docs/linux: updated reporting security bugs guide #5461
base: master
Conversation
This can also be sent for confirmation to [email protected], with [email protected] in CC, before the PR merge.
### Process | ||
![reporting kernel bugs](./reporting_kernel_bugs.png) |
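Review bot: The `### Process` section in this hunk consists solely of the embedded PNG, so anyone reading the raw Markdown or unable to view images gets no description of the reporting flow, and future changes to the process cannot be reviewed in a diff because PNG changes are opaque. A short numbered list of the steps the diagram shows, placed under the image, would keep the process readable in text and reviewable in future PRs.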
I love the graph, thanks a lot for making it!
A couple of nits:
- can you please add an instruction for generating it to the commit message?
- there are two arrows going from the reporter to [email protected] and oss-security, but it is not clear from the picture at which point the letter to oss-security should be sent. If the blue numbers 1-4 on the picture correspond to steps 1-4 below, maybe the second arrow should be marked with the number 2?
Thanks for the comments! I've updated the .md with syntax/grammar corrections, updated .drawio scheme and .png graph with the addressed comments. PTAL
33cf9d3 to 2e5cad9 (Compare)
Thanks for updating the docs!
2e5cad9 to 13a8d7b (Compare)
PTAL. I'd like to have confirmation that the updated instructions and diagram are accurate from @xairy and [email protected], with [email protected] in CC, before the PR merge. I can send the email referring to this PR after @ramosian-glider and @a-nogikh review (thanks again for the comments!).
<mxCell id="oGheDNism3NP_6yb4b1f-34" value="Bug is confirmed.<div>Fix is accepted.</div>" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" vertex="1" parent="1"> | ||
<mxGeometry x="370" y="140" width="120" height="60" as="geometry" /> | ||
</mxCell> | ||
<mxCell id="oGheDNism3NP_6yb4b1f-42" value="<div><span style="font-size: 10px;">embargo period is up to 7 calendar days, with extension of 14 days.</span></div>" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1"> |
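Review bot: The `…-42` cell hardcodes `font-size: 10px` inside its `value` HTML while the neighbouring `…-34` cell (`Bug is confirmed.<div>Fix is accepted.</div>`) carries no inline style, so the two boxes render at different sizes and any later size change has to be repeated in every cell's inline markup. Pick one size for all the text boxes, or drop the `<span style=…>` wrapper and rely on draw.io's default, so the cells stay consistent.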
s/embargo/Embargo (please capitalize the phrases in the white blocks)
It is also unclear who is requesting the extension, and what is the maximum possible embargo period (is it 14 or 7+14 days?)
I've clarified with the following:
Embargo period is up to 7 calendar days, with a maximum additional 7 calendar days extension (14 days in total), which should be requested by the reporter in coordination with [email protected] and linux-distros.
<mxCell id="oGheDNism3NP_6yb4b1f-93" value="<div><span style="font-size: 10px;">once the fix is merged to the stable tree, do NOT include [email protected] in discussion</span></div>" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1"> | ||
<mxGeometry x="550" y="586.25" width="130" height="70" as="geometry" /> | ||
</mxCell> | ||
<mxCell id="oGheDNism3NP_6yb4b1f-95" value="<div><span style="font-size: 10px;">CVEs are assigned</span></div><div><span style="font-size: 10px;">after-the-fact of the fix is merged by CVE assignment team (see linux-cve-announce list). If the applicable CVE is missed, or reporter needs CVE assigned before an issue is resolved with a commit, notify [email protected]</span></div>" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1"> |
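Review bot: In the `…-95` cell the sentence is split across two `<div>` elements (`CVEs are assigned` in the first, `after-the-fact of the fix is merged…` in the second), which forces a line break in the middle of the sentence and makes the text look like it changes style after `CVEs are assigned`; put the whole sentence in one div. `after-the-fact of the fix is merged by CVE assignment team` is also ungrammatical; `after the fix is merged` reads cleanly. The `…-93` cell has the same inline `font-size: 10px` span as the other right-hand boxes, so whatever size is chosen should be applied to all of them together.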
Why does the font change before "after-the-fact"?
Also, we can make it shorter:
CVEs are typically assigned after the fix is merged (see linux-cve-announce list). If a CVE is missing or needed before the fix reaches upstream, contact [email protected].
Fixed the font size to 12 px for all the rightmost comment boxes. Changed the description to the proposed shorter version.
0848902 to 8f37ba2 (Compare)
@ramosian-glider, @a-nogikh I've resolved all reviews, thanks! PTAL. I will send this current version to Greg for confirmation that the graph is logically correct. Will update this message with the posted lore link. UPDT1: Posted here in lore. UPDT2: Updated the diagram with the most recent version. UPDT3: Received Greg's comments and recommendation not to contact linux-distros. Please let me know how to proceed further as I'm confused.
Updated the documentation with:
* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html, and the recent Greg K-H video from the recent conference, https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed the minor/major security bug classifications as now a CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn enabled and reboots the system.

Since there are 4 different parties with their own interests:
- [email protected] wants to release the fix ASAP, but it can be postponed if the reporter asks for an embargo period to let linux-distros update their kernels.
- [email protected] is included in the mailing list once the fix is developed but NOT yet merged into the stable tree. Once the fix lands in the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interest.
- [email protected] is notified once the fix is publicly merged into the stable tree.
- [email protected] is notified if a CVE should be assigned to the fix which is publicly merged into the stable tree.

reporting_kernel_bugs.png generation
====================================
- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make the necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram" as we've already included the draw.io scheme as a separate file
- Press "Ctrl-Shift-S" or "Cmd-Shift-S" on macOS to save the ".drawio" format (draw.io scheme)

Fixes: google#4714
8f37ba2 to 35b45ef (Compare)
I should've started with the conversation with Greg first, as it seems linux-distros shouldn't be contacted at all since it's not recommended by the Linux security team. Please check the lore thread in UPDT1. So I think we should just remove all security guidelines so as not to confuse syzkaller users and just point them to the kernel docs. Hence, the "nicely" drawn diagram is perhaps not needed here(?); perhaps we can leave [email protected] as the only reporting party. I'll wait for any comments related to this and send the adjusted guideline version here. UPDT:
Updated the documentation with:
* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html, and the recent Greg K-H video from the recent conference, https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed the minor/major security bug classifications as now a CVE is assigned to the issue even if it triggers WARN_ON with panic_on_warn enabled and reboots the system.

Since there are 4 different parties with their own interests:
- [email protected] wants to release the fix ASAP, but it can be postponed if the reporter asks for an embargo period to let linux-distros update their kernels.
- [email protected] is included in the mailing list once the fix is developed but NOT yet merged into the stable tree. Once the fix lands in the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interest.
- [email protected] is notified once the fix is publicly merged into the stable tree.
- [email protected] is notified if a CVE should be assigned to the fix which is publicly merged into the stable tree.

reporting_kernel_bugs.png generation
====================================
- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make the necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram" as we've already included the draw.io scheme as a separate file
- Press "Ctrl-Shift-S" or "Cmd-Shift-S" on macOS to save the ".drawio" format (draw.io scheme)
Fixes: #4714
CC: @xairy, @dvyukov, @ramosian-glider, @a-nogikh, @tarasmadan