Hardened Gentoo Roadmap

1.  Where the Hardened Gentoo Project Is Today

Past Hardened Gentoo work has focused on developing the hardened toolchain into the more mature, consistent approach that it currently takes. It is implemented as a patchset for gcc with rules that control object code creation and linking scenarios. Since the spotlight of development is no longer on the design aspect of the toolchain, the goals of the Hardened Gentoo Project must shift accordingly.

Similarly, the access control systems offered by the Hardened Gentoo Project have continued to mature, and both Grsecurity2 and the latest version of SELinux are now offered. Recent work by Guillaume Destuynder (kang) has also introduced RSBAC as another access control system available to Hardened Gentoo users.

2.  Short-Term Goals

Hardened Toolchain

Now is the time to take a step back and examine the work that has been done so far. A review of the current approach that the hardened toolchain takes is needed. There may be ways to strengthen the current implementation, or areas of code that can be cleaned up so that changes can be pushed upstream more easily.

As a lingering effect of the previous hardened toolchain, many ebuilds currently filter hardened CFLAGS such as -fPIC and -fstack-protector. Work can now be devoted to reviewing those packages and seeking alternate solutions for the filters. Also, the hardened code in flag-o-matic.eclass should be reviewed and possibly rewritten.
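When reviewing a package that filters -fPIC, -fPIE or -fstack-protector, the first question is whether the installed binary actually ended up with those protections. The script below is an added example, not part of the Hardened Gentoo Project or its tooling (the pax-utils scanelf tool covers this in practice): it reads the ELF header and program headers directly to tell a fixed-address executable (ET_EXEC) from a PIE (ET_DYN with a PT_INTERP entry) or a plain shared object, and scans the image for the stack-protector failure handler names that -fstack-protector causes the compiler to reference. The `build_sample_elf` helper constructs a minimal synthetic ELF so the check runs offline; `inspect_elf` and the symbol list are this example's own names.

```python
"""Check an ELF image for the two traces a hardened toolchain leaves behind:
an ET_DYN executable (PIE) and references to the stack-protector handler."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_INTERP = 3               # program header that names the dynamic loader
# Names referenced by code built with -fstack-protector: the glibc handler and
# the older ProPolice handler used by pre-gcc-4.1 hardened toolchains.
SSP_SYMBOLS = (b"__stack_chk_fail", b"__stack_smash_handler")


def inspect_elf(data: bytes) -> dict:
    """Classify an ELF image and report whether it looks PIE / SSP built."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    # Walk the program headers: a PT_INTERP entry marks an executable, which is
    # how a PIE (ET_DYN) is told apart from an ordinary shared library.
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            has_interp = True

    if e_type == ET_EXEC:
        kind = "executable"        # fixed load address: not built with -pie
    elif e_type == ET_DYN and has_interp:
        kind = "pie-executable"    # relocatable executable: -fPIE/-pie took effect
    elif e_type == ET_DYN:
        kind = "shared-object"     # always ET_DYN, so PIE cannot be inferred here
    else:
        kind = "other"

    # Heuristic: a raw byte scan for the handler names. A full check would read
    # the dynamic symbol table, but this is enough to flag a filtered package.
    return {
        "bits": 64 if is64 else 32,
        "kind": kind,
        "pie": kind == "pie-executable",
        "stack_protector": any(sym in data for sym in SSP_SYMBOLS),
    }


def build_sample_elf(e_type: int, with_interp: bool, with_ssp: bool) -> bytes:
    """Constructed sample input: a minimal 64-bit little-endian ELF image with
    one program header, used so the check can be exercised without a real binary."""
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, SYSV ABI, padding
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff=64, e_shoff, e_flags,
    # e_ehsize=64, e_phentsize=56, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    header = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                                   64, 56, 1, 0, 0, 0)
    # One program header: PT_INTERP for an executable, PT_LOAD (1) otherwise
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if with_interp else 1, 4, 0, 0, 0, 0, 0, 1)
    image = header + phdr
    if with_ssp:
        image += b"\x00__stack_chk_fail\x00"   # stands in for a dynamic symbol name
    return image


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_elf(fh.read()))
```

Run it against the files a package installs (for example the contents of its image directory) and anything reported as "executable" or without a stack-protector handler is a candidate for the filter review described above; shared objects report "shared-object" because ET_DYN alone says nothing about whether -fPIE was used.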

Access Control Systems

Grsecurity

  • Documents regarding Grsecurity are currently a major need for Gentoo. The existing Grsecurity2 document needs to be converted to Handbook XML. Also, a document describing the RBAC system in more detail is needed.

SELinux

  • Strengthen and extend current policies.
  • Extend support to more architectures.
  • Policy module support.
  • Additional Daemon Policies.

RSBAC

  • Bring policy support tool to Gentoo packages.
  • Develop default Gentoo policies with policy support tool.
  • Enhance current documentation, and possibly add documentation about desktop RSBAC.

3.  Long-Term Goals

Documentation

The Hardened Gentoo Project currently lacks documentation in many areas. The hardened toolchain needs to be documented fully, and older documents that relate to the toolchain, such as the SSP, PIE, and PIC documents, need to be updated. Comparative documents should also be written to explain the choices Hardened Gentoo has made in deciding which security tools to support and which not to support.

Support More Architectures

A long-term goal of the Hardened Gentoo Project is to support all of the architectures that are officially supported by Gentoo. The only strong support that exists at the moment is for x86.

The hardened toolchain supports x86, amd64, and sparc64, and would like to extend support to ppc, ppc64, s390, and similar architectures. With access to different kinds of hardware, hardened support can slowly be extended to those architectures as well.

Expand the Hardened Team

There will always be unfinished tasks for the Hardened Team. Users who take a proactive approach to finding places for improvement and filling in the holes will be noticed and probably recruited. Current Hardened Team members will be responsible for training new developers to fill new roles. If you are interested in helping out, stop by the IRC channel and let someone know what you are interested in and what you will be doing about it. Input/peer review should always be welcome as it helps everyone out in the long run.

4.  Roadmap Tracking

Hardened Toolchain

Description     | Coordinator(s) | Status
x86 Support     | solar          | Complete
amd64 Support   | solar, r2d2    | In experimental
sparc32 Support | Unassigned     |
sparc64 Support |                | Stalled
ppc Support     |                | In testing
ppc64 Support   | solar, dostrow | seed stage built
s390 Support    | Unassigned     |
hppa Support    |                | Not supported
arm Support     | Unassigned     | (uclibc only)
mips Support    | Unassigned     | (uclibc only)

SELinux

Description                               | Coordinator(s)   | Status
Strengthen and extend the current policies | pebenito, kaiowas | In Progress
Extend support to more architectures       | pebenito          | In Progress
Policy module support                      | pebenito          | In Progress
Additional Daemon Policies                 | pebenito, kaiowas | In Progress

RSBAC

Description                                   | Coordinator(s) | Status
Bring policy support tool to Gentoo packages  | kang           | In Progress
Enhance RSBAC Documentation                   | Unassigned     |

Documentation

Description                                                       | Coordinator(s) | Status
Comparative analysis of security approaches taken by distributions | Dave Monnier   | In Progress
Rework Grsecurity Documentation                                    | Unassigned     |
Update/Rewrite Propolice Documentation                             | Adam Mondl     | In Progress
Document the Hardened Toolchain                                    | Unassigned     |

Updated November 9, 2005

Summary: A roadmap that plots current needs and goals of the Hardened Gentoo project.

Adam Mondl
Author

Rob Holland
Editor

Ned Ludd
Contributor

Chris PeBenito
Contributor

Joshua Brindle
Contributor

Guillaume Destuynder
Contributor

Alexander Gabert
Contributor

Brandon Hale
Contributor

Copyright 2001-2009 Gentoo Foundation, Inc.