Help! isolate worker cannot load profile.xml

yick xie yick.xie at gmail.com
Thu Nov 12 06:11:50 PST 2015


Hi Nikos,

This commit indeed works; honestly, thanks for your great favor. I will
keep an eye on its stability.

Regards,
Yick

2015-11-11 23:11 GMT+08:00 Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com>:
> On Wed, Nov 11, 2015 at 9:35 AM, yick xie <yick.xie at gmail.com> wrote:
>> Dear developers,
>> Sorry for my disturbance again, but this time I really have no way to
>> deal with this problem after the last 3 days.
>> When I enabled isolate-worker, the log said "cannot load
>> profile.xml". No matter how I configured run-as-user and
>> run-as-group (such as nobody:nogroup, root:root, or ocserv:ocserv, which I
>> added additionally) and the profile.xml path, it still did not work.
>> However, once I switched off the isolate-worker option, it worked. Hence, was
>> there anything I missed? Or could you please kindly give me a brief
>> instruction? Just let me know if you need more information.
>
> Isolate-worker enables seccomp and sets a filter for system calls.
> That is not always precise if system calls are used via libc, and as I
> see, that was the case here in the worker process. I've modified the
> code a bit, so if you would like to try the new version, please check
> whether:
> https://gitlab.com/ocserv/ocserv/commit/b5640d61fbf93a3f1a2a194c4e5d747b6b17009a
> solves your issue.
>
>> MobileHostEntryInfo etc..), while I have no idea what the risk would be
>> without isolate-worker.
>
> You don't get the system call filter from seccomp. That filter ensures
> that a successful attacker will have very limited privileges even if
> there is a serious bug in the ocserv worker process.
>
> regards,
> Nikos
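The failure mode Nikos describes (a seccomp filter that is "not always precise if system calls are used via libc") is easy to reproduce. The program below is an added example written for this page; it is not ocserv's code and not the commit linked above. It installs a seccomp-bpf denylist in a forked child and then calls fopen() there: a rule that names open(2) does not catch current glibc, whose fopen() actually issues openat(2), and on aarch64 open(2) does not even exist. The probe runs in a child because a filter cannot be removed once installed, and denied calls return EPERM rather than killing the process so the result is observable. Assumptions: Linux with seccomp filter support (otherwise SECCOMP_UNAVAILABLE is reported) and an x86_64 or aarch64 build; "/dev/null" is used as the file to open.

```c
/* Added example (not ocserv's code): a seccomp denylist written from libc
 * function names can miss the syscall the wrapper really makes. Linux only. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS /* pre-4.14 kernel headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

enum probe_result {
    FOPEN_OK = 0,            /* fopen() succeeded: the denylist missed it */
    FOPEN_DENIED = 1,        /* fopen() failed with EPERM: a denied syscall was hit */
    FOPEN_OTHER_ERR = 2,     /* fopen() failed for an unrelated reason */
    SECCOMP_UNAVAILABLE = 3, /* kernel or sandbox refused PR_SET_SECCOMP */
    CHILD_KILLED = 4,        /* child died by signal (e.g. the foreign-ABI rule) */
    FORK_FAILED = 5
};

/* Install "allow everything except these syscall numbers, which fail with
 * EPERM". Returns 0 on success, -1 if the kernel refused the filter. */
static int install_denylist(const int *denied, size_t n)
{
    size_t len = 6 + n, i = 0;
    struct sock_filter *f = calloc(len, sizeof *f);
    if (!f)
        return -1;
    /* Check the ABI first: syscall numbers differ between x86_64 and i386. */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, arch));
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    /* Entry k sits at index 4+k and the deny rule at index 5+n, so a match
     * jumps forward n-k instructions. */
    for (size_t k = 0; k < n; k++)
        f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                              (unsigned)denied[k], (unsigned char)(n - k), 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                          SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    int rc = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        rc = -1;
    free(f); /* the kernel keeps its own copy */
    return rc;
}

/* Fork, install the denylist in the child, try fopen("/dev/null") there
 * and report a probe_result code. */
int fopen_under_filter(const int *denied, size_t n)
{
    pid_t pid = fork();
    if (pid < 0)
        return FORK_FAILED;
    if (pid == 0) {
        if (install_denylist(denied, n) != 0)
            _exit(SECCOMP_UNAVAILABLE);
        FILE *fp = fopen("/dev/null", "r");
        if (fp) {
            fclose(fp);
            _exit(FOPEN_OK);
        }
        _exit(errno == EPERM ? FOPEN_DENIED : FOPEN_OTHER_ERR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return FORK_FAILED;
    return WIFEXITED(status) ? WEXITSTATUS(status) : CHILD_KILLED;
}

int main(void)
{
    const int openat_only[] = { SYS_openat };
    printf("deny openat only -> code %d\n", fopen_under_filter(openat_only, 1));
#ifdef SYS_open
    /* On glibc this still reports 0: fopen() never called open(2). */
    const int open_only[] = { SYS_open };
    printf("deny open only   -> code %d\n", fopen_under_filter(open_only, 1));
    const int both[] = { SYS_open, SYS_openat };
#else
    const int both[] = { SYS_openat }; /* no open(2) on this architecture */
#endif
    printf("deny both        -> code %d (1 = fopen blocked)\n",
           fopen_under_filter(both, sizeof both / sizeof both[0]));
    return 0;
}
```

Build with `cc -o probe probe.c` and run it on the target machine; the codes tell you which syscall your libc's fopen() really makes. The example uses a default-allow denylist only so that the miss is visible; a hardening filter like the one behind isolate-worker is the opposite, a default-deny allowlist, and there the same mistake shows up as a killed worker (or, as in this thread, a "cannot load profile.xml" error) rather than a quietly bypassed rule. The ABI check at the top of the filter is the other thing to keep: without it a 32-bit-ABI syscall with the same number as an allowed 64-bit one would pass the filter.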
