Flatpak apps are becoming increasingly popular. Their special feature is that the application already includes all the necessary libraries for installation, operation, and updates. Thanks to this, such applications run on almost any Linux operating system.
Each Flatpak application is created and run in an isolated environment called a sandbox. By default, an application can only access the contents of its sandbox. Any other access must be granted explicitly. If a message about missing access to a system resource appears while using a Flatpak application, you need to configure access for that application.
Configuring Flatpak application access using the "Flatseal" utility
To set up access, it is convenient to use the "Flatseal" application, which is available for installation in the Ina OS App Store.
The graphical interface of the utility displays a list of applications and the settings available for them:
X11 Windowing System - Allow the application to open in the X11 window interface;
Wayland Windowing System - Allow the application to open in the Wayland window interface;
Fallback to X11 Windowing System - Allow the application to open in an X11 window if Wayland is not available. For correct operation, the "X11 Windowing System" socket must be enabled;
PulseAudio Sound Server - Allow the application to play sounds or access the microphone when using PulseAudio;
D-Bus Session Bus - Allow the application to access the entire session bus;
D-Bus System Bus - Allow the application to access the entire system bus;
Secure Shell Agent - Allow the application to use SSH authentication;
Smart Cards - Allow the application to use smart cards;
Printing System - Allow the application to use printing systems;
GPG Agent Directories - Allow the application to access the GPG Agent directories;
Inherit Wayland Socket - Allow the application to access limited Wayland features.
GPU acceleration - allow the application to access direct graphics rendering to take advantage of GPU (video card) acceleration;
Input devices - allow access to input devices;
Virtualization - allow the application to access virtualization;
Shared memory - allow the application to access shared memory (memory that can be accessed by several programs at the same time to ensure communication between them or to avoid redundant copies);
All devices (e.g. webcam) - allow the application to access all devices, such as the webcam and external devices.
Development Syscalls (ex. ptrace) - Allow the application to access certain system calls, such as ptrace() and perf_event_open();
Programs from other architectures - Allow the application to execute programs for an ABI different from the one natively supported by the system;
Bluetooth - Allow the application to use Bluetooth;
Controller Area Network Bus - Allow the application to use the canbus connectors. This also requires network access;
Application Shared Memory - Allow the application to share its /dev/shm between instances of the same $FLATPAK_APP_ID. Introduced specifically for the Steam Flatpak to use its /dev/shm for sandboxed games.
All system files - allow read/write access to the entire file system. Anything that is not writable by the user will be read-only;
All system libraries, executables, and static data - allow read/write access to system libraries located in /usr. Since root access is required to write to this directory, the permission will be read-only;
All system configurations - allow read/write access to system configurations located in /etc. Since root access is required to write to this directory, the permission will be read-only;
All user files - allow read/write access to the user directory ($HOME or ~/);
Other files - allow read/write access to the directory you need. You must manually specify the path to the directory and add the attribute corresponding to the access rights at the end, :ro (read only) or :rw (read-write). For example: /home/ina/Downloads:rw.
Note: when manually specifying the path to files, there is no need to confirm the line with the Enter key or to save the settings. Simply add a new line and enter the required data.
Files - Allow the application to access the target directory while restricting other applications from accessing it. Starting with the user's directory ($HOME or ~/), the target directory will be remapped to the application's directory (~/.var/app/$FLATPAK_APP_ID/[PATH]) if it does not have write access to the target directory. For example, specifying .mozilla in this line will map ~/.mozilla to ~/.var/app/org.mozilla.Firefox/.mozilla. This setting is also used to tidy up the user's directory, as it prevents the application from writing to ~/.
Variables - Set an environment variable that will be available to the application when it starts. For example, you can add MOZ_ENABLE_WAYLAND=1 for Firefox to enable its Wayland backend.
Talks - Allow the application to interact with system services. For example, adding org.freedesktop.Accounts will allow the application to access the user's login history;
Owns - Allow the application to own system services under the given name.
Talks - Allow the application to interact with session services. For example, adding org.freedesktop.Notifications will allow the application to send notifications;
Owns - Allow the application to own session services under the given name.
Background - allow the app to run in the background;
Notifications - allow the app to send notifications;
Microphone - allow the app to use the microphone;
Speakers - allow the app to use the speakers;
Camera - allow the app to use the camera;
Location - allow the app to access your location.
To return the settings to their original state, click on the "Restore" option at the top of the window, and all settings will return to the state they were in after installing the corresponding Flatpak application.
After configuring access settings, a system reboot is not required; it is enough to restart the Flatpak application whose access settings were changed.
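The switches described above are stored by Flatpak as a keyfile of permission tokens, so the broad ones can be reviewed mechanically. The following added example (not part of the original article or of Flatseal) parses such a keyfile and reports the grants this page describes as "entire" or "all", plus any bus names the application may own. The token names (session-bus, host, home and so on) come from Flatpak's keyfile format rather than from this page, and the sample data is constructed.

```python
import configparser

# Flatpak tokens behind the broadest Flatseal switches listed above
# (assumption: names taken from Flatpak's keyfile format, not from this page).
BROAD = {
    "sockets": {"session-bus": "entire D-Bus session bus",
                "system-bus": "entire D-Bus system bus",
                "ssh-auth": "SSH agent",
                "gpg-agent": "GPG agent directories"},
    "devices": {"all": "all devices (e.g. webcam)"},
    "features": {"devel": "ptrace() and perf_event_open()"},
    "filesystems": {"host": "all system files", "home": "all user files",
                    "host-os": "/usr", "host-etc": "/etc"},
}

# Constructed sample in the layout of a Flatpak override file.
SAMPLE = """\
[Context]
sockets=wayland;fallback-x11;session-bus;
devices=dri;all;
filesystems=home;/home/ina/Downloads:rw;!host;xdg-music:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
com.example.Service=own
"""

def audit(text):
    """Return (key, entry, meaning) for each broad grant in a Flatpak keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    findings = []
    for key, broad in BROAD.items():
        for entry in cp.get("Context", key, fallback="").split(";"):
            name = entry.partition(":")[0]  # drop the :ro / :rw suffix
            if name in broad:               # "!name" (a revoked grant) never matches
                findings.append((key, entry, broad[name]))
    for section in ("Session Bus Policy", "System Bus Policy"):
        if cp.has_section(section):
            for service, policy in cp.items(section):
                if policy == "own":
                    findings.append((section, service, "may own this bus name"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Per-user overrides are normally found under ~/.local/share/flatpak/overrides/, one file per application ID, and `flatpak info --show-permissions` prints an application's permissions in the same layout.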
When writing this article, materials from the official documentation of the Flatseal project were used: https://github.com/tchx84/Flatseal/blob/master/DOCUMENTATION.md. The materials are distributed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license.