Skip to content

Fix Flatpak sandbox preventing access to host system commands#8109

Merged
DOsinga merged 3 commits into
aaif-goose:mainfrom
vincenzopalazzo:macros/debugging
Apr 2, 2026
Merged

Fix Flatpak sandbox preventing access to host system commands#8109
DOsinga merged 3 commits into
aaif-goose:mainfrom
vincenzopalazzo:macros/debugging

Conversation

@vincenzopalazzo
Copy link
Copy Markdown
Contributor

@vincenzopalazzo vincenzopalazzo commented Mar 25, 2026

Summary

  • When Goose Desktop runs as a Flatpak, shell commands execute inside the sandbox, making host binaries inaccessible (/usr/bin shows nfsnobody-owned sandbox binaries)
  • Root cause: configure_shell_command spawns commands using the sandbox's shell directly
  • Fix: detect Flatpak via /.flatpak-info and wrap commands with flatpak-spawn --host, forwarding environment variables via --env args and resolving shells by basename for host PATH lookup

Fixes #7986

Test plan

  • CI passes
  • On Flatpak: ls -l /usr/bin shows host system binaries with correct ownership
  • On non-Flatpak: no behavioral change (.flatpak-info absent, code takes existing path)
  • PATH resolution via get_unix_path_async returns host paths when in Flatpak

🤖 Generated with Claude Code

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f32dc4b9fd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/goose-mcp/src/developer/shell.rs Outdated
Comment thread download_cli.sh Outdated
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e82d94e09d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/goose/src/agents/platform_extensions/developer/shell.rs Outdated
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b38c22c8d5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/goose/src/agents/platform_extensions/developer/shell.rs Outdated
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 449572b3b8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/goose/src/agents/platform_extensions/developer/shell.rs Outdated
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 600c158776

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread ui/desktop/src/api/core/params.gen.ts Outdated
@vincenzopalazzo
fix(goose): harden Flatpak host shell execution
cab4057 
Run developer shell commands on the Flatpak host instead of inside the sandbox.

Preserve the intended shell resolution and add host process lifecycle handling so timed-out commands do not outlive Goose.

Signed-off-by: Vincenzo Palazzo <vincenzopalazzodev@gmail.com>
@vincenzopalazzo
Copy link
Copy Markdown
Contributor Author

vincenzopalazzo commented Mar 31, 2026

Hi @DOsinga, is there anything left in this PR to unlock it

DOsinga
DOsinga approved these changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@DOsinga DOsinga left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Legitimate fix for Flatpak sandbox issue (#7986), from an established contributor (7 merged PRs). All Codex review comments were addressed. Merged main and removed the trivial flatpak_spawn_command_uses_watch_bus test (it only asserted a constant equals itself). Build, clippy, fmt, and all shell tests pass.

@DOsinga DOsinga added this pull request to the merge queue Apr 2, 2026
Merged via the queue into aaif-goose:main with commit c7b5fb9 Apr 2, 2026
22 checks passed
@vincenzopalazzo vincenzopalazzo deleted the macros/debugging branch April 2, 2026 14:44
@github-actions github-actions Bot mentioned this pull request Apr 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@DOsinga DOsinga DOsinga approved these changes

@blackgirlbytes blackgirlbytes Awaiting requested review from blackgirlbytes

@angiejones angiejones Awaiting requested review from angiejones

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Goose Desktop cannot access system commands like /usr/bin/go on Linux

2 participants

@vincenzopalazzo @DOsinga