7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 38,47 ****
--- 38,48 ----
  #include <sys/cred.h>
  #include <sys/netstack.h>
  #include <sys/uadmin.h>
  #include <sys/ksynch.h>
  #include <sys/socket_impl.h>
+ #include <sys/secflags.h>
  #include <netinet/in.h>
  
  #ifdef  __cplusplus
  extern "C" {
  #endif
*** 102,111 ****
--- 103,113 ----
  #define ZONE_ATTR_FLAGS         14
  #define ZONE_ATTR_HOSTID        15
  #define ZONE_ATTR_FS_ALLOWED    16
  #define ZONE_ATTR_NETWORK       17
  #define ZONE_ATTR_INITNORESTART 20
+ #define ZONE_ATTR_SECFLAGS      21
  
  /* Start of the brand-specific attribute namespace */
  #define ZONE_ATTR_BRAND_ATTRS   32768
  
  #define ZONE_FS_ALLOWED_MAX     1024
*** 576,585 ****
--- 578,589 ----
          uint64_t        zone_anonpgin;          /* anon pages paged in */
          uint64_t        zone_execpgin;          /* exec pages paged in */
          uint64_t        zone_fspgin;            /* fs pages paged in */
          uint64_t        zone_anon_alloc_fail;   /* cnt of anon alloc fails */
  
+         psecflags_t     zone_secflags; /* default zone security-flags */
+ 
          /*
           * Misc. kstats and counters for zone cpu-usage aggregation.
           * The zone_Xtime values are the sum of the micro-state accounting
           * values for all threads that are running or have run in the zone.
           * This is tracked in msacct.c as threads change state.