Partial backport (without the test) of:
 
commit 1c1243b6fc33c029488add276e56570a07803bfd
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Mar 7 20:52:04 2017 +0530
 
    Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (bug #21209)
    
    The LD_HWCAP_MASK environment variable may alter the selection of
    function variants for some architectures.  For AT_SECURE process it
    means that if an outdated routine has a bug that would otherwise not
    affect newer platforms by default, LD_HWCAP_MASK will allow that bug
    to be exploited.
    
    To be on the safe side, ignore and disable LD_HWCAP_MASK for setuid
    binaries.
    
            [BZ #21209]
            * elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for
            AT_SECURE processes.
            * sysdeps/generic/unsecvars.h: Add LD_HWCAP_MASK.
            * elf/tst-env-setuid.c (test_parent): Test LD_HWCAP_MASK.
            (test_child): Likewise.
            * elf/Makefile (tst-env-setuid-ENV): Add LD_HWCAP_MASK.
 
Index: b/elf/rtld.c
===================================================================
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2688,7 +2688,8 @@ process_envvars (enum mode *modep)
 
 	case 10:
 	  /* Mask for the important hardware capabilities.  */
-	  if (memcmp (envline, "HWCAP_MASK", 10) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "HWCAP_MASK", 10) == 0)
 	    GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL,
 						      0, 0);
 	  break;
Index: b/sysdeps/generic/unsecvars.h
===================================================================
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -9,6 +9,7 @@
   "LD_DEBUG\0"								      \
   "LD_DEBUG_OUTPUT\0"							      \
   "LD_DYNAMIC_WEAK\0"							      \
+  "LD_HWCAP_MASK\0"							      \
   "LD_LIBRARY_PATH\0"							      \
   "LD_ORIGIN_PATH\0"							      \
   "LD_PRELOAD\0"							      \