Tomoyo for sandboxing wine applications

Questions about Wine on Linux
Locked
etwineb
Level 4
Level 4
Posts: 101
Joined: Wed Dec 10, 2008 12:05 pm

Tomoyo for sandboxing wine applications

Post by etwineb »

I was wondering if anyone has experience with using Tomoyo to sandbox Wine applications.
Do you tried? There are problems? Any suggestion?

I usually start each application in its own directory (WINEPREFIX) after using wine sandbox, but still it is not a real protection. Isn't it?


Tomoyo homepage:
http://tomoyo.sourceforge.jp/

Edit: sorry, please move this thread in the Linux subsection.
oiaohm
Level 8
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Re: Tomoyo for sandboxing wine applications

Post by oiaohm »

etwineb
I usually start each application in its own directory (WINEPREFIX) after using wine sandbox, but still it is not a real protection. Isn't it?
I am going to say what sandbox. Wine does not have a sandbox in any major sence of the word. Wine creates a stack load of virtual contructs but that just window dressing. Does not stop application from doing bad things to system unless the application is believing the virtual contructs.

http://wiki.winehq.org/SecuringWine this does need to be expanded on. If you do get Tomoyo to work please do update the SecuringWine page.

http://zerowine.sourceforge.net/ This is a special sub form for reversing malware. Yes there is the posibltiy of malware designed to detect and breach wine. Yes it possible for an application running in wine that knows it running in wine detect that z: is missing and restore it. This is one of the big secuirty issues depending on wine. What ever setting you can set the application running in wine can set it as well. There is no user seperation in wine itself.
User avatar
DanKegel
Moderator
Moderator
Posts: 1164
Joined: Wed May 14, 2008 11:44 am

Re: Tomoyo for sandboxing wine applications

Post by DanKegel »

Tomoyo looks like a good native sandbox.
It would be interesting to see Wine running in it.
I haven't tried it, don't know what configuration would be needed.
Locked