flatpak is incompatible with /home noexec by default. Quote flatpak developer: Runtime installed in the home directory is always used. · Issue #4067 · flatpak/flatpak · GitHub
If you have your home directory mounted noexec, then you can’t install any Flatpak apps or runtimes into your home directory (well, you can, but they won’t work).
(But workaround may be possible.)
As a future development direction…
Do we want executable files in /home folder? Probably not.
Do we want:
- A) More rootless features:
  - Less secure, better usability, higher development effort:
  - account `user` capable of rootless installation / uninstallation of software? This would be similar to Android / iOS. Comes with non-root enforcement by default but app installation is possible using the app stores. Or;
- B) Keep user / sysmaint isolation:
  - More secure, worse usability, lower development effort:
  - prohibit account `user` from installing/removing applications. Limit to software installed in sysmaint session only.
Probably B).
Because of the lower development effort, and compatible with the future plan:
And compatible with Integration with Security Initiatives:
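The practical check behind this thread is whether the directory Flatpak uses for per-user installs (`~/.local/share/flatpak` by default) sits on a mount carrying `noexec`; if it does, a `flatpak --user` install succeeds but the runtime cannot be executed, while system-wide installs under `/var/lib/flatpak` are unaffected. The following POSIX shell script is an added example, not code from the original post or from the flatpak project. It resolves a path to its longest matching mount point over a `/proc/mounts`-style table and reports the exec status; the mount table embedded here is constructed sample data, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a directory sits on a
# mount carrying the noexec option, by longest-prefix match over a /proc/mounts-style
# table. On a real system pass "$(cat /proc/mounts)" as the table argument.

# Constructed sample mount table in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /home/shared ext4 rw,relatime 0 0'

# mount_options_for PATH TABLE
# Prints the option string of the mount whose mount point is the longest
# prefix (by directory component) of PATH. Note: /proc/mounts escapes spaces
# in mount points as \040; the sample table contains none.
mount_options_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NF < 4 { next }
        {
            m = $2
            # "/" covers every path; otherwise the mount point must equal the
            # path or be one of its parent directories.
            if (m == "/" || m == p || index(p, m "/") == 1) {
                if (length(m) > length(best)) { best = m; opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH TABLE  ->  exit 0 if the covering mount has noexec, else 1
is_noexec() {
    opts=$(mount_options_for "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# flatpak_user_install_status HOME TABLE
# Prints "noexec" when per-user Flatpak installs under HOME would be installed
# but unable to run, "ok" otherwise. (flatpak honours XDG_DATA_HOME; the
# default location $HOME/.local/share/flatpak is assumed here.)
flatpak_user_install_status() {
    dir="$1/.local/share/flatpak"
    if is_noexec "$dir" "$2"; then
        echo "noexec"
    else
        echo "ok"
    fi
}

# Stand-alone demonstration against the constructed table.
for home in /home/user /home/shared; do
    printf '%s: per-user flatpak install -> %s (mount options: %s)\n' \
        "$home" "$(flatpak_user_install_status "$home" "$SAMPLE_MOUNTS")" \
        "$(mount_options_for "$home" "$SAMPLE_MOUNTS")"
done
```

The longest-prefix match matters: `/home/shared` in the sample table is a separate mount without `noexec`, so a Flatpak install under it would run even though its parent `/home` is `noexec`. Running the same functions with `"$(cat /proc/mounts)"` instead of `$SAMPLE_MOUNTS` answers the question for the live system.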