Unveil semantics are a compromise between two objectives 1) as near to O(1) behaviour in the kernel for the worst case program installing the worse case ruleset 2) Semantics a programmer can comprehend. Doing this requires substatial in-kernel object storage / tracking / checking. This *must* be as efficient as possible in the commonly hit cases - lookup during program operations After a few discarded designs, what we settled on in kernel was a per-process structure that holds and remembers directory vnodes looked up at the time of the unveil() call. - Unveiling a non directory remembers the name underneath its directory vnode. - non directories may be removed/recreated after unveil. - directories may not (they will appear not to exist after the vnode changes) - Keep lookup costs in the unveiling process as much as possible