What is Unveil

"Unveil parts of a restricted filesystem view"

int unveil(const char *path, const char *permissions);

Access to a path that is not unveiled returns ENOENT

Flags "rwxc", Access to an unveiled path disallowed by flags returns EACCES

First call to unveil restricts filesystem view. Subsequent calls can open it up more.

unveil(NULL,NULL) prevents further unveiling (or drop "unveil" pledge if pledged)