Gentoo Logo

Hardened Gentoo Roadmap

Content:

1.  Where the Hardened Gentoo Project Is Today

Past Hardened Gentoo work has focused on developing the hardened toolchain into the more mature, consistent approach that it currently takes. It is implemented as a patchset for gcc with rules that control object code creation and linking scenarios. Since the spotlight of development is no longer on the design aspect of the toolchain, the goals of the Hardened Gentoo Project must shift accordingly.

Similarly, the access control systems offered by the Hardened Gentoo Project have continued to mature, and both Grsecurity2 and the latest version of SELinux are now offered. Recent work by Guillaume Destuynder (kang) has also introduced RSBAC as another access control system available to Hardened Gentoo users.

2.  Short-Term Goals

Hardened Toolchain

Now is the time to take a step back and examine the work that has been done so far. A review of the current approach that the hardened toolchain takes is needed. There may be ways to strengthen the current implementation or areas of code that can be cleaned up to allow changes to be pushed upstream easier.

As a lingering effect of the previous hardened toolchain, many ebuilds currently filter hardened CFLAGS such as -fPIC and -fstack-protector. Work can now be devoted to reviewing those packages and seeking alternate solutions for the filters. Also, the hardened code in flag-o-matic.eclass should be reviewed and possibly rewritten.

Access Control Systems

Grsecurity

  • Documents regarding Grsecurity are currently a major need for Gentoo. The existing Grsecurity2 document needs to be converted to Handbook XML. Also, a document describing the RBAC system in more detail is needed.

SELinux

  • Strengthen and extend current policies.
  • Extend support to more architectures.
  • Policy module support.
  • Additional Daemon Policies.

RSBAC

  • Bring policy support tool to Gentoo packages.
  • Develop default Gentoo policies with policy support tool.
  • Enhance current documentation, and possibly add documentation about desktop RSBAC.

3.  Long-Term Goals

Documentation

The Hardened Gentoo Project is currently very lacking in documentation. The hardened toolchain needs to be documented fully, and older documents that have a relationship to the toolchain need to be updated, such as the SSP, PIE, and PIC documents. Also, comparative documents should be written to explain the choices that Hardened Gentoo has made in deciding which security tools to support and which not to support.

Support More Architectures

A long-term goal of the Hardened Gentoo Project is to support all of the architectures that are officially supported by Gentoo. The only strong support that exists at the moment is for x86.

The hardened toolchain supports x86, amd64, and sparc64, and would like to extend support to ppc, ppc64, s390, and similar architectures. With access to different kinds of hardware, hardened support can slowly be extended to those architectures as well.

Expand the Hardened Team

There will always be unfinished tasks for the Hardened Team. Users who take a proactive approach to finding places for improvement and filling in the holes will be noticed and probably recruited. Current Hardened Team members will be responsible for training new developers to fill new roles. If you are interested in helping out, stop by the IRC channel and let someone know what you are interested in and what you will be doing about it. Input/peer review should always be welcome as it helps everyone out in the long run.

4.  Roadmap Tracking

Hardened Toolchain

Description Coordinator(s) Status
x86 Support solar Complete
amd64 Support solar,r2d2 In experimental
sparc32 Support Unassigned
sparc64 Support Stalled
ppc Support In testing
ppc64 Support solar,dostrow seed stage built
s390 Support Unassigned
hppa Support Not supported
arm Support Unassigned (uclibc only)
mips Support Unassigned (uclibc only)

SELinux

Description Coordinator(s) Status
Strengthen and extend the current policies pebenito/kaiowas In Progress
Extend support to more architectures pebenito In Progress
Policy module support pebenito In Progress
Additional Daemon Policies pebenito/kaiowas In Progress

RSBAC

Description Coordinator(s) Status
Bring policy support tool to Gentoo packages. kang In Progress
Enhance RSBAC Documentation Unassigned

Documentation

Description Coordinator(s) Status
Comparative analysis of security approaches taken by distributions. Dave Monnier In Progress
Rework Grsecurity Documentation Unassigned
Update/Rewrite Propolice Documentation Adam Mondl In Progress
Document the Hardened Toolchain Unassigned


Print

Updated November 9, 2005

Summary: A roadmap that plots current needs and goals of the Hardened Gentoo project.

Adam Mondl
Author

Rob Holland
Editor

Ned Ludd
Contributor

Chris PeBenito
Contributor

Joshua Brindle
Contributor

Guillaume Destuynder
Contributor

Alexander Gabert
Contributor

Brandon Hale
Contributor

Donate to support our development efforts.

Support OSL

Support OSL

Gentoo Centric Hosting: vr.org

VR Hosted

Tek Alchemy

Tek Alchemy

SevenL.net

SevenL.net

Global Netoptex Inc.

Global Netoptex Inc.
Copyright 2001-2008 Gentoo Foundation, Inc. Questions, Comments? Contact us.