Index: flag-o-matic.eclass =================================================================== RCS file: /var/cvsroot/gentoo-x86/eclass/flag-o-matic.eclass,v retrieving revision 1.106 diff -u -b -B -r1.106 flag-o-matic.eclass --- flag-o-matic.eclass 19 Feb 2006 23:18:30 -0000 1.106 +++ flag-o-matic.eclass 26 Mar 2006 23:58:28 -0000 @@ -61,6 +61,14 @@ #### bindnow-flags #### # Returns the flags to enable "now" binding in the current selected linker. # +#### get-soft-flags #### +# Write to stdout the gcc options to disable hardened tech +# Intended for use where the options need to be set to +# something other than C[XX]FLAGS. Use this rather than +# hard-coding the flags in ebuilds. +# Usage: +# MY_CC_OPTS=$(get-soft-flags [pie] [ssp] [ssp-to-all] [now] [relro]) +# ################ DEPRECATED functions ################ # The following are still present to avoid breaking existing # code more than necessary; however they are deprecated. Please @@ -101,7 +109,7 @@ export ALLOWED_FLAGS="${ALLOWED_FLAGS} -g -g0 -g1 -g2 -g3 -ggdb -ggdb0 -ggdb1 -ggdb2 -ggdb3" fi # allow a bunch of flags that negate features / control ABI - ALLOWED_FLAGS="${ALLOWED_FLAGS} -fno-stack-protector -fno-stack-protector-all" + ALLOWED_FLAGS="${ALLOWED_FLAGS} -nopie -nonow -norelro -fno-stack-protector -fno-stack-protector-all" ALLOWED_FLAGS="${ALLOWED_FLAGS} -mregparm -mno-app-regs -mapp-regs \ -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow \ -mips1 -mips2 -mips3 -mips4 -mips32 -mips64 -mips16 \ 
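Review bot: The new header block for get-soft-flags does not say when the function prints nothing, or what happens on a bad keyword. Going by the body added further down, the output is empty when the compiler specs do not enable the feature or when the negating flag is already present in the flags is-flagq inspects, and an unrecognised keyword calls `die`. I would add `# Prints nothing for a feature the specs do not enable or whose negating flag is already set; dies on an unknown keyword.` Since each keyword switches off a mitigation (PIE, SSP, BIND_NOW, RELRO), a second line such as `# Pass only the keywords the package actually fails with.` would help ebuild authors keep the rest of the hardening in place. Whether `die` inside the `$(...)` shown in the usage line stops the ebuild or only the subshell depends on how die is implemented, which is not visible here, so that is worth confirming before documenting it.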
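Review bot: The ALLOWED_FLAGS line now whitelists `-nopie -nonow -norelro`, but the comment above it still only says "negate features / control ABI", which hides that these three turn off hardened-toolchain defaults. Presumably the list is what strip-flags keeps, in which case the addition is needed for the flags appended by _filter-hardened to survive. It also means the same options arriving from a user's own CFLAGS now pass through untouched. A comment such as `# -nopie/-nonow/-norelro disable hardened spec defaults; allowed so flags appended by _filter-hardened are not stripped again` would record the intent. The enclosing function starts above this hunk and the assignment that follows continues past its end.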
@@ -118,6 +126,35 @@ return 0 } +# echo flags to disabled hardened tech +get-soft-flags() { + local f + for f in "$@" ; do + case "${f}" in + # Ideally we should only concern ourselves with PIE flags, + # not -fPIC or -fpic, but too many places filter -fPIC without + # thinking about -fPIE. + pie) + gcc-specs-pie || continue + is-flagq -nopie || echo -n -nopie;; + ssp) + gcc-specs-ssp || continue + is-flagq -fno-stack-protector || echo -n -fno-stack-protector;; + ssp-to-all) + gcc-specs-ssp-to-all || continue + is-flagq -fno-stack-protector-all || echo -n -fno-stack-protector-all;; + now) + gcc-specs-now || continue + is-flagq -nonow || echo -n -nonow;; + relro) + gcc-specs-relro || continue + is-flagq -norelro || echo -n -norelro;; + *) + die "get-soft-flags does not understand ${f}";; + esac + done +} + # inverted filters for hardened compiler. This is trying to unpick # the hardened compiler defaults. _filter-hardened() { @@ -128,14 +165,11 @@ # not -fPIC or -fpic, but too many places filter -fPIC without # thinking about -fPIE. -fPIC|-fpic|-fPIE|-fpie|-Wl,pie|-pie) - gcc-specs-pie || continue - is-flagq -nopie || append-flags -nopie;; + append-flags $(get-soft-flags pie);; -fstack-protector) - gcc-specs-ssp || continue - is-flagq -fno-stack-protector || append-flags -fno-stack-protector;; + append-flags $(get-soft-flags ssp);; -fstack-protector-all) - gcc-specs-ssp-to-all || continue - is-flagq -fno-stack-protector-all || append-flags -fno-stack-protector-all;; + append-flags $(get-soft-flags ssp-to-all);; esac done } @@ -385,7 +420,7 @@ # its really only present due to the append-flags() abomination. test-flags() { test-flags-CC "$@"; } -# Depriciated, use test-flags() +# Deprecated, use test-flags() test_flag() { ewarn "test_flag: deprecated, please use test-flags()!" >&2
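Review bot: Calling get-soft-flags with more than one keyword, as the documented usage `get-soft-flags [pie] [ssp] ...` invites, runs the emitted options together, because every arm prints with `echo -n` and no separator. For example, `get-soft-flags pie ssp` on a compiler with both specs active would produce `-nopie-fno-stack-protector`, a single unrecognised option, so the hardening is either not relaxed as intended or the build fails. Emit a trailing space in each arm, e.g. `is-flagq -nopie || echo -n "-nopie ";;` (likewise for ssp, ssp-to-all, now and relro), or collect the flags in a local variable and echo it once after the loop. The single-keyword calls in _filter-hardened are not affected. The comment copied into the `pie)` arm about -fPIC/-fpic describes the filter patterns in _filter-hardened rather than this keyword and could be dropped here.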
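Review bot: In _filter-hardened, append-flags now runs for every matching filter even when get-soft-flags prints nothing, whereas the removed lines skipped the call via `continue` or the `is-flagq ... ||` guard. append-flags is not shown in this diff; unless it returns early on an empty argument list, each such call would re-export CFLAGS/CXXFLAGS with nothing but extra whitespace added. Guarding the call keeps the old behaviour, e.g. `soft=$(get-soft-flags pie)` followed by `[[ -n ${soft} ]] && append-flags ${soft};;`, with `soft` declared `local` next to `f`. The loop header of _filter-hardened lies between the two hunks, so the declaration site is not visible here.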