Sandbox Permissions Reference¶
Sandbox permissions can be configured from an application manifest file
(see Manifests). They can also be set with the build-finish
,
run
and override
commands.
The following list includes many of the most useful permission options. A
complete list can be viewed using flatpak build-finish --help
.
--socket=x11 |
Show windows using X11 |
--socket=fallback-x11 |
Grant X11 access when Wayland is not available |
--share=ipc |
Share IPC namespace with the host [1] |
--allow=bluetooth |
Allow access to Bluetooth |
--device=dri |
OpenGL rendering |
--socket=wayland |
Show windows using Wayland |
--socket=pulseaudio |
Play sounds using PulseAudio |
--share=network |
Access the network [2] |
--talk-name=org.freedesktop.secrets |
Talk to a named service on the session bus |
--system-talk-name=org.freedesktop.GeoClue2 |
Talk to a named service on the system bus |
--socket=cups |
Talk to the CUPS printing system |
--socket=gpg-agent |
Talk to the GPG agent |
--socket=pcsc |
Grant access to smart card |
--socket=ssh-auth |
SSH authentication |
--socket=session-bus |
Unlimited access to user’s D-Bus session |
--socket=system-bus |
Unlimited access to all of D-Bus |
Filesystem permissions¶
Each of the following permissions configure filesystem access, and should
be added to --filesystem=
:
host |
Access all files [3] |
host-etc |
Access all files in /etc |
home |
Access the home directory |
/some/dir |
Access an arbitrary path |
~/some/dir |
Access an arbitrary path relative to the home directory |
xdg-desktop |
Access the XDG desktop directory |
xdg-documents |
Access the XDG documents directory |
xdg-download |
Access the XDG download directory |
xdg-music |
Access the XDG music directory |
xdg-pictures |
Access the XDG pictures directory |
xdg-public-share |
Access the XDG public directory |
xdg-videos |
Access the XDG videos directory |
xdg-templates |
Access the XDG templates directory |
xdg-config |
Access the XDG config directory |
xdg-cache |
Access the XDG cache directory |
xdg-data |
Access the XDG data directory |
xdg-run/path |
Access subdirectories of the XDG runtime directory (where path is any subdirectory) |
Paths can be added to all the above filesystem options. For example,
--filesystem=xdg-documents/path
. The following permission options can
also be added:
:ro
- read-only access:rw
- read/write access (this is the default):create
- read/write access, and create the directory if it doesn’t exist
Footnotes
[1] | This is not necessarily required, but without it the X11 shared memory extension will not work, which is very bad for X11 performance. |
[2] | Giving network access also grants access to all host services listening on abstract Unix sockets (due to how network namespaces work), and these have no permission checks. This unfortunately affects e.g. the X server and the session bus which listens to abstract sockets by default. A secure distribution should disable these and just use regular sockets. |
[3] | Except for the blacklisted paths mentioned in Sandbox Permissions. |