From 4aa3da578692d53a65342114e65403e7233aa726 Mon Sep 17 00:00:00 2001 From: Klemens Nanni Date: Fri, 11 Jun 2021 12:30:56 +0000 Subject: OpenBSD: Hoist loading save file to drop filesystem read-access After TLS cert/key files, the save file is the only file being read from; do so before pleding and drop the "rpath" promise all together: log files will only be created and written to. --- chat.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'chat.c') diff --git a/chat.c b/chat.c index 4f3c233..e01b511 100644 --- a/chat.c +++ b/chat.c @@ -276,6 +276,10 @@ int main(int argc, char *argv[]) { ircConfig(insecure, trust, cert, priv); uiInitEarly(); + if (save) { + uiLoad(save); + atexit(exitSave); + } #ifdef __OpenBSD__ if (self.restricted) { @@ -288,7 +292,7 @@ int main(int argc, char *argv[]) { char promises[64] = "stdio tty"; char *ptr = &promises[strlen(promises)], *end = &promises[sizeof(promises)]; - if (save || logEnable) ptr = seprintf(ptr, end, " rpath wpath cpath"); + if (save || logEnable) ptr = seprintf(ptr, end, " wpath cpath"); if (!self.restricted) ptr = seprintf(ptr, end, " proc exec"); char *promisesFinal = strdup(promises); @@ -299,10 +303,6 @@ int main(int argc, char *argv[]) { if (error) err(EX_OSERR, "pledge"); #endif - if (save) { - uiLoad(save); - atexit(exitSave); - } uiShowID(Network); uiFormat( Network, Cold, NULL, -- cgit 1.4.1-2-gfad0