONTFIX with an explanation of why, but it would be nice if someone could come up with step-by-step instructions for enabling binfmt support for Wine on Ubuntu that we could link to or add to our Ubuntu wiki page (with a warning about the risks). 


-- 
Rosanne DiMesio
dimesio at earthlink.net
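
A read-only check for the condition discussed in this message, given as an added example that is not part of the original email: it parses the entry files the kernel exposes under /proc/sys/fs/binfmt_misc and reports enabled handlers that match the MZ magic or a .exe extension. The entry names and sample contents are constructed, and mask lines are ignored as a stated assumption.

```python
from pathlib import Path

BINFMT_DIR = Path("/proc/sys/fs/binfmt_misc")
CONTROL_FILES = {"register", "status"}  # control files, not handler entries

# Constructed sample entry contents (names and paths are illustrative).
SAMPLE = {
    "wine": "enabled\ninterpreter /usr/bin/wine\nflags: \noffset 0\nmagic 4d5a\n",
    "python3.5": "enabled\ninterpreter /usr/bin/python3.5\nflags: \noffset 0\nmagic 160d0d0a\n",
    "wine-old": "disabled\ninterpreter /opt/wine-old/bin/wine\nflags: \noffset 0\nmagic 4d5a\n",
}

def parse_entry(text):
    """Parse the text of one binfmt_misc entry file into a dict."""
    entry = {"enabled": False, "interpreter": None, "offset": 0,
             "magic": None, "extension": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "enabled":
            entry["enabled"] = True
        elif key == "offset":
            entry["offset"] = int(value)
        elif key == "extension":
            entry["extension"] = value.lstrip(".").lower()
        elif key in ("interpreter", "magic"):
            entry[key] = value.strip()
    return entry

def handles_windows_binaries(entry):
    """True for an enabled entry matching 'MZ' (4d5a) at offset 0 or a .exe extension.
    Assumption: any mask line is ignored, so masked magics need manual review."""
    if not entry["enabled"]:
        return False
    magic = (entry["magic"] or "").lower()
    return (entry["offset"] == 0 and magic.startswith("4d5a")) or entry["extension"] == "exe"

def audit(entries):
    """Map of entry name -> file text; returns sorted (name, interpreter) pairs."""
    parsed = {name: parse_entry(text) for name, text in entries.items()}
    return sorted((n, e["interpreter"]) for n, e in parsed.items()
                  if handles_windows_binaries(e))

def read_live(directory=BINFMT_DIR):
    """Read entry files from a mounted binfmt_misc; empty dict if unavailable."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir()
            if p.is_file() and p.name not in CONTROL_FILES}

if __name__ == "__main__":
    for name, interp in audit(read_live() or SAMPLE):
        print(f"{name}: Windows executables are handed to {interp}")
```

An empty result on a live system means no enabled binfmt_misc entry hands MZ or .exe files to an interpreter.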


