Electron app not working in dev/strict

Hello,

This is my first rodeo building a snap application so please bear with me.

I have built an app using electron and electron-builder. We started packaging with AppImage but given we had some issues with icons we decided to explore Snap as well.

I am a bit lost as to how to debug the app. The application works as expected when using classic confinement but fails to work in strict or devmode. I tried to debug using snappy debug but it shows only one entry related to DBUS. The same call shows as allowed in devmode so I am assuming it is not the issue?

My questions are these.

  • Should I work on moving to strict confinement or is classic used widely and ok (assuming I am fine with manual verification on publish)?
  • How do I actually debug which interfaces I need to have, given that snappy-debug does not seem to show anything specific?

The failure in the app seems to be around networking. I have a network interface allowed and auto connected. DNS lookup actually works but following requests to the local discovered machines do not go through in strict or dev.

Any guidance appreciated

Well, you should show the error… and showing your current snapcraft.yaml might be helpful too… generally you should not need dbus for electron apps unless they actually use it from the app code…

Getting classic confinement granted for such an app is very unlikely, so you should move forward in strict mode and try to fix the issues.

With electron I’d recommend also comparing the javascript console output between working/non-working…

Hey @ogra.

Thanks for your answer.

The issue is there are no errors to speak of. I will play with the code today since I assume we are catching an error with the network requests, but even if I get an error in JS (it will likely be along the lines of hostname not found) it is difficult for me to understand how to align these with the interfaces that need to be granted and connected.

The errors I can see in snappy-debug are

    INFO: Following '/var/log/syslog'. If have dropped messages, use:
    INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
    = AppArmor =
    Time: Apr 13 10:36:05
    Log: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=4554 label="snap.XXXXX.XXXXX"
    DBus access

    = AppArmor =
    Time: Apr 13 10:36:05
    Log: apparmor="ALLOWED" operation="unlink" profile="snap.XXXXX.XXXXX" name="/dev/char/195:255" pid=4647 comm="XXXXX" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
    File: /dev/char/195:255 (write)

    = AppArmor =
    Time: Apr 13 10:36:05
    Log: apparmor="ALLOWED" operation="unlink" profile="snap.XXXXX.XXXXX" name="/dev/char/195:254" pid=4647 comm="XXXXX" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
    File: /dev/char/195:254 (write)

    = AppArmor =
    Time: Apr 13 10:36:05
    Log: apparmor="ALLOWED" operation="unlink" profile="snap.XXXXX.XXXXX" name="/dev/char/195:0" pid=4647 comm="XXXXX" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
    File: /dev/char/195:0 (write)

    = AppArmor =
    Time: Apr 13 10:36:05
    Log: apparmor="ALLOWED" operation="unlink" profile="snap.XXXXX.XXXXX" name="/dev/char/195:254" pid=4647 comm="XXXXX" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
    File: /dev/char/195:254 (write)

    AppArmor =
    Time: Apr 13 10:33:58
    Log: apparmor="ALLOWED" operation="file_lock" profile="snap.XXXXX.XXXXX" name="/home/fluke/.cache/fontconfig/4c599c202bc5c08e2d34565a40eac3b2-le64.cache-7" pid=4140 comm="XXXXX" requested_mask="wk" denied_mask="wk" fsuid=1000 ouid=1000
    File: /home/fluke/.cache/fontconfig/4c599c202bc5c08e2d34565a40eac3b2-le64.cache-7 (write)
    Suggestions:
    * adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
    * add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

Interestingly enough. Only the DBUS I saw yesterday. The char and personal info is new when running today. But it seems it is allowed in devmode so I assume it does have access?

I do not have the snapcraft.yaml that I created but I managed to dig out something out of electron-builder which I use.

    base: core18
    grade: stable
    confinement: strict
    plugs:
      gnome-3-28-1804:
        interface: content
        target: $SNAP/gnome-platform
        default-provider: gnome-3-28-1804
      gtk-3-themes:
        interface: content
        target: $SNAP/data-dir/themes
        default-provider: gtk-common-themes
      icon-themes:
        interface: content
        target: $SNAP/data-dir/icons
        default-provider: gtk-common-themes
      sound-themes:
        interface: content
        target: $SNAP/data-dir/sounds
        default-provider: gtk-common-themes
    name: XXXXXX
    version: 0.3.6
    title: XXXXX
    summary: XXXXX
    description: Description comes here
    architectures:
      - amd64
    apps:
      XXXXXX:
        command: command.sh
        plugs:
          - desktop
          - desktop-legacy
          - home
          - x11
          - wayland
          - unity7
          - browser-support
          - network
          - gsettings
          - audio-playback
          - pulseaudio
          - opengl
        environment:
          DISABLE_WAYLAND: '1'
          PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
          SNAP_DESKTOP_RUNTIME: $SNAP/gnome-platform
          LD_LIBRARY_PATH: $SNAP_LIBRARY_PATH:$SNAP/lib:$SNAP/usr/lib:$SNAP/lib/x86_64-linux-gnu:$SNAP/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH:$SNAP/lib:$SNAP/usr/lib:$SNAP/lib/x86_64-linux-gnu:$SNAP/usr/lib/x86_64-linux-gnu

Could you provide more information on

Getting classic confinement granted for such an app is very unlikely

The first apparmor denial should go away when you add and connect the bluez interface… the last one is very odd, since the desktop interface should grant you access to the user’s fontconfig dir, are the permissions potentially wrong in that dir/file?

The other ones seem to be attempts to delete char devices, could you guess why it tries to do that? Seems weird…

See:

Your app would have to fit into one of the supported categories to get classic granted, other applications will not be considered for classic…

Thanks again for your help.

The app has two parts. One is the JS part and I am not aware of it trying to touch any of these resources. The other part uses a Web Assembly package. Although we use it mainly for processing of data I am not perfectly aware of what it does on the lowest level so I might investigate if something odd is happening (Emscripten doing some things by default).

But this does not answer the fundamental question. And maybe I am misunderstanding the role of devmode. The app armor shows all these to be allowed in devmode. So if they are allowed under dev mode these should not be the cause of the app not working, correct?

What should be my recommended process to get it working if it is not running even in devmode?

My wild guess would be that some dependency is not included in the snap that the app tries to use/access… this is why I hoped you’d find any javascript errors…

Snaps have various other debugging options built in, you could try to strace it for example…

Unfortunately this is not a big area of my expertise :-/. Thanks a lot for your guidance though.

As next step I will try to tease out the errors so maybe there will be additional information.
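
Added example, not part of any post in this thread: a small Python triage of AppArmor lines in the format snappy-debug printed above. Under devmode, policy violations are logged with apparmor="ALLOWED" and permitted, so the script lists them as the accesses strict confinement would refuse; the DENIED line and the path /etc/example.conf are constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample: the first three lines follow the format of the snappy-debug
# output quoted in the thread; the DENIED line is made up for contrast.
SAMPLE = """\
Log: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=4554 label="snap.XXXXX.XXXXX"
Log: apparmor="ALLOWED" operation="unlink" profile="snap.XXXXX.XXXXX" name="/dev/char/195:254" pid=4647 comm="XXXXX" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Log: apparmor="ALLOWED" operation="unlink" profile="snap.XXXXX.XXXXX" name="/dev/char/195:254" pid=4647 comm="XXXXX" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.XXXXX.XXXXX" name="/etc/example.conf" pid=4647 comm="XXXXX" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def target(f):
    """Human-readable object of the access: a D-Bus call or a file path."""
    if f.get("operation", "").startswith("dbus"):
        return f'dbus {f.get("bus")}:{f.get("name")} {f.get("interface")}.{f.get("member")}'
    return f'file {f.get("name")} ({f.get("requested_mask")})'

def summarize(text):
    """Count unique (verdict, operation, target) events, collapsing repeats."""
    events = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f:
            events[(f["apparmor"], f["operation"], target(f))] += 1
    return events

def strict_blockers(events):
    """ALLOWED = logged under devmode (complain mode) but not blocked;
    these are the accesses strict confinement would refuse."""
    return sorted(t for (verdict, _, t) in events if verdict == "ALLOWED")

if __name__ == "__main__":
    ev = summarize(SAMPLE)
    for (verdict, op, tgt), n in sorted(ev.items()):
        print(f"{verdict:8} x{n}  {op:18} {tgt}")
    print("would be denied in strict:", strict_blockers(ev))
```

An access logged as ALLOWED was not blocked by AppArmor, so it does not by itself explain a failure that also happens in devmode.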