@mss
Last active October 20, 2023 11:48
How to execute binaries from $PATH from flatpak applications

Suppose you don't want to install Visual Studio Code from their package repository and use the Flatpak package instead. That works, but as soon as the editor tries to execute a binary from your regular PATH it won't be found: the sandbox only sees its own runtime, not the host's /usr/bin. Even granting full host filesystem access (--filesystem=host) doesn't help reliably, because the host filesystem is mounted under /run/host, which breaks the absolute paths that are baked into the most unexpected places.

After lots of digging I found this solution from the qutebrowser flatpak maintainer on Reddit. Just in case Reddit dies, a copy follows below.

I assumed that the mentioned flatpak-spawn-wrapper was a feature shipped in all flatpaks, but it looks like only flatpak-spawn itself is part of every Flatpak runtime; the wrapper is a script bundled by the qutebrowser flatpak. To make the magic fully work, the qutebrowser manifest also adds /var/data/bin (the sandbox's view of ~/.var/app/org.qutebrowser.qutebrowser/data/bin) to the PATH environment variable.

So this is not something that works in any flatpak out of the box; other apps need the same setup done by hand.

It's an undocumented feature of the Flatpak app, as it was, and a bit still is, a WIP, but it's definitely possible. You first need to allow access to org.freedesktop.Flatpak, and then create a symlink to the flatpak-spawn wrapper.

Step 1: Create a Flatpak override for running commands on the host

```sh
flatpak override --user --talk-name=org.freedesktop.Flatpak org.qutebrowser.qutebrowser
```

Step 2: Create the symlink to the wrapper

```sh
mkdir ~/.var/app/org.qutebrowser.qutebrowser/data/bin
ln -s /app/lib/flatpak-spawn-wrapper/wrapper ~/.var/app/org.qutebrowser.qutebrowser/data/bin/gvim
```

And as said by others, this is not a small hole in the sandbox: it allows running any command on the host, including suid binaries.
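The two steps above depend on a wrapper that only the qutebrowser flatpak ships, and on its manifest putting /var/data/bin on PATH. The script below is an added example, not code from the gist, from the qutebrowser flatpak or from Flatpak itself, that reproduces the same mechanism for any app id: it writes its own wrapper (assumed content: exec flatpak-spawn --host with the name the symlink was invoked by) into the app's data/bin, symlinks each host command you want to it, prints the two overrides needed (the org.freedesktop.Flatpak talk-name and, assumed here, a PATH override that appends /var/data/bin), and can list which host commands a given app has been granted this way. The function names, the wrapper file name host-spawn-wrapper and the FLATPAK_APP_BASE variable are this example's own choices.

```shell
#!/bin/sh
# Added example: generic flatpak-spawn wrapper setup for a flatpak app
# that does not ship one. Not part of the gist or of any Flatpak project.
set -eu

# Per-app data root; overridable so the functions can be tried against a
# scratch directory (this variable is an assumption of the example).
FLATPAK_APP_BASE="${FLATPAK_APP_BASE:-$HOME/.var/app}"

# Content of the wrapper (assumed, modelled on how a symlink-named wrapper must
# behave): run the command this symlink is named after on the host, passing
# the arguments through. flatpak-spawn --host needs the
# org.freedesktop.Flatpak D-Bus permission granted by the override below.
wrapper_body() {
    cat <<'EOF'
#!/bin/sh
# Run the command whose name this symlink carries on the host, outside the sandbox.
exec flatpak-spawn --host "$(basename "$0")" "$@"
EOF
}

# install_host_wrapper APP_ID CMD...: write the wrapper into the app's
# data/bin (seen as /var/data/bin inside the sandbox) and symlink each CMD to it.
install_host_wrapper() {
    app="$1"; shift
    bindir="$FLATPAK_APP_BASE/$app/data/bin"
    mkdir -p "$bindir"
    wrapper_body > "$bindir/host-spawn-wrapper"
    chmod 755 "$bindir/host-spawn-wrapper"
    for cmd in "$@"; do
        # Relative link: it resolves both on the host and inside the sandbox.
        ln -sf host-spawn-wrapper "$bindir/$cmd"
    done
}

# override_commands APP_ID: print the overrides to run on the host.
# The first is the one from the Reddit reply; the second (assumed here) puts
# /var/data/bin on the sandbox PATH, whose default is /app/bin:/usr/bin.
override_commands() {
    app="$1"
    printf 'flatpak override --user --talk-name=org.freedesktop.Flatpak %s\n' "$app"
    printf 'flatpak override --user --env=PATH=/app/bin:/usr/bin:/var/data/bin %s\n' "$app"
}

# list_host_commands APP_ID: audit which host commands an app can reach
# through the wrapper (every symlink in data/bin that points at it).
list_host_commands() {
    bindir="$FLATPAK_APP_BASE/$1/data/bin"
    if [ ! -d "$bindir" ]; then
        return 0
    fi
    for f in "$bindir"/*; do
        if [ -L "$f" ] && [ "$(readlink "$f")" = "host-spawn-wrapper" ]; then
            printf '%s\n' "$(basename "$f")"
        fi
    done
}

# Usage: sh host-wrapper.sh APP_ID CMD...   (e.g. com.visualstudio.code git gvim)
if [ "$#" -ge 2 ]; then
    install_host_wrapper "$@"
    echo "Now run these on the host:"
    override_commands "$1"
fi
```

Keep in mind that the symlinks only make host commands convenient to reach from the sandboxed app's PATH; the actual sandbox hole is the org.freedesktop.Flatpak talk-name, which lets the app spawn anything on the host regardless of what is linked in data/bin. Use list_host_commands as a reminder of what you have set up, not as a security boundary.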
