System calls allowed by CodeSafe 5 SEE machines
SEE machines are restricted to a subset of Linux system calls they can execute.
An SEE machine that attempts to execute a system call that is not allowed will be immediately terminated by a safeguarding process.
The whitelisted system calls are given in the following table, with their number and name.
Whitelisted System Calls | |
---|---|
1 __NR_exit |
2 __NR_fork |
3 __NR_read |
4 __NR_write |
5 __NR_open |
6 __NR_close |
7 __NR_waitpid |
8 __NR_creat |
9 __NR_link |
10 __NR_unlink |
11 __NR_execve |
12 __NR_chdir |
13 __NR_time |
15 __NR_chmod |
19 __NR_lseek |
20 __NR_getpid |
21 __NR_mount |
22 __NR_umount |
24 __NR_getuid |
29 __NR_pause |
33 __NR_access |
36 __NR_sync |
37 __NR_kill |
38 __NR_rename |
39 __NR_mkdir |
40 __NR_rmdir |
41 __NR_dup |
42 __NR_pipe |
45 __NR_brk |
47 __NR_getgid |
49 __NR_geteuid |
50 __NR_getegid |
54 __NR_ioctl |
55 __NR_fcntl |
60 __NR_umask |
63 __NR_dup2 |
64 __NR_getppid |
65 __NR_getpgrp |
66 __NR_setsid |
78 __NR_gettimeofday |
83 __NR_symlink |
85 __NR_readlink |
88 __NR_reboot |
90 __NR_mmap |
91 __NR_munmap |
94 __NR_fchmod |
99 __NR_statfs |
102 __NR_socketcall |
106 __NR_stat |
107 __NR_lstat |
108 __NR_fstat |
114 __NR_wait4 |
119 __NR_sigreturn |
120 __NR_clone |
122 __NR_uname |
125 __NR_mprotect |
140 __NR_llseek |
141 __NR_getdents |
145 __NR_readv |
146 __NR_writev |
160 __NR_sched_get_priority_min |
162 __NR_nanosleep |
163 __NR_mremap |
167 __NR_poll |
172 __NR_rt_sigreturn |
173 __NR_rt_sigaction |
174 __NR_rt_sigprocmask |
175 __NR_rt_sigpending |
176 __NR_rt_sigtimedwait |
177 __NR_rt_sigqueueinfo |
178 __NR_rt_sigsuspend |
179 __NR_pread64 |
181 __NR_chown |
182 __NR_getcwd |
185 __NR_sigaltstack |
190 __NR_ugetrlimit |
195 __NR_stat64 |
196 __NR_lstat64 |
197 __NR_fstat64 |
202 __NR_getdents64 |
204 __NR_fcntl64 |
205 __NR_madvise |
207 __NR_gettid |
221 __NR_futex |
229 __NR_io_getevents |
232 __NR_set_tid_address |
234 __NR_exit_group |
246 __NR_clock_gettime |
250 __NR_tgkill |
252 __NR_statfs64 |
281 __NR_ppoll |
286 __NR_openat |
300 __NR_set_robust_list |
326 __NR_socket |
327 __NR_bind |
328 __NR_connect |
329 __NR_listen |
330 __NR_accept |
331 __NR_getsockname |
332 __NR_getpeername |
333 __NR_socketpair |
334 __NR_send |
335 __NR_sendto |
336 __NR_recv |
337 __NR_recvfrom |
338 __NR_shutdown |
339 __NR_setsockopt |
340 __NR_getsockopt |
341 __NR_sendmsg |
342 __NR_recvmsg |
343 __NR_recvmmsg |
344 __NR_accept4 |
349 __NR_sendmmsg |
359 __NR_getrandom (See note) |
365 __NR_membarrier |
getrandom is not implemented in nShield 5.
Use either /dev/random or the Cmd_GenerateRandom nCore command instead.
|