Skip to content
/ bwrap-mc-java Public

Tries to sandbox Minecraft in a per instance way in PrismLauncher

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Trains77/bwrap-mc-java

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bwrap-mc-java
bwrap-mc-java
 
 

Repository files navigation

bwrap-mc-java

Tries to sandbox Minecraft in a per instance way in PrismLauncher

  • Does not work with Flatpak version of the launcher

The goal of the script is to provide stronger sandboxing by isolating just the Minecraft game itself, and not the launcher

The script requires both bwrap and slirp4netns, can also optionally use Sommelier for X11 sandboxing,

To use the script, set it to be the wrapper command in your launcher's settings

Do note this script is made primarily made for my own personal use, so there are some things in it that I use/want that you may want to change or remove

  • Sandbox assumes by default that the vpn interface is wg0-mullvad, and non-vpn interface is wlan0, you can set these 2 variables near the top of the script
  • The current users uid is by default mapped to 3581 in the sandbox, which shouldn't break anyhting but you can change it to be the user's normal uid near the top of the script
  • Discord's socket is not bound in the sandbox, you would need to add that argument yourself
  • Instances whose paths include a space do not work
  • Some versions or mods may not work with the sandbox
    • Mods that self update themselves may not work
  • The script will try to load a seccomp filter from ~/.sandboxing/seccomp_default_filter.bpf if it exists

Variables

Additionally, the scripts accepts settings in the form of environment variables set within the launcher, the following are:

AUDIO_BACKEND - Can be "pipewire", "pulseaudio", "none", or "both" defines which audio system to share with the sandbox, defaults to "none"

DISABLE_LOOPBACK - Can be either "true" or "false", defines Whether or not the sandbox should be able to reach the host's loopback address, defaults to "true"

DISABLE_NETWORKING - Can be either either "true" or "false", defines whether or not the sandbox should get any networking, defaults to false

SHARE_X11 - Can be "true", "sommelier", or "false". Defines whether or not the sandbox should get direct access to the X11 server, a sandboxed X11 server through Sommelier, or no X11 server at all, defaults to false

MORE_VERBOSE - Does nothing, defaults to false

VPN_CONNECT_ONLY - Can be either "true", "force-disabled", or "false", Defines if Minecraft should be forced to use a vpn connection, force-disabled tries to force the sandbox to not use the vpn, defaults to false

BIND_HOME_MINECRAFT_FOLDER_ITEMS - If the following folders in ~/.minecraft should be bound into the sandbox: screenshots, saves, shaderpacks, optionsof.txt, and read-only resourcepacks, useful if you want to share these folders between instances, defaults to false

BIND_ADDITIONAL_FOLDERS - Mount additional space-seperated files and folders into the sandbox, does not support paths with a space in them

BIND_ADDITIONAL_FOLDERS_RO - Same as BIND_ADDITIONAL_FOLDERS but bind as read only

About

Tries to sandbox Minecraft in a per instance way in PrismLauncher

Topics

minecraft sandboxing bwrap prismlauncher

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages