hardened-config: enable read-only LSM hooks

Implies that SELinux can no longer be disabled at runtime (only at boot time, via selinux=0). See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
NixOS · Aug 11, 2017 · 345e0e6 · 345e0e6
1 parent 723bd8b
commit 345e0e6
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -46,6 +46,14 @@ ${optionalString (versionOlder version "4.11") ''
   DEBUG_SET_MODULE_RONX y
 ''}
 
+# Mark LSM hooks read-only after init.  Conflicts with SECURITY_SELINUX_DISABLE
+# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
+# via the selinux=0 boot parameter.
+${optionalString (versionAtLeast version "4.12") ''
+  SECURITY_SELINUX_DISABLE n
+  SECURITY_WRITABLE_HOOKS n
+''}
+
 DEBUG_WX y # boot-time warning on RWX mappings
 
 # Stricter /dev/mem