From 90a59bdb6bfad816f1082ecdf2ac226ebdce09cc Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Thu, 2 Mar 2023 17:37:32 +0100
Subject: [PATCH] sys-devel/glibc: Fix CET handling
---
 .../sys-libs/glibc/glibc-2.36-r5.ebuild | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
index 0163db33ee..05c1d5837f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/glibc/glibc-2.36-r5.ebuild
@@ -466,7 +466,18 @@ setup_flags() {
 filter-flags '-fsanitize=*'
 # See end of bug #830454; we handle this via USE=cet
- filter-flags '-fcf-protection='
+ #
+ # Flatcar: When bootstrapping, we may have a situation where
+ # CET-enabled gcc from seed is used to build CET-disabled
+ # glibc. As such, gcc implicitly enables CET if no
+ # -fcf-protection flag is passed. For a typical package it
+ # should not be a problem, but for glibc it matters as it is
+ # dealing with CET in ld.so. So if CET is supposed to be
+ # disabled for glibc, be explicit about it.
+ filter-flags '-fcf-protection=*'
+ if ! use cet; then
+ append-flags '-fcf-protection=none'
+ fi
 }
 use_multiarch() {
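Review bot: The new glob `'-fcf-protection=*'` at the end of setup_flags still lets the bare `-fcf-protection` spelling through, which GCC treats as `=full`; consider `filter-flags '-fcf-protection' '-fcf-protection=*'` so that user CFLAGS cannot leave CET enabled on a USE=-cet glibc. As written, the `! use cet` branch only takes effect because `-fcf-protection=none` is appended after any surviving flag. Whether anything later rebuilds or reorders CFLAGS cannot be seen here, since setup_flags starts outside the hunk. Because `append-flags` does not probe the compiler, it is also worth confirming that every seed or cross toolchain reaching this path accepts the option, or writing it as `append-flags $(test-flags-CC -fcf-protection=none)`.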