Diffstat (limited to 'src')
-rw-r--r--src/sandbox.rs56
1 files changed, 46 insertions, 10 deletions
diff --git a/src/sandbox.rs b/src/sandbox.rs
index 13f6a87..43ce4d2 100644
--- a/src/sandbox.rs
+++ b/src/sandbox.rs
@@ -9,12 +9,44 @@ unsafe extern "C" {
}
/// Valid pledge promises on OpenBSD.
+/// See `pledgereq[]` in `/usr/src/sys/kern/kern_pledge.c`.
const VALID_PROMISES: &[&str] = &[
- "audio", "bpf", "chown", "cpath", "disklabel", "dns", "dpath",
- "error", "exec", "fattr", "flock", "getpw", "id", "inet", "mcast",
- "pf", "proc", "ps", "recvfd", "route", "rpath", "sendfd", "settime",
- "stdio", "tape", "tmppath", "tty", "unix", "unveil", "video",
- "vminfo", "vmm", "wpath", "wroute",
+ "audio",
+ "bpf",
+ "chown",
+ "cpath",
+ "disklabel",
+ "dns",
+ "dpath",
+ "drm",
+ "error",
+ "exec",
+ "fattr",
+ "flock",
+ "getpw",
+ "id",
+ "inet",
+ "mcast",
+ "pf",
+ "proc",
+ "prot_exec",
+ "ps",
+ "recvfd",
+ "route",
+ "rpath",
+ "sendfd",
+ "settime",
+ "stdio",
+ "tape",
+ "tmppath",
+ "tty",
+ "unix",
+ "unveil",
+ "video",
+ "vminfo",
+ "vmm",
+ "wpath",
+ "wroute",
];
/// Valid unveil permission characters.
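Review bot: Nothing in this hunk keeps `VALID_PROMISES` in step with the kernel's `pledgereq[]` that the new doc comment points to, so an entry missing here makes `do_pledge` reject a promise the kernel would accept, and a stale entry does the reverse once a release drops it. The list is now one entry per line and alphabetically ordered, so a `#[test]` with `assert!(VALID_PROMISES.windows(2).all(|w| w[0] < w[1]));` would at least catch ordering drift when the next promise is added. It would also help to extend the new comment with the release the table was copied from, e.g. `/// Last synced with OpenBSD <release — placeholder, fill in>.`, so the next reviewer knows what to diff against.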
@@ -44,14 +76,18 @@ pub fn do_pledge(promises: &str) {
/// Add a path to the unveil whitelist with the given permissions.
/// Permissions: "r" read, "w" write, "c" create, "x" execute.
pub fn do_unveil(path: &Path, perms: &str) {
- if perms.is_empty() || !perms.as_bytes().iter().all(|b| VALID_PERMS.contains(b)) {
+ if perms.is_empty()
+ || !perms.as_bytes().iter().all(|b| VALID_PERMS.contains(b))
+ {
log::error!("unveil: invalid permissions");
std::process::exit(1);
}
- let p = CString::new(path.as_os_str().as_encoded_bytes()).unwrap_or_else(|_| {
- log::error!("unveil: path contains NUL byte");
- std::process::exit(1);
- });
+ let p = CString::new(path.as_os_str().as_encoded_bytes()).unwrap_or_else(
+ |_| {
+ log::error!("unveil: path contains NUL byte");
+ std::process::exit(1);
+ },
+ );
let f = CString::new(perms).unwrap_or_else(|_| {
log::error!("unveil: permissions contain NUL byte");
std::process::exit(1);