Security¶
This document aims to explore in depth the security considerations around Mir based compositors.
Threat Model¶
Mir is a C++ library for building compositors, not a product itself. As such, when discussing the threat model for Mir, it is useful to discuss it in terms of an actual product that is built on Mir. With this in mind, we will define the threat model of Ubuntu Frame in this document.
Ubuntu Frame Threat Model Diagram¶
Ubuntu Frame is published as a snap. As such, the threat model for frame assumes that the snap is secure, and proceeds to outline the frame snap’s interactions with the outside world.
%%{ init: { 'flowchart': { 'curve': 'monotoneY' } } }%%
flowchart
shell((Mir-based Shell))
vnc_server(VNC Server)
vnc_client(VNC Client)
osk(On-screen Keyboard)
snapd(Snapd)
operator_app(Operator App)
user(User)
display(Display)
app(App)
subgraph snap [Snap]
vnc_server--input-->shell
shell--screen content-->vnc_server
osk--content/input-->shell
shell--input-->osk
end
shell--contents/configuration--->display
snapd--configuration-->shell
display--visuals-->user
operator_app--help message-->shell
user--input events-->shell
display--properties-->shell
vnc_server<--vnc-->vnc_client
app--window contents-->shell
shell--input/window management-->app
classDef boundary fill:none,stroke-dasharray: 5 5
snap:::boundary
Cryptography¶
There is no cryptography used in Mir, no direct dependency on en/decryption, hashing or digital signatures.