mpeter
April 14, 2025, 9:24am
1
Over at the KeepassXC password manager we had an issue for a longer time, where the Firefox addon used to access our passwords was only operational if the Firefox/Librewolf flatpak app was started after KeepassXC.
Recently we figured out the reason it worked this way. We wanted to make filesystem access so tight that we only passed in the Unix socket file with the filesystem override configuration:
flatpak override --filesystem=xdg-run/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer org.mozilla.firefox
But it turns out that this socket file gets recreated when Keepass starts up, even if it exists already. After that happens, software in the flatpak environment cant connect to the socket anymore.
My question is, what can we do to give access to this file for the flatpak app, but only this one, while making it so that it is reflected in the app’s view when it is recreated?
Currently we solve it by passing in the file by its parent directory that is not normally recreated, like this:
flatpak override --filesystem=xdg-run/app/org.keepassxc.KeePassXC/:create org.mozilla.firefox
But we treat this as a workaround for giving the app unnecessarily broad access.
If this is not the right place for asking this, please let me know.
3 Likes
mpeter
April 14, 2025, 9:27am
2
There was a post on this forum that is somewhat similar to this issue, but it did not receive a response.
Hi,
I tried the following perms:
–filesystem=~/.app.cfg
–filesystem=xdg-documents
and they work…as long as ~/.app.cfg already exists. If it does not, the file ~/.app.cfg does not get created and the write fails. Note that the application chooses that name prefixed with a dot.
Any ideas on how to allow it to be created? The ‘:create’ suffix does not work…it creates a DIRECTORY named .app.cfg.
Thanks, Patrick
rugk
April 14, 2025, 4:01pm
3
Ah note flatpak is not Flathub, so I’m indeed not sure this is the correct community forum.
Anyway, I’ve found an issue on flatpak which may be related here:
opened 06:26PM - 28 Mar 23 UTC
bug
wontfix
sandbox
### Checklist
- [X] I agree to follow the [Code of Conduct](https://github.co… m/flatpak/flatpak/blob/main/CODE_OF_CONDUCT.md) that this project adheres to.
- [X] I have searched the [issue tracker](https://www.github.com/flatpak/flatpak/issues) for a bug that matches the one I want to file, without success.
- [X] If this is an issue with a particular app, I have tried filing it in the appropriate issue tracker for the app (e.g. under https://github.com/flathub/) and determined that it is an issue with Flatpak itself.
- [X] This issue is not a report of a security vulnerability (see [here](https://github.com/flatpak/flatpak/blob/main/SECURITY.md) if you need to report a security issue).
### Flatpak version
1.15.4
### What Linux distribution are you using?
Arch Linux
### Linux distribution version
Linux arch-inspiron 6.2.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 13 Mar 2023 17:02:08 +0000 x86_64 GNU/Linux
### What architecture are you using?
x86_64
### How to reproduce
1. install a random app
2. make sure there's no ~/.config/test
3. flatpak run --command=sh --filesystem=xdg-config/test:ro [app]
4. Create ~/.config/test file on the host
5. cat ~/.config/test in the container, "no file exists".
6. quit container
7. create ~/.config/test with content `echo abcd > ~/.config/test`
8. flatpak run --command=sh --filesystem=xdg-config/test:ro [app]
9. cat ~/.config/test in the container, shows "abcd"
10. delete and recreate ~/.config/test on the host: `rm ~/.config/test; echo efgh > ~/.config/test`
11. cat ~/.config/test, still shows "abcd"
### Expected Behavior
The xdg-config/file should always in-sync with the host filesystem.
### Actual Behavior
xdg-config/file seems to be snapshot when the app starts.
### Additional Information
There are lots of KDE apps passes xdg-config/kdeglobals:ro to obtain the colorscheme. But changing colorscheme doesn't work since kdeglobals in the container is not updated.
This explains the cause and could be it, is not it?
mpeter
April 14, 2025, 4:36pm
4
oh well, I could have paid a little more attention…
but that github issues seems to be it!