From e127ed5aea69eef93dcf856c75ffbd12878babcb Mon Sep 17 00:00:00 2001
From: Sebastian Wick
Date: Wed, 8 Apr 2026 21:59:19 +0200
Subject: [PATCH] run: Add bind-fd and ro-bind-fd binds after all other binds

This is only moving it a bit down because flatpak_run_add_environment_args still adds a whole bunch of binds which then can over-mount the user requested binds (bind-fd, ro-bind-fd).
---
 common/flatpak-run.c | 68 ++++++++++++++++++++++----------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index a02e404c..25736469 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3696,40 +3696,6 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
 flatpak_bwrap_add_arg_printf (bwrap, "/run/user/%d", getuid ());
 }

- for (i = 0; bind_fds && i < bind_fds->len; i++)
- {
- int fd = g_array_index (bind_fds, int, i);
- g_autofree char *path = NULL;
-
- /* We get the path the fd refers to, to determine to mount point
- * destination inside the sandbox */
- path = get_path_for_fd (fd, error);
- if (!path)
- return FALSE;
-
- if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
- "--bind-fd", fd, path,
- error))
- return FALSE;
- }
-
- for (i = 0; ro_bind_fds && i < ro_bind_fds->len; i++)
- {
- int fd = g_array_index (ro_bind_fds, int, i);
- g_autofree char *path = NULL;
-
- /* We get the path the fd refers to, to determine to mount point
- * destination inside the sandbox */
- path = get_path_for_fd (fd, error);
- if (!path)
- return FALSE;
-
- if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
- "--ro-bind-fd", fd, path,
- error))
- return FALSE;
- }
-
 if (!flatpak_run_add_dconf_args (bwrap, app_id, metakey, error))
 return FALSE;

@@ -3764,6 +3730,40 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
 "--symlink", "/usr/lib/debug/source", "/run/build-runtime",
 NULL);

+ for (i = 0; bind_fds && i < bind_fds->len; i++)
+ {
+ int fd = g_array_index (bind_fds, int, i);
+ g_autofree char *path = NULL;
+
+ /* We get the path the fd refers to, to determine to mount point
+ * destination inside the sandbox */
+ path = get_path_for_fd (fd, error);
+ if (!path)
+ return FALSE;
+
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--bind-fd", fd, path,
+ error))
+ return FALSE;
+ }
+
+ for (i = 0; ro_bind_fds && i < ro_bind_fds->len; i++)
+ {
+ int fd = g_array_index (ro_bind_fds, int, i);
+ g_autofree char *path = NULL;
+
+ /* We get the path the fd refers to, to determine to mount point
+ * destination inside the sandbox */
+ path = get_path_for_fd (fd, error);
+ if (!path)
+ return FALSE;
+
+ if (!flatpak_bwrap_add_args_data_fd_dup (bwrap,
+ "--ro-bind-fd", fd, path,
+ error))
+ return FALSE;
+ }
+
 if (cwd)
 flatpak_bwrap_add_args (bwrap, "--chdir", cwd, NULL);
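Review bot: Placing the `--bind-fd`/`--ro-bind-fd` loops this late means a caller-supplied fd whose resolved path matches something the earlier steps mounted now shadows that mount, and nothing in this hunk restricts what `get_path_for_fd ()` may return as the destination. If the helper or its callers do not already reject destinations that Flatpak itself manages, that check belongs before `flatpak_bwrap_add_args_data_fd_dup ()`; this cannot be confirmed here because `flatpak_run_app` starts and ends outside the hunk. The ordering is also now a silent invariant, so a comment above the first loop would help, e.g. `/* Must stay after flatpak_run_add_environment_args() and the other bind helpers: later binds over-mount earlier ones. */`. The two loops differ only in the option string and could share one small static helper, and the comment both carry should read "to determine the mount point destination".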