We currently don't support the combination of FFI with ruby and Hardened Gentoo (specifically PaX). The easy solution/work-around is to use pax-mark m on /usr/bin/ruby to turn off mprotect altogether, but this is not really desirable from a security standpoint. It would be better to get EMUTRAMP support working as we already do for python. Then we only need pax-mark E. This requires changes to the ruby ebuilds to set the marking similar to dev-lang/python, and changes to dev-ruby/ffi to work with EMUTRAMP.
The current, unpatched situation is that using FFI code causes a segmentation fault (actually a RuntimeError in ruby), due to the ruby ffi code calling mprotect with PROT_EXEC. I have created a patch for this based on what is done with cffi. cffi only calls mmap, and here PROT_EXEC is set with mprotect, so the situation is not identical, so my lack of grsecurity and memory allocation may be showing :-) This patch leads to dmesg logs from grsecurity: execution attempt in: <anonymous mapping>, 35f244e2000-35f244e3000 35f244e2000
Created attachment 445462: dev-ruby/ffi patch
https://github.com/ffi/ffi/pull/540
(In reply to Magnus Granberg from comment #3)
> https://github.com/ffi/ffi/pull/540

This pull request has been applied in dev-ruby/ffi-1.9.22