From 4c99d22f19d329fe102d89c838134d75f1bf35a2 Mon Sep 17 00:00:00 2001
From: Alexander Kjeldaas <ak@formalprivacy.com>
Date: Sat, 1 Nov 2014 01:07:06 +0100
Subject: [PATCH] kernel: set nx bit on module ro segments

Fixes #4757.
---
 pkgs/os-specific/linux/kernel/common-config.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 485cdd76f6ac..3ce65a3f6e18 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -255,6 +255,9 @@ with stdenv.lib;
     SQUASHFS_LZ4 y
   ''}
 
+  # Runtime security tests
+  DEBUG_SET_MODULE_RONX? y # Detect writes to read-only module pages
+
   # Security related features.
   STRICT_DEVMEM y # Filter access to /dev/mem
   SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
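Review bot: The comment on the added `DEBUG_SET_MODULE_RONX? y` line mentions only the read-only half of the option, and the new heading `# Runtime security tests` makes it read like a diagnostic rather than a hardening setting. The option also marks module data non-executable, which is what the commit subject is about. I would move the line under the existing `# Security related features.` heading and reword the comment to `# Map module text/rodata read-only and module data non-executable`. The trailing `?` makes the option optional, so on a kernel version or architecture without this symbol the build would presumably succeed without the protection; a short comment saying so would help anyone auditing the resulting config. The enclosing config string starts and ends outside the hunk.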