7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -316,10 +316,15 @@
 
         Allows all that PRIV_PROC_PRIOUP allows.
         Allows a process to change its scheduling class to any scheduling class,
         including the RT class.
 
+basic privilege PRIV_PROC_SECFLAGS
+
+        Allows a process to manipulate the secflags of processes (subject to,
+        additionally, the ability to signal that process)
+
 basic privilege PRIV_PROC_SESSION
 
         Allows a process to send signals or trace processes outside its
         session.
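Review bot: The added PRIV_PROC_SECFLAGS description is too vague about scope for a privilege declared "basic", which puts it in the default set of ordinary processes. "manipulate the secflags of processes" does not say whether a holder can clear mitigations as well as set them, or whether the privilege is also needed for a process to change its own secflags. Please state both, since the answer decides what dropping this privilege actually buys in a sandboxed process. The parenthetical is also awkward and the sentence lacks the terminal period the neighbouring entries have; something like "Allows a process to manipulate the secflags of any process it is also permitted to signal." reads more cleanly.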