We have to allow inspection

stat() and access() need to be allowed on all intermediate vnodes for the unveil to work!

unveil has a hidden permission of "inspect": anything you traverse on the way to an unveiled path becomes "inspectable".

So, if you unveil "/home/beck/Downloads" as above with "rwxc":

In the absence of other unveils, four vnodes are remembered for you in the kernel.

   1. / can be inspected (stat and access)
   2. /home can be inspected (stat and access)
   3. /home/beck can be inspected (stat and access)
   4. /home/beck/Downloads can be "rwxc"

Now realpath() and nasty TOCTOCTOCTOU libraries can stat their way down the path before getting to what they want.

So this looks better... right?
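As an added illustration (not code from the talk or from the OpenBSD kernel), here is a small Python model of the table described above: explicit unveils carry their permissions, traversed parents get the hidden "inspect" entry, and lookups pick the nearest covering entry. The errno mapping and the rule that an inspect-only entry covers exactly one vnode rather than a subtree are this example's assumptions.

```python
from pathlib import PurePosixPath

INSPECT = frozenset()   # hidden permission: empty set means stat()/access() only


def build_table(unveils):
    """Build {path: frozenset(perms)} from (path, perms) pairs such as
    ("/home/beck/Downloads", "rwxc").  Every directory traversed on the
    way to an unveiled path is remembered as inspect-only, unless it was
    itself unveiled with real permissions (an explicit unveil wins)."""
    table = {}
    for path, perms in unveils:
        p = PurePosixPath(path)
        for parent in p.parents:            # e.g. /home/beck, /home, /
            table.setdefault(str(parent), INSPECT)
        table[str(p)] = frozenset(perms)
    return table


def check(table, path, op):
    """Decide whether `op` ('r', 'w', 'x', 'c' or 'inspect') on `path`
    is allowed.  Returns "ok", "EACCES" or "ENOENT".  Assumed mapping:
    a covered vnode lacking the permission gives EACCES, a path that no
    unveil covers gives ENOENT."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):       # nearest covering entry wins
        perms = table.get(str(candidate))
        if perms is None:
            continue
        if perms == INSPECT:
            # inspect-only entries cover one vnode, not its children
            if candidate != p:
                return "ENOENT"
            return "ok" if op == "inspect" else "EACCES"
        # a real unveil covers its whole subtree; any real perm allows stat
        if op == "inspect" or op in perms:
            return "ok"
        return "EACCES"
    return "ENOENT"                         # nothing unveiled covers this path


if __name__ == "__main__":
    t = build_table([("/home/beck/Downloads", "rwxc")])
    for vnode in sorted(t):
        print(vnode, "inspect" if t[vnode] == INSPECT else "".join(sorted(t[vnode])))
    print(check(t, "/home/beck", "inspect"), check(t, "/home/beck/.ssh/id", "inspect"))
```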