mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-14 21:18:11 -04:00
fe2536b844
These are subsets of the host keyword, which provide access to operating system files but not to users' personal files. In particular, the experimental support for namespace-based sandboxes in the Steam Runtime[1] uses the graphics stack from the host system, which requires access to the host /usr/libQUAL, /libQUAL (even if the host OS has undergone the /usr merge, the canonical paths of ELF interpreters start with /lib), /etc/ld.so.cache, and for some libraries on Debian-based systems, /etc/alternatives. It will not be possible to do similar things in Flatpak without either allowing full host filesystem access (which exposes personal files, and in any case cannot be done by the Steam app because it is incompatible with --persist=.), or adding the ability to expose /usr and related directories without including the rest of the host filesystem. To the best of my knowledge, host-etc is not necessary for anything; I've mainly provided it for symmetry, since it's the other significant thing that we mount in /run/host and cannot get via --filesystem=/path. Some notes on the security/privacy implications of the new keywords: - Neither new keyword allows anything that was not already allowed by "host". - Neither new keyword can allow anything that was not already allowed to the user outside the sandbox. - "host-os" allows enumeration of the installed packages on the host system, and often their version numbers too. A malicious app could use this to look for exploitable security vulnerabilities on the host system. An app could also use this for fingerprinting, although this is not a regression, because the systemd/D-Bus machine ID, MAC addresses, hostname, kernel boot UUID, DMI product ID and many other unique or relatively unique properties are already available inside the sandbox. - "host-os" allows read access, and possibly write access (if the user has it outside the sandbox, for example members of group 'staff' in older Debian installations), to /usr/local. - "host-etc" allows reading configuration files whose contents might be considered sensitive, such as /etc/passwd. [1] https://steamcommunity.com/app/221410/discussions/0/1638675549018366706/ Signed-off-by: Simon McVittie <smcv@collabora.com>
400 lines
17 KiB
XML
400 lines
17 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
<refentry id="flatpak-override">
|
|
|
|
<refentryinfo>
|
|
<title>flatpak override</title>
|
|
<productname>flatpak</productname>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<contrib>Developer</contrib>
|
|
<firstname>Alexander</firstname>
|
|
<surname>Larsson</surname>
|
|
<email>alexl@redhat.com</email>
|
|
</author>
|
|
</authorgroup>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>flatpak override</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>flatpak-override</refname>
|
|
<refpurpose>Override application requirements</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>flatpak override</command>
|
|
<arg choice="opt" rep="repeat">OPTION</arg>
|
|
<arg choice="opt">APP</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>
|
|
Overrides the application specified runtime requirements. This can be used
|
|
to grant a sandboxed application more or less resources than it requested.
|
|
</para>
|
|
<para>
|
|
By default the application gets access to the resources it
|
|
requested when it is started. But the user can override it
|
|
on a particular instance by specifying extra arguments to
|
|
flatpak run, or every time by using flatpak override.
|
|
</para>
|
|
<para>
|
|
If the application id is not specified then the overrides affect all applications,
|
|
but the per-application overrides can override the global overrides.
|
|
</para>
|
|
<para>
|
|
Unless overridden with the <option>--user</option> or <option>--installation</option> options, this command
|
|
changes the default system-wide installation.
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>The following options are understood:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>-h</option></term>
|
|
<term><option>--help</option></term>
|
|
|
|
<listitem><para>
|
|
Show help options and exit.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--user</option></term>
|
|
|
|
<listitem><para>
|
|
Update a per-user installation.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--system</option></term>
|
|
|
|
<listitem><para>
|
|
Update the default system-wide installation.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--installation=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Updates a system-wide installation specified by <arg choice="plain">NAME</arg>
|
|
among those defined in <filename>/etc/flatpak/installations.d/</filename>.
|
|
Using <option>--installation=default</option> is equivalent to using
|
|
<option>--system</option>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--share=SUBSYSTEM</option></term>
|
|
|
|
<listitem><para>
|
|
Share a subsystem with the host session. This overrides
|
|
the Context section from the application metadata.
|
|
<arg choice="plain">SUBSYSTEM</arg> must be one of: network, ipc.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--unshare=SUBSYSTEM</option></term>
|
|
|
|
<listitem><para>
|
|
Don't share a subsystem with the host session. This overrides
|
|
the Context section from the application metadata.
|
|
<arg choice="plain">SUBSYSTEM</arg> must be one of: network, ipc.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--socket=SOCKET</option></term>
|
|
|
|
<listitem><para>
|
|
Expose a well-known socket to the application. This overrides to
|
|
the Context section from the application metadata.
|
|
<arg choice="plain">SOCKET</arg> must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
|
|
ssh-auth, pcsc, cups.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--nosocket=SOCKET</option></term>
|
|
|
|
<listitem><para>
|
|
Don't expose a well-known socket to the application. This overrides to
|
|
the Context section from the application metadata.
|
|
<arg choice="plain">SOCKET</arg> must be one of: x11, wayland, fallback-x11, pulseaudio, system-bus, session-bus,
|
|
ssh-auth, pcsc, cups.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--device=DEVICE</option></term>
|
|
|
|
<listitem><para>
|
|
Expose a device to the application. This overrides to
|
|
the Context section from the application metadata.
|
|
<arg choice="plain">DEVICE</arg> must be one of: dri, kvm, shm, all.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--nodevice=DEVICE</option></term>
|
|
|
|
<listitem><para>
|
|
Don't expose a device to the application. This overrides to
|
|
the Context section from the application metadata.
|
|
<arg choice="plain">DEVICE</arg> must be one of: dri, kvm, shm, all.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--allow=FEATURE</option></term>
|
|
|
|
<listitem><para>
|
|
Allow access to a specific feature. This updates
|
|
the [Context] group in the metadata.
|
|
<arg choice="plain">FEATURE</arg> must be one of: devel, multiarch, bluetooth, canbus.
|
|
This option can be used multiple times.
|
|
</para><para>
|
|
See <citerefentry><refentrytitle>flatpak-build-finish</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
for the meaning of the various features.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--disallow=FEATURE</option></term>
|
|
|
|
<listitem><para>
|
|
Disallow access to a specific feature. This updates
|
|
the [Context] group in the metadata.
|
|
<arg choice="plain">FEATURE</arg> must be one of: devel, multiarch, bluetooth, canbus.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--filesystem=FILESYSTEM</option></term>
|
|
|
|
<listitem><para>
|
|
Allow the application access to a subset of the filesystem.
|
|
This overrides to the Context section from the application metadata.
|
|
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
|
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos, xdg-run,
|
|
xdg-config, xdg-cache, xdg-data,
|
|
an absolute path, or a homedir-relative path like ~/dir or paths
|
|
relative to the xdg dirs, like xdg-download/subdir.
|
|
The optional :ro suffix indicates that the location will be read-only.
|
|
The optional :create suffix indicates that the location will be read-write and created if it doesn't exist.
|
|
This option can be used multiple times.
|
|
See the "[Context] filesystems" list in
|
|
<citerefentry><refentrytitle>flatpak-metadata</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for details of the meanings of these filesystems.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--nofilesystem=FILESYSTEM</option></term>
|
|
|
|
<listitem><para>
|
|
Remove access to the specified subset of the filesystem from
|
|
the application. This overrides to the Context section from the
|
|
application metadata.
|
|
<arg choice="plain">FILESYSTEM</arg> can be one of: home, host, host-os, host-etc, xdg-desktop, xdg-documents, xdg-download,
|
|
xdg-music, xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
|
|
an absolute path, or a homedir-relative path like ~/dir.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--add-policy=SUBSYSTEM.KEY=VALUE</option></term>
|
|
|
|
<listitem><para>
|
|
Add generic policy option. For example, "--add-policy=subsystem.key=v1 --add-policy=subsystem.key=v2" would map to this metadata:
|
|
<programlisting>
|
|
[Policy subsystem]
|
|
key=v1;v2;
|
|
</programlisting>
|
|
</para></listitem>
|
|
<listitem><para>
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--remove-policy=SUBSYSTEM.KEY=VALUE</option></term>
|
|
|
|
<listitem><para>
|
|
Remove generic policy option. This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--env=VAR=VALUE</option></term>
|
|
|
|
<listitem><para>
|
|
Set an environment variable in the application.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--own-name=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Allow the application to own the well-known name <arg choice="plain">NAME</arg> on the session bus.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--talk-name=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Allow the application to talk to the well-known name <arg choice="plain">NAME</arg> on the session bus.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--no-talk-name=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Don't allow the application to talk to the well-known name <arg choice="plain">NAME</arg> on the session bus.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--system-own-name=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Allow the application to own the well known name <arg choice="plain">NAME</arg> on the system bus.
|
|
If <arg choice="plain">NAME</arg> ends with .*, it allows the application to own all matching names.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--system-talk-name=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Allow the application to talk to the well known name <arg choice="plain">NAME</arg> on the system bus.
|
|
If <arg choice="plain">NAME</arg> ends with .*, it allows the application to talk to all matching names.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--system-no-talk-name=NAME</option></term>
|
|
|
|
<listitem><para>
|
|
Don't allow the application to talk to the well known name <arg choice="plain">NAME</arg> on the system bus.
|
|
If <arg choice="plain">NAME</arg> ends with .*, it allows the application to talk to all matching names.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--persist=FILENAME</option></term>
|
|
|
|
<listitem><para>
|
|
If the application doesn't have access to the real homedir, make the (homedir-relative) path
|
|
<arg choice="plain">FILENAME</arg> a bind mount to the corresponding path in the per-application directory,
|
|
allowing that location to be used for persistent data.
|
|
This overrides to the Context section from the application metadata.
|
|
This option can be used multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--reset</option></term>
|
|
|
|
<listitem><para>
|
|
Remove overrides. If an <arg choice="plain">APP</arg> is given, remove the overrides for that
|
|
application, otherwise remove the global overrides.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--show</option></term>
|
|
|
|
<listitem><para>
|
|
Shows overrides. If an <arg choice="plain">APP</arg> is given, shows the overrides for that
|
|
application, otherwise shows the global overrides.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>-v</option></term>
|
|
<term><option>--verbose</option></term>
|
|
|
|
<listitem><para>
|
|
Print debug information during command processing.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--ostree-verbose</option></term>
|
|
|
|
<listitem><para>
|
|
Print OSTree debug information during command processing.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<para>
|
|
<command>$ flatpak override --nosocket=wayland org.gnome.gedit</command>
|
|
</para>
|
|
<para>
|
|
<command>$ flatpak override --filesystem=home org.mozilla.Firefox</command>
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See also</title>
|
|
|
|
<para>
|
|
<citerefentry><refentrytitle>flatpak</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>flatpak-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
</refentry>
|