Enable STRICT_MODULE_RWX

With this option set, module text and rodata memory areas will be made
read-only. Moreover, non-text memory will be made non-executable. This
provides protection against certain security exploits. Currently, this
option is implicitly enabled in Kconfig for most configurations where it
is possible to enable it. This commit enables the option by default
explicitly for all supported targets (except marvell to keep it small).
Romain Perier 2019-02-11 17:28:09 +01:00
parent 693bbd783d
commit 6b175bc9fd
3 changed files with 3 additions and 0 deletions

debian/changelog

@ -642,6 +642,7 @@ linux (4.19.26-1) UNRELEASED; urgency=medium
* [rt] Update to 4.19.25-rt16
* [armel/rpi] Add flavour for Raspberry Pi and Raspberry Pi Zero
* [armel, armhf] Enable CRASH_DUMP
* Enable STRICT_MODULE_RWX
-- Ben Hutchings <ben@decadent.org.uk> Tue, 12 Feb 2019 12:49:10 +0000
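Review bot: The new changelog entry "Enable STRICT_MODULE_RWX" carries no scope, while the commit message says marvell is excluded and the neighbouring entries use bracketed prefixes such as "[armel, armhf]". Suggest recording the exception in the entry itself, for example "Enable STRICT_MODULE_RWX (except marvell)", so that readers of the changelog do not assume module memory protection is on for every flavour.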


@ -4,6 +4,7 @@
# CONFIG_KPROBES is not set
# CONFIG_STACKPROTECTOR_STRONG is not set
# CONFIG_STRICT_KERNEL_RWX is not set
# CONFIG_STRICT_MODULE_RWX is not set
##
## file: arch/arm/Kconfig
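Review bot: The added "# CONFIG_STRICT_MODULE_RWX is not set" line has no explanation beside it, and it joins STRICT_KERNEL_RWX and STACKPROTECTOR_STRONG in a run of hardening options that this config turns off. The reason appears only in the commit message ("to keep it small"); a one-line comment above these lines stating the size constraint would keep the trade-off visible to whoever next reviews this config.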


@ -9,6 +9,7 @@ CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_VMAP_STACK=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
##
## file: block/Kconfig
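Review bot: The new "CONFIG_STRICT_MODULE_RWX=y" line sits next to "CONFIG_STRICT_KERNEL_RWX=y" in what appears to be a shared config, yet the commit message limits the change to supported targets and the patch carries only one override. Please confirm, for each architecture that inherits this file, that the generated config ends up with the option set or has an explicit "is not set" override like the one in the previous hunk, and say in the commit message how that was checked.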