The WildFly Core Security Manager cares for modules and deployed artifacts. It offers a JavaEE 7 compliant solution to permissions.xml in META-INF of EARs/WARs.

Unfortunately it does not take care of javaagents, specified in
https://docs.oracle.com/javase/8/docs/api/java/lang/instrument/package-summary.html

OpenSource:
https://inspectit.github.io/inspectit-ocelot/docs/getting-started/quick-start

java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "setContextClassLoader")" in code source "(file:/opt/inspectit/inspectit-ocelot-agent-0.6.jar <no signer certificates>)" of "sun.misc.Launcher$AppClassLoader@18b4aac2")
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
at java.lang.Thread.setContextClassLoader(Thread.java:1474)
at rocks.inspectit.ocelot.bootstrap.AgentManager.startOrReplaceInspectitCore(AgentManager.java:49)
at rocks.inspectit.ocelot.agent.AgentMain.startAgent(AgentMain.java:78)
at rocks.inspectit.ocelot.agent.AgentMain.lambda$premain$0(AgentMain.java:67)
at java.lang.Thread.run(Thread.java:748)

The specified JARs need AllPermission Config in the same way as container modules.

Other Examples for JavaAgents - closed source:
https://docs.appdynamics.com/display/PRO45/Java+Agent
https://docs.appdynamics.com/display/PRO45/JBoss+and+Wildfly+Startup+Settings
https://docs.appdynamics.com/display/PRO45/Java+Security+Manager+Configuration