FLATPAK OVERRIDE(1)             flatpak override             FLATPAK OVERRIDE(1)

NAME
       flatpak-override - Override application requirements

SYNOPSIS
       flatpak override [OPTION...] [APP]

DESCRIPTION
       Overrides the application-specified runtime requirements. This can be
       used to grant a sandboxed application more or less resources than it
       requested.

       By default the application gets access to the resources it requested
       when it is started. But the user can override it on a particular
       instance by specifying extra arguments to flatpak run, or every time by
       using flatpak override.

       If the application ID APP is not specified then the overrides affect
       all applications, but the per-application overrides can override the
       global overrides.

       Unless overridden with the --user or --installation options, this
       command changes the default system-wide installation.

OPTIONS
       The following options are understood:

       -h, --help
           Show help options and exit.

       -u, --user
           Update a per-user installation.

       --system
           Update the default system-wide installation.

       --installation=NAME
           Update a system-wide installation specified by NAME among those
           defined in /etc/flatpak/installations.d/. Using
           --installation=default is equivalent to using --system.

       --share=SUBSYSTEM
           Share a subsystem with the host session. This overrides the Context
           section from the application metadata. SUBSYSTEM must be one of:
           network, ipc. This option can be used multiple times.

       --unshare=SUBSYSTEM
           Don't share a subsystem with the host session. This overrides the
           Context section from the application metadata. SUBSYSTEM must be
           one of: network, ipc. This option can be used multiple times.

       --socket=SOCKET
           Expose a well-known socket to the application. This overrides the
           Context section from the application metadata. SOCKET must be one
           of: x11, wayland, fallback-x11, pulseaudio, system-bus,
           session-bus, ssh-auth, pcsc, cups, gpg-agent. This option can be
           used multiple times.

       --nosocket=SOCKET
           Don't expose a well-known socket to the application. This overrides
           the Context section from the application metadata. SOCKET must be
           one of: x11, wayland, fallback-x11, pulseaudio, system-bus,
           session-bus, ssh-auth, pcsc, cups, gpg-agent. This option can be
           used multiple times.

       --device=DEVICE
           Expose a device to the application. This overrides the Context
           section from the application metadata. DEVICE must be one of: dri,
           kvm, shm, all. This option can be used multiple times.

       --nodevice=DEVICE
           Don't expose a device to the application. This overrides the
           Context section from the application metadata. DEVICE must be one
           of: dri, kvm, shm, all. This option can be used multiple times.

       --allow=FEATURE
           Allow access to a specific feature. This updates the [Context]
           group in the metadata. FEATURE must be one of: devel, multiarch,
           bluetooth, canbus, per-app-dev-shm. This option can be used
           multiple times.

           See flatpak-build-finish(1) for the meaning of the various
           features.

       --disallow=FEATURE
           Disallow access to a specific feature. This updates the [Context]
           group in the metadata. FEATURE must be one of: devel, multiarch,
           bluetooth, canbus, per-app-dev-shm. This option can be used
           multiple times.

       --filesystem=FILESYSTEM
           Allow the application access to a subset of the filesystem. This
           overrides the Context section from the application metadata.
           FILESYSTEM can be one of: home, host, host-os, host-etc,
           xdg-desktop, xdg-documents, xdg-download, xdg-music, xdg-pictures,
           xdg-public-share, xdg-templates, xdg-videos, xdg-run, xdg-config,
           xdg-cache, xdg-data, an absolute path, or a homedir-relative path
           like ~/dir or paths relative to the xdg dirs, like
           xdg-download/subdir. The optional :ro suffix indicates that the
           location will be read-only. The optional :create suffix indicates
           that the location will be read-write and created if it doesn't
           exist. This option can be used multiple times. See the "[Context]
           filesystems" list in flatpak-metadata(5) for details of the
           meanings of these filesystems.

       --nofilesystem=FILESYSTEM
           Undo the effect of a previous --filesystem=FILESYSTEM in the app's
           manifest or a lower-precedence layer of overrides, and/or remove a
           previous --filesystem=FILESYSTEM from this layer of overrides. This
           overrides the Context section of the application metadata.
           FILESYSTEM can take the same values as for --filesystem, but the
           :ro and :create suffixes are not used here. This option can be used
           multiple times.

           This option does not prevent access to a more narrowly-scoped
           --filesystem. For example, if an application has the equivalent of
           --filesystem=xdg-config/MyApp in its manifest or as a system-wide
           override, and flatpak override --user --nofilesystem=home as a
           per-user override, then it will be prevented from accessing most of
           the home directory, but it will still be allowed to access
           $XDG_CONFIG_HOME/MyApp.

           As a special case, --nofilesystem=host:reset will ignore all
           --filesystem permissions inherited from the app manifest or a
           lower-precedence layer of overrides, in addition to having the
           behaviour of --nofilesystem=host.

       --add-policy=SUBSYSTEM.KEY=VALUE
           Add a generic policy option. For example,
           "--add-policy=subsystem.key=v1 --add-policy=subsystem.key=v2" would
           map to this metadata:

               [Policy subsystem]
               key=v1;v2;

           This option can be used multiple times.

       --remove-policy=SUBSYSTEM.KEY=VALUE
           Remove a generic policy option. This option can be used multiple
           times.

       --env=VAR=VALUE
           Set an environment variable in the application. This overrides the
           Context section from the application metadata. This option can be
           used multiple times.

       --unset-env=VAR
           Unset an environment variable in the application. This overrides
           the unset-environment entry in the [Context] group of the metadata,
           and the [Environment] group. This option can be used multiple
           times.

       --env-fd=FD
           Read environment variables from the file descriptor FD, and set
           them as if via --env. This can be used to avoid environment
           variables and their values becoming visible to other users.

           Each environment variable is in the form VAR=VALUE followed by a
           zero byte. This is the same format used by env -0 and
           /proc/*/environ.

       --own-name=NAME
           Allow the application to own the well-known name NAME on the
           session bus. This overrides the Context section from the
           application metadata. This option can be used multiple times.

       --talk-name=NAME
           Allow the application to talk to the well-known name NAME on the
           session bus. This overrides the Context section from the
           application metadata. This option can be used multiple times.

       --no-talk-name=NAME
           Don't allow the application to talk to the well-known name NAME on
           the session bus. This overrides the Context section from the
           application metadata. This option can be used multiple times.

       --system-own-name=NAME
           Allow the application to own the well-known name NAME on the system
           bus. If NAME ends with .*, it allows the application to own all
           matching names. This overrides the Context section from the
           application metadata. This option can be used multiple times.

       --system-talk-name=NAME
           Allow the application to talk to the well-known name NAME on the
           system bus. If NAME ends with .*, it allows the application to talk
           to all matching names. This overrides the Context section from the
           application metadata. This option can be used multiple times.

       --system-no-talk-name=NAME
           Don't allow the application to talk to the well-known name NAME on
           the system bus. If NAME ends with .*, this applies to all matching
           names. This overrides the Context section from the application
           metadata. This option can be used multiple times.

       --persist=FILENAME
           If the application doesn't have access to the real homedir, make
           the (homedir-relative) path FILENAME a bind mount to the
           corresponding path in the per-application directory, allowing that
           location to be used for persistent data. This overrides the Context
           section from the application metadata. This option can be used
           multiple times.

       --reset
           Remove overrides. If an APP is given, remove the overrides for that
           application, otherwise remove the global overrides.

       --show
           Shows overrides. If an APP is given, shows the overrides for that
           application, otherwise shows the global overrides.

       -v, --verbose
           Print debug information during command processing.

       --ostree-verbose
           Print OSTree debug information during command processing.

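An added example (not part of the flatpak manual) of the record format that --env-fd reads, and of handing the records to flatpak override on file descriptor 3 instead of on the command line. The helper names env_records and apply_env_override and the sample variables are assumptions of this example.

```shell
#!/bin/sh
# env_records and apply_env_override are hypothetical helpers, not flatpak commands.

# Print each VAR=VALUE argument followed by a zero byte, the record format
# that --env-fd reads (the same framing as `env -0` and /proc/*/environ).
# All records are checked before anything is written.
env_records() {
    for rec in "$@"; do
        case $rec in
            =*)  echo "env_records: empty variable name" >&2; return 1 ;;
            *=*) ;;
            *)   echo "env_records: record is not VAR=VALUE" >&2; return 1 ;;
        esac
    done
    for rec in "$@"; do
        printf '%s\0' "$rec"
    done
}

# Store the variables as a per-user override for one application. The values
# travel over file descriptor 3, so they never appear in flatpak's argument
# list, which other local users can normally read from the process table.
apply_env_override() {   # usage: apply_env_override APP VAR=VALUE...
    app=$1
    shift
    env_records "$@" >/dev/null || return 1
    env_records "$@" | flatpak override --user --env-fd=3 "$app" 3<&0
}

# Constructed demonstration: a value containing a newline is still a single
# record, because only the zero byte ends a record. Prints the record count.
env_records 'GREETING=hello
world' 'MODE=test' | tr -cd '\0' | wc -c
```
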
EXAMPLES
       $ flatpak override --nosocket=wayland org.gnome.gedit

       $ flatpak override --filesystem=home org.mozilla.Firefox

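An added example (not part of the flatpak manual): a review helper that reads the text printed by flatpak override --show and lists grants that widen the sandbox, such as the --filesystem=home override above. The helper name, the constructed sample and the choice of which grants count as broad are assumptions of this example; it also assumes --show prints [Context] key-file lines in which a leading ! marks a removed permission.

```shell
#!/bin/sh
# audit_overrides is a hypothetical helper, not part of flatpak. It reads the
# key-file text printed by `flatpak override --show [APP]` on stdin and prints
# every [Context] grant found on the "broad" list below. That list is this
# example's own review policy, not a flatpak classification.
audit_overrides() {
    awk '
        function mark(key, names,    a, n, i) {
            n = split(names, a, " ")
            for (i = 1; i <= n; i++) broad[key "=" a[i]] = 1
        }
        BEGIN {
            mark("filesystems", "home host host-os host-etc")
            mark("sockets", "session-bus system-bus ssh-auth gpg-agent")
            mark("devices", "all")
        }
        /^\[/ { in_context = ($0 == "[Context]"); next }
        in_context && /^(filesystems|sockets|devices)=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            count = split(substr($0, eq + 1), items, ";")
            for (i = 1; i <= count; i++) {
                item = items[i]
                if (item == "" || item ~ /^!/) continue  # "!" entries remove access
                base = item
                sub(/:(ro|create)$/, "", base)           # read-only is still exposure
                if ((key "=" base) in broad) print key "=" item
            }
        }
    '
}

# Constructed sample of --show output; not taken from a real system.
sample_overrides() {
    cat <<'EOF'
[Context]
sockets=!wayland;session-bus;
devices=dri;
filesystems=home;xdg-download:ro;host-etc:ro;

[Environment]
LANG=C
EOF
}

# Real use: flatpak override --show [APP] | audit_overrides
sample_overrides | audit_overrides
```
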
SEE ALSO
       flatpak(1), flatpak-run(1)