System calls allowed by CodeSafe 5 applications
CodeSafe 5 applications are restricted to a subset of Linux system calls (syscalls) which they are permitted to execute.
Denied System Calls
Any denied syscalls fail by returning -1 and setting errno to the value 38, which denotes ENOSYS (Function not implemented).
This behavior applies in v13.7 firmware and later; before this, the SIGSYS signal was raised instead when a denied syscall was attempted.
Denying with ENOSYS (rather than raising a signal) allows applications to fall back gracefully to allowed alternative syscalls.
Library code (including the C library itself) often supports several alternative syscalls for an operation to maintain compatibility across platforms and kernel versions.
This enables security restrictions to be enforced while making it more likely that general-purpose library or application code can work with minimal modification in the restricted CodeSafe environment.
For example, the getrandom syscall is not supported in CodeSafe 5 and will fail with ENOSYS.
This prevents applications from accidentally using the Linux kernel’s non-HSM RNG.
To obtain random data from the HSM RNG instead, use either the Cmd_GenerateRandom nCore command, or /dev/random or /dev/urandom within the CodeSafe 5 application.
Many libraries fall back to /dev/random or /dev/urandom if the getrandom syscall (or the getentropy C library wrapper, which uses getrandom) fails with ENOSYS, allowing them to continue working without modification while still using the HSM-backed RNG.
If a library does not automatically fall back, configure it explicitly to use /dev/random. The /dev/random device is always seeded and fully initialized before the CodeSafe 5 application container starts.
When cross-compiling recent versions of OpenSSL, pass --with-rand-seed=devrandom to the Configure script to ensure /dev/random is used.
OpenSSL no longer falls back automatically when getentropy returns ENOSYS, so this option is required to avoid runtime failures.
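The fallback described above can be written as follows. This is an added example, not code from the CodeSafe documentation or SDK: `fill_random`, `read_device` and `denied_getrandom` are hypothetical names, and `denied_getrandom` is a constructed stand-in that mimics the ENOSYS denial so the fallback path can be exercised on an ordinary Linux host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/* Signature of getrandom(2); lets the primitive be swapped for a stand-in. */
typedef ssize_t (*getrandom_fn)(void *buf, size_t len, unsigned int flags);

/* Constructed stand-in for the CodeSafe 5 syscall filter: deny with ENOSYS. */
ssize_t denied_getrandom(void *buf, size_t len, unsigned int flags) {
    (void)buf; (void)len; (void)flags;
    errno = ENOSYS;
    return -1;
}

/* Read exactly len bytes from an RNG device, retrying on EINTR/short reads. */
static int read_device(const char *path, unsigned char *buf, size_t len) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }   /* error or unexpected EOF */
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Returns 0 if the syscall filled buf, 1 if the device fallback did,
 * -1 on failure (buf must then be treated as unusable). */
int fill_random(unsigned char *buf, size_t len, getrandom_fn sys_rng,
                const char *device) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = sys_rng(buf + off, len - off, 0);
        if (n > 0) { off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS)           /* denied: use the device */
            return read_device(device, buf, len) == 0 ? 1 : -1;
        return -1;      /* any other error: fail closed, never weak bytes */
    }
    return 0;
}

int main(void) {
    unsigned char key[32];
    int how = fill_random(key, sizeof key, getrandom, "/dev/random");
    if (how < 0) { perror("fill_random"); return 1; }
    printf("32 bytes via %s\n", how ? "/dev/random fallback" : "getrandom");
    return 0;
}
```

Only ENOSYS triggers the fallback; any other error from the syscall or the device returns -1 rather than leaving the buffer partially filled and in use.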
Allowed System Calls
The table below lists all system calls allowed in CodeSafe 5 applications, including each syscall number, name, a link to the Linux documentation page, a broad operation category, and the firmware version in which it was first allowed in CodeSafe 5.
| Syscall Number | Syscall Name | Category | Comment |
|---|---|---|---|
| 1 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 2 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 3 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.4 |
| 4 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.4 |
| 5 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 6 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 7 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 8 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 9 | | File System: File Links and Symlinks | Allowed in CodeSafe 5 since v13.4 |
| 10 | | File System: File Links and Symlinks | Allowed in CodeSafe 5 since v13.4 |
| 11 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 12 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 13 | | Time & Timers: System Time Access & Adjustment | Allowed in CodeSafe 5 since v13.4 |
| 15 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.4 |
| 16 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.7 |
| 19 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 20 | | Process Management: Process Lifecycle & Waiting | Allowed in CodeSafe 5 since v13.4 |
| 24 | | Resource Control & Permissions: User & Group Identifiers | Allowed in CodeSafe 5 since v13.4 |
| 27 | | Time & Timers: Timers & Sleep Functions | Allowed in CodeSafe 5 since v13.7 |
| 29 | | Process Management: Process Lifecycle & Waiting | Allowed in CodeSafe 5 since v13.4 |
| 30 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 33 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.4 |
| 34 | | Process Management: Scheduling & Prioritization | Allowed in CodeSafe 5 since v13.7 (to reduce priority only) |
| 36 | | File System: Filesystem Synchronization | Allowed in CodeSafe 5 since v13.4 |
| 37 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 38 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 39 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 40 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 41 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 42 | | Inter-Process Communication: Shared Memory, Pipes & Events | Allowed in CodeSafe 5 since v13.4 |
| 43 | | Resource Control & Permissions: Resource Limits | Allowed in CodeSafe 5 since v13.7 |
| 45 | | Memory Management: Memory Management Operations | Allowed in CodeSafe 5 since v13.4 |
| 47 | | Resource Control & Permissions: User & Group Identifiers | Allowed in CodeSafe 5 since v13.4 |
| 49 | | Resource Control & Permissions: User & Group Identifiers | Allowed in CodeSafe 5 since v13.4 |
| 50 | | Resource Control & Permissions: User & Group Identifiers | Allowed in CodeSafe 5 since v13.4 |
| 54 | | Device Control: Character Device Operations | Allowed in CodeSafe 5 since v13.4 |
| 55 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 57 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.7 |
| 60 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.4 |
| 63 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 64 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.4 |
| 65 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.4 |
| 66 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.4 |
| 75 | | Resource Control & Permissions: Resource Limits | Allowed in CodeSafe 5 since v13.7 (to reduce resource limits only) |
| 77 | | Resource Control & Permissions: Resource Limits | Allowed in CodeSafe 5 since v13.7 |
| 78 | | Time & Timers: System Time Access & Adjustment | Allowed in CodeSafe 5 since v13.4 |
| 80 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.5 |
| 83 | | File System: File Links and Symlinks | Allowed in CodeSafe 5 since v13.4 |
| 85 | | File System: File Links and Symlinks | Allowed in CodeSafe 5 since v13.4 |
| 88 | | Process Management: Process Control | Allowed in CodeSafe 5 since v13.4 |
| 90 | | Memory Management: Memory Mapping | Allowed in CodeSafe 5 since v13.4 |
| 91 | | Memory Management: Memory Mapping | Allowed in CodeSafe 5 since v13.4 |
| 92 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 93 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 94 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.4 |
| 95 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.7 |
| 96 | | Process Management: Scheduling & Prioritization | Allowed in CodeSafe 5 since v13.5 |
| 97 | | Process Management: Scheduling & Prioritization | Allowed in CodeSafe 5 since v13.7 (to reduce priority only) |
| 99 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.4 |
| 100 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 102 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 104 | | Time & Timers: Timers & Sleep Functions | Allowed in CodeSafe 5 since v13.7 |
| 105 | | Time & Timers: Timers & Sleep Functions | Allowed in CodeSafe 5 since v13.7 |
| 106 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.4 |
| 107 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.4 |
| 108 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.4 |
| 114 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 117 | | Inter-Process Communication: Compatibility Interfaces | Allowed in CodeSafe 5 since v13.5 |
| 118 | | File System: Filesystem Synchronization | Allowed in CodeSafe 5 since v13.7 |
| 120 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 122 | | Miscellaneous System Functions: Utility & System Info | Allowed in CodeSafe 5 since v13.4 |
| 125 | | Memory Management: Memory Mapping | Allowed in CodeSafe 5 since v13.4 |
| 132 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.7 |
| 133 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.7 |
| 140 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.4 |
| 141 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 142 | | Networking & Socket Operations: I/O Multiplexing & Readiness | Allowed in CodeSafe 5 since v13.7 |
| 143 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 144 | | Memory Management: Memory Mapping | Allowed in CodeSafe 5 since v13.7 |
| 145 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.4 |
| 146 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.4 |
| 147 | | Resource Control & Permissions: Session & Group Management | Allowed in CodeSafe 5 since v13.7 |
| 148 | | File System: Filesystem Synchronization | Allowed in CodeSafe 5 since v13.7 |
| 158 | | Process Management: Scheduling & Prioritization | Allowed in CodeSafe 5 since v13.7 |
| 162 | | Time & Timers: Timers & Sleep Functions | Allowed in CodeSafe 5 since v13.4 |
| 163 | | Memory Management: Memory Mapping | Allowed in CodeSafe 5 since v13.4 |
| 167 | | Networking & Socket Operations: I/O Multiplexing & Readiness | Allowed in CodeSafe 5 since v13.4 |
| 172 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 173 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 174 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 175 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 176 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 177 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 178 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 179 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.4 |
| 180 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.7 |
| 181 | | File System: Access Control and Permissions | Allowed in CodeSafe 5 since v13.4 |
| 182 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 185 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 186 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.7 |
| 190 | | Resource Control & Permissions: Resource Limits | Allowed in CodeSafe 5 since v13.4 |
| 202 | | File System: Directory Operations | Allowed in CodeSafe 5 since v13.4 |
| 205 | | Memory Management: Memory Mapping | Allowed in CodeSafe 5 since v13.4 |
| 207 | | Process Management: Process Lifecycle & Waiting | Allowed in CodeSafe 5 since v13.4 |
| 208 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.5 |
| 221 | | Process Management: Synchronization | Allowed in CodeSafe 5 since v13.4 |
| 232 | | Process Management: Thread/Process Context Operations | Allowed in CodeSafe 5 since v13.4 |
| 234 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.4 |
| 236 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 237 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 238 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 246 | | Time & Timers: Clock Management & Resolution | Allowed in CodeSafe 5 since v13.4 |
| 247 | | Time & Timers: Clock Management & Resolution | Allowed in CodeSafe 5 since v13.7 |
| 248 | | Time & Timers: Clock Management & Resolution | Allowed in CodeSafe 5 since v13.7 |
| 250 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.4 |
| 251 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 252 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.4 |
| 253 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 272 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.7 |
| 280 | | Networking & Socket Operations: I/O Multiplexing & Readiness | Allowed in CodeSafe 5 since v13.7 |
| 281 | | Networking & Socket Operations: I/O Multiplexing & Readiness | Allowed in CodeSafe 5 since v13.4 |
| 286 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.4 |
| 287 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 289 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 291 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 292 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 293 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 294 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 295 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 296 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 297 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 298 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 303 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 304 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.5 |
| 307 | | Inter-Process Communication: Shared Memory, Pipes & Events | Allowed in CodeSafe 5 since v13.7 |
| 309 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 315 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.5 |
| 316 | | File System: File Descriptor & Control Operations | Allowed in CodeSafe 5 since v13.7 |
| 317 | | Inter-Process Communication: Shared Memory, Pipes & Events | Allowed in CodeSafe 5 since v13.7 |
| 320 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.7 |
| 321 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.7 |
| 322 | | Process Management: Signal Handling | Allowed in CodeSafe 5 since v13.7 |
| 325 | | Resource Control & Permissions: Resource Limits | Allowed in CodeSafe 5 since v13.7 (to reduce resource limits only) |
| 326 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 327 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 328 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 329 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 330 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 331 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 332 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 333 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 334 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 335 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 336 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 337 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 338 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 339 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 340 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 341 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 342 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 343 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 344 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 348 | | File System: Filesystem Synchronization | Allowed in CodeSafe 5 since v13.7 |
| 349 | | Networking & Socket Operations: Socket Management & Data Transfer | Allowed in CodeSafe 5 since v13.4 |
| 357 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |
| 362 | | Process Management: Process Creation & Termination | Allowed in CodeSafe 5 since v13.7 |
| 365 | | Process Management: Synchronization | Allowed in CodeSafe 5 since v13.4 |
| 380 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.7 |
| 381 | | File System: Read/Write Operations | Allowed in CodeSafe 5 since v13.7 |
| 383 | | File System: Metadata & Filesystem Attributes | Allowed in CodeSafe 5 since v13.7 |