diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 6838dbd111bb..3726b6c78185 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -59,7 +59,8 @@ in
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
- boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
+ boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
+ ++ optional cfg.disableEfiRuntimeServices "noefi";
nixpkgs.config.grsecurity = true;
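Review bot: The new `boot.kernelParams` entry `grsec_sysfs_restrict=0` unconditionally switches off the sysfs restriction that the grsecurity-nixos-config.nix hunk enables at build time with `GRKERNSEC_SYSFS_RESTRICT y`, so every user of this module gets the hardening compiled in but disabled at boot, with no way to turn it back on short of overriding the whole list. Because the xml hunk documents the parameter as a runtime toggle (`[0|1]`), it would fit the module's existing `cfg.*` pattern better as an option — for example a boolean `security.grsecurity.restrictSysfs` (constructed name) defaulting to false, with the parameter derived from it: `boot.kernelParams = [ "grsec_sysfs_restrict=${if cfg.restrictSysfs then "1" else "0"}" ] ++ optional cfg.disableEfiRuntimeServices "noefi";`. At minimum, a comment on the added line such as `# sysfs restriction breaks systemd; see grsecurity.xml` would record in the code why a hardening feature is off by default, and the same comment belongs next to `GRKERNSEC_SYSFS_RESTRICT y` in the kernel config. The enclosing attribute set continues outside the hunk.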
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
index e41748358fbb..a991758021a1 100644
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -151,9 +151,6 @@
a TCP simultaneous OPEN on that port before the connection is actually
established.
- /sys hardening:
- breaks systemd.
-
Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.
@@ -357,6 +354,12 @@
pax_size_overflow_report_only: log size overflow
violations but leave the violating task running
+
+
+ grsec_sysfs_restrict=[0|1]: toggle sysfs
+ restrictions. The NixOS module sets this to 0
+ for systemd compatibility
+
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index e54ab8c4944f..96da936642d2 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -29,6 +29,7 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
# Additional grsec hardening not implied by auto constraints
GRKERNSEC_IO y
+GRKERNSEC_SYSFS_RESTRICT y
# Disable protections rendered useless by redistribution
GRKERNSEC_HIDESYM n