From 3fcb9e6f571536ed91ad6a738fda41afac7b8a32 Mon Sep 17 00:00:00 2001
From: Joachim Fasting <joachifm@fastmail.fm>
Date: Tue, 16 Aug 2016 14:03:40 +0200
Subject: [PATCH] grsecurity: support non-enforcing mode

Until we've made sure that most things actually work out of the box, we
need to give people a way of continuing to use the system without
completely disabling grsecurity.

Set sysctl kernel.pax.softmode=1 or boot with pax.softmode=1
---
 pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index 67bad8aeb40..4e1080c3857 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -13,6 +13,8 @@ GRKERNSEC_CONFIG_VIRT_EPT y
 GRKERNSEC_CONFIG_VIRT_KVM y
 GRKERNSEC_CONFIG_PRIORITY_SECURITY y
 
+PAX_SOFTMODE y
+
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n