Security¶

This document aims to explain a number of aspects of security in the context of the Ubuntu Frame snap ecosystem (Frame itself, ubuntu-frame-osk and ubuntu-frame-vnc).

Threat model¶

We ran threat modeling for Mir itself (the display server library underpinning Frame) based on this snap stack, and maintain that documented there: Mir Security documentation.

Security event logging¶

The following events will be logged to standard error in the OWASP JSON format:

sys_startup on startup:

{"datetime": "YYYY-MM-DDThh:mm:ssZ", "appid": "frame", "event": "sys_startup", "level": "WARN", "description": "Mir is starting up" }

sys_shutdown on shutdown:

{"datetime": "YYYY-MM-DDThh:mm:ssZ", "appid": "frame", "event": "sys_shutdown", "level": "WARN", "description": "Mir is shutting down" }

sys_crash on a fatal signal received:

{"datetime": "YYYY-MM-DDThh:mm:ssZ", "appid": "frame", "event": "sys_crash", "level": "WARN", "description": "Fatal signal received" }

This functionality comes from Mir’s Security event logging.

Cryptography¶

There is no cryptography used in Frame itself or the On-Screen Keyboard snap. No direct dependency on en/decryption, hashing or digital signatures.

The VNC snap is built on top of wayvnc, which has cryptographic features (password authentication, transport encryption) and that is handled through gnutls as packaged and maintained in Ubuntu. See remote access documentation for more information.

Hardening¶

Snap connections¶

Review the snap connections between snaps on the system and disconnect those not essential to your deployment:

$ snap connections
Interface            Plug                           Slot                  Notes
# ... some examples
content[gpu-2404]    ubuntu-frame:gpu-2404          mesa-2404:gpu-2404    -
hardware-observe     ubuntu-frame:hardware-observe  :hardware-observe     -
opengl               ubuntu-frame:opengl            :opengl               -
wayland              -                              ubuntu-frame:wayland  -

Refer to Interfaces and Frame snap interfaces documentation for more information.

Wayland extensions¶

Avoid adding extensions to the ones allowed by add-wayland-extensions, as some of them may allow clients reading the screen contents or input events.

Refer to Frame configuration reference and the wayland-protocols repository for more information.

VNC authentication¶

If using the VNC snap, It is recommended that you enable password authentication to avoid unauthorized access to the VNC socket on localhost:5900.

Refer to ubuntu-frame-vnc configuration reference for more information.