
OpenBSD system-call-origin verification

Posted Dec 19, 2019 10:17 UTC (Thu) by topimiettinen (guest, #133428)
Parent article: OpenBSD system-call-origin verification

Disallowing system calls originating from writable pages seems useful. This could be implemented with seccomp, as the instruction pointer is already available to the BPF, so the kernel only needs to allow calling a function from seccomp BPF to check the page of the IP for various properties.

Also, the alignment of the return address could be checked. Random ROP gadgets for system calls might be found at various non-aligned locations, but if compilers could be instructed to align the system call location strictly, even at a specific offset from the page boundary, it would decrease the chances of finding a gadget by 1/alignment (1/PAGE_SIZE for the fixed-page-offset version). The check itself would be doable today in BPF, and it would be very easy to add this to, for example, systemd or Firejail as a new sandboxing option.

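An added illustration of the return-address alignment check discussed in the comment above. This is example code written for this page, not code from the comment's author, from OpenBSD, or from systemd or Firejail. It assumes x86-64 Linux: a little-endian host, the two-byte `syscall` instruction, and 39 as the getpid number in the hand-written stub. The names build_filter, run_filter, decide, aligned_getpid and the constants SYSCALL_ALIGN and EXPECTED_OFFSET are this example's own. Only the alignment check is shown; the page-property check the comment asks for has no BPF helper today and is not attempted here.

```c
/*
 * Added example: a seccomp-BPF filter that allows getpid only when the
 * return address seccomp reports is EXPECTED_OFFSET mod SYSCALL_ALIGN,
 * i.e. the syscall instruction itself sat on a SYSCALL_ALIGN boundary.
 * Assumes x86-64 Linux. All names here are the example's own.
 */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

#define SYSCALL_ALIGN   64u  /* chosen alignment of the syscall instruction */
#define EXPECTED_OFFSET 2u   /* seccomp reports the IP after the 2-byte syscall */
#define FILTER_LEN      10

/* Classic BPF loads 32 bits at a time; on a little-endian host the low word of
 * instruction_pointer is at the field's offset (add 4 on big-endian). */
size_t build_filter(struct sock_filter *out)
{
    const struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 3), /* others: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, instruction_pointer)),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, SYSCALL_ALIGN - 1),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_OFFSET, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    memcpy(out, prog, sizeof prog);
    return FILTER_LEN;
}

/* Minimal classic-BPF interpreter for the four opcodes the filter uses, so the
 * decision logic can be exercised without loading the filter into the kernel. */
uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &p[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *sd) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof acc);
            break;
        case BPF_ALU | BPF_AND | BPF_K: acc &= in->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:           return in->k;
        default:                        return SECCOMP_RET_KILL_PROCESS; /* unsupported */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: a filter bug */
}

/* What the filter decides for syscall `nr` issued with return address `ip`. */
uint32_t decide(int nr, uint64_t ip)
{
    struct sock_filter prog[FILTER_LEN];
    struct seccomp_data sd = { .nr = nr, .arch = AUDIT_ARCH_X86_64, .instruction_pointer = ip };
    size_t n = build_filter(prog);
    return run_filter(prog, n, &sd);
}

#if defined(__x86_64__)
/* getpid stub whose syscall instruction is NOP-padded onto a 64-byte boundary. */
__asm__(".text\n"
        ".globl aligned_getpid\n"
        ".type aligned_getpid, @function\n"
        "aligned_getpid:\n"
        "    movl $39, %eax\n"          /* __NR_getpid on x86-64 */
        "    .balign 64, 0x90\n"
        "    syscall\n"
        "    ret\n"
        ".size aligned_getpid, .-aligned_getpid\n");
long aligned_getpid(void);

int main(void)
{
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) {
        perror("seccomp");
        return 1;
    }
    /* Survives: return address is 2 mod 64. A libc getpid() here would be killed. */
    printf("aligned getpid -> %ld\n", aligned_getpid());
    return 0;
}
#else
int main(void) { fputs("demo stub is x86-64 only\n", stderr); return 0; }
#endif
```

The interpreter only mirrors what the kernel would decide; it is there so the filter's jump offsets can be checked on a constructed seccomp_data before the real thing is loaded. The demo restricts only getpid because, with an unmodified libc, applying the alignment rule to every system call kills the process on the first libc call, which is exactly the compiler cooperation the comment asks for.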
Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds