What is the best way to make a system call from a tracer such that the system call is executed as if called by the tracee? I would prefer to do this without writing to the text pages of the tracee.
If the tracee process is a dynamic executable, the dynamic linker is guaranteed to have the instruction for a system call. The tracer can find that and set the instruction pointer to it. A static executable would in practice have the instruction somewhere in the text.
If the best way is to write the system call instruction to the text, does PTRACE_POKETEXT automatically change the target page to writable? If it doesn't, we have a chicken and egg problem. If it does, is the tracer responsible for changing the page back to read-only?
Your idea could actually work for many system calls. You need to understand the exact calling convention -- you have to use ptrace() to load the registers of the tracee with the parameters(*). Find a system call instruction (**), the one that drops from user mode to kernel mode, and set a breakpoint after. Now set the instruction pointer register to the address of the system call instruction and tell the tracee process to execute - when it returns from the system call execution will hit your breakpoint and the tracing process can get control back and can examine the return value and do what's appropriate. To cleanup you'll need to remove the breakpoint and set the registers back to their original values, including the instruction pointer.
(*) Some system calls have too many parameters to fit in registers, mmap() comes to mind, make sure and deal with those cases.
(**) If you can disassemble libc.so, find some system calls (open, read, write, socket, mmap, etc.) in the disassembly and look at them. Each one has a system call instruction in it.