Sandbox Permissions Reference¶
Sandbox permissions can be configured from an application manifest file
(see Manifests). They can also be set with the build-finish
,
run
and override
commands.
The following list includes many of the most useful permission options. A
complete list can be viewed using flatpak build-finish --help
.
|
Show windows using X11 |
|
Grant X11 access when Wayland is not available |
|
Share IPC namespace with the host [1] |
|
Allow access to Bluetooth |
|
OpenGL rendering |
|
Show windows using Wayland |
|
Play sounds using PulseAudio |
|
Access the network [2] |
|
Talk to a named service on the session bus |
|
Talk to a named service on the system bus |
|
Talk to the CUPS printing system |
|
Talk to the GPG agent |
|
Grant access to smart card |
|
SSH authentication |
|
Unlimited access to user’s D-Bus session |
|
Unlimited access to all of D-Bus |
Filesystem permissions¶
Each of the following permissions configure filesystem access, and should
be added to --filesystem=
:
|
Access all files [3] |
|
|
Access all files in /etc |
|
|
Access the home directory |
|
|
||
|
Access an arbitrary path relative to the home directory [5] |
|
|
Access the XDG desktop directory |
|
|
Access the XDG documents directory |
|
|
Access the XDG download directory |
|
|
Access the XDG music directory |
|
|
Access the XDG pictures directory |
|
|
Access the XDG public directory |
|
|
Access the XDG videos directory |
|
|
Access the XDG templates directory |
|
|
Access the XDG config directory [6] |
|
|
Access the XDG cache directory [6] |
|
|
Access the XDG data directory [6] |
|
|
Access subdirectories of the XDG runtime directory |
|
Paths can be added to all the above filesystem options. For example,
--filesystem=xdg-documents/path
. The following permission options can
also be added:
:ro
- read-only access:rw
- read/write access (this is the default):create
- read/write access, and create the directory if it doesn’t exist
Footnotes