1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
|
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>-</title>
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
</style>
<link rel="stylesheet" href="data:text/css,%3Aroot%20%7B%0A%2D%2Dtext%2Dcolor%3A%20%2324292e%3B%0A%2D%2Dbackground%2Dcolor%3A%20%23ffffff%3B%0A%2D%2Dalt%2Dbackground%2Dcolor%3A%20%23f6f8fa%3B%0A%2D%2Dlink%2Dcolor%3A%20%230366d6%3B%0A%2D%2Dblockquote%2Dtext%2Dcolor%3A%20%236a737d%3B%0A%2D%2Dblockquote%2Dborder%2Dcolor%3A%20%23dfe2e5%3B%0A%2D%2Dheader%2Dborder%2Dcolor%3A%20%23eaecef%3B%0A%2D%2Dhr%2Dbackground%2Dcolor%3A%20%23e1e4e8%3B%0A%2D%2Dtable%2Dtr%2Dborder%2Dcolor%3A%20%23c6cbd1%3B%0A%2D%2Dtable%2Dtd%2Dborder%2Dcolor%3A%20%23dfe2e5%3B%0A%2D%2Dkbd%2Dtext%2Dcolor%3A%20%23444d56%3B%0A%2D%2Dkbd%2Dbackground%2Dcolor%3A%20%23fafbfc%3B%0A%2D%2Dkbd%2Dborder%2Dcolor%3A%20%23c6cbd1%3B%0A%2D%2Dkbd%2Dshadow%2Dcolor%3A%20%23959da5%3B%0A%7D%0A%2A%20%7B%0Abox%2Dsizing%3A%20border%2Dbox%3B%0A%7D%0Ahtml%20%7B%0Afont%2Dsize%3A%2016px%3B%0A%7D%0Abody%20%7B%0Acolor%3A%20var%28%2D%2Dtext%2Dcolor%29%3B%0Abackground%2Dcolor%3A%20var%28%2D%2Dbackground%2Dcolor%29%3B%0Afont%2Dfamily%3A%20%22Fira%20Sans%22%2C%20fira%2Dsans%2C%20sans%2Dserif%2C%20color%2Demoji%3B%0Aline%2Dheight%3A%201%2E5%3B%0Aword%2Dwrap%3A%20break%2Dword%3B%0Amax%2Dwidth%3A%20980px%3B%0Amargin%3A%20auto%3B%0Apadding%3A%204em%3B%0A%7D%0A%40media%20screen%20and%20%28max%2Dwidth%3A%20799px%29%20%7B%0Ahtml%20%7B%0Afont%2Dsize%3A%2014px%3B%0A%7D%0Abody%20%7B%0Apadding%3A%201em%3B%0A%7D%0A%7D%0A%40media%20screen%20and%20%28min%2Dwidth%3A%201280px%29%20%7B%0Ahtml%20%7B%0Afont%2Dsize%3A%2018px%3B%0A%7D%0A%7D%0Aa%20%7B%0Abackground%2Dcolor%3A%20transparent%3B%0Acolor%3A%20var%28%2D%2Dlink%2Dcolor%29%3B%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0Aa%3Aactive%2C%0Aa%3Ahover%20%7B%0Aoutline%2Dwidth%3A%200%3B%0A%7D%0Aa%3Ahover%20%7B%0Atext%2Ddecoration%3A%20underline%3B%0A%7D%0Astrong%20%7B%0Afont%2Dweight%3A%20600%3B%0A%7D%0Aimg%20%7B%0Aborder%2Dstyle%3A%20none%3B%0A%7D%0Ahr%20%7B%0Abox%2Dsizing%3A%20content%2Dbox%3B%0Aheight%3A%200%2E25em%3B%0Apadding%3A%200%3B%0Amargin%3A%201%2E5em%200%3B%0Aoverflow%3A%20hidden%3B%0Abackground%2Dcolor%3A%20var%28%2D%2Dhr%2Dbackground%2Dcolor%29%3B%0Aborder%3A%200%3B%0A%7D%0Ahr%3A%3Abefore%20%7B%0Adisplay%3A%20table%3B%0Acontent%3A%20%22%22%3B%0A%7D%0Ahr%3A%3Aafter%20%7B%0Adisplay%3A%20table%3B%0Aclear%3A%20both%3B%0Acontent%3A%20%22%22%3B%0A%7D%0Ainput%20%7B%0Afont%2Dfamily%3A%20inherit%3B%0Afont%2Dsize%3A%20inherit%3B%0Aline%2Dheight%3A%20inherit%3B%0Amargin%3A%200%3B%0Aoverflow%3A%20visible%3B%0A%7D%0A%5Btype%3D%22checkbox%22%5D%20%7B%0Abox%2Dsizing%3A%20border%2Dbox%3B%0Apadding%3A%200%3B%0A%7D%0Atable%20%7B%0Aborder%2Dspacing%3A%200%3B%0Aborder%2Dcollapse%3A%20collapse%3B%0A%7D%0Atd%2C%0Ath%20%7B%0Apadding%3A%200%3B%0A%7D%0Ah1%2C%0Ah2%2C%0Ah3%2C%0Ah4%2C%0Ah5%2C%0Ah6%20%7B%0Afont%2Dweight%3A%20600%3B%0Amargin%3A%200%3B%0A%7D%0Ah1%20%7B%0Afont%2Dsize%3A%202em%3B%0A%7D%0Ah2%20%7B%0Afont%2Dsize%3A%201%2E5em%3B%0A%7D%0Ah3%20%7B%0Afont%2Dsize%3A%201%2E25em%3B%0A%7D%0Ah4%20%7B%0Afont%2Dsize%3A%201em%3B%0A%7D%0Ah5%20%7B%0Afont%2Dsize%3A%200%2E875em%3B%0A%7D%0Ah6%20%7B%0Afont%2Dsize%3A%200%2E85em%3B%0A%7D%0Ap%20%7B%0Amargin%2Dtop%3A%200%3B%0Amargin%2Dbottom%3A%200%2E625em%3B%0A%7D%0Ablockquote%20%7B%0Amargin%3A%200%3B%0A%7D%0Aul%2C%0Aol%20%7B%0Apadding%2Dleft%3A%200%3B%0Amargin%2Dtop%3A%200%3B%0Amargin%2Dbottom%3A%200%3B%0A%7D%0Aol%20ol%2C%0Aul%20ol%20%7B%0Alist%2Dstyle%2Dtype%3A%20lower%2Droman%3B%0A%7D%0Aul%20ul%20ol%2C%0Aul%20ol%20ol%2C%0Aol%20ul%20ol%2C%0Aol%20ol%20ol%20%7B%0Alist%2Dstyle%2Dtype%3A%20lower%2Dalpha%3B%0A%7D%0Add%20%7B%0Amargin%2Dleft%3A%200%3B%0A%7D%0Acode%2C%0Akbd%2C%0Apre%20%7B%0Afont%2Dfamily%3A%20%22Fira%20Mono%22%2C%20fira%2Dmono%2C%20monospace%2C%20color%2Demoji%3B%0Afont%2Dsize%3A%201em%3B%0Aword%2Dwrap%3A%20normal%3B%0A%7D%0Acode%20%7B%0Aborder%2Dradius%3A%200%2E1875em%3B%0Afont%2Dsize%3A%200%2E85em%3B%0Apadding%3A%200%2E2em%200%2E4em%3B%0Amargin%3A%200%3B%0A%7D%0Apre%20%7B%0Amargin%2Dtop%3A%200%3B%0Amargin%2Dbottom%3A%200%3B%0Afont%2Dsize%3A%200%2E75em%3B%0A%7D%0Apre%3Ecode%20%7B%0Apadding%3A%200%3B%0Amargin%3A%200%3B%0Afont%2Dsize%3A%201em%3B%0Aword%2Dbreak%3A%20normal%3B%0Awhite%2Dspace%3A%20pre%3B%0Abackground%3A%20transparent%3B%0Aborder%3A%200%3B%0A%7D%0A%2Ehighlight%20%7B%0Amargin%2Dbottom%3A%201em%3B%0A%7D%0A%2Ehighlight%20pre%20%7B%0Amargin%2Dbottom%3A%200%3B%0Aword%2Dbreak%3A%20normal%3B%0A%7D%0A%2Ehighlight%20pre%2C%0Apre%20%7B%0Apadding%3A%201em%3B%0Aoverflow%3A%20auto%3B%0Afont%2Dsize%3A%200%2E85em%3B%0Aline%2Dheight%3A%201%2E5%3B%0Abackground%2Dcolor%3A%20var%28%2D%2Dalt%2Dbackground%2Dcolor%29%3B%0Aborder%2Dradius%3A%200%2E1875em%3B%0A%7D%0Apre%20code%20%7B%0Abackground%2Dcolor%3A%20transparent%3B%0Aborder%3A%200%3B%0Adisplay%3A%20inline%3B%0Apadding%3A%200%3B%0Amargin%3A%200%3B%0Aoverflow%3A%20visible%3B%0Aline%2Dheight%3A%20inherit%3B%0Aword%2Dwrap%3A%20normal%3B%0A%7D%0A%2Epl%2D0%20%7B%0Apadding%2Dleft%3A%200%20%21important%3B%0A%7D%0A%2Epl%2D1%20%7B%0Apadding%2Dleft%3A%200%2E25em%20%21important%3B%0A%7D%0A%2Epl%2D2%20%7B%0Apadding%2Dleft%3A%200%2E5em%20%21important%3B%0A%7D%0A%2Epl%2D3%20%7B%0Apadding%2Dleft%3A%201em%20%21important%3B%0A%7D%0A%2Epl%2D4%20%7B%0Apadding%2Dleft%3A%201%2E5em%20%21important%3B%0A%7D%0A%2Epl%2D5%20%7B%0Apadding%2Dleft%3A%202em%20%21important%3B%0A%7D%0A%2Epl%2D6%20%7B%0Apadding%2Dleft%3A%202%2E5em%20%21important%3B%0A%7D%0A%2Emarkdown%2Dbody%3A%3Abefore%20%7B%0Adisplay%3A%20table%3B%0Acontent%3A%20%22%22%3B%0A%7D%0A%2Emarkdown%2Dbody%3A%3Aafter%20%7B%0Adisplay%3A%20table%3B%0Aclear%3A%20both%3B%0Acontent%3A%20%22%22%3B%0A%7D%0A%2Emarkdown%2Dbody%3E%2A%3Afirst%2Dchild%20%7B%0Amargin%2Dtop%3A%200%20%21important%3B%0A%7D%0A%2Emarkdown%2Dbody%3E%2A%3Alast%2Dchild%20%7B%0Amargin%2Dbottom%3A%200%20%21important%3B%0A%7D%0Aa%3Anot%28%5Bhref%5D%29%20%7B%0Acolor%3A%20inherit%3B%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0A%2Eanchor%20%7B%0Afloat%3A%20left%3B%0Apadding%2Dright%3A%200%2E25em%3B%0Amargin%2Dleft%3A%20%2D1%2E25em%3B%0Aline%2Dheight%3A%201%3B%0A%7D%0A%2Eanchor%3Afocus%20%7B%0Aoutline%3A%20none%3B%0A%7D%0Ap%2C%0Ablockquote%2C%0Aul%2C%0Aol%2C%0Adl%2C%0Atable%2C%0Apre%20%7B%0Amargin%2Dtop%3A%200%3B%0Amargin%2Dbottom%3A%201em%3B%0A%7D%0Ablockquote%20%7B%0Apadding%3A%200%201em%3B%0Acolor%3A%20var%28%2D%2Dblockquote%2Dtext%2Dcolor%29%3B%0Aborder%2Dleft%3A%200%2E25em%20solid%20var%28%2D%2Dblockquote%2Dborder%2Dcolor%29%3B%0A%7D%0Ablockquote%3E%3Afirst%2Dchild%20%7B%0Amargin%2Dtop%3A%200%3B%0A%7D%0Ablockquote%3E%3Alast%2Dchild%20%7B%0Amargin%2Dbottom%3A%200%3B%0A%7D%0Akbd%20%7B%0Adisplay%3A%20inline%2Dblock%3B%0Apadding%3A%200%2E1875em%200%2E3125em%3B%0Afont%2Dsize%3A%200%2E6875em%3B%0Aline%2Dheight%3A%201%3B%0Acolor%3A%20var%28%2D%2Dkbd%2Dtext%2Dcolor%29%3B%0Avertical%2Dalign%3A%20middle%3B%0Abackground%2Dcolor%3A%20var%28%2D%2Dkbd%2Dbackground%2Dcolor%29%3B%0Aborder%3A%20solid%201px%20var%28%2D%2Dkbd%2Dborder%2Dcolor%29%3B%0Aborder%2Dbottom%2Dcolor%3A%20var%28%2D%2Dkbd%2Dshadow%2Dcolor%29%3B%0Aborder%2Dradius%3A%203px%3B%0Abox%2Dshadow%3A%20inset%200%20%2D1px%200%20var%28%2D%2Dkbd%2Dshadow%2Dcolor%29%3B%3B%0A%7D%0Ah1%2C%0Ah2%2C%0Ah3%2C%0Ah4%2C%0Ah5%2C%0Ah6%20%7B%0Amargin%2Dtop%3A%201%2E5em%3B%0Amargin%2Dbottom%3A%201em%3B%0Afont%2Dweight%3A%20600%3B%0Aline%2Dheight%3A%201%2E25%3B%0A%7D%0Ah1%3Ahover%20%2Eanchor%2C%0Ah2%3Ahover%20%2Eanchor%2C%0Ah3%3Ahover%20%2Eanchor%2C%0Ah4%3Ahover%20%2Eanchor%2C%0Ah5%3Ahover%20%2Eanchor%2C%0Ah6%3Ahover%20%2Eanchor%20%7B%0Atext%2Ddecoration%3A%20none%3B%0A%7D%0Ah1%20%7B%0Apadding%2Dbottom%3A%200%2E3em%3B%0Afont%2Dsize%3A%202em%3B%0Aborder%2Dbottom%3A%201px%20solid%20var%28%2D%2Dheader%2Dborder%2Dcolor%29%3B%0A%7D%0Ah2%20%7B%0Apadding%2Dbottom%3A%200%2E3em%3B%0Afont%2Dsize%3A%201%2E5em%3B%0Aborder%2Dbottom%3A%201px%20solid%20var%28%2D%2Dheader%2Dborder%2Dcolor%29%3B%0A%7D%0Ah3%20%7B%0Afont%2Dsize%3A%201%2E25em%3B%0A%7D%0Ah4%20%7B%0Afont%2Dsize%3A%201em%3B%0A%7D%0Ah5%20%7B%0Afont%2Dsize%3A%200%2E875em%3B%0A%7D%0Ah6%20%7B%0Afont%2Dsize%3A%200%2E85em%3B%0Aopacity%3A%200%2E67%3B%0A%7D%0Aul%2C%0Aol%20%7B%0Apadding%2Dleft%3A%202em%3B%0A%7D%0Aul%20ul%2C%0Aul%20ol%2C%0Aol%20ol%2C%0Aol%20ul%20%7B%0Amargin%2Dtop%3A%200%3B%0Amargin%2Dbottom%3A%200%3B%0A%7D%0Ali%20%7B%0Aoverflow%2Dwrap%3A%20break%2Dword%3B%0A%7D%0Ali%3Ep%20%7B%0Amargin%2Dtop%3A%201em%3B%0A%7D%0Ali%2Bli%20%7B%0Amargin%2Dtop%3A%200%2E25em%3B%0A%7D%0Adl%20%7B%0Apadding%3A%200%3B%0A%7D%0Adl%20dt%20%7B%0Apadding%3A%200%3B%0Amargin%2Dtop%3A%201em%3B%0Afont%2Dsize%3A%201em%3B%0Afont%2Dstyle%3A%20italic%3B%0Afont%2Dweight%3A%20600%3B%0A%7D%0Adl%20dd%20%7B%0Apadding%3A%200%201em%3B%0Amargin%2Dbottom%3A%201em%3B%0A%7D%0Atable%20%7B%0Adisplay%3A%20block%3B%0Awidth%3A%20100%25%3B%0Aoverflow%3A%20auto%3B%0A%7D%0Atable%20th%20%7B%0Afont%2Dweight%3A%20600%3B%0A%7D%0Atable%20th%2C%0Atable%20td%20%7B%0Apadding%3A%200%2E375em%200%2E8125em%3B%0Aborder%3A%201px%20solid%20var%28%2D%2Dtable%2Dtd%2Dborder%2Dcolor%29%3B%0A%7D%0Atable%20tr%20%7B%0Abackground%2Dcolor%3A%20var%28%2D%2Dbackground%2Dcolor%29%3B%0Aborder%2Dtop%3A%201px%20solid%20var%28%2D%2Dtable%2Dtr%2Dborder%2Dcolor%29%3B%0A%7D%0Atable%20tr%3Anth%2Dchild%282n%29%20%7B%0Abackground%2Dcolor%3A%20var%28%2D%2Dalt%2Dbackground%2Dcolor%29%3B%0A%7D%0Aimg%20%7B%0Amax%2Dwidth%3A%20100%25%3B%0Abox%2Dsizing%3A%20content%2Dbox%3B%0A%7D%0Aimg%5Balign%3Dright%5D%20%7B%0Apadding%2Dleft%3A%201%2E25em%3B%0A%7D%0Aimg%5Balign%3Dleft%5D%20%7B%0Apadding%2Dright%3A%201%2E25em%3B%0A%7D%0A%2Etask%2Dlist%2Ditem%20%7B%0Alist%2Dstyle%2Dtype%3A%20none%3B%0A%7D%0A%2Etask%2Dlist%2Ditem%2B%2Etask%2Dlist%2Ditem%20%7B%0Amargin%2Dtop%3A%200%2E1875em%3B%0A%7D%0A%2Etask%2Dlist%2Ditem%20input%20%7B%0Amargin%3A%200%200%2E2em%200%2E25em%20%2D1%2E6em%3B%0Avertical%2Dalign%3A%20middle%3B%0A%7D%0A%3Aroot%20%7B%0A%2D%2Dtext%2Dcolor%3A%20%232e3436%3B%0A%2D%2Dbackground%2Dcolor%3A%20%23f6f5f4%3B%0A%2D%2Dalt%2Dbackground%2Dcolor%3A%20%23edeeef%3B%0A%2D%2Dlink%2Dcolor%3A%20%230d71de%3B%0A%2D%2Dblockquote%2Dtext%2Dcolor%3A%20%23747e85%3B%0A%2D%2Dblockquote%2Dborder%2Dcolor%3A%20%23d6d8da%3B%0A%2D%2Dheader%2Dborder%2Dcolor%3A%20%23e1e2e4%3B%0A%2D%2Dhr%2Dbackground%2Dcolor%3A%20%23d8dadd%3B%0A%2D%2Dtable%2Dtr%2Dborder%2Dcolor%3A%20%23bdc1c6%3B%0A%2D%2Dtable%2Dtd%2Dborder%2Dcolor%3A%20%23d6d8da%3B%0A%2D%2Dkbd%2Dtext%2Dcolor%3A%20%234e585e%3B%0A%2D%2Dkbd%2Dbackground%2Dcolor%3A%20%23f1f1f1%3B%0A%2D%2Dkbd%2Dborder%2Dcolor%3A%20%23bdc1c6%3B%0A%2D%2Dkbd%2Dshadow%2Dcolor%3A%20%238c939a%3B%0A%7D%0A%40media%20%28prefers%2Dcolor%2Dscheme%3A%20dark%29%20%7B%0A%3Aroot%20%7B%0A%2D%2Dtext%2Dcolor%3A%20%23eeeeec%3B%0A%2D%2Dbackground%2Dcolor%3A%20%23353535%3B%0A%2D%2Dalt%2Dbackground%2Dcolor%3A%20%233a3a3a%3B%0A%2D%2Dlink%2Dcolor%3A%20%23b5daff%3B%0A%2D%2Dblockquote%2Dtext%2Dcolor%3A%20%23a8a8a6%3B%0A%2D%2Dblockquote%2Dborder%2Dcolor%3A%20%23525252%3B%0A%2D%2Dheader%2Dborder%2Dcolor%3A%20%23474747%3B%0A%2D%2Dhr%2Dbackground%2Dcolor%3A%20%23505050%3B%0A%2D%2Dtable%2Dtr%2Dborder%2Dcolor%3A%20%23696969%3B%0A%2D%2Dtable%2Dtd%2Dborder%2Dcolor%3A%20%23525252%3B%0A%2D%2Dkbd%2Dtext%2Dcolor%3A%20%23cececc%3B%0A%2D%2Dkbd%2Dbackground%2Dcolor%3A%20%233c3c3c%3B%0A%2D%2Dkbd%2Dborder%2Dcolor%3A%20%23696969%3B%0A%2D%2Dkbd%2Dshadow%2Dcolor%3A%20%23979797%3B%0A%7D%0A%7D%0A" />
<style>
.task-list-item {
list-style-type: none;
}
.task-list-item-checkbox {
margin-left: -1.6em;
}
</style>
</head>
<body>
<h1 id="documentation">Documentation</h1>
<h2 id="table-of-contents">Table of contents</h2>
<ul>
<li>
<a href="#permissions">Permissions</a>
<ul>
<li>
<a href="#share">Share</a>
</li>
<li>
<a href="#socket">Socket</a>
</li>
<li>
<a href="#device">Device</a>
</li>
<li>
<a href="#allow">Allow</a>
</li>
<li>
<a href="#filesystem">Filesystem</a>
</li>
<li>
<a href="#persistent">Persistent</a>
</li>
<li>
<a href="#environment">Environment</a>
</li>
<li>
<a href="#system-bus">System Bus</a>
</li>
<li>
<a href="#system-bus">Session Bus</a>
</li>
<li>
<a href="#portals">Portals</a>
</li>
</ul>
</li>
<li>
<a href="#tips-and-tricks">Tips and Tricks</a>
<ul>
<li>
<a href="#manually-reset-flatseal-permissions">Manually reset Flatseal permissions</a>
</li>
<li>
<a href="#add-new-translations">Add new translations</a>
</li>
<li>
<a href="#enable-custom-installations">Enable custom installations</a>
</li>
<li>
<a href="#use-custom-flatpak_user_dir">Use custom FLATPAK_USER_DIR</a>
</li>
</ul>
</li>
</ul>
<h2 id="permissions">Permissions</h2>
<p>This is the list of permissions supported by Flatseal. These descriptions are based on Flatpak’s <a href="https://docs.flatpak.org/en/latest/sandbox-permissions.html">official documentation</a> and extended with examples and references to make it easier for newcomers to understand.</p>
<p>To summarize it, Flatpak provides two different permissions models: static and dynamic</p>
<p>Static refers to the permissions set by the developers when applications are built. Static permissions are holes in the sandbox, e.g. an application built with <code>--filesystem=home</code> can access <em>all</em> user personal files. The benefit of this model is that developers can support Flatpak without any change in their applications code.</p>
<p>Both Flatseal and <code>flatpak override</code> command-line tool, use the overrides backend to manage static permissions.</p>
<p>Dynamic refers to the permissions granted by the users when applications run. Dynamic permissions rely on resource providers called <a href="https://github.com/flatpak/flatpak/wiki/Portals">Portals</a> and can require user confirmation, e.g. users can grant access to <em>one</em> specific file thanks to the <code>org.freedesktop.portal.FileChooser</code> portal. The benefit of this model is that users don’t need to trust applications with more resources than is strictly needed.</p>
<p>Both Flatseal and <code>flatpak permissions</code> command-line tool, use the <code>org.freedesktop.impl.portal.PermissionStore</code> service to manage dynamic permissions.</p>
<h3 id="share">Share</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Network</td>
<td>Toggle</td>
<td>Allow the application to have access to the network. <br /> <br /> For example, if it’s disabled for Firefox, it will no longer be possible to browse the internet with this application.</td>
<td><code>--share=network</code> and <code>--unshare=network</code></td>
</tr>
<tr class="even">
<td><a href="https://en.wikipedia.org/wiki/Inter-process_communication">Inter-process communications</a></td>
<td>Toggle</td>
<td>Share IPC namespace with the host. <br /> <br /> This is required by X11 due to it depending on IPC.</td>
<td><code>--share=ipc</code> and <code>--unshare=ipc</code></td>
</tr>
</tbody>
</table>
<h3 id="socket">Socket</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>X11 windowing system</td>
<td>Toggle</td>
<td>Allow the application to open in an X11 window. <br /> <br /> Most applications use X11 for historical reasons, but is considered less secure.</td>
<td><code>--socket=x11</code> and <code>--nosocket=x11</code></td>
</tr>
<tr class="even">
<td>Wayland windowing system</td>
<td>Toggle</td>
<td>Allow the application to open in a Wayland window. <br /> <br /> Many applications do not use Wayland as it is a newer display protocol unlike X11, and is considered more secure, but either some applications require extra steps to use it (see <a href="#environment">environment variables</a> example for Firefox), or do not support Wayland at all.</td>
<td><code>--socket=wayland</code> and <code>--nosocket=wayland</code></td>
</tr>
<tr class="odd">
<td>Fallback to X11 windowing system</td>
<td>Toggle</td>
<td>Allow the application to open in an X11 window when Wayland is not available. This overrides the X11 windowing system option when enabled.</td>
<td><code>--socket=fallback-x11</code> and <code>--nosocket=fallback-x11</code></td>
</tr>
<tr class="even">
<td>PulseAudio sound server</td>
<td>Toggle</td>
<td>Allow the application to play sounds or get access to the microphone when using PulseAudio. <br /> <br /> For example, if it’s disabled for Rhythmbox, it will no longer be possible to listen to the music with this application.</td>
<td><code>--socket=pulseaudio</code> and <code>--nosocket=pulseaudio</code></td>
</tr>
<tr class="odd">
<td>D-Bus session bus</td>
<td>Toggle</td>
<td>Allow the application to have access to the entire session bus.</td>
<td><code>--socket=session-dbus</code> and <code>--nosocket=session-dbus</code></td>
</tr>
<tr class="even">
<td>D-Bus system bus</td>
<td>Toggle</td>
<td>Allow the application to have access to the entire system bus.</td>
<td><code>--socket=system-dbus</code> and <code>--nosocket=system-dbus</code></td>
</tr>
<tr class="odd">
<td>Secure Shell agent</td>
<td>Toggle</td>
<td>Allow the application to use SSH authentications.</td>
<td><code>--socket=ssh-auth</code> and <code>--nosocket=ssh-auth</code></td>
</tr>
<tr class="even">
<td><a href="https://wiki.debian.org/Smartcards">Smart cards</a></td>
<td>Toggle</td>
<td>Allow the application to use smart cards.</td>
<td><code>--socket=pcsc</code> and <code>--nosocket=pcsc</code></td>
</tr>
<tr class="odd">
<td>Printing system</td>
<td>Toggle</td>
<td>Allow the application to use printing systems. <br /> <br /> For example, if it’s disabled for LibreOffice, it will no longer be possible to print documents with this application.</td>
<td><code>--socket=cups</code> and <code>--nosocket=cups</code></td>
</tr>
<tr class="even">
<td>GPG-Agent directories</td>
<td>Toggle</td>
<td>Allow the application to access GPG-Agent directories.</td>
<td><code>--socket=gpg-agent</code> and <code>--nosocket=gpg-agent</code></td>
</tr>
<tr class="odd">
<td>Inherit Wayland socket</td>
<td>Toggle</td>
<td>Allow passing WAYLAND_SOCKET environment variable to the sandbox. <br /> <br /> For example, if it's disabled for Fcitx5, it won't be able to connect to Wayland and display its autocompletion dialogs.</td>
<td><code>--socket=inherit-wayland-socket</code> and <code>--nosocket=inherit-wayland-socket</code></td>
</tr>
</tbody>
</table>
<h3 id="device">Device</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>GPU acceleration</td>
<td>Toggle</td>
<td>Allow the application to access the graphics direct rendering to take advantage of GPU acceleration.</td>
<td><code>--device=dri</code> and <code>--nodevice=dri</code></td>
</tr>
<tr class="even">
<td>Input devices</td>
<td>Toggle</td>
<td>Allow input device access. <br /> <br /> Note that raw and virtual input devices could still require <a href="#device">All devices</a></td>
<td><code>--device=input</code> and <code>--nodevice=input</code></td>
</tr>
<tr class="odd">
<td>Virtualization</td>
<td>Toggle</td>
<td>Allow the application to support virtualization.</td>
<td><code>--device=kvm</code> and <code>--nodevice=kvm</code></td>
</tr>
<tr class="even">
<td>Shared memory</td>
<td>Toggle</td>
<td>Allow the application to access shared memory.</td>
<td><code>--device=shm</code> and <code>--nodevice=shm</code></td>
</tr>
<tr class="odd">
<td>USB devices</td>
<td>Toggle</td>
<td>Allow raw USB device access.</td>
<td><code>--device=usb</code> and <code>--nodevice=usb</code></td>
</tr>
<tr class="even">
<td>All devices</td>
<td>Toggle</td>
<td>Allow the application to access all devices, such as webcam and external devices. <br /> <br /> For example, if it’s disabled for Element, it will no longer be possible to do video calls with this application.</td>
<td><code>--device=all</code> and <code>--nodevice=all</code></td>
</tr>
</tbody>
</table>
<h3 id="allow">Allow</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Development syscalls</td>
<td>Toggle</td>
<td>Allow the application to access to certain syscalls, such as <a href="https://en.wikipedia.org/wiki/Ptrace"><code>ptrace()</code></a> and <a href="https://en.wikipedia.org/wiki/Perf_(Linux)"><code>perf_event_open()</code></a>.</td>
<td><code>--allow=devel</code> and <code>--disallow=devel</code></td>
</tr>
<tr class="even">
<td>Programs from other architectures</td>
<td>Toggle</td>
<td>Allow the application to execute programs for an <a href="https://en.wikipedia.org/wiki/Application_binary_interface">ABI</a> other than the one supported natively by the system.</td>
<td><code>--allow=multiarch</code> and <code>--disallow=multiarch</code></td>
</tr>
<tr class="odd">
<td>Bluetooth</td>
<td>Toggle</td>
<td>Allow the application to use Bluetooth.</td>
<td><code>--allow=bluetooth</code> and <code>--disallow=bluetooth</code></td>
</tr>
<tr class="even">
<td>Controller Area Network bus</td>
<td>Toggle</td>
<td>Allow the application to use canbus sockets. You must also have <a href="#share">network access</a> for this to work.</td>
<td><code>--allow=canbus</code> and <code>--disallow=canbus</code></td>
</tr>
<tr class="odd">
<td>Application Shared Memory</td>
<td>Toggle</td>
<td>Allow the application to share its /dev/shm between instances of the same $FLATPAK_APP_ID. Introduced specifically for the Steam flatpak, to share its /dev/shm with sub-sandboxed games.</td>
<td><code>--allow=per-app-dev-shm</code> and <code>--disallow=per-app-dev-shm</code></td>
</tr>
</tbody>
</table>
<h3 id="filesystem">Filesystem</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>All filesystem files</td>
<td>Toggle</td>
<td>Allow read-write access to the whole filesystem. Everything that isn’t writeable by the user will be read-only</td>
<td><code>--filesystem=host</code> and <code>--nofilesystem=host</code></td>
</tr>
<tr class="even">
<td>All system libraries, executables and static data</td>
<td>Toggle</td>
<td>Allow read-write access to system libraries located in <code>/usr</code>. Since this directory requires root access to write, the permission will be read-only.</td>
<td><code>--filesystem=host-os</code> and <code>--nofilesystem=host-os</code></td>
</tr>
<tr class="odd">
<td>All system configurations</td>
<td>Toggle</td>
<td>Allow read-write access to system configurations located in <code>/etc</code>. Since this directory requires root access to write, the permission will be read-only.</td>
<td><code>--filesystem=host-etc</code> and <code>--nofilesystem=host-etc</code></td>
</tr>
<tr class="even">
<td>All user files</td>
<td>Toggle</td>
<td>Allow read-write access to the user directory (<code>$HOME</code> or <code>~/</code>).</td>
<td><code>--filesystem=home</code> and <code>--nofilesystem=home</code></td>
</tr>
<tr class="odd">
<td>Other files</td>
<td>Input</td>
<td>Allow read-write access to the directory you desire. <br /> <br /> For example, you would put <code>~/games</code> if you want read-write access to <code>~/games</code>. If you want read-only access to <code>~/games</code>, then you would put <code>~/games:ro</code>.</td>
<td><code>--filesystem=[PATH]</code>, <code>--filesystem=[PATH]:ro</code> and <code>--nofilesystem=[PATH]</code></td>
</tr>
</tbody>
</table>
<h3 id="persistent">Persistent</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak-override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Files</td>
<td>Input</td>
<td>Allow the application to access the targeted directory while restricting other applications from accessing it. <br /> <br /> Starting from the user directory (<code>$HOME</code> or <code>~/</code>), the targeted directory will be remapped to the application’s directory (<code>~/.var/app/$FLATPAK_APP_ID/[PATH]</code>) if it has no write access to the targeted directory. <br /> <br /> For example, persisting <code>.mozilla</code> will map <code>~/.mozilla</code> to <code>~/.var/app/org.mozilla.Firefox/.mozilla</code>. <br /> <br /> This is also a technique used to declutter the user directory, as it prevents the application from writing to <code>~/</code>.</td>
<td><code>--persist=[PATH]</code></td>
</tr>
</tbody>
</table>
<h3 id="environment">Environment</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Variables</td>
<td>Input</td>
<td>Set an environment variable in the application to make the variable available to application when it runs. <br /> <br /> For example, adding <code>MOZ_ENABLE_WAYLAND=1</code> for Firefox to enable the Wayland back-end.</td>
<td><code>--env=[VAR]=[VALUE]</code></td>
</tr>
</tbody>
</table>
<h3 id="system-bus">System Bus</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Talks</td>
<td>Input</td>
<td>Allow the application to talk to system services. <br /> <br /> For example, adding <code>org.freedesktop.Accounts</code> will allow the application to access users login history.</td>
<td><code>--system-talk-name=[NAME]</code></td>
</tr>
<tr class="even">
<td>Owns</td>
<td>Input</td>
<td>Allow the application to own system services under the given name.</td>
<td><code>--system-own-name=[NAME]</code></td>
</tr>
</tbody>
</table>
<h3 id="session-bus">Session Bus</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th><code>flatpak override</code> equivalent</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Talks</td>
<td>Input</td>
<td>Allow the application to talk to session services. <br /> <br /> For example, adding <code>org.freedesktop.Notifications</code> will allow the application to send notifications.</td>
<td><code>--talk-name=[NAME]</code></td>
</tr>
<tr class="even">
<td>Owns</td>
<td>Input</td>
<td>Allow the application to own session services under the given name.</td>
<td><code>--own-name=[NAME]</code></td>
</tr>
</tbody>
</table>
<h3 id="portals">Portals</h3>
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Portal</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>Background</td>
<td>Toggle</td>
<td>Allow the application to run in the background.</td>
<td><code>org.freedesktop.portal.Background</code></td>
</tr>
<tr class="even">
<td>Notifications</td>
<td>Toggle</td>
<td>Allow the application to send notifications.</td>
<td><code>org.freedesktop.portal.Notification</code></td>
</tr>
<tr class="odd">
<td>Microphone</td>
<td>Toggle</td>
<td>Allow the application to listen to your microphone.</td>
<td><code>org.freedesktop.portal.Device</code></td>
</tr>
<tr class="even">
<td>Speakers</td>
<td>Toggle</td>
<td>Allow the application to play sounds to your speakers.</td>
<td><code>org.freedesktop.portal.Device</code></td>
</tr>
<tr class="odd">
<td>Camera</td>
<td>Toggle</td>
<td>Allow the application to record videos with your camera.</td>
<td><code>org.freedesktop.portal.Device</code></td>
</tr>
<tr class="even">
<td>Location</td>
<td>Toggle</td>
<td>Allow the application to access your location data.</td>
<td><code>org.freedesktop.portal.Location</code></td>
</tr>
</tbody>
</table>
<h2 id="tips-and-tricks">Tips and Tricks</h2>
<h3 id="manually-reset-flatseal-permissions">Manually reset Flatseal permissions</h3>
<p>If permissions are removed and is no longer possible to reset, run the following command from the terminal and re-start Flatseal:</p>
<pre><code>$ rm ~/.local/share/flatpak/overrides/com.github.tchx84.Flatseal</code></pre>
<h3 id="add-new-translations">Add new translations</h3>
<p>Add a new language and update translations:</p>
<pre><code>$ git clone https://github.com/tchx84/Flatseal.git
$ cd Flatseal
$ echo "es" >> po/LINGUAS # es for Spanish
$ meson _translate && cd _translate
$ ninja flatseal-pot
$ ninja flatseal-update-po
$ gedit ../po/es.po # translate the strings to Spanish</code></pre>
<p>To test the translation language:</p>
<pre><code>$ flatpak config --set languages es
$ flatpak update org.gnome.Platform
$ LC_ALL=es_PY.UTF-8 flatpak run com.github.tchx84.Flatseal</code></pre>
<h3 id="enable-custom-installations">Enable custom installations</h3>
<p>To enable a custom installation, e.g, <code>/xusr/custom/flatpak</code>.</p>
<h4 id="flatpak-1.7.1-or-newer">Flatpak 1.7.1 or newer</h4>
<ol type="1">
<li>Launch Flatseal and select it to edit its own permissions.</li>
<li>Enable <code>host-etc</code>, or type in <code>host-etc:ro</code> in the other option.</li>
<li>Type in the custom installation path, e.g, <code>/xusr/custom/flatpak:ro</code>.</li>
<li>Restart Flatseal.</li>
</ol>
<h4 id="all-versions">All versions</h4>
<ol type="1">
<li>Launch Flatseal and select it to edit its own permissions.</li>
<li>Enable <code>host</code>, or type in <code>host:ro</code> in the other option.</li>
<li>Restart Flatseal.</li>
</ol>
<p><strong>NOTE</strong>: To find these installations, Flatseal needs access to <code>/etc/flatpak/installations.d</code>. Before Flatpak 1.7.1, accessing the host <code>/etc</code> required the <code>host</code> permission, which was an all-or-nothing situation. By default, Flatseal will have minimal permissions, so it’s up to the user to decide to enable this feature.</p>
<h3 id="use-custom-flatpak_user_dir">Use custom FLATPAK_USER_DIR</h3>
<p>To use a custom <code>FLATPAK_USER_DIR</code>, e.g. <code>/var/home/user/.flatpak</code>.</p>
<pre><code>flatpak --user override --filesystem=/var/home/user/.flatpak --env=FLATPAK_USER_DIR=/var/home/user/.flatpak com.github.tchx84.Flatseal</code></pre>
<p><strong>NOTE</strong>: By default, <code>FLATPAK_USER_DIR</code> is not accessible from within the Flatpak sandbox, and Flatseal has no access to custom directories. Therefore, these overrides are needed.</p>
</body>
</html>
|
