How to use Flatseal to modify and review Flatpak permissions in Linux

Just like for Windows and macOS, there are also specific application formats available for Linux to install an application. And technically they all work a little differently, but all aim to make it possible for you as a user to install your favorite applications. For example, for Windows, we know the EXE format, and for macOS the DMG format. For Linux, we know different formats, such as DEB, RPM, AppImage, Snap, and Flatpak. Modern application users are more and more used to both their desktop and mobile applications receiving regular updates, automatically or otherwise, with improved security and improved functionality. As a result, a format like Flatpak seems to be becoming increasingly popular at the expense of the classic .deb format. Users will sometimes find that when they use a Flatpak application, they are unable to access their data on an external drive, for example from RawTherapee or darktable. This initial limitation has to do with the sandbox nature of the Flatpak format and the standard lack of permissions. But the Flatseal app for Linux can help to solve that, and much more. In this article, I will explain how to use Flatseal to modify and review Flatpak permissions in Linux.

Content of the article

  1. What is Flatpak
  2. Why do you need Flatseal
  3. How to get and install Flatseal
  4. How to use Flatseal

What is Flatpak

As a Linux developer, you no longer need to create separate dedicated .deb files for Debian and Ubuntu-based distributions and .rpm files for Red Hat, Fedora, and derivatives such as CentOS and openSUSE. With the relatively new Flatpak file format, it has become much easier to create and distribute distribution-independent packages.

These packages run on almost every distribution without the effort that the classic .deb packaging format requires to connect the application to the correct dependencies and libraries. With Flatpak, as a developer you create a sandbox in which you pre-bundle the required libraries with your core app, so you always know your application will work on every platform. You also offer the user of the application a hassle-free solution with automatic and simplified updates. With Flatpak you create just one application package for the entire Linux desktop domain, and on top of that you are in control of updates as well.

Source / Credits: https://docs.flatpak.org/en/latest/basic-concepts.html

Flatpak-based applications exist on their own without actual dependence on the host system components. Because dependent libraries are included in the package, the application is not dependent on those available in the Linux distribution. Every Flatpak-based application can have even its own version of the same library because they don’t interfere with each other.

Flatpak can be compared with Snap, but Snap is backed by only one company while Flatpak is independent and community-based. In Linux Mint or Zorin OS, for example, Flatpak is supported out of the box without any additional settings or adjustments. In other distributions, it is easy to add Flatpak support yourself as a user. In Linux Mint, Zorin OS, and Fedora, you can find Flatpaks directly via the Software Manager, and there is also a Flatpak software store, called Flathub, comparable with the Google Play store or the Microsoft Store, where lots of Flatpak-based applications are gathered and ready to download.

As a user of applications, there are of course pros and cons for choosing between Flatpak or .deb package formats. 

Pros:

  • the all-in-one nature, thus with all dependencies integrated, one package works on any distribution
  • install updates when available
  • sandbox, so often more secure as the app is less integrated into the operating system, and also no conflicts between apps
  • because of its sandbox nature, you can run different versions of the same application at the same time, for example for review purposes

Cons:

  • the application can look a bit different on different Linux distros because of the sandbox nature and thus the independence of the look and feel provided by the host distribution itself
  • Flatpak-based apps can be much larger in size than the same .deb-based apps, because of all included dependent components
  • Flatpak-based applications can run a bit slower than their .deb-based counterparts

Why do you need Flatseal

Because of the isolation of a Flatpak-based application from your system’s components, a lot of permissions are initially not enabled. For example, when I recently installed the most recent RawTherapee photo application, I was not immediately able to look at my photo files stored on one of my external drives. In contrast, when you install the .deb version of RawTherapee, it is possible to access your external drives directly after installation. So for my Flatpak-based RawTherapee I need to be able to change some permissions, so my operating system allows this app to make a connection with my external drive.

But it is not only about giving more permissions. In some cases you may even want to restrict what your app can do, such as using your webcam, using Bluetooth, or even accessing the internet.

Flatseal is a Flatpak-based application that offers a nice and functional graphical user interface for Linux in which you can modify and review a lot of available permissions for a specific Flatpak-based application by simply toggling them on or off. All the Flatpak-based applications you have installed on your system will be visible in an overview from which you can select an application to do the required modifications or check the current settings. Also, it is much more convenient because you can see for each application which settings you can actually change, which can be different per application.

In Flatseal this is all much easier and more user-friendly and beginner-friendly than using the command line, but keep in mind that this can also be a drawback. Via the command line, you have more detailed control over the Flatpak permissions compared to Flatseal. But for a lot of us nontechnical Linux users who just want our Linux system to be productive, Flatseal is a very nice tool and offers just enough for our needs.

How to get and install Flatseal

Enable Flatpak support

First, we need to make sure that Flatpak support is enabled in our system. If you use a Linux distribution like Pop!_OS, Linux Mint, or Zorin OS, Flatpak support is offered out of the box, so it is integrated into the system and into the Software application. If you use a distro without native Flatpak support, it is easy to set it up. Via the Quick Setup page on the Flatpak website, you can see if your distro offers Flatpak support or what you can do to set it up.

Next click on a logo to see what you need to do.

Install Flatpak based apps

Of course, you first need to have at least one Flatpak-based app to be able to change the permissions with Flatseal, so select a nice app and install it from the Software center in your distro or by downloading it from Flathub.

Install Flatseal

In your Software center search for Flatseal and install it, or find it on Flathub via the below link:

How to use Flatseal

Now that you have both Flatpak-based apps and Flatseal on your system, let’s see what we can do with it.

Find Flatseal in your applications and start it up.

In this screen, you see your installed Flatpak-based apps at the left, and for the selected app the available permissions with their settings at the right. At the top, you see the hamburger menu for Help, Documentation, Keyboard shortcuts, and About. Further, you see a looking glass for search and a Reset option which can be used on the selected app.

When you make a change to one of the available attributes in Flatseal different from the standard setting, you will see an indicator (warning sign) to warn you about everything different from the ordinary that has been changed by the user. 

Each application can have its own permissions settings, which are described in detail in the Flatseal documentation. But in this article I want to keep things a bit more simple, so let’s have a look at which types of settings we have and what they mean. Below is a simplified summary (source/credits: Flatseal documentation).

Share

List of subsystems shared with the host system.

  • Network >> This setting allows the application to have access to the network.
  • Inter-process communications >> When enabled the app can share IPC (Inter-Process Communication) namespace information with your system.

Socket

List of well-known sockets available in the sandbox.

  • X11 windowing system >> Allows the application to open in an X11 window.
  • Wayland windowing system >> Allow the application to open in a Wayland window.
  • Fallback to X11 windowing system >> Allow the application to open in an X11 window when Wayland is not available.
  • PulseAudio sound server >> Allow the application to play sounds or get access to the microphone when using PulseAudio.
  • D-Bus session bus >> Allow the application to have access to the entire session bus.
  • D-Bus system bus >> Allow the application to have access to the entire system bus.
  • Secure Shell agent >> Allow the application to use SSH (Secure Shell) authentications.
  • Smart cards >> Allow the application to use smart cards.
  • Printing system >> Allow the application to use printing systems.
  • GPG-Agent directories >> Allow the application to access GPG-Agent (GNU Privacy Guard / daemon to manage secret keys) directories.

Device

List of devices available in the sandbox.

  • GPU acceleration >> Allow the application to access the graphics direct rendering to take advantage of GPU acceleration.
  • Input devices >> Allow input device access.
  • Virtualization >> Allow the application to support virtualization.
  • Shared memory >> Allow the application to access shared memory.
  • All devices >> Allow the application to access all devices, such as webcam and external devices.

Allow

List of features available to the application.

  • Development syscalls >> Allow the application to access certain syscalls.
  • Programs from other architectures >> Allow the application to execute programs for an ABI other than the one supported natively by the system.
  • Bluetooth >> Allow the application to use Bluetooth.
  • Controller Area Network bus >> Allow the application to use canbus sockets. You must also have network access for this to work.
  • Application Shared Memory >> Allow the application to share its /dev/shm between instances of the same $FLATPAK_APP_ID.

Filesystem

List of filesystem subsets available to the application.

  • All filesystem files >> Allow read-write access to the whole filesystem. Everything that isn’t writeable by the user will be read-only.
  • All system libraries, executables and static data >> Allow read-write access to system libraries located in /usr. Since this directory requires root access to write, the permission will be read-only.
  • All system configurations >> Allow read-write access to system configurations located in /etc. Since this directory requires root access to write, the permission will be read-only.
  • All user files >> Allow read-write access to the user directory ($HOME or ~/).
  • Other files >> Allow read-write access to the directory you desire.

Persistent

List of homedir-relative paths created in the sandbox.

  • Files >> Allow the application to access the targeted directory while restricting other applications from accessing it.

Environment

List of variables exported to the application.

  • Variables >> Set an environment variable in the application to make the variable available to the application when it runs.

System Bus

List of well-known names on the system bus.

  • Talks >> Allow the application to talk to system services.
  • Owns >> Allow the application to own system services under the given name.

Session Bus

List of well-known names on the session bus.

  • Talks >> Allow the application to talk to session services.
  • Owns >> Allow the application to own session services under the given name.

Portals

List of resources selectively granted to the application.

  • Background >> Allow the application to run in the background.
  • Notifications >> Allow the application to send notifications.
  • Microphone >> Allow the application to listen to your microphone.
  • Speakers >> Allow the application to play sounds to your speakers.
  • Camera >> Allow the application to record videos with your camera.
  • Location >> Allow the application to access your location data.

Use case: external drives

Based on the above options in Flatseal, you have a great amount of flexibility to set the permissions to your requirements. Here is one of those use cases. 

As already mentioned before, when you want to edit for example your RAW photo files in RawTherapee and you installed the photo editing application as Flatpak, you will notice you can’t access the external drives connected to your system. Personally, I only use my internal SSD for my system and use external drives connected via USB for my data files, like documents, photos, and music. So to make it possible for these types of applications to access my external drives, I have the following options:

Option 1:

In the section Filesystem toggle “All system files” to On.

This option gives my application much more permission than is actually required because I need to access only one of my external drives and not all system files.

Option 2:

In the section Filesystem add “/media” to Other files.

This option still gives more permission than is actually required, because I need access only to my photos folder on one of my external drives.

Option 3:

In the section Filesystem add “/media/johnbeen/EXT 3TB MYFILES/5 Creativity/My Photo Files” to Other files.

Now I have the correct permissions that give me not too much, but exactly what I need for this specific use case.

Note: The changes of permissions via Flatseal will only be active after you do a relaunch of the specific app you did these changes for.

When you want to bring things back to the standard positions, just select your Flatpak app on the left of the screen and click the Reset button.
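
To review what a filesystem change like the three options above actually grants, the added example below (not part of the original article or of Flatseal) audits a Flatpak override keyfile and labels each grant as broad or scoped, using Options 1 to 3 as constructed sample input. It assumes per-app overrides are stored in the keyfile format documented in flatpak-metadata(5), typically under ~/.local/share/flatpak/overrides/; the MOUNT_ROOTS set and the broad/scoped labels are heuristics chosen for this example.

```python
import configparser

# Keywords from flatpak-metadata(5) that expose whole trees of the host.
BROAD_KEYWORDS = {"host", "host-os", "host-etc", "home"}
# Heuristic for this example: paths that expose every mounted drive.
MOUNT_ROOTS = {"/", "/media", "/mnt", "/run/media"}
BROAD_SOCKETS = {"session-bus", "system-bus"}  # unfiltered D-Bus access

# Constructed sample overrides matching Options 1-3 of the use case.
OPTION_1 = "[Context]\nfilesystems=host;\n"
OPTION_2 = "[Context]\nfilesystems=/media;\n"
OPTION_3 = ("[Context]\nfilesystems="
            "/media/johnbeen/EXT 3TB MYFILES/5 Creativity/My Photo Files;\n")

def split_list(value):
    """Keyfile lists are ';'-separated, usually with a trailing ';'."""
    return [item.strip() for item in value.split(";") if item.strip()]

def audit_override(text):
    """Return (label, description) findings for one override keyfile."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case exactly as written
    cfg.read_string(text)
    if not cfg.has_section("Context"):
        return []
    ctx, findings = cfg["Context"], []
    for entry in split_list(ctx.get("filesystems", "")):
        if entry.startswith("!"):  # "!" revokes a grant: nothing exposed
            continue
        path, mode = entry, "rw"   # read-write is the default mode
        head, sep, tail = entry.rpartition(":")
        if sep and tail in ("ro", "rw", "create"):
            path, mode = head, tail
        path = path.rstrip("/") or "/"
        broad = path in BROAD_KEYWORDS or path in MOUNT_ROOTS
        findings.append(("broad" if broad else "scoped",
                         f"filesystem {path} ({mode})"))
    for sock in split_list(ctx.get("sockets", "")):
        if sock in BROAD_SOCKETS:
            findings.append(("broad", f"socket {sock}"))
    if "all" in split_list(ctx.get("devices", "")):
        findings.append(("broad", "device all"))
    return findings

if __name__ == "__main__":
    for name, text in (("Option 1", OPTION_1), ("Option 2", OPTION_2),
                       ("Option 3", OPTION_3)):
        print(name, audit_override(text))
```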

Final words

I can imagine that some of the above still feels a bit technical and that you probably don’t immediately see a personal use case for all of the permissions that can be changed via Flatseal. My main goal for this article was to inform you about the existence of Flatseal, show how to install it, and explain what it can do. Hopefully you will remember to look back at this article if you stumble upon a situation and think, hey, I can use Flatseal for that, like I did myself when installing a photo editing app that needed access to my external drive.



About John Been

Hi there! My name is John Been. At the moment I work as a senior solution engineer for a large financial institution, but in my free time, I am the owner of RealAppUser.com, RealLinuxUser.com, and author of my first book "Linux for the rest of us". I have a broad insight and user experience in everything related to information technology and I believe I can communicate about it with some fun and knowledge and skills.
