7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -30,10 +30,11 @@
 #include <libscf.h>
 #include <limits.h>
 #include <priv.h>
 #include <pwd.h>
 #include <sys/types.h>
+#include <sys/secflags.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 

@@ -263,18 +264,20 @@
     restarter_contract_type_t);
 
 ssize_t restarter_state_to_string(restarter_instance_state_t, char *, size_t);
 restarter_instance_state_t restarter_string_to_state(char *);
 
-#define RESTARTER_METHOD_CONTEXT_VERSION        7
+#define RESTARTER_METHOD_CONTEXT_VERSION        8
 
 struct method_context {
         /* Stable */
         uid_t           uid, euid;
         gid_t           gid, egid;
         int             ngroups;                /* -1 means use initgroups(). */
         gid_t           groups[NGROUPS_MAX];
+        psecflags_t     def_secflags;
+        secflagdelta_t  secflag_delta;
         priv_set_t      *lpriv_set, *priv_set;
         char            *corefile_pattern;      /* Optional. */
         char            *project;               /* NULL for no change */
         char            *resource_pool;         /* NULL for project default */
         char            *working_dir;           /* NULL for :default */