--run unclear
The documentation states (emphasis mine):
> Run a command in a sandbox based on the build dir. [...] and the same permissions the final app will have (except filesystem permissions)

What exactly are the exceptions? Has every app that I've run through --run been executed outside of a sandbox? It's unclear to me what the exceptions are and I can't find this info anywhere.
It's certainly in a sandbox.
The exact line that comment is talking about is here: https://github.com/flatpak/flatpak-builder/blob/aec06b39452539fb894c4b222c980763642066e8/src/builder-manifest.c#L4123-L4141
> It's certainly in a sandbox.

If so, how did the application manage to write to .local/share/[redacted] w/o a matching --persist in my "finish-args"?
Sandbox is a broad term. It is in a sandbox, its permissions just aren't what you expect. I don't think it's documented, sadly.
> The exact line that comment is talking about is here:

I don't understand how this piece of code relates to giving full access to my home dir (making the whole point of the sandbox moot). You sure this is the line? Care to explain how permissions leak from my specification out of that?
I think the missing sandbox is a bug. You can work around it by adding --nofilesystem=host.