Avoid writable and executable memory mappings by GL libraries

For security reasons I’d like to enable the systemd MemoryDenyWriteExecute flag for Xorg and other processes. However, NVIDIA GL libraries unfortunately create memory mappings which are both writable and executable at the same time, which prevents the flag from being used:

$ cat /proc/`pidof glxgears`/maps | grep rwx
7fd72ad52000-7fd72ad72000 rwxp 019fe000 08:11 795228                     /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7fd72d236000-7fd72d269000 rwxp 000be000 08:11 924758                     /usr/lib/x86_64-linux-gnu/nvidia/current/libGL.so.352.79

# cat /proc/`pidof Xorg`/maps | grep rwx
7f2b6400a000-7f2b6402a000 rwxp 019fe000 08:11 795228                     /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7f2b65c4e000-7f2b65c81000 rwxp 009ab000 08:11 924731                     /usr/lib/nvidia/current/libglx.so.352.79

Typically such mappings are only needed for self-modifying code or JIT dynamic code generators. I wouldn’t expect GL libraries to need those tricks; perhaps this is not intentional?

I’m using drivers from Debian unstable.
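The check described above, as an added example that is not part of the original post: it parses /proc/<pid>/maps lines and reports mappings that are both writable and executable, the ones MemoryDenyWriteExecute= would refuse. The sample input is constructed from the two glxgears lines quoted above plus two ordinary mappings; the scan_pid helper is an assumption that only works on Linux with permission to read the target's maps.

```python
"""Flag writable+executable (W^X-violating) mappings in a /proc/<pid>/maps listing."""
import re
from typing import List, NamedTuple


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


# One maps line: address-range perms offset dev inode [pathname]
_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text into Mapping records; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return out


def find_wx_mappings(text: str) -> List[Mapping]:
    """Return mappings that are writable and executable at the same time."""
    return [m for m in parse_maps(text) if "w" in m.perms and "x" in m.perms]


def scan_pid(pid: int) -> List[Mapping]:
    """Check a live process (assumed helper: Linux only, needs read access to its maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx_mappings(fh.read())


# Constructed sample: the two rwxp glxgears lines from the post plus a text segment and a stack
SAMPLE_MAPS = """\
7fd72ad32000-7fd72ad52000 r-xp 00000000 08:11 795228                     /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7fd72ad52000-7fd72ad72000 rwxp 019fe000 08:11 795228                     /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.352.79
7fd72d236000-7fd72d269000 rwxp 000be000 08:11 924758                     /usr/lib/x86_64-linux-gnu/nvidia/current/libGL.so.352.79
7ffd1a3e0000-7ffd1a401000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    for m in find_wx_mappings(SAMPLE_MAPS):
        print(f"W+X: {m.start:x}-{m.end:x} ({m.size} bytes) {m.path}")
```

Run against a live process with scan_pid(pid) before enabling the flag for its unit; any result means the service would fail once MemoryDenyWriteExecute= is set.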

OpenGL libraries need to do this to efficiently dispatch GL calls to the correct handlers. IIRC, the driver should be able to detect when it can’t write to executable memory and fall back to a slower path.