What is Unveil

"Unveil parts of a restricted filesystem view"

int unveil(const char *path, const char *permissions);

Access to a path that is not unveiled returns ENOENT

Permissions: "rwxc" (read, write, execute, create)
      Access to an unveiled path disallowed by flags returns EACCES

First call to unveil restricts filesystem view. Subsequent calls can
open it up more.

unveil(NULL,NULL);

prevents further unveiling
(or drop "unveil" pledge if pledged)