Is it possible to sandbox / firewall a virtual drive?

Author Replies
guises Friday 29 January 2016 at 16:25

I'd like to run some Windows software which is probably not trustworthy and putting it in a Playonlinux virtual drive seems like a good way to do that. I'd like to sandbox it though, if that can be done without too much difficulty, but at the very least I need to firewall it - is that possible? Can I just block network access for the whole of that virtual drive?

petch Friday 29 January 2016 at 16:58

guises Friday 29 January 2016 at 17:28

Er, right. I'm aware that Wine is not security software, that's not what I'm asking.

All right forget the sandboxing part, let me try again: I need to run some software using Wine and I need to prevent that software from connecting to the network. Is there any good way for me to do that using Playonlinux?

petch Friday 29 January 2016 at 19:11

Not using Wine, and not using PlayOnLinux, virtual drives are not security boundaries so that's none of their business.

Maybe using network namespaces, if you're using Linux, but I have no personal experience with that.


guises Friday 29 January 2016 at 19:18

Okay, thanks. I thought I could just run Wine with the networking component disabled or something, but I guess it's not that easy. I don't have a strong understanding of how Wine functions.

petch Saturday 30 January 2016 at 10:51

It's an API translator; basically the Windows application and Wine together behave like a Linux application, and the main "networking component" is the hosting system.

I guess what you describe could be done, but it's not the best place to do that, would have costs, so it's not part of Wine features.

guises Monday 1 February 2016 at 10:52

Hm. I guess I had envisioned it as more of a virtual machine. Even though, yes, it is Not an Emulator.

I've had a little luck using firejail, so I'll keep playing with it and maybe work something out. Thanks again.

appoloin Wednesday 2 March 2016 at 12:14

Would this work

mviereck Wednesday 30 November 2016 at 14:55

As a sandbox solution, you can use playonlinux in docker. As a tool to run GUI applications like playonlinux in docker, I've scripted a tool, x11docker.

I've published example images containing wine and playonlinux on a dockered LXDE or Xfce desktop:

Docker image containing wine and PlayOnLinux on an LXDE desktop

Docker image containing wine and PlayOnLinux on an Xfce desktop

See x11docker for usage details. In short, run playonlinux with the command

x11docker --hostuser --home x11docker/xfce-wine-playonlinux playonlinux

To disable internet access, you can run playonlinux in docker with command

x11docker --hostuser --home -- --net=none x11docker/xfce-wine-playonlinux playonlinux

xuancong Monday 19 February 2018 at 7:53

For blocking network access, you can use unshare, e.g.:

unshare -n <your-command-line>
unshare -n wine <your-program.exe>
unshare -n playonlinux --run "<your-program>"

If you unshare to run playonlinux:

unshare -n playonlinux

then all the launched programs will not be able to access the network.
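
An added example, not written by any poster in this thread: a wrapper around the `unshare -n` approach above that checks, from inside the new namespace, that only the loopback interface exists before it starts the command. It assumes unprivileged user namespaces are enabled (the `-r` flag), and the script name `offline.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: start a command in an empty network namespace and confirm the
# isolation from inside that namespace before the untrusted program runs.
# Usage (script name is hypothetical): sh offline.sh wine program.exe

# Print interface names from /proc/net/dev-style text on stdin.
# The first two lines are column headers; the rest look like "  name: counters".
list_ifaces() {
    sed -n '3,$s/^[[:space:]]*\([^:]*\):.*/\1/p'
}

# Succeed only if stdin lists no interface other than loopback.
only_loopback() {
    others=$(list_ifaces | grep -v '^lo$' || true)
    [ -z "$others" ]
}

case "${1:-}" in
    --inside)
        # Second stage: already inside the new namespace. /proc/net follows the
        # calling process, so this reads the namespace's own interface list.
        shift
        if ! only_loopback < /proc/net/dev; then
            echo "refusing to start: non-loopback interface present" >&2
            exit 1
        fi
        exec "$@"
        ;;
    "")
        : # No command given: only define the functions above.
        ;;
    *)
        # First stage: -n creates the empty network namespace; -r maps the caller
        # to uid 0 in a new user namespace so sudo is not needed (assumes
        # unprivileged user namespaces are enabled). The command sees uid 0.
        exec unshare -r -n sh "$0" --inside "$@"
        ;;
esac
```

Because the check runs after the namespace is created and before `exec`, a failed or misconfigured `unshare` stops the launch instead of silently running the program with network access.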