How to manage flatpaks privileges with Flatseal

Flatpaks represent a relative new, cross-distribution way of distributing software on Linux: applications are packaged together with their dependencies and runs in a sandbox, isolated from the rest of the system, except for some specific areas they need to access to work correctly. The system resources a flatpak needs to access are visible when it is installed from the command line; with Flatseal we can inspect and manage them graphically.

In this tutorial we learn how to install Flatseal and how to use it to manage permissions and privileges of flatpak applications.

In this tutorial you will learn:

  • How to install Flatseal
  • How to use Flatseal to manage flatpaks privileges
  • How to revert back to default settings
How to manage flatpaks privileges with Flatseal
How to manage flatpaks privileges with Flatseal

Category Requirements, Conventions or Software Version Used
System Distribution-agnostic
Software flatpak
Other Administrative privileges are for system-wide software installation
Conventions # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command $ – requires given linux-commands to be executed as a regular non-privileged user

Installation

At the moment of writing, except on Fedora, which has a native package for it, the most convenient way to install Flatseal on the most used Linux distributions, is as a flatpak itself, since it is available on the Flathub remote.



The first thing we have to decide is if we want to install the application system-wide or just for a user. This depends on how we added the remote in the first place (not familiar with Flatpak terminology? You may want to take a look at this tutorial) . The command to be used is the same, the only difference is that to install the application at the user level we have to use the --user option. In such configuration, we don’t need to use privilege escalation:

$ flatpak --user install flathub com.github.tchx84.Flatseal

If we use graphical software installers like GNOME software, we can also search and install the application graphically:

Installing Flatseal with GNOME Software
Installing Flatseal with GNOME Software

If using Fedora we have the option to install Flatseal as a native package, directly with the distribution package manager:

$ sudo dnf install flatseal

Using Flatseal to manage flatpaks privileges

Following the GNOME guidelines, the Flatseal interface is quite minimal. Once we launch the application, we can see the list of the installed flatpaks on the left. A description of the application, the permissions it uses and the subsystems shared with the host system can be found in the main section, instead:

Flatseal interface
Flatseal interface



The first item in the left menu list, the one you see selected in the screenshot above, is about global settings. As you can see, by default no privileges are enabled in this section. Each application requests its own, as we can see in a moment. Enabling a privilege in this section is discouraged, since enables it for all the installed flatpaks. If we take a look at the list of available permissions, we can see they are grouped in the following subsections:

  1. Subsystem shared with the host system
  2. Sockets
  3. Devices
  4. List of features available to the application
  5. Filesystem and files access
  6. Persistent files created by the application
  7. Environment variables exported to the application
  8. System bus
  9. Session bus
  10. Portals



In the “Sockets” section, for example, we can choose what sockets to make available in the sandbox. Sockets are used as a way to achieve inter-process communications. An application needs to access a specific socket in order to perform some actions. In this case we can see, among the others, the X11 and Wayland windowing system sockets are available. You may find those sockets are accessible by all sandboxed applications, since each one needs them to draw its own windows. For instance, as you can see in the screenshot below, Vlc has access to the X11 socket (not the Wayland one, since looks like the application itself doesn’t support it yet):

Vlc flatpak shared sockets
Vlc flatpak shared sockets

Modifying an application privileges

To modify default settings we can just click on the associated toggle. As soon as we do it, a little warning sing will appear, marking the change as user-made:

A warning sing appears on settings changed by the user
A warning sing appears on settings changed by the user

To revert the settings, and return back to the default configuration, we just click on the “Reset” button in the right side of the header bar.

Conclusions

In this tutorial we saw how to install Flatseal on some of the most used Linux distributions. The application can be used to graphically manage the privileges of software distributed in the flatpak format which runs in a sandbox, is isolated from the rest of the system, but needs to access specific features on the host in order to work correctly. Want to know more about Flatpak technology? Take a look at our tutorials!



Comments and Discussions
Linux Forum