{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreifntgihzq3eo5tdjvaw7jpqbcrs4gdmd5ascbwhiq7x5qse7gtq7u",
"uri": "at://did:plc:yrn4rbgwenb6lfhhzjegbtnc/app.bsky.feed.post/3mkslsnjkdhb2"
},
"path": "/t/permanently-punching-through-flatpak-sandbox-how-do-you-get-dynamic-read-write-access/12075#post_1",
"publishedAt": "2026-05-01T08:13:56.000Z",
"site": "https://discourse.flathub.org",
"textContent": "Hi,\n\nI am developing a mod manager app for Linux, developed with Python and GTK4.\n\nI wanted my app to be available as a Flatpak, and seeing as the whole point is to sandbox the app, I want to try and do this as much as possible to reassure the user.\n\nMy app needs access to a few very specific paths which are defined in my finish-args like so:\n\n\n # Heroic\n - --filesystem=~/.config/heroic:ro # Standard\n - --filesystem=~/.var/app/com.heroicgameslauncher.hgl/config/heroic:ro # Flatpak\n # Steam\n - --filesystem=~/.local/share/Steam:ro # Standard\n - --filesystem=~/.var/app/com.valvesoftware.Steam:ro # Flatpak\n\n\nThese work just fine!\n\nHowever, during the app’s first startup I also want the user to define two paths which are custom and can be set wherever they want.\n\nAfter the user has selected those paths, I need read/write access to them.\n\nTo do this, I am using a standard `Gtk.FileDialog` which from what I understood is meant to punch through the Flatpak sandbox, which it doesn’t do. Or at the very least not in the way I expected?\n\nHere’s a snippet of what I currently do:\n\n\n    def on_select_downloads_folder_clicked(self, btn):\n        dialog = Gtk.FileDialog(title=_(\"Select Mod Downloads Folder\"))\n        dialog.select_folder(self.win, None, self.on_downloads_folder_selected_callback)\n\n\nMy problem here is twofold:\n\n 1. This returns an internal Flatpak sandboxed path, which is unusable for me (`run/user/1000/...`) → this is my biggest problem\n 2. This does not actually give me write or even read access to that path (at least it’s not visible when I check with Flatseal).\n * This I could potentially find a way to work around by generating a command for the user to execute in their terminal that will give me read/write access to the path they have provided\n\n\n\nAfter a bit more research I’ve come to understand that the file picker only temporarily punches through the portal to get access to a single file, and then the access is immediately lost or some such.\n\nThen how am I supposed to do what I’m trying to?\n\nAm I forced to simply have ` - --filesystem=host`?\n\nThis seems to defeat the entire purpose of sandboxing…\n\nIs there any way to just ask the user to confirm that I should have access to a specific path?\n\nThank you for any help.",
"title": "Permanently punching through Flatpak Sandbox (how do you get \"dynamic\" read/write access?)"
}