Implementation Kernel part simple and small: Policies for system calls are deny, permit or ask Information exported via /dev/systrace Deny and permit are handled in the kernel. Fast path. No need to ask user-space policy daemon. Initial policy is to ask for all system calls. User space policy daemon: Receives request. Looks up policy. Translates the system call arguments.