Okay, I'm going to hypothesize how to do this; correct any errors if you would
be so kind.  My VM knowledge is based on Leffler's book so I'm going to go
ahead and ask if any changes need to be made for NetBSD.

First you can allocate an extra (fractional?) page so that heap and static
data don't share a page, rounding the allocation boundary to a page size.
Then, each time sbrk is called, you mprotect any newly allocated pages (if any).
You'd have to maintain a "break"-like boundary, rounded up to the nearest
page size (e.g. the page-boundary upper limit of the heap area).
Is this correct?

And also, does the program layout still look like:

0...   |&etext..  |&edata...       |&end          |sp         |    |
-------+----------+----------------+------....----+-----------+----+----
txt seg|init data |uninit data(BSS)|              |(stack)    | (u)|(kstack)
                                   ^break

I'm asking this question b/c I think the end(3) manpage is a bit misleading
(it states the end etext and edata global vars corresp. to the addr following
the end of text, init data, and uninit data segments, but it might lead one
to believe that it means in that order).

I'm also asking this in case some other fundamental layout change has occured.
I know my version of AKCL stopped generating valid unexec'ed images, yet the
old binary image from 386BSD 0.1 still works.

Also, is there good reason not to protect areas of the stack above the location
of the stack pointer when main() is called?
-- 
VaX#n8 (vak-sa-nate) - n, CS senior++ and Unix junkie - vax@ccwf.cc.utexas.edu
Deal with evil through strength, yet encourage good through trust.    - PGP me