From 4aa3da578692d53a65342114e65403e7233aa726 Mon Sep 17 00:00:00 2001
From: Klemens Nanni <klemens@posteo.de>
Date: Fri, 11 Jun 2021 12:30:56 +0000
Subject: OpenBSD: Hoist loading save file to drop filesystem read-access

After TLS cert/key files, the save file is the only file being read from;
do so before pleding and drop the "rpath" promise all together:  log files
will only be created and written to.
---
 chat.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/chat.c b/chat.c
index 4f3c233..e01b511 100644
--- a/chat.c
+++ b/chat.c
@@ -276,6 +276,10 @@ int main(int argc, char *argv[]) {
 	ircConfig(insecure, trust, cert, priv);
 
 	uiInitEarly();
+	if (save) {
+		uiLoad(save);
+		atexit(exitSave);
+	}
 
 #ifdef __OpenBSD__
 	if (self.restricted) {
@@ -288,7 +292,7 @@ int main(int argc, char *argv[]) {
 
 	char promises[64] = "stdio tty";
 	char *ptr = &promises[strlen(promises)], *end = &promises[sizeof(promises)];
-	if (save || logEnable) ptr = seprintf(ptr, end, " rpath wpath cpath");
+	if (save || logEnable) ptr = seprintf(ptr, end, " wpath cpath");
 	if (!self.restricted) ptr = seprintf(ptr, end, " proc exec");
 
 	char *promisesFinal = strdup(promises);
@@ -299,10 +303,6 @@ int main(int argc, char *argv[]) {
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
-	if (save) {
-		uiLoad(save);
-		atexit(exitSave);
-	}
 	uiShowID(Network);
 	uiFormat(
 		Network, Cold, NULL,
-- 
cgit 1.4.0