Application Permissions

When an application is distributed as a flatpak it needs permission to access certain features on the phone, such as using the network, or reading and writing the user’s files. This is done by requesting permissions in the Flatpak manifest file.

The permissions required by an application are included in the finish-args entry of its manifest. The following example shows the first part of a manifest for an application that uses the display and maintains user-specific settings:

{
    "app-id": "com.example.some_example",
    "runtime": "org.gnome.Platform",
    "runtime-version": "40",
    "sdk": "org.gnome.Sdk",
    "command": "my-program",
    "finish-args": [
        "--socket=wayland",
        "--filesystem=~/.config/dconf:ro",
        "--talk-name=ca.desrt.dconf",
        "--env=DCONF_USER_CONFIG_DIR=.config/dconf"
    ],

Some tasks can be performed without the need to request permissions. For example, each application can store and retrieve user data in its own private area. This mechanism for storing persistent data is described in the section about User Data.

Permissions for Common Features

The table below shows the permissions that correspond to some common features used by applications.

Feature

Flatpak Permissions

Display a graphical user interface

--socket=wayland

Access the Internet using sockets

--share=network

Access Bluetooth devices

--allow=bluetooth

Read and write user’s documents

--xdg-documents

Read and write user’s downloads

--xdg-download

Read and write user’s music

--xdg-music

Read and write user’s pictures

--xdg-pictures

Read and write user’s videos

--xdg-videos

A more detailed description of permissions is given in the Sandbox Permissions section of the Flatpak documentation, which also contains a more extensive list.