Palantir restricts various system calls (syscalls) from running inside our infrastructure through Secure Computing Mode (seccomp). Seccomp is a security feature in the Linux kernel that allows system call (syscall) restrictions to apply to a process or container.
Seccomp filters provide a way to allowlist the syscalls that a container can make and allows for multiple methods of handling non-allowlisted syscalls, including LOG
, KILL
, and ERRNO
profiles:
LOG
allows non-allowlisted syscalls to run but logs them to auditd/osquery for process auditing.KILL
terminates any process that makes a non-allowlisted syscall.ERRNO
prevents a syscall from running, but does not generate a logging event.Seccomp allows us to reduce the attack surface of a container by preventing/logging syscalls considered to be unsafe or that can be used to escape a container. Doing so provides an additional layer of security between the container and the host as well as between containers. Below, you will find a list of the syscalls we automatically block in the Palantir platform.
If your application makes a syscall listed below, the process will be terminated and our incident response team will be notified. If your use case requires use of these syscalls, contact Palantir support for assistance.
Linux call | Description |
---|---|
ACCT ↗ | Enables or disables Berkeley Software Distribution (BSD) style accounting. |
ADD_KEY ↗ | Creates a key in the kernel. If a key already exists, it will be updated. |
AFS_SYSCALL ↗ | Unimplemented |
BPF ↗ | Performs operations on the Berkeley Packet Filters. |
CLOCK_SETTIME ↗ | Sets the time of a specified clock (clockid). |
CREATE_MODULE ↗ | Deprecated post 2.6; kernel creates a loadable module entry. |
DELETE_MODULE ↗ | Attempts to remove an unused, loadable module by name. |
FANOTIFY_INIT ↗ | Requires CAP_SYS_ADMIN; creates a fanotify group and returns a descriptor for the event queue. |
FINIT_MODULE ↗ | Loads an ELF image into kernel space and performs sym relocation. |
GETPMSG ↗ | Unimplemented |
GET_KERNEL_SYMS ↗ | Deprecated post 2.6; copies kernel syms to a table. |
GET_MEMPOLICY ↗ | Retrieves the non-uniform memory access (NUMA) policy for a thread; NUMA nodes have separate memory controller per NUMA, and crossing nodes is slow. |
INIT_MODULE ↗ | Loads an ELF image into kernel space. |
IOPERM ↗ | Sets port input/output perms; i386 only. |
IOPL ↗ | Deprecated for ioperm i386 only; changes I/O privilege level. |
KCMP ↗ | Compares two processes to determine if they share kernel resources (Virtual Memory, for example). |
KEXEC_FILE_LOAD ↗ | Loads a new kernel that can be executed by reboot. |
KEXEC_LOAD ↗ | Loads a new kernel that can later be executed by reboot. |
KEYCTL ↗ | Manipulates the kernel key management facility from user space. |
LOOKUP_DCOOKIE ↗ | Returns a directory entry path. |
MBIND ↗ | Set a memory policy for a memory range; used with Numa nodes. |
MIGRATE_PAGES ↗ | Moves all pages in a process to another set of nodes; requires CAP_SYS_NICE. |
MSGRCV ↗ | System V message queue operations. |
MOUNT ↗ | Mounts a filesystem; requires CAP_SYS_ADMIN. |
MOVE_PAGES ↗ | Moves individual pages of a process to another node. |
NAME_TO_HANDLE_AT ↗ | Obtains a handle for a pathname and opens file via a handle. |
NFSSERVCTL ↗ | Deprecated as of Linux 3.1; interface to the Kernel NFS Daemon. |
OPEN_BY_HANDLE_AT ↗ | Similar to NAME_TO_HANDLE_AT; instead of returning the handle, opens the file using the handle. |
PERF_EVENT_OPEN ↗ | Sets up performance monitoring. |
PIVOT_ROOT ↗ | Changes the root mount; requires CAP_SYS_ADMIN. |
PKEY_ALLOC ↗ | Allocates or frees a protection key. |
PKEY_FREE ↗ | Allocates or frees a protection key. |
PKEY_MPROTECT ↗ | Sets protection on a region of memory. |
PROCESS_VM_READV ↗ | Transfers data between process address spaces. |
PROCESS_VM_WRITEV ↗ | Transfers data between process address spaces. |
PUTPMSG ↗ | Unimplemented |
QUERY_MODULE ↗ | Deprecated in 2.6; queries the kernel for various information pertaining to modules. |
QUOTACTL ↗ | Manipulates disk quotes; requires CAP_SYS_ADMIN. |
REBOOT ↗ | Reboots or enables the reboot keystroke (CTRL-ALT-DEL). |
REQUEST_KEY ↗ | Requests a key form the kernel's key management facility. |
SECURITY ↗ | Unimplemented |
SETDOMAINNAME ↗ | Gets or sets NIS domain name; requires CAP_SYS_ADMIN. |
SETHOSTNAME ↗ | Gets or sets the hostname; requires CAP_SYS_ADMIN. |
SETNS ↗ | Reallocates a thread with a name space; must have CAP_SYS_ADMIN in the desired namespace. |
SETSID ↗ | Creates a session and sets the process group ID. |
SETTIMEOFDAY ↗ | Sets the time of day and timezone/CAP_SYS_TIME. |
SET_MEMPOLICY ↗ | Sets default NUMA memory policy. |
SWAPOFF ↗ | Disables swap on a file/device; requires CAP_SYS_ADMIN. |
SWAPON ↗ | Enables swap on a file/device; requires CAP_SYS_ADMIN. |
SYSFS ↗ | Gets filesystem type information. |
SYSLOG ↗ | Reads and/or clears kernel message ring buffer. |
TUXCALL ↗ | Unimplemented |
UMOUNT2 ↗ | Umounts a filesystem; requires CAP_SYS_ADMIN. |
UNSHARE ↗ | Disassociates parts of the process execution context; some, but not all, options require CAP_SYS_ADMIN. |
USELIB ↗ | Deprecated; loads a shared library to be used by calling process. |
USERFAULTFD ↗ | Creates a file descriptor for handling page faults in user space. |
USTAT ↗ | Deprecated; gives filesystem stats. |
VHANGUP ↗ | Virtually disconnects a terminal; requires CAP_SYS_TTY_CONFIG. |
VSERVER ↗ | Unimplemented |
_SYSCTL ↗ | Deprecated; reads and writes system parameters. |