src:libcap2 builds both executables and libraries, and hardening=+all adding -fPIE to CFLAGS interfered with the library build, so I patched upstream's Makefile [1] to filter out those flags where necessary.
Thanks for the example! That made it very clear how the options could be filtered. It turns out that the only flag that was not working in device code was -fstack-protector-strong, so I've begun enabling +all and adding this substitution rule:
CFLAGS := $(subst -fstack-protector-strong,-Xarch_host -fstack-protector-strong,$(CFLAGS))
CXXFLAGS := $(subst -fstack-protector-strong,-Xarch_host -fstack-protector-strong,$(CXXFLAGS))
Regards,

[1] https://sources.debian.org/src/libcap2/1%3A2.66-3/debian/patches/Filter-out-PIE-flags-when-building-shared-objects.patch/
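
A check for the flag strings that a substitution rule like the one in the thread produces, confirming that -fstack-protector-strong is still present and only reaches the host compile. This is an added example, not code from either message; the function names `classify_ssp` and `wrap_ssp` and the sample flag string are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.

# classify_ssp "<flags>" reports how -fstack-protector-strong is passed:
#   host-only : every occurrence directly follows -Xarch_host
#   unwrapped : at least one occurrence would also reach the device compile
#   missing   : the hardening flag was dropped from the flag set
classify_ssp() {
    prev=; seen=0; bare=0
    for word in $1; do
        if [ "$word" = "-fstack-protector-strong" ]; then
            seen=1
            [ "$prev" = "-Xarch_host" ] || bare=1
        fi
        prev=$word
    done
    if [ "$seen" -eq 0 ]; then
        echo missing
    elif [ "$bare" -eq 1 ]; then
        echo unwrapped
    else
        echo host-only
    fi
}

# wrap_ssp "<flags>" performs the same rewrite as the $(subst ...) rule, but
# word by word and skipping flags that are already wrapped, so running it
# twice does not stack a second -Xarch_host prefix.
wrap_ssp() {
    out=; prev=
    for word in $1; do
        if [ "$word" = "-fstack-protector-strong" ] && [ "$prev" != "-Xarch_host" ]; then
            out="$out -Xarch_host"
        fi
        out="$out $word"
        prev=$word
    done
    echo "${out# }"
}

# Constructed sample, modelled on CFLAGS from a hardening=+all build.
SAMPLE_CFLAGS="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security"

echo "before: $(classify_ssp "$SAMPLE_CFLAGS")"
echo "after:  $(classify_ssp "$(wrap_ssp "$SAMPLE_CFLAGS")")"
```

A result of `missing` on a real build log line means the flag was filtered out rather than redirected to the host compile.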