Flatpaks represent a relative new, cross-distribution way of distributing software on Linux: applications are packaged together with their dependencies and runs in a sandbox, isolated from the rest of the system, except for some specific areas they need to access to work correctly. The system resources a flatpak needs to access are visible when it is installed from the command line; with Flatseal we can inspect and manage them graphically.
In this tutorial we learn how to install Flatseal and how to use it to manage permissions and privileges of flatpak applications.
In this tutorial you will learn:
- How to install Flatseal
- How to use Flatseal to manage flatpaks privileges
- How to revert back to default settings
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Distribution-agnostic |
| Software | flatpak |
| Other | Administrative privileges are for system-wide software installation |
| Conventions | # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command $ – requires given linux-commands to be executed as a regular non-privileged user |
Installation
At the moment of writing, except on Fedora, which has a native package for it, the most convenient way to install Flatseal on the most used Linux distributions, is as a flatpak itself, since it is available on the Flathub remote.
The first thing we have to decide is if we want to install the application system-wide or just for a user. This depends on how we added the remote in the first place (not familiar with Flatpak terminology? You may want to take a look at this tutorial) . The command to be used is the same, the only difference is that to install the application at the user level we have to use the
--user option. In such configuration, we don’t need to use privilege escalation:
$ flatpak --user install flathub com.github.tchx84.Flatseal
If we use graphical software installers like GNOME software, we can also search and install the application graphically:
If using Fedora we have the option to install Flatseal as a native package, directly with the distribution package manager:
$ sudo dnf install flatseal
Using Flatseal to manage flatpaks privileges
Following the GNOME guidelines, the Flatseal interface is quite minimal. Once we launch the application, we can see the list of the installed flatpaks on the left. A description of the application, the permissions it uses and the subsystems shared with the host system can be found in the main section, instead:
The first item in the left menu list, the one you see selected in the screenshot above, is about global settings. As you can see, by default no privileges are enabled in this section. Each application requests its own, as we can see in a moment. Enabling a privilege in this section is discouraged, since enables it for all the installed flatpaks. If we take a look at the list of available permissions, we can see they are grouped in the following subsections:
- Subsystem shared with the host system
- Sockets
- Devices
- List of features available to the application
- Filesystem and files access
- Persistent files created by the application
- Environment variables exported to the application
- System bus
- Session bus
- Portals
In the “Sockets” section, for example, we can choose what sockets to make available in the sandbox. Sockets are used as a way to achieve inter-process communications. An application needs to access a specific socket in order to perform some actions. In this case we can see, among the others, the X11 and Wayland windowing system sockets are available. You may find those sockets are accessible by all sandboxed applications, since each one needs them to draw its own windows. For instance, as you can see in the screenshot below, Vlc has access to the X11 socket (not the Wayland one, since looks like the application itself doesn’t support it yet):
Modifying an application privileges
To modify default settings we can just click on the associated toggle. As soon as we do it, a little warning sing will appear, marking the change as user-made:
To revert the settings, and return back to the default configuration, we just click on the “Reset” button in the right side of the header bar.
Conclusions
In this tutorial we saw how to install Flatseal on some of the most used Linux distributions. The application can be used to graphically manage the privileges of software distributed in the flatpak format which runs in a sandbox, is isolated from the rest of the system, but needs to access specific features on the host in order to work correctly. Want to know more about Flatpak technology? Take a look at our tutorials!
