This plugin aims at adding a bit of security to Irssi thanks to
seccomp. Syscalls that aren't vital to
Irssi (execve for instance) aren't allowed. If a forbidden syscall happen, the
Irssi process is immediately killed without executing it.
Unfortunately, seccomp alone isn't bulletproof since an attacker can still access to the filesystem. Running Irssi inside a chroot is recommended.
namnamc already wrote a pull request to add seccomp support to Irssi, but it has never been merged.
$ make
A complete build of Irssi isn't required since module_register() is resolved
by dlsym().
$ sudo apt install gcc-arm-linux-gnueabihf
$ ARM=1 make
/load /home/user/.irssi/modules/seccomp.so
To ensure that the plugin is loaded when Irssi starts, add the following line to
~/.irssi/config:
/load /home/user/.irssi/modules/seccomp.so
Since the execve syscall is forbidden by seccomp, the /exec command can be
used to trigger a warning (Irssi isn't killed because it forks beforce executing
the specified command in the background, and the clone syscall is allowed):
/exec uname
13:36 -!- Irssi: process 0 (uname) terminated with signal 31 (Bad system call)
The /proc filesystem gives some
informations (0 means
SECCOMP_MODE_DISABLED; 1 means SECCOMP_MODE_STRICT; 2 means
SECCOMP_MODE_FILTER):
$ grep Seccomp /proc/$(pidof irssi)/status
Seccomp: 2
If Irssi is killed and your shell displays Bad system call, you may try to
append the culprit syscall to the allowed list in seccomp.c. Use dmesg to
get the syscall number:
$ dmesg | tail -1
[21102.750355] audit: type=1326 audit(1475161330.424:30): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19717 comm="irssi" exe="/usr/bin/irssi" sig=31 arch=c000003e syscall=112 compat=0 ip=0x7fee729a9a67 code=0x0
Find the corresponding syscall:
$ grep -r 112 /usr/include/ | grep __NR
/usr/include/x86_64-linux-gnu/asm/unistd_64.h:#define __NR_setsid 112
And add it to seccomp.c:
ALLOW_SYSCALL(setsid),