add unveil(2) again

this allows reading from anywhere in the filesystem (in order to read the
config file and those ones included from it), but also executing, which I
missed from my last attempt, because it's required for "check script(s)".

even though it's a broad permission, and the main proc cannot be pledged due to
forbidden ioctls, then this at least prevents it from creating/writing/deleting
files which is not required here.

OK benno@ a long time ago

0 files changed, 0 insertions, 0 deletions