Extend Pledge with anet (same as inet, but with no connect) (#827)

* Add `anet` pledge for `inet` without connect

This is useful for configurations where it's desirable to start redbean
under these restrictions, but not to allow `connect` socket calls.

* Update message on protected/unpledged syscalls for clarity

* Update redbean to add reporting for unpledged sigaction

Previously it would abort without indicating what signal it failed to
install when sigaction is not pledged (although it fails all of them).

* Move GetHostIps before processing command line options

This allows using unix.pledge as part of the options without affecting
retrieving host IP addresses (which requires `connect`). It may still
fail under external `pledge` command as expected; in this case IPs
would need to be passed manually.

* Update tests for pledge anet promise

tool/net/redbean.c

@@ -7182,7 +7182,8 @@ static int WindowsReplThread(void *arg, int tid) {
 
 static void InstallSignalHandler(int sig, void *handler) {
   struct sigaction sa = {.sa_sigaction = handler};
-  CHECK_NE(-1, sigaction(sig, &sa, 0));
+  if (sigaction(sig, &sa, 0) == -1)
+    WARNF("(srvr) failed to set signal handler #%d: %m", sig);
 }
 
 static void SigInit(void) {
@@ -7400,12 +7401,12 @@ void RedBean(int argc, char *argv[]) {
   CHECK_NE(-1, fstat(zfd, &zst));
   OpenZip(true);
   SetDefaults();
-  LuaStart();
-  GetOpts(argc, argv);
   // this can fail with EPERM if we're running under pledge()
   if (!interpretermode && !(interfaces = GetHostIps())) {
     WARNF("(srvr) failed to query system network interface addresses: %m");
   }
+  LuaStart();
+  GetOpts(argc, argv);
 #ifndef STATIC
   if (selfmodifiable) {
     MakeExecutableModifiable();