The pledge() system call forces the current process into a restricted-service operating mode. A process which attempts a restricted operation is killed with an uncatchable SIGABRT, delivering a core file if possible.
The unveil() system call removes visibility of the entire filesystem from all other filesystem-related system calls, except for the specified paths and permissions.
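The usual way the two calls are combined, as an added example that is not taken from the OpenBSD manual pages: a program that only needs to read one file first unveils that path, locks the unveil list, and then pledges the smallest promise set that still lets it open the file. The `sandbox_reader` function and the sample path are assumptions of this example; on hosts other than OpenBSD the two system calls are replaced by labelled no-op stubs so the file still builds.

```c
/* Added example (not from the OpenBSD manual pages): unveil() the one
 * path we need, lock the list, then pledge() down to "stdio rpath". */
#include <stdio.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* pledge(2) and unveil(2) are declared in <unistd.h> on OpenBSD. */
#else
/* Stubs so the example compiles elsewhere; they restrict nothing. */
static int unveil(const char *path, const char *permissions) {
    (void)path; (void)permissions;
    return 0;
}
static int pledge(const char *promises, const char *execpromises) {
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* Restrict the process so only `config_path` stays visible (read-only)
 * and only stdio/rpath system calls remain. Returns 0 on success, -1 with
 * errno set if the kernel refuses either call. Order matters: unveil()
 * must be finished before pledge() drops the "unveil" promise. */
int sandbox_reader(const char *config_path)
{
    /* 1. Expose exactly one path, read-only; all other paths vanish. */
    if (unveil(config_path, "r") == -1)
        return -1;
    /* 2. Lock the unveil list so no later code can widen it. */
    if (unveil(NULL, NULL) == -1)
        return -1;
    /* 3. "stdio" keeps I/O on open descriptors, "rpath" allows open()
     *    for reading. Without "unveil" in the list, further unveil()
     *    calls are refused; any other restricted call aborts the process. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
}

int main(void)
{
    const char *path = "/etc/resolv.conf"; /* constructed sample path */
    if (sandbox_reader(path) == -1) {
        perror("sandbox_reader");
        return 1;
    }
    FILE *f = fopen(path, "r");            /* permitted: unveiled, rpath */
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    fclose(f);
    return 0;
}
```

After `sandbox_reader()` returns, an attempt such as `fopen("/etc/passwd", "r")` fails with ENOENT because the path was never unveiled, while a call outside the promised set (for example `socket()`) kills the process with SIGABRT, as described above.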