Hi,

The unveil man page states that unveil will return EPERM when locked:

    EPERM    An attempt to add permission to flags was made, or path was not accessible, or unveil was called after it was locked

The lock is set when unveil(NULL, NULL) is called. The syscall will set `p->p_p->ps_uvdone=1`, and further calls to unveil(2) will be refused.

Currently, the syscall returns EINVAL in such a case. So make it return what the documentation said, as it is the more obvious.

While here, a few style corrections in return statements.

Thanks.
--
Sebastien Marie

Index: kern/vfs_syscalls.c =================================================================== RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.294 diff -u -p -r1.294 vfs_syscalls.c --- kern/vfs_syscalls.c 13 Jul 2018 09:36:00 -0000 1.294 +++ kern/vfs_syscalls.c 18 Jul 2018 13:47:12 -0000 @@ -897,21 +897,21 @@ sys_unveil(struct proc *p, void *v, regi } if (p->p_p->ps_uvdone != 0) - return EINVAL; + return (EPERM); error = copyinstr(SCARG(uap, flags), cflags, sizeof(cflags), NULL); if (error) - return(error); + return (error); error = copyinstr(SCARG(uap, path), pathname, sizeof(pathname), &pathlen); if (error) - return(error); + return (error); #ifdef KTRACE if (KTRPOINT(p, KTR_STRUCT)) ktrstruct(p, "unveil", cflags, strlen(cflags)); #endif if (pathlen < 2) - return EINVAL; + return (EINVAL); /* XXX unveil is disabled but returns sucess for now */ return 0; @@ -929,7 +929,7 @@ sys_unveil(struct proc *p, void *v, regi /* * XXX Any access to the file or directory will allow us to - * pledge path it + * unveil it */ if ((nd.ni_vp && (VOP_ACCESS(nd.ni_vp, VREAD, p->p_ucred, p) == 0 ||
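
Review bot: In the first hunk (@@ -897,21 +897,21 @@) only the `ps_uvdone` line changes behaviour (EINVAL becomes EPERM); the other three changed lines are return-statement style, which makes the errno change easy to overlook in the history, so consider committing the errno fix on its own. If the style pass stays in this patch, it is incomplete within the same hunk: the context line `return 0;` under the "XXX unveil is disabled" comment is still unparenthesized, and that comment spells "sucess".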
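
Review bot: The comment change in the second hunk (@@ -929,7 +929,7 @@), "pledge path it" to "unveil it", is not covered by the commit message, which describes only the EPERM return and the return-statement style. Add a line for it to the message, or send it as a separate cleanup, so the log matches what the diff touches.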