flatpak-run

Run an installed application

$ flatpak run [com.example.app]

$ flatpak run --branch=[stable|beta|master|...] [com.example.app]

$ flatpak run --command=[sh] [com.example.app]

$ flatpak run --runtime-version=[24.08|master|stable|...] [com.example.app]

$ flatpak run --runtime=[org.freedesktop.Sdk] [com.example.app]

flatpak-run [OPTION...] [<REMOTE>:]<APP-ID> [<ARG>...]

--arg=<ARG>
    Pass <ARG> to the application before app args

--bind-mount=<PATH>
    Bind mount host <PATH> into sandbox at same path

--branch=<BRANCH>
    Use specific branch of the app

--bundle-sources[=<BALLOT|BOOL>]
    Bundle source files in tar archive

--command=<COMMAND>
    Run <COMMAND> instead of main app binary

--devel
    Enable development features like mutable /app

--device=<DEVICE>
    Expose <DEVICE> node to the sandbox

--env=<VAR>=<VALUE>
    Set environment variable in sandbox

--exec-path=<PATH>
    Directory for helper executable search

--filesystem[=<SUBPATH>]:<PATH>
    Grant access to host filesystem path

--help, -h
    Show help and exit

--host
    Share all host filesystems (dangerous)

--inherit-env[=<VAR>]
    Inherit environment variables from host

--no-apps
    List app IDs without running

--no-desktop-lint
    Skip desktop file linting

--no-talks
    Disable D-Bus activation talks

--profile=<PROFILE>
    Enable runtime profile (perf/debug/etc)

--share=<NET|IPC|PID>
    Share host capabilities with sandbox

--socket=<TYPE>
    Expose socket (x11/wayland/pulseaudio/system-bus/session-bus/fallback-x11)

--talk-name=<NAME>
    Allow D-Bus talk with <NAME>

--user
    Use user installation, not system

--verbose, -v
    Increase verbosity

--version
    Show version and exit

flatpak-run is a core command in the Flatpak utility suite, designed to execute applications packaged and installed via Flatpak. Flatpak provides a secure, universal deployment method for Linux desktop apps, isolating them in a sandbox to prevent interference with the host system. This command launches the specified app in its sandboxed environment, leveraging technologies like bubblewrap (bwrap) for namespacing, seccomp, and mount namespaces.

When invoked, flatpak-run resolves the application ID (REF), typically in the form remote:app-id, mounts necessary runtimes and app data, and executes the app's main binary. It respects permissions defined in the app's metadata, such as filesystem access, network, devices, and IPC. Users can customize the sandbox via options to grant additional privileges, like exposing host directories or environment variables, balancing usability and security.

This makes it ideal for running third-party apps without risking system stability. For example, flatpak-run org.firefox.Firefox starts Firefox in isolation. It's commonly used after installing apps with flatpak install, supporting both system-wide and user-specific installations. The command ensures apps see only permitted resources, enhancing privacy and mitigating vulnerabilities.

Broad options like --host or --filesystem=host weaken sandboxing and increase security risks.
App must be installed first; use flatpak list to verify.
Conflicts possible with conflicting permissions or Wayland/X11 setups.

Sandbox uses OSTree for immutability, bubblewrap for isolation. Permissions via flatpak permissions tool or overrides. Network access default; override for finer control.
Audit logs via flatpak --verbose.

flatpak-run com.spotify.Client
flatpak-run --filesystem=home --socket=wayland org.telegram.desktop
flatpak-run flathub org.videolan.VLC ~/.avi

Flatpak originated in 2015 as 'xdg-app' by Alex Larsson at Red Hat for GNOME. Renamed Flatpak in 2016, with flatpak-run stabilizing in early releases (0.6+). Gained traction via Flathub repository (2017), now standard in Fedora, Ubuntu, etc. Evolved with OSTree for efficient updates.

flatpak(1), flatpak-install(1), flatpak-update(1), flatpak-override(1), bubblewrap(1)