GNOME Application Settings should include Flatpak permissions

Hello everyone!

As it stands right now, changing basic Flatpak permissions requires the usage of either the command line, or a third-party application (Flatseal). These permissions should be adjustable within GNOME's Applications.

Here’s a side-by-side between Flatseal and GNOME applications:

Whether you are for or against it, Flatpaks have become a very popular form of application delivery, included out-of-the-box with many of the most popular GNOME-first distros (e.g. Fedora Workstation, Silverblue, etc). Its prevalence only keeps increasing as more and more applications and distros adopt it. For example, a few months ago, a glibc update broke a large number of Steam games on Linux for months. For many users, the only fix was to use the Flatpak version, and as it stands right now, it is generally the most recommended form of installation. On top of that, some popular software only delivers Flatpaks, meaning users have to install it on their system to make use of it.

Since Flatpak sandboxes its applications, one is required to manually allow permissions to different parts of the system. Some of these are incredibly common; for instance, access to another folder or disk.

Users using Steam, or a music player, video player, etc. shouldn’t be expected to run a shell command or install a third party application in order to allow access to a different folder. Some of the more advanced settings can remain behind that wall (or best, in a collapsed-by-default Advanced Permissions section), but the Desktop Environment should expose these permissions to them. I recently had a new Fedora user come to me asking why he couldn’t find the storage permissions for Steam under Applications/Steam/Storage, and it made me realize that it makes perfect sense for these settings to be here.

Imagine you’re using Android, and you download a music player, and the only way to grant it access to your SD card is to download another application on your phone that only does that. Seems a bit redundant!

Thankfully we already have an Applications settings that handles some very basic permissions; I propose Flatpak permissions also be exposed when appropriate!

2 Likes

The static Flatpak permissions exist to ease the transition to portals and other container-aware technologies. The permissions for those container-aware technologies already are available in Settings.

As for the Steam example: the problem is that Steam doesn’t use a file chooser portal to let users select Steam Libraries and external programs.

I know that it can be a bit frustrating because some of those settings are really required right now to achieve a lot of use cases, but at least we have Flatseal for the transitional period.

my two cents

3 Likes

I can see the permissions but I cannot modify them.
I’m on GNOME 43 (Fedora 37 Silverblue). In Settings I see that GNOME Text Editor (installed as a Flatpak) has full access to the file system, but I cannot change this permission (while I can do it in Flatseal).

It seems like it’s used to work around the pitfalls of Flatpak and portals, which doesn’t seem right in a first-party app, nor does it seem right to expect users to expose directories in Settings or Flatseal manually. However, portals move slow (e.g. you still cannot expose directories reliably) and proprietary apps move even slower, so this is likely to be a problem without a good solution for now.

In addition, a lot of other Flatpak permissions do not make sense to be managed by the end user, which is a non-issue for a very tweaky utility software like Flatseal but is much more problematic for a generic app like Settings.

Not 100% sure if related, but I'm using the Flatpak of Heroic, which allowed me, for example, to install games outside of my home folder.
I noticed, though, that the read/write performance was terrible. I installed a game on a separate SSD, and the loading times and stutters were horrendous.

Was this caused by the access through some gvfs layers?
I then allowed Heroic direct access to this drive (Flatseal) and the issues were gone.
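
Added example, not part of any post in this thread: the static filesystem permissions discussed above (the "full access to the file system" grant, or a drive granted through Flatseal) are stored as `filesystems=` entries in plain keyfiles. The Python sketch below merges an app's shipped list with a user override and flags broad grants; the app ID, paths and sample keyfiles are constructed, and the merge logic is a simplified assumption of how Flatpak combines the two.

```python
import configparser

BROAD = {"host", "host-os", "host-etc", "home"}  # grants that expose most files
MODES = {"ro", "rw", "create"}                   # optional ":mode" suffixes

# Constructed sample: what `flatpak info --show-metadata <app-id>` might print.
SAMPLE_METADATA = """
[Application]
name=org.example.Editor

[Context]
sockets=wayland;fallback-x11;
filesystems=host;
"""

# Constructed sample: a per-user override keyfile, as stored under
# ~/.local/share/flatpak/overrides/<app-id> ('!' revokes a shipped grant).
SAMPLE_OVERRIDE = """
[Context]
filesystems=!host;xdg-documents:ro;/mnt/games;
"""

def _filesystems(keyfile_text):
    """Return the filesystems= entries of the [Context] group."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "filesystems", fallback="")
    return [e.strip() for e in raw.split(";") if e.strip()]

def effective_filesystems(metadata_text, override_text=""):
    """Merge shipped permissions with an override (simplified assumption)."""
    grants = {}
    for entry in _filesystems(metadata_text) + _filesystems(override_text):
        body = entry.lstrip("!")
        path, _, mode = body.rpartition(":")
        if mode not in MODES:          # no ":mode" suffix, default read-write
            path, mode = body, "rw"
        if entry.startswith("!"):
            grants.pop(path, None)     # override revokes the grant
        else:
            grants[path] = mode
    return grants

def broad_grants(grants):
    """Return the grants that defeat most of the filesystem sandbox."""
    return sorted(p for p in grants if p in BROAD)

if __name__ == "__main__":
    print("shipped:", broad_grants(effective_filesystems(SAMPLE_METADATA)))
    print("merged: ", effective_filesystems(SAMPLE_METADATA, SAMPLE_OVERRIDE))
```
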