
Is it possible to sandbox / firewall a virtual drive?

Author Replies
guises Friday 29 January 2016 at 16:25

I'd like to run some Windows software which is probably not trustworthy and putting it in a PlayOnLinux virtual drive seems like a good way to do that. I'd like to sandbox it though, if that can be done without too much difficulty, but at the very least I need to firewall it - is that possible? Can I just block network access for the whole of that virtual drive?

petch Friday 29 January 2016 at 16:58

guises Friday 29 January 2016 at 17:28

Er, right. I'm aware that Wine is not security software, that's not what I'm asking.

All right, forget the sandboxing part, let me try again: I need to run some software using Wine and I need to prevent that software from connecting to the network. Is there any good way for me to do that using PlayOnLinux?

petch Friday 29 January 2016 at 19:11

Not using Wine, and not using PlayOnLinux; virtual drives are not security boundaries, so that's none of their business.

Maybe using network namespaces, if you're using Linux, but I have no personal experience with that.


guises Friday 29 January 2016 at 19:18

Okay, thanks. I thought I could just run Wine with the networking component disabled or something, but I guess it's not that easy. I don't have a strong understanding of how Wine functions.

petch Saturday 30 January 2016 at 10:51

It's an API translator: basically, the Windows application and Wine together behave like a Linux application; the main "networking component" is the hosting system.

I guess what you describe could be done, but it's not the best place to do that and would have costs, so it's not part of Wine's features.

guises Monday 1 February 2016 at 10:52

Hm. I guess I had envisioned it as more of a virtual machine. Even though, yes, it is Not an Emulator.

I've had a little luck using firejail, so I'll keep playing with it and maybe work something out. Thanks again.

appoloin Wednesday 2 March 2016 at 12:14

Would this work




mviereck Wednesday 30 November 2016 at 14:55

As a sandbox solution, you can use playonlinux in docker. As a tool to run GUI applications like playonlinux in docker, I've scripted a tool, x11docker.

I've published example images containing wine and playonlinux on a dockered LXDE or Xfce desktop:

Docker image containing wine and PlayOnLinux on an LXDE desktop

Docker image containing wine and PlayOnLinux on an Xfce desktop

See README.md for x11docker for usage details. In short, run playonlinux with the command

x11docker --hostuser --home x11docker/xfce-wine-playonlinux playonlinux

To disable internet access, you can run playonlinux in docker with the command

x11docker --hostuser --home -- --net=none x11docker/xfce-wine-playonlinux playonlinux

xuancong Monday 19 February 2018 at 7:53

For blocking network access, you can use unshare, e.g.:

unshare -n <your-command-line>
unshare -n wine <your-program.exe>
unshare -n playonlinux --run "<your-program>"

If you unshare to run playonlinux:

unshare -n playonlinux

then all the launched programs will not be able to access the network.
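
A check to pair with `unshare -n` from the post above, as an added example that is not part of the original thread: a guard that runs inside the new namespace and starts the program only if no interface other than loopback is visible. The script name `netns-guard.sh` and the function names are assumptions, and the sample `/proc/net/dev` text is constructed.

```shell
#!/bin/sh
# Added example: fail-closed guard to run INSIDE the namespace made by
# `unshare -n`; the untrusted program starts only if isolation took effect.

# Constructed /proc/net/dev samples (columns abbreviated, not from a real host).
HDR1='Inter-|   Receive                  |  Transmit'
HDR2=' face |bytes packets errs drop ... |bytes packets errs drop ...'
LO='    lo:    0    0    0    0    0    0    0    0'
ETH='  eth0: 9120   64    0    0 4410   51    0    0'
SAMPLE_UNSHARED_NS=$(printf '%s\n' "$HDR1" "$HDR2" "$LO")
SAMPLE_HOST_NS=$(printf '%s\n' "$HDR1" "$HDR2" "$LO" "$ETH")

# Print every interface name except "lo" from /proc/net/dev-style text on
# stdin. The first two lines of that format are column headers.
non_loopback_ifaces() {
    awk -F: 'NR > 2 { gsub(/[ \t]/, "", $1)
                      if ($1 != "" && $1 != "lo") print $1 }'
}

# Succeed only if the file (default: live /proc/net/dev) lists no interface
# other than loopback. An unreadable file counts as NOT isolated.
netns_is_isolated() {
    dev_file=${1:-/proc/net/dev}
    [ -r "$dev_file" ] || return 1
    [ -z "$(non_loopback_ifaces < "$dev_file")" ]
}

# Replace this shell with "$@" only when the current namespace is isolated.
guarded_exec() {
    if netns_is_isolated; then
        exec "$@"
    fi
    echo "refusing to start; interfaces visible:" >&2
    non_loopback_ifaces < /proc/net/dev >&2
    return 1
}

# With arguments, act as the wrapper; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    guarded_exec "$@"
fi
```

Invoke it as `unshare -n sh netns-guard.sh wine <your-program.exe>`. A network namespace does not cover path-based Unix sockets such as the X11 socket, so the program can still reach those.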