71

I installed Elisa music player from Flathub, but it refuses to see my Music partition, so I can't add any music to it's library unless I copy it to /home/my_user/.

Is there a way to give a Flatpak application permission to access non canonical addresses?

Aside from specifying it when compiling it...

eridani
  • 1,624

4 Answers4

91

To add to the other answer, another solution that worked for me was installing Flatseal. It makes setting permissions super easy and also has the added benefit of making the existing permissions really clear. Here's what adding a directory to steam looks like in Flatseal:

Adding extra directory to steam in Flatseal

I added the directory "MediaSSD" there, everything else is default.

Hassan
  • 1,143
  • 1
    Changing permissions might also reset all the preferences, at least this is what happened with Thunderbird. All the account settings were done, but, at least, now I can drag/drop files to attach them to messages! – Cosmin Saveanu Nov 13 '20 at 11:09
  • 3
    Because this tool downloads more than 200 megabytes of data in my case, it is possibly better to use other methods that does not require any further data installed. – 16851556 Mar 22 '22 at 15:05
  • Excuse me but what the hell is Red Alert bro is it like a alarm for the rise of the USSR or something – Missing User Jan 05 '25 at 23:16
83

This can be done via the command line. All the below commands will likely need to be run as root.

Granting Access

The specific command to grant permission to a particular path/folder is:

flatpak override <Application ID> --filesystem=<path_here>

To find the Application ID, as Johnny Baloney notes in the comments, use "flatpak list" (you'll probably want to combine with grep):

flatpak list | grep <part of program name (e.g. "elisa")>

The Application ID will look something like "org.kde.elisa".

If you have an odd path and get back an error about an "unexpected filesystem suffix", try putting the path in quotes:

flatpak override <Application ID> --filesystem="<unusual_path_here>"

You can also grant read-only access by appending ":ro" at the end of the path:

--filesystem=<path_here>:ro

Exceptions/limitations on what filesystem access can be granted are noted in the docs under Reserved Paths (see Dane Rossenrode's comment below for a quick reference).

Removing/Prevent Access

If you wish to block access to a particular path, use "--nofilesystem":

flatpak override <Application ID> --nofilesystem=<path_here>

Or you may use the "--reset" command to return ALL permissions to default (Warning! If you do not supply an Application ID with this command, permissions will be reset on ALL installed Flatpaks!):

flatpak override --reset <Application ID>

Other

Use "--show" to display edited permissions (including filesystem access):

flatpak override --show <Application ID>

and use "info --show-permissions" to list all permissions:

flatpak info --show-permissions <Application ID>

A more complete list of permissions/commands is found in the documentation for sandbox permissions and Flatpak commands.

Pockets
  • 1,233
  • Thanks, I can add Dropbox folder to the WPS Office path – Indacochea Wachín Apr 19 '19 at 14:35
  • I did this with --filesystem=/home/myuser and it worked. I then tried with / to beeing able to access my shares at /mnt and from now on, when I try to start the app I get wrap: Can't create file at /run/user/1000/bus: No such device or address. My app is Flacon (I need it for splitting a large flac file`). – bomben Jul 12 '21 at 15:24
  • Found a solution - flatpak override <package_name_here> --nofilesystem=<path_here>. So for you, do flatpak override com.github.Flacon --nofilesystem=/. – Pockets Jul 13 '21 at 17:49
  • 1
    Note that, according to the official docs, these directories are blacklisted: /lib, /lib32, /lib64, /bin, /sbin, /usr, /boot, /root, /tmp, /etc, /app, /run, /proc, /sys, /dev, /var, meaning you can't give an app access to them even using the override method. – Dane Rossenrode Aug 14 '21 at 07:44
  • 1
    What's missing from this answer is a way to check the current filesystem permissions. I couldn't find it in the linked documentation. – andrybak Feb 12 '22 at 11:47
  • 2
    $ flatpak list to get the package name. – Johnny Baloney Dec 23 '22 at 16:33
11

Run once to allow access to normal files on the host, not including host OS or system internals:

sudo flatpak override ApplicationIDHere --filesystem=host

ApplicationID is shown using command: sudo flatpak list

Then:

flatpak run ApplicationIDHere
16851556
  • 697
  • This was the only thing that worked for me for PPSSPP flatpak not being able to access $USER/.var/app/org.ppsspp.PPSSPP (which was a symlinked folder, but both the base folder and symlinked folder had correct permissions). – ipkpjersi May 01 '22 at 18:49
0

To add to this answer, which is similar to what Hassan said. I tried installing WhatsApp Web as a PWA. I needed to add these lines into Flatseal in order for Chrome being able to create a shortcut with a matching icon:

~/.local/share/applications

~/.local/share/icons

Remember to restart Chrome for the changes to take effect

Flatseal Chrome - File system - Other files - Entries

HotFix
  • 101