This is the list of permissions supported by Flatseal. These descriptions are based on Flatpak's official documentation and extended with examples and references to make it easier for newcomers to understand.
To summarize it, Flatpak provides two different permissions models: static and dynamic
Static refers to the permissions set by the developers when applications are built. Static permissions are holes in the sandbox, e.g. an application built with --filesystem=home can access all user personal files. The benefit of this model is that developers can support Flatpak without any change in their applications code.
Both Flatseal and flatpak override command-line tool, use the overrides backend to manage static permissions.
Dynamic refers to the permissions granted by the users when applications run. Dynamic permissions rely on resource providers called Portals and can require user confirmation, e.g. users can grant access to one specific file thanks to the org.freedesktop.portal.FileChooser portal. The benefit of this model is that users don't need to trust applications with more resources than is strictly needed.
Both Flatseal and flatpak permissions command-line tool, use the org.freedesktop.impl.portal.PermissionStore service to manage dynamic permissions.
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| Network | Toggle | Allow the application to have access to the network. For example, if it's disabled for Firefox, it will no longer be possible to browse the internet with this application. |
--share=network and --unshare=network |
| Inter-process communications | Toggle | Share IPC namespace with the host. This is required by X11 due to it depending on IPC. |
--share=ipc and --unshare=ipc |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| X11 windowing system | Toggle | Allow the application to open in an X11 window. Most applications use X11 for historical reasons, but is considered less secure. |
--socket=x11 and --nosocket=x11 |
| Wayland windowing system | Toggle | Allow the application to open in a Wayland window. Many applications do not use Wayland as it is a newer display protocol unlike X11, and is considered more secure, but either some applications require extra steps to use it (see environment variables example for Firefox), or do not support Wayland at all. |
--socket=wayland and --nosocket=wayland |
| Fallback to X11 windowing system | Toggle | Allow the application to open in an X11 window when Wayland is not available. This overrides the X11 windowing system option when enabled. | --socket=fallback-x11 and --nosocket=fallback-x11 |
| PulseAudio sound server | Toggle | Allow the application to play sounds or get access to the microphone when using PulseAudio. For example, if it's disabled for Rhythmbox, it will no longer be possible to listen to the music with this application. |
--socket=pulseaudio and --nosocket=pulseaudio |
| D-Bus session bus | Toggle | Allow the application to have access to the entire session bus. | --socket=session-dbus and --nosocket=session-dbus |
| D-Bus system bus | Toggle | Allow the application to have access to the entire system bus. | --socket=system-dbus and --nosocket=system-dbus |
| Secure Shell agent | Toggle | Allow the application to use SSH authentications. | --socket=ssh-auth and --nosocket=ssh-auth |
| Smart cards | Toggle | Allow the application to use smart cards. | --socket=pcsc and --nosocket=pcsc |
| Printing system | Toggle | Allow the application to use printing systems. For example, if it's disabled for LibreOffice, it will no longer be possible to print documents with this application. |
--socket=cups and --nosocket=cups |
| GPG-Agent directories | Toggle | Allow the application to access GPG-Agent directories. | --socket=gpg-agent and --nosocket=gpg-agent |
| Inherit Wayland socket | Toggle | Allow passing WAYLAND_SOCKET environment variable to the sandbox. For example, if it's disabled for Fcitx5, it won't be able to connect to Wayland and display its autocompletion dialogs. |
--socket=inherit-wayland-socket and --nosocket=inherit-wayland-socket |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| GPU acceleration | Toggle | Allow the application to access the graphics direct rendering to take advantage of GPU acceleration. | --device=dri and --nodevice=dri |
| Input devices | Toggle | Allow input device access. Note that raw and virtual input devices could still require All devices |
--device=input and --nodevice=input |
| Virtualization | Toggle | Allow the application to support virtualization. | --device=kvm and --nodevice=kvm |
| Shared memory | Toggle | Allow the application to access shared memory. | --device=shm and --nodevice=shm |
| All devices | Toggle | Allow the application to access all devices, such as webcam and external devices. For example, if it's disabled for Element, it will no longer be possible to do video calls with this application. |
--device=all and --nodevice=all |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| Development syscalls | Toggle | Allow the application to access to certain syscalls, such as ptrace() and perf_event_open(). |
--allow=devel and --disallow=devel |
| Programs from other architectures | Toggle | Allow the application to execute programs for an ABI other than the one supported natively by the system. | --allow=multiarch and --disallow=multiarch |
| Bluetooth | Toggle | Allow the application to use Bluetooth. | --allow=bluetooth and --disallow=bluetooth |
| Controller Area Network bus | Toggle | Allow the application to use canbus sockets. You must also have network access for this to work. | --allow=canbus and --disallow=canbus |
| Application Shared Memory | Toggle | Allow the application to share its /dev/shm between instances of the same $FLATPAK_APP_ID. Introduced specifically for the Steam flatpak, to share its /dev/shm with sub-sandboxed games. | --allow=per-app-dev-shm and --disallow=per-app-dev-shm. |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| All filesystem files | Toggle | Allow read-write access to the whole filesystem. Everything that isn't writeable by the user will be read-only | --filesystem=host and --nofilesystem=host |
| All system libraries, executables and static data | Toggle | Allow read-write access to system libraries located in /usr. Since this directory requires root access to write, the permission will be read-only. |
--filesystem=host-os and --nofilesystem=host-os |
| All system configurations | Toggle | Allow read-write access to system configurations located in /etc. Since this directory requires root access to write, the permission will be read-only. |
--filesystem=host-etc and --nofilesystem=host-etc |
| All user files | Toggle | Allow read-write access to the user directory ($HOME or ~/). |
--filesystem=home and --nofilesystem=home |
| Other files | Input | Allow read-write access to the directory you desire. For example, you would put ~/games if you want read-write access to ~/games. If you want read-only access to ~/games, then you would put ~/games:ro. |
--filesystem=[PATH], --filesystem=[PATH]:ro and --nofilesystem=[PATH] |
| Name | Type | Description | flatpak-override equivalent |
|---|---|---|---|
| Files | Input | Allow the application to access the targeted directory while restricting other applications from accessing it. Starting from the user directory ( $HOME or ~/), the targeted directory will be remapped to the application's directory (~/.var/app/$FLATPAK_APP_ID/[PATH]) if it has no write access to the targeted directory. For example, persisting .mozilla will map ~/.mozilla to ~/.var/app/org.mozilla.Firefox/.mozilla. This is also a technique used to declutter the user directory, as it prevents the application from writing to ~/. |
--persist=[PATH] |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| Variables | Input | Set an environment variable in the application to make the variable available to application when it runs. For example, adding MOZ_ENABLE_WAYLAND=1 for Firefox to enable the Wayland back-end. |
--env=[VAR]=[VALUE] |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| Talks | Input | Allow the application to talk to system services. For example, adding org.freedesktop.Accounts will allow the application to access users login history. |
--system-talk-name=[NAME] |
| Owns | Input | Allow the application to own system services under the given name. | --system-own-name=[NAME] |
| Name | Type | Description | flatpak override equivalent |
|---|---|---|---|
| Talks | Input | Allow the application to talk to session services. For example, adding org.freedesktop.Notifications will allow the application to send notifications. |
--talk-name=[NAME] |
| Owns | Input | Allow the application to own session services under the given name. | --own-name=[NAME] |
| Name | Type | Description | Portal |
|---|---|---|---|
| Background | Toggle | Allow the application to run in the background. | org.freedesktop.portal.Background |
| Notifications | Toggle | Allow the application to send notifications. | org.freedesktop.portal.Notification |
| Microphone | Toggle | Allow the application to listen to your microphone. | org.freedesktop.portal.Device |
| Speakers | Toggle | Allow the application to play sounds to your speakers. | org.freedesktop.portal.Device |
| Camera | Toggle | Allow the application to record videos with your camera. | org.freedesktop.portal.Device |
| Location | Toggle | Allow the application to access your location data. | org.freedesktop.portal.Location |
If permissions are removed and is no longer possible to reset, run the following command from the terminal and re-start Flatseal:
$ rm ~/.local/share/flatpak/overrides/com.github.tchx84.Flatseal
Add a new language and update translations:
$ git clone https://github.com/tchx84/Flatseal.git
$ cd Flatseal
$ echo "es" >> po/LINGUAS # es for Spanish
$ meson _translate && cd _translate
$ ninja flatseal-pot
$ ninja flatseal-update-po
$ gedit ../po/es.po # translate the strings to Spanish
To test the translation language:
$ flatpak config --set languages es
$ flatpak update org.gnome.Platform
$ LC_ALL=es_PY.UTF-8 flatpak run com.github.tchx84.Flatseal
To enable a custom installation, e.g, /xusr/custom/flatpak.
- Launch Flatseal and select it to edit its own permissions.
- Enable
host-etc, or type inhost-etc:roin the other option. - Type in the custom installation path, e.g,
/xusr/custom/flatpak:ro. - Restart Flatseal.
- Launch Flatseal and select it to edit its own permissions.
- Enable
host, or type inhost:roin the other option. - Restart Flatseal.
NOTE: To find these installations, Flatseal needs access to /etc/flatpak/installations.d. Before Flatpak 1.7.1, accessing the host /etc required the host permission, which was an all-or-nothing situation. By default, Flatseal will have minimal permissions, so it's up to the user to decide to enable this feature.
To use a custom FLATPAK_USER_DIR, e.g. /var/home/user/.flatpak.
flatpak --user override --filesystem=/var/home/user/.flatpak --env=FLATPAK_USER_DIR=/var/home/user/.flatpak com.github.tchx84.Flatseal
NOTE: By default, FLATPAK_USER_DIR is not accessible from within the Flatpak sandbox, and Flatseal has no access to custom directories. Therefore, these overrides are needed.