#!/usr/bin/env bash
set -u

UNPRIVILEGED_USERNS_ENABLED=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
RESTRICT_UNPRIVILEGED_USERNS=$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns 2>/dev/null)

SCRIPT_PATH="${BASH_SOURCE[0]}"
if command -v readlink >/dev/null 2>&1; then
    RESOLVED_SCRIPT_PATH=$(readlink -f "$SCRIPT_PATH" 2>/dev/null || true)
    if [ -n "$RESOLVED_SCRIPT_PATH" ]; then
        SCRIPT_PATH="$RESOLVED_SCRIPT_PATH"
    fi
fi

SCRIPT_DIR="$(cd "$(dirname "$SCRIPT_PATH")" && pwd)"

APPLY_NO_SANDBOX_FLAG=0
if [ "$UNPRIVILEGED_USERNS_ENABLED" != 1 ] || [ "$RESTRICT_UNPRIVILEGED_USERNS" = 1 ]; then
    APPLY_NO_SANDBOX_FLAG=1
fi

if [ "$SCRIPT_DIR" = "/usr/bin" ]; then
    SCRIPT_DIR="/opt/IPTVnator"
fi

EXEC_ARGS=()
if [ "$APPLY_NO_SANDBOX_FLAG" = 1 ]; then
    echo "Note: Running with --no-sandbox since unprivileged_userns_clone is disabled or apparmor_restrict_unprivileged_userns is enabled."
    EXEC_ARGS+=(--no-sandbox)
fi

exec "$SCRIPT_DIR/iptvnator.bin" "${EXEC_ARGS[@]}" "$@"
