From dfd77a046de192d8dfa5f9534552c299c3da26ac Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sat, 5 Jan 2019 13:43:42 +0100
Subject: [PATCH] hardened-config: ensure STRICT_KERNEL_RWX

This is y in the default config, but enable it explicitly here to catch situations where it has been disabled (explicitly or implicitly).
---
 pkgs/os-specific/linux/kernel/hardened-config.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 6ae0108b3f0f..90856d593dd9 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -66,6 +66,9 @@ ${optionalString (versionAtLeast version "4.12") ''
 ''}
 
 DEBUG_WX y # boot-time warning on RWX mappings
+${optionalString (versionAtLeast version "4.11") ''
+ STRICT_KERNEL_RWX y
+''}
 
 # Stricter /dev/mem
 STRICT_DEVMEM? y
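Review bot: The added `STRICT_KERNEL_RWX y` line has no trailing comment and no `?` suffix, unlike the neighbouring `DEBUG_WX y # boot-time warning on RWX mappings` and `STRICT_DEVMEM? y`, so the file itself does not say that the hard requirement is deliberate. The intent is only in the commit message; a comment such as `STRICT_KERNEL_RWX y # kernel text/rodata read-only, data non-executable; must not be silently disabled` would record it where the next editor looks. The companion option `STRICT_MODULE_RWX` gives loadable modules the same protection and appeared in the same kernel release. If it is not already asserted elsewhere in the file (not visible in this hunk), adding `STRICT_MODULE_RWX y` inside the same `versionAtLeast version "4.11"` block would catch the equivalent regression for module memory.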