7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -213,10 +213,12 @@
         kcred->cr_zone = &zone0;
 
         priv_fillset(&CR_LPRIV(kcred));
         CR_IPRIV(kcred) = *priv_basic;
 
+        priv_addset(&CR_IPRIV(kcred), PRIV_PROC_SECFLAGS);
+
         /* Not a basic privilege, if chown is not restricted add it to I0 */
         if (!rstchown)
                 priv_addset(&CR_IPRIV(kcred), PRIV_FILE_CHOWN_SELF);
 
         /* Basic privilege, if link is restricted remove it from I0 */