(I am cc:ing both lists, as I think the groups overlap, and both have the same concerns)
A choice of either a dynamic library (with LD_PRELOAD) or running it under a "sandboxify" application.
If nothing else, this may simplify finding out the syscalls that are in use. If there is interest, I could iterate (e.g.) gpsmon or ntpq, to estimate the smallest number of syscalls required.
I am not sure how portable this will be, as we support multiple OS kernels.