Adding binfmt configuration to official Wine packages

Jens Reyer jre.winesim at gmail.com
Mon Aug 22 10:57:05 CDT 2016


On 22.08.2016 16:57, Rosanne DiMesio wrote:
> On Mon, 22 Aug 2016 15:28:39 +0200
> Jens Reyer <jre.winesim at gmail.com> wrote:
> 
>>>
>>> What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
>>
>> We don't enable binfmt in Debian for exactly this reason (see
>> https://bugs.debian.org/819255). So I'd also be interested in other
>> opinions.
>>
> 
> It's good to know I'm not just imagining things. :-)
> 
>> E.g. above mentioned bug already states: "[binfmt] is also helpful for
>> security because it allows each Windows program to be run with different
>> AppArmor profile."
>> However this doesn't require automatically enabled binfmt support, just
>> the possibility to do so.
>>
> 
> IMO, the majority of users aren't using AppArmor, and we shouldn't be creating security risks for them. I also think that users who are technically skilled enough to create multiple AppArmor profiles should also be capable of following instructions for enabling binfmt support themselves. The actual problem for this user (who started on the forum, btw) is that I have been unable to find step-by-step instructions for Ubuntu. (There are instructions on the Arch wiki, but the user reported they didn't work on Ubuntu.) 
> 
> My preferred resolution to bug 39884 would be WONTFIX with an explanation of why, but it would be nice if someone could come up with step-by-step instructions for enabling binfmt support for Wine on Ubuntu that we could link to or add to our Ubuntu wiki page (with a warning about the risks). 

Assuming you have /usr/bin/wine (the winehq- packages):

First install a file /usr/share/binfmts/wine:
~~~~~
package wine
interpreter /usr/bin/wine
magic MZ
~~~~~

Then execute:
$ sudo update-binfmts --import wine


Winehq might

* add this file to the Winehq packaging, but install it to
  another place and use "--importdir /path/to/file" in the
  instructions (I suggest *not* changing the interpreter
  (e.g. to /opt/wine-devel/bin/wine), to avoid any conflicts
  with other wine packages which might activate binfmt
  support), or

* also create a package wine-binfmt as we have in Debian, or

* just recommend installing our "wine-binfmt".


Note 1: I'll bring that up in another mail, but we might make the
winehq-* packages co-installable with the Debian packages, because
Debian now uses the Debian "alternatives" system, which allows the user
to choose which package is to provide the commands in /usr/bin/ by
making them automatically handled symlinks pointing to the binaries from
the chosen package. A file in /usr/share/binfmts/wine would then
unnecessarily create a conflict between the Winehq and Debian packages
again.

Note 2: Ubuntu is probably moving to the Debian packages.


This is what we have in the README.debian:
~~~~~
[...]
To configure backend support for that, you'll need to install the
wine-binfmt package first and then execute:
$ sudo update-binfmts --import wine

This change increases the risk of inadvertently launching Windows
malware, so please make sure that you understand the security risks
before blindly setting this up.

To remove the support again execute:
$ sudo update-binfmts --package wine --remove wine /usr/bin/wine
~~~~~

Greets
jre
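
An audit check for the configuration discussed in this message, added here as an example that is not part of the original mail or of the Wine or Debian packaging: it lists enabled binfmt_misc entries whose magic is "MZ" (hex 4d5a), so an administrator can see whether Windows executables would be launched transparently on a host. The function names and the sample tree are hypothetical, and the entry layout (enabled/disabled, interpreter, offset, magic lines) is assumed from the kernel's binfmt_misc status files.

```shell
#!/bin/sh
# Added example: report enabled binfmt_misc handlers for the "MZ" magic.
# Assumed entry layout (kernel binfmt_misc status file):
#   enabled|disabled / interpreter PATH / flags: ... / offset N / magic HEX

# find_mz_handlers [DIR]
# Prints "name<TAB>interpreter" for each enabled entry whose magic starts
# with 4d5a at offset 0. Returns 0 if any handler was found, 1 otherwise.
find_mz_handlers() {
    dir="${1:-/proc/sys/fs/binfmt_misc}"
    found=1
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue
        name=$(basename "$entry")
        # "register" and "status" are control files, not format entries.
        case "$name" in register|status) continue ;; esac
        interp=$(awk '
            NR == 1             { state = $1 }
            $1 == "interpreter" { interp = $2 }
            $1 == "offset"      { offset = $2 }
            $1 == "magic"       { magic = tolower($2) }
            END {
                if (state == "enabled" && offset + 0 == 0 &&
                    index(magic, "4d5a") == 1)
                    print interp
            }' "$entry" 2>/dev/null)
        if [ -n "$interp" ]; then
            printf '%s\t%s\n' "$name" "$interp"
            found=0
        fi
    done
    return "$found"
}

# make_sample_dir: builds a constructed (not captured) binfmt_misc-like
# directory so the check can be tried without touching the real /proc tree.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'enabled\ninterpreter /usr/bin/wine\nflags: \noffset 0\nmagic 4d5a\n' > "$d/wine"
    printf 'disabled\ninterpreter /usr/bin/mono\nflags: \noffset 0\nmagic 4d5a\n' > "$d/cli"
    printf 'enabled\ninterpreter /usr/bin/python3\nflags: \noffset 0\nmagic 420d0d0a\n' > "$d/python3"
    printf 'enabled\n' > "$d/status"
    echo "$d"
}
```

Calling `find_mz_handlers` with no argument inspects the live /proc/sys/fs/binfmt_misc tree; a non-zero return means no enabled MZ handler is registered.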


