diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index a6a835c1fe9f..13db3873e628 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -52,15 +52,17 @@ ${optionalString (versionOlder version "4.11") ''
   DEBUG_SET_MODULE_RONX y
 ''}
 
-# Mark LSM hooks read-only after init.  Conflicts with SECURITY_SELINUX_DISABLE
-# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
-# via the selinux=0 boot parameter.
+# Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
+# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+# implicitly marks LSM hooks read-only after init.
+#
+# SELinux can only be disabled at boot via selinux=0
+#
+# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+# config builder fails to detect that it has indeed been unset.
 ${optionalString (versionAtLeast version "4.12") ''
   SECURITY_SELINUX_DISABLE n
-''}
-
-${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) ''
-  SECURITY_WRITABLE_HOOKS n
+  SECURITY_WRITABLE_HOOKS? n
 ''}
 
 DEBUG_WX y # boot-time warning on RWX mappings