[compsciphd]

this has been done for ages with a simple kernel module that just wraps the real kernel syscall, no binary changes needed.

example how we used it in early 2000s to implement pre linux namespace containerization.

https://www.usenix.org/legacy/publications/library/proceedin... (note the shepherd and where kubernetes arguably got the pod name from).

and security policies on top of it

https://www.usenix.org/legacy/event/lisa07/tech/full_papers/...