Review flatpak sandboxing issues and document workarounds

[m3nu]

Overview

This task is to systematically review, test, and document known flatpak sandboxing issues that affect Vorta users, and identify workarounds where possible.

Related Issues

FUSE/Mounting Problems

• Unable to mount backup - FUSE mount failed #2255 - FUSE mount fails with "Bad file descriptor"
• Can't unmount #1461 - Can't unmount mounted archives

D-Bus and Keyring Access

• Flatpak - Failed to connect to DBUS interface to detect sleep/resume events #1988 - Failed to connect to DBUS interface for sleep/resume events
• [Flatpak + KWallet] Unable to connect / add repo on borgbase #1753 - KWallet access issues in Flatpak
• Vorta cannot get password from KWallet anymore - regression between 0.10.3 and 0.11.1 #2327 - KWallet regression between 0.10.3 and 0.11.1

Filesystem Access

• FR: Allow setting BORG_BASE_DIR. #1748 - Can't set custom BORG_BASE_DIR
• Extract ignores selected destination folder; always restores to original paths (Vorta 0.8.12 apt + Flatpak) #2335 - Extract ignores selected destination folder

Network/DNS

• Flatpak: Temporary failure in name resolution #2065 - Temporary failure in name resolution for .local domains

Theme and UI

• Flatpak vorta doesn't take the system theme #1023 - Flatpak doesn't take system theme
• Vorta Flatpak (edit: and RPM package) changes the icon of ALL other PyQt applications to the Vorta icon #2293 - Changes icon of all PyQt applications
• The font of the tabs & columns looks a bit blurry #1518 - Blurry fonts in tabs & columns

General

• Several Vorta Flatpak malfunctions #2334 - Several Vorta Flatpak malfunctions (performance, profiles)

Tasks

1. Review and reproduce issues

   • Test each issue on a recent distro with current Flatpak version (v0.11.x)
   • Document which issues are still reproducible
   • Identify root causes (sandbox permissions vs. code issues)

2. Document workarounds

   • For each confirmed issue, document any known workarounds
   • Test Flatseal permission overrides where applicable
   • Create user-facing documentation for common fixes

3. Propose manifest changes

   • Identify missing permissions in the Flatpak manifest
   • Create PR to flathub/com.borgbase.Vorta if changes are needed
   • Balance security (minimal permissions) with functionality

4. Update documentation

   • Add Flatpak-specific troubleshooting section to docs/wiki
   • Document known limitations of the sandboxed version
   • Clarify differences between Flatpak and native package behavior

Current Flatpak Permissions

The manifest at flathub/com.borgbase.Vorta includes:

• Filesystem: --filesystem=host, --filesystem=~/.var/app/
• D-Bus: org.freedesktop.secrets, org.kde.kwalletd5, org.freedesktop.NetworkManager, org.freedesktop.login1
• Sockets: X11 fallback, Wayland, SSH auth
• Network: Full network access

Potential Missing Permissions to Investigate

• System bus access for full D-Bus functionality
• FUSE device access for mounting
• Additional portal permissions for file dialogs

[goebbe]

I once did a small note for the use of borg (installed vial the Vorta flatpak):
This could be put to the Flatpak/ Vorta FAQs / documentation: #2201

This can be useful, e.g. to get the keyfile (repokey) or to unlock a repo.