Wine is not a sandbox, but come on. Everyone has been using it as if it were.
Even Bottles was only a prefix-manager until a couple months ago.
I think it should be and also disallow Linux syscalls and Z: drive accesses by default from within the "sandbox" on top of that in order to reduce the attack surface.
> I think it should be and also disallow Linux syscalls and Z: drive accesses by default from within the "sandbox" on top of that in order to reduce the attack surface.
This is not even remotely sufficient. A malicious application could modify the memory pages of WINE code and execute direct syscalls anyway.
If you want sandboxing, use a Linux sandboxing solution on WINE. It's far too late to try to bolt on sandboxing now.
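A practical version of the reply's advice, added here as an example and not code from either poster: first audit which drive letters in a Wine prefix reach the host filesystem (the default "z:" mapping points at "/"), then launch Wine under bubblewrap so the host is not reachable even if the application ignores the drive mappings. It assumes `bwrap` is installed, a merged-/usr layout, and an X11 display socket in /tmp/.X11-unix.

```shell
#!/bin/sh
# Added example (not from the thread): audit and sandbox a Wine prefix.

# List every drive letter in $1/dosdevices whose target resolves outside
# the prefix, one "letter -> target" per line. Like grep, exits 0 when
# at least one exposed drive was found and 1 when none was.
wine_exposed_drives() {
    prefix=$(readlink -f "$1") || return 2
    found=1
    for link in "$prefix"/dosdevices/*:; do
        [ -L "$link" ] || continue
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$prefix"|"$prefix"/*) ;;   # stays inside the prefix: fine
            *) echo "$(basename "$link") -> $target"; found=0 ;;
        esac
    done
    return $found
}

# Run Wine inside bubblewrap: the system tree is read-only, only the
# prefix is writable, and the host home and the real "/" are not mounted,
# so "z:" (or a direct syscall) cannot reach the user's files.
# Assumptions: bwrap present, merged /usr (so /lib, /lib64 and /bin are
# symlinks into /usr), X11 socket in /tmp/.X11-unix.
wine_sandboxed() {
    prefix=$(readlink -f "$1") || return 2
    shift
    exec bwrap \
        --ro-bind /usr /usr --ro-bind /etc /etc \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc --dev /dev --tmpfs /tmp \
        --bind /tmp/.X11-unix /tmp/.X11-unix \
        --bind "$prefix" "$prefix" \
        --unshare-all --share-net --die-with-parent --new-session \
        --setenv WINEPREFIX "$prefix" \
        wine "$@"
}
```

Usage: `wine_exposed_drives ~/.wine` to see what the prefix exposes, then `wine_sandboxed ~/.wine app.exe` to run the program with only that prefix bound.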