acct(8) and quotactl(8) can see files beyond unveil. These are root-only

system calls, also obviously blocked by all pledge.
However there is a circumstance of root running with unveil but without pledge
(quite rare in the tree) and there are some gaps.  These two fixes are a
stopgap because I think we should re-design how namei handles this.
From ivan at Quarkslab
ok dgl

sys/kern/kern_acct.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_acct.c,v 1.49 2024/07/08 13:17:11 claudio Exp $	*/
+/*	$OpenBSD: kern_acct.c,v 1.50 2026/06/01 16:33:49 deraadt Exp $	*/
 /*	$NetBSD: kern_acct.c,v 1.42 1996/02/04 02:15:12 christos Exp $	*/
 
 /*-
@@ -118,6 +118,7 @@ sys_acct(struct proc *p, void *v, register_t *retval)
 	 */
 	if (SCARG(uap, path) != NULL) {
 		NDINIT(&nd, 0, 0, UIO_USERSPACE, SCARG(uap, path), p);
+		nd.ni_unveil = UNVEIL_READ;
 		if ((error = vn_open(&nd, FWRITE|O_APPEND, 0)) != 0)
 			return (error);
 		VOP_UNLOCK(nd.ni_vp);

sys/kern/vfs_syscalls.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_syscalls.c,v 1.383 2026/05/23 14:56:20 deraadt Exp $	*/
+/*	$OpenBSD: vfs_syscalls.c,v 1.384 2026/06/01 16:33:49 deraadt Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -558,6 +558,7 @@ sys_quotactl(struct proc *p, void *v, register_t *retval)
 	struct nameidata nd;
 
 	NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
+	nd.ni_unveil = UNVEIL_READ | UNVEIL_WRITE;
 	if ((error = namei(&nd)) != 0)
 		return (error);
 	mp = nd.ni_vp->v_mount;