1. What is flatpak?
- Like Firejail and snap, flatpak is a sandboxing solution that runs applications with controlled permissions. This increases security, particularly for applications that connect to the internet. Flatpak is based on the sandboxing software bubblewrap and on the ostree file system.
- Like snaps and AppImages, flatpaks are a way to distribute applications packages that run unchanged on several distributions.
- Flatpak launch is fast: flatpaks don't need to be uncompressed before launch (as snaps need); flatpaks don't need to have a SquashFS file system mounted before launch (as AppImages need).
- Unlike snap, flatpak is not controlled by an organization (Canonical). Any user can make a flatpak for his own use or publish it in a repository (Flathub is the main one).
- Flatpak has three categories of components:
* flatpak framework, packages installed in the operating system,
* flatpak runtimes, necessary to run applications,
* flatpak applications.
- Flatpak also provides fresh applications, with automatic updates. With stable distributions, such as Linux Mint or Ubuntu LTS, applications (except some such as browsers and mail clients) are not updated. With rolling distributions, such as Arch Linux or Manjaro, applications are updated but the operating system is not stable. Flatpak is a way to have updated applications in a stable operating system: flatpak runtimes and applications are a kind of rolling distribution running in a stable operating system.
- Caveats:
* Flatpaks take a lot of disk space, since runtimes are needed to run applications. The installation of the first flatpak might increase system disk use by several hundreds of MB; following installations will increase disk use less if the installed applications use the same runtime.
* Most flatpaks are published by developers on GitHub and are not endorsed by the application author (a notable exception is the Firefox flatpak, published by Mozilla). For this reason I don't recommend the use of a flatpak security application such as a password manager or encryption, unless it is published or endorsed by the application author.
* Flatpak runtimes change very quickly; daily Timeshift snapshots show that several thousand files change or are created every day. Timeshift snapshots should therefore be taken on a daily basis, complemented by operating system backups on a weekly basis.
2. Reference links
- Flatpak website: https://www.flatpak.org/
- Flatpak's documentation: https://docs.flatpak.org/en/latest/
- Flatpak on Github: https://github.com/flatpak/
- Flatpak ppa stable on Github: https://github.com/flatpak/ppa-flatpak
- Flatpak ppa stable on Launchpad: https://launchpad.net/~flatpak/+archive/ubuntu/stable
- Flathub repository: https://flathub.org/home
3. Installing flatpak framework and Flathub repository
The flatpak framework is normally installed by default in Linux Mint. However, as with any security application, users should always run the latest available flatpak framework, which carries the latest bug and security fixes. Ubuntu does not update the flatpak framework. Linux Mint updated it once, in Mint 20.3 (version 1.12.1), but the latest version is 1.12.5 (as of February 20th, 2022).
The way to always have the latest available stable framework is to install the flatpak stable ppa, which is maintained by the flatpak developers team and is available for the stable supported versions of Ubuntu, and so for Linux Mint 19.x and 20.x. To add this ppa to your system:
Code:
sudo add-apt-repository ppa:flatpak/stable
* If flatpak is installed on your system, Update Manager will offer to update it; accept, update and close Update Manager.
* If flatpak is not installed, Update Manager will not offer to update it; close Update Manager, launch Synaptic, look for flatpak, select it for installation and apply. Synaptic will install the flatpak framework with all its dependencies (as of February 20th, 2022, the following packages are installed, at a minimum: flatpak, gir1.2-flatpak-1.0, libflatpak0, libostree-1-1, xdg-dbus-proxy, xdg-desktop-portal). Optionally, you can install flatpak-builder and its dependencies, to build your own flatpaks.
Once the flatpak framework is installed, it is time to add the Flathub repository (to allow command line search in it). This is done with the following command:
Code:
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
4. Installing a flatpak application
There are three ways to install a flatpak application:
* Use the Software Manager to look for and install a flatpak application (flatpak applications are identified as such in the Software Manager; and search can be restricted to flatpaks).
* Use Flathub: from its home page, look for an application (search function at the top of the page) or browse applications by category; once you have found the application you want to install, copy the installation command from the application page, paste it in the terminal and run it.
* Use flatpak commands; as an example, if you want to install Gimp, first search for it:
Code:
~$ flatpak search gimp
Name Description Application ID Version Branch Remotes
Éditeur d’imag… Créer des images et modifier des photographies org.gimp.GIMP 2.10.30 stable flathub
GIMP User Manu… GIMP User Manual org.gimp.GIMP.Manual 2.10 2.10 flathub
Resynthesizer Set of GIMP plug-ins that heal (in-paint), synthesize texture, theme an image, and more …mp.GIMP.Plugin.Resynthesizer 2.0.3 2-40 flathub
Resynthesizer Set of GIMP plug-ins that heal (in-paint), synthesize texture, theme an image, and more …mp.GIMP.Plugin.Resynthesizer 2.0.3 2-3.36 flathub
GimpLensfun GimpLensfun is a Gimp plugin to correct lens distortion using the lensfun library and database. org.gimp.GIMP.Plugin.Lensfun 0.2.4 2-40 flathub
GimpLensfun GimpLensfun is a Gimp plugin to correct lens distortion using the lensfun library and database. org.gimp.GIMP.Plugin.Lensfun 0.2.4 2-3.36 flathub
Fourier A simple GIMP plug-in to do fourier transform on your image. org.gimp.GIMP.Plugin.Fourier 0.4.3 2-40 flathub
Fourier A simple GIMP plug-in to do fourier transform on your image. org.gimp.GIMP.Plugin.Fourier 0.4.3 2-3.36 flathub
BIMP Batch Image Manipulation Program, a GIMP plugin to apply a set of manipulations to an entire group of i… org.gimp.GIMP.Plugin.BIMP 2.6 2-40 flathub
BIMP Batch Image Manipulation Program, a GIMP plugin to apply a set of manipulations to an entire group of i… org.gimp.GIMP.Plugin.BIMP 2.5 2-3.36 flathub
LiquidRescale LiquidRescale plugin to resize pictures non uniformly while preserving their features, i.e. avoiding di… …mp.GIMP.Plugin.LiquidRescale 0.7.2 2-40 flathub
LiquidRescale LiquidRescale plugin to resize pictures non uniformly while preserving their features, i.e. avoiding di… …mp.GIMP.Plugin.LiquidRescale 0.7.2 2-3.36 flathub
G'MIC GREYC's Magic for Image Computing org.gimp.GIMP.Plugin.GMic 3.0.2 2-40 flathub
G'MIC GREYC's Magic for Image Computing org.gimp.GIMP.Plugin.GMic 2.9.6 2-3.36 flathub
FocusBlur Focus Blur plug-in crete a blurring effect similar to Depth of Field. …g.gimp.GIMP.Plugin.FocusBlur 3.2.6 2-40 flathub
FocusBlur Focus Blur plug-in crete a blurring effect similar to Depth of Field. …g.gimp.GIMP.Plugin.FocusBlur 3.2.6 2-3.36 flathub
Glimpse Créer des images et modifier des photographies org.glimpse_editor.Glimpse 0.2.0 stable flathub
Scans to PDF Create small, searchable PDFs from scanned documents com.github.unrud.djpdf 0.1.6 stable flathub
* Gimp program is "org.gimp.GIMP",
* Gimp user manual is "org.gimp.GIMP.Manual",
* Several plugins are found: "org.gimp.GIMP.Plugin.Resynthesizer", "org.gimp.GIMP.Plugin.Lensfun", "org.gimp.GIMP.Plugin.Fourier", "org.gimp.GIMP.Plugin.BIMP", "org.gimp.GIMP.Plugin.LiquidRescale", "org.gimp.GIMP.Plugin.GMic", "org.gimp.GIMP.Plugin.FocusBlur", which you would not find with Software Manager or Flathub online search.
Now you can install what you need; as an example, the following commands will install Gimp, its manual, and the G'MIC plugin:
Code:
flatpak install org.gimp.GIMP
flatpak install org.gimp.GIMP.Manual
flatpak install org.gimp.GIMP.Plugin.GMic
- applications will be installed automatically in your system language,
- you will have to choose the place for applications, system or user home, during the installation; default is system.
5. Useful tricks and commands
Automatic updates:
You can enable automatic silent flatpak updates: launch the Update Manager / Edition / Preferences / Automation and move the slider "Update flatpaks automatically" to the right, then close the Update Manager window.
Some useful commands:
Flatpak framework version:
Code:
flatpak --version
Flatpak runtimes and applications update:
Code:
flatpak update
Flatpak runtimes and applications installation repair:
Code:
flatpak repair
Removal of unused runtimes:
Code:
flatpak uninstall --unused
Application uninstallation:
Code:
flatpak uninstall appname
Example, to uninstall Gimp:
Code:
flatpak uninstall org.gimp.GIMP
List of installed runtimes and applications:
Code:
flatpak list
List of installed applications only:
Code:
flatpak list --app
Example output:
Code:
~$ flatpak list --app
Name Application ID Version Branch Installation
calibre com.calibre_ebook.calibre 5.37.0 stable system
Pinta com.github.PintaProject.Pinta 2.0.2 stable system
Flatseal com.github.tchx84.Flatseal 1.7.5 stable system
OBS Studio com.obsproject.Studio 27.2.0 stable system
Transmission com.transmissionbt.Transmission 3.00 stable system
XnView MP com.xnview.XnViewMP 0.99.7 stable system
HandBrake fr.handbrake.ghb 1.5.1 stable system
Audacity org.audacityteam.Audacity 3.1.3 stable system
Avidemux org.avidemux.Avidemux 2.8.0 stable system
Chromium Web Browser org.chromium.Chromium 98.0.4758.102 stable system
FileZilla org.filezillaproject.Filezilla 3.58.0 stable system
Geeqie org.geeqie.Geeqie v1.7.2 stable system
Inkscape org.inkscape.Inkscape 1.1.2 stable system
Okular org.kde.okular 21.12.2 stable system
Thunderbird org.mozilla.Thunderbird 91.6.1 stable system
Firefox org.mozilla.firefox 97.0.1 stable system
VLC org.videolan.VLC 3.0.16 stable system
Launch of an application:
Code:
flatpak run appname
NB: the preferred way to launch a flatpak is the shortcut added to your menu during the flatpak application installation; the command line may be more complex and include some extra arguments. For example, for the Chromium browser: "/usr/bin/flatpak run --branch=stable --arch=x86_64 --command=/app/bin/chromium --file-forwarding org.chromium.Chromium @@u %U @@"
The full list of commands and their syntax is described in Flatpak's documentation.
Files on your disk:
- With the default (system) place, runtimes and applications are installed in "/var/lib/flatpak" and do not disturb your operating system installation in any way (no system file is changed or created in any other system directory during runtimes or applications installation).
- Configuration and cache files, including browsers or mail clients profiles, are in "/home/username/.var/app"
Flatpaks permissions editor:
Flatpak permissions are set by flatpak publishers. They are generally well adapted to the application. If the permissions of an application need to be edited, Flatseal is a flatpak application that does this easily, with a graphical UI. Flatseal includes integrated documentation explaining the meaning of each permission setting. To install Flatseal:
Code:
flatpak install com.github.tchx84.Flatseal
6. About Flatpak security
Flatpak uses Bubblewrap https://github.com/containers/bubblewrap.
From the Bubblewrap GitHub page:
The goal of bubblewrap is to run an application in a sandbox, where it has restricted access to parts of the operating system or user data such as the home directory.
Bubblewrap works by creating a new, completely empty, mount namespace where the root is on a tmpfs that is invisible from the host, and will be automatically cleaned up when the last process exits.
The user can specify exactly what parts of the filesystem should be visible in the sandbox. Any such directories you specify mounted nodev by default, and can be made readonly.
The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation. It may increase the ability of a logged in user to perform denial of service attacks, however.
In particular, bubblewrap uses PR_SET_NO_NEW_PRIVS to turn off setuid binaries, which is the traditional way to get out of things like chroots.
Permissions setting (with Flatseal) allows file access to be restricted: as an example, restricting the file access of your browser or e-mail client to "xdg-download" will allow it to read/write only your Downloads directory, with no access to any other directory (except under user control, through the file chooser portal).
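Two of the properties quoted from the Bubblewrap page, the separate mount namespace and PR_SET_NO_NEW_PRIVS, can be checked from the host for any process. The following is an added example, not part of the original post or of the Bubblewrap project; the function names, PIDs and namespace ids are constructed, and it assumes the Linux /proc layout.

```shell
#!/bin/sh
# Added example: check a process for the two bubblewrap properties quoted above.
# Assumes the Linux /proc layout; PROC and REF are parameters so the check can
# also run against a constructed tree.

# sandbox_markers PID [PROC] [REF]: REF is a host-side process to compare with.
sandbox_markers() {
    pid=$1; proc=${2:-/proc}; ref=${3:-self}
    # NoNewPrivs is 1 once PR_SET_NO_NEW_PRIVS is set; child processes inherit it.
    nnp=$(awk '$1 == "NoNewPrivs:" { print $2 }' "$proc/$pid/status" 2>/dev/null) || true
    # ns/mnt is a symlink naming the mount namespace; a sandboxed process
    # has a different one from the host shell.
    ours=$(readlink "$proc/$ref/ns/mnt" 2>/dev/null) || true
    theirs=$(readlink "$proc/$pid/ns/mnt" 2>/dev/null) || true
    mnt=unknown
    if [ -n "$ours" ] && [ -n "$theirs" ]; then
        if [ "$ours" = "$theirs" ]; then mnt=shared; else mnt=private; fi
    fi
    echo "no_new_privs=${nnp:-unknown} mount_ns=$mnt"
}

# make_sample DIR: constructed /proc-like tree; 100 is a host shell, 200 an
# application started through bubblewrap. All values are made up.
make_sample() {
    mkdir -p "$1/100/ns" "$1/200/ns"
    printf 'Name:\tbash\nNoNewPrivs:\t0\n' > "$1/100/status"
    printf 'Name:\tfirefox\nNoNewPrivs:\t1\n' > "$1/200/status"
    ln -sf 'mnt:[4026531840]' "$1/100/ns/mnt"
    ln -sf 'mnt:[4026532777]' "$1/200/ns/mnt"
}

tree=$(mktemp -d)
make_sample "$tree"
sandbox_markers 200 "$tree" 100   # constructed sandboxed process
sandbox_markers 100 "$tree" 100   # constructed host process
rm -rf "$tree"
```

On a live system, call it with the PID of a running flatpak application and no other arguments.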
[Added on 2023-04-23]
More explanations on how flatpak security works.
I will take an example: you use a browser, and you have set this browser to forbid the use of webcam.
Using browser only:
In normal use, the browser saves its disk cache and configuration in a hidden directory of the user's home (as an example, "~/.mozilla"); when a file is downloaded by user action, a window appears letting the user choose where to save the file; and the browser respects the webcam setting.
The browser, being launched by the user without superuser rights, has the same file access rights as the user; its write rights are limited to the user's home, "/tmp" (*) and any connected device (USB disk, key...) where the user can write.
Malicious script action is limited by the browser (with its own sandboxing system) and by the operating system: an application launched without superuser rights cannot write on the system "/".
But browsers are complex software, and they have bugs. These bugs are the result of human errors at the specification, code writing, code compiling and testing stages. They are found in the software itself, in the libraries/dependencies it uses, or in the tools used by developers. Some of these bugs induce security weaknesses that could be used by a malicious script: at each revision of a browser, there are several (in the range 1 to 50) security fixes, and a few times a year, a highly critical weakness is exploited before a fix is available (they are called "zero day exploits").
Exploiting such a critical weakness, a malicious script could find a way to circumvent browser settings (and to use webcam without your consent), or to put the system in an unstable state, gain superuser privileges, and find a way to write files on the system "/" and corrupt it.
[(*): in Linux there is only one directory for temporary files, for system and user; as a consequence, any user has a write access on this directory; this is different in Windows where system temp and user temp are different directories, with different access rights.]
Using browser flatpak:
Flatpak applications are not intrinsically more secure than non-flatpak ones: application software is the same, and libraries/dependencies are replaced by the ones in runtimes. But they run in a sandbox.
In normal use, the browser saves its disk cache and configuration in a hidden directory of the user's home (as an example, "~/.var/app/org.mozilla.firefox"); when a file is downloaded at the user's request, a window appears letting the user choose where to save the file: this is done through the "file chooser portal", an interface between the flatpak sandbox and the system, which has the same write privileges as a normal user (the file chooser portal CANNOT have superuser rights); if the use of devices has been prevented in the browser's flatpak permissions, the webcam cannot be used.
Suppose now a malicious script exploits a browser security weakness: webcam block cannot be circumvented, since it is controlled by flatpak sandbox permissions, and not by the browser only.
No file can be written on the system "/":
- It is not possible through file chooser portal, with user interaction, since this portal cannot write on the system "/".
- It is not possible in an unattended way, without user interaction, since this way is controlled by flatpak filesystem permissions, and since the most permissive possible one is the same as file chooser portal: no file can be written on the system "/".
--> System corruption by a malicious script is not possible
Moreover, since the operating system is isolated from the browser by flatpak sandbox, it cannot be put in an unstable state.
--> Privilege escalation is blocked by both the flatpak sandbox and the operating system and is considered not possible.
Another example of use of filesystem permission:
I have an AppImage application with its help in the AppImage; when I want to read the help, the html help files are copied to "/tmp", then the browser is launched; since I have associated html files with my flatpak browser, it is launched automatically; however, without the corresponding filesystem permission, the browser cannot open the help files: I had to add a "/tmp:ro" filesystem permission (allowing read-only access to files in the "/tmp" directory) to have the browser open the help files.
More details on sandbox, filesystem and portals permissions:
- Sandbox permissions can be adjusted:
- Filesystem permissions can be adjusted (they apply to unattended files read/write):
Sandbox permissions and filesystem permissions are normally set by flatpak applications publishers in the application manifest. They can be easily adjusted by the user with Flatseal.
[NB: Users should take care to read the Flatseal documentation or the Flatpak reference and understand what each setting does before changing these settings.]
- Portals permissions cannot be adjusted: file chooser portal has the same read/write permissions as the user, and printer portal can use the same printers as the user.
[NB: this point is still discussed on flatpak GitHub, some users would prefer to have the capability to adjust (reduce) portals permissions; it is not a security concern, since portals permissions cannot exceed user ones and since portals use is under user control, it is simply a facility request.]
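The filesystem and device permissions discussed above can also be reviewed and tightened from the command line. The following is an added example, not part of the original tutorial or of the flatpak project: the function names and sample keyfiles are constructed, and the parser assumes the keyfile layout printed by `flatpak info --show-permissions`.

```shell
#!/bin/sh
# Added example: flag broad grants in a flatpak permission keyfile, i.e. the
# text printed by `flatpak info --show-permissions APPID`.

# audit_perms: keyfile on stdin, one finding per line on stdout.
audit_perms() {
    awk -F= '
        /^\[/ { section = $0; next }
        section != "[Context]" { next }
        {
            n = split($2, vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]
                base = v
                sub(/:.*/, "", base)    # drop a :ro / :rw / :create suffix
                # host* and home allow unattended access far beyond one folder
                if ($1 == "filesystems" && base ~ /^(host|host-os|host-etc|home)$/)
                    print "filesystems=" v, (v ~ /:ro$/ ? "read-only" : "read-write")
                # devices=all covers every device node, webcam included
                if ($1 == "devices" && v == "all")
                    print "devices=all"
            }
        }'
}

# restrict_app APPID: command-line equivalent of the Flatseal change described
# in the text (needs flatpak; not called here). Add --device=dri back if the
# application needs GPU rendering.
restrict_app() {
    flatpak override --user --nofilesystem=host --nofilesystem=home \
        --filesystem=xdg-download --nodevice=all "$1"
    flatpak override --user --show "$1"
}

# audit_installed: run the check over every installed application (needs flatpak).
audit_installed() {
    flatpak list --app --columns=application | while read -r app; do
        flatpak info --show-permissions "$app" | audit_perms | sed "s|^|$app: |"
    done
}

# Constructed samples: a loosely and a tightly confined application.
sample_loose() {
    printf '%s\n' '[Context]' 'shared=network;ipc;' 'devices=all;' \
        'filesystems=host;xdg-download;'
}
sample_tight() {
    printf '%s\n' '[Context]' 'shared=network;ipc;' 'devices=dri;' \
        'filesystems=xdg-download;/tmp:ro;!home;' '' \
        '[Session Bus Policy]' 'org.freedesktop.Notifications=talk'
}

sample_loose | audit_perms    # demo on the constructed input
```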
Of course, the flatpak framework itself, which provides the sandbox, can have bugs and security weaknesses. That's why it should be kept up to date, like any security software. The simplest way to do so is to use the flatpak stable PPA.
___________________________
Feel free to comment on this tutorial and help me improve it.
Regards,
MN
PS: you can refer to the following tutorials on this forum, to see real examples
- Thunderbird 91 as a flatpak: viewtopic.php?f=42&t=358185
- AnonFirefox, a TorBrowser equivalent, as a flatpak: viewtopic.php?f=42&t=358889
- Chromium as a flatpak: viewtopic.php?f=42&t=358979