Is it possible to sandbox / firewall a virtual drive?

Author Replies
guises Friday 29 January 2016 at 16:25

I'd like to run some Windows software which is probably not trustworthy and putting it in a PlayOnLinux virtual drive seems like a good way to do that. I'd like to sandbox it though, if that can be done without too much difficulty, but at the very least I need to firewall it - is that possible? Can I just block network access for the whole of that virtual drive?

petch Friday 29 January 2016 at 16:58

guises Friday 29 January 2016 at 17:28

Er, right. I'm aware that Wine is not security software, that's not what I'm asking.

All right, forget the sandboxing part, let me try again: I need to run some software using Wine and I need to prevent that software from connecting to the network. Is there any good way for me to do that using PlayOnLinux?

petch Friday 29 January 2016 at 19:11

Not using Wine, and not using PlayOnLinux; virtual drives are not security boundaries, so that's none of their business.

Maybe using network namespaces, if you're using Linux, but I have no personal experience with that.


guises Friday 29 January 2016 at 19:18

Okay, thanks. I thought I could just run Wine with the networking component disabled or something, but I guess it's not that easy. I don't have a strong understanding of how Wine functions.

petch Saturday 30 January 2016 at 10:51

It's an API translator; basically, the Windows application and Wine together behave like a Linux application, and the main "networking component" is the hosting system.

I guess what you describe could be done, but it's not the best place to do that and it would have costs, so it's not part of Wine's features.

guises Monday 1 February 2016 at 10:52

Hm. I guess I had envisioned it as more of a virtual machine. Even though, yes, it is Not an Emulator.

I've had a little luck using firejail, so I'll keep playing with it and maybe work something out. Thanks again.

appoloin Wednesday 2 March 2016 at 12:14

Would this work

mviereck Wednesday 30 November 2016 at 14:55

As a sandbox solution, you can use playonlinux in docker. As a tool to run GUI applications like playonlinux in docker, I've scripted a tool, x11docker.

I've published example images containing wine and playonlinux on a dockered LXDE or Xfce desktop:

Docker image containing wine and PlayOnLinux on an LXDE desktop

Docker image containing wine and PlayOnLinux on an Xfce desktop

See x11docker for usage details. In short, run playonlinux with the command

x11docker --hostuser --home x11docker/xfce-wine-playonlinux playonlinux

To disable internet access, you can run playonlinux in docker with the command

x11docker --hostuser --home -- --net=none x11docker/xfce-wine-playonlinux playonlinux

xuancong Monday 19 February 2018 at 7:53

For blocking network access, you can use unshare, e.g.:

unshare -n <your-command-line>
unshare -n wine <your-program.exe>
unshare -n playonlinux --run "<your-program>"

If you unshare to run playonlinux:

unshare -n playonlinux

then all the launched programs will not be able to access the network.
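
A wrapper around the `unshare -n` approach from the last post, as an added example that is not part of the thread: it starts the program in a new network namespace and refuses to run it unless that namespace differs from the host's and has no IPv4 routes. Assumptions: the file name `offline.sh`, the `run`/`inside` arguments and exit code 97 are made up for this example, and `-r` is used so that no sudo is needed, which requires unprivileged user namespaces to be enabled on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical usage:
#   sh offline.sh run wine program.exe

# Count IPv4 routes in /proc/net/route-style text on stdin (line 1 is a header).
ipv4_routes() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# is_isolated HOST_NS CUR_NS ROUTE_FILE
# True only if CUR_NS is a different network namespace than HOST_NS and its
# IPv4 routing table is empty, as it is in a freshly created namespace.
is_isolated() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ] || return 1
    [ "$(ipv4_routes < "$3")" -eq 0 ]
}

# Constructed samples so the checks can be exercised offline.
ROUTE_HDR='Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n'
sample_fresh_routes() { printf "$ROUTE_HDR"; }
sample_host_routes() {
    printf "$ROUTE_HDR"
    printf 'eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n'
    printf 'eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n'
}

case "${1:-}" in
run)     # outside: note the host namespace, then re-run this script in a new one
    shift
    HOST_NETNS=$(readlink /proc/self/ns/net); export HOST_NETNS
    # -r maps the caller to root in a new user namespace (assumes unprivileged
    # user namespaces are enabled); -n creates the empty network namespace.
    exec unshare -r -n sh "$0" inside "$@" ;;
inside)  # inside: refuse to start the program unless both checks pass
    shift
    is_isolated "${HOST_NETNS:-}" "$(readlink /proc/self/ns/net)" /proc/net/route ||
        { echo "not isolated, refusing to run: $*" >&2; exit 97; }
    exec "$@" ;;
esac
```

The checks read `/proc/net`, which follows the calling process's network namespace; `/sys/class/net` keeps showing the host's interfaces unless sysfs is remounted, so it is not a reliable place to look.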