sync readme.md with sandbox.c

author: Omar Polo <op@omarpolo.com> 2021-07-09 08:11:57 +0000
committer: Omar Polo <op@omarpolo.com> 2021-07-09 08:11:57 +0000
commit: be52e954c1d54f80485c643663db8e2ffc27510f (patch)
tree: 2013f5fd63e2e46ebe9b86be06d3506a38869972
parent: 3d132b283345475921bf9cf1e8d77e56ede2edf3 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/README.md b/README.md
index 6ee6d9b..074bc3f 100644
--- a/README.md
+++ b/README.md
@@ -169,12 +169,13 @@ to reload the configuration and spawn a new generation of children
 process.  The logger processes gather the logs and prints 'em to
 stderr or syslog (for the time being.)  The listener process is the
 only one that needs internet access and is sandboxed by default.  The
-executor process exists only to fork and execute CGI scripts.
+executor process exists only to fork and execute CGI scripts, and
+optionally to connect to FastCGI applications.
 
 On OpenBSD, the listener runs with the `stdio recvfd rpath inet`
-pledges, while the executor has `stdio sendfd proc exec`; both have
-unveiled only the served directories.  The logger process has pledge
-`stdio`.
+pledges, while the executor has `stdio sendfd proc exec dns inet
+unix`; both have unveiled only the served directories.  The logger
+process has pledge `stdio recvfd`.
 
 On FreeBSD, the listener and logger process are sandboxed with `capsicum(4)`.
author	Omar Polo <op@omarpolo.com>	2021-07-09 08:11:57 +0000
committer	Omar Polo <op@omarpolo.com>	2021-07-09 08:11:57 +0000
commit	be52e954c1d54f80485c643663db8e2ffc27510f (patch)
tree	2013f5fd63e2e46ebe9b86be06d3506a38869972
parent	3d132b283345475921bf9cf1e8d77e56ede2edf3 (diff)