From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: watch(1) - periodically execute a command and display its output
To: Job Snijders <job@openbsd.org>
Cc: tech@cvs.openbsd.org
Date: Mon, 19 May 2025 18:54:37 -0600

This use of pledge "unveil" and unveil() is very ineffective.

There is no point in doing

fork + unveil + execve
              ^
              |
  apparently a patch access bug happens here?

Implausible.  These unveils are either too late, or not serving any purpose.

I believe cmdv[0] and _PATH_BSHELL are known a very long time earlier in
the program, and that is where unveil would get called.