Prisma Cloud Compute: App-embedded defender error "operation not permitted" in AWS Fargate
Created On 09/10/24 19:14 PM - Last Modified 02/19/25 17:57 PM
Symptom
An "operation not permitted" error occurs when a user attempts a privileged action, such as changing the UID or running chown, in AWS Fargate tasks where App-embedded Defenders are deployed.
Environment
- Prisma Cloud Compute Edition v33 and below
- Prisma Cloud Enterprise Edition v33 and below
- App-embedded defenders on AWS Fargate
Cause
1. The Defender's enforcement in Fargate restricts each process to a predefined set of system calls, blocking unauthorized or risky ones. This minimizes the attack surface and helps protect against potential threats or exploits.
2. In addition, "no_new_privs" is set so that no process can elevate its privileges, which prevents bypassing the Defender's security mechanisms.
3. For specific system calls, the Defender selectively monitors certain calls and enforces its runtime policies on them.
As a result, several privileged operations are intentionally blocked from running in Fargate. This is expected behavior required by those security constraints.
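The cause above, as an added example that is not Prisma Cloud's own code: a small C program that sets no_new_privs and loads a seccomp-bpf deny-list in a forked child, then reports the errno a chown or setuid call gets back. The article does not name its filtering mechanism, so seccomp and this particular syscall list are assumptions; comparing the filtered and unfiltered runs shows the EPERM comes from the filter, not from the file or the caller's permissions.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed deny-list of privilege-changing syscalls (SYS_chown/SYS_lchown exist on
 * x86_64 but not aarch64, where glibc's chown() uses fchownat instead). */
static const int denied[] = {
    SYS_setuid, SYS_setgid, SYS_setresuid, SYS_setreuid, SYS_fchown, SYS_fchownat,
#ifdef SYS_chown
    SYS_chown, SYS_lchown,
#endif
};
#define NDENIED (sizeof denied / sizeof denied[0])
/* Set no_new_privs, then load a seccomp-bpf program that returns EPERM for every denied
 * syscall and allows the rest. (A production filter also checks seccomp_data.arch.) */
static int install_filter(void) {
    struct sock_filter prog[2 * NDENIED + 2];
    size_t i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t d = 0; d < NDENIED; d++) {   /* nr == denied[d] ? return EPERM : skip to next test */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[d], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* required for unprivileged seccomp */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* The two operations the article reports failing inside the app-embedded Defender. */
int do_setuid(void) { return setuid(getuid()); }   /* normally a permitted no-op */
int do_chown(void)  { return chown("/nonexistent-constructed-path", 0, 0); }   /* normally ENOENT */
/* Run op in a forked child, optionally under the filter; return the errno the child saw
 * (0 on success, -1 if the probe itself could not run). */
int probe_errno(int (*op)(void), int with_filter) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (with_filter && install_filter() != 0) _exit(255);
        _exit(op() == 0 ? 0 : errno);   /* under the filter the kernel returns -EPERM before looking at the path */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Build with gcc on Linux; it runs as an unprivileged user, and the unfiltered chown returns ENOENT while the filtered one returns EPERM.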
Resolution
Whether this behavior can be altered is currently being analyzed through a feature request.