Help! isolate worker cannot load profile.xml

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Wed Nov 11 07:11:03 PST 2015

On Wed, Nov 11, 2015 at 9:35 AM, yick xie <yick.xie at> wrote:
> Dear developers,
> Sorry for my disturbance again, but this time I got really no way to
> deal with such a problem during the last 3 days.
> When I enabled the isolate-worker, the log hinted "cannot load
> profile.xml". No matter how I configured the run-as-user and
> run-as-group (such as nobody:nogroup, root:root, ocserv:ocserv which I
> added additionally) and the profile.xml path, it still cannot work.
> However once I switched off isolate-worker option,it worked. Hence was
>  there anything I missed? Or could you please give me a brief
> instruction kindly? Just let me know if you need more information.

Isolate workers enables seccomp and sets a filter for system calls.
That is not always precise if system calls are used via libc, and as I
see that was the case here in the worker process. I've modified the
code a bit, so if you like to try the new version please check
solves your issue.

> MobileHostEntryInfo etc..), while I got no idea what the risk would be
> if without isolate-worker.

You don't get the system call filter from seccomp. That filter ensures
that a successful attacker will have very limited privileges even if
there is a serious bug in ocserv worker process.


More information about the openconnect-devel mailing list