|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | NOTES | COLOPHON |
|
|
|
FLATPAK RUN(1) flatpak run FLATPAK RUN(1)
flatpak-run - Run an application or open a shell in a runtime
flatpak run [OPTION...] REF [ARG...]
If REF names an installed application, Flatpak runs the
application in a sandboxed environment. Extra arguments are passed
on to the application. The current branch and arch of the
application is used unless otherwise specified with --branch or
--arch. See flatpak-make-current(1).
If REF names a runtime, a shell is opened in the runtime. This is
useful for development and testing. If there is ambiguity about
which branch to use, you will be prompted to choose. Use --branch
to avoid this. The primary arch is used unless otherwise specified
with --arch.
By default, Flatpak will look for the application or runtime in
the per-user installation first, then in all system installations.
This can be overridden with the --user, --system and
--installation options.
Flatpak creates a sandboxed environment for the application to run
in by mounting the right runtime at /usr and a writable directory
at /var, whose content is preserved between application runs. The
application itself is mounted at /app.
The details of the sandboxed environment are controlled by the
application metadata and various options like --share and --socket
that are passed to the run command: Access is allowed if it was
requested either in the application metadata file or with an
option and the user hasn't overridden it.
The remaining arguments are passed to the command that gets run in
the sandboxed environment. See the --file-forwarding option for
handling of file arguments.
Environment variables are generally passed on to the sandboxed
application, with certain exceptions. The application metadata can
override environment variables, as well as the --env option. Apart
from that, Flatpak always unsets or overrides the following
variables, since their session values are likely to interfere with
the functioning of the sandbox:
PATH
LD_LIBRARY_PATH
LD_PRELOAD
LD_AUDIT
XDG_CONFIG_DIRS
XDG_DATA_DIRS
SHELL
TEMP
TEMPDIR
TMP
TMPDIR
XDG_RUNTIME_DIR
container
TZDIR
PYTHONPATH
PYTHONPYCACHEPREFIX
PERLLIB
PERL5LIB
XCURSOR_PATH
GST_PLUGIN_PATH_1_0
GST_REGISTRY
GST_REGISTRY_1_0
GST_PLUGIN_PATH
GST_PLUGIN_SYSTEM_PATH
GST_PLUGIN_SCANNER
GST_PLUGIN_SCANNER_1_0
GST_PLUGIN_SYSTEM_PATH_1_0
GST_PRESET_PATH
GST_PTP_HELPER
GST_PTP_HELPER_1_0
GST_INSTALL_PLUGINS_HELPER
KRB5CCNAME
XKB_CONFIG_ROOT
GIO_EXTRA_MODULES
GDK_BACKEND
VK_ADD_DRIVER_FILES
VK_ADD_LAYER_PATH
VK_DRIVER_FILES
VK_ICD_FILENAMES
VK_LAYER_PATH
__EGL_EXTERNAL_PLATFORM_CONFIG_DIRS
__EGL_EXTERNAL_PLATFORM_CONFIG_FILENAMES
__EGL_VENDOR_LIBRARY_DIRS
__EGL_VENDOR_LIBRARY_FILENAMES
Also several environment variables with the prefix "GST_" that are
used by gstreamer are unset (since Flatpak 1.12.5).
Flatpak also overrides the XDG environment variables to point
sandboxed applications at their writable filesystem locations
below ~/.var/app/$APPID/:
XDG_DATA_HOME
XDG_CONFIG_HOME
XDG_CACHE_HOME
XDG_STATE_HOME (since Flatpak 1.13)
Apps can use the --persist=.local/state and
--unset-env=XDG_STATE_HOME options to get a Flatpak
1.13-compatible ~/.local/state on older versions of Flatpak.
The host values of these variables are made available inside the
sandbox via these HOST_-prefixed variables:
HOST_XDG_DATA_HOME
HOST_XDG_CONFIG_HOME
HOST_XDG_CACHE_HOME
HOST_XDG_STATE_HOME (since Flatpak 1.13)
Flatpak sets the environment variable FLATPAK_ID to the
application ID of the running app.
Flatpak also bind-mounts as read-only the host's /etc/os-release
(if available, or /usr/lib/os-release as a fallback) to
/run/host/os-release in accordance with the os-release
specification[1].
If parental controls support is enabled, flatpak will check the
current user’s parental controls settings, and will refuse to run
an app if it is blocklisted for the current user.
The following options are understood:
-h, --help
Show help options and exit.
-u, --user
Look for the application and runtime in per-user
installations.
--system
Look for the application and runtime in the default
system-wide installations.
--installation=NAME
Look for the application and runtime in the system-wide
installation specified by NAME among those defined in
/etc/flatpak/installations.d/. Using --installation=default is
equivalent to using --system.
-v, --verbose
Print debug information during command processing.
--ostree-verbose
Print OSTree debug information during command processing.
--arch=ARCH
The architecture to run. See flatpak --supported-arches for
architectures supported by the host.
--command=COMMAND
The command to run instead of the one listed in the
application metadata.
--cwd=DIR
The directory to run the command in. Note that this must be a
directory inside the sandbox.
--branch=BRANCH
The branch to use.
-d, --devel
Use the devel runtime that is specified in the application
metadata instead of the regular runtime, and use a seccomp
profile that is less likely to break development tools.
--runtime=RUNTIME
Use this runtime instead of the one that is specified in the
application metadata. This is a full tuple, like for example
org.freedesktop.Sdk/x86_64/1.2, but partial tuples are
allowed. Any empty or missing parts are filled in with the
corresponding values specified by the app.
--runtime-version=VERSION
Use this version of the runtime instead of the one that is
specified in the application metadata. This overrides any
version specified with the --runtime option.
--share=SUBSYSTEM
Share a subsystem with the host session. This overrides the
Context section from the application metadata. SUBSYSTEM must
be one of: network, ipc. This option can be used multiple
times.
--unshare=SUBSYSTEM
Don't share a subsystem with the host session. This overrides
the Context section from the application metadata. SUBSYSTEM
must be one of: network, ipc. This option can be used multiple
times.
--socket=SOCKET
Expose a well known socket to the application. This overrides
to the Context section from the application metadata. SOCKET
must be one of: x11, wayland, fallback-x11, pulseaudio,
system-bus, session-bus, ssh-auth, pcsc, cups, gpg-agent,
inherit-wayland-socket. This option can be used multiple
times.
--nosocket=SOCKET
Don't expose a well known socket to the application. This
overrides to the Context section from the application
metadata. SOCKET must be one of: x11, wayland, fallback-x11,
pulseaudio, system-bus, session-bus, ssh-auth, pcsc, cups,
gpg-agent, inherit-wayland-socket. This option can be used
multiple times.
--device=DEVICE
Expose a device to the application. This overrides to the
Context section from the application metadata. DEVICE must be
one of: dri, usb, input, kvm, shm, all. This option can be
used multiple times.
--nodevice=DEVICE
Don't expose a device to the application. This overrides to
the Context section from the application metadata. DEVICE
must be one of: dri, usb, input, kvm, shm, all. This option
can be used multiple times.
--allow=FEATURE
Allow access to a specific feature. This overrides to the
Context section from the application metadata. FEATURE must
be one of: devel, multiarch, bluetooth. This option can be
used multiple times.
See flatpak-build-finish(1) for the meaning of the various
features.
--disallow=FEATURE
Disallow access to a specific feature. This overrides to the
Context section from the application metadata. FEATURE must
be one of: devel, multiarch, bluetooth. This option can be
used multiple times.
--filesystem=FILESYSTEM
Allow the application access to a subset of the filesystem.
This overrides to the Context section from the application
metadata. FILESYSTEM can be one of: home, host, host-os,
host-etc, xdg-desktop, xdg-documents, xdg-download, xdg-music,
xdg-pictures, xdg-public-share, xdg-templates, xdg-videos,
xdg-run, xdg-config, xdg-cache, xdg-data, an absolute path, or
a homedir-relative path like ~/dir or paths relative to the
xdg dirs, like xdg-download/subdir. The optional :ro suffix
indicates that the location will be read-only. The optional
:create suffix indicates that the location will be read-write
and created if it doesn't exist. This option can be used
multiple times. See the "[Context] filesystems" list in
flatpak-metadata(5) for details of the meanings of these
filesystems.
--nofilesystem=FILESYSTEM
Undo the effect of a previous --filesystem=FILESYSTEM in the
app's manifest and/or the overrides set up with
flatpak-override(1). This overrides the Context section of the
application metadata. FILESYSTEM can take the same values as
for --filesystem, but the :ro and :create suffixes are not
used here. This option can be used multiple times.
This option does not prevent access to a more narrowly-scoped
--filesystem. For example, if an application has the
equivalent of --filesystem=xdg-config/MyApp in its manifest or
as a system-wide override, and flatpak override --user
--nofilesystem=home as a per-user override, then it will be
prevented from accessing most of the home directory, but it
will still be allowed to access $XDG_CONFIG_HOME/MyApp.
As a special case, --nofilesystem=host:reset will ignore all
--filesystem permissions inherited from the app manifest or
flatpak-override(1), in addition to having the behaviour of
--nofilesystem=host.
--add-policy=SUBSYSTEM.KEY=VALUE
Add generic policy option. For example,
"--add-policy=subsystem.key=v1 --add-policy=subsystem.key=v2"
would map to this metadata:
[Policy subsystem]
key=v1;v2;
This option can be used multiple times.
--remove-policy=SUBSYSTEM.KEY=VALUE
Remove generic policy option. This option can be used multiple
times.
--usb=TYPE[:DATA]
Adds a USB device query to the application metadata. This
allows device enumeration and usage by the USB portal. TYPE
must be one of: all, cls, dev, vnd.
all
Match all devices.
cls
A device class and subclass query. DATA must be in the
form of CLASS:SUBCLASS where both CLASS and SUBCLASS must
be a valid 2-digit hexadecimal class id number.
Alternatively, SUBCLASS may be * to match all subclasses.
dev
A device product id query. DATA must be a valid 4-digit
hexadecimal product id number, for example 0a1b. It
requires a vnd filter in the query.
vnd
A device vendor id query. DATA must be a valid 4-digit
hexadecimal vendor id number greater than zero, for
example 0fab.
It is possible to compose multiple device queries together
with the + sign, for example --usb=vnd:0123+dev:4567. The dev
filter requires a vnd. Available since 1.15.11.
--nousb=VENDOR_ID:PRODUCT_ID
Adds a blocking USB device query to the application metadata.
Blocked devices take precedence over allowed devices. The
syntax is exactly equal to --usb. Available since 1.15.11.
--env=VAR=VALUE
Set an environment variable in the application. This overrides
to the Context section from the application metadata. This
option can be used multiple times.
--unset-env=VAR
Unset an environment variable in the application. This
overrides the unset-environment entry in the [Context] group
of the metadata, and the [Environment] group. This option can
be used multiple times.
--env-fd=FD
Read environment variables from the file descriptor FD, and
set them as if via --env. This can be used to avoid
environment variables and their values becoming visible to
other users.
Each environment variable is in the form VAR=VALUE followed by
a zero byte. This is the same format used by env -0 and
/proc/*/environ.
--own-name=NAME
Allow the application to own the well known name NAME on the
session bus. If NAME ends with .*, it allows the application
to own all matching names. This overrides to the Context
section from the application metadata. This option can be used
multiple times.
--talk-name=NAME
Allow the application to talk to the well known name NAME on
the session bus. If NAME ends with .*, it allows the
application to talk to all matching names. This overrides to
the Context section from the application metadata. This option
can be used multiple times.
--no-talk-name=NAME
Don't allow the application to talk to the well known name
NAME on the session bus. If NAME ends with .*, it allows the
application to talk to all matching names. This overrides to
the Context section from the application metadata. This option
can be used multiple times.
--system-own-name=NAME
Allow the application to own the well known name NAME on the
system bus. If NAME ends with .*, it allows the application to
own all matching names. This overrides to the Context section
from the application metadata. This option can be used
multiple times.
--system-talk-name=NAME
Allow the application to talk to the well known name NAME on
the system bus. If NAME ends with .*, it allows the
application to talk to all matching names. This overrides to
the Context section from the application metadata. This option
can be used multiple times.
--system-no-talk-name=NAME
Don't allow the application to talk to the well known name
NAME on the system bus. If NAME ends with .*, it allows the
application to talk to all matching names. This overrides to
the Context section from the application metadata. This option
can be used multiple times.
--a11y-own-name=NAME
Allow the application to own the well known name NAME on the
a11y bus. If NAME ends with .*, it allows the application to
own all matching names. This overrides to the Context section
from the application metadata. This option can be used
multiple times.
--persist=FILENAME
If the application doesn't have access to the real homedir,
make the (homedir-relative) path FILENAME a bind mount to the
corresponding path in the per-application directory, allowing
that location to be used for persistent data. This overrides
to the Context section from the application metadata. This
option can be used multiple times.
--no-session-bus
Run this instance without the filtered access to the session
dbus connection. Note, this is the default when run with
--sandbox.
--session-bus
Allow filtered access to the session dbus connection. This is
the default, except when run with --sandbox.
In sandbox mode, even if you allow access to the session bus
the sandbox cannot talk to or own the application ids
(org.the.App.*) on the bus (unless explicitly added), only
names in the .Sandboxed subset (org.the.App.Sandboxed.* and
org.mpris.MediaPlayer2.org.the.App.Sandboxed.*).
--no-a11y-bus
Run this instance without the access to the accessibility bus.
Note, this is the default when run with --sandbox.
--a11y-bus
Allow access to the accessibility bus. This is the default,
except when run with --sandbox.
--sandbox
Run the application in sandboxed mode, which means dropping
all the extra permissions it would otherwise have, as well as
access to the session/system/a11y busses and document portal.
--log-session-bus
Log session bus traffic. This can be useful to see what access
you need to allow in your D-Bus policy.
--log-system-bus
Log system bus traffic. This can be useful to see what access
you need to allow in your D-Bus policy.
-p, --die-with-parent
Kill the entire sandbox when the launching process dies.
--parent-pid=PID
Specifies the pid of the "parent" flatpak, used by
--parent-expose-pids and --parent-share-pids.
--parent-expose-pids
Make the processes of the new sandbox visible in the sandbox
of the parent flatpak, as defined by --parent-pid.
--parent-share-pids
Use the same process ID namespace for the processes of the new
sandbox and the sandbox of the parent flatpak, as defined by
--parent-pid. Implies --parent-expose-pids.
--instance-id-fd
Write the instance ID string to the given file descriptor.
--file-forwarding
If this option is specified, the remaining arguments are
scanned, and all arguments that are enclosed between a pair of
'@@' arguments are interpreted as file paths, exported in the
document store, and passed to the command in the form of the
resulting document path. Arguments between "@@u" and "@@" are
considered URIs, and any "file:" URIs are exported. The
exports are non-persistent and with read and write permissions
for the application.
--app-path=PATH
Instead of mounting the app's content on /app in the sandbox,
mount PATH on /app, and the app's content on /run/parent/app.
If the app has extensions, they will also be redirected into
/run/parent/app, and will not be included in the
LD_LIBRARY_PATH inside the sandbox.
--app-path=
As a special case, --app-path= (with an empty PATH) results in
an empty directory being mounted on /app.
--usr-path=PATH
Instead of mounting the runtime's files on /usr in the
sandbox, mount PATH on /usr, and the runtime's normal files on
/run/parent/usr. If the runtime has extensions, they will also
be redirected into /run/parent/usr, and will not be included
in the LD_LIBRARY_PATH inside the sandbox.
This option will usually only be useful if it is combined with
--app-path= and --env=LD_LIBRARY_PATH=....
$ flatpak run org.gnome.gedit
$ flatpak run --devel --command=bash org.gnome.Builder
$ flatpak run --command=bash org.gnome.Sdk
$ flatpak run org.gnome.Boxes --nousb=0fd9:*
flatpak(1), flatpak-override(1), flatpak-enter(1)
1. os-release specification
https://www.freedesktop.org/software/systemd/man/os-release.html
This page is part of the flatpak (a tool for building and
distributing desktop applications on Linux) project. Information
about the project can be found at ⟨http://flatpak.org/⟩. It is
not known how to report bugs for this man page; if you know,
please send a mail to man-pages@man7.org. This page was obtained
from the project's upstream Git repository
⟨https://github.com/flatpak/flatpak⟩ on 2025-08-11. (At that
time, the date of the most recent commit that was found in the
repository was 2025-08-06.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
flatpak FLATPAK RUN(1)
Pages that refer to this page: flatpak(1), flatpak-enter(1), flatpak-kill(1), flatpak-override(1), flatpak-ps(1), flatpak-spawn(1), flatpak-metadata(5)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|