Help! isolate worker cannot load profile.xml

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Nov 11 07:11:03 PST 2015


On Wed, Nov 11, 2015 at 9:35 AM, yick xie <yick.xie at gmail.com> wrote:
> Dear developers,
> Sorry for my disturbance again, but this time I got really no way to
> deal with such a problem during the last 3 days.
> When I enabled the isolate-worker, the log hinted "cannot load
> profile.xml". No matter how I configured the run-as-user and
> run-as-group (such as nobody:nogroup, root:root, ocserv:ocserv which I
> added additionally) and the profile.xml path, it still cannot work.
> However once I switched off isolate-worker option, it worked. Hence was
> there anything I missed? Or could you please give me a brief
> instruction kindly? Just let me know if you need more information.

Isolate-worker enables seccomp and sets a filter for system calls.
That is not always precise if system calls are used via libc, and as I
see that was the case here in the worker process. I've modified the
code a bit, so if you'd like to try the new version please check
whether:
https://gitlab.com/ocserv/ocserv/commit/b5640d61fbf93a3f1a2a194c4e5d747b6b17009a
solves your issue.

> MobileHostEntryInfo etc..), while I got no idea what the risk would be
> if without isolate-worker.

You don't get the system call filter from seccomp. That filter ensures
that a successful attacker will have very limited privileges even if
there is a serious bug in the ocserv worker process.

regards,
Nikos
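To illustrate the point above about libc choosing the system call, here is an added example (not ocserv's code) of a minimal seccomp-bpf allow-list in C: a forked child installs a filter that permits exit/close and, optionally, the open family, then calls libc open(). It assumes Linux on x86_64 or aarch64 with glibc or musl; which underlying syscall (open or openat) the wrapper issues depends on the libc, which is exactly why an allow-list written against the wrapper's name can miss, and returning EPERM instead of killing the process makes such a miss visible to the caller.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#else
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64  /* assumption: only other target built */
#endif
#ifndef __NR_open
#define __NR_open 0xffffffffu  /* no legacy open() syscall here; never matches */
#endif
/* Allow-list entry: if nr == k return ALLOW, otherwise fall through. */
#define ALLOW_NR(k) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Fork a child, install the filter, call libc open("/dev/null") and return the
 * errno the child saw: 0 on success, 200 if the filter could not be installed. */
int open_errno_under_filter(int allow_open_family)
{
    /* 0xffffffff is never a real syscall number, so it disables an entry. */
    unsigned int nr_open = allow_open_family ? __NR_open : 0xffffffffu;
    unsigned int nr_openat = allow_open_family ? __NR_openat : 0xffffffffu;
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_NR(__NR_exit_group), ALLOW_NR(__NR_exit), ALLOW_NR(__NR_close),
        ALLOW_NR(nr_open), ALLOW_NR(nr_openat),
        /* Anything else fails with EPERM instead of killing the process. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) _exit(200);
        int fd = open("/dev/null", O_RDONLY);  /* libc decides: open or openat */
        _exit(fd >= 0 ? 0 : errno);
    }
    int status;
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

With the open family left out the child reports EPERM whichever syscall its libc picked, whereas a profile naming only open or only openat would pass on one libc and fail on the other.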



More information about the openconnect-devel mailing list