Merge pull request #1180 from ivan-hc/dev

"AM" 9.3, allow enable sandoxing when installing AppImages

APP-MANAGER

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-AMVERSION="9.2"
+AMVERSION="9.3"
 
 # Determine main repository and branch
 AMREPO="https://raw.githubusercontent.com/ivan-hc/AM/main"
@@ -383,7 +383,7 @@ available_options="about add apikey backup clean config disable downgrade downlo
 	install install-appimage launcher list lock neodb newrepo nolibfuse off on overwrite purge query remove sandbox \
 	select sync template test unlock update --all --appimages --apps --byname --config --convert --debug \
 	--devmode-disable --devmode-enable --disable-notifications --enable-notifications --force-latest --home --icons \
-	--launcher --less --pkg --rollback --disable-sandbox --sandbox --system --toolpack --user"
+	-ias --launcher --less --pkg --rollback --disable-sandbox --sandbox --system --toolpack --user"
 
 function _completion_lists() {
 	# Remove existing lists and download new ones
@@ -1072,7 +1072,7 @@ case "$1" in
 		;;
 	'download'|'-d'|\
 	'extra'|'-e'|\
-	'install'|'-i'|\
+	'install'|'-i'|'-ias'|\
 	'install-appimage'|'-ia')
 		MODULE="install.am"
 		_online_check
@@ -1224,18 +1224,21 @@ case "$1" in
 					${LightBlue}$AMCLI -i {PROGRAM}
 					${LightBlue}$AMCLI -i --debug {PROGRAM}
 					${LightBlue}$AMCLI -i --force-latest {PROGRAM}
-					${LightBlue}$AMCLI -i --icons {PROGRAM}\033[0m
+					${LightBlue}$AMCLI -i --icons {PROGRAM}
+					${LightBlue}$AMCLI -i --sandbox {PROGRAM}\033[0m
 
-			Description: Install one or more programs or libraries from the list. With the \"--debug\" option you can see log messages to debug the script. For more details on \"--force-latest\", see the dedicated option, below. Use the \"--icons\" flag to allow the program to use icon themes. It can also be extended with additional flags (see \"--toolpack\").
+			Description: Install one or more programs or libraries from the list. With the \"--debug\" option you can see log messages to debug the script. For more details on \"--force-latest\", see the dedicated option, below. Use the \"--icons\" flag to allow the program to use icon themes. It can also be extended with additional flags (see \"--toolpack\"). The \"--sandbox\" flag allows you to set sandboxes for AppImage packages.
 
-			${Gold}install-appimage, -ia\033[0m
+			${Gold}install-appimage, -ia, -ias\033[0m
 
 					${LightBlue}$AMCLI -ia {PROGRAM}
 					${LightBlue}$AMCLI -ia --debug {PROGRAM}
 					${LightBlue}$AMCLI -ia --force-latest {PROGRAM}
-					${LightBlue}$AMCLI -ia --icons {PROGRAM}\033[0m
+					${LightBlue}$AMCLI -ia --icons {PROGRAM}
+					${LightBlue}$AMCLI -ia --sandbox {PROGRAM}
+					${LightBlue}$AMCLI -ias {PROGRAM}\033[0m
 
-			Description: Same as \"install\" (see above) but for AppImages only.
+			Description: Same as \"install\" (see above) but for AppImages only. Option \"-ias\" (aka Install AppImage & Sandox) is equivalent to \"-ia --sandbox\", to set sandboxes for AppImage packages.
 
 			${Gold}lock\033[0m
 
@@ -1302,6 +1305,8 @@ case "$1" in
 
 			Description: Run an AppImage in a sandbox using Aisap.
 
+			NOTE, \"--sandbox\" can be used as a flag in \"-i\" and \"-ia\" or can be replaced using the option \"-ias\" (aka Install AppImage & Sandox).
+
 			${Gold}sync, -s\033[0m
 
 					${LightBlue}$AMCLI -s\033[0m

README.md

@@ -404,24 +404,27 @@ Allow installed apps to use system icon themes. You can specify the name of the
  		am -i --debug {PROGRAM}
  		am -i --force-latest {PROGRAM}
  		am -i --icons {PROGRAM}
+ 		am -i --sandbox {PROGRAM}
 
 **Description**:
 
-Install one or more programs or libraries from the list. With the "`--debug`" option you can see log messages to debug the script. For more details on "`--force-latest`", see the dedicated option, below. Use the "`--icons`" flag to allow the program to use icon themes. It can also be extended with additional flags (see "`--toolpack`").
+Install one or more programs or libraries from the list. With the "`--debug`" option you can see log messages to debug the script. For more details on "`--force-latest`", see the dedicated option, below. Use the "`--icons`" flag to allow the program to use icon themes. It can also be extended with additional flags (see "`--toolpack`"). The "`--sandbox`" flag allows you to set sandboxes for AppImage packages.
 
 NOTE: Since this is an "install" option, you can add the "`--user`" flag to install apps locally. See "`--user`" at the bottom to learn more.
 
 ------------------------------------------------------------------------
-### `install-appimage`, `-ia`
+### `install-appimage`, `-ia`, `-ias`
 
  		am -ia {PROGRAM}
  		am -ia --debug {PROGRAM}
  		am -ia --force-latest {PROGRAM}
  		am -ia --icons {PROGRAM}
+ 		am -ia --sandbox {PROGRAM}
+ 		am -ias {PROGRAM}
 
 **Description**:
 
-Same as "install" (see above) but for AppImages only.
+Same as "install" (see above) but for AppImages only.  Option "`-ias`" (aka Install AppImage & Sandox) is equivalent to "`-ia --sandbox`", to set sandboxes for AppImage packages.
 
 ------------------------------------------------------------------------
 ### `lock`
@@ -513,6 +516,8 @@ Removes one or more apps without asking.
 
 Run an AppImage in a sandbox using Aisap.
 
+NOTE, "`--sandbox`" can be used as a flag in "`-i`" and "`-ia`" or can be replaced using the option "`-ias`" (aka Install AppImage & Sandox).
+
 ------------------------------------------------------------------------
 ### `sync`, `-s`
 
@@ -705,6 +710,7 @@ Below you can access the documentation pages related to the use of "AM", complet
 ------------------------------------------------------------------------
 - [Install applications](docs/guides-and-tutorials/install.md)
 - [Install only AppImages](docs/guides-and-tutorials/install-appimage.md)
+  - [Install and sandbox AppImages in one go](docs/guides-and-tutorials/install-appimage.md#install-and-sandbox-appimages-in-one-go)
 - [Install AppImages not listed in this database but available in other github repos](docs/guides-and-tutorials/extra.md)
 - [List the installed applications](docs/guides-and-tutorials/files.md)
 - [List and query all the applications available on the database](docs/guides-and-tutorials/list-and-query.md)

docs/guides-and-tutorials/install-appimage.md

@@ -8,21 +8,50 @@ All flags for the `-i`/`install` option can be used here as well.
 ```
 am -ia --debug {PROGRAM}
 am -ia --force-latest {PROGRAM}
-am -ia --user --debug {PROGRAM}
-am -ia --user --force-latest {PROGRAM}
+am -ia --sandbox {PROGRAM}
 ```
 Same for AppMan.
 ```
 appman -ia {PROGRAM}
 appman -ia --debug {PROGRAM}
 appman -ia --force-latest {PROGRAM}
+appman -ia --sandbox {PROGRAM}
 ```
 In this example, I run the script `brave-appimage` but running `brave`, that instead is the original upstream package.
 
 https://github.com/user-attachments/assets/b938430c-ec0b-4b90-850f-1332063d5e53
 
 In the video above, before proceeding I use the command `am -q` and `am -q --appimages` to show the difference between `brave` and `brave-appimage` in the lists.
 
+------------------------------------------------------------------------
+## Install and sandbox AppImages in one go
+There is also a declination of `-ia`, namely `-ias` (Install AppImage & Sandox) which is equivalent to `-ia --sandbox` to start the sandbox configuration process via Aisap/Bubblewrap at the end of each installation
+```
+am -ias {PROGRAM}
+am -ias --user {PROGRAM}
+```
+or
+```
+appman -ias {PROGRAM}
+```
+
+https://github.com/user-attachments/assets/151b5400-415c-48c5-81dd-65a7be1a9b06
+
+NOTE, **`-ia --sandbox` and `-ias` are only for the AppImages listed in the "AM" database!**
+
+To Install and Sandbox other AppImages from local scripts and third-party/custom databases, **use the `-i --sandbox` combination instead**
+```
+am -i --sandbox {PROGRAM}
+am -i --user --sandbox {PROGRAM}
+```
+or
+```
+appman -i --sandbox {PROGRAM}
+```
+Sandboxing of other formats is not supported.
+
+See also how sandboxing works in "AM", at "[Sandboxing](./sandbox.md)".
+
 ------------------------------------------------------------------------
 
 | [Back to "Guides and tutorials"](../../README.md#guides-and-tutorials) | [Back to "Main Index"](../../README.md#main-index) | ["Portable Linux Apps"](https://portable-linux-apps.github.io/) | [ "AppMan" ](https://github.com/ivan-hc/AppMan) |

docs/guides-and-tutorials/install.md

@@ -3,6 +3,7 @@ The option `-i` or `install` is the one responsible of the installation of apps
 
 https://github.com/user-attachments/assets/62bc7444-8b1f-4db2-b23b-db7219eec15d
 
+----------------------------------------------------
 ### Install, normal behaviour
 This is the normal syntax.
 ```
@@ -18,6 +19,7 @@ appman -i {PROGRAM}
 ```
 Since version 9, "AM" also covers locally installed apps. It is therefore not necessary to add a root password, once the `--user` flag is added. And this can also be used in conjunction with the other flags below.
 
+----------------------------------------------------
 ### Install, debug an installation script
 The "install.am" module contains some patches to disable long messages. You can see them with the `--debug` flag.
 
@@ -32,7 +34,7 @@ or
 appman -i --debug {PROGRAM}
 ```
 
-
+----------------------------------------------------
 ### Install the "latest" stable release instead of the latest "unstable"
 By default, many installation scripts for apps hosted on github will point to the more recent generic release instead of "latest", which is normally used to indicate that the build is "stable". This is because upstream developers do not always guarantee a certain packaging format in "latest", sometimes they may only publish packages for Windows or macOS, so pointing to "latest" would not guarantee that any package for Linux will be installed.
 
@@ -48,6 +50,28 @@ appman -i --force-latest {PROGRAM}
 
 https://github.com/user-attachments/assets/ee29adfd-90e1-46f7-aed9-b9c410f68776
 
+----------------------------------------------------
+### Install and Sandbox AppImages
+Since version 9.3 it is possible to use the "`--sandbox`" flag to sandbox only AppImages during the installation process
+```
+am -i --sandbox {PROGRAM}
+am -i --user --sandbox {PROGRAM}
+```
+or
+```
+appman -i --sandbox {PROGRAM}
+```
+
+![Istantanea_2024-12-02_03-50-43-2](https://github.com/user-attachments/assets/da90b4ea-f199-469c-b2a3-e410577f3847)
+
+...note that sandboxing only works for AppImages (see "[Sandboxing](./sandbox.md)"), for other programs it will not work.
+
+NOTE, **it is recommended to use the `-i --sandbox` combination only if you have local and custom scripts to install.**
+
+If you rely on the AppImages listed in the "AM" database, use the `-ia --sandbox` combination or even better `-ias` (Install AppImage & Sandox).
+
+See more at "[Install only AppImages](./install-appimage.md)".
+
 ------------------------------------------------------------------------
 
 | [Back to "Guides and tutorials"](../../README.md#guides-and-tutorials) | [Back to "Main Index"](../../README.md#main-index) | ["Portable Linux Apps"](https://portable-linux-apps.github.io/) | [ "AppMan" ](https://github.com/ivan-hc/AppMan) |

docs/guides-and-tutorials/sandbox.md

@@ -1,4 +1,6 @@
 ## Sandbox an AppImage
+This page explains in detail how AppImage sandboxing works individually in "AM". To apply them during installation, go to the related guide "[Install and sandbox AppImages in one go](./install-appimage.md#install-and-sandbox-appimages-in-one-go)" instead.
+
 Since version 6.12, "AM"/"AppMan" uses Bubblewrap for sandboxing AppImage packages, thanks to "[Aisap](https://github.com/mgord9518/aisap)", a highly intuitive and configurable command line solution.
 
 The option "`--sandbox`", which since version 5.3 was using Firejail, has taken on a completely different appearance and usability, thanks to the intense work of @Samueru-sama, who managed to extend and enhance "Aisap", making it extremely easy to use in our project, to the point of making us forget that we are using a command line utility.
@@ -7,6 +9,7 @@ The option "`--sandbox`", which since version 5.3 was using Firejail, has taken
 
 In this sense, "Aisap" may be considered a reference point for the future of AppImages sandboxing!
 
+----------------------------------------------------
 #### How to enable a sandbox
 This method works as follows:
 ```
@@ -28,19 +31,22 @@ We will first compile the Aisap script in a non-privileged, easy-to-access direc
 
 NOTE, the default location for the sandboxed homes is at $HOME/.local/am-sandboxes, but that location can be changed by setting the $SANDBOXDIR environemt variable.
 
+----------------------------------------------------
 #### How to disable a sandbox
 To remove the sandbox just run the command of the AppImage with the flag "--disable-sandbox", like this:
 ```
 $APP --disable-sandbox
 ```
 
+----------------------------------------------------
 #### Sandboxing example
 In the video below we will use "Baobab" (GTK3 version), a disk space analyzer, available in the database as "baobab-gtk3".
 
 Among the XDG directories we will authorize "Images" (Pictures) and "Videos" (Videos), while manually we will authorize "Public". The test will be carried out in normal mode, then in sandbox and again without sandbox:
 
 https://github.com/ivan-hc/AM/assets/88724353/dd193943-7b08-474a-bbbb-4a6906de8b24
 
+----------------------------------------------------
 #### About Aisap sandboxing
 For more information about "Aisap", visit https://github.com/mgord9518/aisap
 
@@ -55,4 +61,4 @@ EXTRA: The behavior of this option can be tested in a completely standalone way
 | [Back to "Guides and tutorials"](../../README.md#guides-and-tutorials) | [Back to "Main Index"](../../README.md#main-index) | ["Portable Linux Apps"](https://portable-linux-apps.github.io/) | [ "AppMan" ](https://github.com/ivan-hc/AppMan) |
 | - | - | - | - |
 
-------------------------------------------------------------------------
+------------------------------------------------------------------------

modules/database.am

@@ -293,7 +293,9 @@ _files_appimage_type_notes() {
 
 _files_total_size() {
 	printf "\n"
-	command -v aisap >/dev/null 2>&1 && printf '%s\n\n' " AppImages with 🔒 are sandboxed with aisap"
+	if command -v aisap >/dev/null 2>&1 && grep -qe "appimage🔒" "$AMCACHEDIR"/files*; then
+		printf '%s\n\n' " AppImages with 🔒 are sandboxed with aisap"
+	fi
 	TOTAL_SIZE=$(du -shc $(find "$APPSPATH" -maxdepth 2 -type f -name 'remove' -printf "%h\n" 2>/dev/null) | tail -n1 | awk 'END {print $1"iB"}' | sed 's/...$/ &/')
 	echo " TOTAL SIZE: $TOTAL_SIZE of disk space in use"
 	printf "\n"

modules/install.am

@@ -101,8 +101,8 @@ _check_if_script_installs_a_metapackage() {
 			if [ -d "$APPSPATH"/"$metapackage"/tmp ]; then
 				$SUDOCMD "$APPSPATH"/"$metapackage"/remove 2> /dev/null
 			elif [ -d "$APPSPATH"/"$metapackage" ]; then
-				METAPACKAGE_NAME=$(echo "$metapackage" | tr '[:lower:]' '[:upper:]')
-				echo " ◆ $APPNAME IS PART OF \"$METAPACKAGE_NAME\", ALREADY INSTALLED"
+				LASTDIR=$(echo "$metapackage" | tr '[:lower:]' '[:upper:]')
+				echo " ◆ $APPNAME IS PART OF \"$LASTDIR\", ALREADY INSTALLED"
 				return 1
 			fi
 		fi
@@ -360,7 +360,7 @@ case "$1" in
 		fi
 		;;
 
-	'install'|'-i'|\
+	'install'|'-i'|'-ias'|\
 	'install-appimage'|'-ia')
 		[ "$AMCLI" = "am" ] && echo "$@" | grep -q -- "--user" && _appman
 
@@ -370,6 +370,7 @@ case "$1" in
 			echo " USAGE: $AMCLI $1 --debug [ARGUMENT]"
 			echo " USAGE: $AMCLI $1 --force-latest [ARGUMENT]"
 			echo " USAGE: $AMCLI $1 --icons [ARGUMENT]"
+			echo " USAGE: $AMCLI $1 --sandbox [ARGUMENT]"
 			[ "$AMCLI" = "am" ] && echo " USAGE: $AMCLI $1 --user [ARGUMENT]"
 			exit 1
 			;;
@@ -389,6 +390,7 @@ case "$1" in
 		METAPACKAGES="kdegames kdeutils node platform-tools"
 
 		if [ "$1" = "-ia" ] || [ "$1" = "install-appimage" ]; then _install_appimage; fi
+		if [ "$1" = "-ias" ]; then FLAGS=$(printf "%b\n--sandbox\n" "$FLAGS"); _install_appimage; fi
 
 		for arg in $entries; do
 			echo ""
@@ -423,12 +425,28 @@ case "$1" in
 			else
 				echo "💀 ERROR: \"$arg\" does NOT exist in the \"AM\" database, $(printf "please check the list, run the \"%b$AMCLIPATH_ORIGIN -l\033[0m\" command.\n\n" "${Gold}")" | fold -sw 72 | sed 's/^/ /g'
 			fi
+			# Sandbox argument
+			if echo "$FLAGS" | grep -q -- "--sandbox" && [ "$LASTDIR" != aisap ]; then
+				if [ -f "$APPSPATH/$LASTDIR/$LASTDIR" ]; then
+					if ! command -v aisap >/dev/null 2>&1; then
+						mv "$AMCACHEDIR"/installed "$CACHEDIR"/installed.backup.am 2>/dev/null
+						"$AMCLIPATH_ORIGIN" --sandbox "$LASTDIR"
+						sort "$AMCACHEDIR"/installed >> "$CACHEDIR"/installed.backup.am 2>/dev/null
+						mv "$CACHEDIR"/installed.backup.am "$AMCACHEDIR"/installed 2>/dev/null
+					else
+						echo ""
+						"$AMCLIPATH_ORIGIN" --sandbox "$LASTDIR"
+					fi
+				else
+					printf "\n ERROR: \"%b\" is NOT an AppImage\n" "$LASTDIR"
+				fi
+			fi
 			echo "____________________________________________________________________________"
 		done
 		echo "============================================================================"
 		printf "\n                  %bEND OF ALL INSTALLATION PROCESSES\n\033[0m" "${LightBlue}"
 		[ -f "$AMCACHEDIR"/installed ] && printf "\n             The following new programs have been installed:\n\n" \
-		&& grep -w -v "◆ am" 0<"$AMCACHEDIR"/installed
+		&& sort "$AMCACHEDIR"/installed | grep -w -v "◆ am"
 		printf "\n============================================================================\n"
 		exit 0
 		;;

modules/sandboxes.am

@@ -4,6 +4,9 @@
 # THIS MODULE INCLUDES ALL ACTIONS INTENDED TO ISOLATE DOTFILES OR CONTAINERIZE INSTALLED APPIMAGES
 ###################################################################################################
 
+AMCLIPATH_ORIGIN="$AMCLIPATH"
+SUDOCMD_ORIGIN="$SUDOCMD"
+
 # Get xdg variables for _configure_dirs_access
 for DIR in DESKTOP DOCUMENTS DOWNLOAD GAMES MUSIC PICTURES VIDEOS; do
 	eval XDG_DIR="$(xdg-user-dir $DIR 2>/dev/null)"
@@ -70,14 +73,26 @@ _check_aisap() {
 			echo " OPERATION ABORTED!"
 			return 1
 		fi
-		"$AMCLIPATH" -i aisap >/dev/null 2>&1
+		if [ "$CLI" = am ] && [ -f "$APPMANCONFIG"/appman-config ]; then
+			read -r -p " ◆ DO YOU WISH TO INSTALL AISAP LOCALLY? (Y/n) " yn
+			if echo "$yn" | grep -i '^n' >/dev/null 2>&1; then
+				"$AMCLIPATH_ORIGIN" -i aisap >/dev/null 2>&1
+			else
+				"$AMCLIPATH_ORIGIN" -i --user aisap >/dev/null 2>&1
+			fi
+		else
+			"$AMCLIPATH_ORIGIN" -i aisap >/dev/null 2>&1
+		fi
 		command -v aisap 1>/dev/null || return 1
 		echo " aisap installed successfully!"
-	fi	
+	fi
 	if grep "aisap-am" "$TARGET" >/dev/null 2>&1; then
 		echo " $1 is already sandboxed!"
 		return 1
 	fi
+	if [ -f "$BINDIR"/"$1" ]; then
+		SUDOCMD=""
+	fi
 }
 
 _generate_sandbox_script() {
@@ -239,6 +254,7 @@ _install_sandbox_script() {
 	printf '\033[0m%s\033[33m\n' " to revert the changes, in this case that is:"
 	printf '\033[33m%s\033[0m' " $1 --disable-sandbox"
 	printf '%s\033[33m%s\n\033[0m\n' " or " "$AMCLI --disable-sandbox $1"
+	SUDOCMD="$SUDOCMD_ORIGIN"
 }
 
 # Main logic