commit dcfdb969a267631fc9b787507c6ce6db7e290e48 from: Omar Polo date: Sun Oct 24 16:52:39 2021 UTC don't list the exact pledge promises It's easy to forget to update the README after a code change (already happened in the past) and they're easy to discover by reading sandbox.c commit - d65fa58c1bc10044d1dcba788b4662752206e373 commit + dcfdb969a267631fc9b787507c6ce6db7e290e48 blob - afce605094d0463f3b5df503357832f201658698 blob + a2143733bdd690847afab60ce72d10c8b5368072 --- README.md +++ README.md @@ -165,10 +165,7 @@ only one that needs internet access and is sandboxed b executor process exists only to fork and execute CGI scripts, and optionally to connect to FastCGI applications. -On OpenBSD, the listener runs with the `stdio recvfd rpath inet` -pledges, while the executor has `stdio sendfd proc exec dns inet -unix`; both have unveiled only the served directories. The logger -process has pledge `stdio recvfd`. +On OpenBSD the processes are all `pledge(2)`d and `unveil(2)`ed. On FreeBSD, the listener and logger process are sandboxed with `capsicum(4)`.
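Review bot: The added line `On OpenBSD the processes are all pledge(2)d and unveil(2)ed.` drops the promise lists without telling the reader where to find them. The commit message says they are easy to discover by reading sandbox.c, so the README should carry that pointer, for example "see `sandbox.c` for the exact promises". The removed text also said only that the listener and executor "have unveiled only the served directories" and gave just `stdio recvfd` for the logger, so "all ... `unveil(2)`ed" states more than the old wording did for the logger and loses the scope of the unveil. Consider keeping the "only the served directories" clause, which describes the design rather than a promise string and is less likely to go stale. Minor style point: the FreeBSD sentence that follows uses "On FreeBSD, the" with a comma, while the new sentence omits it after "On OpenBSD".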