Sunday, February 6, 2011

Disabling fork/exec

If NetBSD used capabilities, disabling a process's ability to exec or fork would be trivial: simply clear those capabilities.

But since that isn't currently possible, add a sysctl or syscall that allows a process to prevent any later fork or exec of its own from succeeding (they would fail with ENOSYS and cause a SIGSYS signal to kill the process).

This would be useful for long-running daemons that might be attacked and used to get a shell. If you can't exec, that approach is thwarted.
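NetBSD has no such sysctl, so as an added illustration (not part of the original post) here is the same idea expressed with Linux seccomp-bpf, which already offers this kind of self-imposed restriction: a daemon finishes its setup, installs a filter, and from then on any fork or exec kills it with SIGSYS. It assumes x86_64 Linux; the names deny_fork_exec and exec_after_lockdown are the example's own.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* x86_64 only. DENY(nr): kill the whole process with SIGSYS when the loaded syscall number is nr. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)

/* Irreversibly deny fork/exec for the calling process; any child would inherit the filter. */
static int deny_fork_exec(void)
{
    struct sock_filter filter[] = {
        /* Refuse foreign-ABI (e.g. 32-bit) syscalls so the numbers below cannot be sidestepped. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY(__NR_execve), DENY(__NR_execveat),
        DENY(__NR_fork), DENY(__NR_vfork), DENY(__NR_clone),
#ifdef __NR_clone3   /* newer headers only */
        DENY(__NR_clone3),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter and blocks setuid escapes. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Demo: a child locks itself down, then tries to exec.
 * Returns 1 if the kernel killed it with SIGSYS, 0 if exec went through, -1 on setup error. */
static int exec_after_lockdown(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_fork_exec() != 0) _exit(2);
        execl("/bin/true", "true", (char *)NULL);  /* must not return */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) ? 1 : 0;
}
```

A real daemon would call deny_fork_exec() right after its last legitimate fork (for example after daemonizing and spawning workers), which is exactly the point at which the post's proposed sysctl or syscall would be invoked.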