FYI, systemd's MemoryDenyWriteExecute=yes breaks "git grep" because of pcre2jit.
An easy test command is something like this:

    $ journalctl --user -fn0 &     # so you see the error
    $ systemd-run --property=MemoryDenyWriteExecute=yes --user git -C /srv/vcs/kb grep -Fwi mutt
    --error--> git[2289491]: fatal: Couldn't JIT the PCRE2 pattern 'mutt', got '-48'

A real-world use case is hardening gitit.service, a git-based wiki <https://packages.debian.org/stable/gitit>.
With MemoryDenyWriteExecute=yes, gitit works perfectly, EXCEPT for search (which uses "git grep" under the hood).

Is there a way for a sysadmin to disable pcre2jit at runtime, e.g. with an environment variable?
I understand it makes pcre2 slower, but I might actually prefer to make that security-vs-speed tradeoff.

I looked at https://manpages.debian.org/pcre2jit but only found compile-time options.

See also https://github.com/systemd/systemd/issues/5970
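
Added example, not part of the original report and not code from git, PCRE2 or systemd: systemd.exec(5) documents MemoryDenyWriteExecute= as prohibiting mappings that are writable and executable at the same time, and changing existing mappings to executable. This probe attempts both operations, which are the ways a JIT obtains memory for generated code, and reports the result; all function names are hypothetical.

```c
/* Added example: probe the operations MemoryDenyWriteExecute= rejects (hypothetical names). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* for MAP_ANONYMOUS */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try a mapping that is writable and executable at once.
 * Returns 0 if allowed, otherwise the errno from mmap(). */
int probe_wx_mmap(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* Map read-write, then try to flip the page to read-execute.
 * Returns 0 if allowed, otherwise the errno from the failing call. */
int probe_rw_then_rx(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = mprotect(p, len, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, len);
    return err;
}

/* A JIT can only emit code if at least one of the two paths works. */
int jit_memory_available(void)
{
    return probe_wx_mmap() == 0 || probe_rw_then_rx() == 0;
}

int main(void)
{
    int a = probe_wx_mmap(), b = probe_rw_then_rx();
    printf("mmap W+X: %s\nmprotect RW->RX: %s\n",
           a ? strerror(a) : "allowed", b ? strerror(b) : "allowed");
    return jit_memory_available() ? 0 : 1;
}
```

Running the compiled binary through the same `systemd-run --property=MemoryDenyWriteExecute=yes --user` invocation as in the report shows which of the two calls the unit's sandbox refuses.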