The code path were we pass `pathname' in the arguments is already limited

with pledge(2), but since we know exactly what it is then we can go further and
also unveil(2) it with read permissions.

OK millert@ deraadt@

usr.bin/getconf/getconf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: getconf.c,v 1.19 2016/10/28 07:22:59 schwarze Exp $	*/
+/*	$OpenBSD: getconf.c,v 1.20 2018/10/26 17:11:32 mestre Exp $	*/
 
 /*-
  * Copyright (c) 1996 The NetBSD Foundation, Inc.
@@ -513,6 +513,8 @@ main(int argc, char *argv[])
 		break;
 
 	case PATHCONF:
+		if (unveil(argv[1], "r") == -1)
+			err(1, "unveil");
 		if (pledge("stdio rpath", NULL) == -1)
 			err(1, "pledge");
 		errno = 0;