Resource restriction systems and methods

US9811381B2 · US · B2

Patent metadata

  Publication number: US-9811381-B2
  Application number: US-201615219052-A
  Country: US
  Kind code: B2
  Filing date: Jul 25, 2016
  Priority date: Aug 4, 2006
  Publication date: Nov 7, 2017
  Grant date: Nov 7, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related to resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data.

Claims

Full claim text as published (claims 1 to 20).

What is claimed is:

  1. A method comprising: receiving an execution call to an operating system for launching an application, the execution call associated with resource request data that identifies a user; intercepting the execution call using an operating system kernel service; from the operating system kernel service, providing the resource request data to a resource agent; receiving launch data from the resource agent in response; and granting or denying the execution call based on the launch data, wherein the resource agent is configured to execute in a user space outside the operating system kernel and perform operations comprising: determining whether the launching of the application is restricted for the user based at least in part on the resource request data provided by the operating system kernel service; and generating the launch data based on the determination.

  2. The method of claim 1, wherein the operating system kernel service is configured to communicate with the resource agent via a kernel control socket.

  3. The method of claim 2, wherein the kernel control socket is a root-owned socket.

  4. The method of claim 1 further comprising: determining if the launch data is received before expiration of a time period; and if the launch data is not received before the expiration of the time period, only granting the execution call if the application is an allowed application.

  5. The method of claim 4, wherein an allowed application is defined by an application path.

  6. The method of claim 1, wherein the resource agent determines whether the launching of the application is restricted further based on one or more launch restrictions.

  7. The method of claim 6, wherein the launch restrictions are defined by at least one of an application path and an application hash.

  8. The method of claim 1, wherein the resource agent includes a user agent that is specific to the user.

  9. The method of claim 1, wherein the resource request data comprises data identifying the execution call.

  10. The method of claim 1, wherein the operating system kernel service includes a launch restriction extension of an operating system kernel.

  11. A non-transitory machine readable medium storing an operating system kernel service for execution by at least one processing unit, the operating system kernel service comprising sets of instructions for: receiving an execution call to an operating system for launching an application, the execution call associated with resource request data that identifies a user; intercepting the execution call; providing the resource request data to a resource agent; receiving launch data from the resource agent in response; and granting or denying the execution call based on the launch data, wherein the resource agent is configured to execute in a user space outside the operating system kernel and perform operations comprising: determining whether the launching of the application is restricted for the user based at least in part on the resource request data provided by the operating system kernel service; and generating the launch data based on the determination.

  12. The non-transitory machine readable medium of claim 11, wherein the operating system kernel service communicates with the resource agent via a kernel control socket.

  13. The non-transitory machine readable medium of claim 11, wherein the operating system kernel service further comprises sets of instructions for: determining if the launch data is received before expiration of a time period; and if the launch data is not received before the expiration of the time period, only granting the execution call if the application is an allowed application.

  14. The non-transitory machine readable medium of claim 13, wherein an allowed application is defined by an application path.

  15. The non-transitory machine readable medium of claim 11, wherein the resource agent includes a user agent that is specific to the user.

  16. An electronic device comprising: a set of processing units for executing sets of instructions; and a non-transitory machine readable medium storing an operating system kernel service for execution by at least one of the processing units, the operating system kernel service comprising sets of instructions for: receiving an execution call to an operating system for launching an application, the execution call associated with resource request data that identifies a user; intercepting the execution call; providing the resource request data to a resource agent; receiving launch data from the resource agent in response; and granting or denying the execution call based on the launch data, wherein the resource agent is configured to execute in a user space outside the operating system kernel and perform operations comprising: determining whether the launching of the application is restricted for the user based at least in part on the resource request data provided by the operating system kernel service; and generating the launch data based on the determination.

  17. The electronic device of claim 16, wherein the resource agent determines whether the launching of the application is restricted further based on one or more launch restrictions.

  18. The electronic device of claim 17, wherein the launch restrictions are defined by at least one of an application path and an application hash.

  19. The electronic device of claim 16, wherein the resource request data comprises data identifying the execution call.

  20. The electronic device of claim 16, wherein the operating system kernel service includes a launch restriction extension of an operating system kernel.
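The exchange in claims 1, 4, 5 and 7, as an added example that is not the patent's or the assignee's code: a user-space simulation in which a stand-in kernel service intercepts an exec call, forwards the user, application path and content hash to a resource agent, and, when no launch data arrives within the time period, grants only applications on an allowed-path list. Class names, message fields, the simulated latency and the sample restriction data are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class LaunchRestrictions:
    """Per-user launch restrictions keyed by path or content hash (claim 7)."""
    blocked_paths: set = field(default_factory=set)
    blocked_hashes: set = field(default_factory=set)


class ResourceAgent:
    """User-space resource agent: turns resource request data into launch data."""

    def __init__(self, restrictions_by_user, response_delay_s=0.0):
        self.restrictions_by_user = restrictions_by_user
        self.response_delay_s = response_delay_s  # simulated agent latency

    def handle_request(self, request):
        rules = self.restrictions_by_user.get(request["user"])
        if rules is None:
            return {"allow": True}  # no restrictions recorded for this user
        restricted = (request["path"] in rules.blocked_paths
                      or request["sha256"] in rules.blocked_hashes)
        return {"allow": not restricted}


class KernelService:
    """Stand-in for the kernel extension: intercepts the exec call, forwards
    the request data, and applies the timeout rule of claims 4 and 5."""

    def __init__(self, agent, allowed_paths, timeout_s=0.5):
        self.agent = agent
        self.allowed_paths = set(allowed_paths)  # allowed apps by path (claim 5)
        self.timeout_s = timeout_s

    def intercept_exec(self, user, path, content):
        request = {"user": user, "path": path,
                   "sha256": hashlib.sha256(content).hexdigest()}
        # Simulated kernel control socket round trip with a deadline.
        if self.agent.response_delay_s > self.timeout_s:
            return path in self.allowed_paths  # no launch data in time: allow-list only
        return self.agent.handle_request(request)["allow"]


# Constructed sample data (not from the patent).
GAME = b"constructed game binary"
RESTRICTIONS = {"child": LaunchRestrictions(
    blocked_paths={"/Applications/Game.app"},
    blocked_hashes={hashlib.sha256(GAME).hexdigest()})}
ALLOWED = ["/Applications/TextEdit.app"]
```

Blocking by hash as well as path is what stops a restricted user from bypassing a path rule by copying the binary elsewhere.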

Assignees

  • Apple Inc

Inventors

Classifications

  • H04L63/104 (primary): Grouping of entities · CPC title

  • Providing cryptographic facilities or services · CPC title

  • Program or device authentication · CPC title

  • Interprogram communication · CPC title

  • G06F9/5005 (primary): to service a request · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9811381B2 cover?
Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource …
Who is the assignee on this patent?
Apple Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/104. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 7, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).