linux: enable STRICT_KERNEL_RWX & STRICT_MODULE_RWX

Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel
Self Protection Project][4].

As it is now in common-config, remove from hardened’s extra config.

[1]: 6392fb2bed/config (L914-917)
[2]: 5f6aa5cb48/debian/config/config (L11-12)
[3]: e8025dc0fb/f/kernel-x86_64-fedora.config (_7449)
[4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078

pkgs/os-specific/linux/kernel/common-config.nix

@@ -674,6 +674,8 @@ let
 
       HARDENED_USERCOPY                = yes;
       RANDOMIZE_BASE                   = option yes;
+      STRICT_KERNEL_RWX                = yes;
+      STRICT_MODULE_RWX                = yes;
       STRICT_DEVMEM                    = mkDefault yes; # Filter access to /dev/mem
       IO_STRICT_DEVMEM                 = mkDefault yes;
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default

pkgs/os-specific/linux/kernel/hardened/config.nix

@@ -31,8 +31,6 @@ assert (versionAtLeast version "4.9");
   SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
   SECURITY_WRITABLE_HOOKS  = option no;
 
-  STRICT_KERNEL_RWX = yes;
-
   # Perform additional validation of commonly targeted structures.
   DEBUG_CREDENTIALS     = whenOlder "6.6" yes;
   DEBUG_NOTIFIERS       = yes;