Newbie questions

I have a few questions regarding Silverblue.

When using a workstation, can I prevent the application from having access to the home folder and instead it creates its own virtual home folder?

When using the flatpak package manager, first of all, can I prevent the application from having access to certain files/directories? And when I install an application through flatpak, do other users get access to that application by any chance?

As for Flatpaks, they normally access your files in two different ways:

  • Via the XDG desktop portal. This is essentially a method where the app has no file system access; your host is asked to open a file chooser dialog, and only the files you select are exposed to the app’s sandbox. Since the app itself can’t directly access anything you don’t tell it to, there’s nothing here that needs blocking.

  • Via direct filesystem access. You can run flatpak info -M my.app.Id to see the permissions the app uses, and their meaning is documented here. In short, anything after filesystems= is a path the app can access, e.g. an absolute path represents itself, xdg-music is your Music directory, home is your home directory (excluding other apps’ data), etc.

    To revoke one of these permissions from an app, you can run flatpak override my.app.Id --nofilesystem=the-filesystem-to-remove. However, do note that it may cause unexpected issues with the app, since it likely expects that directory to be accessible.

3 Likes
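The check described in the post above, as an added example that is not part of the original thread: it reads `flatpak info -M` output and prints the `--nofilesystem` override for each grant that reaches outside the XDG user directories. The function name, the sample metadata and the choice of which grants to flag (host*, home, absolute and ~/ paths) are assumptions of this example.

```shell
#!/bin/sh
# Real use (output is for review, not for piping into a shell):
#   flatpak info -M my.app.Id | audit_filesystems my.app.Id

# Constructed sample metadata (not taken from a real app) so this runs offline.
SAMPLE_METADATA='[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;
filesystems=xdg-download;xdg-music:ro;home;/mnt/data:rw;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

# audit_filesystems APP_ID  (metadata keyfile on stdin)
audit_filesystems() {
    app_id=$1
    # Take the filesystems= value from the [Context] group only,
    # then split the ';'-separated list into one entry per line.
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]") }
        in_ctx && $1 == "filesystems" { print substr($0, index($0, "=") + 1) }
    ' | tr ';' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            '!'*) continue ;;          # already revoked by an override
        esac
        # Drop the access-mode suffix; the revoke names only the location.
        fs=${entry%:ro}; fs=${fs%:rw}; fs=${fs%:create}
        case $fs in
            host|host-os|host-etc|home|/*|'~/'*)
                printf 'flatpak override %s --nofilesystem=%s\n' "$app_id" "$fs" ;;
        esac
    done
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_METADATA" | audit_filesystems my.app.Id
```

Grants such as xdg-download are left alone here because they name a single user directory; adjust the flagged set to your own policy.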

So let’s just say I installed Chrome through flatpak, wouldn’t it need to store some configuration file or something? So in this instance what happens then, does flatpak prompt me if it can access a certain directory to add this specific folder where its configuration is going to be stored?

Thanks for your help 🙂

Each app has access to three entirely private directories for storing configuration (in place of ~/.config), data (in place of ~/.local/share), and cache (in place of ~/.cache). If you want to look at them yourself, they’re all under ~/.var/app.

3 Likes

Most flatpacks don’t even make use of XDG Portals, and just use direct
filesystem access.

Actually most of them do, off the top of my head the primary exception is Electron apps (the proprietary ones on Flathub generally have a very conservative set of exposed filesystems by default, e.g. Discord can only write to Downloads and read 3 XDG dirs) and apps that need to open full directories / use custom file choosers (which is actually pretty few).

2 Likes

Flatpack doesn’t mean what you think it does.

1 Like