authorJoachim Fasting <joachifm@fastmail.fm>2017-05-06 19:02:16 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2017-05-09 01:38:22 +0200
commita7ecdffc281f847e8addabee216a1b424998b130 (patch)
treec36a1ebe61ed2542b1a9c593ba31c0e8f15f782a
parent42c58cd2e8a7f414efebeadc9d182d4aa11d282e (diff)
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
-rw-r--r--pkgs/os-specific/linux/kernel/hardened-config.nix9
-rw-r--r--pkgs/top-level/all-packages.nix3
2 files changed, 5 insertions, 7 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index c54ee0e5aff1..78fb1e368be7 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -2,22 +2,19 @@
 # http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
 # https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
 #
-# The base kernel is assumed to be at least 4.9 or whatever the toplevel
-# linux_hardened package expression uses.
-#
 # Dangerous features that can be permanently (for the boot session) disabled at
 # boot via sysctl or kernel cmdline are left enabled here, for improved
 # flexibility.
 
-{ stdenv }:
+{ stdenv, version }:
 
 with stdenv.lib;
 
+assert (versionAtLeast version "4.9");
+
 ''
 GCC_PLUGINS y # Enable gcc plugin options
 
-DEBUG_KERNEL y
-DEBUG_RODATA y # Make kernel text & rodata read-only
 DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
 
 # Additional validation of commonly targetted structures
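Review bot: The new `assert (versionAtLeast version "4.9");` does not match what this hunk removes: DEBUG_RODATA is dropped because (per the commit message) 4.11 replaced it with the always-on STRICT_KERNEL_RWX/STRICT_MODULE_RWX, yet a 4.9 or 4.10 kernel still passes the assertion and would no longer have text/rodata write-protection requested explicitly by this file, relying on whatever the kernel's own defaults happen to be. Either raise the bound to `assert (versionAtLeast version "4.11");` or keep 4.9 and add a comment stating why a pre-4.11 kernel is acceptable without DEBUG_RODATA. DEBUG_KERNEL is also removed without explanation; several lib/Kconfig.debug options are gated on it, so it is worth confirming that nothing later in this file (which continues past the hunk) depended on it being set here. The version-assumption comment the hunk deletes could be reinstated next to the assert, e.g. `# version is supplied by the toplevel linux_hardened expression (4.11 as of this commit); options below assume that kernel's Kconfig.`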
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b2540cbe2060..e9741abcb5fa 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11995,9 +11995,10 @@ with pkgs;
   linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
 
   # Hardened linux
-  linux_hardened = linux_4_9.override {
+  linux_hardened = let linux = pkgs.linux_4_11; in linux.override {
     extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
       inherit stdenv;
+      inherit (linux) version;
     };
   };