diff --git a/fst/config.go b/fst/config.go
index 27e13f0..ea7d45a 100644
--- a/fst/config.go
+++ b/fst/config.go
@@ -81,6 +81,7 @@ type SandboxConfig struct {
 }
 
 type ExtraPermConfig struct {
+	Ensure bool `json:"ensure,omitempty"`
 	Path string `json:"path"`
 	Read bool `json:"r,omitempty"`
 	Write bool `json:"w,omitempty"`
@@ -88,8 +89,12 @@ type ExtraPermConfig struct {
 }
 
 func (e *ExtraPermConfig) String() string {
-	buf := make([]byte, 0, 4+len(e.Path))
-	buf = append(buf, '-', '-', '-', ':')
+	buf := make([]byte, 0, 5+len(e.Path))
+	buf = append(buf, '-', '-', '-')
+	if e.Ensure {
+		buf = append(buf, '+')
+	}
+	buf = append(buf, ':')
 	buf = append(buf, []byte(e.Path)...)
 	if e.Read {
 		buf[0] = 'r'
diff --git a/internal/app/seal.go b/internal/app/seal.go
index 82b7983..2766377 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -63,8 +63,9 @@ type appSeal struct {
 }
 
 type sealedExtraPerm struct {
-	name string
-	perms acl.Perms
+	name string
+	perms acl.Perms
+	ensure bool
 }
 
 // Seal seals the app launch context
@@ -169,6 +170,7 @@ func (a *app) Seal(config *fst.Config) error {
 			if p.Execute {
 				seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
 			}
+			seal.extraPerms[i].ensure = p.Ensure
 		}
 
 		// map sandbox config to bwrap
diff --git a/internal/app/share.go b/internal/app/share.go
index 0a18e31..3ee1794 100644
--- a/internal/app/share.go
+++ b/internal/app/share.go
@@ -297,6 +297,9 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 			if p == nil {
 				continue
 			}
+			if p.ensure {
+				seal.sys.Ensure(p.name, 0700)
+			}
 			seal.sys.UpdatePermType(system.User, p.name, p.perms...)
 		}
 
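Review bot: The new exported field `Ensure` in `ExtraPermConfig` carries no doc comment, so a reader of the config type cannot tell that setting `"ensure"` in JSON does more than the sibling flags, which only adjust ACL entries; from the share.go hunk it additionally causes a `seal.sys.Ensure(p.name, 0700)` call on the path. I would add above the field `// Ensure creates Path (mode 0700) before the r/w/x ACL entries below are granted on it.` What `Ensure` does when Path already exists is not visible in this diff, so that sentence should be checked against the `system.Ensure` implementation before it is written down as fact. The `ExtraPermConfig` struct continues past the end of the hunk.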
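Review bot: `String` now emits a fourth, optional `'+'` between the permission flags and `':'`, which changes the output shape from a fixed 4-byte prefix to a variable one, and nothing documents the format for whoever parses or greps it. A doc comment would pin it: `// String renders the entry as three r/w/x flags ('-' when unset), a trailing '+' when Ensure is set, then ':' and Path.` The new capacity `5+len(e.Path)` is the correct maximum (three flags, optional '+', ':'), so the change itself looks right. The method body runs past the end of the hunk.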
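Review bot: `seal.sys.Ensure(p.name, 0700)` creates a filesystem path named directly by the config entry before the ACL is applied, and the hunk neither explains the hard-coded mode nor says what is expected when the path already exists with another owner or mode, or is a symlink; whether `Ensure` checks any of that is not visible here and should be confirmed, since a pre-existing path would then receive the `system.User` ACL from the next line regardless. I would comment the call: `// create the target first so the ACL update below has something to apply to; 0700 keeps it private to the launching user until that ACL widens access`. Like `UpdatePermType` on the following line, the `Ensure` return value is discarded, which suggests `seal.sys` records operations for later execution rather than performing them here; it is worth confirming that a failed create aborts before the ACL step runs. `setupShares` starts before the hunk and continues after it.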