prevent user CFLAGS overrides from exposing executable stack

the option to suppress executable stack tagging was placed in CFLAGS,
which is treated as optional and overridable by the build system. if a
user replaces CFLAGS after configure has run, it could get lost,
resulting in a libc.so that's flagged as needing executable stack,
which would cause the kernel to map the initial stack as executable.

move -Wa,--noexecstack to CFLAGS_C99FSE, the make variable used for
mandatory compiler options.

configure

@@ -329,6 +329,13 @@ printf "yes\n"
 CFLAGS_C99FSE="$CFLAGS_C99FSE -D__may_alias__="
 fi
 
+#
+# The GNU toolchain defaults to assuming unmarked files need an
+# executable stack, potentially exposing vulnerabilities in programs
+# linked with such object files. Fix this.
+#
+tryflag CFLAGS_C99FSE -Wa,--noexecstack
+
 #
 # Check for options to disable stack protector, which needs to be
 # disabled for a few early-bootstrap translation units. If not found,
@@ -429,13 +436,6 @@ fi
 tryflag CFLAGS_AUTO -fno-unwind-tables
 tryflag CFLAGS_AUTO -fno-asynchronous-unwind-tables
 
-#
-# The GNU toolchain defaults to assuming unmarked files need an
-# executable stack, potentially exposing vulnerabilities in programs
-# linked with such object files. Fix this.
-#
-tryflag CFLAGS_AUTO -Wa,--noexecstack
-
 #
 # On x86, make sure we don't have incompatible instruction set
 # extensions enabled by default. This is bad for making static binaries.