This document aims to explain a number of aspects of security in the context of the Ubuntu Frame snap ecosystem (Frame itself, ubuntu-frame-osk and ubuntu-frame-vnc).
Contents:
Threat model
We ran threat modelling for Mir itself (the display server library underpinning Frame) based on this snap stack, and maintain that documented there:
https://canonical-mir.readthedocs-hosted.com/stable/explanation/security/
Cryptography
There is no cryptography used in Frame itself or the On-Screen Keyboard snap. No direct dependency on en/decryption, hashing or digital signatures.
The VNC snap is built on top of wayvnc, which has cryptographic features (password authentication, transport encryption) and that is handled through gnutls as packaged and maintained in Ubuntu. See remote access documentation for more information.
Hardening
Snap connections
Review the snap connections between snaps on the system and disconnect those not essential to your deployment:
$ snap connections
Interface Plug Slot Notes
# ... some examples
content[gpu-2404] ubuntu-frame:gpu-2404 mesa-2404:gpu-2404 -
hardware-observe ubuntu-frame:hardware-observe :hardware-observe -
opengl ubuntu-frame:opengl :opengl -
wayland - ubuntu-frame:wayland -
Refer to Snap interface and Frame snap interfaces documentation for more information.
Wayland extensions
Avoid adding extensions to the ones allowed by add-wayland-extensions, as some of them may allow clients reading the screen contents or input events.
Refer to Frame configuration reference and the wayland-protocols repository for more information.
VNC authentication
If using the VNC snap, It is recommended that you enable password authentication to avoid unauthorized access to the VNC socket on localhost:5900.
Refer to ubuntu-frame-vnc configuration reference for more information.