Understanding Flatpak Security and Permissions

One of Flatpak’s best features is its ability to run each installed application in a sandboxed environment, which isolates it from the host system and other apps or services. Flatpak also extends granular sandbox controls to the end user, allowing them to delegate access to apps as they see fit. For example, it is possible to tell Flatpak to allow a certain app to have access to your file system.

System administrators can decide which Flatpak applications have network access, file system access, hardware resource access, etc. This is facilitated with default Flatpak commands, or more easily with a GUI application like Flatseal. In this tutorial, you will learn about Flatpak security and permissions and how to modify them on your Linux system.

In this tutorial you will learn:

  • How to manage Flatpak permissions via command line
  • How to manage Flatpak permissions via GUI tool
  • How to install Flatseal on major Linux distros

Software Requirements and Linux Command Line Conventions

Category     | Requirements, Conventions or Software Version Used
System       | Any Linux distro
Software     | Flatpak package manager, Flatseal
Other        | Privileged access to your Linux system as root or via the sudo command.
Conventions  | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
             | $ – requires given linux commands to be executed as a regular non-privileged user

Understanding Flatpak Security and Permissions




First, let’s look at how we can manage Flatpak permissions with ordinary flatpak commands. Then we will see an easier way to do it with the Flatseal GUI tool.

As an example, to give a Flatpak app permission to access the Linux host file system:

$ sudo flatpak override [app id] --filesystem=host

Of course, replace [app id] with the ID of your app, such as org.gimp.GIMP.

There are a plethora of options in addition to --filesystem=host that can be used, depending on what kind of permissions you want to grant to an application. A full list can be found in the official Flatpak docs.
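
Because any app can be given broad access this way, it is worth reviewing which overrides are in place. The script below is an added example, not part of the original tutorial: it reads Flatpak override files and lists the apps that have been granted access to the host or the whole home directory. The function names and the org.example.* app IDs are made up for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Flatpak stores overrides as
# keyfiles named after the app ID, in /var/lib/flatpak/overrides (system-wide)
# and ~/.local/share/flatpak/overrides (per-user).

# audit_overrides DIR: print "<app-id> <entry>" for each filesystems= entry
# in the [Context] section that exposes the host or the whole home directory.
# Entries starting with "!" are revocations (--nofilesystem) and never match.
audit_overrides() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v app="$(basename "$f")" '
            /^\[/ { in_ctx = ($0 == "[Context]"); next }
            in_ctx && /^filesystems=/ {
                sub(/^filesystems=/, "")
                n = split($0, entry, ";")
                for (i = 1; i <= n; i++) {
                    name = entry[i]
                    sub(/:(ro|rw|create)$/, "", name)   # drop access-mode suffix
                    if (name ~ /^(host|host-os|host-etc|home)$/)
                        print app, entry[i]
                }
            }' "$f"
    done
}

# make_sample DIR: write constructed override files for the demonstration.
make_sample() {
    mkdir -p "$1"
    printf '[Context]\nfilesystems=host;\n' > "$1/org.gimp.GIMP"
    printf '[Context]\nfilesystems=xdg-download;home:ro;\nshared=!network;\n' \
        > "$1/org.example.Viewer"
    printf '[Context]\nfilesystems=!host;xdg-documents;\n' > "$1/org.example.Editor"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_overrides "$sample"
rm -rf "$sample"
# On a real system, audit both locations:
#   audit_overrides /var/lib/flatpak/overrides
#   audit_overrides "$HOME/.local/share/flatpak/overrides"
```

A flagged grant can be withdrawn with flatpak override --nofilesystem=host [app id], or all overrides for that app can be cleared with flatpak override --reset [app id].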

If you would rather avoid reading through walls of text and learning about these granular options, there is a much easier option available in the Flatseal application. Here is how to install it from Flathub:

$ sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
$ sudo flatpak install flatseal

Then, to run it:

$ flatpak run com.github.tchx84.Flatseal

Inside Flatseal, click on the Flatpak application that you want to edit security permissions for. You will see easy toggle options that you can edit to configure permissions such as network access, file system access, socket access to Wayland, audio driver, peripheral devices, and lots of other granular settings.

Editing Flatpak app permissions inside of Flatseal

Note that you can also change system wide settings across all of your installed Flatpak applications by clicking on the ‘All applications’ option at the top of the left pane.

Editing Flatpak app permissions for all installed apps

When done, simply close the app and your changes will take effect immediately. Personally, we find this method much more convenient than the command line method, which is the only default way for an end user to change app permissions in Flatpak.

Closing Thoughts




In this tutorial, we saw how to edit Flatpak security and permissions for individual apps on a Linux system. Since Flatpak works by sandboxing each application in its own environment, the user can grant additional access to individual components like the host file system and network as needed. This can be done via the command line, or much more easily with the Flatseal tool. This gives users complete control over the security of their system and over how Flatpak applications can interact with their Linux system.


