diff --git a/pkgs/os-specific/linux/kernel/grsec-path.patch b/pkgs/os-specific/linux/kernel/grsec-path.patch
new file mode 100644
index 00000000000..be242779548
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/grsec-path.patch
@@ -0,0 +1,15 @@
+diff --git a/kernel/kmod.c b/kernel/kmod.c
+index 3227c2c..f32c944 100644
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -246,8 +246,8 @@ static int ____call_usermodehelper(void *data)
+ out the path to be used prior to this point and are now operating
+ on that copy
+ */
+- if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+- strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7)) || strstr(sub_info->path, "..")) {
++ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/nix/store/", 11) &&
++ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of /sbin and system library paths\n", sub_info->path);
+ retval = -EPERM;
+ goto fail;
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 3316911d3ed..128c42533c6 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -145,4 +145,9 @@ rec {
 # The grsec kernel patch seems to include the apparmor patches as of 3.0-3.12.1
 features.apparmor = true;
 };
+
+ grsec_path =
+ { name = "grsec-path";
+ patch = ./grsec-path.patch;
+ };
 }
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ea4faf7369b..f3f31964b7d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
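Review bot: The allowlist on the two `++` lines now accepts every path under `/nix/store/`, which is a different trust boundary from the root-owned `/lib`, `/lib64` and `/usr/lib` prefixes it replaces: on a system where unprivileged users can realise derivations through the Nix daemon, any such user can produce an executable under that prefix, so the check no longer confines usermode helpers to administrator-controlled directories, and that trade-off deserves a comment above the condition such as `/* NixOS: the whole store is allowed; store paths are not necessarily root-authored */`. The `printk` on the following context line still says "located outside of /sbin and system library paths", which no longer describes the condition; change it to `"grsec: denied exec of usermode helper binary %.950s located outside of /sbin, /nix/store and the system systemd lib path\n"`. The literal lengths 11 and 32 do match their strings, but `sizeof("/nix/store/") - 1` and `sizeof("/run/current-system/systemd/lib/") - 1` would keep them in sync if the prefixes change again. The enclosing `____call_usermodehelper` starts and ends outside the hunk.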
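Review bot: The new `grsec_path` attribute records nothing about its ordering requirement, yet grsec-path.patch edits the usermode-helper path check that only exists in kernel/kmod.c after a grsecurity patch has been applied, so listing it alone or before the grsecurity patch will fail. Add a comment above the attribute: `# Must come after a grsecurity patch in kernelPatches: rewrites the grsec usermode-helper path allowlist for NixOS paths.`.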
@@ -6686,11 +6686,11 @@ let
 # config options you need (e.g. by overriding extraConfig). See list of options here:
 # https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options
 linux_3_2_grsecurity = lowPrio (lib.overrideDerivation (linux_3_2.override (args: {
- kernelPatches = args.kernelPatches ++ [ kernelPatches.grsecurity_3_0_3_2_52 ];
+ kernelPatches = args.kernelPatches ++ [ kernelPatches.grsecurity_3_0_3_2_52 kernelPatches.grsec_path ];
 })) (args: grsecurityOverrider args));
 linux_3_12_grsecurity = lowPrio (lib.overrideDerivation (linux_3_12.override (args: {
- kernelPatches = args.kernelPatches ++ [ kernelPatches.grsecurity_3_0_3_12_1 ];
+ kernelPatches = args.kernelPatches ++ [ kernelPatches.grsecurity_3_0_3_12_1 kernelPatches.grsec_path ];
 })) (args: grsecurityOverrider args));
 linux_3_2_apparmor = lowPrio (linux_3_2.override {
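Review bot: The same `kernelPatches.grsec_path` is appended to both the 3.2 and 3.12 grsecurity kernels on the two `+` lines, but the patch carries a single kmod.c hunk anchored at line 246 with context taken from one grsecurity revision, and whether it applies cleanly to both trees cannot be confirmed from this diff. If it fails on one of them, split it into per-kernel patch attributes rather than widening the fuzz. The ordering is right in both cases: it is listed after the grsecurity patch whose code it modifies.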