mss · May 26, 2025 15:17 · Oct 20, 2023 · Oct 20, 2023
diff --git a/flatpak-spawn-host.md b/flatpak-spawn-host.md
@@ -2,6 +2,6 @@ Let's say you don't want to install Visual Studio Code from their package reposi
 
 After lots of digging I found [this](https://www.reddit.com/r/flatpak/comments/vchjua/comment/icgw1a2/) solution from the [qutebrowser flatpak](https://flathub.org/apps/org.qutebrowser.qutebrowser) maintainer. Just in case Reddit dies a copy can be found below.
 
-I assumed that the mentioned `flatpak-spawn-wrapper` was a feature shipped in all flatpaks but it looks like only `flatpak-spawn` is included and that wrapper is a [script](https://github.com/flathub/org.qutebrowser.qutebrowser/blob/master/flatpak-spawn-wrapper/wrapper) which is part of the qutebwowser flatpak. To make the magic fully work the manifest also adds the path `/var/data/bin` to the `PATH` environment.
+I assumed that the mentioned `flatpak-spawn-wrapper` was a feature shipped in all flatpaks but it looks like only `flatpak-spawn` is included and that wrapper is a [script](https://github.com/flathub/org.qutebrowser.qutebrowser/blob/master/flatpak-spawn-wrapper/wrapper) which is part of the qutebrowser flatpak. To make the magic fully work the manifest also adds the path `/var/data/bin` to the `PATH` environment.
 
 So nothing which can be used in any flatpak without some hacking.
diff --git a/flatpak-spawn-host.md b/flatpak-spawn-host.md
@@ -0,0 +1,7 @@
+Let's say you don't want to install Visual Studio Code from their package repository but use the [flatpak](https://flathub.org/apps/com.visualstudio.code) package instead. This works but as soon as you try to execute any binaries from your regular `PATH` they won't be found since that's blocked by the sandbox. Even giving full host filesystem access won't work reliably because that filesystem will be mounted under `/run/host` which messes up any absolute paths which are often baked into the most unexpected places.
+
+After lots of digging I found [this](https://www.reddit.com/r/flatpak/comments/vchjua/comment/icgw1a2/) solution from the [qutebrowser flatpak](https://flathub.org/apps/org.qutebrowser.qutebrowser) maintainer. Just in case Reddit dies a copy can be found below.
+
+I assumed that the mentioned `flatpak-spawn-wrapper` was a feature shipped in all flatpaks but it looks like only `flatpak-spawn` is included and that wrapper is a [script](https://github.com/flathub/org.qutebrowser.qutebrowser/blob/master/flatpak-spawn-wrapper/wrapper) which is part of the qutebwowser flatpak. To make the magic fully work the manifest also adds the path `/var/data/bin` to the `PATH` environment.
+
+So nothing which can be used in any flatpak without some hacking.
diff --git a/icgw1a2.md b/icgw1a2.md
@@ -0,0 +1,16 @@
+It's an undocumented feature of the Flatpak app, as it was, and a bit still is a WIP, but it's definitely possible. You need first to allow access to org.freedesktop.Flatpak, and then create a symlink to the flatpak-spawn wrapper.
+
+Step 1: Create a Flatpak override for running commands on the host
+
+```
+flatpak override --user --talk-name=org.freedesktop.Flatpak org.qutebrowser.qutebrowser
+```
+
+Step 2: Create the symlink to the wrapper
+
+```
+mkdir ~/.var/app/org.qutebrowser.qutebrowser/data/bin
+ln -s /app/lib/flatpak-spawn-wrapper/wrapper ~/.var/app/org.qutebrowser.qutebrowser/data/bin/gvim
+```
+
+And as said by others, this is not a small hole in the sandbox, it allows running any command on the host, including suid binaries.
No results found