7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
@@ -9514,10 +9514,12 @@
SCF_SUCCESS ||
scf_pg_get_property(pg, SCF_PROPERTY_PROJECT, NULL) ==
SCF_SUCCESS ||
scf_pg_get_property(pg, SCF_PROPERTY_RESOURCE_POOL, NULL) ==
SCF_SUCCESS ||
+ scf_pg_get_property(pg, SCF_PROPERTY_SECFLAGS, NULL) ==
+ SCF_SUCCESS ||
scf_pg_get_property(pg, SCF_PROPERTY_USE_PROFILE, NULL) ==
SCF_SUCCESS;
if (nonenv) {
ctxt = xmlNewNode(NULL, (xmlChar *)"method_context");
@@ -9538,10 +9540,16 @@
if (pg_get_prop(pg, SCF_PROPERTY_RESOURCE_POOL, exp_prop) ==
0 &&
set_attr_from_prop_default(exp_prop, ctxt,
"resource_pool", ":default") != 0)
err = 1;
+
+ if (pg_get_prop(pg, SCF_PROPERTY_SECFLAGS, exp_prop) == 0 &&
+ set_attr_from_prop_default(exp_prop, ctxt,
+ "security_flags", ":default") != 0)
+ err = 1;
+
/*
* We only want to complain about profile or credential
* properties if we will use them. To determine that we must
* examine USE_PROFILE.
*/
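Review bot: The `":default"` sentinel passed to `set_attr_from_prop_default()` for `security_flags` is copied from the `resource_pool` call above it, and nothing in this diff shows that the manifest DTD declares the same default for `security_flags`. Assuming the helper omits the attribute when the property equals the sentinel, a mismatch would let a service's exploit-mitigation flags change silently across an export/import round trip. Confirm against the DTD, and once confirmed add a short comment above the new `if`, such as `/* ":default" is the DTD default for security_flags, so it is omitted on export */`. The enclosing function begins and ends outside this hunk.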
@@ -9660,11 +9668,12 @@
continue;
} else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0 ||
strcmp(exp_str, SCF_PROPERTY_GROUP) == 0 ||
strcmp(exp_str, SCF_PROPERTY_SUPP_GROUPS) == 0 ||
strcmp(exp_str, SCF_PROPERTY_PRIVILEGES) == 0 ||
- strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) == 0) {
+ strcmp(exp_str, SCF_PROPERTY_LIMIT_PRIVILEGES) == 0 ||
+ strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0) {
if (nonenv && !use_profile)
continue;
} else if (strcmp(exp_str, SCF_PROPERTY_PROFILE) == 0) {
if (nonenv && use_profile)
continue;
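Review bot: Adding `SCF_PROPERTY_SECFLAGS` to this credential branch means it is skipped only when `nonenv && !use_profile`, yet the earlier hunk (the new `if` before the "We only want to complain" comment) writes `security_flags` onto `ctxt` without consulting `use_profile`, the same way `resource_pool` is handled. When the method context uses a profile, the property would already have been exported as an attribute and is then not skipped here, so it presumably falls through to whatever handles leftover properties later in the loop, which is outside this hunk. If secflags are meant to be independent of the profile, the `strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0` test belongs in the branch that skips `SCF_PROPERTY_RESOURCE_POOL` (also outside the hunk, and presumably gated on `nonenv` alone). If they are meant to follow the credentials, the export in the earlier hunk should be gated on `use_profile` instead.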
@@ -9846,10 +9855,14 @@
err = 1;
} else if (strcmp(exp_str, SCF_PROPERTY_RESOURCE_POOL) == 0) {
if (set_attr_from_prop(exp_prop, n,
"resource_pool") != 0)
err = 1;
+ } else if (strcmp(exp_str, SCF_PROPERTY_SECFLAGS) == 0) {
+ if (set_attr_from_prop(exp_prop, n,
+ "security_flags") != 0)
+ err = 1;
} else if (strcmp(exp_str, SCF_PROPERTY_USE_PROFILE) == 0) {
/* EMPTY */
} else if (strcmp(exp_str, SCF_PROPERTY_USER) == 0) {
if (use_profile ||
set_attr_from_prop(exp_prop, cred, "user") != 0)