Is there a good way to empirically determine the additional calls required for an application, sort of like selinux permissive mode? We're often running user code on our servers, and we'd like to perform analysis and gradually roll out filtering. We'd like to be as non-disruptive as possible.