'\" t
.\"     Title: flatpak override
.\"    Author: Alexander Larsson <alexl@redhat.com>
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 03/27/2024
.\"    Manual: flatpak override
.\"    Source: flatpak
.\"  Language: English
.\"
.TH "FLATPAK OVERRIDE" "1" "" "flatpak" "flatpak override"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
flatpak-override \- Override application requirements
.SH "SYNOPSIS"
.HP \w'\fBflatpak\ override\fR\ 'u
\fBflatpak override\fR [OPTION...] [APP]
.SH "DESCRIPTION"
.PP
Overrides the application specified runtime requirements\&. This can be used to grant a sandboxed application more or less resources than it requested\&.
.PP
By default the application gets access to the resources it requested when it is started\&. But the user can override it on a particular instance by specifying extra arguments to
\fBflatpak run\fR, or every time by using
\fBflatpak override\fR\&.
.PP
The application overrides are saved in text files residing in $XDG_DATA_HOME/flatpak/overrides in user mode\&.
.PP
If the application ID
APP
is not specified then the overrides affect all applications, but the per\-application overrides can override the global overrides\&.
.PP
Unless overridden with the
\fB\-\-user\fR
or
\fB\-\-installation\fR
options, this command changes the default system\-wide installation\&.
.SH "OPTIONS"
.PP
The following options are understood:
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Show help options and exit\&.
.RE
.PP
\fB\-u\fR, \fB\-\-user\fR
.RS 4
Update a per\-user installation\&.
.RE
.PP
\fB\-\-system\fR
.RS 4
Update the default system\-wide installation\&.
.RE
.PP
\fB\-\-installation=NAME\fR
.RS 4
Updates a system\-wide installation specified by
NAME
among those defined in
/etc/flatpak/installations\&.d/\&. Using
\fB\-\-installation=default\fR
is equivalent to using
\fB\-\-system\fR\&.
.RE
.PP
\fB\-\-share=SUBSYSTEM\fR
.RS 4
Share a subsystem with the host session\&. This overrides the Context section from the application metadata\&.
SUBSYSTEM
must be one of: network, ipc\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-unshare=SUBSYSTEM\fR
.RS 4
Don\*(Aqt share a subsystem with the host session\&. This overrides the Context section from the application metadata\&.
SUBSYSTEM
must be one of: network, ipc\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-socket=SOCKET\fR
.RS 4
Expose a well\-known socket to the application\&. This overrides to the Context section from the application metadata\&.
SOCKET
must be one of: x11, wayland, fallback\-x11, pulseaudio, system\-bus, session\-bus, ssh\-auth, pcsc, cups, gpg\-agent, inherit\-wayland\-socket\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-nosocket=SOCKET\fR
.RS 4
Don\*(Aqt expose a well\-known socket to the application\&. This overrides to the Context section from the application metadata\&.
SOCKET
must be one of: x11, wayland, fallback\-x11, pulseaudio, system\-bus, session\-bus, ssh\-auth, pcsc, cups, gpg\-agent, inherit\-wayland\-socket\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-device=DEVICE\fR
.RS 4
Expose a device to the application\&. This overrides to the Context section from the application metadata\&.
DEVICE
must be one of: dri, input, kvm, shm, all\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-nodevice=DEVICE\fR
.RS 4
Don\*(Aqt expose a device to the application\&. This overrides to the Context section from the application metadata\&.
DEVICE
must be one of: dri, input, kvm, shm, all\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-allow=FEATURE\fR
.RS 4
Allow access to a specific feature\&. This updates the [Context] group in the metadata\&.
FEATURE
must be one of: devel, multiarch, bluetooth, canbus, per\-app\-dev\-shm\&. This option can be used multiple times\&.
.sp
See
\fBflatpak-build-finish\fR(1)
for the meaning of the various features\&.
.RE
.PP
\fB\-\-disallow=FEATURE\fR
.RS 4
Disallow access to a specific feature\&. This updates the [Context] group in the metadata\&.
FEATURE
must be one of: devel, multiarch, bluetooth, canbus, per\-app\-dev\-shm\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-filesystem=FILESYSTEM\fR
.RS 4
Allow the application access to a subset of the filesystem\&. This overrides to the Context section from the application metadata\&.
FILESYSTEM
can be one of: home, host, host\-os, host\-etc, xdg\-desktop, xdg\-documents, xdg\-download, xdg\-music, xdg\-pictures, xdg\-public\-share, xdg\-templates, xdg\-videos, xdg\-run, xdg\-config, xdg\-cache, xdg\-data, an absolute path, or a homedir\-relative path like ~/dir or paths relative to the xdg dirs, like xdg\-download/subdir\&. The optional :ro suffix indicates that the location will be read\-only\&. The optional :create suffix indicates that the location will be read\-write and created if it doesn\*(Aqt exist\&. This option can be used multiple times\&. See the "[Context] filesystems" list in
\fBflatpak-metadata\fR(5)
for details of the meanings of these filesystems\&.
.RE
.PP
\fB\-\-nofilesystem=FILESYSTEM\fR
.RS 4
Undo the effect of a previous
\fB\-\-filesystem=\fRFILESYSTEM
in the app\*(Aqs manifest or a lower\-precedence layer of overrides, and/or remove a previous
\fB\-\-filesystem=\fRFILESYSTEM
from this layer of overrides\&. This overrides the Context section of the application metadata\&.
FILESYSTEM
can take the same values as for
\fB\-\-filesystem\fR, but the
:ro
and
:create
suffixes are not used here\&. This option can be used multiple times\&.
.sp
This option does not prevent access to a more narrowly\-scoped
\fB\-\-filesystem\fR\&. For example, if an application has the equivalent of
\fB\-\-filesystem=xdg\-config/MyApp\fR
in its manifest or as a system\-wide override, and
flatpak override \-\-user \-\-nofilesystem=home
as a per\-user override, then it will be prevented from accessing most of the home directory, but it will still be allowed to access
$XDG_CONFIG_HOME/MyApp\&.
.sp
As a special case,
\fB\-\-nofilesystem=host:reset\fR
will ignore all
\fB\-\-filesystem\fR
permissions inherited from the app manifest or a lower\-precedence layer of overrides, in addition to having the behaviour of
\fB\-\-nofilesystem=host\fR\&.
.RE
.PP
\fB\-\-add\-policy=SUBSYSTEM\&.KEY=VALUE\fR
.RS 4
Add generic policy option\&. For example, "\-\-add\-policy=subsystem\&.key=v1 \-\-add\-policy=subsystem\&.key=v2" would map to this metadata:
.sp
.if n \{\
.RS 4
.\}
.nf
[Policy subsystem]
key=v1;v2;
.fi
.if n \{\
.RE
.\}
.sp
This option can be used multiple times\&.
.RE
.PP
\fB\-\-remove\-policy=SUBSYSTEM\&.KEY=VALUE\fR
.RS 4
Remove generic policy option\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-env=VAR=VALUE\fR
.RS 4
Set an environment variable in the application\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-unset\-env=VAR\fR
.RS 4
Unset an environment variable in the application\&. This overrides the unset\-environment entry in the [Context] group of the metadata, and the [Environment] group\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-env\-fd=\fR\fB\fIFD\fR\fR
.RS 4
Read environment variables from the file descriptor
\fIFD\fR, and set them as if via
\fB\-\-env\fR\&. This can be used to avoid environment variables and their values becoming visible to other users\&.
.sp
Each environment variable is in the form
\fIVAR\fR=\fIVALUE\fR
followed by a zero byte\&. This is the same format used by
env \-0
and
/proc/*/environ\&.
.RE
.PP
\fB\-\-own\-name=NAME\fR
.RS 4
Allow the application to own the well\-known name
NAME
on the session bus\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-talk\-name=NAME\fR
.RS 4
Allow the application to talk to the well\-known name
NAME
on the session bus\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-no\-talk\-name=NAME\fR
.RS 4
Don\*(Aqt allow the application to talk to the well\-known name
NAME
on the session bus\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-system\-own\-name=NAME\fR
.RS 4
Allow the application to own the well known name
NAME
on the system bus\&. If
NAME
ends with \&.*, it allows the application to own all matching names\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-system\-talk\-name=NAME\fR
.RS 4
Allow the application to talk to the well known name
NAME
on the system bus\&. If
NAME
ends with \&.*, it allows the application to talk to all matching names\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-system\-no\-talk\-name=NAME\fR
.RS 4
Don\*(Aqt allow the application to talk to the well known name
NAME
on the system bus\&. If
NAME
ends with \&.*, it allows the application to talk to all matching names\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-persist=FILENAME\fR
.RS 4
If the application doesn\*(Aqt have access to the real homedir, make the (homedir\-relative) path
FILENAME
a bind mount to the corresponding path in the per\-application directory, allowing that location to be used for persistent data\&. This overrides to the Context section from the application metadata\&. This option can be used multiple times\&.
.RE
.PP
\fB\-\-reset\fR
.RS 4
Remove overrides\&. If an
APP
is given, remove the overrides for that application, otherwise remove the global overrides\&.
.RE
.PP
\fB\-\-show\fR
.RS 4
Shows overrides\&. If an
APP
is given, shows the overrides for that application, otherwise shows the global overrides\&.
.RE
.PP
\fB\-v\fR, \fB\-\-verbose\fR
.RS 4
Print debug information during command processing\&.
.RE
.PP
\fB\-\-ostree\-verbose\fR
.RS 4
Print OSTree debug information during command processing\&.
.RE
.SH "EXAMPLES"
.PP
\fB$ flatpak override \-\-nosocket=wayland org\&.gnome\&.gedit\fR
.PP
\fB$ flatpak override \-\-filesystem=home org\&.mozilla\&.Firefox\fR
.SH "SEE ALSO"
.PP
\fBflatpak\fR(1),
\fBflatpak-run\fR(1)