glibc: enable stackprotection hardening #18522
Enables previously manually disabled stackprotector and stackguard randomization. From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811:

> If glibc is built with the --enable-stackguard-randomization option, each application gets a random canary value (at runtime) from /dev/urandom. If --enable-stackguard-randomization is absent, applications get a static canary value of "0xff0a0000". This is very unfortunate, because the attacker may be able to bypass the stack protection mechanism, by placing those 4 bytes in the canary word, before the actual canary check is performed (for example in memcpy-based buffer overflows).
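As an added illustration of the quoted point (example code, not from this PR or from glibc), the check below classifies a canary value the way a hardening audit would: it recognises the static non-randomized default (0xff0a0000 on 32-bit; the same two top bytes on 64-bit) and glibc's convention of zeroing the lowest byte of a randomized canary. On x86-64 Linux/glibc it reads the live canary from the TCB at %fs:0x28 (a platform assumption); elsewhere it reports the value as unavailable.

```c
// Added example, not code from the PR or from glibc itself.
#include <stdint.h>
#include <stdio.h>

enum canary_kind { CANARY_STATIC_DEFAULT, CANARY_ZERO, CANARY_RANDOMIZED, CANARY_SUSPICIOUS };

/* The non-randomized glibc canary: top byte 0xff, next byte '\n' (0x0a),
   every other byte zero.  On 32-bit that is 0xff0a0000 (the value from the
   Debian report); on 64-bit the same two bytes sit at the top of 8 bytes. */
uintptr_t static_default_canary(void) {
    uintptr_t v = 0;
    v |= (uintptr_t)0xff << (8 * (sizeof(uintptr_t) - 1));
    v |= (uintptr_t)0x0a << (8 * (sizeof(uintptr_t) - 2));
    return v;
}

enum canary_kind classify_canary(uintptr_t canary) {
    if (canary == 0) return CANARY_ZERO;
    if (canary == static_default_canary()) return CANARY_STATIC_DEFAULT;
    /* glibc clears the low byte of a randomized canary so a string-copy
       overflow stops at the NUL; a set low byte means the value did not
       come from glibc's randomized setup, or has already been clobbered. */
    if ((canary & 0xff) != 0) return CANARY_SUSPICIOUS;
    return CANARY_RANDOMIZED;
}

/* Read the live canary from the TCB on x86-64 Linux/glibc (%fs:0x28).
   Assumption: that layout.  Returns 0 elsewhere so callers can tell the
   read was unavailable rather than guessing. */
uintptr_t read_live_canary(void) {
#if defined(__x86_64__) && defined(__linux__) && defined(__GLIBC__)
    uintptr_t v;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(v));
    return v;
#else
    return 0;
#endif
}

int main(void) {
    static const char *names[] = {"static default (bypassable)", "zero/unavailable",
                                  "randomized", "suspicious"};
    uintptr_t c = read_live_canary();
    printf("canary %#lx: %s\n", (unsigned long)c, names[classify_canary(c)]);
    return 0;
}
```

Running it twice on a glibc built with --enable-stackguard-randomization shows two different values, both classified as randomized; the static build prints the same value every time.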
In favor of squeezing it into 16.09, myself.
Sure, but let's create a staging-16.09 branch from 16.09 to always have binaries on (I also feel something else might come up in a week or so, then we can get these changes in together).
I was able to build lots of packages without any problem. In standard staging now; Hydra building already.
We have not seen any build failures on our hydra either, so should be safe. I've created a staging-16.09 branch. Can somebody please add a jobset to Hydra?
Maybe we could wait anyway for the regular staging to finish its rebuild (~10k queued ATM), but it seems very unlikely to cause a mass breakage.
@domenkozar Provided it doesn't break any builds, can we maybe get it into 16.09? We missed this in #12895 and we feel it's important. Unfortunately a full rebuild is required. 😞
cc @vcunat