diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 12401f044a7f..3f24118ea1cb 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -126,6 +126,19 @@ in
'';
};
+ denyChrootCaps = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to lower capabilities of all processes within a chroot,
+ preventing commands that require CAP_SYS_ADMIN.
+
+ This protection is disabled by default because it breaks
+ nixos-rebuild. Whenever possible, it is
+ highly recommended to enable this protection.
+ '';
+ };
+
denyUSB = mkOption {
type = types.bool;
default = false;
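Review bot: The description of denyChrootCaps (the lines "Whether to lower capabilities of all processes within a chroot, preventing commands that require CAP_SYS_ADMIN") understates what the option does: it maps to GRKERNSEC_CHROOT_CAPS (wired up in pkgs/build-support/grsecurity/default.nix in this same commit), which as I recall drops several privileged capabilities from chrooted processes, CAP_SYS_ADMIN being only one of them, so an operator may underestimate what will stop working. Suggest `Whether to lower the capabilities of all processes within a chroot, removing several privileged capabilities (including CAP_SYS_ADMIN) so they cannot be used from inside the chroot.` The "breaks nixos-rebuild" sentence would also be more useful if it named the mechanism (presumably Nix's sandboxed builds running inside a chroot — please confirm), since that tells the reader whether the breakage applies to their setup. The part of the module that forwards these options to the kernel configuration lies outside this hunk, so I could not verify that denyChrootCaps is passed through; only the build-support side is visible here.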
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index e06c02a294f6..7777b6000628 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -8,6 +8,7 @@ let
config = {
mode = "auto";
sysctl = false;
+ denyChrootCaps = false;
denyChrootChmod = false;
denyUSB = false;
restrictProc = false;
@@ -112,6 +113,7 @@ let
}
GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
+ GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps}
GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}