Add `-fstack-clash-protection` hardening (and enable by default?)

## Issue description

It would be good for the security of NixOS to compile user-space with `-fstack-clash-protection`. It should probably be added either as a new hardening flag or perhaps included as part of the `stackprotector` flag.

## Motivation

[CVE-2018-16864](https://www.qualys.com/2019/01/09/system-down/system-down.txt) and [CVE-2018-16865](https://www.qualys.com/2019/01/09/system-down/system-down.txt) describe new vulnerabilities and exploits in systemd which `-fstack-clash-protection` can mitigate, according to the linked advisory:

> SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora
28 and 29 are not exploitable because their user space is compiled with
GCC's -fstack-clash-protection

However, since NixOS doesn't compile user-space with `-fstack-clash-protection`, it's likely to be vulnerable.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add `-fstack-clash-protection` hardening (and enable by default?) #53753

Issue description

Motivation

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Add -fstack-clash-protection hardening (and enable by default?) #53753

Description

Issue description

Motivation

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

Add `-fstack-clash-protection` hardening (and enable by default?) #53753