diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 13db3873e62..6ae0108b3f0 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -28,9 +28,9 @@ ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") '' # Reduce attack surface by disabling various emulations IA32_EMULATION n X86_X32 n - ${optionalString (versionOlder version "4.17") '' - MODIFY_LDT_SYSCALL? n - ''} + # Note: this config depends on EXPERT y and so will not take effect, hence + # it is left "optional" for now. + MODIFY_LDT_SYSCALL? n VMAP_STACK y # Catch kernel stack overflows