this post was submitted on 17 Nov 2023
12 points (77.3% liked)

Linux Gaming

15797 readers
26 users here now

Gaming on the GNU/Linux operating system.

Recommended news sources:

Related chat:

Related Communities:

Please be nice to other members. Anyone not being nice will be banned. Keep it fun, respectful and just be awesome to each other.

founded 4 years ago
MODERATORS
 

I already have heared about Bottles sandboxing capabilities, but, how this differs from standard Flatpak sandboxing system? Is really secure execute any Windows Software using Bottles? (yes, every machine have his vulnerabilities blah blah)

all 14 comments
sorted by: hot top controversial new old
[–] [email protected] 20 points 11 months ago (1 children)

No, not at all. Bottles just helps you setting up different environments for running programs with Wine. They are not sandboxed in any way. The only thing they do is tell Wine "use this folder as the Windows-C-Drive". And by default the whole root system is exposed as Z to the Wine environment (with the usual Linux permissions). And even if the root drive were not exposed there are not any mechanisms in Wine to prevent a malware from gaining access.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

So... That means the current only way to keep the main system is through Virtual Machines?

[–] [email protected] 5 points 11 months ago (1 children)

Honestly, I wouldn't even trust them. If the malware's goal is to get into your local network it will have achieved that on a virtual machine. And as far as I know there have also been ways to break out of a virtual machine. Probably fixed by now, but who knows what else lurks there.

Just don't run software you don't trust.

[–] [email protected] 1 points 11 months ago (1 children)

I don't trust in any Windows Application at all, but I think this doesn't mean I need to live under a rock. This is the reason because I open this Post. So thank you for you help and your time :) You are very cool.

I think is a good option play videogames in a Virtual Machine when is possible. But I just want to feel "more secure" when I need to play in my host machine, for example, using sandboxing.

[–] [email protected] 2 points 11 months ago

There's a difference between telemetry/tracking which can at least be limited using an isolated VM, and malware which will attempt to take over your computer/network, so it really depends on why you don't trust the program.

Imo, if you just want to run a program that's made for windows (and you trust that it isn't malware), then a VM or potentially even wine by itself would be sufficient. If you want to run something you think might be malware, don't. No amount of virtual isolation will guarantee protection from malware.

[–] [email protected] 12 points 11 months ago (1 children)

Most malware is written for Windows, especially when it's distributed as a Windows executable. (Almost) no Windows malware targets Wine specifically. However, Wine on its own is not a sandboxing tool, and Windows ransomware will ruin your day.

Bottles does two things for security:

  1. Separate wineprefixes
  2. Being a flatpak

By separating wineprefixes, as long as the host filesystem is not directly exposed (which iirc is default for bottles), any malware not written with Wine in mind will only affect its own "bottle".

By being a flatpak, even if some Windows malware specifically targets Wine, it would still have to escape the flatpak sandbox for elevated permissions. If the bottles flatpak has no access to personal files, "Wine-aware" malware won't either.

Although malware can still do damage, even in its own sandbox. For example, botnet type malware would still function. The host system is "safe", but the damage can still be done externally. Usually application-defined "autostarting" of applications is broken under Wine (iirc), which means all non "Wine-aware" malware will only start when an infected windows application is started in bottles.

Any sandbox will eventually be escaped, and malware sophisticated enough will be able to get access to everything on the host system. The chances of running into malware like this in the wild are extremely small.

  • Is it fully secure? No.
  • Is your virtual Windows environment safe? No.
  • Are other "bottles" safe? Likely, as long as the malware isn't aware of Wine.
  • Is your Linux host safe? Most likely, depending on your flatpak settings. (and the malware has to specifically target Wine under Flatpak).
[–] [email protected] 4 points 11 months ago* (last edited 11 months ago)

These are pretty good news! Thank you for explain in a better form the context of situation.

Actually, sounds cool. Now feel sure I can run cs1.6 no steam with 18 trojans detected by VirusTotal from a pakistani server and don't scare me because I will use Bottles into a Arch Linux Virtual Machine lmao (this is just a sarcasm, in any case, I also bought cs1.6. I think there are only hackers anyways)

[–] [email protected] 7 points 11 months ago* (last edited 11 months ago) (1 children)

As others have said, no it's not really secure.

But you could always use something like Firejail or Bubblejail to properly sandbox your applications. Also, using technologies like SELinux or AppArmor helps improve your security profile and could protect you against unknown/future exploits.

But most importantly, the best security measure you can take is keeping your system up-to-date, especially kernel updates. Unfortunately, if you're using some small-time distro, they may not update frequently or may not be as quick to respond to security incidents. Even some old-time reputable distros have been pretty bad at updating, like Linux Mint for example.

Also, consider using an immutable distro for added security, preferably one which has SELinux enabled and configured out-of-the-box, such as Bazzite.

[–] [email protected] 2 points 11 months ago

I forgot Firejail and Bubblejail. These are good tools. I mean, only need to learn use it xd But actually sounds good.

[–] [email protected] 7 points 11 months ago (2 children)

Huh? Why do you compare bottles, which is a way of simplifying running windows applications via wine, with flatpaks which contains native linux applications?

[–] [email protected] 5 points 11 months ago (1 children)

Because Bottles is distributed via Flatpak, which is...

Safe. Sandboxed.

Because...

Your bottles are isolated from the system and will only hit your personal files when you decide.

The full-sandbox is provided and pre-configured only using the Flatpak package (highly recommended).

All other packages still have access to the partial sandbox which isolates the bottle files and prevents them from accessing your homedir.

(This is a extract from the official homepage in the last section)

[–] [email protected] -1 points 11 months ago

Apparently the "logic" behind this is simply, "because both isolate stuff".