feat(electron): refine Linux sandbox handling and format copy filter

4gray · 4gray · commit 4d9ef79b439a · 2025-12-13T18:30:05.000+01:00
Improve sandbox handling on Linux by detecting Snap, Flatpak,
and AppImage environments and applying appropriate Chromium
command-line switches:

- If running in Snap or Flatpak, disable Chromium's sandbox
  (--no-sandbox) to avoid conflicts with the distribution's
  own sandboxing.
- Otherwise (traditional packages and AppImage), disable the
  SUID sandbox and prefer the user namespace sandbox
  (--disable-setuid-sandbox). This avoids requiring a SUID
  chrome-sandbox binary and aligns with modern Linux best
  practices.

Also adjust apps/electron-backend/src/main.ts to only apply
these changes on Linux (process.platform === 'linux').

Minor formatting: expand the package.json copy "filter" array
to a multiline style for readability.
diff --git a/.gitignore b/.gitignore
@@ -1,8 +1,7 @@
 # See http://help.github.com/ignore-files/ for more about ignoring files. 
 
 #compiled output 
-/dist 
-/build 
+/dist  
 /tmp 
 /out-tsc 
 /app-builds 
diff --git a/apps/electron-backend/src/main.ts b/apps/electron-backend/src/main.ts
@@ -14,15 +14,25 @@ import SquirrelEvents from './app/events/squirrel.events';
 import StalkerEvents from './app/events/stalker.events';
 import XtreamEvents from './app/events/xtream.events';
 
-// Detect if running in Snap or AppImage environment
-const isSnap = process.env.SNAP !== undefined;
-const isAppImage = process.env.APPIMAGE !== undefined;
+// Handle sandboxing for Linux
+if (process.platform === 'linux') {
+    // Detect if running in Snap, Flatpak, or AppImage environment
+    const isSnap = process.env.SNAP !== undefined;
+    const isFlatpak = process.env.FLATPAK_ID !== undefined;
+    const isAppImage = process.env.APPIMAGE !== undefined;
 
-// Handle sandbox for Snap and AppImage
-if (isSnap || isAppImage) {
-    // Disable GPU sandbox which often conflicts with snap/AppImage confinement
-    //app.commandLine.appendSwitch('disable-gpu-sandbox');
-    app.commandLine.appendSwitch('--no-sandbox');
+    if (isSnap || isFlatpak || isAppImage) {
+        // Snap and Flatpak provide their own sandboxing
+        // AppImage is a portable format that often has issues with chrome-sandbox permissions
+        // Disable Chromium's sandbox for these environments
+        app.commandLine.appendSwitch('--no-sandbox');
+    } else {
+        // For traditional packages (deb, rpm, pacman):
+        // Use user namespace sandbox instead of SUID sandbox
+        // This doesn't require chrome-sandbox to have SUID permissions (chmod 4755)
+        // and is the recommended approach for modern Linux systems
+        app.commandLine.appendSwitch('--disable-setuid-sandbox');
+    }
 }
 
 app.setName('iptvnator');
diff --git a/build/linux-postinstall.sh b/build/linux-postinstall.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Post-install script for IPTVnator .deb package
+# Sets proper permissions on chrome-sandbox to enable sandboxing
+
+if [ -f "/opt/IPTVnator/chrome-sandbox" ]; then
+    # Set owner to root and permissions to 4755 (SUID)
+    chown root:root "/opt/IPTVnator/chrome-sandbox" 2>/dev/null || true
+    chmod 4755 "/opt/IPTVnator/chrome-sandbox" 2>/dev/null || true
+fi
+
+exit 0
diff --git a/package.json b/package.json
@@ -31,7 +31,9 @@
             {
                 "from": "dist/apps/remote-control-web",
                 "to": "remote-control-web",
-                "filter": ["**/*"]
+                "filter": [
+                    "**/*"
+                ]
             },
             "electron-backend/**/*",
             "web/**/*",
@@ -67,31 +69,48 @@
             "target": [
                 {
                     "target": "AppImage",
-                    "arch": ["x64", "armv7l", "arm64"]
+                    "arch": [
+                        "x64",
+                        "armv7l",
+                        "arm64"
+                    ]
                 },
                 {
                     "target": "deb",
-                    "arch": ["x64", "armv7l", "arm64"]
+                    "arch": [
+                        "x64",
+                        "armv7l",
+                        "arm64"
+                    ]
                 },
                 {
                     "target": "Snap",
-                    "arch": ["x64"] 
+                    "arch": [
+                        "x64"
+                    ]
                 },
                 {
                     "target": "rpm",
-                    "arch": ["x64"]
+                    "arch": [
+                        "x64"
+                    ]
                 },
                 {
                     "target": "pacman",
-                    "arch": ["x64"]
+                    "arch": [
+                        "x64"
+                    ]
                 },
                 {
                     "target": "flatpak",
-                    "arch": ["x64"]
+                    "arch": [
+                        "x64"
+                    ]
                 }
             ],
             "artifactName": "${name}-${version}-${os}-${arch}.${ext}",
-            "icon": "apps/web/src/assets/icons"
+            "icon": "apps/web/src/assets/icons",
+            "afterInstall": "build/linux-postinstall.sh"
         },
         "win": {
             "compression": "maximum",
