@@ -16,18 +16,42 @@
 */
 #include "config.h"
 #import "OFSandbox.h"
-#import "OFString.h"
 #import "OFArray.h"
+#import "OFPair.h"
+#import "OFString.h"
 @implementation OFSandbox
+@synthesize unveiledPaths = _unveiledPaths;
+
 + (instancetype)sandbox
 {
 return [[[self alloc] init] autorelease];
 }
+
+- (instancetype)init
+{
+ self = [super init];
+
+ @try {
+ _unveiledPaths = [[OFMutableArray alloc] init];
+ } @catch (id e) {
+ [self release];
+ @throw e;
+ }
+
+ return self;
+}
+
+- (void)dealloc
+{
+ [_unveiledPaths release];
+
+ [super dealloc];
+}
 - (void)setAllowsStdIO: (bool)allowsStdIO
 {
 _allowsStdIO = allowsStdIO;
 }
@@ -304,10 +328,30 @@
 - (bool)allowsBPF
 {
 return _allowsBPF;
 }
+
+- (void)setAllowsUnveil: (bool)allowsUnveil
+{
+ _allowsUnveil = allowsUnveil;
+}
+
+- (bool)allowsUnveil
+{
+ return _allowsUnveil;
+}
+
+- (void)setReturnsErrors: (bool)returnsErrors
+{
+ _returnsErrors = returnsErrors;
+}
+
+- (bool)returnsErrors
+{
+ return _returnsErrors;
+}
 - (id)copy
 {
 OFSandbox *copy = [[OFSandbox alloc] init];
@@ -337,10 +381,12 @@
 copy->_allowsVMInfo = _allowsVMInfo;
 copy->_allowsChangingProcessRights = _allowsChangingProcessRights;
 copy->_allowsPF = _allowsPF;
 copy->_allowsAudio = _allowsAudio;
 copy->_allowsBPF = _allowsBPF;
+ copy->_allowsUnveil = _allowsUnveil;
+ copy->_returnsErrors = _returnsErrors;
 return copy;
 }
 - (bool)isEqual: (id)object
@@ -413,10 +459,14 @@
 return false;
 if (sandbox->_allowsAudio != _allowsAudio)
 return false;
 if (sandbox->_allowsBPF != _allowsBPF)
 return false;
+ if (sandbox->_allowsUnveil != _allowsUnveil)
+ return false;
+ if (sandbox->_returnsErrors != _returnsErrors)
+ return false;
 return true;
 }
 - (uint32_t)hash
@@ -451,10 +501,12 @@
 OF_HASH_ADD(hash, _allowsVMInfo);
 OF_HASH_ADD(hash, _allowsChangingProcessRights);
 OF_HASH_ADD(hash, _allowsPF);
 OF_HASH_ADD(hash, _allowsAudio);
 OF_HASH_ADD(hash, _allowsBPF);
+ OF_HASH_ADD(hash, _allowsUnveil);
+ OF_HASH_ADD(hash, _returnsErrors);
 OF_HASH_FINALIZE(hash);
 return hash;
 }
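Review bot: `-copy` (hunk at -337) leaves the new `_unveiledPaths` out, so the returned copy carries the two added flags but an empty unveil list (its array comes fresh from the new `-init`), which silently drops every filesystem restriction registered through `-unveilPath:permissions:` should a consumer apply the copy rather than the original; add `[copy->_unveiledPaths addObjectsFromArray: _unveiledPaths];` next to the two new assignments. `-isEqual:` (hunk at -413) and `-hash` (hunk at -451) have the same gap: sandboxes that differ only in their unveiled paths compare equal and hash alike, so add `if (![sandbox->_unveiledPaths isEqual: _unveiledPaths]) return false;` beside the new flag comparisons and `OF_HASH_ADD_HASH(hash, [_unveiledPaths hash]);` beside the new `OF_HASH_ADD` lines. `-copy` begins in the preceding hunk and all three methods run past their hunks.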
@@ -520,10 +572,14 @@
 [pledges addObject: @"pf"];
 if (_allowsAudio)
 [pledges addObject: @"audio"];
 if (_allowsBPF)
 [pledges addObject: @"bpf"];
+ if (_allowsUnveil)
+ [pledges addObject: @"unveil"];
+ if (_returnsErrors)
+ [pledges addObject: @"error"];
 ret = [pledges componentsJoinedByString: @" "];
 [ret retain];
@@ -530,6 +586,22 @@
 objc_autoreleasePoolPop(pool);
 return [ret autorelease];
 }
 #endif
+
+- (void)unveilPath: (OFString *)path
+ permissions: (OFString *)permissions
+{
+ void *pool = objc_autoreleasePoolPush();
+
+ [_unveiledPaths addObject: [OFPair pairWithFirstObject: path
+ secondObject: permissions]];
+
+ objc_autoreleasePoolPop(pool);
+}
+
+- (OFArray OF_GENERIC(of_sandbox_unveil_path_t) *)unveiledPaths
+{
+ return [[_unveiledPaths copy] autorelease];
+}
 @end
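Review bot: Mapping `returnsErrors` to the `error` promise changes the enforcement model without saying so anywhere in the hunk: with that promise a pledge violation comes back as a failed syscall (ENOSYS) instead of terminating the process, so code that ignores return values keeps running past a blocked operation. A comment at the added lines would make the trade-off visible, e.g. `/* "error" turns pledge violations into ENOSYS instead of killing the process; callers must check syscall results */`, and the same caveat belongs in the header documentation of `-setReturnsErrors:`. The method that builds the pledge string starts and ends outside this hunk.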
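Review bot: `-unveilPath:permissions:` stores `path` and `permissions` by reference inside the `OFPair`, so a mutable string handed in can still be edited after registration and before the sandbox is applied, and neither argument is validated or documented. Copy both when building the pair, `[OFPair pairWithFirstObject: [[path copy] autorelease] secondObject: [[permissions copy] autorelease]]`, and add a doc comment stating that `permissions` is the unveil(2) permission string (characters from `r`, `w`, `x`, `c`) and, if the activation code confirms it, that paths registered after the sandbox has been activated have no effect — that code is not in this diff. Returning an autoreleased copy from `-unveiledPaths` is the right call; the property declaration and the `of_sandbox_unveil_path_t` element type live outside this diff.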