authorKrzesimir Nowak <knowak@microsoft.com>2023-03-17 02:34:21 +0000
committerSam James <sam@gentoo.org>2023-03-17 02:35:53 +0000
commit0b7eace724b0035856311008c95cc7fe18b8231b (patch)
tree929194d32244104a546aa424244787c637b53e33 /sys-libs
parentdev-lang/ocaml: Stabilize 4.05.0-r9 amd64, #901711 (diff)
sys-libs/glibc: disable CET explicitly if USE=-cet
When bootstrapping, we may have a situation where CET-enabled gcc from seed is used to build CET-disabled glibc. As such, gcc implicitly enables CET if no -fcf-protection flag is passed. For a typical package it should not be a problem, but for glibc it matters as it is dealing with CET in ld.so. So if CET is supposed to be disabled for glibc, be explicit about it. [sam: cherry-picked from Flatcar at https://github.com/flatcar/coreos-overlay/commit/f4b92a6de9fcf506b30f1c6156b27c0e3d25438e] Bug: https://bugs.gentoo.org/830454 Closes: https://bugs.gentoo.org/901363 Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'sys-libs')
-rw-r--r--sys-libs/glibc/glibc-2.36-r7.ebuild13
-rw-r--r--sys-libs/glibc/glibc-2.37-r1.ebuild13
-rw-r--r--sys-libs/glibc/glibc-9999.ebuild13
3 files changed, 36 insertions, 3 deletions
diff --git a/sys-libs/glibc/glibc-2.36-r7.ebuild b/sys-libs/glibc/glibc-2.36-r7.ebuild
index 8bb3e20062b4..28002f738a95 100644
--- a/sys-libs/glibc/glibc-2.36-r7.ebuild
+++ b/sys-libs/glibc/glibc-2.36-r7.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
filter-flags '-fsanitize=*'
# See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
}
use_multiarch() {
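Review bot: The widened pattern `-fcf-protection=*` in `filter-flags` still does not match the bare `-fcf-protection` spelling, which GCC treats as `-fcf-protection=full`, so a user flag written that way survives the filter. With USE=-cet the build then ends up CET-disabled only because the appended `-fcf-protection=none` comes later on the command line, and with USE=cet the bare flag passes through even though the comment says this is handled via the USE flag. Filtering both spellings closes the gap: `filter-flags '-fcf-protection' '-fcf-protection=*'`. The same lines are added in the glibc-2.37-r1 and glibc-9999 hunks, so the change applies there too. Separately, `use amd64 || use x86` presumably tests the profile's arch; `setup_flags` starts outside the hunk, so if it also runs for cross targets, confirm that the host arch is the right condition there.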
diff --git a/sys-libs/glibc/glibc-2.37-r1.ebuild b/sys-libs/glibc/glibc-2.37-r1.ebuild
index 55b5a05c1ef8..4b041ecc1f7e 100644
--- a/sys-libs/glibc/glibc-2.37-r1.ebuild
+++ b/sys-libs/glibc/glibc-2.37-r1.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
filter-flags '-fsanitize=*'
# See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
}
use_multiarch() {
diff --git a/sys-libs/glibc/glibc-9999.ebuild b/sys-libs/glibc/glibc-9999.ebuild
index df348d783cb1..f5ec71d81a7b 100644
--- a/sys-libs/glibc/glibc-9999.ebuild
+++ b/sys-libs/glibc/glibc-9999.ebuild
@@ -472,7 +472,18 @@ setup_flags() {
filter-flags '-fsanitize=*'
# See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ filter-flags '-fcf-protection=*'
+
+ # When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ if (use amd64 || use x86) && ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
}
use_multiarch() {