

You also need to grant the --filesystem=host:ro permission to your app if it doesn't have it yet (see below on how).

If you need to find or manage other paths:

NB: It is generally a good idea to give software as little extra access as possible. That's why it is preferable to use the optional :ro suffix when granting access to a path to make it accessible in read-only. You will also be partly responsible if some software abuses the access it has to your device.

There's some useful path variables in the filesystem permissions reference and a lot of additional information about filesystem permissions here.

It only manages permissions on the user-level, so if you need to change settings for all users (usually not), then turn to the next section.

The examples below are for managing the path /var/lib/gems for the flatpak app -IDEA-Community. The 3 last commands are given with the --user flag for a user-level change. Without the flag and with sudo prepended the change would be applied to all users.

To check current permissions:

    flatpak info --show-permissions -IDEA-Community

To grant access:

    flatpak override --user --filesystem="/var/lib/gems":ro -IDEA-Community

To forbid access:

    flatpak override --user --nofilesystem="/var/lib/gems" -IDEA-Community

To reset permissions to the initial state:

    flatpak override --user --reset -IDEA-Community

I had the same problem with IntelliJ installed with Flatpak on Fedora 29. I believe (but correct me if I'm wrong) that Linux Mint's Software Manager also uses flatpaks. It turns out this is one of those "it's a feature not a bug" situations due to the way Flatpak sandboxes applications.

One of Flatpak’s main goals is to increase the security of desktop systems by isolating applications from one another. This is achieved using sandboxing and means that, by default, applications that are run with Flatpak have extremely limited access to the host environment.

- No access to any host files except the runtime, the app and
- No access to any device nodes (apart from /dev/null, etc).
- No access to processes outside the sandbox.
- Limited syscalls. For instance, apps can’t use nonstandard network socket types or
- Limited access to the session D-Bus instance - an app can only own its own name on the bus.
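For the advice about granting as little access as possible and preferring the :ro suffix, here is an added example (not part of the original answers) that lists the filesystem grants of an app that are still writable. It assumes the permissions are printed as a keyfile with a [Context] section and a semicolon-separated filesystems= key; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report filesystem grants that are NOT read-only.
# Real use: flatpak info --show-permissions APP_ID | writable_fs_grants
# (APP_ID is a placeholder; writable_fs_grants is a hypothetical helper name.)

writable_fs_grants() {
    awk '
        # Track which keyfile section we are in; only [Context] matters here.
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^filesystems=/ {
            sub(/^filesystems=/, "")
            n = split($0, entry, ";")
            for (i = 1; i <= n; i++) {
                e = entry[i]
                if (e == "") continue      # trailing ";" leaves an empty field
                if (e ~ /^!/) continue     # assumed: "!path" records a --nofilesystem denial
                if (e ~ /:ro$/) continue   # already restricted to read-only
                print e                    # writable grant: candidate for :ro
            }
        }
    '
}

# Constructed sample of permission output, so the script runs offline.
sample_permissions() {
    cat <<'EOF'
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=/var/lib/gems:ro;host;xdg-download:rw;!/etc;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}

# Prints "host" and "xdg-download:rw" for the constructed sample.
sample_permissions | writable_fs_grants
```

Each path it prints can be re-granted with the :ro suffix using the override command shown above, or removed with --nofilesystem.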


