We have to allow inspection stat() and access() needed to be allowed for all intermediate vnodes for the unveil! unveil has a hidden permission of "inspect" - anything you traverse on the way to an unveil becomes "inspectable" So, if you unveil "/home/beck/Downloads" as above with "rwxc" In absence of other unveils, four vnodes are remembered for you in the kernel. 1. / can be inspected (stat and access) 2. /home can be inspected (stat and access) 3. /home/beck can be inspected (stat and access) 4. /home/beck/Downloads can be "rwxc" Now realpath() and nasty TOCTOCTOCTOU libraries can stat their way down the path before getting to what they want. So this looks better.. right?