flatpak-run

Run an installed application

$ flatpak run [com.example.app]

$ flatpak run --branch=[stable|beta|master|...] [com.example.app]

$ flatpak run --command=[sh] [com.example.app]

$ flatpak run --runtime-version=[24.08|master|stable|...] [com.example.app]

$ flatpak run --runtime=[org.freedesktop.Sdk] [com.example.app]

flatpak run [OPTIONS...] APPLICATION_ID [ARGUMENTS...]
flatpak run --command=COMMAND APPLICATION_ID [ARGUMENTS...]

APPLICATION_ID
    The unique identifier of the Flatpak application to run (e.g., org.mozilla.Firefox). This ID can include optional architecture and branch information (e.g., org.mozilla.Firefox/x86_64/stable).

ARGUMENTS...
    Any arguments supplied after the APPLICATION_ID are passed directly to the application being launched.

--command=COMMAND
    Runs a specific COMMAND inside the Flatpak application's sandbox instead of the default executable defined in its metadata. This is useful for running development tools or alternative executables packaged within the Flatpak.

--file-forwarding
    A special mode used primarily by desktop environments or other Flatpak applications to pass file descriptors to the application being launched, enabling seamless file opening or interaction.

--verbose
    Increases the verbosity of the output, displaying debug information useful for troubleshooting issues with Flatpak or the application's sandbox setup.

--arch=ARCH
    Specifies the architecture for the application to run, if multiple architectures are available for the same APPLICATION_ID (e.g., x86_64, aarch64).

--branch=BRANCH
    Specifies the branch of the application to run, if multiple branches (e.g., stable, beta, nightly) are available for the same APPLICATION_ID.

--filesystem=PATH
    Grants the application read-only or read/write access to a specific PATH on the host filesystem beyond its default sandbox permissions. This is a common option for granting access to user data directories or specific external drives.

--socket=SOCKET_NAME
    Grants the application access to a specific system socket, such as x11, pulseaudio, or wayland. This is typically managed by the Flatpak manifest, but can be overridden or granted ad-hoc for debugging or specific use cases.

flatpak-run is a core subcommand of the Flatpak system, designed to execute an installed Flatpak application within its isolated sandbox environment. This process automatically sets up the necessary permissions and resource limitations as defined by the application's manifest, ensuring that the application operates securely without direct access to the host system or other applications. This strong isolation is a cornerstone of Flatpak's security model. When invoked, flatpak-run launches the application's main executable or a specified command within this confined space. It's the primary method for command-line execution of Flatpak applications, providing a controlled and secure execution environment while protecting the integrity of your operating system.

Due to the sandboxing, Flatpak applications launched with flatpak-run have restricted access to the host system. This means they may not be able to access files outside their designated directories, interact with arbitrary system services, or use certain hardware devices unless explicitly granted permission. While this enhances security, it can sometimes lead to unexpected behavior or limitations compared to natively installed applications. Performance overhead is generally minimal but can be noticeable in resource-intensive scenarios.

The primary function of flatpak-run is to enforce strong sandbox isolation. Each application runs in a containerized environment with a predefined set of permissions. This prevents applications from accessing or modifying system resources without explicit consent, significantly enhancing system security and stability by isolating potential vulnerabilities or malicious behavior within the application's own sandbox.

It's important to note that any arguments provided after the APPLICATION_ID in the flatpak run command line are passed directly to the application's executable. For example, flatpak run org.kde.krita --debug would launch Krita and pass --debug as an argument to Krita itself, allowing you to control the application's specific behavior.

Flatpak, initially known as xdg-app, was conceived by Lennart Poettering in 2015. flatpak-run has been a foundational component since its inception, embodying the core principle of executing applications within a robustly contained environment. Its evolution closely mirrors the development of Flatpak itself, continuously refining its sandboxing capabilities and integration with the broader Linux desktop ecosystem to provide a secure and consistent application distribution model.

flatpak(1), flatpak-install(1), flatpak-list(1), flatpak-update(1), bwrap(1)