One thing we could do... something I've actually wanted to do for a while, is to create separate randomization domains and give the kernel its own personal generator that userland never touches. Maybe even also give each jail its own random number generator too, though that would be extra.

-Matt