7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -38,10 +38,11 @@
 #include <sys/cred.h>
 #include <sys/netstack.h>
 #include <sys/uadmin.h>
 #include <sys/ksynch.h>
 #include <sys/socket_impl.h>
+#include <sys/secflags.h>
 #include <netinet/in.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif

@@ -102,10 +103,11 @@
 #define ZONE_ATTR_FLAGS         14
 #define ZONE_ATTR_HOSTID        15
 #define ZONE_ATTR_FS_ALLOWED    16
 #define ZONE_ATTR_NETWORK       17
 #define ZONE_ATTR_INITNORESTART 20
+#define ZONE_ATTR_SECFLAGS      21
 
 /* Start of the brand-specific attribute namespace */
 #define ZONE_ATTR_BRAND_ATTRS   32768
 
 #define ZONE_FS_ALLOWED_MAX     1024

@@ -576,10 +578,12 @@
         uint64_t        zone_anonpgin;          /* anon pages paged in */
         uint64_t        zone_execpgin;          /* exec pages paged in */
         uint64_t        zone_fspgin;            /* fs pages paged in */
         uint64_t        zone_anon_alloc_fail;   /* cnt of anon alloc fails */
 
+        psecflags_t     zone_secflags; /* default zone security-flags */
+
         /*
          * Misc. kstats and counters for zone cpu-usage aggregation.
          * The zone_Xtime values are the sum of the micro-state accounting
          * values for all threads that are running or have run in the zone.
          * This is tracked in msacct.c as threads change state.