Flatpak printing and file attaching, especially with email clients that have been flatpaked, is a major (&)(*&+_ing nuisance. “Oh, we’re sandboxed!” will be the rallying cry from the support team that doesn’t want to actually fix anything. If your installation procedure, or even your first run where you ask everything else, simply asked:
Do you want to be able to print?
Do you want to be able to attach files?
It could actually fix the desktop file instead of expecting users to be Linux experts able to change your diapers.
What You Need
Given the Flatpak naming schema, the .desktop file you need to find won’t have the name you think.
cd /
sudo find . -iname '*.desktop' | grep -i bird
Assuming you are looking for betterbird or thunderbird or some other application with bird in the name, the above should yield something like:
If you are on a real computer with a real browser you should be able to click and expand that. If you are reading this on your phone you are most deservedly screwed. Those who can see will note the name is actually eu.betterbird.Betterbird.desktop.
The Changes
The file you wish to modify is in the “exports” directory tree. You are interested in one line.
Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=betterbird --file-forwarding --filesystem=host --talk-name=org.gtk.vfs.* --filesystem=xdg-run/gvfsd --socket=cups eu.betterbird.Betterbird @@u %u @@
When all you can do for “printing” is to export to a PDF, and you know for a fact you have printers defined, you need to have
--socket=cups
If you have already made the changes identified in this post and your application still won’t open URLs, even though it provides a function/method of doing so, you need this on your Exec line:
--talk-name=org.gtk.vfs.* --filesystem=xdg-run/gvfsd
The reason you need that filesystem after the talk is that the pipe used to communicate with the outside world is now on disk instead of just in memory.
Everyone Has a NAS Today
Limited file access is the real humiliating kick to the crotch. Everybody has a NAS (Network Attached Storage) of some kind today. We have multiple computers that need to share files and “the cloud” is completely insecure. If you don’t believe that statement ask yourself this:
What is safer? A set of drives attached to my network with all Internet access turned off, or a “cloud service” by a big-name cloud service provider that every hacker in the world is trying to penetrate?
Question to ask
Yes, you could do a dumb-ass thing like click on a link you know you shouldn’t or disable your browser security software so you can access that “special” porn site, but that only screws you. When you have your OneDrive, Google Drive, DropBox, insert-cloud-service-here open as a “local” drive and do that, it potentially screws the world.
Technically every application is supposed to use one of the xdg services, but that doesn’t give you everything. Here is a scrape from the Sandbox Permissions documentation for --filesystem.
Sorry for the duplicate of xdg-pictures with the scrapes. If you have your NAS mounted at the system level then you most likely need either
--filesystem=host
Or one of the directory specific paths. Just remember that host exposes pretty much the whole enchilada. For those of us who manually mount our NAS as a user to a directory under $HOME the following is a better option.
--filesystem=home
At least some things will be protected.
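To see at a glance what an edited Exec line has opened up, here is an added example (not from the original post or from Flatpak itself) that reads the first Exec= line of a .desktop file and reports the printing socket, the gvfs pair, and how much of the filesystem is exposed. The function name audit_desktop and the exposure labels are assumptions made for this example; the sample file is constructed from the Exec line shown above.

```shell
#!/bin/sh
# Added example: summarise the sandbox holes opened by the Exec= line
# of an exported Flatpak .desktop file. audit_desktop is a hypothetical name.

audit_desktop() {
    # Main entry only: the first Exec= line in the file.
    line=$(sed -n 's/^Exec=//p' "$1" | head -n 1)
    [ -n "$line" ] || { echo "error=no-exec-line"; return 1; }
    print=no; talk=no; run=no; fs=""
    set -f    # stop org.gtk.vfs.* from glob-expanding during word splitting
    for word in $line; do
        case $word in
            --socket=cups)               print=yes ;;
            --talk-name=org.gtk.vfs.\*)  talk=yes ;;
            --filesystem=xdg-run/gvfsd)  run=yes ;;
            --filesystem=*)              fs="${fs:+$fs,}${word#--filesystem=}" ;;
        esac
    done
    set +f
    # Opening URLs needs both the talk name and the gvfsd runtime directory.
    gvfs=no
    if [ "$talk" = yes ] && [ "$run" = yes ]; then gvfs=yes; fi
    # host is the whole enchilada; home keeps at least some things protected.
    case ",$fs," in
        *,host,*|*,host:*) exposure=broad ;;
        *,home,*|*,home:*) exposure=home ;;
        ,,)                exposure=none ;;
        *)                 exposure=limited ;;
    esac
    echo "print=$print gvfs=$gvfs fs=${fs:-none} exposure=$exposure"
}

# Constructed sample: the Exec line from this post in a throwaway file.
sample=$(mktemp)
printf '%s\n' '[Desktop Entry]' 'Exec=/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=betterbird --file-forwarding --filesystem=host --talk-name=org.gtk.vfs.* --filesystem=xdg-run/gvfsd --socket=cups eu.betterbird.Betterbird @@u %u @@' > "$sample"
audit_desktop "$sample"
rm -f "$sample"
```

Point it at the file your find command turned up; an exposure of broad means the line carries --filesystem=host.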