flatpak-docs
document xdg-data/... mount points
xdg-data/... shared paths are also mounted, alongside the standard host path, at the $XDG_DATA_HOME/... mount point within the sandbox.
So these paths actually have two mount points of the form $XDG_DATA_HOME/..., where $XDG_DATA_HOME is expanded to both the host's and the sandboxed values.
For example, with --filesystem=xdg-data/flatpak, these mount points would be:
$ grep flatpak /etc/mtab
/dev/sdb1 /home/bam/.local/share/flatpak ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/sdb1 /home/bam/.var/app/org.kde.discover/data/flatpak ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
This should be documented somewhere
To be clear, what you mean is:
- If you specify --filesystem=xdg-music, and ~/.config/user-dirs.dirs has XDG_MUSIC_DIR=$HOME/Music, then $HOME/Music gets mounted in the sandbox
- If you specify --filesystem=xdg-data/subdir, then the host location $XDG_DATA_HOME/subdir gets mounted at the location that corresponds to $XDG_DATA_HOME/subdir inside the sandbox, i.e. ~/.var/app/$APPID/data/subdir

Where is the second mount point?
The second mount point is exactly the same as the host's location: $XDG_DATA_HOME/subdir, with $XDG_DATA_HOME expanded to the host's value.
Neither of them seems documented.
it's documented in the footnote here now https://docs.flatpak.org/en/latest/sandbox-permissions-reference.html#f6
> it's documented in the footnote here now https://docs.flatpak.org/en/latest/sandbox-permissions-reference.html#f6
I suppose the link is: https://docs.flatpak.org/en/latest/sandbox-permissions.html#f7
xdg-{cache, config, data} bind mounts the paths from host to the per-app sandbox directory. Inside the sandbox $XDG_CACHE_HOME, $XDG_CONFIG_HOME and $XDG_DATA_HOME are set to $HOME/.var/app/<app-id>/{cache, config, data}. So this permission is not needed unless access to the host directory, bind mounted to $HOME/.var/app/<app-id>/{cache, config, data} is desired.
It still doesn't reflect the fact that --filesystem=xdg-data/... ends up at two mount points inside the sandbox, does it?
See the sample in the description:
# For example, with --filesystem=xdg-data/flatpak, these mount points would be:
$ grep flatpak /etc/mtab
/dev/sdb1 /home/bam/.local/share/flatpak ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/sdb1 /home/bam/.var/app/org.kde.discover/data/flatpak ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
Ok I understood it now. This behaviour is only specific to xdg-data/flatpak and does not happen with xdg-data/foo for any other foo subdir.
Weirdly, I don't see anything in /etc/mtab or /proc/mounts or /proc/$pid/mountinfo on a Fedora 40 and a GNOME OS system (in a VM), but I can see the duplicate mounts from inside the sandbox.
/dev/mapper/luks-a0aa94ec-74fd-46d6-b7bd-d4928e15cfbd /home/bbhtt/.local/share/flatpak btrfs rw,seclabel,nosuid,nodev,relatime,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/home 0 0
/dev/mapper/luks-a0aa94ec-74fd-46d6-b7bd-d4928e15cfbd /home/bbhtt/.var/app/org.freedesktop.appstream.cli/data/flatpak btrfs rw,seclabel,nosuid,nodev,relatime,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/home 0 0
I'll investigate what's the cause and document some edge cases like this tomorrow.
> Ok I understood it now. This behaviour is only specific to xdg-data/flatpak and does not happen with xdg-data/foo for any other foo subdir.
That's how it works for all of them.
Hm, if I do a -vvv I can see the --bind-s twice, but my /proc/mounts shows a single entry for some reason when it is xdg-data/applications but two for xdg-data/flatpak.
https://github.com/flatpak/flatpak-docs/pull/465
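
As an added example (not part of the issue thread or the Flatpak project's code): a Python check that, given mount-table text read inside the sandbox, lists the xdg-data subpaths reachable at both the host's $XDG_DATA_HOME and the per-app data directory. It assumes the host's $XDG_DATA_HOME is the default ~/.local/share unless overridden; the function names are hypothetical.

```python
import posixpath
import re
from collections import defaultdict

# The first two lines are the mtab sample quoted in this issue; the third is a
# constructed line for a subpath that only has the per-app mount.
SAMPLE_MTAB = """\
/dev/sdb1 /home/bam/.local/share/flatpak ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/sdb1 /home/bam/.var/app/org.kde.discover/data/flatpak ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/sdb1 /home/bam/.var/app/org.kde.discover/data/icons ext4 rw,nosuid,nodev,relatime 0 0
"""


def unescape(field):
    """Decode the octal escapes mount tables use (e.g. \\040 for a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def xdg_data_mounts(mtab_text, home, app_id, host_data_home=None):
    """Map each xdg-data subpath to the views ('host', 'sandbox') it is mounted at."""
    roots = {
        # Assumption: default host XDG_DATA_HOME unless the caller overrides it.
        "host": host_data_home or posixpath.join(home, ".local/share"),
        "sandbox": posixpath.join(home, ".var/app", app_id, "data"),
    }
    seen = defaultdict(set)
    for line in mtab_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        mount_point = posixpath.normpath(unescape(fields[1]))
        for view, root in roots.items():
            if mount_point.startswith(root + "/"):
                seen[posixpath.relpath(mount_point, root)].add(view)
    return dict(seen)


def doubly_mounted(mtab_text, home, app_id):
    """Subpaths visible at both the host-style and the sandbox-style location."""
    mounts = xdg_data_mounts(mtab_text, home, app_id)
    return sorted(sub for sub, views in mounts.items() if views == {"host", "sandbox"})


if __name__ == "__main__":
    for sub in doubly_mounted(SAMPLE_MTAB, "/home/bam", "org.kde.discover"):
        print(f"xdg-data/{sub} is mounted at both locations")
```

To audit a real sandbox, pass the contents of /proc/self/mounts read from inside it instead of the sample text.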