Merge pull request #675 from ivan-hc/dev

Improve "--sandbox"

APP-MANAGER

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-AMVERSION="6.12-1"
+AMVERSION="6.12.1"
 
 # Determine main repository and branch
 AMREPO="https://github.com/ivan-hc/AM/main"
@@ -30,8 +30,7 @@ function _clean_amcachedir() {
 }
 
 APPMANCONFIG="$CONFIGDIR/appman"
-
-export SCRIPTDIR="$(if command -v xdg-user-dir &>/dev/null; then xdg-user-dir DESKTOP; else echo $HOME; fi)"
+export SCRIPTDIR="$(xdg-user-dir DESKTOP 2>/dev/null || echo "$HOME")"
 
 # Determine sytem package manager
 function _system_package_manager_check() {

README.md

@@ -40,7 +40,7 @@ You can consult the entire **list of managed apps** at [**portable-linux-apps.gi
 - [Backup and restore installed apps using snapshots](#backup-and-restore-installed-apps-using-snapshots)
 - [Remove one or more applications](#remove-one-or-more-applications)
 - [Convert Type2 AppImages requiring libfuse2 to Type3 AppImages](#convert-type2-appimages-requiring-libfuse2-to-type3-appimages)
-- [Drag local AppImages to integrate them into the application menu](#drag-local-appimages-to-integrate-them-into-the-application-menu)
+- [Integrate local AppImages into the menu by dragging and dropping them, as you do with AppImageLauncher](#integrate-local-appimages-into-the-menu-by-dragging-and-dropping-them-as-you-do-with-appimagelauncher)
 - [How to use "AM" in non-privileged mode, like "AppMan"](#how-to-use-am-in-non-privileged-mode-like-appman)
 - [Sandbox an AppImage](#sandbox-an-appimage)
 - [How to enable bash completion](#how-to-enable-bash-completion)
@@ -699,7 +699,7 @@ This section is committed to giving small demonstrations of each available optio
   - [Backup and restore installed apps using snapshots](#backup-and-restore-installed-apps-using-snapshots)
   - [Remove one or more applications](#remove-one-or-more-applications)
   - [Convert Type2 AppImages requiring libfuse2 to Type3 AppImages](#convert-type2-appimages-requiring-libfuse2-to-type3-appimages)
-  - [Drag local AppImages to integrate them into the application menu](#drag-local-appimages-to-integrate-them-into-the-application-menu)
+  - [Integrate local AppImages into the menu by dragging and dropping them, as you do with AppImageLauncher](#integrate-local-appimages-into-the-menu-by-dragging-and-dropping-them-as-you-do-with-appimagelauncher)
   - [How to use "AM" in non-privileged mode, like "AppMan"](#how-to-use-am-in-non-privileged-mode-like-appman)
   - [Sandbox an AppImage](#sandbox-an-appimage)
   - [How to enable bash completion](#how-to-enable-bash-completion)
@@ -852,7 +852,7 @@ If also the second step does not succeed either, the process will end with an er
 ------------------------------------------------------------------------
 
 __________________________________________________________________________
-### Drag local AppImages to integrate them into the application menu
+### Integrate local AppImages into the menu by dragging and dropping them, as you do with AppImageLauncher
 If you are a user who is used to dragging your local AppImages scattered around the system and if you are a user who likes clutter and wants to place their packages in different places... this option is for you.
 
 The option `--launcher` allows you to drag and drop a local AppImage to create a launcher to place in the menu, like [AppImageLauncher](https://github.com/TheAssassin/AppImageLauncher) or [Gear Lever](https://github.com/mijorus/gearlever), or any other classic AppImage package helper would... but in SHELL.
@@ -908,6 +908,7 @@ or
 appman --sandbox $APP
 ```
 - if the "aisap" package is not installed, you will be asked if you want to install it via "AM"/AppMan;
+- you will be asked if your AppImages can have access to the main XDG directories (Pictures, Videos, Documents... using the system language);
 - requires replacing the symlink in $PATH with a script ("AM" users will need the root password);
 - to work, the Appimage will be set to "not executable", and the AM-updater will also have its `chmod` command set to `a-x` instead of `a+x`.
 
@@ -917,9 +918,11 @@ To restore the use of the AppImage without sandbox, you need to run the applicat
 ```
 $APP --disable-sandbox
 ```
-https://github.com/ivan-hc/AM/assets/88724353/420bfa1c-274f-4ac3-a79f-78ad64f01254
+In the video we will use "Baobab" (GTK3 version), a disk space analyzer, available in the database as "baobab-gtk3", and giving it read/write permissions only in "Video" (the Italian for "Videos") :
 
-For more information aboit "Aisap", visit https://github.com/mgord9518/aisap
+https://github.com/ivan-hc/AM/assets/88724353/79c1b4af-53d8-4175-9a28-136804059f6e
+
+For more information about "Aisap", visit https://github.com/mgord9518/aisap
 
 Available profiles are listed at https://github.com/mgord9518/aisap/tree/main/profiles
 

modules/sandboxes.am

@@ -42,15 +42,14 @@ case "$1" in
 			echo " '$2' is not a valid argument or is not installed."; exit
 		elif [ "$2" = "aisap" ]; then
 			echo " Error: You can't sandbox aisap"; exit 1
-		elif ! command -v am 1>/dev/null && ! command -v appman 1>/dev/null; then
-			echo -e " Error: You need AM or AppMan for this script work\nInstall AM/AppMan and try again"; exit 1
 		elif ! command -v aisap 1>/dev/null; then
-			echo -e " Error: You need aisap for this script work\n"
-			read -p " ◆ DO YOU WISH TO INSTALL AISAP (y,n)?: " yn
-			if echo "$yn" | grep -i '^y' >/dev/null 2>&1; then
-				$AMCLIPATH -i aisap >/dev/null 2>&1
+			printf '\n%s\n\n' " Error: You need aisap for this script work"
+			read -p " ◆ DO YOU WISH TO INSTALL AISAP? Install size <5 MIB, (Y/n)?: " yn
+			if echo "$yn" | grep -i '^n' >/dev/null 2>&1; then
+				printf '\n%s\n\n' "Installation aborted"; exit 1
 			fi
-			command -v aisap 1>/dev/null && echo " aisap installed successfully" || exit 1
+			$AMCLIPATH -i aisap >/dev/null 2>&1
+			command -v aisap 1>/dev/null && printf '\n%s\n\n' " aisap installed successfully" || exit 1
 		fi
 
 		# Set variables
@@ -70,15 +69,26 @@ case "$1" in
 			echo " $TARGET doesn't look like an AppImage, aborting"; exit 1
 		fi
 
-		# Remove the exec permission from the AppImage and its updater for better safety™
-		$SUDOCOMMAND rm -f "$TARGET" &&
-		chmod a-x "$APPIMAGE" &&
-		sed -i 's|chmod a+x|chmod a-x|g' "$APPIMAGEPATH/AM-updater" || exit 1
-
 		# Check if we are using AM or AppMan
-		echo -e "\n Making aisap script for \"$(echo "$AMCLI" | tr a-z A-Z)\"..."
+		printf '\n%s\n' " Making aisap script for \"$(echo "$AMCLI" | tr a-z A-Z)\"..."
 
+		rm -Rf "$AMCACHEDIR/sandbox-scripts"
 		mkdir -p "$AMCACHEDIR/sandbox-scripts"
+
+		# Get xdg variables
+		XDG_DOWNLOAD_DIR="$(xdg-user-dir DOWNLOAD 2>/dev/null)"
+		XDG_MUSIC_DIR="$(xdg-user-dir MUSIC 2>/dev/null)"
+		XDG_PICTURES_DIR="$(xdg-user-dir PICTURES 2>/dev/null)"
+		XDG_VIDEOS_DIR="$(xdg-user-dir VIDEOS 2>/dev/null)"
+		XDG_DOCUMENTS_DIR="$(xdg-user-dir DOCUMENTS 2>/dev/null)"
+
+		# Unset the xdg variable if it equals to $HOME
+		if [ "$XDG_DOWNLOAD_DIR" = "$HOME" ] || [ "$XDG_DOWNLOAD_DIR" = "$HOME/" ]; then XDG_DOWNLOAD_DIR=""; fi
+		if [ "$XDG_MUSIC_DIR" = "$HOME" ] || [ "$XDG_MUSIC_DIR" = "$HOME/" ]; then XDG_MUSIC_DIR=""; fi
+		if [ "$XDG_PICTURES_DIR" = "$HOME" ] || [ "$XDG_PICTURES_DIR" = "$HOME/" ]; then XDG_PICTURES_DIR=""; fi
+		if [ "$XDG_VIDEOS_DIR" = "$HOME" ] || [ "$XDG_VIDEOS_DIR" = "$HOME/" ]; then XDG_VIDEOS_DIR=""; fi
+		if [ "$XDG_DOCUMENTS_DIR" = "$HOME" ] || [ "$XDG_DOCUMENTS_DIR" = "$HOME/" ]; then XDG_DOCUMENTS_DIR=""; fi
+
 		cat <<-"HEREDOC" >> "$AMCACHEDIR/sandbox-scripts/$2"
 		#!/bin/sh
 
@@ -100,50 +110,108 @@ case "$1" in
 		DATADIR="${XDG_DATA_HOME:-$HOME/.local/share}"
 		CONFIGDIR="${XDG_CONFIG_HOME:-$HOME/.config}"
 		CACHEDIR="${XDG_CACHE_HOME:-$HOME/.cache}"
+
+		XDG_DOWNLOAD_DIR="$(xdg-user-dir DOWNLOAD 2>/dev/null)"
+		XDG_MUSIC_DIR="$(xdg-user-dir MUSIC 2>/dev/null)"
+		XDG_PICTURES_DIR="$(xdg-user-dir PICTURES 2>/dev/null)"
+		XDG_VIDEOS_DIR="$(xdg-user-dir VIDEOS 2>/dev/null)"
+		XDG_DOCUMENTS_DIR="$(xdg-user-dir DOCUMENTS 2>/dev/null)"
+
+		if [ "$XDG_DOWNLOAD_DIR" = "$HOME" ] || [ "$XDG_DOWNLOAD_DIR" = "$HOME/" ]; then XDG_DOWNLOAD_DIR=""; fi
+		if [ "$XDG_MUSIC_DIR" = "$HOME" ] || [ "$XDG_MUSIC_DIR" = "$HOME/" ]; then XDG_MUSIC_DIR=""; fi
+		if [ "$XDG_PICTURES_DIR" = "$HOME" ] || [ "$XDG_PICTURES_DIR" = "$HOME/" ]; then XDG_PICTURES_DIR=""; fi
+		if [ "$XDG_VIDEOS_DIR" = "$HOME" ] || [ "$XDG_VIDEOS_DIR" = "$HOME/" ]; then XDG_VIDEOS_DIR=""; fi
+		if [ "$XDG_DOCUMENTS_DIR" = "$HOME" ] || [ "$XDG_DOCUMENTS_DIR" = "$HOME/" ]; then XDG_DOCUMENTS_DIR=""; fi
+
+		# Try to find the right name of the app xdg directories, as sometimes it is not the same as $APPNAME
+		APPDATA=$( ls "$DATADIR" | grep -i "$APPNAME" | head -1 )
+		APPCONF=$( ls "$CONFIGDIR" | grep -i "$APPNAME" | head -1 ) 
+
 		mkdir -p "$SANDBOXDIR/$APPNAME"
 		if [ "$1" = "--disable-sandbox" ]; then
 			APPIMAGEPATH="$(echo ${APPEXEC%/*})"
-			echo "\n Giving exec permissions back to $APPEXEC..."
+			printf '\n%s' " Giving exec permissions back to $APPEXEC..."
 			chmod a+x "$APPEXEC" || exit 1
-			echo " Patching $APPIMAGEPATH/AM-updater to give permissions back..."
+			printf '\n%s' " Patching $APPIMAGEPATH/AM-updater to give permissions back..."
 			sed -i 's|chmod a-x|chmod a+x|g' "$APPIMAGEPATH/AM-updater" || exit 1
 			THISFILE="$(realpath "$0")"
-			echo " Replacing $THISFILE with a link to the AppImage...\n"
+			printf '\n%s\n' " Replacing $THISFILE with a link to the AppImage..."
 			SUDO ln -sf "$APPEXEC" "$THISFILE" || exit 1
-			echo " \033[32m$APPEXEC successfully unsandboxed!\n"
+			printf '\033[32m\n%s\n\n' " $APPEXEC successfully unsandboxed!"
 			exit 0
 		fi
+		if [ -z "$APPNAME" ]; then exit 1; fi
 
 		# Start at sandboxed home
 		# Edit below this to add or remove access to parts of the system
 		exec aisap --trust-once --level 2 \
 		--data-dir "$SANDBOXDIR/$APPNAME" \
-		--add-file "$DATADIR/$APPNAME":rw \
+		--add-file "$DATADIR/${APPDATA:-$APPNAME}":rw \
 		--add-file "$DATADIR"/themes \
 		--add-file "$DATADIR"/icons \
-		--add-file "$CONFIGDIR/$APPNAME":rw \
+		--add-file "$CONFIGDIR/${APPCONF:-$APPNAME}":rw \
+		--add-file "$CONFIGDIR"/dconf \
 		--add-file "$CONFIGDIR"/gtk3.0 \
 		--add-file "$CONFIGDIR"/gtk4.0 \
 		--add-file "$CONFIGDIR"/kdeglobals \
 		--add-file "$CONFIGDIR"/qt5ct \
 		--add-file "$CONFIGDIR"/qt6ct \
 		--add-file "$CONFIGDIR"/Kvantum \
 		--add-file "$HOME"/.local/lib \
+		--add-file /usr/share \
+		--rm-file "${XDG_DOWNLOAD_DIR:-~/Downloads}" \
+		--rm-file "${XDG_MUSIC_DIR:-~/Music}" \
+		--rm-file "${XDG_PICTURES_DIR:-~/Pictures}" \
+		--rm-file "${XDG_VIDEOS_DIR:-~/Videos}" \
+		--rm-file "${XDG_DOCUMENTS_DIR:-~/Documents}" \
+		--add-socket dbus \
 		--add-socket x11 \
 		--add-socket wayland \
 		--add-socket pulseaudio \
 		--add-socket network \
 		--add-device dri -- \
 		"$APPEXEC" "$@"
 		HEREDOC
+		printf '\033[36m\n'
+		read -p " Allow $2 access to ${XDG_DOWNLOAD_DIR:-~/Downloads}? (y/N): " yn
+		if echo "$yn" | grep -i '^y' >/dev/null 2>&1; then
+			sed -i 's|--rm-file "${XDG_DOWNLOAD_DIR:-~/Downloads}"|--add-file "${XDG_DOWNLOAD_DIR:-~/Downloads}":rw|g' "$AMCACHEDIR/sandbox-scripts/$2" || exit 1
+		fi
+		read -p " Allow $2 access to ${XDG_DOCUMENTS_DIR:-~/Documents}? (y/N): " yn
+		if echo "$yn" | grep -i '^y' >/dev/null 2>&1; then
+			sed -i 's|--rm-file "${XDG_DOCUMENTS_DIR:-~/Documents}"|--add-file "${XDG_DOCUMENTS_DIR:-~/Documents}":rw|g' "$AMCACHEDIR/sandbox-scripts/$2" || exit 1
+		fi
+		read -p " Allow $2 access to ${XDG_MUSIC_DIR:-~/Music} (y/N): " yn
+		if echo "$yn" | grep -i '^y' >/dev/null 2>&1; then
+			sed -i 's|--rm-file "${XDG_MUSIC_DIR:-~/Music}"|--add-file "${XDG_MUSIC_DIR:-~/Music}":rw|g' "$AMCACHEDIR/sandbox-scripts/$2" || exit 1
+		fi
+		read -p " Allow $2 access to ${XDG_PICTURES_DIR:-~/Pictures} (y/N): " yn
+		if echo "$yn" | grep -i '^y' >/dev/null 2>&1; then
+			sed -i 's|--rm-file "${XDG_PICTURES_DIR:-~/Pictures}"|--add-file "${XDG_PICTURES_DIR:-~/Pictures}":rw|g' "$AMCACHEDIR/sandbox-scripts/$2" || exit 1
+		fi
+		read -p " Allow $2 access to ${XDG_VIDEOS_DIR:-~/Videos} (y/N): " yn
+		if echo "$yn" | grep -i '^y' >/dev/null 2>&1; then
+			sed -i 's|--rm-file "${XDG_VIDEOS_DIR:-~/Videos}"|--add-file "${XDG_VIDEOS_DIR:-~/Videos}":rw|g' "$AMCACHEDIR/sandbox-scripts/$2" || exit 1
+		fi
+		printf '\n\033[33m%s\n' " User directories access configured successfully!"
+
+		chmod a+x "$AMCACHEDIR/sandbox-scripts/$2" && sed -i "s|DUMMY|$APPIMAGE|g; s|SUDO |$SUDOCOMMAND |g" "$AMCACHEDIR/sandbox-scripts/$2" || exit 1
+
+		# Remove the exec permission from the AppImage and its updater for better safety™
+		$SUDOCOMMAND rm -f "$TARGET" && chmod a-x "$APPIMAGE" &&
+		sed -i 's|chmod a+x|chmod a-x|g' "$APPIMAGEPATH/AM-updater" || exit 1
+
+		# Put sandbox script in the place of the appimage symlink
 		$SUDOCOMMAND mv "$AMCACHEDIR/sandbox-scripts/$2" "$TARGET" && rmdir "$AMCACHEDIR/sandbox-scripts" || exit 1
-		$SUDOCOMMAND chmod a+x "$TARGET" && $SUDOCOMMAND sed -i "s|DUMMY|$APPIMAGE|g; s|SUDO |$SUDOCOMMAND |g" "$TARGET" || exit 1
-		echo -e "\n \033[33m\"$2\" successfully sandboxed!"
-		echo -e "\n \033[0mThe sandboxed app home will be in "${SANDBOXDIR:-$HOME/.local/am-sandboxes}" once launched"
-		echo -e "\n This location can be moved by setting the 'SANDBOXDIR' env variable"
-		echo -e "\n --------------------------------------------------------------------------"
-		echo -e "\n \033[33mUse the --disable-sandbox flag if you want to revert the changes"
-		echo -e "\n \033[0mIn this case that is: \033[33m$2 --disable-sandbox\n"
+
+		printf '\n%s\n' " \"$2\" successfully sandboxed!"
+		printf '\n\033[0m%s\n' " The app will be sandboxed in \"${SANDBOXDIR:-$HOME/.local/am-sandboxes}\" once launched"
+		printf '\n%s\n' " This location can be moved by setting the 'SANDBOXDIR' env variable"
+		printf '\n%s\n' " --------------------------------------------------------------------------"
+		printf '\n\033[33m%s\n' " Use the --disable-sandbox flag if you want to revert the changes"
+		printf '\n\033[0m%s' " In this case that is:"
+		printf '\033[33m%s\033[36m\n\n' " $2 --disable-sandbox"
+
 		exit 0
 	done