diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml
index 3c17fc19397..8387658f1e5 100644
--- a/nixos/doc/manual/configuration/grsecurity.xml
+++ b/nixos/doc/manual/configuration/grsecurity.xml
@@ -265,6 +265,11 @@
   <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
 
   <itemizedlist>
+    <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
+    consequently, unprivileged namespaces are unsupported. Applications that
+    rely on namespaces for sandboxing (e.g., chromium) must use a privileged
+    helper.</para></listitem>
+
     <listitem><para>Access to EFI runtime services is disabled by default:
     this plugs a potential code injection attack vector; use
     <option>security.grsecurity.disableEfiRuntimeServices</option> to override