TPE: Enforce at mmap boundary (and potentially mprotect)
One additional thought is that we could protect against mmap(fd, PROT_EXEC) when TPE is enabled. We would definitely want to gate it with a sysctl node, though, since doing vnode lookups is expensive, especially during mmap time.
We could explore protecting mprotect as well, though I suspect that might prove a bit more difficult.