We currently don't support the combination of FFI with ruby and Hardened Gentoo (specifically PaX).
The easy solution/work-around is to use pax-mark m on /usr/bin/ruby to turn off mprotect altogether, but this is not really desirable from a security standpoint. It would be better to get EMUTRAMP support working as we already do for python. Then we only need pax-mark E.
This requires changes to the ruby ebuilds to set the marking similar to dev-lang/python, and changes to dev-ruby/ffi to work with EMUTRAMP.
The current, unpatched, situation is that using FFI code causes a segmentation fault (actually a RuntimeError in ruby), due to the ruby ffi code calling mprotect with PROT_EXEC.
I have created a patch for this based on what is done with cffi. cffi only calls mmap, and here PROT_EXEC is set with mprotect, so the situation is not identical, so my lack of grsecurity and memory allocation may be showing :-)
This patch leads to dmesg logs from grsecurity:
execution attempt in: <anonymous mapping>, 35f244e2000-35f244e3000 35f244e2000
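As an added diagnostic (not part of the bug report or of the ffi patch): a small C probe that performs the same RW-to-executable mprotect transition the report attributes to the ruby ffi code and reports whether the kernel permitted it. Under PaX MPROTECT the call fails, which is what surfaces as the RuntimeError described above; the function name and the filler bytes are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one anonymous RW page, then ask the kernel to make it executable,
 * the mprotect(PROT_EXEC) step the ruby ffi code performs.
 * Returns 0 if the transition was permitted, the errno value (EPERM or
 * EACCES when PaX MPROTECT is enforced) if it was denied, or -1 if the
 * mapping itself could not be created. Nothing in the page is executed. */
static int probe_mprotect_exec(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    /* Touch the page so it is backed before the permission flip
     * (constructed filler, zero bytes). */
    memset(p, 0, 16);

    int rc = 0;
    if (mprotect(p, (size_t)page, PROT_READ | PROT_EXEC) != 0)
        rc = errno;

    munmap(p, (size_t)page);
    return rc;
}

int main(void)
{
    int rc = probe_mprotect_exec();
    if (rc == 0)
        puts("RW -> RX transition allowed: MPROTECT is not enforced for this binary");
    else if (rc == -1)
        puts("mmap failed; cannot probe");
    else
        printf("RW -> RX denied (%s): PaX MPROTECT is active\n", strerror(rc));
    return 0;
}
```

Run it once with the default PaX flags and once after `pax-mark m` on the compiled binary to observe the two outcomes the report contrasts.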
Created attachment 445462
(In reply to Magnus Granberg from comment #3)
This pull request has been applied in dev-ruby/ffi-1.9.22