Stefan Dösinger wrote: > > Am 25.10.2009 um 10:57 schrieb Scott Ritchie: >> Many apps don't need to view the user folder for documents but also >> employ programmable scripting engines - a good example are games. It >> would be much more convenient to pass some sort of "sandbox me, allow >> network, deny home folder access" switch to Wine than to muck about with >> stuff like AppArmor profiles. > The usual reply to this is that Windows apps in Wine can just issue > Linux system calls, so any Wine-based sandboxing is security by > obscurity. You need something at the syscall layer. >
Could Wine ship two binaries, one with an AppArmor profile blocking syscalls and one without? Then a simple switch could tell Wine which one to use and that functionality wouldn't need to be duplicated elsewhere. Thanks, Scott Ritchie
