Application Permissions¶
When an application is distributed as a flatpak it needs permission to access certain features on the phone, such as using the network, or reading and writing the user’s files. This is done by requesting permissions in the Flatpak manifest file.
The permissions required by an application are included in the finish-args
entry of its manifest. The following example shows the first part of a manifest
for an application that uses the display and maintains user-specific settings:
{
"app-id": "com.example.some_example",
"runtime": "org.gnome.Platform",
"runtime-version": "45",
"sdk": "org.gnome.Sdk",
"command": "my-program",
"finish-args": [
"--socket=wayland",
"--filesystem=~/.config/dconf:ro",
"--talk-name=ca.desrt.dconf",
"--env=DCONF_USER_CONFIG_DIR=.config/dconf"
],
Some tasks can be performed without the need to request permissions. For example, each application can store and retrieve user data in its own private area. This mechanism for storing persistent data is described in the section about User Data.
Permissions for Common Features¶
The table below shows the permissions that correspond to some common features used by applications.
| Feature | Flatpak Permissions |
|---|---|
| Display a graphical user interface | --socket=wayland |
| Access the Internet using sockets | --share=network |
| Access Bluetooth devices | --allow=bluetooth |
| Read and write user’s documents | --xdg-documents |
| Read and write user’s downloads | --xdg-download |
| Read and write user’s music | --xdg-music |
| Read and write user’s pictures | --xdg-pictures |
| Read and write user’s videos | --xdg-videos |
A more detailed description of permissions is given in the Sandbox Permissions section of the Flatpak documentation, which also contains a more extensive list.