Casual Sandboxing for Wine

For anyone who, like me, uses a variety of applications on Wine, it soon becomes obvious that Wine trusts Windows applications a little too much. There is little or no support for automatically removing the .desktop files created by a Windows installer, and applications get full access to the system via Z: without even having to try to be nefarious. Telling Windows applications to use places like ~/Documents may help to integrate them better into a Linux desktop, but it also allows their slothful, sloppy habits to run rampant in your nice, tidy user profile.

IMPORTANT: This will not improve your security. This is only to limit Windows applications’ ability to cause innocent mayhem because their developers didn’t think before they coded.

The hardest to discover (because, when I asked for it, Alexandre Julliard firmly declared it WONTFIX) but most useful trick (especially if you uninstall stuff more frequently than “never”) is to kill off start menu icon generation so applications can’t leave cruft in your nice clean launcher menu. (Especially if you’re on a DE without a menu-editing GUI, which seemed to be everything but KDE 4 last I checked.)

Simply set WINEDLLOVERRIDES="winemenubuilder.exe=d" as an environment variable. Wine will complain to stderr, but otherwise nothing bad will happen.

Next trick: Keeping your Wine applications from “helping” by adding new clutter to your profile (e.g. new folders inside My Documents, new samples in My Music, etc.).

This one is simply a matter of either going into your Wine profile and replacing the relevant symlinks or opening up winecfg and using the Desktop Integration tab.

If you’re really in a hurry, you can also brute-force it by turning all symlinks in your Wine prefix’s C: into folders with this command:

find "${WINEPREFIX:-$HOME/.wine}/drive_c" -type l -exec sh -c 'rm -- "$1" && mkdir -- "$1"' sh {} \;

Finally, while it’s not really a supported thing, I’ve had no problems with deleting the ~/.wine/dosdevices/z: symlink to give programs one less way to innocently mess up my files like some A.I. baby doodling on the wall in permanent marker.
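
The three tricks above collected into one script, as an added example that is not part of the original post. It goes one step further than the text by first listing which symlinks in the prefix point outside it. The function names are hypothetical, and the audit assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the post or from Wine.

# Print each symlink under drive_c or dosdevices that resolves outside the prefix.
wine_prefix_audit() {
    prefix=$(cd "$1" && pwd -P) || return 1
    find "$prefix/drive_c" "$prefix/dosdevices" -type l 2>/dev/null |
    while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$prefix"|"$prefix"/*) ;;   # stays inside the prefix
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Turn drive_c symlinks into empty directories and drop the Z: mapping.
wine_prefix_detach() {
    [ -d "$1/drive_c" ] || { echo "no drive_c under $1" >&2; return 1; }
    # Paths are passed as arguments, never spliced into the sh -c string.
    find "$1/drive_c" -type l -exec sh -c '
        for link; do rm -- "$link" && mkdir -- "$link"; done' sh {} +
    rm -f -- "$1/dosdevices/z:"
}

# Run Wine with winemenubuilder.exe disabled, keeping any overrides already set.
wine_no_menu() {
    WINEDLLOVERRIDES="winemenubuilder.exe=d${WINEDLLOVERRIDES:+;$WINEDLLOVERRIDES}" \
        wine "$@"
}

# Usage: script.sh audit|detach [prefix]   or   script.sh run program.exe [args]
cmd=${1:-}
[ $# -gt 0 ] && shift
case "$cmd" in
    audit)  wine_prefix_audit  "${1:-${WINEPREFIX:-$HOME/.wine}}" ;;
    detach) wine_prefix_detach "${1:-${WINEPREFIX:-$HOME/.wine}}" ;;
    run)    wine_no_menu "$@" ;;
esac
```

Run `audit` before and after `detach`; an empty second listing means nothing in the prefix resolves outside it any more.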

If you really want security though (of the type that actually protects against certain types of exploits), research using cgroups to tie your filesystem in knots. It’s like chroot without the migraine.

CC BY-SA 4.0 Casual Sandboxing for Wine by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
