7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

@@ -570,10 +570,21 @@
 .RE
 
 .sp
 .ne 2
 .na
+\fB\PRIV_PROC_SECFLAGS\fR
+.ad
+.sp .6
+.RS 4n
+Allow a process to manipulate the secflags of processes (subject to,
+additionally, the ability to signal that process).
+.RE
+
+.sp
+.ne 2
+.na
 \fB\fBPRIV_PROC_SESSION\fR\fR
 .ad
 .sp .6
 .RS 4n
 Allow a process to send signals or trace processes outside its session.