> But, is the situation with unveil(2) worst that before ? It seems to me > a user could already doing vnode comsuption with just opening as many > file descriptors it can (and fork and repeat when RLIMIT_NOFILES is > reached for the process).
No, it is a little different. An unveil is a tighter lock on the vnode, such that it cannot be recycled as easily as a regular file. Anyways everything you wrote, I considered before going down this way. Bob and I were not prepared to have processes manipulate a mount-tree, so vnode hold references was the only way to go.