Sandbox Permissions Reference

Sandbox permissions can be configured from an application manifest file (see Manifest files). They can also be set with the build-finish, run and override commands.

The following list includes many of the most useful permission options. A complete list can be viewed using flatpak build-finish --help.

--socket=x11

Show windows using X11

--socket=fallback-x11

Grant X11 access when Wayland is not available

--share=ipc

Share IPC namespace with the host [1]

--allow=bluetooth

Allow access to Bluetooth

--device=dri

OpenGL rendering

--socket=wayland

Show windows using Wayland

--socket=pulseaudio

Play sounds using PulseAudio

--share=network

Access the network [2]

--talk-name=org.freedesktop.secrets

Talk to a named service on the session bus

--system-talk-name=org.freedesktop.GeoClue2

Talk to a named service on the system bus

--socket=cups

Talk to the CUPS printing system

--socket=gpg-agent

Talk to the GPG agent

--socket=pcsc

Grant access to smart cards

--socket=ssh-auth

SSH authentication

--socket=session-bus

Unlimited access to user’s D-Bus session

--socket=system-bus

Unlimited access to all of D-Bus

Filesystem permissions

Each of the following permissions configures filesystem access, and should be added to --filesystem=:

host

Access all files [3]

host-etc

Access all files in /etc

home

Access the home directory

/some/dir

Access an arbitrary path [4] [5]

~/some/dir

Access an arbitrary path relative to the home directory [5]

xdg-desktop

Access the XDG desktop directory

$XDG_DESKTOP_DIR or $HOME/Desktop

xdg-documents

Access the XDG documents directory

$XDG_DOCUMENTS_DIR or $HOME/Documents

xdg-download

Access the XDG download directory

$XDG_DOWNLOAD_DIR or $HOME/Downloads

xdg-music

Access the XDG music directory

$XDG_MUSIC_DIR or $HOME/Music

xdg-pictures

Access the XDG pictures directory

$XDG_PICTURES_DIR or $HOME/Pictures

xdg-public-share

Access the XDG public directory

$XDG_PUBLICSHARE_DIR or $HOME/Public

xdg-videos

Access the XDG videos directory

$XDG_VIDEOS_DIR or $HOME/Videos

xdg-templates

Access the XDG templates directory

$XDG_TEMPLATES_DIR or $HOME/Templates

xdg-config

Access the XDG config directory [6]

$XDG_CONFIG_HOME or $HOME/.config

xdg-cache

Access the XDG cache directory [6]

$XDG_CACHE_HOME or $HOME/.cache

xdg-data

Access the XDG data directory [6]

$XDG_DATA_HOME or $HOME/.local/share

xdg-run/path

Access subdirectories of the XDG runtime directory

$XDG_RUNTIME_DIR/path (/run/user/$UID/path)

Paths can be added to all the above filesystem options. For example, --filesystem=xdg-documents/path. The following permission options can also be added:

  • :ro - read-only access

  • :rw - read/write access (this is the default)

  • :create - read/write access, and create the directory if it doesn’t exist
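When reviewing a manifest it helps to expand each --filesystem= value (base name, optional sub-path, optional :ro/:rw/:create suffix) into the host path and access mode it grants. The following Python is an added example, not Flatpak's own code; the function names are hypothetical, and it assumes the XDG names can be resolved from environment variables with the fallbacks listed above and that host can be represented as /.

```python
import os

# name -> (variable, fallback under $HOME), copied from the table above
XDG_DIRS = {
    "xdg-desktop": ("XDG_DESKTOP_DIR", "Desktop"), "xdg-documents": ("XDG_DOCUMENTS_DIR", "Documents"),
    "xdg-download": ("XDG_DOWNLOAD_DIR", "Downloads"), "xdg-music": ("XDG_MUSIC_DIR", "Music"),
    "xdg-pictures": ("XDG_PICTURES_DIR", "Pictures"), "xdg-public-share": ("XDG_PUBLICSHARE_DIR", "Public"),
    "xdg-videos": ("XDG_VIDEOS_DIR", "Videos"), "xdg-templates": ("XDG_TEMPLATES_DIR", "Templates"),
    "xdg-config": ("XDG_CONFIG_HOME", ".config"), "xdg-cache": ("XDG_CACHE_HOME", ".cache"),
    "xdg-data": ("XDG_DATA_HOME", ".local/share"),
}
MODES = ("ro", "rw", "create")

def parse_filesystem(value, env):
    """Split one --filesystem= value into (host_path, mode)."""
    spec, sep, suffix = value.rpartition(":")
    if not (sep and suffix in MODES):
        spec, suffix = value, "rw"      # no recognised suffix: read/write is the default
    base, _, sub = spec.partition("/")
    home = env["HOME"]
    if spec.startswith("/"):
        root, sub = spec, ""            # arbitrary absolute path, kept whole
    elif base in ("~", "home"):
        root = home
    elif base == "host":
        root = "/"                      # assumption: "Access all files" shown as /
    elif base == "host-etc":
        root = "/etc"
    elif base == "xdg-run":
        root = env.get("XDG_RUNTIME_DIR") or "/run/user/%d" % os.getuid()
    elif base in XDG_DIRS:
        var, fallback = XDG_DIRS[base]
        root = env.get(var) or os.path.join(home, fallback)
    else:
        raise ValueError("unknown filesystem permission: %r" % value)
    return (os.path.join(root, sub) if sub else root), suffix

def filesystem_grants(args, env):
    """Return (value, host_path, mode) for each --filesystem= entry in a list of options."""
    prefix = "--filesystem="
    return [(a[len(prefix):],) + parse_filesystem(a[len(prefix):], env)
            for a in args if a.startswith(prefix)]

if __name__ == "__main__":
    # Constructed sample options and environment, for illustration only
    sample = ["--share=network", "--filesystem=xdg-documents/path", "--filesystem=~/some/dir:ro"]
    for value, path, mode in filesystem_grants(sample, {"HOME": "/home/alice"}):
        print(value, "->", path, mode)
```

A colon that is not followed by ro, rw or create is treated as part of the path, so a value such as /srv/data:v2 resolves to that literal path with the default read/write mode.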

Footnotes