1. Where the Hardened Gentoo Project Is Today
Past Hardened Gentoo work has focused on developing the hardened toolchain into the more mature, consistent approach that it currently takes. It is implemented as a patchset for gcc with rules that control object code creation and linking scenarios. Since the spotlight of development is no longer on the design aspect of the toolchain, the goals of the Hardened Gentoo Project must shift accordingly.
Similarly, the access control systems offered by the Hardened Gentoo Project have continued to mature, and both Grsecurity2 and the latest version of SELinux are now offered. Recent work by Guillaume Destuynder (kang) has also introduced RSBAC as another access control system available to Hardened Gentoo users.
Now is the time to take a step back and examine the work that has been done so far. A review of the current approach that the hardened toolchain takes is needed. There may be ways to strengthen the current implementation or areas of code that can be cleaned up to allow changes to be pushed upstream easier.
As a lingering effect of the previous hardened toolchain, many ebuilds currently filter hardened CFLAGS such as -fPIC and -fstack-protector. Work can now be devoted to reviewing those packages and seeking alternate solutions for the filters. Also, the hardened code in flag-o-matic.eclass should be reviewed and possibly rewritten.
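A small audit helper for the review described above, added here as an example and not part of the Hardened Gentoo project or flag-o-matic.eclass: it scans a tree of ebuilds for filter-flags calls that drop hardened flags. The three ebuilds it scans are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Audit helper added as an example (not Hardened Gentoo project code): find
# ebuilds whose filter-flags calls drop hardened toolchain flags.
# Constructed sample tree of three ebuilds standing in for a portage overlay.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/foo-1.0.ebuild" <<'EOF'
# constructed sample: drops two hardened flags
inherit flag-o-matic
src_compile() {
    filter-flags -fPIC -fstack-protector
}
EOF
cat > "$SAMPLE_DIR/bar-2.1.ebuild" <<'EOF'
inherit flag-o-matic
# filter-flags -fPIE   (commented out, must be ignored)
src_compile() {
    filter-flags -O3
}
EOF
cat > "$SAMPLE_DIR/baz-0.5.ebuild" <<'EOF'
inherit flag-o-matic
src_configure() {
    filter-flags -fPIE;
}
EOF

# Print "file:line: flag" for every hardened flag passed to filter-flags.
# Comment lines are skipped; a trailing ';' on a flag is stripped first.
# $1 is the directory tree to scan.
find_hardened_filters() {
    find "$1" -name '*.ebuild' | sort | while read -r f; do
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }
            /filter-flags/ {
                for (i = 1; i <= NF; i++) {
                    sub(/;$/, "", $i)
                    if ($i ~ /^-(pie|f(PIC|PIE|pie|stack-protector(-all)?))$/)
                        print file ":" NR ": " $i
                }
            }' "$f"
    done
}

find_hardened_filters "$SAMPLE_DIR"
```

Run it against a real tree with `find_hardened_filters /usr/portage/category` to get the list of packages that still need an alternative to the filter.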
Grsecurity
SELinux
RSBAC
The Hardened Gentoo Project currently lacks documentation in many areas. The hardened toolchain needs to be documented fully, and older documents that relate to the toolchain, such as the SSP, PIE, and PIC documents, need to be updated. Comparative documents should also be written to explain the choices Hardened Gentoo has made in deciding which security tools to support and which not to support.
A long-term goal of the Hardened Gentoo Project is to support all of the architectures that are officially supported by Gentoo. The only strong support that exists at the moment is for x86.
The hardened toolchain supports x86, amd64, and sparc64, and the team would like to extend support to ppc, ppc64, s390, and similar architectures. With access to different kinds of hardware, hardened support can slowly be extended to those architectures as well.
There will always be unfinished tasks for the Hardened Team. Users who take a proactive approach to finding places for improvement and filling in the holes will be noticed and probably recruited. Current Hardened Team members will be responsible for training new developers to fill new roles. If you are interested in helping out, stop by the IRC channel and let someone know what you are interested in and what you will be doing about it. Input/peer review should always be welcome as it helps everyone out in the long run.
| Description | Coordinator(s) | Status |
| --- | --- | --- |
| x86 Support | solar | Complete |
| amd64 Support | solar, r2d2 | In experimental |
| sparc32 Support | Unassigned | |
| sparc64 Support | | Stalled |
| ppc Support | | In testing |
| ppc64 Support | solar, dostrow | seed stage built |
| s390 Support | Unassigned | |
| hppa Support | | Not supported |
| arm Support | Unassigned (uclibc only) | |
| mips Support | Unassigned (uclibc only) | |

| Description | Coordinator(s) | Status |
| --- | --- | --- |
| Strengthen and extend the current policies | pebenito/kaiowas | In Progress |
| Extend support to more architectures | pebenito | In Progress |
| Policy module support | pebenito | In Progress |
| Additional Daemon Policies | pebenito/kaiowas | In Progress |

| Description | Coordinator(s) | Status |
| --- | --- | --- |
| Bring policy support tool to Gentoo packages | kang | In Progress |
| Enhance RSBAC Documentation | Unassigned | |

| Description | Coordinator(s) | Status |
| --- | --- | --- |
| Comparative analysis of security approaches taken by distributions | Dave Monnier | In Progress |
| Rework Grsecurity Documentation | Unassigned | |
| Update/Rewrite Propolice Documentation | Adam Mondl | In Progress |
| Document the Hardened Toolchain | Unassigned | |