Issue description
It would be good for the security of NixOS to compile user-space with -fstack-clash-protection. It should probably be added either as a new hardening flag or perhaps included as part of the stackprotector flag.
Motivation
CVE-2018-16864 and CVE-2018-16865 describe new vulnerabilities and exploits in systemd which -fstack-clash-protection can mitigate, according to the linked advisory:
"SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection"
However, since NixOS doesn't compile user-space with -fstack-clash-protection, it's likely to be vulnerable.
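Until a global hardening flag exists, the flag can be switched on per package from outside nixpkgs. The overlay below is an added example, not part of the issue or of nixpkgs: it appends -fstack-clash-protection to the compiler flags of one package through the cc-wrapper's NIX_CFLAGS_COMPILE variable, which every stdenv build honours. The choice of systemd (the package the linked advisory concerns) and the overlay's placement are assumptions. With the flag, GCC touches the stack once per page while reserving a large frame or variable-length array, so the stack pointer cannot jump over the guard page into an adjacent mapping, which is the primitive the stack-clash CVEs rely on.

```nix
# Added example, not from the issue or from nixpkgs: a nixpkgs overlay that
# compiles one package with -fstack-clash-protection by extending the
# cc-wrapper's NIX_CFLAGS_COMPILE. The package (systemd) is an assumption;
# apply the same override to other packages that process untrusted input.
self: super: {
  systemd = super.systemd.overrideAttrs (old: {
    # Append rather than replace, so flags the package already sets survive.
    # toString also handles the case where the attribute is a list of flags.
    NIX_CFLAGS_COMPILE = toString (old.NIX_CFLAGS_COMPILE or "")
      + " -fstack-clash-protection";
  });
}
```

Drop the file into the nixpkgs.overlays list of configuration.nix (or ~/.config/nixpkgs/overlays/ for a user environment) and the package is rebuilt from source with the extra flag. The flag is understood by GCC 8 and newer and by Clang 11 and newer; an older compiler in the stdenv rejects it and the build fails, which is the only feedback you get, since the protection leaves no marker in the resulting ELF file that could be inspected afterwards.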