Implementation

Kernel part simple and small:

- Policies for system calls are deny, permit or ask.
- Information exported via /dev/systrace.
- Deny and allow are handled in the kernel. Fast path. No need to ask userland.
- Several requests supported (via ioctl):
  - Attach to a process.
  - Detach from a process.
  - Answer a policy question: deny or allow.
  - Do memory IO from userland process.
  - Request a new policy or change an existing policy.
  - Report information about monitored process.
  - Replace system call arguments.
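
Added example, not from the original slides or the systrace source: a userland C model of the decision path described above, where deny and permit are settled from the in-kernel table and only ask is put to the userland monitor. All names, the eight-entry table, the EPERM return value and the fail-closed handling of out-of-range calls are assumptions of the model.

```c
/* Added model, not systrace source. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>

enum action { ACT_ASK = 0, ACT_PERMIT, ACT_DENY }; /* zeroed table = ask */
#define MODEL_NSYS 8 /* constructed, tiny system call table */

struct monitor {
    enum action policy[MODEL_NSYS];  /* per-syscall policy held "in kernel" */
    enum action (*ask)(int sysno);   /* stands in for the userland monitor */
    unsigned fast_hits, upcalls;     /* how each decision was reached */
};

/* Models "request a new policy or change an existing policy". */
int policy_set(struct monitor *m, int sysno, enum action a) {
    if (sysno < 0 || sysno >= MODEL_NSYS)
        return -EINVAL;
    m->policy[sysno] = a;
    return 0;
}

/* Decide one call: 0 lets it run, -EPERM refuses it (errno is assumed). */
int syscall_check(struct monitor *m, int sysno) {
    enum action a;
    if (sysno < 0 || sysno >= MODEL_NSYS)
        return -EPERM;               /* model choice: fail closed */
    a = m->policy[sysno];
    if (a != ACT_ASK) {
        m->fast_hits++;              /* fast path: no userland round trip */
    } else {
        m->upcalls++;                /* slow path: question goes to userland */
        a = m->ask ? m->ask(sysno) : ACT_DENY;
        if (a == ACT_ASK)
            a = ACT_DENY;            /* an answer must be deny or allow */
    }
    return a == ACT_PERMIT ? 0 : -EPERM;
}

/* Constructed userland answer: allow call 3, deny everything else. */
enum action sample_monitor(int sysno) { return sysno == 3 ? ACT_PERMIT : ACT_DENY; }

int main(void) {
    struct monitor m = { .ask = sample_monitor };
    policy_set(&m, 1, ACT_PERMIT);
    policy_set(&m, 2, ACT_DENY);
    int r1 = syscall_check(&m, 1), r2 = syscall_check(&m, 2);
    int r3 = syscall_check(&m, 3);
    printf("%d %d %d fast=%u upcalls=%u\n", r1, r2, r3, m.fast_hits, m.upcalls);
    return 0;
}
```

The counters show the split: calls with a deny or permit entry never reach the callback, and the monitor is consulted only for entries left at ask.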