This document aims to explain a number of aspects of security in the context of the Ubuntu Frame snap ecosystem (Frame itself, ubuntu-frame-osk and ubuntu-frame-vnc).
Contents:
Threat model
We ran threat modelling for Mir itself (the display server library underpinning Frame) based on this snap stack, and maintain that documented there:
https://canonical-mir.readthedocs-hosted.com/stable/explanation/security/
Cryptography
There is no cryptography used in Frame itself or the On-Screen Keyboard snap. No direct dependency on en/decryption, hashing or digital signatures.
The VNC snap is built on top of wayvnc, which has cryptographic features (password authentication, transport encryption) and that is handled through gnutls as packaged and maintained in Ubuntu. See remote access documentation for more information.
Hardening
Virtual Terminals
To prevent users from switching between virtual terminals, you can disable it in Ubuntu Frame’s configuration:
This feature is only available with version *-mir2.22
onward
$ snap set ubuntu-frame config=vt-switching=false
console-conf
Avoid console-conf
in your model to avoid presenting a “configure” screen in Ubuntu Core.
getty
To disable login prompts, you can mask the getty@.service
. It’s easiest to achieve through cmdline.extra
in the gadget snap:
# cmdline.extra
systemd.mask=getty@.service
Snap connections
Review the snap connections between snaps on the system and disconnect those not essential to your deployment:
$ snap connections
Interface Plug Slot Notes
# ... some examples
content[gpu-2404] ubuntu-frame:gpu-2404 mesa-2404:gpu-2404 -
hardware-observe ubuntu-frame:hardware-observe :hardware-observe -
opengl ubuntu-frame:opengl :opengl -
wayland - ubuntu-frame:wayland -
Refer to Snap interface and Frame snap interfaces documentation for more information.
Wayland extensions
Avoid adding extensions to the ones allowed by add-wayland-extensions
, as some of them may allow clients reading the screen contents or input events.
Refer to Frame configuration reference and the wayland-protocols repository for more information.
VNC authentication
If using the VNC snap, It is recommended that you enable password authentication to avoid unauthorized access to the VNC socket on localhost:5900
.
Refer to ubuntu-frame-vnc configuration reference for more information.