Current (known) limitations

You must cross an unveiled vnode on namei(8) lookup

Consider if we unveil "/usr"

  unveil("/usr", rwxc);
  chdir("/usr/blah/woof/yakk");
  open("./hurl", O_RDWR);
  open("/usr/blah/woof/yakk/hurl", O_RDWR);

  open("../yakk/hurl", O_RDWR);

We need to "go up the tree" to find covering unveil
Currently being worked on.