diff --git a/impermanence.pl b/impermanence.pl
index 5cca5fb..40260ca 100755
--- a/impermanence.pl
+++ b/impermanence.pl
@@ -10,6 +10,7 @@ use Data::Dumper;
 use File::HomeDir;
 use File::Path qw(make_path);
 use Sys::Syslog qw(:standard :macros);
+use OpenBSD::Unveil;
 use 5.010;
 
 my $verbose = 0;
@@ -266,6 +267,16 @@ sub main {
 
     if( $start ) {
         mount_mfs($opts{u}, $impermanence_home, $data);
+
+        unveil($persist_home, "r");
+        unveil($impermanence_home, "rwc");
+        unveil("/etc/pwd.db", "r");
+        unveil("/dev/", "r");
+        foreach my $binary (qw| /sbin/mount_mfs /sbin/umount /bin/sh /sbin/swapctl /bin/df|) {
+            unveil($binary, "x");
+        }
+        unveil();
+
         populate_ramdisk($data, $persist_home, $impermanence_home, $opts{u});
     }