Remapping host directories into the sandbox

I’m trying to package up an application that expects users to provide some proprietary files in a hardcoded directory relative to the main executable. Ideally I suppose the application would use a portal to have the user select the file and then copy it into the sandbox, or maybe read the files from XDG_DATA or something, but it’s not my application, so here we are.

What’s the recommended approach here? I read about --persist being able to map host directories into the sandbox, but it doesn’t seem like it would let me do something like mapping ~/.local/share/$APP_ID/foo to /app/bin/foo in the sandbox, and as far as I can tell the application only needs read access, so giving it write access to the home dir doesn’t sound right.

Another option I’m considering, although I don’t really want to do it, is to write an entrypoint script that uses zenity to have the user select the files from the host, and then copy them into where the application expects them. That would technically work for this case, but it doesn’t really scale. For example, consider a game that lets users provide mods by putting them into some mod directory. The user would need to be able to access the directory themselves.

I’m really interested in two cases:

  1. What’s the recommended approach for proprietary applications or applications that are just not interested in changing in order to work better when run in a sandbox? Could I somehow symlink $XDG_DATA_HOME/foo to /app/foo?
  2. In an ideal world where I can make any changes to the application, what is the best approach when the application wants to access some user-provided files? Tell the user to put them somewhere in $XDG_DATA_HOME?

I don’t know whether this is a recommended approach, but you should be able to install a symlink in /app pointing into /var/data, which is a special way to access XDG_DATA_HOME with a fixed path.