Systrace enforces system call policies for applications. The policy can be generated interactively. Systrace can constrain the access that an application gets to the system. Operations not covered by the policy raise an alarm and allow a user to refine the currently configured policy.

For complicated applications, it is difficult to know the correct policy before running them. Systrace starts by notifying the user about every system call that an application tries to make. The user then configures a policy for the specific system call that caused the warning. After a few minutes, a policy has been built up that allows the application to run without any warnings. Events that are still not covered by the policy continue to generate a warning; normally, that is an indication of a security problem.

With systrace, untrusted binary applications can be sandboxed. It is possible to restrict their access to the system almost arbitrarily. Sandboxing applications that are available only in binary form is encouraged, as it is not possible to directly analyze what they are designed to do. But large open-source applications should be constrained too, as it is impossible to prove their correctness.
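To make the two ideas above concrete, the following is a constructed systrace policy for a hypothetical binary, `/usr/local/bin/untrusted-tool`. It is an added illustration, not a policy shipped with systrace or taken from this page. The rule syntax (`native-<syscall>: <condition> then <action>`, with `permit`, `deny[errno]` and `ask`) is systrace's own; the program path, file paths and the particular set of system calls are assumptions chosen to show the shape of a policy that was first generated interactively and then tightened for sandboxing.

```text
# Constructed example policy for a hypothetical program; not from the page.
# Each rule is checked in order for the named system call. Anything that
# matches no rule falls through to the default, which is to ask the user
# (the "alarm" the text describes), so every unexpected operation surfaces.
Policy: /usr/local/bin/untrusted-tool, Emulation: native
	# Read-only access to shared libraries and the allocator config.
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename eq "/etc/malloc.conf" then permit
	# The tool has no business reading account data: fail it with ENOENT
	# so the program sees a harmless "file not found" rather than a crash.
	native-fsread: filename eq "/etc/passwd" then deny[enoent]
	# Writes are confined to one scratch directory and the terminal.
	native-fswrite: filename match "/tmp/sandbox/*" then permit
	native-fswrite: filename eq "/dev/tty" then permit
	# Plain process housekeeping that every dynamically linked program needs.
	native-mmap: permit
	native-munmap: permit
	native-mprotect: permit
	native-fstat: permit
	native-close: permit
	native-read: permit
	native-write: permit
	native-exit: permit
	# Outbound network connections are refused outright with EACCES.
	native-connect: sockaddr match "inet-*" then deny[eacces]
	# Explicitly keep asking for execve so a new child program is never
	# launched without the user seeing it, even in non-interactive runs.
	native-execve: ask
```

Systrace looks for a program's policy under `~/.systrace/`, in a file named after the binary path with slashes replaced by underscores (here `usr_local_bin_untrusted-tool`). A policy like this is typically produced by running the program once under interactive prompting and answering each alarm, then edited by hand to turn the broad `permit` answers into the narrower `match`/`eq` conditions and `deny[...]` rules shown above before the program is run under automatic enforcement.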