hd_scania Shawn has told to me to turn mprotect and pageexec at 1 on HardenedBSD-CURRENT then KDE Plasma ceases dying,
So I was right? 😛 Good you finally found your solution. Indeed 'bad system call' when executing a shell script really sounded a Pax-alike
The problem is that unfortunately nobody here uses HBSD but you 😅, so no one actually knows what the values of those sysctl variables stand for, and it's not like you can easily retrieve HBSD documentation anywhere (still have to find an online man for
hbsdctl); I may guess at best. And if I had to guess, I'd lower Pax Sevguard (imaging level 3 is actually somehow strict): I've been testing it on NetBSD and enabling it system-wide is not only quite resource angry, but also way too limiting; I'd restrict its use to those binaries which actually matter, representing a possible target for brute-force attacks (sshd, postfix and alikes).
By the way, I can share my FreeBSD's sysctl.conf tuned for desktop if you want 😉