Exec Denier is a kernel module for NetBSD that restricts exec syscalls for certain UIDs. It is very useful for blocking exec calls for named and ntpd. It can also restrict exec calls for users to a certain directory. Changelog available here.
816dab99545116044312de51e57697d14c66c992ce590f81b6e8a869ce6115ae