In Google's NaCl (native client) SDK there is sel_ldr.py (secure elf loader), which allows a user to run a NaCl executable ( .nexe ) created through the NaCl or PNaCl toolchain. What exactly does sel_ldr.py do while running these .nexe files?

Specifically how does sel_ldr handle operating system calls of the NaCl executables? Reading NaCl documentation most of the information pertains to using the pepper API to create Chrome browser portable applications, and there is not much detail on how the sel_ldr service-runtime handles these NaCl executables.

I have created many NaCl executables that while running in sel_ldr can create directories, files, pipe, sleep, and use various other system calls and it works correctly. I know native client itself monitors system calls. Is that monitoring done through the use of the pepper API or does sel_ldr.py intercept and redirect system calls to NaCl's own system call implementations within its service-runtime sandbox?