Fonts fail to load when `desktop` plug added

Hi all

I’m trying to get the mattermost-desktop snap working on Fedora and with Chinese fonts. This requires me to add the desktop interface. If I do that, however, fonts fail to load on strict confinement.

Is mmap on a font not allowed by the desktop plug? Anything I can do to fix this? Mattermost is an open-source Electron chat app like Slack.

These are the logs I get when I run it in devmode (then everything works).

```
$ /snap/bin/snappy-debug.security scanlog
= AppArmor =
Time: Jan  4 21:00:52
Log: apparmor="ALLOWED" operation="file_mmap" profile="snap.mattermost-desktop.mattermost-desktop" name="/usr/share/fonts/truetype/dejavu/DejaVuSansMono.ttf" pid=18785 comm="mattermost-desk" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
File: /usr/share/fonts/truetype/dejavu/DejaVuSansMono.ttf (mmap)

= AppArmor =
Time: Jan  4 21:00:52
Log: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/gnome/GConf/Database/0" interface="org.gnome.GConf.Database" member="AddNotify" mask="send" name="org.gnome.GConf" pid=18785 label="snap.mattermost-desktop.mattermost-desktop" peer_pid=26707 peer_label="unconfined"
DBus access

= AppArmor =
Time: Jan  4 21:00:52
Log: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/gnome/GConf/Database/0" interface="org.gnome.GConf.Database" member="AllEntries" mask="send" name="org.gnome.GConf" pid=18785 label="snap.mattermost-desktop.mattermost-desktop" peer_pid=26707 peer_label="unconfined"
DBus access

= AppArmor =
Time: Jan  4 21:00:52
Log: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/gnome/GConf/Database/0" interface="org.gnome.GConf.Database" member="LookupExtended" mask="send" name="org.gnome.GConf" pid=18785 label="snap.mattermost-desktop.mattermost-desktop" peer_pid=26707 peer_label="unconfined"
DBus access

= AppArmor =
Time: Jan  4 21:00:52
Log: apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=18785 label="snap.mattermost-desktop.mattermost-desktop" peer_pid=1464 peer_label="unconfined"
DBus access

= AppArmor =
Time: Jan  4 21:00:53
Log: apparmor="ALLOWED" operation="file_mmap" profile="snap.mattermost-desktop.mattermost-desktop" name="/home/merlijn/.config/dconf/user" pid=18785 comm="mattermost-desk" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
File: /home/merlijn/.config/dconf/user (mmap)

= AppArmor =
Time: Jan  4 21:00:53
Log: apparmor="ALLOWED" operation="file_mmap" profile="snap.mattermost-desktop.mattermost-desktop" name="/usr/share/fonts/truetype/ubuntu-font-family/Ubuntu-R.ttf" pid=18785 comm="mattermost-desk" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
File: /usr/share/fonts/truetype/ubuntu-font-family/Ubuntu-R.ttf (mmap)
```

```yaml
name: mattermost-desktop
version: 3.7.1
summary: Open source, private cloud Slack-alternative
description: |
  Mattermost is secure workplace messaging from behind your firewall.

  - Discuss topics in private groups, one-to-one or team-wide
  - Easily share and view image files
  - Connect in-house systems with webhooks and Slack-compatible integrations

  To use this app, you need a URL for a Mattermost server.

  -------

  Host your own server: https://about.mattermost.com/download

  Terms of Service: http://about.mattermost.com/terms/

  Contribute to the project: https://github.com/mattermost/desktop
grade: stable
confinement: strict
# Point the following path to the original icons directory if/when this gets merged
# with the mattermost desktop repo.
icon: mattermost-desktop.png
parts:
  mattermost-desktop:
    plugin: dump
    source: https://releases.mattermost.com/desktop/3.7.1/mattermost-desktop-3.7.1-linux-amd64.deb
    source-type: deb
    # Correct path to icon.
    prepare: |
      sed -i 's|Icon=mattermost-desktop|Icon=\${SNAP}/meta/gui/icon.png|' usr/share/applications/mattermost-desktop.desktop
    after:
      - desktop-gtk2
    stage-packages:
      - libasound2
      - libgconf2-4
      - libnotify4
      - libnspr4
      - libnss3
      - libpulse0
      - libxss1
      - libxtst6

apps:
  mattermost-desktop:
    command: bin/desktop-launch $SNAP/opt/Mattermost/mattermost-desktop
    desktop: usr/share/applications/mattermost-desktop.desktop
    # Correct the TMPDIR path for Chromium Framework/Electron to ensure
    # libappindicator has readable resources.
    environment:
      TMPDIR: $XDG_RUNTIME_DIR
    plugs:
      - bluez
      - browser-support
      - gsettings
      - home
      - mount-observe
      - network
      - network-bind
      - opengl
      - pulseaudio
      - unity7
      - wayland
      - x11
      - desktop
```

Repo: https://github.com/snapcrafters/mattermost-desktop

You can ignore the gconf accesses. The mmap denial is almost certainly due to Electron having an executable stack:

Note that *Path for desktop launch "does not exist": Building from .deb* has a snapcraft.yaml that clears the execstack during the build.

Awesome, thanks @jdstrand! I removed the stackexec flag, and now everything works correctly.

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 1383669..8e1b6bc 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -28,8 +28,11 @@ parts:
     source: https://releases.mattermost.com/desktop/3.7.1/mattermost-desktop-3.7.1-linux-amd64.deb
     source-type: deb
     # Correct path to icon.
+    build-packages:
+      - execstack
     prepare: |
       sed -i 's|Icon=mattermost-desktop|Icon=\${SNAP}/meta/gui/icon.png|' usr/share/applications/mattermost-desktop.desktop
+      execstack --clear-execstack opt/Mattermost/mattermost-desktop
     after:
       - desktop-gtk2
     stage-packages:
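Review bot: the added `execstack --clear-execstack opt/Mattermost/mattermost-desktop` line in `prepare` has no comment saying why the flag is cleared, so a later packager could drop it as unneeded; add a one-line comment above it tying it to the font mmap denial under strict confinement. The new `build-packages:` key also lands between `# Correct path to icon.` and the `prepare:` sed line that comment describes, so move `build-packages:` above the comment. Only this one binary is cleared, so it is worth confirming with `execstack --query` that no other ELF file in the part carries the flag.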