In my hardened desktop system 0ad fails to start with these errors in dmesg:

grsec: denied RWX mmap of <anonymous mapping> by /usr/games/bin/pyrogenesis

After '/usr/sbin/paxctl-ng -l -m /usr/games/bin/pyrogenesis' the game works fine.

Most likely the problem is in the library from dev-lang/spidermonkey-24.2.0-r1: even with USE jit disabled it causes test failures with 'grsec: denied RWX mmap of <anonymous mapping>' errors in dmesg, so until bug #510982 is fixed the 0ad ebuild should do this:

pax-mark m /usr/games/bin/pyrogenesis

P.S. Other 3D apps do not need PaX marking on my desktops because FOSS drivers are used.
Can hardened@ confirm that this approach is ok?
After updating to dev-lang/spidermonkey-24.2.0-r2 no pax marking is required anymore.
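
An added example, not part of the thread above: a shell filter that tallies which binaries the kernel log reports as denied RWX mmap, matching the message shape quoted in the report. It can confirm that the denials are gone after a package update. The sample lines (including the trailing fields and the /usr/bin/example-jit path) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel log lines, shaped like the grsec message quoted
# in the report. The trailing "[comm:pid] ..." fields on one line are an
# assumption about what a full line may carry; only the path is used.
sample_log() {
cat <<'EOF'
[  101.100] grsec: denied RWX mmap of <anonymous mapping> by /usr/games/bin/pyrogenesis
[  101.200] grsec: denied RWX mmap of <anonymous mapping> by /usr/games/bin/pyrogenesis[pyrogenesis:4321] uid/euid:1000/1000
[  230.500] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  300.700] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/example-jit
EOF
}

# Read kernel log text on stdin and print "count path" for every binary
# that was denied an RWX mapping, most frequent first.
rwx_denials() {
    # Keep only the executable path: it starts with "/" after " by " and
    # ends at the first whitespace or "[" character.
    sed -n 's|.*grsec: denied RWX mmap of .* by \(/[^[:space:][]*\).*|\1|p' |
        sort | uniq -c | sort -k1,1nr -k2 |
        awk '{ print $1, $2 }'
}

# Demo on the constructed sample; on a live system use: dmesg | rwx_denials
sample_log | rwx_denials
```

An empty result from `dmesg | rwx_denials` after a reboot and a test run means no binary tripped the RWX mmap restriction in that session.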