Understanding Flatpak Security and Permissions

One of Flatpak’s best features is its ability to run each installed application in a sandboxed environment, which isolates it from the host system and other apps or services. Flatpak also extends granular sandbox controls to the end user, allowing them to delegate access to apps as they see fit. For example, it is possible to tell Flatpak to allow a certain app to have access to your file system.

System administrators can decide which Flatpak applications have network access, file system access, hardware resource access, etc. This is faciliated with default Flatpak commands, or more easily with a GUI application like Flatseal. In this tutorial, you will learn about Flatpak security and permissions and how to modify them on your Linux system.

In this tutorial you will learn:

  • How to manage Flatpak permissions via command line
  • How to manage Flatpak permissions via GUI tool
  • How to install Flatseal on major Linux distros
Understanding Flatpak Security and Permissions
Understanding Flatpak Security and Permissions
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software Flatpak package manager, Flatseal
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Understanding Flatpak Security and Permissions



Twitter icon Follow LinuxConfig.org on Twitter for the latest tips and tricks about Linux!


First, let’s look at how we can manage Flatpak permissions with ordinary flatpak commands. Then we will see an easier way to do it with the Flatseal GUI tool.

As an example, to give a Flatpak app permission to access the Linux host file system:

$ sudo flatpak override [app id] --filesystem=host

Of course, replace [app id] with the ID of your app, such as org.gimp.GIMP.

There are a plethora of options in addition to --filesystem=host that can be used, depending on what kind of permissions you want to grant to an application. A full list can be found in the official Flatpak docs.

If you would rather avoid reading through walls of text and learning about these granular options, there is a much easier option available in the Flatseal application. Here is how to install it from FlatHub:

$ sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
$ sudo flatpak install flatseal

Then, to run it:

$ flatpak run com.github.tchx84.Flatseal

Inside Flatseal, click on the Flatpak application that you want to edit security permissions for. You will see easy toggle options that you can edit to configure permissions such as network access, file system access, socket access to Wayland, audio driver, peripheral devices, and lots of other granular settings.

Editing Flatpak app permissions inside of Flatseal
Editing Flatpak app permissions inside of Flatseal

Note that you can also change system wide settings across all of your installed Flatpak applications by clicking on the ‘All applications’ option at the top of the left pane.

Editing Flatpak app permissions for all installed apps
Editing Flatpak app permissions for all installed apps

When done, simply close the app and your changes will take effect immediately. Personally we find this method much more covenient than the command line method which is the only default way for an end user to change app permissions in Flatpak.

Closing Thoughts




In this tutorial, we saw how to edit Flatpak security and permissions for individual apps on a Linux system. Since Flatpak works by sandboxing each application in its own environment, the user can grant extraneous access to individual components like the host file system and network as needed. This can be done via command line, or much more easily with the Flatseal tool. This gives users complete control over the security of their system and in deciding how Flatpak applications can interact with their Linux system.



Comments and Discussions
Linux Forum