cc-wrapper: include fortify-headers before libc includes for musl

[risicle]

Description of changes

Musl itself doesn't have support for FORTIFY_SOURCE. Distributions like alpine use the fortify-headers project (https://git.2f30.org/fortify-headers/file/README.html) to provide some basic fortify support using a header #include_next wrapper/passthru mechanism.

This PR does the same, firstly by packaging fortify-headers (in fact this extracts them from the alpine package because upstream only has a bare git repository and we don't want to depend on git in the bootstrap phases), then by applying them from the cc-wrapper on musl systems (or if includeFortifyHeaders is set manually).

This can be tested using the tests in #217390 (cherry-pick on top of this). I added tests.hardeningFlags.fortify1ExplicitEnabledExecTest to that specifically for testing this PR - the hardening-check method won't be able to detect fortify-headers' entirely-inlined approach and fortify-headers really only implements FORTIFY_SOURCE=1 mode. This passes for me for pkgsMusl and pkgsStatic on nixos x86_64.

(Side note: I don't think it would be particularly hard to add FORTIFY_SOURCE=2 or even FORTIFY_SOURCE=3 mode to fortify-headers, but it feels like the author is opposed to this. Yell if you'd be interested for me to try this...)

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[SuperSandro2000]

Shouldn't version number appear in the URL?

[risicle]

I'm the one calling this 1.1alpine1 - the r1 is not an official designation, just alpine's release of the package. And it does differ from upstream's package slightly, including a patch to fix ppoll on some systems https://git.alpinelinux.org/aports/commit/main/fortify-headers?id=4f60e618352e581f7f77a3842e29141da8992d5f. r3 in fact includes patches for clang support, but I'm not using that one yet because I can't find a stable url for it, only appearing in the edge release.

[risicle]

(simple rebase)

@trofi I'm not having a lot of luck switching it to -idirafter despite #245550

[risicle]

It appears to me that what #245550 has done is make both pkgsMusl and pkgsStatic (i.e. cross) act in the way that prevents -idirafter being usable here.

I guess at least it's consistent though.

[trofi]

Yeah, I did not make it any better :(

[risicle]

Have updated the comment. Would you approve of merging this as-is until someone decides to sort it out "properly"?