On Wed, Jan 14, 2009 at 7:23 PM, Eduardo Menezes <companheiro.verme...@gmail.com> wrote:
> I think an "isolate prefix" option in winecfg (or even winetricks) would be
> very useful.
> Undoing symlinks and editing the registry to take out the reference to the
> root is boring (and I'm not sure only doing this is entirely safe) and this
> kind of option would make it possible to run untrusted software without
> worrying.
> I even ran some malwares in isolated wine prefixes and used diff to see what
> it did. Learned a lot from this.
> Anyway, a "nice to have" feature.
>
> Best wishes and thanks for this amazing software,
>
> 2009/1/14 <wine-devel-requ...@winehq.org>
>>
>> Date: Wed, 14 Jan 2009 15:07:06 -0500
>> From: Nicholas LaRoche <nlaro...@vt.edu>
>> Subject: Re: Wine being targeted for adware
>> To: Stefan Dösinger <ste...@codeweavers.com>
>> Cc: wine-devel@winehq.org
>> Message-ID: <496e45ea.9060...@vt.edu>
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> Stefan Dösinger wrote:
>> >> As long as the facilities exist for keeping an entire wine bottle
>> >> isolated from other bottles (and ~/) I don't see this being a major
>> >> issue.
>> > They don't.
>> >
>> > Even if you don't have a drive link pointing out of a bottle, a Windows
>> > app
>> > running in Wine can still call Linux syscalls (int 0x80). This is
>> > possible/needed because Windows apps run as a regular Linux process that
>> > links in Linux libraries which perform Linux syscalls.
>> >
>> > So any Windows malware can break out of the Wine "sandbox" (which isn't a
>> > sandbox really) by simply using Linux syscalls.
>> >
>>
>> On more recent distros (FC9/10) SELinux is enabled by default. Rolling a
>> policy specifically for an untrusted bottle would severely limit the
>> damage it could do. It could restrict all unnecessary read/write/execute
>> access outside of the ~/.wine folder for wineserver and the program.
>>
>> I see your point though, since none of the aforementioned security
>> precautions are commonplace or specifically targeted to wine.
>>
>
> --
> Eduardo
> "Every Revolution is IMPOSSIBLE until it becomes INEVITABLE!!!" (Leon Trotsky)
>
Windows doesn't provide this, why would wine?

P.S., please bottom post on wine mailing lists.

--
-Austin
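
The "undoing symlinks" step mentioned in the thread can be audited mechanically. The following is an added example, not part of any message above and not Wine code: it lists every symlink inside a prefix that resolves outside it. The function names and the sample layout (`dosdevices/`, `drive_c/users/demo`) are assumptions constructed for the demo, and it covers only filesystem links, not the syscall path described in the quoted reply.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(prefix):
    """Return sorted (link, resolved_target) pairs for every symlink under
    `prefix` whose target resolves to a location outside the prefix."""
    root = Path(prefix).resolve()
    found = []
    # followlinks=False: symlinked directories are listed but never entered.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            target = Path(os.path.realpath(path))
            if target != root and root not in target.parents:
                found.append((path.relative_to(root).as_posix(), str(target)))
    return sorted(found)


def build_sample_prefix(base):
    """Constructed directory tree shaped like a prefix (assumed layout)."""
    prefix = Path(base) / "prefix"
    (prefix / "dosdevices").mkdir(parents=True)
    profile = prefix / "drive_c" / "users" / "demo"
    profile.mkdir(parents=True)
    os.symlink("../drive_c", prefix / "dosdevices" / "c:")  # stays inside
    os.symlink("/", prefix / "dosdevices" / "z:")           # host root
    outside = Path(base) / "home_documents"                 # stands in for ~/
    outside.mkdir()
    os.symlink(outside, profile / "Documents")
    return prefix


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in escaping_symlinks(build_sample_prefix(base)):
            print(f"{link} -> {target}")
```
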