Is there a way to restrict Wine to its wineprefix so that it can't read files outside it?

What is a good way to completely secure my system from potentially malicious software that can be run through Wine, if it is possible at all?

I just want to avoid my home directory being wiped by a random Windows .exe.

1 Answer

Reading your question I agree with your concern, and I think that it is easier, safer and the default behaviour to run Windows applications inside a virtual machine (such as VirtualBox [0], for example) that can be either totally isolated from your system (and from the network) or given a limited set of shared folders.

On the other hand, it is always possible to run Wine as a different user, let us say MrWine, in a group different from yours, then give that user access to your local Wine path and close your directories and files to MrWine's group (simply to the "others" of the Unix world [1], as it is by default). You can close yourself off, but you will still have some parts of the system accessible to Wine. It's rare that malware would be designed for or effective against this, but if you want to be more sure you again need to run in a separate closed environment such as a virtual machine.

Searching on the internet I found an interesting link [2] that is in agreement with this approach and that gives a step-by-step procedure, with the difference that it uses the Wine directory of the MrWine user. Below are the steps, with some untested modifications, so you can refer directly to the original post too.


  1. Install wine
  2. Create and set up an account for MrWine (the command should be different)

    sudo adduser --disabled-login --shell /sbin/nologin MrWine
    sudo usermod --append --groups audio MrWine   # the new user, not "wine"
    
  3. Permit your own user account to launch commands under the Mrwine account with sudo

    sudo env VISUAL=/usr/bin/gedit visudo   # maybe sudo visudo is enough
    FedComp ALL=(MrWine) NOPASSWD: ALL      # Use your linux names here
    
  4. Stop Wine being used by any other user accounts, so you cannot run Wine by mistake as your own user without sudo

    sudo chown -R MrWine:MrWine ~/.wine  
    sudo chmod -R o-rwx ~/.wine
    
    # The following lines can be dangerous if there are files
    # called wine* in the /usr/bin directory that are not part of the Wine program

    sudo chown root:MrWine /usr/bin/wine*   # adduser created a group named MrWine
    sudo chmod o-x /usr/bin/wine*
    
  5. You may want to change the umask from 022 to 027

    umask 027 
    
  6. Create your launcher for Wine, in which you give MrWine graphical access to the X server (with xhost +SI:localuser:MrWine). Better to put it in a script similar to the following one (let's call it RunWine.sh, chmod u+x RunWine.sh)

    #!/bin/bash
    # Let the local user MrWine connect to your X server. The xhost syntax is
    # +SI:localuser:<user>, with "localuser" literally (not your own username);
    # revoke it later with: xhost -SI:localuser:MrWine
    xhost +SI:localuser:MrWine

    # Each NAME=VALUE must be a separate word: quoting the whole list as one
    # string would make env set HOME to the entire string. DISPLAY is passed
    # explicitly in case sudo's env_reset strips it.
    sudo -u MrWine env HOME=/home/MrWine USER=MrWine USERNAME=MrWine \
        LOGNAME=MrWine DISPLAY="$DISPLAY" wine "$@"
    
  7. Install and run a program as MrWine

    sudo chown MrWine:MrWine /home/MrWine/.wine/drive_c/My\ Installer.exe
    ~/RunWine.sh "C:\My Installer.exe"
    ~/RunWine.sh "C:\Program Files\ProgDir\ProgName.exe" 
    

Please refer to the original blog for further explanations [2].
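The steps above only work if nothing you care about is left open to "other", since a Wine process running as a user in its own group reaches your files exactly through those bits. The following audit script is an added example, not part of the answer above or of the linked blog post: it checks steps 4 and 5 (closing a tree to "other", stripping o+x from the Wine binaries, and the 027 umask) without needing root, and it shows why the launcher's env line must pass each NAME=VALUE as a separate word. The user name MrWine and the scratch directory it builds are assumptions made for the example.

```shell
#!/bin/bash
# Added example for the "run Wine as user MrWine" setup: audit helpers that run
# as an ordinary user. MrWine (assumed, as in the answer) is in a group of its
# own, so anything that grants bits to "other" is reachable from Wine.

# Print every entry under ROOT that grants any of the bits BITS (subset of rwx)
# to "other". Extra arguments are passed to find as filters. Returns 0 when
# nothing leaks, 1 otherwise.
leaks_to_others() {
    local root="$1" bits="$2"
    shift 2
    local found
    found=$(find "$root" "$@" -perm "/o=$bits" 2>/dev/null | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Same check, but only report how many entries leak.
count_leaks_to_others() {
    leaks_to_others "$@" | wc -l | tr -d ' '
}

# Step 4 of the answer: close a tree to "other" (what chmod -R o-rwx does).
close_to_others() {
    chmod -R o-rwx "$1"
}

# Step 5 of the answer: create a directory and a file under $1 with umask 027
# and report how many of the new entries are open to "other" (expected: 0,
# since 0777 & ~027 = 0750 and 0666 & ~027 = 0640).
created_with_umask() {
    local dir="$1/umask-test"
    ( umask 027 && mkdir "$dir" && : > "$dir/file" )
    count_leaks_to_others "$dir" rwx
}

# Step 6 of the answer: what a child started through env sees as $HOME.
# env "HOME=/a USER=b" (one word) sets HOME to the whole string;
# env HOME=/a USER=b (two words) sets both variables as intended.
home_seen_by_child() {
    env "$@" sh -c 'printf %s "$HOME"'
}

# Constructed scratch tree standing in for a home directory: one closed
# directory (0750, file 0640) and one leaky directory (0755) holding a
# world-executable file named like a Wine binary. Prints its path.
make_scratch() {
    local scratch
    scratch=$(mktemp -d)
    mkdir -m 0750 "$scratch/private"
    mkdir -m 0755 "$scratch/leaky"
    : > "$scratch/private/notes.txt"; chmod 0640 "$scratch/private/notes.txt"
    : > "$scratch/leaky/wine";        chmod 0755 "$scratch/leaky/wine"
    printf '%s\n' "$scratch"
}

# Walk through the audit on the scratch tree and print what each step finds.
audit_demo() {
    local s
    s=$(make_scratch)
    echo "Entries open to other before closing:"
    leaks_to_others "$s" rwx || true
    echo "wine* binaries executable by other:"
    leaks_to_others "$s" x -name 'wine*' || true
    echo "New entries leaking under umask 027: $(created_with_umask "$s")"
    close_to_others "$s"
    echo "Entries open to other after chmod -R o-rwx: $(count_leaks_to_others "$s" rwx)"
    echo "HOME with one quoted word : $(home_seen_by_child "HOME=/home/MrWine USER=MrWine")"
    echo "HOME with separate words  : $(home_seen_by_child HOME=/home/MrWine USER=MrWine)"
    rm -rf "$s"
}

case "${1-}" in --demo) audit_demo ;; esac
```

For the real audit, run `leaks_to_others "$HOME" rwx` after step 4 (anything it lists is readable, writable or traversable by MrWine) and `leaks_to_others /usr/bin x -name 'wine*'` to confirm the chmod o-x on the Wine binaries took effect; `./audit.sh --demo` runs the walkthrough on the scratch tree only. The umask check uses a subshell so the script's own umask is untouched.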
