The expected uses of unveil and pledge aren't some weird fiction
of "oh look I can use them wrong".

The interesting cases are when pledge and unveil are used correctly,
which means they reduce control or access to objects.

This is especially true around pledge "proc exec".

Say you have program1 which does some work, but also later on runs
program2.  It would look something like this.

program1.c

        // program1 understands its own purpose, so this is where
        // we declare what program1 will do.
        unveil("/path/to/program2", "x");
        unveil(NULL, NULL);
        pledge("stdio proc exec", NULL);

        // later on, run program2
        switch (fork()) {
        case 0:
             execl("/path/to/program2", "program2", NULL);
        ...

program2.c

        // at startup, no pledges or unveils active

        // program2 understands its own purpose, so this is where
        // we declare what program2 will do.
        unveil("/somepath", "r");
        unveil(NULL, NULL);
        pledge("some pledges", NULL);


There is a visible interlock.  program1 can only run program2.
program2 is expected to self-contain itself.
