vufa / deepin-wine-qq-arch

Tencent QQ on Deepin Wine5 (com.qq.im.deepin) for Arch Linux
https://aur.archlinux.org/packages/deepin-wine-qq/

Restrict the directories mounted by the Wine instance that runs QQ #48

Open mokurin000 opened 3 years ago

mokurin000 commented 3 years ago

QQ is known to scan browser data; someone found that Firefox is affected too. It is not yet clear whether it reads home when running under Wine, but it seems to scan the whole disk.

vufa commented 3 years ago

I will keep following this issue; perhaps a more suitable solution can be found.

mokurin000 commented 3 years ago

https://www.qubes-os.org/intro/ I looked at this OS's security practices; it actually uses multiple VMs...

AsterisMono commented 3 years ago

In winecfg you can set the mapping from Linux directories to virtual Windows drives. In theory, deleting every drive mapping except the virtual C: in winecfg lets QQ run isolated. But the launch script in the original deepin package (run.sh) re-extracts and overwrites the real Wine launch script (run_v3.sh) on every start (what a bizarre way to do things!), and run_v3.sh contains a block that re-creates the drive mappings on every run (virtual C: mapped to C, /home to Y, / to Z; the security awareness here is worrying, to say the least).

(run_v3.sh)

```sh
cd "${WINEPREFIX}/dosdevices"
rm c: z: y:
ln -s -f ../drive_c c:   # C: -> the prefix's drive_c
ln -s -f / z:            # Z: -> the whole filesystem root
ln -s -f $HOME y:        # Y: -> the user's home directory
```

To achieve isolation, modify /opt/apps/com.qq.im.deepin/files/helper_archive.7z and change this block in the run_v3.sh inside it to:

(run_v3.sh)

```sh
cd "${WINEPREFIX}/dosdevices"
rm c: z: y:
ln -s -f ../drive_c c:
# ln -s -f / z:          # no longer expose / as Z:
# ln -s -f $HOME y:      # no longer expose $HOME as Y:
```

Repack it, replace the original file, and launch QQ again; the Y and Z drives should no longer appear in the send-file dialog. If you need to map other folders to make receiving files easier, you can set them up in winecfg.

renyuneyun commented 3 years ago

I support @AsterisMono's approach of modifying the original deepin script. (Although I am still struggling to get it to start normally at all...) My personal experience with firejail is hard to put into words... it does work and is powerful, but debugging profiles is a pain. So I think it is better to rely on Wine's own isolation as much as possible.

Does the maintainer intend to make this change in the whole package? Even without replacing deepin's scripts entirely, could at least this part of the entry point be adjusted? The AUR standards do not require staying identical to upstream, and quite a few packages are customized for Arch or for other reasons.

If you are worried about breaking things for "novice" users, maybe consider maintaining a separate package for this feature? The PKGBUILD and other code could be handled with git branches.

vufa commented 3 years ago

@renyuneyun If ~/.deepinwine/deepin-wine-helper does not exist or is older than the helper_archive.7z in the installed package, helper_archive.7z gets extracted into that directory, so for now you can follow @poly000's method and modify ~/.deepinwine/deepin-wine-helper/run_v3.sh

The helper_archive.7z shipped with deepin-wine-qq is older than the one in other deepin-packaged apps (such as WeChat), so if other such apps (e.g. deepin-wine-wechat) are installed, the modification gets overwritten by the helper_archive.7z those apps ship with.
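A check for the mapping state, added here as an example (it is not code from the deepin package or this repository): it lists the drive-letter links under a prefix's dosdevices that resolve outside drive_c, so after editing run_v3.sh as described above, or after another deepin app has replaced helper_archive.7z, you can confirm whether y: and z: have come back. The demo_prefix helper builds a constructed throwaway prefix that mimics the stock script's links; the real WINEPREFIX path is assumed to be supplied by you.

```sh
#!/bin/sh
# Added example (not from the deepin package or this repo). Lists every
# drive-letter symlink in a Wine prefix's dosdevices directory that resolves
# outside the prefix's drive_c, e.g. the z: -> / and y: -> $HOME links that
# the stock run_v3.sh recreates on every launch.
# Prints "LETTER TARGET" per escaping drive; returns 0 if none escape,
# 1 if at least one does, so a launcher can refuse to start in that case.
check_wine_drives() {
    prefix=$(readlink -f "$1") || return 2
    escaped=0
    for link in "$prefix"/dosdevices/*:; do
        [ -L "$link" ] || continue          # unmatched glob or plain file
        letter=$(basename "$link")
        # resolve relative links such as ../drive_c to an absolute path
        target=$(readlink -f "$link" 2>/dev/null) || target=$(readlink "$link")
        case "$target" in
            "$prefix"/drive_c|"$prefix"/drive_c/*) ;;   # stays inside the prefix
            *) printf '%s %s\n' "$letter" "$target"; escaped=1 ;;
        esac
    done
    return "$escaped"
}

# Constructed throwaway prefix with the same links the stock run_v3.sh makes
# (c: -> ../drive_c, z: -> /, y: -> $HOME); prints its path.
demo_prefix() {
    p=$(mktemp -d) || return 1
    mkdir -p "$p/drive_c" "$p/dosdevices"
    ln -s ../drive_c "$p/dosdevices/c:"
    ln -s / "$p/dosdevices/z:"
    ln -s "${HOME:-/tmp}" "$p/dosdevices/y:"
    printf '%s\n' "$p"
}

# Usage against a real prefix (path assumed): check_wine_drives "$WINEPREFIX"
```

Running it against the constructed prefix reports y: and z:; after deleting those two links it reports nothing and returns 0.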

sklynic commented 3 years ago

Removing only the z: mapping may not be enough. From the WineHQ wiki (https://wiki.winehq.org/FAQ), quoting the original:

> 7.4 Is Wine malware-compatible? (some content omitted)
>
> Removing the default Wine Z: drive, which maps to the unix root directory, is a weak defense. It will not prevent Windows applications from reading your entire filesystem, and will prevent you from running Windows applications that aren't reachable from a Wine drive (like C: or D:). A workaround is to copy/move/symlink downloaded installers to ~/.wine/drive_c before you can run them. If you're running applications that you suspect to be infected, run them as their own Linux user or in a virtual machine (the ZeroWine malware analyzer works this way).
>
> 7.5 How good is Wine at sandboxing Windows apps?
>
> Wine does not sandbox in any way at all. When run under Wine, a Windows app can do anything your user can. Wine does not (and cannot) stop a Windows app directly making native syscalls, messing with your files, altering your startup scripts, or doing other nasty things.
>
> You need to use AppArmor, SELinux or some type of virtual machine if you want to properly sandbox Windows apps.
>
> Note that the winetricks sandbox verb merely removes the desktop integration and Z: drive symlinks and is not a true sandbox. It protects against errors rather than malice. It's useful for, e.g., keeping games from saving their settings in random subdirectories of your home directory.

Also, the approach recommended on the Arch wiki is to run Windows programs as a separate user or to use a sandbox.

FlyingYu-Z commented 2 years ago

> Removing only the z: mapping may not be enough. From the WineHQ wiki (https://wiki.winehq.org/FAQ), quoting the original:
>
> > 7.4 Is Wine malware-compatible? (some content omitted)
> >
> > Removing the default Wine Z: drive, which maps to the unix root directory, is a weak defense. It will not prevent Windows applications from reading your entire filesystem, and will prevent you from running Windows applications that aren't reachable from a Wine drive (like C: or D:). A workaround is to copy/move/symlink downloaded installers to ~/.wine/drive_c before you can run them. If you're running applications that you suspect to be infected, run them as their own Linux user or in a virtual machine (the ZeroWine malware analyzer works this way).
> >
> > 7.5 How good is Wine at sandboxing Windows apps?
> >
> > Wine does not sandbox in any way at all. When run under Wine, a Windows app can do anything your user can. Wine does not (and cannot) stop a Windows app directly making native syscalls, messing with your files, altering your startup scripts, or doing other nasty things.
> >
> > You need to use AppArmor, SELinux or some type of virtual machine if you want to properly sandbox Windows apps.
> >
> > Note that the winetricks sandbox verb merely removes the desktop integration and Z: drive symlinks and is not a true sandbox. It protects against errors rather than malice. It's useful for, e.g., keeping games from saving their settings in random subdirectories of your home directory.
>
> Also, the approach recommended on the Arch wiki is to run Windows programs as a separate user or to use a sandbox.

But Wine needs root privileges to run, so it cannot be run as a separate user.