1FLATPAK RUN(1) flatpak run FLATPAK RUN(1)
2
3
4
6 flatpak-run - Run an application or open a shell in a runtime
7
9 flatpak run [OPTION...] REF [ARG...]
10
12 If REF names an installed application, flatpak runs the application in
13 a sandboxed environment. Extra arguments are passed on to the
14 application.
15
16 If REF names a runtime, a shell is opened in the runtime. This is
17 useful for development and testing.
18
19 By default, flatpak will look for the application or runtime in all
20 per-user and system installations. This can be overridden with the
21 --user, --system and --installation options.
22
23 flatpak creates a sandboxed environment for the application to run in
24 by mounting the right runtime at /usr and a writable directory at /var,
25 whose content is preserved between application runs. The application
26 itself is mounted at /app.
27
28 The details of the sandboxed environment are controlled by the
29 application metadata and various options like --share and --socket that
30 are passed to the run command: Access is allowed if it was requested
31 either in the application metadata file or with an option and the user
32 hasn't overridden it.
33
34 The remaining arguments are passed to the command that gets run in the
35 sandboxed environment. See the --file-forwarding option for handling of
36 file arguments.
37
38 Environment variables are generally passed on to the sandboxed
39 application, with certain exceptions. The application metadata can
40 override environment variables, as well as the --env option. Apart from
41 that, Flatpak always unsets or overrides the following variables, since
42 their session values are likely to interfere with the functioning of
43 the sandbox:
44 PATH
45 LD_LIBRARY_PATH
46 XDG_CONFIG_DIRS
47 XDG_DATA_DIRS
48 SHELL
49 TMPDIR
50 PYTHONPATH
51 PERLLIB
52 PERL5LIB
53 XCURSOR_PATH
54
55 Flatpak also overrides the XDG environment variables to point sandboxed
56 applications at their writable filesystem locations below
57 ~/.var/app/$APPID/:
58 XDG_DATA_HOME
59 XDG_CONFIG_HOME
60 XDG_CACHE_HOME
61
62 The host values of these variables are made available inside the
63 sandbox via these HOST_-prefixed variables:
64 HOST_XDG_DATA_HOME
65 HOST_XDG_CONFIG_HOME
66 HOST_XDG_CACHE_HOME
67
68 Flatpak sets the environment variable FLATPAK_ID to the application ID
69 of the running app.
70
72 The following options are understood:
73
74 -h, --help
75 Show help options and exit.
76
77 --user
78 Look for the application and runtime in per-user installations.
79
80 --system
81 Look for the application and runtime in the default system-wide
82 installations.
83
84 --installation=NAME
85 Look for the application and runtime in the system-wide
86 installation specified by NAME among those defined in
87 /etc/flatpak/installations.d/. Using --installation=default is
88 equivalent to using --system.
89
90 -v, --verbose
91 Print debug information during command processing.
92
93 --ostree-verbose
94 Print OSTree debug information during command processing.
95
96 --arch=ARCH
97 The architecture to install for.
98
99 --command=COMMAND
100 The command to run instead of the one listed in the application
101 metadata.
102
103 --cwd=DIR
104 The directory to run the command in. Note that this must be a
105 directory inside the sandbox.
106
107 --branch=BRANCH
108 The branch to use.
109
110 -d, --devel
111 Use the devel runtime that is specified in the application metadata
112 instead of the regular runtime, and use a seccomp profile that is
113 less likely to break development tools.
114
115 --runtime=RUNTIME
116 Use this runtime instead of the one that is specified in the
117 application metadata. This is a full tuple, like for example
118 org.freedesktop.Sdk/x86_64/1.2, but partial tuples are allowed. Any
119 empty or missing parts are filled in with the corresponding values
120 specified by the app.
121
122 --runtime-version=VERSION
123 Use this version of the runtime instead of the one that is
124 specified in the application metadata. This overrides any version
125 specified with the --runtime option.
126
127 --share=SUBSYSTEM
128 Share a subsystem with the host session. This overrides the Context
129 section from the application metadata. SUBSYSTEM must be one of:
130 network, ipc. This option can be used multiple times.
131
132 --unshare=SUBSYSTEM
133 Don't share a subsystem with the host session. This overrides the
134 Context section from the application metadata. SUBSYSTEM must be
135 one of: network, ipc. This option can be used multiple times.
136
137 --socket=SOCKET
138 Expose a well known socket to the application. This overrides to
139 the Context section from the application metadata. SOCKET must be
140 one of: x11, wayland, fallback-x11, pulseaudio, system-bus,
141 session-bus, ssh-auth. This option can be used multiple times.
142
143 --nosocket=SOCKET
144 Don't expose a well known socket to the application. This overrides
145 to the Context section from the application metadata. SOCKET must
146 be one of: x11, wayland, fallback-x11, pulseaudio, system-bus,
147 session-bus, ssh-auth. This option can be used multiple times.
148
149 --device=DEVICE
150 Expose a device to the application. This overrides to the Context
151 section from the application metadata. DEVICE must be one of: dri,
152 kvm, all. This option can be used multiple times.
153
154 --nodevice=DEVICE
155 Don't expose a device to the application. This overrides to the
156 Context section from the application metadata. DEVICE must be one
157 of: dri, kvm, all. This option can be used multiple times.
158
159 --allow=FEATURE
160 Allow access to a specific feature. This overrides to the Context
161 section from the application metadata. FEATURE must be one of:
162 devel, multiarch, bluetooth. This option can be used multiple
163 times.
164
165 See flatpak-build-finish(1) for the meaning of the various
166 features.
167
168 --disallow=FEATURE
169 Disallow access to a specific feature. This overrides to the
170 Context section from the application metadata. FEATURE must be one
171 of: devel, multiarch, bluetooth. This option can be used multiple
172 times.
173
174 --filesystem=FILESYSTEM
175 Allow the application access to a subset of the filesystem. This
176 overrides to the Context section from the application metadata.
177 FILESYSTEM can be one of: home, host, xdg-desktop, xdg-documents,
178 xdg-download, xdg-music, xdg-pictures, xdg-public-share,
179 xdg-templates, xdg-videos, xdg-run, xdg-config, xdg-cache,
180 xdg-data, an absolute path, or a homedir-relative path like ~/dir
181 or paths relative to the xdg dirs, like xdg-download/subdir. The
182 optional :ro suffix indicates that the location will be read-only.
183 The optional :create suffix indicates that the location will be
184 read-write and created if it doesn't exist. This option can be used
185 multiple times.
186
187 --nofilesystem=FILESYSTEM
188 Remove access to the specified subset of the filesystem from the
189 application. This overrides to the Context section from the
190 application metadata. FILESYSTEM can be one of: home, host,
191 xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures,
192 xdg-public-share, xdg-templates, xdg-videos, an absolute path, or a
193 homedir-relative path like ~/dir. This option can be used multiple
194 times.
195
196 --add-policy=SUBSYSTEM.KEY=VALUE
197 Add generic policy option. For example,
198 "--add-policy=subsystem.key=v1 --add-policy=subsystem.key=v2" would
199 map to this metadata:
200
201 [Policy subsystem]
202 key=v1;v2;
203
204
205 This option can be used multiple times.
206
207 --remove-policy=SUBSYSTEM.KEY=VALUE
208 Remove generic policy option. This option can be used multiple
209 times.
210
211 --env=VAR=VALUE
212 Set an environment variable in the application. This overrides to
213 the Context section from the application metadata. This option can
214 be used multiple times.
215
216 --own-name=NAME
217 Allow the application to own the well known name NAME on the
218 session bus. If NAME ends with .*, it allows the application to own
219 all matching names. This overrides to the Context section from the
220 application metadata. This option can be used multiple times.
221
222 --talk-name=NAME
223 Allow the application to talk to the well known name NAME on the
224 session bus. If NAME ends with .*, it allows the application to
225 talk to all matching names. This overrides to the Context section
226 from the application metadata. This option can be used multiple
227 times.
228
229 --system-own-name=NAME
230 Allow the application to own the well known name NAME on the system
231 bus. If NAME ends with .*, it allows the application to own all
232 matching names. This overrides to the Context section from the
233 application metadata. This option can be used multiple times.
234
235 --system-talk-name=NAME
236 Allow the application to talk to the well known name NAME on the
237 system bus. If NAME ends with .*, it allows the application to talk
238 to all matching names. This overrides to the Context section from
239 the application metadata. This option can be used multiple times.
240
241 --persist=FILENAME
242 If the application doesn't have access to the real homedir, make
243 the (homedir-relative) path FILENAME a bind mount to the
244 corresponding path in the per-application directory, allowing that
245 location to be used for persistent data. This overrides to the
246 Context section from the application metadata. This option can be
247 used multiple times.
248
249 --log-session-bus
250 Log session bus traffic. This can be useful to see what access you
251 need to allow in your D-Bus policy.
252
253 --log-system-bus
254 Log system bus traffic. This can be useful to see what access you
255 need to allow in your D-Bus policy.
256
257 -p, --die-with-parent
258 Kill the entire sandbox when the launching process dies.
259
260 --file-forwarding
261 If this option is specified, the remaining arguments are scanned,
262 and all arguments that are enclosed between a pair of '@@'
263 arguments are interpreted as file paths, exported in the document
264 store, and passed to the command in the form of the resulting
265 document path. Arguments between '@@u' and '@@' are considered
266 uris, and any file: uris are exported. The exports are
267 non-persistent and with read and write permissions for the
268 application.
269
271 $ flatpak run org.gnome.GEdit
272
273 $ flatpak run --devel --command=bash org.gnome.Builder
274
275 $ flatpak run --command=bash org.gnome.Sdk
276
278 flatpak(1), flatpak-override(1), flatpak-enter(1)
279
280
281
282flatpak FLATPAK RUN(1)