Flatpak: Disable sandbox for app

Created on 22 May 2018 · 5 comments · Source: flatpak/flatpak

Atom packages require access to external binaries (for eg., linter-php requires access to the PHP executable) and I can't find a way to add an exemption for this or better yet disable sandbox for a particular app.

All 5 comments

If you give flatpak access to the org.freedesktop.Flatpak.Development then you can use flatpak-spawn --host to run a command on the host. It's not really possible to run a binary from the host inside the sandbox though, because it depends on the libraries on the host, which may not be compatible with the ones in the sandbox.

Can't I disable the sandbox (preferably for only one package)?

No, the sandbox isn't optional. You can only poke holes in it.

I created a quick Flatpak for the terminal emulator Kitty and realized just how limiting the sandbox is for this kind of application. Is there anything else that can be done to give more permissions, such as access to applications on host, or are terminal emulators in Flatpak just a terrible idea?

My manifest:
https://gitlab.com/Limero/Flatpaks/blob/master/kitty/net.kovidgoyal.kitty.json

Is there anything else that can be done to give more permissions, such as access to applications on host

You can do things on the host by granting the --talk-name=org.freedesktop.Flatpak permission and using flatpak-spawn --host in the sandbox.

or are terminal emulators in Flatpak just a terrible idea?

Tricky to get right but doable. gnome-builder opens a tty on the host and forwards it into the sandbox (see its source for actual details). It would definitely require modifying the source of the application but that is the only good way to accomplish it. If you don't plan on going that far I would say don't do it.
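The mechanism the replies above describe (grant the app --talk-name=org.freedesktop.Flatpak, then call flatpak-spawn --host from inside the sandbox) can be wrapped so a plugin such as linter-php keeps calling a plain "php". The script below is an added example and is not code from this thread or from the flatpak project; the wrapper itself, the FLATPAK_INFO_PATH override used for testing, and php as the host binary are assumptions made for the illustration. Bear in mind what the permission means: once the app can talk to org.freedesktop.Flatpak on the session bus, any code running inside that sandbox can execute arbitrary commands on the host as your user, so this is a deliberate hole rather than a narrower exemption.

```shell
#!/bin/sh
# Added example (not from the flatpak project or this thread): a wrapper that
# runs a host binary from inside a Flatpak sandbox via flatpak-spawn --host.
#
# Prerequisite: the app must hold the D-Bus permission
#   --talk-name=org.freedesktop.Flatpak
# either in the manifest's finish-args or added after install with
#   flatpak override --user --talk-name=org.freedesktop.Flatpak <app-id>
# With that permission, everything in the sandbox can run host commands.

# Detect the sandbox: flatpak places /.flatpak-info inside every sandbox's
# mount namespace. FLATPAK_INFO_PATH is an assumed override used only so the
# functions can be exercised outside a real sandbox.
in_flatpak_sandbox() {
    [ -f "${FLATPAK_INFO_PATH:-/.flatpak-info}" ]
}

# Print the argv that would actually be executed, one argument per line, so
# callers can inspect it without shell re-quoting problems.
host_argv() {
    if in_flatpak_sandbox; then
        printf '%s\n' flatpak-spawn --host "$@"
    else
        printf '%s\n' "$@"
    fi
}

# Run the command on the host when sandboxed, directly otherwise. exec keeps
# stdin/stdout and the exit status flowing through to the caller unchanged.
run_on_host() {
    if in_flatpak_sandbox; then
        exec flatpak-spawn --host "$@"
    else
        exec "$@"
    fi
}

# When invoked directly, behave as the wrapper, e.g. as a "php" shim:
#   ./host-exec.sh php -l /path/to/file.php
if [ "$#" -gt 0 ]; then
    run_on_host "$@"
fi
```

Install the script as "php" somewhere early on the sandbox's PATH (for example a bin directory inside the app's prefix) and the plugin needs no changes. The host-side php still runs with the host's libraries, which is why the earlier reply says a host binary cannot simply be executed inside the sandbox: flatpak-spawn --host sidesteps that by asking the flatpak session helper on the host to start the process there, not in the sandbox.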
