7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 213,222 ****
--- 213,224 ----
          kcred->cr_zone = &zone0;
  
          priv_fillset(&CR_LPRIV(kcred));
          CR_IPRIV(kcred) = *priv_basic;
  
+         priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);
+ 
          /* Not a basic privilege, if chown is not restricted add it to I0 */
          if (!rstchown)
                  priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
  
          /* Basic privilege, if link is restricted remove it from I0 */