Richard Biener changed bug 997239
What  | Removed | Added
CC    |         | mrueckert@suse.com
Flags |         | needinfo?(mrueckert@suse.com)

Comment # 10 on bug 997239 from
I don't see how this is _not_ an issue with GRSEC.  If we are allowed to
mmap a PROT_WRITE|PROT_EXEC mapping (no error when doing that) but then
get killed when actually executing from it then something is broken.

Yes, libffi seems to have "dances" around similar issues in SELinux
but "misses" the GRsec case.  Hmm, in fact it _does_ have it!  See
the emutramp_enabled_check () in closures.c:

/* On PaX enable kernels that have MPROTECT enable we can't use PROT_EXEC. */
#ifdef FFI_MMAP_EXEC_EMUTRAMP_PAX
#include <stdlib.h>

static int emutramp_enabled = -1;

static int
emutramp_enabled_check (void)
{
  char *buf = NULL;
  size_t len = 0;
  FILE *f;
  int ret;
  f = fopen ("/proc/self/status", "r");
  if (f == NULL)
    return 0;
  ret = 0;

  while (getline (&buf, &len, f) != -1)
    if (!strncmp (buf, "PaX:", 4))
      {
        char emutramp;
        if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
          ret = (emutramp == 'E');
        break;
      }
  free (buf);
  fclose (f);
  return ret;
}

#define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
                               : (emutramp_enabled = emutramp_enabled_check ()))


but that needs to be enabled at configure time it seems (--enable-pax_emutramp)

Can you check if using a libffi built with that flag works?
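
Added example, not part of the original comment and not libffi's own code: the same "second PaX flag is 'E'" decision as the check quoted above, written against a status text buffer so it can be exercised on sample input as well as on the running process. The helper names and the sample status texts are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the flag field of the "PaX:" line of a /proc/<pid>/status text into
   out.  Returns the number of flag characters copied, or -1 when no line
   starts with "PaX:" (the kernel does not report PaX flags). */
static int pax_flags(const char *status, char *out, size_t outsz)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "PaX:", 4) == 0) {
            const char *p = line + 4;
            size_t n = 0;
            while (*p == ' ' || *p == '\t') p++;
            while (*p && *p != '\n' && n + 1 < outsz) out[n++] = *p++;
            out[n] = '\0';
            return (int)n;
        }
        line = strchr(line, '\n');      /* advance to the next line start */
        if (line) line++;
    }
    if (outsz) out[0] = '\0';
    return -1;
}

/* Same decision as the quoted check: the second flag character is 'E'. */
static int emutramp_enabled_in(const char *status)
{
    char flags[16];
    return pax_flags(status, flags, sizeof flags) >= 2 && flags[1] == 'E';
}

/* Constructed sample inputs, not captured from a real system. */
static const char SAMPLE_EMUTRAMP_ON[]  = "Name:\tpython\nPaX:\tPEMRs\nPid:\t4242\n";
static const char SAMPLE_EMUTRAMP_OFF[] = "Name:\tpython\nPaX:\tPeMRs\n";
static const char SAMPLE_NO_PAX[]       = "Name:\tpython\nNotPaX:\tPEMRs\n";

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("this process: emutramp=%d\n", emutramp_enabled_in(buf));
    printf("samples: on=%d off=%d none=%d\n", emutramp_enabled_in(SAMPLE_EMUTRAMP_ON),
           emutramp_enabled_in(SAMPLE_EMUTRAMP_OFF), emutramp_enabled_in(SAMPLE_NO_PAX));
    return 0;
}
```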
