commit 75529d1824a1e6602524cb6d6892aae315e75514 Author: Jonathan Schleifer Date: Fri Aug 6 20:35:21 2021 +0200 Initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..063853b
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+bubblewine is a wrapper around wine that uses bubblewrap to properly sandbox
+wine. By default, wine gives full access to the entire file system, while many
+Windows binaries are potentially untrustworthy. The aim of bubblewine is to
+properly sandbox wine so that one can execute Windows binaries on Linux with
+ease of mind that it is unlikely the system gets compromized.
diff --git a/bubblewine b/bubblewine
new file mode 100755
index 0000000..d21f9a0
--- /dev/null
+++ b/bubblewine
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# Copyright (c) 2021 Jonathan Schleifer
+#
+# https://github.com/Midar/bubblewine
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice is present in all copies.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+set -eu
+
+if ! type bwrap >/dev/null 2>&1; then
+ echo "You don't have bubblewrap installed." 2>&1
+ echo "Please install bubblewrap." 2>&1
+ exit 1
+fi
+
+# Create the wine prefix outside the sandbox. For some reason, it hangs when
+# creating it inside the sandbox.
+if [ ! -d "$HOME/.bubblewine" ]; then
+ WINEPREFIX="$HOME/.bubblewine" wineboot
+ WINEPREFIX="$HOME/.bubblewine" wineserver -k
+fi
+
+bwrap \
+ --unshare-user \
+ --unshare-ipc \
+ --unshare-pid \
+ --unshare-uts \
+ --unshare-cgroup \
+ --new-session \
+ --die-with-parent \
+ --ro-bind /usr/bin/wine /usr/bin/wine \
+ --ro-bind /usr/bin/wine-preloader /usr/bin/wine-preloader \
+ --ro-bind /usr/bin/wine32 /usr/bin/wine32 \
+ --ro-bind /usr/bin/wine32-preloader /usr/bin/wine32-preloader \
+ --ro-bind /usr/bin/wine64 /usr/bin/wine64 \
+ --ro-bind /usr/bin/wine64-preloader /usr/bin/wine64-preloader \
+ --ro-bind /usr/bin/wineserver /usr/bin/wineserver \
+ --ro-bind /usr/bin/wineserver32 /usr/bin/wineserver32 \
+ --ro-bind /usr/bin/wineserver64 /usr/bin/wineserver64 \
+ --ro-bind /usr/lib /usr/lib \
+ --ro-bind /usr/lib64 /usr/lib64 \
+ --ro-bind /usr/share/wine /usr/share/wine \
+ --symlink usr/lib /lib \
+ --symlink usr/lib64 /lib64 \
+ --proc /proc \
+ --tmpfs /tmp \
+ --bind "$HOME/.bubblewine" /wineprefix \
+ --setenv WINEPREFIX /wineprefix \
+ wine "$@"