Some questions about wine and security

Message

pizza-rat · Post by **pizza-rat** » Fri Feb 24, 2023 10:07 pm

I often run closed-source Windows games via wine (usually either through Steam or Lutris for convenience) and I was thinking lately about what kind of access wine might have in the off-chance that any one of these games had some malicious code hiding in it. So, a few questions...

#1. Can a program launched through wine read any file it wants anywhere on my filesystem? Of course, it can't write to anything that requires root permissions (I assume) but couldn't it read text files, or even things like Firefox and Thunderbird profiles entirely?

#2. Does unmapping the rest of the linux filesystem (ie what's often mapped to Z: by default whenever you set up a new wine prefix) actually reliably prevent #1? What about winetricks's sandbox (or lutris's sandbox) option?

#3. Why does unmapping Z: break some games?

#4. What are other reliable options for preventing applications run through wine from having access to anything outside of their prefix? I have heard of firejail (neither the default lutris or steam profiles work for me, the former seems to have no access to Vulkan and the latter spits an error about an integer parameter out of range), flatpak, apparmor and running wine as a separate user.

I know some of this is paranoid, and I know "just dont run closed source software ever

))" is one kind of solution, too, but I'm curious about all of this. Using a VM would probably be a solution too but as far as I'm aware most games require you to have a second GPU to feed to the VM, don't they?

Post by Hu » Fri Feb 24, 2023 10:43 pm

Wine is not a sandbox. Any file that your user can access with a native Linux command can be accessed by a Windows program running under Wine.
This mitigates it a little bit, but only a little. A determined program could still do anything that your Linux user has permission to do.
Unknown. This should not happen.
Use a sandboxing mechanism, such as Firejail, so that the kernel enforces that the confined application cannot access the target resource.

sdauth · Post by **sdauth** » Fri Feb 24, 2023 11:08 pm

Code: Select all

as far as I'm aware most games require you to have a second GPU to feed to the VM, don't they?

GPU passthrough is indeed the best solution but it requires of course to have a second gpu.

Otherwise, you could give a try to qemu with USE=virgl enabled.
This will enable media-libs/virglrenderer (library used to implement a virtual 3D GPU used by qemu)
Then setup a minimal vm with the os of your choice and use wine in the vm. Performance was quite good (much better than using standard qxl) last time I tried. (more than a year ago)

pizza-rat · Post by **pizza-rat** » Sat Feb 25, 2023 12:16 am

Hu wrote:
Wine is not a sandbox. Any file that your user can access with a native Linux command can be accessed by a Windows program running under Wine.
This mitigates it a little bit, but only a little. A determined program could still do anything that your Linux user has permission to do.
Unknown. This should not happen.
Use a sandboxing mechanism, such as Firejail, so that the kernel enforces that the confined application cannot access the target resource.

It sounds like Firejail, or perhaps Flatpak or Apparmor are the way to go for my setup. Is one recommended over the others for such a use case, before I make another thread asking for help configuring Firejail?