landlock is applied only to the ui process to drop fs access and in the fs process to limit where telescope can read/write files. The network process is more difficult to landlock because while in theory it doesn't need *any* fs access, in practice it needs to read (at least) files inside /etc/ for DNS to work.

It's clearer to specify first the configuration file before dumping all the keys and available functions.

Point out that *by default* telescope uses XDG-style directories, but if ~/.telescope exists XDG is ignored. While here also use a shorter URL for the XDG spec and add it to the STANDARDS section of the manpage.

and while there also publish various path. It's easier and better to have all of them exported from here instead of hardcoding them in other files (such as sandbox.c)

dirname(3) is really one of the worst part of POSIX, portability-wise. Implementors can decide to either modify the passed string or return a pointer to an internal storage. The current code fails when dirname returns a pointer to an internal storage because between the strcmp call and the mkdir we go into a recursion that can modify `path'. We can't use copy either because *some* implementation of dirname would have changed that. How to escape from this hell? Take yet another copy of the path!