For complicated applications, it is difficult to know the correct policy before running them. Systrace starts by notifying the user about all system calls that an applications tries to make. The user then configures a policy for the specific system call that caused the warning. After a few minutes, a policy is generated that allows the application to run without any warnings. However, events that are not covered still generate a warning. Normally, that is an indication of a security problem.
With systrace untrusted binary applications can be sandboxed. It is possible to restrict their access to the system almost arbitrarily. Sandboxing applications that are available only in binary format is encouraged as it is not possible to directly analyze what they are designed to do. But large open-source applications should be constrained too as it is impossible to prove their correctness.
