Another virus-in-wine story

> This is about the fifth article of this sort, so it's not really news
> anymore, but it's still fun to read about.
>
> TFA is clueless about how to clean up a wine
> installation (he thought uninstalling wine would do it),
> buts lots of readers supply the missing clue.
>
> http://linux.slashdot.org/story/09/10/24/1759213/Now-Linux-Can-Get-Viruses-Via-Wine
>
>
>

> A few months ago there was a topic in wine-devel on the same subject. A
> toggle switch for portions of the wine API (i.e. networking), WINEPREFIX,
> and SELinux seems to make this a non-issue.
>
> The default wine SELinux configuration for Fedora 11 denies quite a bit of
> behavior. (Try compiling and using HEAD without setting the security context
> or entering permissive mode and you'll see what I mean).
>
> Does this even need to be handled at the wine level to prevent system-wide
> corruption? It seems like other security technologies already provide this
> protection.

> On Sat, Oct 24, 2009 at 10:47 PM, Nicholas LaRoche <nlaroche@...> wrote:
>> A few months ago there was a topic in wine-devel on the same subject. A
>> toggle switch for portions of the wine API (i.e. networking), WINEPREFIX,
>> and SELinux seems to make this a non-issue.
>>
>> The default wine SELinux configuration for Fedora 11 denies quite a bit of
>> behavior. (Try compiling and using HEAD without setting the security context
>> or entering permissive mode and you'll see what I mean).
>>
>> Does this even need to be handled at the wine level to prevent system-wide
>> corruption? It seems like other security technologies already provide this
>> protection.
>
> We may want to lend a hand.  For instance, I could imagine
> the system needing some help to figure out how to allow
> certain windows apps access to the network, and deny it
> to others.  And I think sandboxing a la chromium might end
> up being a useful technique that would require some work on
> wine's part to work well.
> - Dan
>

> Dan Kegel wrote:
>> On Sat, Oct 24, 2009 at 10:47 PM, Nicholas LaRoche <nlaroche@...> wrote:
>>> A few months ago there was a topic in wine-devel on the same subject. A
>>> toggle switch for portions of the wine API (i.e. networking), WINEPREFIX,
>>> and SELinux seems to make this a non-issue.
>>>
>>> The default wine SELinux configuration for Fedora 11 denies quite a bit of
>>> behavior. (Try compiling and using HEAD without setting the security context
>>> or entering permissive mode and you'll see what I mean).
>>>
>>> Does this even need to be handled at the wine level to prevent system-wide
>>> corruption? It seems like other security technologies already provide this
>>> protection.
>> We may want to lend a hand.  For instance, I could imagine
>> the system needing some help to figure out how to allow
>> certain windows apps access to the network, and deny it
>> to others.  And I think sandboxing a la chromium might end
>> up being a useful technique that would require some work on
>> wine's part to work well.
>> - Dan
>>
>
> Sandboxing is certainly an interesting idea if we want to expand the
> role of Wine-specific packages (a la Picassa).  I've been experimenting
> with shipping a Windows (or winelib) app via a distro package configured
> to run in its own prefix.  This in particular could benefit from
> sandboxing, as then security holes in that application wouldn't take
> down the rest of the user folder.
>
> Many apps don't need to view the user folder for documents but also
> employ programmable scripting engines - a good example are games.  It
> would be much more convenient to pass some sort of "sandbox me, allow
> network, deny home folder access" switch to Wine than to muck about with
> stuff like AppArmor profiles.
>
> Thanks,
> Scott Ritchie
>

>
> Am 25.10.2009 um 10:57 schrieb Scott Ritchie:
>> Many apps don't need to view the user folder for documents but also
>> employ programmable scripting engines - a good example are games.  It
>> would be much more convenient to pass some sort of "sandbox me, allow
>> network, deny home folder access" switch to Wine than to muck about with
>> stuff like AppArmor profiles.
> The usual reply to this is that Windows apps in Wine can just issue
> Linux system calls, so any Wine-based sandboxing is security by
> obscurity. You need something at the syscall layer.
>

> Stefan Dösinger wrote:
>> Am 25.10.2009 um 10:57 schrieb Scott Ritchie:
>>> Many apps don't need to view the user folder for documents but also
>>> employ programmable scripting engines - a good example are games.  It
>>> would be much more convenient to pass some sort of "sandbox me, allow
>>> network, deny home folder access" switch to Wine than to muck about with
>>> stuff like AppArmor profiles.
>> The usual reply to this is that Windows apps in Wine can just issue
>> Linux system calls, so any Wine-based sandboxing is security by
>> obscurity. You need something at the syscall layer.
>>
>
> Could Wine ship two binaries, one with an AppArmor profile blocking
> syscalls and one without?  Then a simple switch could tell Wine which
> one to use and that functionality wouldn't need to be duplicated elsewhere.
>
> Thanks,
> Scott Ritchie
>
>

> Scott Ritchie wrote:
>>
>> Stefan Dösinger wrote:
>>>
>>> Am 25.10.2009 um 10:57 schrieb Scott Ritchie:
>>>>
>>>> Many apps don't need to view the user folder for documents but also
>>>> employ programmable scripting engines - a good example are games.  It
>>>> would be much more convenient to pass some sort of "sandbox me, allow
>>>> network, deny home folder access" switch to Wine than to muck about with
>>>> stuff like AppArmor profiles.
>>>
>>> The usual reply to this is that Windows apps in Wine can just issue
>>> Linux system calls, so any Wine-based sandboxing is security by
>>> obscurity. You need something at the syscall layer.
>>>
>>
>> Could Wine ship two binaries, one with an AppArmor profile blocking
>> syscalls and one without?  Then a simple switch could tell Wine which
>> one to use and that functionality wouldn't need to be duplicated
>> elsewhere.
>>
>> Thanks,
>> Scott Ritchie
>>
>>
> Is there any valid use for syscalls in wine?
>
> Most of the functionality that might be gained by using a syscall directly
> probably already exists in libc or some other library. These libraries can
> have granular security policies applied to them as opposed to granting full
> access to the core wine binary.
>
> -Nick
>
>
>

> Stefan Dösinger wrote:
> >
> > Am 25.10.2009 um 10:57 schrieb Scott Ritchie:
> >> Many apps don't need to view the user folder for documents but also
> >> employ programmable scripting engines - a good example are games.  It
> >> would be much more convenient to pass some sort of "sandbox me, allow
> >> network, deny home folder access" switch to Wine than to muck about with
> >> stuff like AppArmor profiles.
> > The usual reply to this is that Windows apps in Wine can just issue
> > Linux system calls, so any Wine-based sandboxing is security by
> > obscurity. You need something at the syscall layer.
> >
>
> Could Wine ship two binaries, one with an AppArmor profile blocking
> syscalls and one without?  Then a simple switch could tell Wine which
> one to use and that functionality wouldn't need to be duplicated elsewhere.