
[Request]: I propose adding support for self-restriction security measures to Bottles #1818

@ChrysoliteAzalea

Tell us the problem or your need

Hello everyone!

Recently, I was studying the self-restriction measures in OpenBSD and GNU/Linux (specifically, pledge and unveil for OpenBSD and seccomp and Landlock for GNU/Linux). These mechanisms allow a process to impose self-restrictions (for syscall and file access) that cannot be removed and are inherited by child processes created after enabling restrictions. This can enhance the security of managed Wine prefixes.

Describe the solution you'd like

I'd like to propose adding support for unprivileged sandboxing using seccomp and Landlock for GNU/Linux systems (I'm currently looking for a way to implement it and it's possible that I'll add a pull request soon). I'm thinking of creating a syscall whitelist and file access whitelist that can be managed through Bottles GUI.

Other solutions?

Another security option is using mandatory access control systems (such as SELinux and AppArmor). However, since reconfiguring them requires root privileges, the only option is to switch to a pre-loaded dedicated profile for Wine apps. This can be used in addition to seccomp and Landlock.

Additional context and references

seccomp is a Linux kernel feature that allows a process to restrict its access to a defined set of syscalls. Once a filter has been installed, it can never be removed and it's inherited by all child processes created after installation of a filter. A process that is restricted by seccomp (in filter mode) can install an additional filter -- in this case, the only syscalls that will be available are syscalls that are allowed by all installed filters.

Landlock is a Linux security module that allows a process to restrict its file access to a defined set of paths. Like seccomp, these restrictions are also un-removable, can be stacked and are inherited by child processes.
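As an added illustration of the two seccomp properties described in the post above (an installed filter cannot be removed, and a second, stacked filter can only narrow the allowed set further), here is a small C program. It is example code written for this page, not Bottles code and not code from the issue author. It assumes an x86_64, aarch64 or i386 Linux host with seccomp filter mode enabled and the kernel/libc headers installed; the five-syscall whitelist is a constructed minimum that only covers what the forked child needs after the filter is in place, not a whitelist suitable for Wine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pick the audit architecture constant matching the binary we are building,
 * so the filter can refuse syscalls made through a foreign ABI. */
#if defined(__x86_64__)
#define SELF_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SELF_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SELF_ARCH AUDIT_ARCH_I386
#else
#error "unsupported architecture for this example"
#endif

/* Two BPF instructions: if the loaded syscall number equals nr, return ALLOW. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install a whitelist filter: listed syscalls are allowed, everything else
 * fails with EPERM (rather than killing the process) so the child can report. */
static int install_whitelist_filter(void)
{
    struct sock_filter filter[] = {
        /* Kill the process if the syscall ABI is not the one we built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SELF_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the whitelist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(SYS_exit_group),
        ALLOW_SYSCALL(SYS_exit),
        ALLOW_SYSCALL(SYS_rt_sigreturn),
        ALLOW_SYSCALL(SYS_write),
        ALLOW_SYSCALL(SYS_prctl),   /* needed to stack a second filter below */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

    /* An unprivileged process must first promise never to gain privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* A second filter that allows everything: stacking it must NOT widen access. */
static int install_allow_all_filter(void)
{
    struct sock_filter filter[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = filter };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Exit codes the child uses to report its observations back to the parent. */
enum { CHILD_OK = 0, CHILD_INSTALL_FAILED = 1, CHILD_GETPID_ALLOWED = 2,
       CHILD_STACK_FAILED = 3, CHILD_STACK_LIFTED = 4 };

static void restricted_child(void)
{
    if (install_whitelist_filter() != 0)
        _exit(CHILD_INSTALL_FAILED);
    /* getpid is not whitelisted: the raw syscall must now fail with EPERM. */
    if (syscall(SYS_getpid) != -1 || errno != EPERM)
        _exit(CHILD_GETPID_ALLOWED);
    /* Installing a permissive filter on top is permitted (prctl is allowed)... */
    if (install_allow_all_filter() != 0)
        _exit(CHILD_STACK_FAILED);
    /* ...but the earlier restriction stays: the strictest verdict across all
     * installed filters wins, so getpid is still denied. */
    if (syscall(SYS_getpid) != -1 || errno != EPERM)
        _exit(CHILD_STACK_LIFTED);
    _exit(CHILD_OK);
}

/* Fork a child, restrict it, and return the child's exit code (0 means every
 * expectation held). The parent stays unrestricted because the filter was
 * installed after the fork; a child forked after installation would inherit it. */
int run_restricted_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        restricted_child();
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = run_restricted_child();
    printf("restricted child exit code: %d (%s)\n", rc, rc == 0 ? "filter held" : "unexpected");
    return rc == 0 ? 0 : 1;
}
```

Build with `gcc -Wall -o seccomp_demo seccomp_demo.c` and run it unprivileged. The default action is SECCOMP_RET_ERRNO so the demonstration can observe the denial; a real Bottles-style whitelist would more likely want SECCOMP_RET_KILL_PROCESS (or a logging action) for unknown syscalls, and it would have to be far larger, since a Wine process needs many more than five syscalls.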
