authorJoachim Fasting <joachifm@fastmail.fm>2016-12-07 04:53:55 +0100
committerJoachim Fasting <joachifm@fastmail.fm>2016-12-08 11:59:57 +0100
commitf39d13cd3e577d546445df4bcd6cbe2905b655c1 (patch)
tree8c3d46e664baba88a4f414811706c0f52a31f828
parent8ff31be4c24b01fabbac7aca6b7f3043932cd6be (diff)
grsecurity doc: describe work-around for gitlab
Fixes https://github.com/NixOS/nixpkgs/issues/20959
-rw-r--r--nixos/modules/security/grsecurity.xml13
1 files changed, 13 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
index 5b3e4db03a13..a7bcf4924f01 100644
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -325,6 +325,19 @@
       </programlisting>
     </para></listitem>
 
+    <listitem><para>
+      The gitlab service (<xref linkend="module-services-gitlab" />)
+      requires a variant of the <literal>ruby</literal> interpreter
+      built without `mprotect()` hardening, as in
+      <programlisting>
+        services.gitlab.packages.gitlab = pkgs.gitlab.override {
+          ruby = pkgs.ruby.overrideAttrs (attrs: {
+            postFixup = "paxmark m $out/bin/ruby";
+          });
+        };
+      </programlisting>
+    </para></listitem>
+
   </itemizedlist>
 
   </sect1>
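Review bot: The new list item does not say what the reader gives up at the `mprotect()` sentence: `paxmark m` switches off PaX MPROTECT for that ruby binary, so every process GitLab runs with it loses that restriction. A sentence such as `This relaxes MPROTECT only for the interpreter used by GitLab; pkgs.ruby itself is left unchanged.` would state the trade-off and its scope, which follows from the override being applied only under `services.gitlab.packages.gitlab`. The backticks around `mprotect()` are Markdown and will render literally in DocBook; `<function>mprotect()</function>` would match the `<literal>ruby</literal>` markup on the line above. In the listing, `attrs` is never used and `postFixup = "…"` replaces rather than extends the attribute, so if the ruby derivation defines its own `postFixup` (not visible here) it would be dropped; `postFixup = (attrs.postFixup or "") + "\npaxmark m $out/bin/ruby";` keeps it.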