On Fri, May 02, 2014 at 07:45:44PM +0000, Luck, Tony wrote:
> > It would be useful for the smaller build case to have a way of auditing
> > which syscalls are actually in use on a system so you can then go
> > through and construct a minimal config.
>
> "strace -c" ?

That works for specific processes but I don't immediately see a
straightforward way to do it system wide (I guess a wrapper that straces
init and children might do the trick but it's not particularly nice).
Part of the trick for getting the general security win is to lower the
barrier to entry.