7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -1012,10 +1012,14 @@
 
         if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_RESOURCE_POOL,
             SCF_TYPE_ASTRING, ctx, "resource_pool", NULL) != 0)
                 return (-1);
 
+        if (new_opt_str_prop_from_attr(pg, SCF_PROPERTY_SECFLAGS,
+            SCF_TYPE_ASTRING, ctx, "security_flags", NULL) != 0)
+                return (-1);
+
         for (cursor = ctx->xmlChildrenNode; cursor != NULL;
             cursor = cursor->next) {
                 if (lxml_ignorable_block(cursor))
                         continue;
 

@@ -1098,11 +1102,12 @@
                 return (-1);
 
         /*
          * There is a possibility that a method context also exists, in which
          * case the following attributes are defined: project, resource_pool,
-         * working_directory, profile, user, group, privileges, limit_privileges
+         * working_directory, profile, user, group, privileges,
+         * limit_privileges, security_flags
          */
         for (cursor = emeth->xmlChildrenNode; cursor != NULL;
             cursor = cursor->next) {
                 if (lxml_ignorable_block(cursor))
                         continue;

@@ -3351,11 +3356,12 @@
  * in early manifest import due to upgrade process needing
  * information that has not yet been supplied by manifests
  * that are still located in the /var/svc manifests directory.
  */
 static int
-lxml_check_upgrade(const char *service) {
+lxml_check_upgrade(const char *service)
+{
         scf_handle_t    *h = NULL;
         scf_scope_t     *sc = NULL;
         scf_service_t   *svc = NULL;
         scf_propertygroup_t     *pg = NULL;
         int rc = SCF_FAILED;