sandwine is a command-line tool to run Windows applications on GNU/Linux that offers more isolation than raw Wine and more convenience than raw bubblewrap. It uses Wine and bubblewrap (>=0.8.0); it does not replace them.

sandwine is Software Libre written in Python 3, and is licensed under the "GPL v3 or later" license.
```console
# pip3 install sandwine
```
```console
# cd ~/Downloads/
# sha256sum -c <(echo 'ac70a0c8a2928c91400b9ac3774b331f1d700f3486bab674dbd09da6b31fe130  winamp566_full_en-us.exe')
# WINEDEBUG=-all sandwine --dotwine winamp/:rw ./winamp566_full_en-us.exe /S /D='C:\Program' 'Files' '(x86)\Winamp' '5.66'
```
(The weird quoting in `/D='C:\Program' 'Files' '(x86)\Winamp' '5.66'` is documented behavior for NSIS.)
```console
# sandwine --pulseaudio --x11 --dotwine winamp/:rw --pass ~/Music/:ro --configure -- winamp
```
Argument `--configure` will bring up `winecfg` prior to Winamp so that you have a chance at unchecking these two boxes:

- Graphics:
  - Allow the window manager to *decorate* the windows
  - Allow the window manager to *control* the windows
If Winamp crashes right after showing the main window, run it once more, there is some Wine bug at work here.
```console
# sandwine --host-x11-danger-danger --pulseaudio --retry -- ./geiss.scr /S
```
`--host-x11-danger-danger` makes sandwine talk to the host X11 server, which would expose you to keyloggers, so please re-visit your threat model before using `--host-x11-danger-danger`.
`--retry` is used to start programs a second time that consistently crash from graphics issues in a fresh Wine environment the first but not the second time. Potentially a bug in Wine, needs more investigation.
PS: The Geiss Screensaver has its GitHub home at https://github.com/geissomatik/geiss .
```console
# sandwine --network --no-wine -- wget -S -O/dev/null https://blog.hartwork.org/
```
Argument `--no-wine` is mostly intended for debugging, but is needed here to invoke non-Wine `wget`.
sandwine aims to protect against Windows applications that:
To achieve that, by default the launched application:

- will not have access to `${HOME}` and/or `/home/` (unless you pass `--pass PATH:{ro,rw}` for a related directory).
- will not have network access (unless you pass `--network`).

So what is shared with the application by default then?
| Path | Content |
|---|---|
| `/` | new tmpfs |
| `/bin` | read-only bind mount |
| `/dev` | new devtmpfs |
| `/dev/dri` | read-write bind mount with device access |
| `/etc` | read-only bind mount |
| `${HOME}` | new tmpfs |
| `${HOME}/.wine` | new tmpfs |
| `/lib` | read-only bind mount |
| `/lib32` | read-only bind mount |
| `/lib64` | read-only bind mount |
| `/proc` | new procfs |
| `/sys` | read-only bind mount |
| `/tmp` | new tmpfs |
| `/usr` | read-only bind mount |
Environment variables:

- `${DISPLAY}`
- `${HOME}`
- `${HOSTNAME}` (with random 12-hex-digits value)
- `${PATH}` (with known-unavailable entries removed)
- `${TERM}`
- `${USER}`
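The mount table and the environment list above, translated into the bubblewrap invocation they imply. This is an added example, not sandwine's own source: the `--*-try` variants, the `--clearenv`/`--setenv` handling and the rule used to decide which `PATH` entries are "known-unavailable" (anything not below a directory the sandbox can see) are assumptions about one way to realise the table with bwrap.

```python
import os
import secrets
import subprocess

# Defaults from the table above (constructed reimplementation; this is not
# sandwine's own code).
RO_BIND = ["/bin", "/etc", "/lib", "/lib32", "/lib64", "/sys", "/usr"]
ENV_PASSTHROUGH = ["DISPLAY", "TERM", "USER"]

def filter_path(path, visible_roots=RO_BIND):
    """Keep only PATH entries below a directory the sandbox can see; every
    other entry is 'known unavailable' inside the fresh tmpfs root."""
    keep = [e for e in path.split(":")
            if any(e == r or e.startswith(r + "/") for r in visible_roots)]
    return ":".join(keep)

def sandbox_env(host_env, home):
    """Environment from the list above: a few variables passed through, a
    fresh random 12-hex-digit HOSTNAME and a pruned PATH; nothing else."""
    env = {k: host_env[k] for k in ENV_PASSTHROUGH if k in host_env}
    env["HOME"] = home
    env["HOSTNAME"] = secrets.token_hex(6)  # 6 random bytes -> 12 hex digits
    env["PATH"] = filter_path(host_env.get("PATH", ""))
    return env

def bwrap_argv(home, env, command, network=False):
    """bubblewrap command line for the mount table: tmpfs root first, then
    the read-only binds, a fresh /dev, /proc, /tmp and an empty home."""
    argv = ["bwrap", "--unshare-all", "--die-with-parent"]
    if network:                      # opt-in, like sandwine's --network
        argv.append("--share-net")
    argv += ["--tmpfs", "/"]
    for path in RO_BIND:             # *-try: silently skip dirs absent on host
        argv += ["--ro-bind-try", path, path]
    argv += ["--dev", "/dev", "--dev-bind-try", "/dev/dri", "/dev/dri",
             "--proc", "/proc", "--tmpfs", "/tmp",
             "--tmpfs", home, "--tmpfs", os.path.join(home, ".wine")]
    argv.append("--clearenv")        # host environment does not leak in
    for key, value in env.items():
        argv += ["--setenv", key, value]
    return argv + ["--chdir", home, "--"] + list(command)

if __name__ == "__main__":
    home = os.environ.get("HOME", "/root")
    env = sandbox_env(os.environ, home)
    # Inside the sandbox $HOME is empty: none of the host's files show up.
    subprocess.run(bwrap_argv(home, env, ["ls", "-la", home]), check=False)
```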
sandwine features include:
`/etc/resolv.conf` provided by:
bubblewrap offers `--seccomp` and `--add-seccomp-fd` (system call filtering) to go further on that end, but sandwine does not use them so far.

For files in `/etc` that contain credentials but are readable by unprivileged users, sandwine will do nothing to block that read access.

If you think you found a vulnerability in sandwine, please reach out via e-mail so we can have a closer look and coordinate disclosure.
Sebastian Pipping, Berlin, 2023