Comment 12 for bug 401950

Alexandre Julliard (julliard) wrote:

(In reply to comment #8)
> I thought the security of CAP_SYS_RAWIO rather than mmap_min_addr wasn't to
> make Wine more secure, but to make the system more secure when Wine isn't
> running. The kernel bug above, for instance, was exploitable by non-wine
> programs if the user merely had Wine installed.

Yes, but it doesn't make much difference, because all you have to do is to wrap the exploit in a DOS binary and run it with Wine. Either way, if Wine is installed you can exploit the bug. Dropping the caps wouldn't really help either, since you can't distinguish a malicious DOS app from a legitimate one. The only way is to not support DOS apps at all.