[Bug]: Linux desktop client (5.6.0) does not work with Firefox -- AppArmor avoid executions of mattermost-desktop.

[grisuthedragon]

Checks before filing an issue

• This issue doesn't reproduce on web browsers (such as in Chrome). If it does, issue reports go to the Mattermost Server repository.
• I have checked the issue tracker and have not found an issue that matches the one I'm filing.
• This issue is not a troubleshooting question. Troubleshooting questions go here: https://forum.mattermost.com/c/trouble-shoot/16.
• This issue is not a feature request. You can request features and make product suggestions here: https://mattermost.com/suggestions/.
• This issue reproduces on the most recent stable version, or the most recent prerelease version of the Mattermost Desktop App.
• I have read the contribution guidelines.

Mattermost Desktop Version

5.6.0

Operating System

Ubuntu Linux 22.04 LTS x64

Mattermost Server Version

9.4.1

Steps to reproduce

• Install Firefox from the ppa (and not the snap) (https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04)
• Install Mattermost-Desktop via the deb package from the release page
• Update the mime-types using xdg-mime default mattermost-desktop.desktop x-scheme-handler/mattermost
• SSO with Gitlab in Mattermost

Expected behavior

I can log in directly in Mattermost via the as it could be done with the client (< 5.6.0) and the server (< 9.0.0) or get the painful way through the browser working and being logged in afterwards.

Observed behavior

Two cases appear:

1. If firefox is already open, and I click on the SSO button in the app, a message from firefox appears, that it is already running and nothing more mattermost related happens.

So after closing firefox, I ran into the second scenario:

2. The mattermost desktop app opens the login page in firefox and after the login it asks to open the mattermost link in an external application. This results in an error on the command line :

sh: 1: exec: /opt/Mattermost/mattermost-desktop: Permission denied

and an error message in the syslog

[38538.088223] audit: type=1400 audit(1705436897.549:1086): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/opt/Mattermost/mattermost-desktop" pid=381924 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

which indicates that apparmor blocks the execution of mattermost-desktop from firefox for security reasons.

After disabling apparmor, at least the second scenario works.

Log Output

Error was shown in syslog as described in the observed behavior.

Additional Information

I would like to have the possibility to switch back to the old behavior, without going through the browser. We also have system wide installations via network shares, where we are not able to register the mime type on the systems and how to do this is out of scope for many of our users. So log in directly from the app is a must.

[devinbinnie]

@grisuthedragon Unfortunately this isn't something we can likely support going forward, as there are many security concerns that have been alleviated from moving away from external authentication in the app, and we plan to remove the functionality entirely for all server versions in the near future.

We do provide a script that should set up the mime type for most users under scripts/create_desktop_file.sh, which I would advise users to run if they're having trouble with the deep linking. Unfortunately if there is an application blocking deep linking altogether from the browser, then I'm afraid we can't support it otherwise.

Apologies for the inconvenience.

[grisuthedragon]

It's a default firefox installation, nothing special hardened (in this case I could understand that there will be no support), so I would expect, that at least when installing it from the deb package it works. The security issue is something I do not really see, since after authenticating in the browser, that session token is passed as an argument via the process table, where it could be easily accessed by foreigners, thus keeping it in the application seems to be safer in my point of view.

As a first step, although I would not be fully happy with it, would be to ensure that the packages provided here, work with security techniques installed by default in Linux Desktops, like apparmor. At least place some easily visible information in the documentation.

[devinbinnie]

Thanks for the feedback. This is something we can look into in the near future to better accommodate the Linux desktop experience.