On 2025/07/15 19:35, Daniel Dickman wrote:
> Should ports not even try to do a runtime check in the first place?

I think these runtime checks are mainly for OS where the binary might
be compiled on a system with no W^X protection and then run on a system
with a kernel which enforces it (as long as it wasn't opted-out for the
binary..) and they don't seem to make much sense for OpenBSD to me.

On OpenBSD the possibilities (where a program deliberately tries to
make a W+X mapping and checks the return code like this) are:

- port forces W+X to be permitted (USE_WXNEEDED); binary run from
  wxallowed partition: test will succeed, program uses W+X and runs

- port forces W+X to be permitted (USE_WXNEEDED); binary run from
  !wxallowed partition: test will fail, program avoids W+X and runs

- port leaves W^X protection enabled; run with kern.wxabort=0; test
  will fail, program avoids W+X and runs

- port leaves W^X protection enabled; run with kern.wxabort=1; crash

For a port which does not set USE_WXNEEDED then avoiding the runtime
check gives the most useful behaviour under both possibilities. (And if
the port was changed to set USE_WXNEEDED the patch would presumably be
adjusted at the same time).