Application Permissions

When an application is distributed as a flatpak it needs permission to access certain features on the phone, such as using the network, or reading and writing the user’s files. This is done by requesting permissions in the Flatpak manifest file.

The permissions required by an application are included in the finish-args entry of its manifest. The following example shows the first part of a manifest for an application that uses the display and maintains user-specific settings:

{
    "app-id": "com.example.some_example",
    "runtime": "org.gnome.Platform",
    "runtime-version": "3.32",
    "sdk": "org.gnome.Sdk",
    "command": "my-program",
    "finish-args": [
        "--socket=wayland",
        "--filesystem=~/.config/dconf:ro",
        "--talk-name=ca.desrt.dconf",
        "--env=DCONF_USER_CONFIG_DIR=.config/dconf"
    ],

Some tasks can be performed without the need to request permissions. For example, each application can store and retrieve user data in its own private area. This mechanism for storing persistent data is described in the section about User Data.

Permissions for Common Features

The table below shows the permissions that correspond to some common features used by applications.

Feature Flatpak Permissions
Display a graphical user interface --socket=wayland
Access the Internet using sockets --share=network
Access settings (GNOME applications) --filesystem=~/.config/dconf:ro
--talk-name=ca.desrt.dconf
--env=DCONF_USER_CONFIG_DIR=.config/dconf
Access Bluetooth devices --allow=bluetooth
Read and write user’s documents --xdg-documents
Read and write user’s downloads --xdg-download
Read and write user’s music --xdg-music
Read and write user’s pictures --xdg-pictures
Read and write user’s videos --xdg-videos

A more detailed description of permissions is given in the Sandbox Permissions section of the Flatpak documentation, which also contains a more extensive list.