7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

*** 46,55 ****
--- 46,56 ----
  #include <sys/rctl.h>
  #include <sys/list.h>
  #include <sys/avl.h>
  #include <sys/door_impl.h>
  #include <sys/signalfd.h>
+ #include <sys/secflags.h>
  
  #ifdef  __cplusplus
  extern "C" {
  #endif
  
*** 347,356 ****
--- 348,358 ----
          uintptr_t       p_portcnt;      /* event ports counter */
          struct zone     *p_zone;        /* zone in which process lives */
          struct vnode    *p_execdir;     /* directory that p_exec came from */
          struct brand    *p_brand;       /* process's brand  */
          void            *p_brand_data;  /* per-process brand state */
+         psecflags_t     p_secflags;     /* per-process security flags */
  
          /* additional lock to protect p_sessp (but not its contents) */
          kmutex_t p_splock;
          rctl_qty_t      p_locked_mem;   /* locked memory charged to proc */
                                          /* protected by p_lock */