hardened-config: enable read-only LSM hooks

Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d

pkgs/os-specific/linux/kernel/hardened-config.nix

@@ -46,6 +46,14 @@ ${optionalString (versionOlder version "4.11") ''
   DEBUG_SET_MODULE_RONX y
 ''}
 
+# Mark LSM hooks read-only after init.  Conflicts with SECURITY_SELINUX_DISABLE
+# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
+# via the selinux=0 boot parameter.
+${optionalString (versionAtLeast version "4.12") ''
+  SECURITY_SELINUX_DISABLE n
+  SECURITY_WRITABLE_HOOKS n
+''}
+
 DEBUG_WX y # boot-time warning on RWX mappings
 
 # Stricter /dev/mem