Implementation

Policies can return error codes for denied system calls.
Behavior of application changes dependent on returned error codes.

EACCESS: Access to file is not permitted.
ENOENT: File does not exist.

Automatic Policy Generation:
Random components:

mkstemp("/tmp/confXXXXXX") -> /tmp/confJ31A69

Post processing required:
native-fswrite: filename eq "/tmp/confJ31A69" then permit
needs to be changed to
native-fswrite: filename match "/tmp/conf*" then permit

Difficult to exhaust all code paths, so use automatic and interactive policy generation together.