Palantir restricts various system calls (syscalls) from running inside our infrastructure through Secure Computing Mode (seccomp). Seccomp is a security feature of the Linux kernel that applies syscall restrictions to a process or container.
Seccomp filters provide a way to allowlist the syscalls that a container can make and allow for multiple methods of handling non-allowlisted syscalls, including LOG, KILL, and ERRNO profiles:

- LOG allows non-allowlisted syscalls to run but logs them to auditd/osquery for process auditing.
- KILL terminates any process that makes a non-allowlisted syscall.
- ERRNO prevents a syscall from running, but does not generate a logging event.

Seccomp allows us to reduce the attack surface of a container by preventing or logging syscalls considered to be unsafe or that can be used to escape a container. Doing so provides an additional layer of security between the container and the host as well as between containers. Below, you will find a list of the syscalls we automatically block in the Palantir platform.
If your application makes a syscall listed below, the process will be terminated and our incident response team will be notified. If your use case requires use of these syscalls, contact Palantir support for assistance.
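The LOG and KILL actions described above surface as `type=SECCOMP` records in auditd. The following is an added example (not part of Palantir's documentation or tooling) that parses such records, decodes which seccomp action the kernel took from the `code` field, and names the syscall. The audit lines and the x86_64 syscall-number subset are constructed for the example.

```python
import re

# Constructed subset of x86_64 syscall numbers for calls in the blocklist
# (assumption: arch=c000003e, i.e. x86_64, in the audit record).
SYSCALL_NAMES = {
    163: "acct", 165: "mount", 166: "umount2", 169: "reboot",
    170: "sethostname", 175: "init_module", 248: "add_key",
    272: "unshare", 308: "setns", 321: "bpf", 323: "userfaultfd",
}

# SECCOMP_RET_* values from <linux/seccomp.h>; the upper 16 bits of the
# record's "code" field identify the action, the lower 16 carry the errno.
ACTION_MASK = 0xFFFF0000
ACTIONS = {
    0x00000000: "KILL_THREAD", 0x80000000: "KILL_PROCESS",
    0x00050000: "ERRNO", 0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Turn one auditd SECCOMP line into a dict; None for other record types."""
    if "type=SECCOMP" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    code = int(fields["code"], 16)
    nr = int(fields["syscall"])
    action = ACTIONS.get(code & ACTION_MASK, f"0x{code:08x}")
    return {
        "pid": int(fields["pid"]),
        "comm": fields.get("comm", "?"),
        "syscall": SYSCALL_NAMES.get(nr, f"nr_{nr}"),
        "action": action,
        "errno": code & 0xFFFF if action == "ERRNO" else None,
    }

def summarize(log_text):
    """Return (syscall, action, pid) for every seccomp decision in the log."""
    events = (parse_seccomp_record(l) for l in log_text.splitlines())
    return [(e["syscall"], e["action"], e["pid"]) for e in events if e]

# Constructed audit excerpt: one KILL, one LOG, one ERRNO, one unrelated record.
SAMPLE_AUDIT = """\
type=SECCOMP msg=audit(1700000000.101:201): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="app" exe="/app/bin/app" sig=9 arch=c000003e syscall=165 compat=0 ip=0x7f3a1c0e3b7b code=0x80000000
type=SECCOMP msg=audit(1700000000.102:202): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4243 comm="sidecar" exe="/usr/bin/sidecar" sig=0 arch=c000003e syscall=321 compat=0 ip=0x7f3a1c0e3b7b code=0x7ffc0000
type=SECCOMP msg=audit(1700000000.103:203): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4244 comm="app" exe="/app/bin/app" sig=0 arch=c000003e syscall=170 compat=0 ip=0x7f3a1c0e3b7b code=0x00050001
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 pid=4245 comm="sh"
"""

if __name__ == "__main__":
    for syscall, action, pid in summarize(SAMPLE_AUDIT):
        print(f"pid={pid} syscall={syscall} action={action}")
```

Note that the ERRNO record here only appears because auditing was enabled for it; as the text above states, the ERRNO profile itself does not generate a logging event.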
| Linux call | Description |
|---|---|
| ACCT | Enables or disables Berkeley Software Distribution (BSD) style accounting. |
| ADD_KEY | Creates a key in the kernel. If a key already exists, it will be updated. |
| AFS_SYSCALL | Unimplemented |
| BPF | Performs operations on Berkeley Packet Filters. |
| CLOCK_SETTIME | Sets the time of a specified clock (clockid). |
| CREATE_MODULE | Deprecated post 2.6; kernel creates a loadable module entry. |
| DELETE_MODULE | Attempts to remove an unused, loadable module by name. |
| FANOTIFY_INIT | Requires CAP_SYS_ADMIN; creates a fanotify group and returns a descriptor for the event queue. |
| FINIT_MODULE | Loads an ELF image into kernel space and performs symbol relocation. |
| GETPMSG | Unimplemented |
| GET_KERNEL_SYMS | Deprecated post 2.6; copies kernel symbols to a table. |
| GET_MEMPOLICY | Retrieves the non-uniform memory access (NUMA) policy for a thread; each NUMA node has its own memory controller, and cross-node access is slow. |
| INIT_MODULE | Loads an ELF image into kernel space. |
| IOPERM | Sets port input/output permissions; i386 only. |
| IOPL | Deprecated in favor of IOPERM; i386 only; changes the I/O privilege level. |
| KCMP | Compares two processes to determine if they share kernel resources (virtual memory, for example). |
| KEXEC_FILE_LOAD | Loads a new kernel that can be executed by reboot. |
| KEXEC_LOAD | Loads a new kernel that can later be executed by reboot. |
| KEYCTL | Manipulates the kernel key management facility from user space. |
| LOOKUP_DCOOKIE | Returns a directory entry path. |
| MBIND | Sets a memory policy for a memory range; used with NUMA nodes. |
| MIGRATE_PAGES | Moves all pages in a process to another set of nodes; requires CAP_SYS_NICE. |
| MSGRCV | System V message queue operations. |
| MOUNT | Mounts a filesystem; requires CAP_SYS_ADMIN. |
| MOVE_PAGES | Moves individual pages of a process to another node. |
| NAME_TO_HANDLE_AT | Obtains a file handle for a pathname; the file can later be opened via the handle. |
| NFSSERVCTL | Deprecated as of Linux 3.1; interface to the kernel NFS daemon. |
| OPEN_BY_HANDLE_AT | Similar to NAME_TO_HANDLE_AT; instead of returning the handle, opens the file using the handle. |
| PERF_EVENT_OPEN | Sets up performance monitoring. |
| PIVOT_ROOT | Changes the root mount; requires CAP_SYS_ADMIN. |
| PKEY_ALLOC | Allocates a protection key. |
| PKEY_FREE | Frees a protection key. |
| PKEY_MPROTECT | Sets protection on a region of memory. |
| PROCESS_VM_READV | Transfers data between process address spaces (reads from another process). |
| PROCESS_VM_WRITEV | Transfers data between process address spaces (writes into another process). |
| PUTPMSG | Unimplemented |
| QUERY_MODULE | Deprecated in 2.6; queries the kernel for various information pertaining to modules. |
| QUOTACTL | Manipulates disk quotas; requires CAP_SYS_ADMIN. |
| REBOOT | Reboots or enables the reboot keystroke (CTRL-ALT-DEL). |
| REQUEST_KEY | Requests a key from the kernel's key management facility. |
| SECURITY | Unimplemented |
| SETDOMAINNAME | Gets or sets the NIS domain name; requires CAP_SYS_ADMIN. |
| SETHOSTNAME | Gets or sets the hostname; requires CAP_SYS_ADMIN. |
| SETNS | Reassociates a thread with a namespace; requires CAP_SYS_ADMIN in the target namespace. |
| SETSID | Creates a session and sets the process group ID. |
| SETTIMEOFDAY | Sets the time of day and timezone; requires CAP_SYS_TIME. |
| SET_MEMPOLICY | Sets the default NUMA memory policy. |
| SWAPOFF | Disables swap on a file/device; requires CAP_SYS_ADMIN. |
| SWAPON | Enables swap on a file/device; requires CAP_SYS_ADMIN. |
| SYSFS | Gets filesystem type information. |
| SYSLOG | Reads and/or clears the kernel message ring buffer. |
| TUXCALL | Unimplemented |
| UMOUNT2 | Unmounts a filesystem; requires CAP_SYS_ADMIN. |
| UNSHARE | Disassociates parts of the process execution context; some, but not all, options require CAP_SYS_ADMIN. |
| USELIB | Deprecated; loads a shared library to be used by the calling process. |
| USERFAULTFD | Creates a file descriptor for handling page faults in user space. |
| USTAT | Deprecated; gives filesystem statistics. |
| VHANGUP | Virtually disconnects a terminal; requires CAP_SYS_TTY_CONFIG. |
| VSERVER | Unimplemented |
| _SYSCTL | Deprecated; reads and writes system parameters. |