The Evolution of unveil.

We started working with a few small programs in OpenBSD base.

Some integration with pledge(2). (a special pledge for unveil)

Initial unveils of small programs in OpenBSD looked very nice

Many require a simple unveil or two, often right before pledge()

acme-client/fileproc.c: if (unveil(certdir, "rwc") == -1) {
acme-client/fileproc.c:         warn("unveil");
acme-client/netproc.c:  if (unveil(DEFAULT_CA_FILE, "r") == -1) {
acme-client/netproc.c:          warn("unveil");

Can use to restrict programs that aren't easily pledgeable, or further contain those that are.

Just like pledge, unveil makes privsep better!