On systems where mac_veriexec is enforced, init should run its scripts in verified mode.
This relies on the verify shell option introduced by D30464. init will detect if the shell is /bin/sh, and in which case, add the verify option to the argument vector.
The verify option propagates to all files sourced by the shell, ensuring a better protection than if the script was tested against an open(O_VERIFY) before running it.
This security can be bypassed with the kenv which overloads the shell to use. However we feel confident that on systems running with mac_veriexec, this kenv will be blocked somehow.
Also, the verify option has no effect on systems where mac_veriexec is not loaded nor enforced.