--- portage.ORIG/profiles/hardened/package.mask 2006-10-07 01:06:18.000000000 +0200
+++ portage.ORIG/profiles/hardened/package.mask 2006-10-07 16:20:06.000000000 +0200
@@ -11,14 +11,14 @@
 # If you want to play with it, unmask in /etc/portage/package.unmask
 # but be prepared to rebuild anything you build with gcc-4, later.
 # 2006-01-11 kevquinn
-=sys-devel/gcc-4*
+# BETA PATCH TESTING # =sys-devel/gcc-4*
 # Mask off glibc-2.4 until the approach for SSP compatibilty is
 # resolved in a way that doesn't break running systems, and we
 # have a sensible upgrade path. Advise having a static busybox
 # around if you try it in a live system.
 # 2006-03-13 kevquinn
-=sys-libs/glibc-2.4*
+# BETA PATCH TESTING # =sys-libs/glibc-2.4*
 # These packages do more harm than good w/ hardened.
 # users must now the opensource xorg nv driver with nvidia cards.
--- portage.ORIG/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch 1970-01-01 01:00:00.000000000 +0100
+++ portage.ORIG/sys-devel/gcc/files/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch 2006-10-07 16:19:24.000000000 +0200
@@ -0,0 +1,53 @@
+ Add callouts to minispecs to simplify gcc hardening.
+ Hardening is achieved through "minispecs" which adjust
+ the additional specs CC1_SSP, CC1_PIE, LINK_COMMAND_PIE
+ (and rewriting STARTFILE_SPEC/ENDFILE_SPEC for PIE).
+ These minispecs are supplied directly rather than
+ patching gcc itself.
+ Kevin F. Quinn, 2006-10-02
+
+--- gcc/gcc.c.orig 2006-10-03 03:13:30.000000000 +0200
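Review bot: The two replacement lines `+# BETA PATCH TESTING # =sys-devel/gcc-4*` and `+# BETA PATCH TESTING # =sys-libs/glibc-2.4*` lift both masks on the hardened profile without the dated `# YYYY-MM-DD name` trailer that every other entry in this hunk carries, while the explanations kept above them still say gcc-4 forces rebuilds and glibc-2.4's SSP handling can break running systems. Anyone reading the profile now sees a standing warning followed by a silent unmask, and nothing records what is being tested or when the masks are meant to return. Add a line in the file's own convention next to each, e.g. `# 2006-10-07 <committer> - unmasked for beta patch testing of the hardened gcc/glibc patches; re-mask if it fails` (date from the header timestamp, name to be filled in). Since the glibc comment warns about live systems, it is worth stating explicitly that the static-busybox advice still applies while the mask is lifted.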
@@ -57,5 +57,8 @@
 # Fix cross-compiling
 epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-cross-compile.patch
+ # Add hardened minispec support
+ use hardened && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch
+
 [[ ${CTARGET} == *-softfloat-* ]] && epatch "${FILESDIR}"/4.0.2/gcc-4.0.2-softfloat.patch
 }
--- portage.ORIG/sys-libs/glibc/files/2.3.6/glibc-2.3.6-pt_chown-znow.patch 1970-01-01 01:00:00.000000000 +0100
+++ portage.ORIG/sys-libs/glibc/files/2.3.6/glibc-2.3.6-pt_chown-znow.patch 2006-10-07 16:17:59.000000000 +0200
@@ -0,0 +1,12 @@
+--- login/Makefile.orig 2006-02-10 11:40:05.000000000 +0100
@@ -0,0 +1,394 @@
+ Modifications to glibc-2.4 to allow it to build with stack-protection
+ enabled throughout, and to provide a logging stack_chk_fail handler.
+
+ debug/stack_chk_fail.c: provide stack_chk_fail handler that logs to
+ syslog, and uses syscalls directly inline.
+
+ debug/Makefile: build stack_chk_fail_local -fno-stack-protector
+ Leave stack_chk_fail alone, so checking __SSP__ will show whether
+ compiler is rigged to build SSP, and hence that we want the modified
+ handler (which will never trigger SSP because there are no function
+ calls).
+
+ csu/Makefile, linuxthreads/Makefile, nptl/Makefile: inihibit SSP on
+ crti/crtn (i.e. compilation of initfini)
+
+ elf/rtld-Rules: Add compilation rules for .oS targets (so that
+ stack_chk_fail_local will build for rtld).
+
+ elf/Makefile: Add libc_nonshared.a to rtld build set so that
+ stack_chk_fail_local can be found (and other modifications
+ so that static objects are considered).
+
+ Makerules: add stack_chk_fail_local.os to libc_pic.os (needed for
+ SSP builds on x86 so that it can resolve __stack_chk_fail_local).
+ Note this is a whole-archive link so adding libc_nonshared.a is
+ causes too much stuff to be included.
+
+ Kevin F. Quinn 2006-09-30
+
+--- debug/stack_chk_fail.c.orig 2006-09-29 17:04:58.000000000 +0200
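Review bot: The new `use hardened && epatch "${FILESDIR}"/4.1.0/gcc-4.1.0-hardened-minispec-callouts.patch` line is explained only by `# Add hardened minispec support`, yet the patch's own header earlier in this change says it adds callouts and that the CC1_SSP/CC1_PIE/LINK_COMMAND_PIE minispecs are supplied separately rather than by the patch; nothing in this hunk provides them, and how gcc behaves with callouts but no minispecs installed is not visible here. If the minispecs come from another package or from a part of this ebuild outside the hunk, say so in the comment, e.g. `# Add hardened minispec callouts (the minispec files themselves are supplied separately, not by this patch)`, so the next maintainer does not assume the patch alone hardens the compiler. The enclosing function ends at the `}` in the hunk but starts outside it.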
@@ -214,6 +214,14 @@
 epatch "${WORKDIR}"/patches
 fi
+ if use hardened ; then
+ einfo "Patching pt_chown to BIND_NOW"
+ epatch ${FILESDIR}/2.3.6/glibc-2.3.6-pt_chown-znow.patch
+
+ einfo "Patching SSP handler so that glibc builds with hardened compiler"
+ epatch ${FILESDIR}/2.4/glibc-2.4-linuxssp.patch
+ fi
+
 gnuconfig_update
 }
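Review bot: `${FILESDIR}` is unquoted in both new epatch lines, unlike the quoted `epatch "${WORKDIR}"/patches` context line just above them and the `"${FILESDIR}"` form used by the gcc ebuild hunk in this same change; quote it for consistency and to stay safe if the path ever contains whitespace: `epatch "${FILESDIR}"/2.3.6/glibc-2.3.6-pt_chown-znow.patch` and `epatch "${FILESDIR}"/2.4/glibc-2.4-linuxssp.patch`. The two patches are tagged for different glibc releases (2.3.6 and 2.4) but are applied together whenever USE=hardened is set, with nothing in the hunk tying either to ${PV}; if this ebuild serves a single version that is fine, otherwise a version guard or a comment stating that the 2.3.6 pt_chown patch is known to apply to this release would help the next maintainer. The BIND_NOW change on pt_chown is a hardening measure for a setuid helper, so a short comment noting that intent next to the einfo would also make the block self-explanatory. The enclosing function ends at the `}` in the hunk but starts outside it.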