internal/rosa/package/python: add kernel-headers

Missing kernel headers implicitly disables many useful things. This change also enables PGO and installs symlink, since a rebuild is unavoidable.

Signed-off-by: Ophestra <cat@gensokyo.uk>

.gitignore

@@ -1,37 +1,18 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-*.pkg
-/hakurei
-
-# Test binary, built with `go test -c`
+# produced by tools and text editors
+*.qcow2
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
 .idea
 .vscode
 
 # go generate
 /cmd/hakurei/LICENSE
-/internal/pkg/testdata/testtool
+/cmd/mbf/internal/pkgserver/ui/static
+/internal/pkg/internal/testtool/testtool
 /internal/rosa/hakurei_current.tar.gz
 
-# release
-/dist/hakurei-*
+# cmd/dist default destination
+/dist
 
-# interactive nixos vm
-nixos.qcow2
+# local packages
+/internal/rosa/package/local

all.sh

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+HAKUREI_DIST_MAKE='' exec "$(dirname -- "$0")/cmd/dist/dist.sh"

check/absolute.go

@@ -2,10 +2,10 @@
 package check
 
 import (
-	"encoding/json"
+	"encoding"
 	"errors"
 	"fmt"
-	"path"
+	"path/filepath"
 	"slices"
 	"strings"
 	"syscall"
@@ -20,8 +20,8 @@ func (e AbsoluteError) Error() string {
 }
 
 func (e AbsoluteError) Is(target error) bool {
-	var ce AbsoluteError
-	if !errors.As(target, &ce) {
+	ce, ok := errors.AsType[AbsoluteError](target)
+	if !ok {
 		return errors.Is(target, syscall.EINVAL)
 	}
 	return e == ce
@@ -30,6 +30,16 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }
 
+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
@@ -61,7 +71,7 @@ func (a *Absolute) Is(v *Absolute) bool {
 
 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
-	if !path.IsAbs(pathname) {
+	if !filepath.IsAbs(pathname) {
 		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
@@ -76,46 +86,35 @@ func MustAbs(pathname string) *Absolute {
 	}
 }
 
-// Append calls [path.Join] with [Absolute] as the first element.
+// Append calls [filepath.Join] with [Absolute] as the first element.
 func (a *Absolute) Append(elem ...string) *Absolute {
-	return unsafeAbs(path.Join(append([]string{a.String()}, elem...)...))
+	return unsafeAbs(filepath.Join(append([]string{a.String()}, elem...)...))
 }
 
-// Dir calls [path.Dir] with [Absolute] as its argument.
-func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
+// Dir calls [filepath.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }
 
-// GobEncode returns the checked pathname.
-func (a *Absolute) GobEncode() ([]byte, error) {
-	return []byte(a.String()), nil
+// AppendText appends the checked pathname.
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+	return append(data, a.String()...), nil
 }
 
-// GobDecode stores data if it represents an absolute pathname.
-func (a *Absolute) GobDecode(data []byte) error {
+// MarshalText returns the checked pathname.
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
-	if !path.IsAbs(pathname) {
+	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
 	}
 	a.pathname = unique.Make(pathname)
 	return nil
 }
 
-// MarshalJSON returns a JSON representation of the checked pathname.
-func (a *Absolute) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.String())
-}
-
-// UnmarshalJSON stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalJSON(data []byte) error {
-	var pathname string
-	if err := json.Unmarshal(data, &pathname); err != nil {
-		return err
-	}
-	if !path.IsAbs(pathname) {
-		return AbsoluteError(pathname)
-	}
-	a.pathname = unique.Make(pathname)
-	return nil
-}
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {

check/absolute_test.go

@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {
 
 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 
@@ -347,15 +347,6 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
-
-	t.Run("json passthrough", func(t *testing.T) {
-		t.Parallel()
-
-		wantErr := "invalid character ':' looking for beginning of value"
-		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
-			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
-		}
-	})
 }
 
 func TestAbsoluteWrap(t *testing.T) {

check/overlay.go

@@ -4,15 +4,23 @@ import "strings"
 
 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayPath = ":"
 )
 
 // EscapeOverlayDataSegment escapes a string for formatting into the data
 // argument of an overlay mount system call.
+//
+// Deprecated: This is no longer used and will be removed in 0.5.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""

cmd/dist/VERSION

@@ -0,0 +1 @@
+v0.4.3

cmd/dist/comp/_hakurei

@@ -1,11 +1,11 @@
 #compdef hakurei
 
-_hakurei_app() {
+_hakurei_run() {
   __hakurei_files
   return $?
 }
 
-_hakurei_run() {
+_hakurei_exec() {
   _arguments \
     '--id[Reverse-DNS style Application identifier, leave empty to inherit instance identifier]:id' \
     '-a[Application identity]: :_numbers' \
@@ -57,9 +57,9 @@ __hakurei_instances() {
 {
   local -a _hakurei_cmds
   _hakurei_cmds=(
-    "app:Load and start container from configuration file"
-    "run:Configure and start a permissive container"
-    "show:Show live or local app configuration"
+    "run:Load and start container from configuration file"
+    "exec:Configure and start a permissive container"
+    "show:Show live or local instance configuration"
     "ps:List active instances"
     "version:Display version information"
     "license:Show full license text"

cmd/dist/dist.sh

@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/../.."
+echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
+FLAGS=''
+if test -n "$VERBOSE"; then
+    FLAGS="$FLAGS -v"
+fi
+go run $FLAGS --tags=dist ./cmd/dist

cmd/dist/main.go

@@ -0,0 +1,254 @@
+//go:build dist
+
+package main
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha512"
+	_ "embed"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"strings"
+)
+
+//go:generate sh -c "git describe --tags > VERSION"
+//go:embed VERSION
+var version string
+
+// getenv looks up an environment variable, and returns fallback if it is unset.
+func getenv(key, fallback string) string {
+	if v, ok := os.LookupEnv(key); ok {
+		return v
+	}
+	return fallback
+}
+
+// mustRun runs a command with the current process's environment and panics
+// on error or non-zero exit code.
+func mustRun(ctx context.Context, name string, arg ...string) {
+	cmd := exec.CommandContext(ctx, name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		panic(err)
+	}
+}
+
+//go:embed comp/_hakurei
+var comp []byte
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("")
+
+	verbose := os.Getenv("VERBOSE") != ""
+	runTests := os.Getenv("HAKUREI_DIST_MAKE") == ""
+	version = getenv("HAKUREI_VERSION", strings.TrimSpace(version))
+	prefix := getenv("PREFIX", "/usr")
+	destdir := getenv("DESTDIR", "dist")
+
+	if verbose {
+		log.Println()
+	}
+
+	if err := os.MkdirAll(destdir, 0755); err != nil {
+		log.Fatal(err)
+	}
+	s, err := os.MkdirTemp(destdir, ".dist.*")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		var code int
+
+		if err = os.RemoveAll(s); err != nil {
+			code = 1
+			log.Println(err)
+		}
+
+		if r := recover(); r != nil {
+			code = 1
+			log.Println(r)
+		}
+
+		os.Exit(code)
+	}()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	verboseFlag := "-v"
+	if !verbose {
+		verboseFlag = "-buildvcs=false"
+	}
+
+	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
+	mustRun(ctx, "go", "generate", "./...")
+	mustRun(
+		ctx, "go", "build",
+		"-trimpath",
+		verboseFlag, "-o", s,
+		"-ldflags=-s -w "+
+			"-buildid= -linkmode external -extldflags=-static "+
+			"-X hakurei.app/internal/info.buildVersion="+version+" "+
+			"-X hakurei.app/internal/info.hakureiPath="+prefix+"/bin/hakurei "+
+			"-X hakurei.app/internal/info.hsuPath="+prefix+"/bin/hsu "+
+			"-X main.hakureiPath="+prefix+"/bin/hakurei",
+		"./...",
+	)
+	log.Println()
+
+	if runTests {
+		log.Println("##### Testing Hakurei.")
+		mustRun(
+			ctx, "go", "test",
+			"-ldflags=-buildid= -linkmode external -extldflags=-static",
+			"./...",
+		)
+		log.Println()
+	}
+
+	log.Println("##### Creating distribution.")
+	const suffix = ".tar.gz"
+	distName := "hakurei-" + version + "-" + runtime.GOARCH
+	var f *os.File
+	if f, err = os.OpenFile(
+		filepath.Join(s, distName+suffix),
+		os.O_CREATE|os.O_EXCL|os.O_WRONLY,
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	defer func() {
+		if f == nil {
+			return
+		}
+		if err = f.Close(); err != nil {
+			log.Println(err)
+		}
+	}()
+
+	h := sha512.New()
+	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
+	tw := tar.NewWriter(gw)
+
+	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
+		header := tar.Header{
+			Name:  filepath.Join(distName, name),
+			Size:  size,
+			Mode:  int64(mode),
+			Uname: "root",
+			Gname: "root",
+		}
+
+		if mode&os.ModeDir != 0 {
+			header.Typeflag = tar.TypeDir
+			fmt.Printf("%s %s\n", mode, name)
+		} else {
+			header.Typeflag = tar.TypeReg
+			fmt.Printf("%s %s (%d bytes)\n", mode, name, size)
+		}
+
+		if err = tw.WriteHeader(&header); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile := func(name string, data []byte, mode os.FileMode) {
+		mustWriteHeader(name, int64(len(data)), mode)
+		if mode&os.ModeDir != 0 {
+			return
+		}
+		if _, err = tw.Write(data); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFromPath := func(dst, src string, mode os.FileMode) {
+		var r *os.File
+		if r, err = os.Open(src); err != nil {
+			panic(err)
+		}
+
+		var fi os.FileInfo
+		if fi, err = r.Stat(); err != nil {
+			_ = r.Close()
+			panic(err)
+		}
+
+		if mode == 0 {
+			mode = fi.Mode()
+		}
+
+		mustWriteHeader(dst, fi.Size(), mode)
+		if _, err = io.Copy(tw, r); err != nil {
+			_ = r.Close()
+			panic(err)
+		} else if err = r.Close(); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile(".", nil, fs.ModeDir|0755)
+	mustWriteFile("comp/", nil, os.ModeDir|0755)
+	mustWriteFile("comp/_hakurei", comp, 0644)
+	mustWriteFile("install.sh", []byte(`#!/bin/sh -e
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/hakurei" "${DESTDIR}`+prefix+`/bin/hakurei"
+install -vDm0755 "bin/sharefs" "${DESTDIR}`+prefix+`/bin/sharefs"
+
+install -vDm4511 "bin/hsu" "${DESTDIR}`+prefix+`/bin/hsu"
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
+fi
+
+install -vDm0644 "comp/_hakurei" "${DESTDIR}`+prefix+`/share/zsh/site-functions/_hakurei"
+`), 0755)
+
+	mustWriteFromPath("README.md", "README.md", 0)
+	mustWriteFile("hsurc.default", []byte("1000 0"), 0400)
+	mustWriteFromPath("bin/hsu", filepath.Join(s, "hsu"), 04511)
+	for _, name := range []string{
+		"hakurei",
+		"sharefs",
+	} {
+		mustWriteFromPath(
+			filepath.Join("bin", name),
+			filepath.Join(s, name),
+			0,
+		)
+	}
+
+	if err = tw.Close(); err != nil {
+		panic(err)
+	} else if err = gw.Close(); err != nil {
+		panic(err)
+	} else if err = f.Close(); err != nil {
+		panic(err)
+	}
+	f = nil
+
+	if err = os.WriteFile(
+		filepath.Join(destdir, distName+suffix+".sha512"),
+		append(hex.AppendEncode(nil, h.Sum(nil)), "  "+distName+suffix+"\n"...),
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	if err = os.Rename(
+		filepath.Join(s, distName+suffix),
+		filepath.Join(destdir, distName+suffix),
+	); err != nil {
+		panic(err)
+	}
+}

cmd/earlyinit/main.go

@@ -1,17 +1,95 @@
+// The earlyinit is part of the Rosa OS initramfs and serves as the system init.
+//
+// This program is an internal detail of Rosa OS and is not usable on its own.
+// It is not covered by the compatibility promise.
 package main
 
 import (
+	"context"
+	"crypto/rand"
 	"log"
 	"os"
+	"os/signal"
 	"runtime"
+	"runtime/pprof"
+	"slices"
 	"strings"
 	. "syscall"
+
+	"hakurei.app/internal/kobject"
+	"hakurei.app/internal/report"
+	"hakurei.app/internal/uevent"
+	"hakurei.app/message"
+)
+
+var r report.Reporter
+
+func init() {
+	log.SetFlags(0)
+	log.SetPrefix("earlyinit: ")
+	r.SetOutput(log.Default())
+
+	// this handles SIGQUIT to provide useful debugging information without
+	// terminating, and prevents the runtime from throwing on the must family
+	// of early error reporting functions, DO NOT REMOVE
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, SIGQUIT)
+	go func() {
+		for {
+			<-c
+			if p := pprof.Lookup("goroutine"); p == nil {
+				log.Println("initial built-in goroutine profile does not exist")
+			} else if err := p.WriteTo(os.Stderr, 2); err != nil {
+				log.Println(err)
+			}
+		}
+	}()
+}
+
+// fatal calls [log.Println] with v and blocks forever. Must be called from
+// main. Must not be used after error reporting is set up.
+func fatal(v ...any) {
+	log.Println(v...)
+	log.Println("unable to continue, please reboot and resolve the problem manually")
+	select {}
+}
+
+// must calls fatal with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Println(err)
+		select {}
+	}
+}
+
+// mustSyscall is like must, but with an additional action name.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		fatal("cannot "+action+":", err)
+		select {}
+	}
+}
+
+// must1 is like must, but with an additional passed through value.
+func must1[T any](v T, err error) T {
+	must(err)
+	return v
+}
+
+const (
+	// optionSystem specifies devpath of the system device.
+	optionSystem = "system"
+
+	// flagVerbose increases output verbosity.
+	flagVerbose = "verbose"
+	// flagStrict sets [report.DStrict] on r.
+	flagStrict = "strict"
+	// flagNoRecover sets [report.DNoRecover] on r.
+	flagNoRecover = "no_recover"
 )
 
 func main() {
 	runtime.LockOSThread()
-	log.SetFlags(0)
-	log.SetPrefix("earlyinit: ")
 
 	var (
 		option map[string]string
@@ -29,15 +107,44 @@ func main() {
 		}
 	}
 
-	if err := Mount(
+	{
+		var flag uint64
+		if slices.Contains(flags, flagStrict) {
+			flag |= report.DStrict
+		}
+		if slices.Contains(flags, flagNoRecover) {
+			flag |= report.DNoRecover
+		}
+		log.Printf("reporting flags %x", flag)
+		r.SetFlags(flag)
+	}
+
+	msg := message.New(log.Default())
+	msg.SwapVerbose(slices.Contains(flags, flagVerbose))
+
+	mustSyscall("mount devtmpfs", Mount(
 		"devtmpfs",
 		"/dev/",
 		"devtmpfs",
 		MS_NOSUID|MS_NOEXEC,
 		"",
-	); err != nil {
-		log.Fatalf("cannot mount devtmpfs: %v", err)
-	}
+	))
+	must(os.Mkdir("/dev/pts/", 0))
+	mustSyscall("mount devpts", Mount(
+		"devpts",
+		"/dev/pts/",
+		"devpts",
+		MS_NOSUID|MS_NOEXEC,
+		"mode=620,ptmxmode=666",
+	))
+	must(os.Mkdir("/dev/shm/", 0))
+	mustSyscall("mount shm", Mount(
+		"shm",
+		"/dev/shm/",
+		"tmpfs",
+		MS_NOSUID|MS_NODEV,
+		"",
+	))
 
 	// The kernel might be unable to set up the console. When that happens,
 	// printk is called with "Warning: unable to open an initial console."
@@ -94,6 +201,49 @@ func main() {
 		"",
 	))
 
+	conn := must1(uevent.Dial(-128 * 1024 * 1024))
+	events := make(chan *uevent.Message, 1<<10)
+	var uuid uevent.UUID
+	must1(rand.Read(uuid[:]))
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go consume(ctx, msg, &r, conn, uuid, events)
+	s := kobject.New(uuid, func(o *kobject.Object, env map[string]string) {
+		p := make([]string, 0, len(env))
+		for k, v := range env {
+			p = append(p, k+"="+v)
+		}
+		slices.Sort(p)
+		log.Printf("change %s: %s", o.DevPath, strings.Join(p, ", "))
+	}, func(err error) {
+		severity := report.Inconsistent
+		if e, ok := err.(kobject.EventError); ok && e.Kind == kobject.EBadTarget {
+			severity = report.Trivial
+		}
+		r.Dispatch(
+			severity,
+			"processed inconsistent uevent",
+			err,
+		)
+	})
+	go func() {
+		s.Consume(ctx, events)
+
+		log.Println("closing NETLINK_KOBJECT_UEVENT socket")
+		cancel()
+		if err := conn.Close(); err != nil {
+			log.Fatal(err) // not reached
+		}
+	}()
+
+	must(os.Mkdir("/system", 0))
+	if devpath := option[optionSystem]; devpath == "" {
+		fatal("system must be nonempty")
+	} else {
+		log.Printf("waiting for devpath pattern %q", devpath)
+		mustMountSystem(ctx, s, devpath)
+	}
+
 	// after top level has been set up
 	mustSyscall("remount root", Mount(
 		"",
@@ -109,19 +259,6 @@ func main() {
 		[]byte("/system/lib/firmware"),
 		0,
 	))
+	go dispatchModprobe(ctx, s)
 
 }
-
-// mustSyscall calls [log.Fatalln] if err is non-nil.
-func mustSyscall(action string, err error) {
-	if err != nil {
-		log.Fatalln("cannot "+action+":", err)
-	}
-}
-
-// must calls [log.Fatal] with err if it is non-nil.
-func must(err error) {
-	if err != nil {
-		log.Fatal(err)
-	}
-}

cmd/earlyinit/modprobe.go

@@ -0,0 +1,73 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os/exec"
+	"strings"
+
+	"hakurei.app/internal/kobject"
+	"hakurei.app/internal/report"
+	"hakurei.app/internal/uevent"
+)
+
+// ModprobeError describes an unsuccessful modprobe invocation.
+type ModprobeError struct {
+	ModAlias string `json:"modalias"`
+	Stdout   string `json:"stdout"`
+	Stderr   string `json:"stderr"`
+	ExitCode int    `json:"exit_code"`
+}
+
+var _ report.RepresentableError = ModprobeError{}
+
+func (ModprobeError) Representable() {}
+func (e ModprobeError) Error() string {
+	return fmt.Sprintf(
+		"modprobe exit status %d: %s",
+		e.ExitCode, strings.TrimSpace(e.Stderr),
+	)
+}
+
+// dispatchModprobe invokes modprobe for [uevent.KOBJ_ADD] events raising new
+// MODALIAS strings.
+func dispatchModprobe(
+	ctx context.Context,
+	s *kobject.State,
+) {
+	aliases := make(chan string, 1<<8)
+	go func() {
+		defer close(aliases)
+		s.Range(ctx, func(o *kobject.Object, act uevent.KobjectAction) bool {
+			if act == uevent.KOBJ_ADD && o.Driver == "" && o.ModAlias != "" {
+				aliases <- o.ModAlias
+			}
+			return true
+		})
+	}()
+
+	for alias := range aliases {
+		stdout, err := exec.Command("/system/sbin/modprobe", alias).Output()
+		if err == nil {
+			if len(stdout) > 0 {
+				log.Println(string(stdout))
+			}
+			continue
+		}
+
+		exitError, ok := errors.AsType[*exec.ExitError](err)
+		if !ok || exitError == nil {
+			r.Dispatch(report.Degraded, "invoke modprobe", err)
+			continue
+		}
+
+		r.Dispatch(report.Trivial, "load device driver", ModprobeError{
+			ModAlias: alias,
+			Stdout:   string(stdout),
+			Stderr:   string(exitError.Stderr),
+			ExitCode: exitError.ExitCode(),
+		})
+	}
+}

cmd/earlyinit/mount.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+	"strconv"
+	"syscall"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/fhs"
+	"hakurei.app/internal/kobject"
+	"hakurei.app/internal/uevent"
+)
+
+// mustMountSystem waits for and mounts a system device matching pattern.
+func mustMountSystem(
+	ctx context.Context,
+	s *kobject.State,
+	pattern string,
+) {
+	c, stop := context.WithTimeout(ctx, 30*time.Second)
+	defer stop()
+
+	for {
+		var matchErr error
+		var systemPath *check.Absolute
+		s.Range(c, func(o *kobject.Object, act uevent.KobjectAction) bool {
+			if (act != uevent.KOBJ_ADD && act != uevent.KOBJ_CHANGE) ||
+				o.Subsystem != "block" ||
+				o.Env["DEVTYPE"] != "disk" {
+				return true
+			}
+
+			if ok, err := filepath.Match(pattern, o.DevPath); err != nil {
+				matchErr = err
+				return false
+			} else if !ok {
+				return true
+			}
+
+			name, ok := o.Env["DEVNAME"]
+			if !ok {
+				return true
+			}
+			systemPath = fhs.AbsDev.Append(name)
+			return false
+		})
+		if c.Err() != nil {
+			fatal("devpath", strconv.Quote(pattern), "never appeared")
+		}
+		if matchErr != nil {
+			fatal("cannot match system devpath:", matchErr)
+		}
+		err := syscall.Mount(
+			systemPath.String(),
+			"/system/",
+			"squashfs",
+			0,
+			"threads=multi",
+		)
+		if err == nil {
+			break
+		}
+		if !errors.Is(err, os.ErrNotExist) {
+			fatal("cannot mount system:", err)
+		}
+	}
+}

cmd/earlyinit/uevent.go

@@ -0,0 +1,104 @@
+package main
+
+import (
+	"context"
+	"time"
+
+	"hakurei.app/fhs"
+	"hakurei.app/internal/report"
+	"hakurei.app/internal/uevent"
+	"hakurei.app/message"
+)
+
+// newRejectColdboot returns a function to be called on every subsequent pending
+// coldboot, and returns whether coldboot should proceed. Rejection is sticky.
+func newRejectColdboot() func() bool {
+	// one coldboot per five minutes, two consecutive coldboot
+	const (
+		coldbootInterval = 5 * time.Minute
+		coldbootBurst    = 2
+	)
+
+	done := make(chan struct{})
+	s := make(chan struct{}, coldbootBurst)
+	s <- struct{}{} // for early fault before reporting is ready
+	go func() {
+		t := time.NewTicker(coldbootInterval)
+		for {
+			select {
+			case <-done:
+				return
+
+			case <-t.C:
+				select {
+				case s <- struct{}{}:
+				default:
+				}
+			}
+		}
+	}()
+
+	return func() bool {
+		select {
+		case <-s:
+			return true
+
+		case <-done:
+			return false
+
+		default:
+			close(done)
+			return false
+		}
+	}
+}
+
+// consume continuously consumes events from conn with retries.
+func consume(
+	ctx context.Context,
+	msg message.Msg,
+	r *report.Reporter,
+	conn *uevent.Conn,
+	uuid uevent.UUID,
+	events chan<- *uevent.Message,
+) {
+	defer close(events)
+
+	nextColdboot := newRejectColdboot()
+	coldboot := true
+retry:
+	if dispatchErr := conn.Consume(ctx, fhs.Sys, &uuid, events, coldboot, func(path string) {
+		msg.Verbose("coldboot visited", path)
+	}, func(err error) bool {
+		if _, ok := err.(uevent.NeedsColdboot); ok && !nextColdboot() {
+			r.Dispatch(
+				report.Degraded,
+				"rejecting coldboot loop",
+				err,
+			)
+			return false
+		}
+		r.Dispatch(
+			report.Inconsistent,
+			"consumed invalid message",
+			err,
+		)
+		return true
+	}, nil); dispatchErr != nil {
+		if _, ok := dispatchErr.(uevent.Recoverable); !ok {
+			r.Dispatch(
+				report.Fatal,
+				"discontinuing uevent processing due to nonrecoverable error",
+				dispatchErr,
+			)
+			return
+		}
+
+		if _, ok := dispatchErr.(uevent.NeedsColdboot); ok {
+			// coldboot loop rejected by handler
+			coldboot = false
+		}
+
+		goto retry
+	}
+}

cmd/earlyinit/uevent_test.go

@@ -0,0 +1,35 @@
+package main
+
+import (
+	"testing"
+	"testing/synctest"
+	"time"
+)
+
+func TestRejectColdboot(t *testing.T) {
+	t.Parallel()
+
+	synctest.Test(t, func(t *testing.T) {
+		nextColdboot := newRejectColdboot()
+		want := func(want bool) {
+			if got := nextColdboot(); got != want {
+				t.Fatalf("nextColdboot: %v, want %v", got, want)
+			}
+		}
+
+		synctest.Wait()
+		want(true)
+		time.Sleep(time.Hour)
+		synctest.Wait()
+		want(true)
+		want(true)
+		time.Sleep(5 * time.Minute)
+		synctest.Wait()
+		want(true)
+		want(false)
+		time.Sleep(time.Hour)
+		synctest.Wait()
+		want(false)
+		want(false)
+	})
+}

cmd/hakurei/command.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -11,7 +12,6 @@ import (
 	"strconv"
 	"sync"
 	"time"
-	_ "unsafe" // for go:linkname
 
 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -27,14 +27,20 @@ import (
 
 // optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
 // if it is not nil, or the original value if it is.
-//
-//go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
-func optionalErrorUnwrap(err error) error
+func optionalErrorUnwrap(err error) error {
+	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
+		return underlyingErr
+	}
+	return err
+}
+
+var errSuccess = errors.New("success")
 
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -52,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
 
 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -60,9 +67,9 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		var (
 			flagIdentifierFile int
 		)
-		c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
+		c.NewCommand("run", "Load and start container from configuration file", func(args []string) error {
 			if len(args) < 1 {
-				log.Fatal("app requires at least 1 argument")
+				log.Fatal("run requires at least 1 argument")
 			}
 
 			config := tryPath(msg, args[0])
@@ -70,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}
 
-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -98,7 +110,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
 		)
 
-		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
+		c.NewCommand("exec", "Configure and start a permissive container", func(args []string) error {
 			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
 				log.Fatalf("identity %d out of range", flagIdentity)
 			}
@@ -140,7 +152,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			var et hst.Enablement
+			var et hst.Enablements
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -158,7 +170,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: hst.NewEnablements(et),
+				Enablements: &et,
 
 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -277,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			outcome.Main(ctx, msg, &config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
@@ -323,7 +335,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagShort   bool
 			flagNoStore bool
 		)
-		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
+		c.NewCommand("show", "Show live or local instance configuration", func(args []string) error {
 			switch len(args) {
 			case 0: // system
 				printShowSystem(os.Stdout, flagShort, flagJSON)

cmd/hakurei/command_test.go

@@ -20,12 +20,12 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
 
 Commands:
-    app         Load and start container from configuration file
-    run         Configure and start a permissive container
-    show        Show live or local app configuration
+    run         Load and start container from configuration file
+    exec        Configure and start a permissive container
+    show        Show live or local instance configuration
     ps          List active instances
     version     Display version information
     license     Show full license text
@@ -35,8 +35,8 @@ Commands:
 `,
 		},
 		{
-			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
+			"exec", []string{"exec", "-h"}, `
+Usage:	hakurei exec [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 
 Flags:
   -X	Enable direct connection to X11

cmd/hakurei/json.go

@@ -7,7 +7,8 @@ import (
 	"strconv"
 )
 
-// decodeJSON decodes json from r and stores it in v. A non-nil error results in a call to fatal.
+// decodeJSON decodes json from r and stores it in v. A non-nil error results in
+// a call to fatal.
 func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any) {
 	err := json.NewDecoder(r).Decode(v)
 	if err == nil {
@@ -47,14 +48,14 @@ func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any) {
 	}
 
 	if err := encoder.Encode(v); err != nil {
-		var marshalerError *json.MarshalerError
-		if errors.As(err, &marshalerError) && marshalerError != nil {
+		if e, ok := errors.AsType[*json.MarshalerError](err); ok && e != nil {
 			// this likely indicates an implementation error in hst
-			fatal("cannot encode json for " + marshalerError.Type.String() + ": " + marshalerError.Err.Error())
+			fatal("cannot encode json for " + e.Type.String() + ": " + e.Err.Error())
 			return
 		}
 
-		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does not need to be handled
+		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does
+		// not need to be handled
 		fatal("cannot write json: " + err.Error())
 	}
 }

cmd/hakurei/main.go

@@ -1,8 +1,42 @@
+// Hakurei runs user-specified containers as subordinate users.
+//
+// This program is generally invoked by another, higher level program, which
+// creates container configuration via package [hst] or an implementation of it.
+//
+// The parent may leave files open and specify their file descriptor for various
+// uses. In these cases, standard streams and netpoll files are treated as
+// invalid file descriptors and rejected. All string representations must be in
+// decimal.
+//
+// When specifying a [hst.Config] JSON stream or file to the run subcommand, the
+// argument "-" is equivalent to stdin. Otherwise, file descriptor rules
+// described above applies. Invalid file descriptors are treated as file names
+// in their string representation, with the exception that if a netpoll file
+// descriptor is attempted, the program fails.
+//
+// The flag --identifier-fd can be optionally specified to the run subcommand to
+// receive the identifier of the newly started instance. File descriptor rules
+// described above applies, and the file must be writable. This is sent after
+// its state is made available, so the client must not attempt to poll for it.
+// This uses the internal binary format of [hst.ID].
+//
+// For the show and ps subcommands, the flag --json can be applied to the main
+// hakurei command to serialise output in JSON when applicable. Additionally,
+// the flag --short targeting each subcommand is used to omit some information
+// in both JSON and user-facing output. Only JSON-encoded output is covered
+// under the compatibility promise.
+//
+// A template for [hst.Config] demonstrating all available configuration fields
+// is returned by [hst.Template]. The JSON-encoded equivalent of this can be
+// obtained via the template subcommand. Fields left unpopulated in the template
+// (the direct_* family of fields, which are insecure under any configuration if
+// enabled) are unsupported.
+//
+// For simple (but insecure) testing scenarios, the exec subcommand can be used
+// to generate a simple, permissive configuration in-memory. See its help
+// message for all available options.
 package main
 
-// this works around go:embed '..' limitation
-//go:generate cp ../../LICENSE .
-
 import (
 	"context"
 	_ "embed"
@@ -17,12 +51,9 @@ import (
 	"hakurei.app/message"
 )
 
-var (
-	errSuccess = errors.New("success")
-
-	//go:embed LICENSE
-	license string
-)
+//go:generate cp ../../LICENSE .
+//go:embed LICENSE
+var license string
 
 // earlyHardeningErrs are errors collected while setting up early hardening feature.
 type earlyHardeningErrs struct{ yamaLSM, dumpable error }
@@ -31,8 +62,8 @@ func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
 	container.TryArgv0(nil)
 
-	log.SetPrefix("hakurei: ")
 	log.SetFlags(0)
+	log.SetPrefix("hakurei: ")
 	msg := message.New(log.Default())
 
 	early := earlyHardeningErrs{

cmd/hakurei/parse.go

@@ -17,8 +17,9 @@ import (
 )
 
 // tryPath attempts to read [hst.Config] from multiple sources.
-// tryPath reads from [os.Stdin] if name has value "-".
-// Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
+//
+// tryPath reads from [os.Stdin] if name has value "-". Otherwise, name is
+// passed to tryFd, and if that returns nil, name is passed to [os.Open].
 func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	var r io.ReadCloser
 	config = new(hst.Config)
@@ -46,7 +47,8 @@ func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	return
 }
 
-// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding
+// to a valid file descriptor.
 func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
@@ -60,7 +62,12 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {
 
 		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
-		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_FCNTL,
+			fd,
+			syscall.F_GETFD,
+			0,
+		); errno != 0 {
 			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
@@ -75,10 +82,12 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {
 	}
 }
 
-// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
+// shortLengthMin is the minimum length a short form identifier can have and
+// still be interpreted as an identifier.
 const shortLengthMin = 1 << 3
 
-// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
+// shortIdentifier returns an eight character short representation of [hst.ID]
+// from its random bytes.
 func shortIdentifier(id *hst.ID) string {
 	return shortIdentifierString(id.String())
 }
@@ -88,7 +97,8 @@ func shortIdentifierString(s string) string {
 	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
 }
 
-// tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of
+// [hst.ID] or a prefix of its lower half.
 func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	const (
 		likeShort = 1 << iota
@@ -96,7 +106,8 @@ func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	)
 
 	var likely uintptr
-	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
+	// half the hex representation
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) {
 		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {

cmd/hakurei/print.go

@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")

cmd/hakurei/print_test.go

@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Enablements: new(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),

cmd/hsu/conf.go

@@ -0,0 +1,7 @@
+//go:build !rosa
+
+package main
+
+// hsuConfPath is an absolute pathname to the hsu configuration file. Its
+// contents are interpreted by parseConfig.
+const hsuConfPath = "/etc/hsurc"

cmd/hsu/config_rosa.go

@@ -0,0 +1,7 @@
+//go:build rosa
+
+package main
+
+// hsuConfPath is the pathname to the hsu configuration file, specific to
+// Rosa OS. Its contents are interpreted by parseConfig.
+const hsuConfPath = "/system/etc/hsurc"

cmd/hsu/hst.go

@@ -1,6 +1,6 @@
 package main
 
-/* copied from hst and must never be changed */
+/* keep in sync with hst */
 
 const (
 	userOffset = 100000

cmd/hsu/main.go

@@ -1,25 +1,69 @@
+// hsu starts the hakurei shim as the target subordinate user.
+//
+// The hsu program must be installed with the setuid and setgid bit set, and
+// owned by root. A configuration file must be installed at /etc/hsurc with
+// permission bits 0400, and owned by root. Each line of the file specifies a
+// hakurei userid to kernel uid mapping. A line consists of the decimal string
+// representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the decimal string representation of its
+// userid. Duplicate uid entries are ignored, with the first occurrence taking
+// effect.
+//
+// For example, to map the kernel uid 1000 to the hakurei user id 0:
+//
+//	1000 0
+//
+// # Internals
+//
+// Hakurei and hsu holds pathnames pointing to each other set at link time. For
+// this reason, a distribution of hakurei has fixed installation prefix. Since
+// this program is never invoked by the user, behaviour described in the
+// following paragraphs are considered an internal detail and not covered by the
+// compatibility promise.
+//
+// Since target container environment variables are set up in shim via the
+// [container] infrastructure, the environment is used for parameters from the
+// parent process.
+//
+// HAKUREI_SHIM specifies a single byte between '3' and '9' representing the
+// setup pipe file descriptor. It is passed as is to the shim process and is the
+// only value in the environment of the shim process. Since hsurc is not
+// accessible to the parent process, leaving this unset causes hsu to print the
+// corresponding hakurei user id of the parent and terminate.
+//
+// HAKUREI_IDENTITY specifies the identity of the instance being started and is
+// used to produce the kernel uid alongside hakurei user id looked up from hsurc.
+//
+// HAKUREI_GROUPS specifies supplementary groups to inherit from the credentials
+// of the parent process in a ' ' separated list of decimal string
+// representations of gid. This has the unfortunate consequence of allowing
+// users mapped via hsurc to effectively drop group membership, so special care
+// must be taken to ensure this does not lead to an increase in access. This is
+// not applicable to Rosa OS since unsigned code execution is not permitted
+// outside hakurei containers, and is generally nonapplicable to the security
+// model of hakurei, where all untrusted code runs within containers.
 package main
 
-// minimise imports to avoid inadvertently calling init or global variable functions
-
 import (
 	"bytes"
 	"fmt"
 	"log"
 	"os"
-	"path"
+	"path/filepath"
 	"runtime"
 	"slices"
 	"strconv"
-	"strings"
 	"syscall"
 )
 
 const (
-	// envIdentity is the name of the environment variable holding a
-	// single byte representing the shim setup pipe file descriptor.
+	// envShim is the name of the environment variable holding a single byte
+	// representing the shim setup pipe file descriptor.
 	envShim = "HAKUREI_SHIM"
-	// envGroups holds a ' ' separated list of string representations of
+	// envIdentity is the name of the environment variable holding a decimal
+	// string representation of the current application identity.
+	envIdentity = "HAKUREI_IDENTITY"
+	// envGroups holds a ' ' separated list of decimal string representations of
 	// supplementary group gid. Membership requirements are enforced.
 	envGroups = "HAKUREI_GROUPS"
 )
@@ -35,7 +79,6 @@ func main() {
 
 	log.SetFlags(0)
 	log.SetPrefix("hsu: ")
-	log.SetOutput(os.Stderr)
 
 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
@@ -49,23 +92,11 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}
 
-	if !path.IsAbs(hakureiPath) {
+	if !filepath.IsAbs(hakureiPath) {
 		log.Fatal("this program is compiled incorrectly")
 		return
 	}
 
-	var toolPath string
-	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
-	if p, err := os.Readlink(pexe); err != nil {
-		log.Fatalf("cannot read parent executable path: %v", err)
-	} else if strings.HasSuffix(p, " (deleted)") {
-		log.Fatal("hakurei executable has been deleted")
-	} else if p != hakureiPath {
-		log.Fatal("this program must be started by hakurei")
-	} else {
-		toolPath = p
-	}
-
 	// refuse to run if hsurc is not protected correctly
 	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
@@ -99,8 +130,6 @@ func main() {
 		// last possible uid outcome
 		uidEnd = 999919999
 	)
-
-	// cast to int for use with library functions
 	uid := int(toUser(userid, identity))
 
 	// final bounds check to catch any bugs
@@ -136,7 +165,6 @@ func main() {
 	}
 
 	// careful! users in the allowlist is effectively allowed to drop groups via hsu
-
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
 	}
@@ -146,10 +174,21 @@ func main() {
 	if err := syscall.Setresuid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set uid: %v", err)
 	}
-	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+
+	if _, _, errno := syscall.AllThreadsSyscall(
+		syscall.SYS_PRCTL,
+		PR_SET_NO_NEW_PRIVS, 1,
+		0,
+	); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+
+	if err := syscall.Exec(hakureiPath, []string{
+		"hakurei",
+		"shim",
+	}, []string{
+		envShim + "=" + shimSetupFd,
+	}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
 

cmd/hsu/parse.go

@@ -18,8 +18,9 @@ const (
 	useridEnd = useridStart + rangeSize - 1
 )
 
-// parseUint32Fast parses a string representation of an unsigned 32-bit integer value
-// using the fast path only. This limits the range of values it is defined in.
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer
+// value using the fast path only. This limits the range of values it is defined
+// in but is perfectly adequate for this use case.
 func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
@@ -40,12 +41,14 @@ func parseUint32Fast(s string) (uint32, error) {
 	return n, nil
 }
 
-// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
+// parseConfig reads a list of allowed users from r until it encounters puid or
+// [io.EOF].
 //
-// Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
-// of the string representation of the uid of the user wishing to start hakurei containers,
-// followed by a space, followed by the string representation of its userid. Duplicate uid
-// entries are ignored, with the first occurrence taking effect.
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A
+// line consists of the string representation of the uid of the user wishing to
+// start hakurei containers, followed by a space, followed by the string
+// representation of its userid. Duplicate uid entries are ignored, with the
+// first occurrence taking effect.
 //
 // All string representations are parsed by calling parseUint32Fast.
 func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
@@ -81,10 +84,6 @@ func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	return useridEnd + 1, false, s.Err()
 }
 
-// hsuConfPath is an absolute pathname to the hsu configuration file.
-// Its contents are interpreted by parseConfig.
-const hsuConfPath = "/etc/hsurc"
-
 // mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
 // terminating the program if an error is encountered, the syntax is incorrect,
 // or the current user is not authorised to use hsu because its uid is missing.
@@ -112,10 +111,6 @@ func mustParseConfig(puid int) (userid uint32) {
 	return
 }
 
-// envIdentity is the name of the environment variable holding a
-// string representation of the current application identity.
-var envIdentity = "HAKUREI_IDENTITY"
-
 // mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
 // terminating the program if the value is not set, malformed, or out of bounds.
 func mustReadIdentity() uint32 {

cmd/mbf/cache.go

@@ -0,0 +1,136 @@
+package main
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+// cache refers to an instance of [pkg.Cache] that might be open.
+type cache struct {
+	ctx context.Context
+	msg message.Msg
+
+	// Should generally not be used directly.
+	c *pkg.Cache
+
+	cures, jobs int
+	// Primarily to work around missing landlock LSM.
+	hostAbstract bool
+	// Set SCHED_IDLE.
+	idle bool
+	// Unset [pkg.CSuppressInit].
+	verboseInit bool
+	// Loaded artifact of [rosa.QEMU].
+	qemu pkg.Artifact
+
+	base, mirror string
+}
+
+// open opens the underlying [pkg.Cache].
+func (cache *cache) open() (err error) {
+	if cache.c != nil {
+		return os.ErrInvalid
+	}
+
+	var base *check.Absolute
+	if cache.base, err = filepath.Abs(cache.base); err != nil {
+		return
+	} else if base, err = check.NewAbs(cache.base); err != nil {
+		return
+	}
+
+	var flags int
+	if cache.idle {
+		flags |= pkg.CSchedIdle
+	}
+	if cache.hostAbstract {
+		flags |= pkg.CHostAbstract
+	}
+	if !cache.verboseInit {
+		flags |= pkg.CSuppressInit
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-cache.ctx.Done():
+			if testing.Testing() {
+				return
+			}
+			os.Exit(2)
+
+		case <-done:
+			return
+		}
+	}()
+
+	cache.msg.Verbosef("opening cache at %s", base)
+	cache.c, err = pkg.Open(
+		cache.ctx,
+		cache.msg,
+		flags,
+		cache.cures,
+		cache.jobs,
+		base,
+	)
+	if err != nil {
+		return
+	}
+	done <- struct{}{}
+
+	if cache.mirror != "" {
+		var pub []byte
+		pub, err = os.ReadFile(base.Append("ed25519.pub").String())
+		if err != nil {
+			cache.c.Close()
+			return
+		}
+		var r rosa.Remote
+		if r, err = rosa.NewRemote(cache.mirror, pub, http.DefaultClient); err != nil {
+			cache.c.Close()
+			return err
+		}
+		cache.c.SetExternal(r)
+	}
+
+	if cache.qemu != nil {
+		var pathname *check.Absolute
+		pathname, _, err = cache.c.Cure(cache.qemu)
+		if err != nil {
+			cache.c.Close()
+			return
+		}
+
+		for arch, entry := range rosa.Arches(pathname) {
+			pkg.RegisterArch(arch, entry)
+		}
+	}
+
+	return
+}
+
+// Close closes the underlying [pkg.Cache] if it is open.
+func (cache *cache) Close() {
+	if cache.c != nil {
+		cache.c.Close()
+	}
+}
+
+// Do calls f on the underlying cache and returns its error value.
+func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
+	if cache.c == nil {
+		if err := cache.open(); err != nil {
+			return err
+		}
+	}
+	return f(cache.c)
+}

cmd/mbf/cache_test.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"log"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestCache(t *testing.T) {
+	t.Parallel()
+
+	cm := cache{
+		ctx:  t.Context(),
+		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
+		base: t.TempDir(),
+
+		hostAbstract: true, idle: true,
+	}
+	defer cm.Close()
+	cm.Close()
+
+	if err := cm.open(); err != nil {
+		t.Fatalf("open: error = %v", err)
+	}
+	if err := cm.open(); err != os.ErrInvalid {
+		t.Errorf("(duplicate) open: error = %v", err)
+	}
+
+	if err := cm.Do(func(cache *pkg.Cache) error {
+		return cache.Scrub(0)
+	}); err != nil {
+		t.Errorf("Scrub: error = %v", err)
+	}
+}

cmd/mbf/daemon.go

@@ -0,0 +1,354 @@
+package main
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"io"
+	"log"
+	"math"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+	"unique"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+)
+
+// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
+const daemonTimeout = 30 * time.Second
+
+// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
+// zero value when running in a test.
+func daemonDeadline() time.Time {
+	if testing.Testing() {
+		return time.Time{}
+	}
+	return time.Now().Add(daemonTimeout)
+}
+
+const (
+	// remoteNoReply notifies that the client will not receive a cure reply.
+	remoteNoReply = 1 << iota
+)
+
+// cureFromIR services an IR curing request.
+func cureFromIR(
+	cache *pkg.Cache,
+	conn net.Conn,
+	flags uint64,
+) (pkg.Artifact, error) {
+	a, decodeErr := cache.NewDecoder(conn).Decode()
+	if decodeErr != nil {
+		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
+		return nil, errors.Join(decodeErr, err, conn.Close())
+	}
+
+	pathname, _, cureErr := cache.Cure(a)
+	if flags&remoteNoReply != 0 {
+		return a, errors.Join(cureErr, conn.Close())
+	}
+	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	if cureErr != nil {
+		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	_, err := conn.Write([]byte(pathname.String()))
+	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
+		return a, nil
+	}
+	return a, errors.Join(err, conn.Close())
+}
+
+const (
+	// specialCancel is a message consisting of a single identifier referring
+	// to a curing artifact to be cancelled.
+	specialCancel = iota
+	// specialAbort requests for all pending cures to be aborted. It has no
+	// message body.
+	specialAbort
+
+	// remoteSpecial denotes a special message with custom layout.
+	remoteSpecial = math.MaxUint64
+)
+
+// writeSpecialHeader writes the header of a remoteSpecial message.
+func writeSpecialHeader(conn net.Conn, kind uint64) error {
+	var sh [16]byte
+	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
+	binary.LittleEndian.PutUint64(sh[8:], kind)
+	if n, err := conn.Write(sh[:]); err != nil {
+		return err
+	} else if n != len(sh) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+// cancelIdent reads an identifier from conn and cancels the corresponding cure.
+func cancelIdent(
+	cache *pkg.Cache,
+	conn net.Conn,
+) (*pkg.ID, bool, error) {
+	var ident pkg.ID
+	if _, err := io.ReadFull(conn, ident[:]); err != nil {
+		return nil, false, errors.Join(err, conn.Close())
+	}
+	ok := cache.Cancel(unique.Make(ident))
+	return &ident, ok, conn.Close()
+}
+
+// serve services connections from a [net.UnixListener].
+func serve(
+	ctx context.Context,
+	log *log.Logger,
+	cm *cache,
+	ul *net.UnixListener,
+) error {
+	ul.SetUnlinkOnClose(true)
+	if cm.c == nil {
+		if err := cm.open(); err != nil {
+			return errors.Join(err, ul.Close())
+		}
+	}
+
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
+	wg.Go(func() {
+		for {
+			if ctx.Err() != nil {
+				break
+			}
+
+			conn, err := ul.AcceptUnix()
+			if err != nil {
+				if !errors.Is(err, os.ErrDeadlineExceeded) {
+					log.Println(err)
+				}
+				continue
+			}
+			wg.Go(func() {
+				done := make(chan struct{})
+				defer close(done)
+				go func() {
+					select {
+					case <-ctx.Done():
+						_ = conn.SetDeadline(time.Now())
+
+					case <-done:
+						return
+					}
+				}()
+
+				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+
+				var word [8]byte
+				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+				flags := binary.LittleEndian.Uint64(word[:])
+
+				if flags == remoteSpecial {
+					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+						log.Println(_err)
+						if _err = conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+						return
+					}
+					switch special := binary.LittleEndian.Uint64(word[:]); special {
+					default:
+						log.Printf("invalid special %d", special)
+
+					case specialCancel:
+						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
+							log.Println(_err)
+						} else if !ok {
+							log.Println(
+								"attempting to cancel invalid artifact",
+								pkg.Encode(*id),
+							)
+						} else {
+							log.Println(
+								"cancelled artifact",
+								pkg.Encode(*id),
+							)
+						}
+
+					case specialAbort:
+						log.Println("aborting all pending cures")
+						cm.c.Abort()
+						if _err := conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+					}
+
+					return
+				}
+
+				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
+					log.Println(_err)
+				} else {
+					log.Printf(
+						"fulfilled artifact %s",
+						pkg.Encode(cm.c.Ident(a).Value()),
+					)
+				}
+			})
+		}
+	})
+
+	<-ctx.Done()
+	if err := ul.SetDeadline(time.Now()); err != nil {
+		return errors.Join(err, ul.Close())
+	}
+	wg.Wait()
+	return ul.Close()
+}
+
+// dial wraps [net.DialUnix] with a context.
+func dial(ctx context.Context, addr *net.UnixAddr) (
+	done chan<- struct{},
+	conn *net.UnixConn,
+	err error,
+) {
+	conn, err = net.DialUnix("unix", nil, addr)
+	if err != nil {
+		return
+	}
+
+	d := make(chan struct{})
+	done = d
+	go func() {
+		select {
+		case <-ctx.Done():
+			_ = conn.SetDeadline(time.Now())
+
+		case <-d:
+			return
+		}
+	}()
+	return
+}
+
+// cureRemote cures a [pkg.Artifact] on a daemon.
+func cureRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	flags uint64,
+) (*check.Absolute, error) {
+	if flags == remoteSpecial {
+		return nil, syscall.EINVAL
+	}
+
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	defer close(done)
+
+	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
+		return nil, errors.Join(flagErr, conn.Close())
+	} else if n != 8 {
+		return nil, errors.Join(io.ErrShortWrite, conn.Close())
+	}
+
+	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	} else if err = conn.CloseWrite(); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	}
+
+	if flags&remoteNoReply != 0 {
+		return nil, conn.Close()
+	}
+
+	payload, recvErr := io.ReadAll(conn)
+	if err = errors.Join(recvErr, conn.Close()); err != nil {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
+			if cancelErr := ctx.Err(); cancelErr != nil {
+				err = cancelErr
+			}
+		}
+		return nil, err
+	}
+
+	if len(payload) > 0 && payload[0] == 0 {
+		return nil, errors.New(string(payload[1:]))
+	}
+
+	var p *check.Absolute
+	p, err = check.NewAbs(string(payload))
+	return p, err
+}
+
+// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
+func cancelRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	if err = writeSpecialHeader(conn, specialCancel); err != nil {
+		return errors.Join(err, conn.Close())
+	}
+
+	var n int
+	id := pkg.NewIR().Ident(a).Value()
+	if n, err = conn.Write(id[:]); err != nil {
+		return errors.Join(err, conn.Close())
+	} else if n != len(id) {
+		return errors.Join(io.ErrShortWrite, conn.Close())
+	}
+	if wait {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}
+
+// abortRemote aborts all [pkg.Artifact] curing on a daemon.
+func abortRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	err = writeSpecialHeader(conn, specialAbort)
+	if wait && err == nil {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}

cmd/mbf/daemon_test.go

@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"log"
+	"net"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestNoReply(t *testing.T) {
+	t.Parallel()
+	if !daemonDeadline().IsZero() {
+		t.Fatal("daemonDeadline did not return the zero value")
+	}
+
+	c, err := pkg.Open(
+		t.Context(),
+		message.New(log.New(os.Stderr, "cir: ", 0)),
+		0, 0, 0,
+		check.MustAbs(t.TempDir()),
+	)
+	if err != nil {
+		t.Fatalf("Open: error = %v", err)
+	}
+	defer c.Close()
+
+	client, server := net.Pipe()
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		go func() {
+			<-t.Context().Done()
+			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
+				panic(_err)
+			}
+		}()
+
+		if _err := c.EncodeAll(
+			client,
+			pkg.NewFile("check", []byte{0}),
+		); _err != nil {
+			panic(_err)
+		} else if _err = client.Close(); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	a, cureErr := cureFromIR(c, server, remoteNoReply)
+	if cureErr != nil {
+		t.Fatalf("cureFromIR: error = %v", cureErr)
+	}
+
+	<-done
+	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
+	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
+		t.Errorf(
+			"cureFromIR: %s, want %s",
+			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
+		)
+	}
+}
+
+func TestDaemon(t *testing.T) {
+	t.Parallel()
+
+	var buf bytes.Buffer
+	logger := log.New(&buf, "daemon: ", 0)
+
+	addr := net.UnixAddr{
+		Name: filepath.Join(t.TempDir(), "daemon"),
+		Net:  "unix",
+	}
+
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	cm := cache{
+		ctx:  ctx,
+		msg:  message.New(logger),
+		base: t.TempDir(),
+	}
+	defer cm.Close()
+
+	ul, err := net.ListenUnix("unix", &addr)
+	if err != nil {
+		t.Fatalf("ListenUnix: error = %v", err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		if _err := serve(ctx, logger, &cm, ul); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
+		t.Fatalf("cancelRemote: error = %v", err)
+	}
+
+	if err = abortRemote(ctx, &addr, true); err != nil {
+		t.Fatalf("abortRemote: error = %v", err)
+	}
+
+	// keep this last for synchronisation
+	var p *check.Absolute
+	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
+	if err != nil {
+		t.Fatalf("cureRemote: error = %v", err)
+	}
+
+	cancel()
+	<-done
+
+	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
+	if got := filepath.Base(p.String()); got != want {
+		t.Errorf("cureRemote: %s, want %s", got, want)
+	}
+
+	wantLog := []string{
+		"",
+		"daemon: aborting all pending cures",
+		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
+		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
+	}
+	gotLog := strings.Split(buf.String(), "\n")
+	slices.Sort(gotLog)
+	if !slices.Equal(gotLog, wantLog) {
+		t.Errorf(
+			"serve: logged\n%s\nwant\n%s",
+			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
+		)
+	}
+}

cmd/mbf/info.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"unique"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+// commandInfo implements the info subcommand.
+func commandInfo(
+	cm *cache,
+	args []string,
+	w io.Writer,
+	writeStatus bool,
+	r *rosa.Report,
+) (err error) {
+	if len(args) == 0 {
+		return errors.New("info requires at least 1 argument")
+	}
+
+	// recovered by HandleAccess
+	mustPrintln := func(a ...any) {
+		if _, _err := fmt.Fprintln(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+	mustPrint := func(a ...any) {
+		if _, _err := fmt.Fprint(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+
+	t := rosa.Native().Std()
+	for i, name := range args {
+		handle := rosa.ArtifactH(unique.Make(name))
+		if meta, a := t.Load(handle); meta == nil {
+			return fmt.Errorf("unknown artifact %q", name)
+		} else {
+			var suffix string
+
+			if meta.Version != rosa.Unversioned {
+				suffix += "-" + meta.Version
+			}
+			mustPrintln("name        : " + name + suffix)
+
+			mustPrintln("description : " + meta.Description)
+			if meta.Website != "" {
+				mustPrintln("website     : " +
+					strings.TrimSuffix(meta.Website, "/"))
+			}
+			if len(meta.Dependencies) > 0 {
+				mustPrint("depends on  :")
+				for _, d := range meta.Dependencies {
+					_meta, _ := rosa.Native().Std().MustLoad(d)
+					s := _meta.Name
+					if _meta.Version != rosa.Unversioned {
+						s += "-" + _meta.Version
+					}
+					mustPrint(" " + s)
+				}
+				mustPrintln()
+			}
+
+			const statusPrefix = "status      : "
+			if writeStatus {
+				if r == nil {
+					var f io.ReadSeekCloser
+					err = cm.Do(func(cache *pkg.Cache) (err error) {
+						f, err = cache.OpenStatus(a)
+						return
+					})
+					if err != nil {
+						if errors.Is(err, os.ErrNotExist) {
+							mustPrintln(
+								statusPrefix + "not yet cured",
+							)
+						} else {
+							return
+						}
+					} else {
+						mustPrint(statusPrefix)
+						_, err = io.Copy(w, f)
+						if err = errors.Join(err, f.Close()); err != nil {
+							return
+						}
+					}
+				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					status, n := r.ArtifactOf(cache.Ident(a))
+					if status == nil {
+						mustPrintln(
+							statusPrefix + "not in report",
+						)
+					} else {
+						mustPrintln("size        :", n)
+						mustPrint(statusPrefix)
+						if _, err = w.Write(status); err != nil {
+							return
+						}
+					}
+					return
+				}); err != nil {
+					return
+				}
+			}
+
+			if i != len(args)-1 {
+				mustPrintln()
+			}
+		}
+	}
+	return nil
+}

cmd/mbf/info_test.go

@@ -0,0 +1,190 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	"unique"
+	"unsafe"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func TestInfo(t *testing.T) {
+	t.Parallel()
+
+	_t := rosa.Native().Std()
+	qemuMeta, _ := _t.Load(rosa.H("qemu"))
+	glibMeta, _ := _t.Load(rosa.H("glib"))
+	zlibMeta, zlib := _t.Load(rosa.H("zlib"))
+	zstdMeta, _ := _t.Load(rosa.H("zstd"))
+	hakureiMeta, _ := _t.Load(rosa.H("hakurei"))
+	hakureiDistMeta, _ := _t.Load(rosa.H("hakurei-dist"))
+
+	testCases := []struct {
+		name    string
+		args    []string
+		status  map[string]string
+		report  string
+		want    string
+		wantErr any
+	}{
+		{"qemu", []string{"qemu"}, nil, "", `
+name        : qemu-` + qemuMeta.Version + `
+description : a generic and open source machine emulator and virtualizer
+website     : https://www.qemu.org
+depends on  : glib-` + glibMeta.Version + ` zstd-` + zstdMeta.Version + `
+`, nil},
+
+		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
+name        : hakurei-` + hakureiMeta.Version + `
+description : low-level userspace tooling for Rosa OS
+website     : https://hakurei.app
+
+name        : hakurei-dist-` + hakureiDistMeta.Version + `
+description : low-level userspace tooling for Rosa OS (distribution tarball)
+website     : https://hakurei.app
+`, nil},
+
+		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+
+`, fmt.Errorf("unknown artifact %q", "\x00")},
+
+		{"status cache", []string{"zlib", "zstd"}, map[string]string{
+			"zstd":    "internal/pkg (amd64) on satori\n",
+			"hakurei": "internal/pkg (amd64) on satori\n\n",
+		}, "", `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not yet cured
+
+name        : zstd-` + zstdMeta.Version + `
+description : a fast compression algorithm
+website     : https://facebook.github.io/zstd
+status      : internal/pkg (amd64) on satori
+`, nil},
+
+		{"status cache perm", []string{"zlib"}, map[string]string{
+			"zlib": "\x00",
+		}, "", `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+`, func(cm *cache) error {
+			return &os.PathError{
+				Op:   "open",
+				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(zlib).Value())),
+				Err:  syscall.EACCES,
+			}
+		}},
+
+		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not in report
+`, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				cm  *cache
+				buf strings.Builder
+				r   *rosa.Report
+			)
+
+			if tc.status != nil || tc.report != "" {
+				cm = &cache{
+					ctx:  context.Background(),
+					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
+					base: t.TempDir(),
+				}
+				defer cm.Close()
+			}
+
+			if tc.report != "" {
+				pathname := filepath.Join(t.TempDir(), "report")
+				err := os.WriteFile(
+					pathname,
+					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
+					0400,
+				)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				r, err = rosa.OpenReport(pathname)
+				if err != nil {
+					t.Fatal(err)
+				}
+				defer func() {
+					if err = r.Close(); err != nil {
+						t.Fatal(err)
+					}
+				}()
+			}
+
+			if tc.status != nil {
+				for name, status := range tc.status {
+					_, a := _t.Load(rosa.ArtifactH(unique.Make(name)))
+					if a == nil {
+						t.Fatalf("invalid name %q", name)
+					}
+					perm := os.FileMode(0400)
+					if status == "\x00" {
+						perm = 0
+					}
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						return os.WriteFile(filepath.Join(
+							cm.base,
+							"status",
+							pkg.Encode(cache.Ident(a).Value()),
+						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
+					}); err != nil {
+						t.Fatalf("Do: error = %v", err)
+					}
+				}
+			}
+
+			var wantErr error
+			switch c := tc.wantErr.(type) {
+			case error:
+				wantErr = c
+			case func(cm *cache) error:
+				wantErr = c(cm)
+			default:
+				if tc.wantErr != nil {
+					t.Fatalf("invalid wantErr %#v", tc.wantErr)
+				}
+			}
+
+			if err := commandInfo(
+				cm,
+				tc.args,
+				&buf,
+				cm != nil,
+				r,
+			); !reflect.DeepEqual(err, wantErr) {
+				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
+			}
+
+			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
+				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
+			}
+		})
+	}
+}

cmd/mbf/internal/pkgserver/api.go

@@ -0,0 +1,202 @@
+// Package pkgserver implements the package metadata service backend.
+package pkgserver
+
+import (
+	"context"
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"sync"
+	"time"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// for lazy initialisation of serveInfo
+var (
+	infoPayload struct {
+		// Current package count.
+		Count int `json:"count"`
+		// Hakurei version, set at link time.
+		HakureiVersion string `json:"hakurei_version"`
+	}
+	infoPayloadOnce sync.Once
+)
+
+// handleInfo writes constant system information.
+func handleInfo(w http.ResponseWriter, _ *http.Request) {
+	infoPayloadOnce.Do(func() {
+		infoPayload.Count = len(rosa.Native().Collect())
+		infoPayload.HakureiVersion = info.Version()
+	})
+	// TODO(mae): cache entire response if no additional fields are planned
+	writeAPIPayload(w, infoPayload)
+}
+
+// newStatusHandler returns a [http.HandlerFunc] that offers status files for
+// viewing or download, if available.
+func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		m, ok := index.names[path.Base(r.URL.Path)]
+		if !ok || !m.HasReport {
+			http.NotFound(w, r)
+			return
+		}
+
+		contentType := "text/plain; charset=utf-8"
+		if disposition {
+			contentType = "application/octet-stream"
+
+			// quoting like this is unsound, but okay, because metadata is hardcoded
+			contentDisposition := `attachment; filename="`
+			contentDisposition += m.Name + "-"
+			if m.Version != "" {
+				contentDisposition += m.Version + "-"
+			}
+			contentDisposition += m.ids + `.log"`
+			w.Header().Set("Content-Disposition", contentDisposition)
+		}
+		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		if err := func() (err error) {
+			defer index.handleAccess(&err)()
+			_, err = w.Write(m.status)
+			return
+		}(); err != nil {
+			log.Println(err)
+			http.Error(
+				w, "cannot deliver status, contact maintainers",
+				http.StatusInternalServerError,
+			)
+		}
+	}
+}
+
+// handleGet writes a slice of metadata with specified order.
+func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(len(index.sorts[0])-1),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	sort, err := strconv.Atoi(q.Get("sort"))
+	if err != nil || sort >= len(index.sorts) || sort < 0 {
+		http.Error(
+			w, "sort must be an integer between 0 and "+
+				strconv.Itoa(sortOrderEnd),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
+	writeAPIPayload(w, &struct {
+		Values []*metadata `json:"values"`
+	}{values})
+}
+
+func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(len(index.sorts[0])-1),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	search, err := url.QueryUnescape(q.Get("search"))
+	if len(search) > 100 || err != nil {
+		http.Error(
+			w, "search must be a string between 0 and 100 characters long",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	desc := q.Get("desc") == "true"
+	n, res, err := index.performSearchQuery(limit, i, search, desc)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+	writeAPIPayload(w, &struct {
+		Count  int            `json:"count"`
+		Values []searchResult `json:"values"`
+	}{n, res})
+}
+
+// apiVersion is the name of the current API revision, as part of the pattern.
+const apiVersion = "v1"
+
+// registerAPI registers API handler functions.
+func (index *packageIndex) registerAPI(mux *http.ServeMux) {
+	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
+	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
+	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
+	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
+	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
+}
+
+// Register arranges for mux to service API requests.
+func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
+	var index packageIndex
+	index.search = make(searchCache)
+	if err := index.populate(report); err != nil {
+		return err
+	}
+	ticker := time.NewTicker(1 * time.Minute)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				index.search.clean()
+			}
+		}
+	}()
+	index.registerAPI(mux)
+	return nil
+}
+
+// writeAPIPayload sets headers common to API responses and encodes payload as
+// JSON for the response body.
+func writeAPIPayload(w http.ResponseWriter, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+
+	if err := json.NewEncoder(w).Encode(payload); err != nil {
+		log.Println(err)
+		http.Error(
+			w, "cannot encode payload, contact maintainers",
+			http.StatusInternalServerError,
+		)
+	}
+}

cmd/mbf/internal/pkgserver/api_test.go

@@ -0,0 +1,111 @@
+package pkgserver
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// prefix is prepended to every API path.
+const prefix = "/api/" + apiVersion + "/"
+
+func TestAPIInfo(t *testing.T) {
+	t.Parallel()
+
+	w := httptest.NewRecorder()
+	handleInfo(w, httptest.NewRequestWithContext(
+		t.Context(),
+		http.MethodGet,
+		prefix+"info",
+		nil,
+	))
+
+	resp := w.Result()
+	checkStatus(t, resp, http.StatusOK)
+	checkAPIHeader(t, w.Header())
+
+	checkPayload(t, resp, struct {
+		Count          int    `json:"count"`
+		HakureiVersion string `json:"hakurei_version"`
+	}{len(rosa.Native().Collect()), info.Version()})
+}
+
+func TestAPIGet(t *testing.T) {
+	t.Parallel()
+	const target = prefix + "get"
+
+	index := newIndex(t)
+	newRequest := func(suffix string) *httptest.ResponseRecorder {
+		w := httptest.NewRecorder()
+		index.handleGet(w, httptest.NewRequestWithContext(
+			t.Context(),
+			http.MethodGet,
+			target+suffix,
+			nil,
+		))
+		return w
+	}
+
+	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
+		t.Run("invalid", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=invalid")
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+		})
+
+		t.Run("min", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+
+		t.Run("max", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+	}
+
+	t.Run("limit", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&sort=0&limit", 1, 100,
+			"limit must be an integer between 1 and 100",
+		)
+	})
+
+	count := len(rosa.Native().Collect())
+	t.Run("index", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "limit=1&sort=0&index", 0, count-1,
+			"index must be an integer between 0 and "+strconv.Itoa(count-1),
+		)
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
+			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
+		)
+	})
+}

cmd/mbf/internal/pkgserver/index.go

@@ -0,0 +1,108 @@
+package pkgserver
+
+import (
+	"cmp"
+	"errors"
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+const (
+	declarationAscending = iota
+	declarationDescending
+	nameAscending
+	nameDescending
+	sizeAscending
+	sizeDescending
+
+	sortOrderEnd = iota - 1
+)
+
+// packageIndex refers to metadata by name and various sort orders.
+type packageIndex struct {
+	sorts  [sortOrderEnd + 1][]*metadata
+	names  map[string]*metadata
+	search searchCache
+	// Taken from [rosa.Report] if available.
+	handleAccess func(*error) func()
+}
+
+// metadata holds [rosa.Metadata] extended with additional information.
+type metadata struct {
+	handle rosa.ArtifactH
+	*rosa.Metadata
+
+	// Copied from [rosa.Metadata], [rosa.Unversioned] is equivalent to the zero
+	// value. Otherwise, the zero value is invalid.
+	Version string `json:"version,omitempty"`
+	// Output data size, available if present in report.
+	Size int64 `json:"size,omitempty"`
+	// Whether the underlying [pkg.Artifact] is present in the report.
+	HasReport bool `json:"report"`
+
+	// Ident string encoded ahead of time.
+	ids string
+	// Backed by [rosa.Report], access must be prepared by HandleAccess.
+	status []byte
+}
+
+// populate deterministically populates packageIndex, optionally with a report.
+func (index *packageIndex) populate(report *rosa.Report) (err error) {
+	if report != nil {
+		defer report.HandleAccess(&err)()
+		index.handleAccess = report.HandleAccess
+	}
+
+	handles := rosa.Native().Collect()
+	work := make([]*metadata, len(handles))
+	index.names = make(map[string]*metadata)
+	ir := pkg.NewIR()
+	for i, handle := range handles {
+		meta, a := rosa.Native().Std().MustLoad(handle)
+		m := metadata{
+			handle: handle,
+
+			Metadata: meta,
+			Version:  meta.Version,
+		}
+		if m.Version == "" {
+			return errors.New("invalid version from " + m.Name)
+		}
+		if m.Version == rosa.Unversioned {
+			m.Version = ""
+		}
+
+		if report != nil {
+			id := ir.Ident(a)
+			m.ids = pkg.Encode(id.Value())
+			m.status, m.Size = report.ArtifactOf(id)
+			m.HasReport = m.Size >= 0
+		}
+
+		work[i] = &m
+		index.names[m.Name] = &m
+	}
+
+	index.sorts[declarationAscending] = work
+	index.sorts[declarationDescending] = slices.Clone(work)
+	slices.Reverse(index.sorts[declarationDescending][:])
+
+	index.sorts[nameAscending] = slices.Clone(work)
+	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	index.sorts[nameDescending] = slices.Clone(index.sorts[nameAscending])
+	slices.Reverse(index.sorts[nameDescending][:])
+
+	index.sorts[sizeAscending] = slices.Clone(work)
+	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
+		return cmp.Compare(a.Size, b.Size)
+	})
+	index.sorts[sizeDescending] = slices.Clone(index.sorts[sizeAscending])
+	slices.Reverse(index.sorts[sizeDescending][:])
+
+	return
+}

cmd/mbf/internal/pkgserver/index_test.go

@@ -0,0 +1,96 @@
+package pkgserver
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+// newIndex returns the address of a newly populated packageIndex.
+func newIndex(t *testing.T) *packageIndex {
+	t.Helper()
+
+	var index packageIndex
+	if err := index.populate(nil); err != nil {
+		t.Fatalf("populate: error = %v", err)
+	}
+	return &index
+}
+
+// checkStatus checks response status code.
+func checkStatus(t *testing.T, resp *http.Response, want int) {
+	t.Helper()
+
+	if resp.StatusCode != want {
+		t.Errorf(
+			"StatusCode: %s, want %s",
+			http.StatusText(resp.StatusCode),
+			http.StatusText(want),
+		)
+	}
+}
+
+// checkHeader checks the value of a header entry.
+func checkHeader(t *testing.T, h http.Header, key, want string) {
+	t.Helper()
+
+	if got := h.Get(key); got != want {
+		t.Errorf("%s: %q, want %q", key, got, want)
+	}
+}
+
+// checkAPIHeader checks common entries set for API endpoints.
+func checkAPIHeader(t *testing.T, h http.Header) {
+	t.Helper()
+
+	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
+	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
+	checkHeader(t, h, "Pragma", "no-cache")
+	checkHeader(t, h, "Expires", "0")
+}
+
+// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
+func checkPayloadFunc[T any](
+	t *testing.T,
+	resp *http.Response,
+	f func(got *T) bool,
+) {
+	t.Helper()
+
+	var got T
+	r := io.Reader(resp.Body)
+	if testing.Verbose() {
+		var buf bytes.Buffer
+		r = io.TeeReader(r, &buf)
+		defer func() { t.Helper(); t.Log(buf.String()) }()
+	}
+	if err := json.NewDecoder(r).Decode(&got); err != nil {
+		t.Fatalf("Decode: error = %v", err)
+	}
+
+	if !f(&got) {
+		t.Errorf("Body: %#v", got)
+	}
+}
+
+// checkPayload checks the JSON response of an API endpoint.
+func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
+	t.Helper()
+
+	checkPayloadFunc(t, resp, func(got *T) bool {
+		return reflect.DeepEqual(got, &want)
+	})
+}
+
+func checkError(t *testing.T, resp *http.Response, error string, code int) {
+	t.Helper()
+
+	checkStatus(t, resp, code)
+	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
+		t.Errorf("Body: %q, want %q", string(got), error)
+	}
+}

cmd/mbf/internal/pkgserver/search.go

@@ -0,0 +1,81 @@
+package pkgserver
+
+import (
+	"cmp"
+	"maps"
+	"regexp"
+	"slices"
+	"time"
+)
+
+type searchCache map[string]searchCacheEntry
+type searchResult struct {
+	NameIndices [][]int `json:"name_matches"`
+	DescIndices [][]int `json:"desc_matches,omitempty"`
+	Score       float64 `json:"score"`
+	*metadata
+}
+type searchCacheEntry struct {
+	query   string
+	results []searchResult
+	expiry  time.Time
+}
+
+func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
+	query := search
+	if desc {
+		query += ";withDesc"
+	}
+	entry, ok := index.search[query]
+	if ok && len(entry.results) > 0 {
+		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
+	}
+
+	regex, err := regexp.Compile(search)
+	if err != nil {
+		return 0, make([]searchResult, 0), err
+	}
+	res := make([]searchResult, 0)
+	for p := range maps.Values(index.names) {
+		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
+		var descIndices [][]int = nil
+		if desc {
+			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
+		}
+		if nameIndices == nil && descIndices == nil {
+			continue
+		}
+		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
+		if desc {
+			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
+		}
+		res = append(res, searchResult{
+			NameIndices: nameIndices,
+			DescIndices: descIndices,
+			Score:       score,
+			metadata:    p,
+		})
+	}
+	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
+	expiry := time.Now().Add(1 * time.Minute)
+	entry = searchCacheEntry{
+		query:   search,
+		results: res,
+		expiry:  expiry,
+	}
+	index.search[query] = entry
+
+	return len(res), res[i:min(i+limit, len(entry.results))], nil
+}
+func (s *searchCache) clean() {
+	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
+		return v.expiry.Before(time.Now())
+	})
+}
+func indexsum(in [][]int) int {
+	sum := 0
+	for i := range in {
+		sum += in[i][1] - in[i][0]
+	}
+	return sum
+}

cmd/mbf/internal/pkgserver/ui/index.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="style.css">
+    <link rel="icon" href="https://hakurei.app/favicon.ico"/>
+    <title>Rosa OS Packages</title>
+    <script src="index.js"></script>
+</head>
+<body>
+<h1>Rosa OS Packages</h1>
+<div class="top-controls" id="top-controls-regular">
+    <p>Showing entries <span id="entry-counter"></span>.</p>
+    <span id="search-bar">
+        <label for="search">Search: </label>
+        <input type="text" name="search" id="search"/>
+        <button onclick="doSearch()">Find</button>
+        <label for="include-desc">Include descriptions: </label>
+        <input type="checkbox" name="include-desc" id="include-desc" checked/>
+    </span>
+    <div><label for="count">Entries per page: </label><select name="count" id="count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
+        <option value="0">Definition (ascending)</option>
+        <option value="1">Definition (descending)</option>
+        <option value="2">Name (ascending)</option>
+        <option value="3">Name (descending)</option>
+        <option value="4">Size (ascending)</option>
+        <option value="5">Size (descending)</option>
+    </select></div>
+</div>
+<div class="top-controls" id="search-top-controls" hidden>
+    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
+    <button onclick="exitSearch()">Back</button>
+    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <p>Sorted by best match</p>
+</div>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+<script>main();</script>
+</body>
+</html>

cmd/mbf/internal/pkgserver/ui/index.ts

@@ -0,0 +1,331 @@
+interface PackageIndexEntry {
+    name: string
+    size?: number
+    description?: string
+    website?: string
+    version?: string
+    report?: boolean
+}
+
+function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let n: string
+    let d: string
+    if ('name_matches' in entry) {
+        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
+    } else {
+        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
+    }
+    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
+        d = descMatches(entry as SearchResult)
+    } else {
+        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
+    }
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            ${n}
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function nameMatches(sr: SearchResult): string {
+    return markMatches(sr.name, sr.name_matches)
+}
+
+function descMatches(sr: SearchResult): string {
+    return markMatches(sr.description!, sr.desc_matches)
+}
+
+function markMatches(str: string, indices: [number, number][]): string {
+    if (indices == null) {
+        return str
+    }
+    let out: string = ""
+    let j = 0
+    for (let i = 0; i < str.length; i++) {
+        if (j < indices.length) {
+            if (i === indices[j][0]) {
+                out += `<mark>${escapeHtmlChar(str[i])}`
+                continue
+            }
+            if (i === indices[j][1]) {
+                out += `</mark>${escapeHtmlChar(str[i])}`
+                j++
+                continue
+            }
+        }
+        out += escapeHtmlChar(str[i])
+    }
+    if (indices[j] !== undefined) {
+        out += "</mark>"
+    }
+    return out
+}
+
+function toByteSizeString(bytes: number): string {
+    if (bytes == null) return `unspecified`
+    if (bytes < 1024) return `${bytes}B`
+    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
+    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
+    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
+    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+
+interface InfoPayload {
+    count?: number
+    hakurei_version?: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload as InfoPayload
+}
+
+interface GetPayload {
+    values?: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload as GetPayload
+}
+
+interface SearchResult extends PackageIndexEntry {
+    name_matches: [number, number][]
+    desc_matches: [number, number][]
+    score: number
+}
+
+interface SearchPayload {
+    count?: number
+    values?: SearchResult[]
+}
+
+async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
+    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
+    if (!res.ok) {
+        exitSearch()
+        alert("invalid search query!")
+        return Promise.reject(res.statusText)
+    }
+    const payload = await res.json()
+    return payload as SearchPayload
+}
+
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxTotal: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+    search: boolean = false
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+
+    getMaxTotal(): number {
+        return this.maxTotal
+    }
+
+    setMaxTotal(max: number) {
+        this.maxTotal = max
+    }
+
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        for (let e of document.getElementsByClassName("page-number")) {
+            (e as HTMLInputElement).value = String(page)
+        }
+    }
+
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
+        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
+        if (this.search) {
+            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
+            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
+        }
+    }
+
+    getSearchQuery(): string {
+        let queryString = document.getElementById("search")!;
+        return (queryString as HTMLInputElement).value
+    }
+
+    getIncludeDescriptions(): boolean {
+        let includeDesc = document.getElementById("include-desc")!;
+        return (includeDesc as HTMLInputElement).checked
+    }
+
+    updateListings() {
+        if (this.search) {
+            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                    STATE.maxTotal = res.count!
+                    STATE.updateRange()
+                    if(res.count! < 1) {
+                        exitSearch()
+                        alert("no results found!")
+                    }
+                })
+        } else {
+            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                })
+        }
+    }
+}
+
+let STATE: State
+
+
+function lastPageIndex(): number {
+    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
+}
+
+function setPage(page: number) {
+    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
+}
+
+
+function escapeHtml(str?: string): string {
+    let out: string = ''
+    if (str == undefined) return ""
+    for (let i = 0; i < str.length; i++) {
+        out += escapeHtmlChar(str[i])
+    }
+    return out
+}
+
+function escapeHtmlChar(char: string): string {
+    if (char.length != 1) return char
+    switch (char[0]) {
+        case '&':
+            return "&amp;"
+        case '<':
+            return "&lt;"
+        case '>':
+            return "&gt;"
+        case '"':
+            return "&quot;"
+        case "'":
+            return "&apos;"
+        default:
+            return char
+    }
+}
+
+function firstPage() {
+    STATE.setEntryIndex(0)
+}
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+
+function lastPage() {
+    STATE.setEntryIndex(lastPageIndex())
+}
+
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
+}
+
+function doSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = true;
+    STATE.setEntryIndex(0);
+}
+
+function exitSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = false;
+    STATE.setMaxTotal(STATE.maxEntries)
+    STATE.setEntryIndex(0)
+}
+
+function main() {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.maxEntries = res.count!
+            STATE.setMaxTotal(STATE.maxEntries)
+            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+    for (let e of document.getElementsByClassName("page-number")) {
+        e.addEventListener("change", (_) => {
+            setPage(parseInt((e as HTMLInputElement).value))
+        })
+    }
+    document.getElementById("count")?.addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("sort")?.addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("search")?.addEventListener("keyup", (event) => {
+        if (event.key === 'Enter') doSearch()
+    })
+}

cmd/mbf/internal/pkgserver/ui/style.css

@@ -0,0 +1,21 @@
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+
+@media (prefers-color-scheme: dark) {
+  html {
+    background-color: #2c2c2c;
+    color: ghostwhite;
+  }
+}
+@media (prefers-color-scheme: light) {
+  html {
+    background-color: #d3d3d3;
+    color: black;
+  }
+}

cmd/mbf/internal/pkgserver/ui/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "target": "ES2024",
+    "strict": true,
+    "alwaysStrict": true,
+    "outDir": "static"
+  }
+}

cmd/mbf/internal/pkgserver/ui/ui.go

@@ -0,0 +1,9 @@
+// Package ui holds the static web UI.
+package ui
+
+import "net/http"
+
+// Register arranges for mux to serve the embedded frontend.
+func Register(mux *http.ServeMux) {
+	mux.Handle("GET /", http.FileServer(http.FS(static)))
+}

cmd/mbf/internal/pkgserver/ui/ui_full.go

@@ -0,0 +1,21 @@
+//go:build frontend
+
+package ui
+
+import (
+	"embed"
+	"io/fs"
+)
+
+//go:generate tsc
+//go:generate cp index.html style.css static
+//go:embed static
+var _static embed.FS
+
+var static = func() fs.FS {
+	if f, err := fs.Sub(_static, "static"); err != nil {
+		panic(err)
+	} else {
+		return f
+	}
+}()

cmd/mbf/internal/pkgserver/ui/ui_stub.go

@@ -0,0 +1,7 @@
+//go:build !frontend
+
+package ui
+
+import "testing/fstest"
+
+var static fstest.MapFS

cmd/mbf/main_test.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"net"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/rosa"
+)
+
+func TestMain(m *testing.M) {
+	rosa.Native().DropCaches("", rosa.OptLLVMNoLTO)
+	os.Exit(m.Run())
+}
+
+func TestCureAll(t *testing.T) {
+	t.Parallel()
+	const env = "ROSA_TEST_DAEMON"
+
+	if !testing.Verbose() {
+		t.Skip("verbose flag not set")
+	}
+
+	pathname, ok := os.LookupEnv(env)
+	if !ok {
+		t.Skip(env + " not set")
+	}
+
+	addr := net.UnixAddr{Net: "unix", Name: pathname}
+	t.Cleanup(func() {
+		if t.Failed() {
+			if err := abortRemote(t.Context(), &addr, false); err != nil {
+				t.Fatal(err)
+			}
+		}
+	})
+
+	for _, handle := range rosa.Native().Collect() {
+		_, a := rosa.Native().Std().MustLoad(handle)
+		t.Run(handle.String(), func(t *testing.T) {
+			_, err := cureRemote(t.Context(), &addr, a, 0)
+			if err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}

cmd/sharefs/fuse-operations.h

@@ -7,8 +7,8 @@
 #endif
 
 #define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
-#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
-#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
 #define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
 
 /* sharefs_private is populated by sharefs_init and contains process-wide context */

cmd/sharefs/fuse.go

@@ -19,12 +19,11 @@ import (
 	"encoding/gob"
 	"errors"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
+	"path/filepath"
 	"runtime"
 	"runtime/cgo"
 	"strconv"
@@ -85,7 +84,10 @@ func destroySetup(private_data unsafe.Pointer) (ok bool) {
 }
 
 //export sharefs_init
-func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.Pointer {
+func sharefs_init(
+	_ *C.struct_fuse_conn_info,
+	cfg *C.struct_fuse_config,
+) unsafe.Pointer {
 	ctx := C.fuse_get_context()
 	priv := (*C.struct_sharefs_private)(ctx.private_data)
 	setup := cgo.Handle(priv.setup).Value().(*setupState)
@@ -103,7 +105,11 @@ func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.
 	cfg.negative_timeout = 0
 
 	// all future filesystem operations happen through this dirfd
-	if fd, err := syscall.Open(setup.Source.String(), syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC, 0); err != nil {
+	if fd, err := syscall.Open(
+		setup.Source.String(),
+		syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC,
+		0,
+	); err != nil {
 		log.Printf("cannot open %q: %v", setup.Source, err)
 		goto fail
 	} else if err = syscall.Fchdir(fd); err != nil {
@@ -138,9 +144,9 @@ func sharefs_destroy(private_data unsafe.Pointer) {
 func showHelp(args *fuseArgs) {
 	executableName := sharefsName
 	if args.argc > 0 {
-		executableName = path.Base(C.GoString(*args.argv))
+		executableName = filepath.Base(C.GoString(*args.argv))
 	} else if name, err := os.Executable(); err == nil {
-		executableName = path.Base(name)
+		executableName = filepath.Base(name)
 	}
 
 	fmt.Printf("usage: %s [options] <mountpoint>\n\n", executableName)
@@ -169,8 +175,11 @@ func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
 		// Decimal string representation of gid to set when running as root.
 		setgid *C.char
 
-		// Decimal string representation of open file descriptor to read setupState from.
-		// This is an internal detail for containerisation and must not be specified directly.
+		// Decimal string representation of open file descriptor to read
+		// setupState from.
+		//
+		// This is an internal detail for containerisation and must not be
+		// specified directly.
 		setup *C.char
 	}
 
@@ -253,7 +262,8 @@ func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
 	return true
 }
 
-// copyArgs returns a heap allocated copy of an argument slice in fuse_args representation.
+// copyArgs returns a heap allocated copy of an argument slice in fuse_args
+// representation.
 func copyArgs(s ...string) fuseArgs {
 	if len(s) == 0 {
 		return fuseArgs{argc: 0, argv: nil, allocated: 0}
@@ -269,6 +279,7 @@ func copyArgs(s ...string) fuseArgs {
 func freeArgs(args *fuseArgs) { C.fuse_opt_free_args(args) }
 
 // unsafeAddArgument adds an argument to fuseArgs via fuse_opt_add_arg.
+//
 // The last byte of arg must be 0.
 func unsafeAddArgument(args *fuseArgs, arg string) {
 	C.fuse_opt_add_arg(args, (*C.char)(unsafe.Pointer(unsafe.StringData(arg))))
@@ -288,8 +299,8 @@ func _main(s ...string) (exitCode int) {
 	args := copyArgs(s...)
 	defer freeArgs(&args)
 
-	// this causes the kernel to enforce access control based on
-	// struct stat populated by sharefs_getattr
+	// this causes the kernel to enforce access control based on struct stat
+	// populated by sharefs_getattr
 	unsafeAddArgument(&args, "-odefault_permissions\x00")
 
 	var priv C.struct_sharefs_private
@@ -453,15 +464,19 @@ func _main(s ...string) (exitCode int) {
 			z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 		}
 		z.Bind(z.Path, z.Path, 0)
-		setup.Fuse = int(proc.ExtraFileSlice(&z.ExtraFiles, os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse")))
+		setup.Fuse = int(proc.ExtraFileSlice(
+			&z.ExtraFiles,
+			os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse"),
+		))
 
-		var setupWriter io.WriteCloser
-		if fd, w, err := container.Setup(&z.ExtraFiles); err != nil {
+		var setupPipe [2]*os.File
+		if r, w, err := os.Pipe(); err != nil {
 			log.Println(err)
 			return 5
 		} else {
-			z.Args = append(z.Args, "-osetup="+strconv.Itoa(fd))
-			setupWriter = w
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(3+len(z.ExtraFiles)))
+			z.ExtraFiles = append(z.ExtraFiles, r)
+			setupPipe[0], setupPipe[1] = r, w
 		}
 
 		if err := z.Start(); err != nil {
@@ -472,6 +487,9 @@ func _main(s ...string) (exitCode int) {
 			}
 			return 5
 		}
+		if err := setupPipe[0].Close(); err != nil {
+			log.Println(err)
+		}
 		if err := z.Serve(); err != nil {
 			if m, ok := message.GetMessage(err); ok {
 				log.Println(m)
@@ -481,17 +499,17 @@ func _main(s ...string) (exitCode int) {
 			return 5
 		}
 
-		if err := gob.NewEncoder(setupWriter).Encode(&setup); err != nil {
+		if err := gob.NewEncoder(setupPipe[1]).Encode(&setup); err != nil {
 			log.Println(err)
 			return 5
-		} else if err = setupWriter.Close(); err != nil {
+		} else if err = setupPipe[1].Close(); err != nil {
 			log.Println(err)
 		}
 
 		if !z.AllowOrphan {
 			if err := z.Wait(); err != nil {
-				var exitError *exec.ExitError
-				if !errors.As(err, &exitError) || exitError == nil {
+				exitError, ok := errors.AsType[*exec.ExitError](err)
+				if !ok || exitError == nil {
 					log.Println(err)
 					return 5
 				}

cmd/sharefs/main.go

@@ -1,3 +1,10 @@
+// The sharefs FUSE filesystem is a permissionless shared filesystem.
+//
+// This filesystem is the primary means of file sharing between hakurei
+// application containers. It serves the same purpose in Rosa OS as /sdcard
+// does in AOSP.
+//
+// See help message for all available options.
 package main
 
 import (

cmd/sharefs/test/configuration.nix

@@ -20,11 +20,14 @@
   };
 
   virtualisation = {
+    # Hopefully reduces spurious test failures:
+    memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
+
     diskSize = 6 * 1024;
 
     qemu.options = [
       # Increase test performance:
-      "-smp 8"
+      "-smp 16"
     ];
   };
 

cmd/sharefs/test/default.nix

@@ -28,7 +28,7 @@ testers.nixosTest {
         # For go tests:
         (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
           cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
-          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
+          ${fhs}/bin/hakurei-fhs -c 'ROSA_SKIP_BINFMT=1 CC="clang -O3 -Werror" go test ./...'
         '')
       ];
 

cmd/sharefs/test/raceattr.go

@@ -0,0 +1,122 @@
+//go:build raceattr
+
+// The raceattr program reproduces vfs inode file attribute race.
+//
+// Even though libfuse high-level API presents the address of a struct stat
+// alongside struct fuse_context, file attributes are actually inherent to the
+// inode, instead of the specific call from userspace. The kernel implementation
+// in fs/fuse/xattr.c appears to make stale data in the inode (set by a previous
+// call) impossible or very unlikely to reach userspace via the stat family of
+// syscalls. However, when using default_permissions to have the VFS check
+// permissions, this race still happens, despite the resulting struct stat being
+// correct when overriding the check via capabilities otherwise.
+//
+// This program reproduces the failure, but because of its continuous nature, it
+// is provided independent of the vm integration test suite.
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"syscall"
+)
+
+func newStatAs(
+	ctx context.Context, cancel context.CancelFunc,
+	n *atomic.Uint64, ok *atomic.Bool,
+	uid uint32, pathname string,
+	continuous bool,
+) func() {
+	return func() {
+		runtime.LockOSThread()
+		defer cancel()
+
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_SETUID, uintptr(uid),
+			0, 0,
+		); errno != 0 {
+			cancel()
+			log.Printf("cannot set uid to %d: %s", uid, errno)
+		}
+
+		var stat syscall.Stat_t
+		for {
+			if ctx.Err() != nil {
+				return
+			}
+
+			if err := syscall.Lstat(pathname, &stat); err != nil {
+				// SHAREFS_PERM_DIR not world executable, or
+				// SHAREFS_PERM_REG not world readable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("uid %d: %v", uid, err)
+			} else if stat.Uid != uid {
+				// appears to be unreachable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("got uid %d instead of %d", stat.Uid, uid)
+			}
+			n.Add(1)
+		}
+	}
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("raceattr: ")
+
+	p := flag.String("target", "/sdcard/raceattr", "pathname of test file")
+	u0 := flag.Int("uid0", 1<<10-1, "first uid")
+	u1 := flag.Int("uid1", 1<<10-2, "second uid")
+	count := flag.Int("count", 1, "threads per uid")
+	continuous := flag.Bool("continuous", false, "keep running even after reproduce")
+	flag.Parse()
+
+	if os.Geteuid() != 0 {
+		log.Fatal("this program must run as root")
+	}
+
+	ctx, cancel := signal.NotifyContext(
+		context.Background(),
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGHUP,
+	)
+
+	if err := os.WriteFile(*p, nil, 0); err != nil {
+		log.Fatal(err)
+	}
+
+	var (
+		wg sync.WaitGroup
+
+		n  atomic.Uint64
+		ok atomic.Bool
+	)
+
+	if *count < 1 {
+		*count = 1
+	}
+	for range *count {
+		wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u0), *p, *continuous))
+		if *u1 >= 0 {
+			wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u1), *p, *continuous))
+		}
+	}
+
+	wg.Wait()
+	if !*continuous && ok.Load() {
+		log.Printf("reproduced after %d calls", n.Load())
+	}
+}

command/parse.go

@@ -91,8 +91,8 @@ func (n *node) MustParse(arguments []string, handleError func(error)) {
 	case ErrEmptyTree:
 		os.Exit(1)
 	default:
-		var flagError FlagError
-		if !errors.As(err, &flagError) { // returned by HandlerFunc
+		flagError, ok := errors.AsType[FlagError](err)
+		if !ok { // returned by HandlerFunc
 			handleError(err)
 			os.Exit(1)
 		}

container/binfmt.go

@@ -0,0 +1,46 @@
+package container
+
+import (
+	"strings"
+	"unsafe"
+
+	"hakurei.app/check"
+)
+
+// escapeBinfmt escapes magic/mask sequences in a [BinfmtEntry].
+func escapeBinfmt(buf *strings.Builder, s string) string {
+	const lowerhex = "0123456789abcdef"
+
+	buf.Reset()
+	for _, c := range unsafe.Slice(unsafe.StringData(s), len(s)) {
+		switch c {
+		case 0, '\\', ':':
+			buf.WriteString(`\x`)
+			buf.WriteByte(lowerhex[c>>4])
+			buf.WriteByte(lowerhex[c&0xf])
+
+		default:
+			buf.WriteByte(c)
+		}
+	}
+	return buf.String()
+}
+
+// BinfmtEntry is an entry to be registered by the init process.
+type BinfmtEntry struct {
+	// The offset of the magic/mask in the file, counted in bytes.
+	Offset byte
+	// The byte sequence binfmt_misc is matching for.
+	Magic string
+	// An (optional, defaults to all 0xff) mask.
+	Mask string
+	// The program that should be invoked with the binary as first argument.
+	Interpreter *check.Absolute
+}
+
+// Valid returns whether e can be registered into the kernel.
+func (e *BinfmtEntry) Valid() bool {
+	return e != nil &&
+		int(e.Offset)+max(len(e.Magic), len(e.Mask)) < 128 &&
+		e.Interpreter != nil && len(e.Interpreter.String()) < 128
+}

container/binfmt_test.go

@@ -0,0 +1,62 @@
+package container
+
+import (
+	"strings"
+	"testing"
+
+	"hakurei.app/fhs"
+)
+
+func TestEscapeBinfmt(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		magic string
+		want  string
+	}{
+		{"packed DOS applications", "\x0eDEX", "\x0eDEX"},
+
+		{"riscv64 magic",
+			"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
+			"\x7fELF\x02\x01\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\x02\\x00\xf3\\x00"},
+		{"riscv64 mask",
+			"\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			"\xff\xff\xff\xff\xff\xff\xff\\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := escapeBinfmt(new(strings.Builder), tc.magic)
+			if got != tc.want {
+				t.Errorf("escapeBinfmt: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestBinfmtEntry(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		e     BinfmtEntry
+		valid bool
+	}{
+		{"zero", BinfmtEntry{}, false},
+		{"large offset", BinfmtEntry{Offset: 128}, false},
+		{"long magic", BinfmtEntry{Magic: strings.Repeat("\x00", 128)}, false},
+		{"long mask", BinfmtEntry{Mask: strings.Repeat("\x00", 128)}, false},
+		{"valid", BinfmtEntry{Interpreter: fhs.AbsRoot}, true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if tc.e.Valid() != tc.valid {
+				t.Errorf("Valid: %v", !tc.valid)
+			}
+		})
+	}
+}

container/capability.go

@@ -18,6 +18,7 @@ const (
 	CAP_SETPCAP      = 0x8
 	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
+	CAP_SETFCAP      = 0x1f
 )
 
 type (

container/container.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )
 
@@ -28,9 +29,6 @@ const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGUSR2
-
-	// Timeout for writing initParams to Container.setup.
-	initSetupTimeout = 5 * time.Second
 )
 
 type (
@@ -53,7 +51,7 @@ type (
 		ExtraFiles []*os.File
 
 		// Write end of a pipe connected to the init to deliver [Params].
-		setup *os.File
+		setup [2]*os.File
 		// Cancels the context passed to the underlying cmd.
 		cancel context.CancelFunc
 		// Closed after Wait returns. Keeps the spawning thread alive.
@@ -69,6 +67,9 @@ type (
 		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration
 
+		// Suppress verbose output of init.
+		Quiet bool
+
 		cmd *exec.Cmd
 		ctx context.Context
 		msg message.Msg
@@ -90,12 +91,20 @@ type (
 		// Time to wait for processes lingering after the initial process terminates.
 		AdoptWaitDelay time.Duration
 
+		// Map uid/gid 0 in the init process. Requires [FstypeProc] attached to
+		// [fhs.Proc] in the container filesystem.
+		InitAsRoot bool
 		// Mapped Uid in user namespace.
 		Uid int
 		// Mapped Gid in user namespace.
 		Gid int
 		// Hostname value in UTS namespace.
 		Hostname string
+		// Register binfmt_misc entries.
+		Binfmt []BinfmtEntry
+		// Alternative pathname to attach binfmt_misc filesystem. The zero value
+		// requires [FstypeProc] to be made available at [fhs.Proc].
+		BinfmtPath *check.Absolute
 		// Sequential container setup ops.
 		*Ops
 
@@ -145,11 +154,8 @@ func (e *StartError) Error() string {
 		return e.Step
 	}
 
-	{
-		var syscallError *os.SyscallError
-		if errors.As(e.Err, &syscallError) && syscallError != nil {
-			return e.Step + " " + syscallError.Error()
-		}
+	if se, ok := errors.AsType[*os.SyscallError](e.Err); ok && se != nil {
+		return e.Step + " " + se.Error()
 	}
 
 	return e.Step + ": " + e.Err.Error()
@@ -215,6 +221,9 @@ func (p *Container) Start() error {
 	if p.cmd.Process != nil {
 		return errors.New("container: already started")
 	}
+	if !p.InitAsRoot && len(p.Binfmt) > 0 {
+		return errors.New("container: init as root required, but not enabled")
+	}
 
 	if err := ensureCloseOnExec(); err != nil {
 		return err
@@ -285,16 +294,30 @@ func (p *Container) Start() error {
 	if !p.HostNet {
 		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
 	}
+	if p.InitAsRoot {
+		p.cmd.SysProcAttr.AmbientCaps = append(p.cmd.SysProcAttr.AmbientCaps,
+			// mappings during init as root
+			CAP_SETFCAP,
+		)
+
+		if !p.SeccompDisable &&
+			len(p.SeccompRules) == 0 &&
+			p.SeccompPresets&std.PresetDenyNS != 0 {
+			return errors.New("container: as root requires late namespace creation")
+		}
+	}
 
 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
+	if r, w, err := os.Pipe(); err != nil {
 		return &StartError{
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   err,
 		}
 	} else {
-		p.setup = f
+		fd := 3 + len(p.cmd.ExtraFiles)
+		p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, r)
+		p.setup[0], p.setup[1] = r, w
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
@@ -308,7 +331,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := SetNoNewPrivs(); err != nil {
+			if err := setNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -318,15 +341,17 @@ func (p *Container) Start() error {
 
 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				rulesetAttr := &landlock.RulesetAttr{
+					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
+				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}
 
-				if abi, err := LandlockGetABI(); err != nil {
-					if p.HostAbstract {
+				if abi, err := landlock.GetABI(); err != nil {
+					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
-						// to resources already covered by namespaces (pid)
+						// to resources already covered by namespaces (pid, net)
 						goto landlockOut
 					}
 					return &StartError{Step: "get landlock ABI", Err: err}
@@ -340,8 +365,6 @@ func (p *Container) Start() error {
 						Err:    ENOSYS,
 						Origin: true,
 					}
-				} else {
-					p.msg.Verbosef("landlock abi version %d", abi)
 				}
 
 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
@@ -351,8 +374,7 @@ func (p *Container) Start() error {
 						Err:   err,
 					}
 				} else {
-					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
-					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,
@@ -408,7 +430,6 @@ func (p *Container) Start() error {
 				}
 			}
 
-			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return &StartError{
 					Step:        "start container init",
@@ -428,24 +449,33 @@ func (p *Container) Start() error {
 // Serve serves [Container.Params] to the container init.
 //
 // Serve must only be called once.
-func (p *Container) Serve() error {
-	if p.setup == nil {
+func (p *Container) Serve() (err error) {
+	if p.setup[0] == nil || p.setup[1] == nil {
 		panic("invalid serve")
 	}
 
-	setup := p.setup
-	p.setup = nil
-	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
+	done := make(chan struct{})
+	defer func() {
+		if closeErr := p.setup[1].Close(); err == nil {
+			err = closeErr
+		}
+
+		if err != nil {
+			p.cancel()
+		}
+		close(done)
+		p.setup[0], p.setup[1] = nil, nil
+	}()
+	if err = p.setup[0].Close(); err != nil {
 		return &StartError{
 			Fatal:       true,
-			Step:        "set init pipe deadline",
+			Step:        "close read end of init pipe",
 			Err:         err,
 			Passthrough: true,
 		}
 	}
 
 	if p.Path == nil {
-		p.cancel()
 		return &StartError{
 			Step:   "invalid executable pathname",
 			Err:    EINVAL,
@@ -461,18 +491,26 @@ func (p *Container) Serve() error {
 		p.SeccompRules = make([]std.NativeRule, 0)
 	}
 
-	err := gob.NewEncoder(setup).Encode(&initParams{
+	t := time.Now().UTC()
+	go func(f *os.File) {
+		select {
+		case <-p.ctx.Done():
+			if cancelErr := f.SetWriteDeadline(t); cancelErr != nil {
+				p.msg.Verbose(err)
+			}
+
+		case <-done:
+			return
+		}
+	}(p.setup[1])
+
+	return gob.NewEncoder(p.setup[1]).Encode(&initParams{
 		p.Params,
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
-		p.msg.IsVerbose(),
+		p.msg.IsVerbose() && !p.Quiet,
 	})
-	_ = setup.Close()
-	if err != nil {
-		p.cancel()
-	}
-	return err
 }
 
 // Wait blocks until the container init process to exit and releases any

container/container_test.go

@@ -17,6 +17,7 @@ import (
 	"syscall"
 	"testing"
 	"time"
+	"unsafe"
 
 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -26,6 +27,9 @@ import (
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
+	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
 	"hakurei.app/vfs"
@@ -84,9 +88,9 @@ func TestStartError(t *testing.T) {
 		{"params env", &container.StartError{
 			Fatal: true,
 			Step:  "set up params stream",
-			Err:   container.ErrReceiveEnv,
+			Err:   params.ErrReceiveEnv,
 		}, "set up params stream: environment variable not set",
-			container.ErrReceiveEnv, syscall.EBADF,
+			params.ErrReceiveEnv, syscall.EBADF,
 			"cannot set up params stream: environment variable not set"},
 
 		{"params", &container.StartError{
@@ -231,6 +235,9 @@ func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*v
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }
 
+//go:linkname toHost hakurei.app/container.toHost
+func toHost(name string) string
+
 var containerTestCases = []struct {
 	name    string
 	filter  bool
@@ -330,13 +337,15 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"rw,lowerdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"rw"+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
@@ -386,9 +395,11 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"ro,lowerdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"ro"+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
@@ -398,49 +409,18 @@ var containerTestCases = []struct {
 func TestContainer(t *testing.T) {
 	t.Parallel()
 
-	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
-		wantErr := context.Canceled
-		wantExitCode := 0
-		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
-		}
-		if ps := c.ProcessState(); ps == nil {
-			t.Errorf("ProcessState unexpectedly returned nil")
-		} else if code := ps.ExitCode(); code != wantExitCode {
-			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
-		}
-	}))
-
-	t.Run("forward", testContainerCancel(func(c *container.Container) {
-		c.ForwardCancel = true
-	}, func(t *testing.T, c *container.Container) {
-		var exitError *exec.ExitError
-		if err := c.Wait(); !errors.As(err, &exitError) {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %v", err)
-		}
-		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
-			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
-		}
-	}))
-
+	var suffix string
+runTests:
 	for i, tc := range containerTestCases {
-		t.Run(tc.name, func(t *testing.T) {
+		_suffix := suffix
+		t.Run(tc.name+_suffix, func(t *testing.T) {
 			t.Parallel()
 
 			wantOps, wantOpsCtx := tc.ops(t)
 			wantMnt := tc.mnt(t, wantOpsCtx)
 
-			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
-			defer cancel()
-
 			var libPaths []*check.Absolute
-			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
+			c := helperNewContainerLibPaths(t.Context(), &libPaths, "container", strconv.Itoa(i))
 			c.Uid = tc.uid
 			c.Gid = tc.gid
 			c.Hostname = hostnameFromTestCase(tc.name)
@@ -450,7 +430,6 @@ func TestContainer(t *testing.T) {
 			} else {
 				c.Stdout, c.Stderr = os.Stdout, os.Stderr
 			}
-			c.WaitDelay = helperDefaultTimeout
 			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
@@ -458,6 +437,20 @@ func TestContainer(t *testing.T) {
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
+			c.InitAsRoot = _suffix != ""
+			c.Env = append(c.Env, "HAKUREI_TEST_SUFFIX="+_suffix)
+			if info.CanDegrade {
+				if _, err := landlock.GetABI(); err != nil {
+					if !errors.Is(err, syscall.ENOSYS) {
+						t.Fatalf("LandlockGetABI: error = %v", err)
+					}
+					c.HostAbstract = true
+					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
+				}
+			}
+			if c.InitAsRoot {
+				c.SeccompPresets &= ^std.PresetDenyNS
+			}
 
 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -526,6 +519,11 @@ func TestContainer(t *testing.T) {
 			}
 		})
 	}
+
+	if suffix == "" {
+		suffix = " as root"
+		goto runTests
+	}
 }
 
 func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
@@ -548,50 +546,118 @@ func hostnameFromTestCase(name string) string {
 }
 
 func testContainerCancel(
+	t *testing.T,
 	containerExtra func(c *container.Container),
-	waitCheck func(t *testing.T, c *container.Container),
-) func(t *testing.T) {
-	return func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
+	waitCheck func(ps *os.ProcessState, waitErr error),
+) {
+	ctx, cancel := context.WithCancel(t.Context())
 
-		c := helperNewContainer(ctx, "block")
-		c.Stdout, c.Stderr = os.Stdout, os.Stderr
-		c.WaitDelay = helperDefaultTimeout
-		if containerExtra != nil {
-			containerExtra(c)
-		}
-
-		ready := make(chan struct{})
-		if r, w, err := os.Pipe(); err != nil {
-			t.Fatalf("cannot pipe: %v", err)
-		} else {
-			c.ExtraFiles = append(c.ExtraFiles, w)
-			go func() {
-				defer close(ready)
-				if _, err = r.Read(make([]byte, 1)); err != nil {
-					panic(err.Error())
-				}
-			}()
-		}
-
-		if err := c.Start(); err != nil {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Fatal(m)
-			} else {
-				t.Fatalf("cannot start container: %v", err)
-			}
-		} else if err = c.Serve(); err != nil {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			} else {
-				t.Errorf("cannot serve setup params: %v", err)
-			}
-		}
-		<-ready
-		cancel()
-		waitCheck(t, c)
+	c := helperNewContainer(ctx, "block")
+	c.Stdout, c.Stderr = os.Stdout, os.Stderr
+	if containerExtra != nil {
+		containerExtra(c)
 	}
+
+	ready := make(chan struct{})
+	var waitErr error
+	r, w, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("cannot pipe: %v", err)
+	}
+
+	c.ExtraFiles = append(c.ExtraFiles, w)
+	go func() {
+		defer close(ready)
+		if _, _err := r.Read(make([]byte, 1)); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = c.Start(); err != nil {
+		if m, ok := container.InternalMessageFromError(err); ok {
+			t.Fatal(m)
+		} else {
+			t.Fatalf("cannot start container: %v", err)
+		}
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		waitErr = c.Wait()
+		_ = r.SetReadDeadline(time.Now())
+	}()
+
+	if err = c.Serve(); err != nil {
+		if m, ok := container.InternalMessageFromError(err); ok {
+			t.Error(m)
+		} else {
+			t.Errorf("cannot serve setup params: %v", err)
+		}
+	}
+	<-ready
+	cancel()
+	<-done
+	waitCheck(c.ProcessState(), waitErr)
+}
+
+func TestForward(t *testing.T) {
+	t.Parallel()
+
+	f := func(ps *os.ProcessState, waitErr error) {
+		var exitError *exec.ExitError
+		if !errors.As(waitErr, &exitError) {
+			if m, ok := container.InternalMessageFromError(waitErr); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %v", waitErr)
+		}
+		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
+			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
+		}
+	}
+	t.Run("direct", func(t *testing.T) {
+		t.Parallel()
+		testContainerCancel(t, func(c *container.Container) {
+			c.ForwardCancel = true
+		}, f)
+	})
+	t.Run("as root", func(t *testing.T) {
+		testContainerCancel(t, func(c *container.Container) {
+			c.ForwardCancel = true
+			c.InitAsRoot = true
+			c.Proc(fhs.AbsProc)
+		}, f)
+	})
+}
+
+func TestCancel(t *testing.T) {
+	t.Parallel()
+
+	f := func(ps *os.ProcessState, waitErr error) {
+		wantErr := context.Canceled
+		if !reflect.DeepEqual(waitErr, wantErr) {
+			if m, ok := container.InternalMessageFromError(waitErr); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %#v, want %#v", waitErr, wantErr)
+		}
+		if ps == nil {
+			t.Errorf("ProcessState unexpectedly returned nil")
+		} else if code := ps.ExitCode(); code != 0 {
+			t.Errorf("ExitCode: %d, want %d", code, 0)
+		}
+	}
+	t.Run("direct", func(t *testing.T) {
+		t.Parallel()
+		testContainerCancel(t, nil, f)
+	})
+	t.Run("as root", func(t *testing.T) {
+		testContainerCancel(t, func(c *container.Container) {
+			c.InitAsRoot = true
+			c.Proc(fhs.AbsProc)
+		}, f)
+	})
 }
 
 func TestContainerString(t *testing.T) {
@@ -627,6 +693,8 @@ func init() {
 		})
 
 		c.Command("container", command.UsageInternal, func(args []string) error {
+			asRoot := os.Getenv("HAKUREI_TEST_SUFFIX") == " as root"
+
 			if len(args) != 1 {
 				return syscall.EINVAL
 			}
@@ -644,6 +712,66 @@ func init() {
 				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
 			}
 
+			// no attack surface increase during as root due to no_new_privs
+			var wantBounding uintptr = 1
+			asRootNot := " not"
+			if !asRoot {
+				wantBounding = 0
+				asRootNot = ""
+			}
+
+			const (
+				PR_CAP_AMBIENT        = 0x2f
+				PR_CAP_AMBIENT_IS_SET = 0x1
+			)
+			for i := range container.LastCap(nil) + 1 {
+				r, _, errno := syscall.Syscall(
+					syscall.SYS_PRCTL,
+					PR_CAP_AMBIENT,
+					PR_CAP_AMBIENT_IS_SET,
+					i,
+				)
+				if errno != 0 {
+					return os.NewSyscallError("prctl", errno)
+				}
+				if r != 0 {
+					return fmt.Errorf("capability %d in ambient set", i)
+				}
+
+				r, _, errno = syscall.Syscall(
+					syscall.SYS_PRCTL,
+					syscall.PR_CAPBSET_READ,
+					i,
+					0,
+				)
+				if errno != 0 {
+					return os.NewSyscallError("prctl", errno)
+				}
+				if r != wantBounding {
+					return fmt.Errorf("capability %d%s in bounding set", i, asRootNot)
+				}
+			}
+
+			const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
+			var capData struct {
+				effective   uint32
+				permitted   uint32
+				inheritable uint32
+			}
+			if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&struct {
+				version uint32
+				pid     int32
+			}{_LINUX_CAPABILITY_VERSION_3, 0})), uintptr(unsafe.Pointer(&capData)), 0); errno != 0 {
+				return os.NewSyscallError("capget", errno)
+			}
+
+			if max(capData.effective, capData.permitted, capData.inheritable) != 0 {
+				return fmt.Errorf(
+					"effective = %d, permitted = %d, inheritable = %d",
+					capData.effective, capData.permitted, capData.inheritable,
+				)
+			}
+
 			wantHost := hostnameFromTestCase(tc.name)
 			if host, err := os.Hostname(); err != nil {
 				return fmt.Errorf("cannot get hostname: %v", err)
@@ -738,8 +866,7 @@ func init() {
 const (
 	envDoCheck = "HAKUREI_TEST_DO_CHECK"
 
-	helperDefaultTimeout = 5 * time.Second
-	helperInnerPath      = "/usr/bin/helper"
+	helperInnerPath = "/usr/bin/helper"
 )
 
 var (
@@ -762,7 +889,7 @@ func TestMain(m *testing.M) {
 		}
 		c.MustParse(os.Args[1:], func(err error) {
 			if err != nil {
-				log.Fatal(err.Error())
+				log.Fatal(err)
 			}
 		})
 		return

container/dispatcher.go

@@ -1,6 +1,7 @@
 package container
 
 import (
+	"context"
 	"io"
 	"io/fs"
 	"net"
@@ -15,6 +16,7 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/internal/netlink"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )
 
@@ -55,7 +57,7 @@ type syscallDispatcher interface {
 	// isatty provides [Isatty].
 	isatty(fd int) bool
 	// receive provides [Receive].
-	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
+	receive(key string, e any, fdp *int) (closeFunc func() error, err error)
 
 	// bindMount provides procPaths.bindMount.
 	bindMount(msg message.Msg, source, target string, flags uintptr) error
@@ -63,10 +65,12 @@ type syscallDispatcher interface {
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
+	// mountOverlay provides mountOverlay.
+	mountOverlay(target string, options [][2]string) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
-	mustLoopback(msg message.Msg)
+	mustLoopback(ctx context.Context, msg message.Msg)
 
 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -146,7 +150,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }
 
 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }
 
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
@@ -154,8 +158,8 @@ func (direct) capBoundingSetDrop(cap uintptr) error            { return capBound
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
 func (direct) isatty(fd int) bool                              { return ext.Isatty(fd) }
-func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
-	return Receive(key, e, fdp)
+func (direct) receive(key string, e any, fdp *int) (func() error, error) {
+	return params.Receive(key, e, fdp)
 }
 
 func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {
@@ -167,10 +171,13 @@ func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
+func (k direct) mountOverlay(target string, options [][2]string) error {
+	return mountOverlay(target, options)
+}
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
-func (direct) mustLoopback(msg message.Msg) {
+func (direct) mustLoopback(ctx context.Context, msg message.Msg) {
 	var lo int
 	if ifi, err := net.InterfaceByName("lo"); err != nil {
 		msg.GetLogger().Fatalln(err)
@@ -178,7 +185,7 @@ func (direct) mustLoopback(msg message.Msg) {
 		lo = ifi.Index
 	}
 
-	c, err := netlink.DialRoute()
+	c, err := netlink.DialRoute(0)
 	if err != nil {
 		msg.GetLogger().Fatalln(err)
 	}
@@ -199,11 +206,14 @@ func (direct) mustLoopback(msg message.Msg) {
 			msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
 
 		default:
-			msg.GetLogger().Fatalf("RTNETLINK answers with malformed message")
+			if err == context.DeadlineExceeded || err == context.Canceled {
+				msg.GetLogger().Fatalf("interrupted RTNETLINK operation")
+			}
+			msg.GetLogger().Fatal("RTNETLINK answers with malformed message")
 		}
 	}
-	must(c.SendNewaddrLo(uint32(lo)))
-	must(c.SendIfInfomsg(syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
+	must(c.SendNewaddrLo(ctx, uint32(lo)))
+	must(c.SendIfInfomsg(ctx, syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
 		Family: syscall.AF_UNSPEC,
 		Index:  int32(lo),
 		Flags:  syscall.IFF_UP,

container/dispatcher_test.go

@@ -2,6 +2,7 @@ package container
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"io"
 	"io/fs"
@@ -234,8 +235,6 @@ func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
 	})
 }
 
-func sliceAddr[S any](s []S) *[]S { return &s }
-
 func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
 	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
 	// check happens in Close, and cleanup is not guaranteed to run, so relying
@@ -389,7 +388,7 @@ func (k *kstub) isatty(fd int) bool {
 	return expect.Ret.(bool)
 }
 
-func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
+func (k *kstub) receive(key string, e any, fdp *int) (closeFunc func() error, err error) {
 	k.Helper()
 	expect := k.Expects("receive")
 
@@ -407,10 +406,17 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 		}
 		return nil
 	}
+
+	// avoid changing test cases
+	var fdpComp *uintptr
+	if fdp != nil {
+		fdpComp = new(uintptr(*fdp))
+	}
+
 	err = expect.Error(
 		stub.CheckArg(k.Stub, "key", key, 0),
 		stub.CheckArgReflect(k.Stub, "e", e, 1),
-		stub.CheckArgReflect(k.Stub, "fdp", fdp, 2))
+		stub.CheckArgReflect(k.Stub, "fdp", fdpComp, 2))
 
 	// 3 is unused so stores params
 	if expect.Args[3] != nil {
@@ -425,7 +431,7 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 	if expect.Args[4] != nil {
 		if v, ok := expect.Args[4].(uintptr); ok && v >= 3 {
 			if fdp != nil {
-				*fdp = v
+				*fdp = int(v)
 			}
 		}
 	}
@@ -460,6 +466,14 @@ func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }
 
+func (k *kstub) mountOverlay(target string, options [][2]string) error {
+	k.Helper()
+	return k.Expects("mountOverlay").Error(
+		stub.CheckArg(k.Stub, "target", target, 0),
+		stub.CheckArgReflect(k.Stub, "options", options, 1),
+	)
+}
+
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(
@@ -468,7 +482,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 
-func (*kstub) mustLoopback(message.Msg) { /* noop */ }
+func (*kstub) mustLoopback(context.Context, message.Msg) { /* noop */ }
 
 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()

container/errors.go

@@ -46,9 +46,8 @@ func messageFromError(err error) (m string, ok bool) {
 // While this is usable for pointer errors, such use should be avoided as nil
 // check is omitted.
 func messagePrefix[T error](prefix string, err error) (string, bool) {
-	var targetError T
-	if errors.As(err, &targetError) {
-		return prefix + targetError.Error(), true
+	if e, ok := errors.AsType[T](err); ok {
+		return prefix + e.Error(), true
 	}
 	return zeroString, false
 }
@@ -58,9 +57,8 @@ func messagePrefixP[V any, T interface {
 	*V
 	error
 }](prefix string, err error) (string, bool) {
-	var targetError T
-	if errors.As(err, &targetError) && targetError != nil {
-		return prefix + targetError.Error(), true
+	if e, ok := errors.AsType[T](err); ok && e != nil {
+		return prefix + e.Error(), true
 	}
 	return zeroString, false
 }
@@ -109,8 +107,8 @@ func optionalErrorUnwrap(err error) error {
 
 // errnoFallback returns the concrete errno from an error, or a [os.PathError] fallback.
 func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
-	var errno syscall.Errno
-	if !errors.As(err, &errno) {
+	errno, ok := errors.AsType[syscall.Errno](err)
+	if !ok {
 		return 0, &os.PathError{Op: op, Path: path, Err: err}
 	}
 	return errno, nil
@@ -118,6 +116,10 @@ func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
 
 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
+	if max(len(source), len(target), len(data))+1 > os.Getpagesize() {
+		return &MountError{source, target, fstype, flags, data, syscall.ENOMEM}
+	}
+
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil

container/init.go

@@ -7,17 +7,21 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path"
+	"os/signal"
+	"path/filepath"
 	"slices"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"
 
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )
 
@@ -146,55 +150,67 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	var (
-		params      initParams
-		closeSetup  func() error
-		setupFd     uintptr
-		offsetSetup int
+		param      initParams
+		closeSetup func() error
+		setupFd    int
 	)
-	if f, err := k.receive(setupEnv, &params, &setupFd); err != nil {
+	if f, err := k.receive(setupEnv, &param, &setupFd); err != nil {
 		if errors.Is(err, EBADF) {
 			k.fatal(msg, "invalid setup descriptor")
 		}
-		if errors.Is(err, ErrReceiveEnv) {
+		if errors.Is(err, params.ErrReceiveEnv) {
 			k.fatal(msg, setupEnv+" not set")
 		}
 
 		k.fatalf(msg, "cannot decode init setup payload: %v", err)
 	} else {
-		if params.Ops == nil {
+		if param.Ops == nil {
 			k.fatal(msg, "invalid setup parameters")
 		}
-		if params.ParentPerm == 0 {
-			params.ParentPerm = 0755
+		if param.ParentPerm == 0 {
+			param.ParentPerm = 0755
 		}
 
-		msg.SwapVerbose(params.Verbose)
+		msg.SwapVerbose(param.Verbose)
 		msg.Verbose("received setup parameters")
 		closeSetup = f
-		offsetSetup = int(setupFd + 1)
 	}
 
-	if !params.HostNet {
-		k.mustLoopback(msg)
+	if !param.HostNet {
+		ctx, cancel := signal.NotifyContext(context.Background(), CancelSignal,
+			os.Interrupt, SIGTERM, SIGQUIT)
+		defer cancel() // for panics
+		k.mustLoopback(ctx, msg)
+		cancel()
+	}
+
+	uid, gid := param.Uid, param.Gid
+	if param.InitAsRoot {
+		uid, gid = 0, 0
 	}
 
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
-	if err := k.writeFile(fhs.Proc+"self/uid_map",
-		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
-		0); err != nil {
+	if err := k.writeFile(
+		fhs.Proc+"self/uid_map",
+		[]byte(strconv.Itoa(uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"),
+		0,
+	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.writeFile(fhs.Proc+"self/setgroups",
+	if err := k.writeFile(
+		fhs.Proc+"self/setgroups",
 		[]byte("deny\n"),
-		0); err != nil && !os.IsNotExist(err) {
+		0,
+	); err != nil && !os.IsNotExist(err) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
-		0); err != nil {
+		[]byte(strconv.Itoa(gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"),
+		0,
+	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
@@ -202,8 +218,8 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	oldmask := k.umask(0)
-	if params.Hostname != "" {
-		if err := k.sethostname([]byte(params.Hostname)); err != nil {
+	if param.Hostname != "" {
+		if err := k.sethostname([]byte(param.Hostname)); err != nil {
 			k.fatalf(msg, "cannot set hostname: %v", err)
 		}
 	}
@@ -216,15 +232,32 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
-	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
+	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()
 
+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.chdir(intermediateHostPath); err != nil {
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
+	}
+
+	if len(param.Binfmt) > 0 {
+		for i, e := range param.Binfmt {
+			if pathname, err := k.evalSymlinks(e.Interpreter.String()); err != nil {
+				k.fatal(msg, err)
+			} else if param.Binfmt[i].Interpreter, err = check.NewAbs(pathname); err != nil {
+				k.fatal(msg, err)
+			}
+		}
+	}
+
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be
 	difficult to obtain via library functions after pivot_root, and
 	implementations are expected to avoid changing the state of the mount
 	namespace */
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		if op == nil || !op.Valid() {
 			k.fatalf(msg, "invalid op at index %d", i)
 		}
@@ -238,13 +271,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}
 
-	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
-	}
-	if err := k.chdir(intermediateHostPath); err != nil {
-		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
-	}
-
 	if err := k.mkdir(sysrootDir, 0755); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -267,7 +293,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	step sets up the container filesystem, and implementations are expected to
 	keep the host root and sysroot mount points intact but otherwise can do
 	whatever they need to. Calling chdir is allowed but discouraged. */
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if prefix, ok := op.prefix(); ok {
 			msg.Verbosef("%s %s", prefix, op)
@@ -281,6 +307,48 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}
 
+	if len(param.Binfmt) > 0 {
+		const interpreter = "/interpreter"
+
+		if param.BinfmtPath == nil {
+			param.BinfmtPath = fhs.AbsProcSys.Append("fs/binfmt_misc")
+		}
+		binfmt := sysrootPath + param.BinfmtPath.String()
+		if err := k.mkdirAll(binfmt, 0); err != nil {
+			k.fatal(msg, err)
+		}
+		if err := k.mount(
+			SourceBinfmtMisc,
+			binfmt,
+			FstypeBinfmtMisc,
+			MS_NOSUID|MS_NOEXEC|MS_NODEV,
+			zeroString,
+		); err != nil {
+			k.fatal(msg, err)
+		}
+
+		var buf strings.Builder
+		buf.Grow(1920)
+
+		register := binfmt + "/register"
+		for i, e := range param.Binfmt {
+			if err := k.symlink(hostPath+e.Interpreter.String(), interpreter); err != nil {
+				k.fatal(msg, err)
+			} else if err = k.writeFile(register, []byte(":"+
+				strconv.Itoa(i)+":"+
+				"M:"+
+				strconv.Itoa(int(e.Offset))+":"+
+				escapeBinfmt(&buf, e.Magic)+":"+
+				escapeBinfmt(&buf, e.Mask)+":"+
+				interpreter+":"+
+				"F"), 0); err != nil {
+				k.fatal(msg, err)
+			} else if err = k.remove(interpreter); err != nil {
+				k.fatal(msg, err)
+			}
+		}
+	}
+
 	// setup requiring host root complete at this point
 	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
@@ -319,11 +387,19 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}
 
+	var keepCaps []uintptr
+	if param.Privileged {
+		keepCaps = append(keepCaps, CAP_SYS_ADMIN, CAP_SETPCAP)
+	}
+	if param.InitAsRoot {
+		keepCaps = append(keepCaps, CAP_SETFCAP)
+	}
+
 	if err := k.capAmbientClearAll(); err != nil {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
-	for i := uintptr(0); i <= lastcap; i++ {
-		if params.Privileged && i == CAP_SYS_ADMIN {
+	for i := range lastcap + 1 {
+		if slices.Contains(keepCaps, i) {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -332,27 +408,30 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	var keep [2]uint32
-	if params.Privileged {
-		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
-
-		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
-			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
-		}
+	for _, c := range keepCaps {
+		keep[capToIndex(c)] |= capToMask(c)
 	}
+
 	if err := k.capset(
 		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
-		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
+		&[2]capData{{keep[0], keep[0], keep[0]}, {keep[1], keep[1], keep[1]}},
 	); err != nil {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}
 
-	if !params.SeccompDisable {
-		rules := params.SeccompRules
-		if len(rules) == 0 { // non-empty rules slice always overrides presets
-			msg.Verbosef("resolving presets %#x", params.SeccompPresets)
-			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
+	for _, c := range keepCaps {
+		if err := k.capAmbientRaise(c); err != nil {
+			k.fatalf(msg, "cannot raise %#x: %v", c, err)
 		}
-		if err := k.seccompLoad(rules, params.SeccompFlags); err != nil {
+	}
+
+	if !param.SeccompDisable {
+		rules := param.SeccompRules
+		if len(rules) == 0 { // non-empty rules slice always overrides presets
+			msg.Verbosef("resolving presets %#x", param.SeccompPresets)
+			rules = seccomp.Preset(param.SeccompPresets, param.SeccompFlags)
+		}
+		if err := k.seccompLoad(rules, param.SeccompFlags); err != nil {
 			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			k.fatalf(msg, "cannot load syscall filter: %v", err)
 		}
@@ -361,10 +440,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		msg.Verbose("syscall filter not configured")
 	}
 
-	extraFiles := make([]*os.File, params.Count)
+	extraFiles := make([]*os.File, param.Count)
 	for i := range extraFiles {
 		// setup fd is placed before all extra files
-		extraFiles[i] = k.newFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
+		extraFiles[i] = k.newFile(uintptr(setupFd+1+i), "extra file "+strconv.Itoa(i))
 	}
 	k.umask(oldmask)
 
@@ -442,7 +521,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 
 	// called right before startup of initial process, all state changes to the
 	// current process is prohibited during late
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if err := op.late(state, k); err != nil {
 			if m, ok := messageFromError(err); ok {
@@ -463,14 +542,22 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
 
-	cmd := exec.Command(params.Path.String())
+	cmd := exec.Command(param.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Args = params.Args
-	cmd.Env = params.Env
+	cmd.Args = param.Args
+	cmd.Env = param.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir.String()
+	cmd.Dir = param.Dir.String()
 
-	msg.Verbosef("starting initial process %s", params.Path)
+	if param.InitAsRoot {
+		cmd.SysProcAttr = &SysProcAttr{
+			Cloneflags:  CLONE_NEWUSER,
+			UidMappings: []SysProcIDMap{{ContainerID: param.Uid, HostID: 0, Size: 1}},
+			GidMappings: []SysProcIDMap{{ContainerID: param.Gid, HostID: 0, Size: 1}},
+		}
+	}
+
+	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -488,9 +575,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	for {
 		select {
 		case s := <-sig:
-			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
+			if s == CancelSignal && param.ForwardCancel && cmd.Process != nil {
 				msg.Verbose("forwarding context cancellation")
-				if err := k.signal(cmd, os.Interrupt); err != nil {
+				if err := k.signal(cmd, os.Interrupt); err != nil && !errors.Is(err, os.ErrProcessDone) {
 					k.printf(msg, "cannot forward cancellation: %v", err)
 				}
 				continue
@@ -520,7 +607,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 				cancel()
 
 				// start timeout early
-				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
+				go func() { time.Sleep(param.AdoptWaitDelay); close(timeout) }()
 
 				// close initial process files; this also keeps them alive
 				for _, f := range extraFiles {
@@ -564,7 +651,7 @@ func TryArgv0(msg message.Msg) {
 		msg = message.New(log.Default())
 	}
 
-	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {
+	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == initName {
 		Init(msg)
 		msg.BeforeExit()
 		os.Exit(0)

container/init_test.go

@@ -10,6 +10,7 @@ import (
 	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/internal/params"
 	"hakurei.app/internal/stub"
 )
 
@@ -40,7 +41,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
 				call("getpid", stub.ExpectArgs{}, 1, nil),
 				call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
-				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, ErrReceiveEnv),
+				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, params.ErrReceiveEnv),
 				call("fatal", stub.ExpectArgs{[]any{"HAKUREI_SETUP not set"}}, nil, nil),
 			},
 		}, nil},
@@ -94,7 +95,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -122,7 +123,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -151,7 +152,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -181,7 +182,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -212,7 +213,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -244,7 +245,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -278,7 +279,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -314,7 +315,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
+					Ops:            new(make(Ops, 1)),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -331,6 +332,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -369,6 +372,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -407,6 +412,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", stub.UniqueError(61)),
 				call("fatalf", stub.ExpectArgs{"cannot prepare op at index %d: %v", []any{0, stub.UniqueError(61)}}, nil, nil),
@@ -446,6 +453,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", &os.PathError{Op: "readlink", Path: "/", Err: stub.UniqueError(60)}),
 				call("fatal", stub.ExpectArgs{[]any{"cannot readlink /: unique error 60 injected by the test suite"}}, nil, nil),
@@ -485,9 +494,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				/* begin early */
-				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
-				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, stub.UniqueError(58)),
 				call("fatalf", stub.ExpectArgs{"cannot mount intermediate root: %v", []any{stub.UniqueError(58)}}, nil, nil),
 			},
@@ -525,9 +531,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				/* begin early */
-				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
-				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
 				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, stub.UniqueError(56)),
 				call("fatalf", stub.ExpectArgs{"cannot enter intermediate host path: %v", []any{stub.UniqueError(56)}}, nil, nil),
@@ -566,11 +569,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, stub.UniqueError(54)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(54)}}, nil, nil),
 			},
@@ -608,11 +611,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, stub.UniqueError(52)),
 				call("fatalf", stub.ExpectArgs{"cannot bind sysroot: %v", []any{stub.UniqueError(52)}}, nil, nil),
@@ -651,11 +654,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, stub.UniqueError(50)),
@@ -695,11 +698,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -740,11 +743,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -786,11 +789,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -841,11 +844,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -896,11 +899,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -952,11 +955,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1009,11 +1012,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1068,11 +1071,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1128,11 +1131,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1189,11 +1192,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1251,11 +1254,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1314,11 +1317,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1378,11 +1381,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1443,11 +1446,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1509,11 +1512,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1583,11 +1586,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1621,7 +1624,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1653,8 +1655,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, stub.UniqueError(19)),
-				call("fatalf", stub.ExpectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{stub.UniqueError(19)}}, nil, nil),
+				call("fatalf", stub.ExpectArgs{"cannot raise %#x: %v", []any{uintptr(0x15), stub.UniqueError(19)}}, nil, nil),
 			},
 		}, nil},
 
@@ -1690,11 +1693,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1728,7 +1731,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1760,8 +1762,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
 				call("fatalf", stub.ExpectArgs{"cannot capset: %v", []any{stub.UniqueError(17)}}, nil, nil),
 			},
 		}, nil},
@@ -1798,11 +1799,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1836,7 +1837,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1868,8 +1868,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
 				call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
@@ -1907,11 +1908,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2031,11 +2032,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2131,11 +2132,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2231,11 +2232,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2322,11 +2323,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2417,11 +2418,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2519,11 +2520,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2658,11 +2659,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2696,7 +2697,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -2728,8 +2728,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),

container/initdev.go

@@ -3,7 +3,7 @@ package container
 import (
 	"encoding/gob"
 	"fmt"
-	"path"
+	"path/filepath"
 	. "syscall"
 
 	"hakurei.app/check"
@@ -46,7 +46,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 
 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
-		targetPath := path.Join(target, name)
+		targetPath := filepath.Join(target, name)
 		if err := k.ensureFile(targetPath, 0444, state.ParentPerm); err != nil {
 			return err
 		}
@@ -62,7 +62,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	for i, name := range []string{"stdin", "stdout", "stderr"} {
 		if err := k.symlink(
 			fhs.Proc+"self/fd/"+string(rune(i+'0')),
-			path.Join(target, name),
+			filepath.Join(target, name),
 		); err != nil {
 			return err
 		}
@@ -72,13 +72,13 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 		{fhs.Proc + "kcore", "core"},
 		{"pts/ptmx", "ptmx"},
 	} {
-		if err := k.symlink(pair[0], path.Join(target, pair[1])); err != nil {
+		if err := k.symlink(pair[0], filepath.Join(target, pair[1])); err != nil {
 			return err
 		}
 	}
 
-	devShmPath := path.Join(target, "shm")
-	devPtsPath := path.Join(target, "pts")
+	devShmPath := filepath.Join(target, "shm")
+	devPtsPath := filepath.Join(target, "pts")
 	for _, name := range []string{devShmPath, devPtsPath} {
 		if err := k.mkdir(name, state.ParentPerm); err != nil {
 			return err
@@ -92,7 +92,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 
 	if state.RetainSession {
 		if k.isatty(Stdout) {
-			consolePath := path.Join(target, "console")
+			consolePath := filepath.Join(target, "console")
 			if err := k.ensureFile(consolePath, 0444, state.ParentPerm); err != nil {
 				return err
 			}
@@ -110,7 +110,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 
 	if d.Mqueue {
-		mqueueTarget := path.Join(target, "mqueue")
+		mqueueTarget := filepath.Join(target, "mqueue")
 		if err := k.mkdir(mqueueTarget, state.ParentPerm); err != nil {
 			return err
 		}

container/initoverlay.go

@@ -4,9 +4,9 @@ import (
 	"encoding/gob"
 	"fmt"
 	"slices"
-	"strings"
 
 	"hakurei.app/check"
+	"hakurei.app/ext"
 	"hakurei.app/fhs"
 )
 
@@ -150,7 +150,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
-				o.upper = check.EscapeOverlayDataSegment(toHost(v))
+				o.upper = toHost(v)
 			}
 		}
 
@@ -158,7 +158,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
-				o.work = check.EscapeOverlayDataSegment(toHost(v))
+				o.work = toHost(v)
 			}
 		}
 	}
@@ -168,12 +168,39 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
-			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
+			o.lower[i] = toHost(v)
 		}
 	}
 	return nil
 }
 
+// mountOverlay sets up an overlay mount via [ext.FS].
+func mountOverlay(target string, options [][2]string) error {
+	fs, err := ext.OpenFS(SourceOverlay, 0)
+	if err != nil {
+		return err
+	}
+	if err = fs.SetString("source", SourceOverlay); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	for _, option := range options {
+		if err = fs.SetString(option[0], option[1]); err != nil {
+			_ = fs.Close()
+			return err
+		}
+	}
+	if err = fs.SetFlag(OptionOverlayUserxattr); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	if err = fs.Mount(target, 0); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	return fs.Close()
+}
+
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
@@ -194,7 +221,7 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}
 
-	options := make([]string, 0, 4)
+	options := make([][2]string, 0, 2+len(o.lower))
 
 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
@@ -205,15 +232,16 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
-		options = append(options,
-			OptionOverlayUpperdir+"="+o.upper,
-			OptionOverlayWorkdir+"="+o.work)
+		options = append(options, [][2]string{
+			{OptionOverlayUpperdir, o.upper},
+			{OptionOverlayWorkdir, o.work},
+		}...)
+	}
+	for _, lower := range o.lower {
+		options = append(options, [2]string{OptionOverlayLowerdir + "+", lower})
 	}
-	options = append(options,
-		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
-		OptionOverlayUserxattr)
 
-	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
+	return k.mountOverlay(target, options)
 }
 
 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }

container/initoverlay_test.go

@@ -97,13 +97,12 @@ func TestMountOverlayOp(t *testing.T) {
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
-				"upperdir=overlay.upper.32768," +
-				"workdir=overlay.work.32768," +
-				"lowerdir=" +
-				`/host/var/lib/planterette/base/debian\:f92c9052:` +
-				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot", [][2]string{
+				{"upperdir", "overlay.upper.32768"},
+				{"workdir", "overlay.work.32768"},
+				{"lowerdir+", `/host/var/lib/planterette/base/debian:f92c9052`},
+				{"lowerdir+", `/host/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052`},
+			}}, nil, nil),
 		}, nil},
 
 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -129,11 +128,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
-				"lowerdir=" +
-				"/host/mnt-root/nix/.ro-store:" +
-				"/host/mnt-root/nix/.ro-store0," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/nix/store", [][2]string{
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+			}}, nil, nil),
 		}, nil},
 
 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -147,11 +145,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"lowerdir=" +
-				"/host/mnt-root/nix/.ro-store:" +
-				"/host/mnt-root/nix/.ro-store0," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+			}}, nil, nil),
 		}, nil},
 
 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -219,7 +216,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 
 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -233,11 +234,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				"lowerdir=/host/mnt-root/nix/ro-store," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, nil),
 		}, nil},
 
 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -261,16 +262,15 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				"lowerdir=" +
-				"/host/mnt-root/nix/ro-store:" +
-				"/host/mnt-root/nix/ro-store0:" +
-				"/host/mnt-root/nix/ro-store1:" +
-				"/host/mnt-root/nix/ro-store2:" +
-				"/host/mnt-root/nix/ro-store3," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store0"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store1"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store2"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store3"},
+			}}, nil, nil),
 		}, nil},
 	})
 

container/initsymlink.go

@@ -3,7 +3,7 @@ package container
 import (
 	"encoding/gob"
 	"fmt"
-	"path"
+	"path/filepath"
 
 	"hakurei.app/check"
 )
@@ -30,7 +30,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN
 
 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
-		if !path.IsAbs(l.LinkName) {
+		if !filepath.IsAbs(l.LinkName) {
 			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
@@ -44,7 +44,7 @@ func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 
 func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	target := toSysroot(l.Target.String())
-	if err := k.mkdirAll(path.Dir(target), state.ParentPerm); err != nil {
+	if err := k.mkdirAll(filepath.Dir(target), state.ParentPerm); err != nil {
 		return err
 	}
 	return k.symlink(l.LinkName, target)

container/landlock_test.go

@@ -1,65 +0,0 @@
-package container_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/container"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *container.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(container.RulesetAttr), "0"},
-		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &container.RulesetAttr{
-			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &container.RulesetAttr{
-			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
-				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				container.LANDLOCK_ACCESS_FS_MAKE_REG |
-				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				container.LANDLOCK_ACCESS_FS_REFER |
-				container.LANDLOCK_ACCESS_FS_TRUNCATE |
-				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
-				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}

container/mount.go

@@ -40,6 +40,9 @@ const (
 	// SourceMqueue is used when mounting mqueue.
 	// Note that any source value is allowed when fstype is [FstypeMqueue].
 	SourceMqueue = "mqueue"
+	// SourceBinfmtMisc is used when mounting binfmt_misc.
+	// Note that any source value is allowed when fstype is [SourceBinfmtMisc].
+	SourceBinfmtMisc = "binfmt_misc"
 	// SourceOverlay is used when mounting overlay.
 	// Note that any source value is allowed when fstype is [FstypeOverlay].
 	SourceOverlay = "overlay"
@@ -70,6 +73,9 @@ const (
 	// FstypeMqueue represents the mqueue pseudo-filesystem.
 	// This filesystem type is usually mounted on /dev/mqueue.
 	FstypeMqueue = "mqueue"
+	// FstypeBinfmtMisc represents the binfmt_misc pseudo-filesystem.
+	// This filesystem type is usually mounted on /proc/sys/fs/binfmt_misc.
+	FstypeBinfmtMisc = "binfmt_misc"
 	// FstypeOverlay represents the overlay pseudo-filesystem.
 	// This filesystem type can be mounted anywhere in the container filesystem.
 	FstypeOverlay = "overlay"

container/params.go

@@ -1,47 +0,0 @@
-package container
-
-import (
-	"encoding/gob"
-	"errors"
-	"os"
-	"strconv"
-	"syscall"
-)
-
-// Setup appends the read end of a pipe for setup params transmission and returns its fd.
-func Setup(extraFiles *[]*os.File) (int, *os.File, error) {
-	if r, w, err := os.Pipe(); err != nil {
-		return -1, nil, err
-	} else {
-		fd := 3 + len(*extraFiles)
-		*extraFiles = append(*extraFiles, r)
-		return fd, w, nil
-	}
-}
-
-var (
-	ErrReceiveEnv = errors.New("environment variable not set")
-)
-
-// Receive retrieves setup fd from the environment and receives params.
-func Receive(key string, e any, fdp *uintptr) (func() error, error) {
-	var setup *os.File
-
-	if s, ok := os.LookupEnv(key); !ok {
-		return nil, ErrReceiveEnv
-	} else {
-		if fd, err := strconv.Atoi(s); err != nil {
-			return nil, optionalErrorUnwrap(err)
-		} else {
-			setup = os.NewFile(uintptr(fd), "setup")
-			if setup == nil {
-				return nil, syscall.EDOM
-			}
-			if fdp != nil {
-				*fdp = setup.Fd()
-			}
-		}
-	}
-
-	return setup.Close, gob.NewDecoder(setup).Decode(e)
-}

container/path.go

@@ -4,7 +4,7 @@ import (
 	"errors"
 	"io/fs"
 	"os"
-	"path"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"syscall"
@@ -29,16 +29,16 @@ const (
 
 func toSysroot(name string) string {
 	name = strings.TrimLeftFunc(name, func(r rune) bool { return r == '/' })
-	return path.Join(sysrootPath, name)
+	return filepath.Join(sysrootPath, name)
 }
 
 func toHost(name string) string {
 	name = strings.TrimLeftFunc(name, func(r rune) bool { return r == '/' })
-	return path.Join(hostPath, name)
+	return filepath.Join(hostPath, name)
 }
 
 func createFile(name string, perm, pperm os.FileMode, content []byte) error {
-	if err := os.MkdirAll(path.Dir(name), pperm); err != nil {
+	if err := os.MkdirAll(filepath.Dir(name), pperm); err != nil {
 		return err
 	}
 	f, err := os.OpenFile(name, syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY, perm)

container/path_test.go

@@ -4,13 +4,12 @@ import (
 	"io"
 	"math"
 	"os"
-	"path"
+	"path/filepath"
 	"reflect"
 	"syscall"
 	"testing"
 	"unsafe"
 
-	"hakurei.app/check"
 	"hakurei.app/vfs"
 )
 
@@ -50,9 +49,6 @@ func TestToHost(t *testing.T) {
 	}
 }
 
-// InternalToHostOvlEscape exports toHost passed to [check.EscapeOverlayDataSegment].
-func InternalToHostOvlEscape(s string) string { return check.EscapeOverlayDataSegment(toHost(s)) }
-
 func TestCreateFile(t *testing.T) {
 	t.Run("nonexistent", func(t *testing.T) {
 		t.Run("mkdir", func(t *testing.T) {
@@ -61,7 +57,7 @@ func TestCreateFile(t *testing.T) {
 				Path: "/proc/nonexistent",
 				Err:  syscall.ENOENT,
 			}
-			if err := createFile(path.Join(Nonexistent, ":3"), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
+			if err := createFile(filepath.Join(Nonexistent, ":3"), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
 				t.Errorf("createFile: error = %#v, want %#v", err, wantErr)
 			}
 		})
@@ -72,7 +68,7 @@ func TestCreateFile(t *testing.T) {
 				Path: "/proc/nonexistent",
 				Err:  syscall.ENOENT,
 			}
-			if err := createFile(path.Join(Nonexistent), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
+			if err := createFile(filepath.Join(Nonexistent), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
 				t.Errorf("createFile: error = %#v, want %#v", err, wantErr)
 			}
 		})
@@ -80,7 +76,7 @@ func TestCreateFile(t *testing.T) {
 
 	t.Run("touch", func(t *testing.T) {
 		tempDir := t.TempDir()
-		pathname := path.Join(tempDir, "empty")
+		pathname := filepath.Join(tempDir, "empty")
 		if err := createFile(pathname, 0644, 0755, nil); err != nil {
 			t.Fatalf("createFile: error = %v", err)
 		}
@@ -93,7 +89,7 @@ func TestCreateFile(t *testing.T) {
 
 	t.Run("write", func(t *testing.T) {
 		tempDir := t.TempDir()
-		pathname := path.Join(tempDir, "zero")
+		pathname := filepath.Join(tempDir, "zero")
 		if err := createFile(pathname, 0644, 0755, []byte{0}); err != nil {
 			t.Fatalf("createFile: error = %v", err)
 		}
@@ -107,7 +103,7 @@ func TestCreateFile(t *testing.T) {
 
 func TestEnsureFile(t *testing.T) {
 	t.Run("create", func(t *testing.T) {
-		if err := ensureFile(path.Join(t.TempDir(), "ensure"), 0644, 0755); err != nil {
+		if err := ensureFile(filepath.Join(t.TempDir(), "ensure"), 0644, 0755); err != nil {
 			t.Errorf("ensureFile: error = %v", err)
 		}
 	})
@@ -115,7 +111,7 @@ func TestEnsureFile(t *testing.T) {
 	t.Run("stat", func(t *testing.T) {
 		t.Run("inaccessible", func(t *testing.T) {
 			tempDir := t.TempDir()
-			pathname := path.Join(tempDir, "inaccessible")
+			pathname := filepath.Join(tempDir, "inaccessible")
 			if f, err := os.Create(pathname); err != nil {
 				t.Fatalf("Create: error = %v", err)
 			} else {
@@ -150,7 +146,7 @@ func TestEnsureFile(t *testing.T) {
 
 		t.Run("ensure", func(t *testing.T) {
 			tempDir := t.TempDir()
-			pathname := path.Join(tempDir, "ensure")
+			pathname := filepath.Join(tempDir, "ensure")
 			if f, err := os.Create(pathname); err != nil {
 				t.Fatalf("Create: error = %v", err)
 			} else {
@@ -195,12 +191,12 @@ func TestProcPaths(t *testing.T) {
 
 		t.Run("sample", func(t *testing.T) {
 			tempDir := t.TempDir()
-			if err := os.MkdirAll(path.Join(tempDir, "proc/self"), 0755); err != nil {
+			if err := os.MkdirAll(filepath.Join(tempDir, "proc/self"), 0755); err != nil {
 				t.Fatalf("MkdirAll: error = %v", err)
 			}
 
 			t.Run("clean", func(t *testing.T) {
-				if err := os.WriteFile(path.Join(tempDir, "proc/self/mountinfo"), []byte(`15 20 0:3 / /proc rw,relatime - proc /proc rw
+				if err := os.WriteFile(filepath.Join(tempDir, "proc/self/mountinfo"), []byte(`15 20 0:3 / /proc rw,relatime - proc /proc rw
 16 20 0:15 / /sys rw,relatime - sysfs /sys rw
 17 20 0:5 / /dev rw,relatime - devtmpfs udev rw,size=1983516k,nr_inodes=495879,mode=755`), 0644); err != nil {
 					t.Fatalf("WriteFile: error = %v", err)
@@ -243,8 +239,8 @@ func TestProcPaths(t *testing.T) {
 			})
 
 			t.Run("malformed", func(t *testing.T) {
-				path.Join(tempDir, "proc/self/mountinfo")
-				if err := os.WriteFile(path.Join(tempDir, "proc/self/mountinfo"), []byte{0}, 0644); err != nil {
+				filepath.Join(tempDir, "proc/self/mountinfo")
+				if err := os.WriteFile(filepath.Join(tempDir, "proc/self/mountinfo"), []byte{0}, 0644); err != nil {
 					t.Fatalf("WriteFile: error = %v", err)
 				}
 

container/syscall.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )
 
-// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
+// setNoNewPrivs sets the calling thread's no_new_privs attribute.
+func setNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }
 

dist/hsurc.default

@@ -1 +0,0 @@
-1000 0

dist/install.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-cd "$(dirname -- "$0")" || exit 1
-
-install -vDm0755 "bin/hakurei" "${DESTDIR}/usr/bin/hakurei"
-install -vDm0755 "bin/sharefs" "${DESTDIR}/usr/bin/sharefs"
-
-install -vDm4511 "bin/hsu" "${DESTDIR}/usr/bin/hsu"
-if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
-    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
-fi
-
-install -vDm0644 "comp/_hakurei" "${DESTDIR}/usr/share/zsh/site-functions/_hakurei"

dist/release.sh

@@ -1,31 +0,0 @@
-#!/bin/sh -e
-cd "$(dirname -- "$0")/.."
-VERSION="${HAKUREI_VERSION:-untagged}"
-pname="hakurei-${VERSION}-$(go env GOARCH)"
-out="${DESTDIR:-dist}/${pname}"
-
-echo '# Preparing distribution files.'
-mkdir -p "${out}"
-cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
-cp -rv "dist/comp" "${out}"
-echo
-
-echo '# Building hakurei.'
-go generate ./...
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
-  -buildid= -linkmode external -extldflags=-static
-  -X hakurei.app/internal/info.buildVersion=${VERSION}
-  -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
-  -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
-  -X main.hakureiPath=/usr/bin/hakurei" ./...
-echo
-
-echo '# Testing hakurei.'
-go test -ldflags='-buildid= -linkmode external -extldflags=-static' ./...
-echo
-
-echo '# Creating distribution.'
-rm -f "${out}.tar.gz" && tar -C "${out}/.." -vczf "${out}.tar.gz" "${pname}"
-rm -rf "${out}"
-(cd "${out}/.." && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
-echo

ext/ext_test.go

@@ -39,7 +39,7 @@ func TestSyscall(t *testing.T) {
 					t.Errorf("Unmarshal: %v, want %v", got, tc.want)
 				}
 			})
-			if errors.As(tc.err, new(ext.SyscallNameError)) {
+			if _, ok := errors.AsType[ext.SyscallNameError](tc.err); ok {
 				return
 			}
 

ext/fs.go

@@ -0,0 +1,267 @@
+package ext
+
+import (
+	"os"
+	"runtime"
+	"syscall"
+	"unsafe"
+)
+
+// include/uapi/linux/mount.h
+
+/*
+ * move_mount() flags.
+ */
+const (
+	MOVE_MOUNT_F_SYMLINKS   = 1 << iota /* Follow symlinks on from path */
+	MOVE_MOUNT_F_AUTOMOUNTS             /* Follow automounts on from path */
+	MOVE_MOUNT_F_EMPTY_PATH             /* Empty from path permitted */
+	_
+	MOVE_MOUNT_T_SYMLINKS   /* Follow symlinks on to path */
+	MOVE_MOUNT_T_AUTOMOUNTS /* Follow automounts on to path */
+	MOVE_MOUNT_T_EMPTY_PATH /* Empty to path permitted */
+	_
+	MOVE_MOUNT_SET_GROUP /* Set sharing group instead */
+	MOVE_MOUNT_BENEATH   /* Mount beneath top mount */
+)
+
+/*
+ * fsopen() flags.
+ */
+const (
+	FSOPEN_CLOEXEC = 1 << iota
+)
+
+/*
+ * fspick() flags.
+ */
+const (
+	FSPICK_CLOEXEC = 1 << iota
+	FSPICK_SYMLINK_NOFOLLOW
+	FSPICK_NO_AUTOMOUNT
+	FSPICK_EMPTY_PATH
+)
+
+/*
+ * The type of fsconfig() call made.
+ */
+const (
+	FSCONFIG_SET_FLAG        = iota /* Set parameter, supplying no value */
+	FSCONFIG_SET_STRING             /* Set parameter, supplying a string value */
+	FSCONFIG_SET_BINARY             /* Set parameter, supplying a binary blob value */
+	FSCONFIG_SET_PATH               /* Set parameter, supplying an object by path */
+	FSCONFIG_SET_PATH_EMPTY         /* Set parameter, supplying an object by (empty) path */
+	FSCONFIG_SET_FD                 /* Set parameter, supplying an object by fd */
+	FSCONFIG_CMD_CREATE             /* Create new or reuse existing superblock */
+	FSCONFIG_CMD_RECONFIGURE        /* Invoke superblock reconfiguration */
+	FSCONFIG_CMD_CREATE_EXCL        /* Create new superblock, fail if reusing existing superblock */
+)
+
+/*
+ * fsmount() flags.
+ */
+const (
+	FSMOUNT_CLOEXEC = 1 << iota
+)
+
+/*
+ * Mount attributes.
+ */
+const (
+	MOUNT_ATTR_RDONLY      = 0x00000001 /* Mount read-only */
+	MOUNT_ATTR_NOSUID      = 0x00000002 /* Ignore suid and sgid bits */
+	MOUNT_ATTR_NODEV       = 0x00000004 /* Disallow access to device special files */
+	MOUNT_ATTR_NOEXEC      = 0x00000008 /* Disallow program execution */
+	MOUNT_ATTR__ATIME      = 0x00000070 /* Setting on how atime should be updated */
+	MOUNT_ATTR_RELATIME    = 0x00000000 /* - Update atime relative to mtime/ctime. */
+	MOUNT_ATTR_NOATIME     = 0x00000010 /* - Do not update access times. */
+	MOUNT_ATTR_STRICTATIME = 0x00000020 /* - Always perform atime updates */
+	MOUNT_ATTR_NODIRATIME  = 0x00000080 /* Do not update directory access times */
+	MOUNT_ATTR_IDMAP       = 0x00100000 /* Idmap mount to @userns_fd in struct mount_attr. */
+	MOUNT_ATTR_NOSYMFOLLOW = 0x00200000 /* Do not follow symlinks */
+)
+
+// FS provides low-level wrappers around the suite of file-descriptor-based
+// mount facilities in Linux.
+type FS struct {
+	fd uintptr
+	c  runtime.Cleanup
+}
+
+// newFS allocates a new [FS] for the specified fd.
+func newFS(fd uintptr) *FS {
+	fs := FS{fd: fd}
+	fs.c = runtime.AddCleanup(&fs, func(fd uintptr) {
+		_ = syscall.Close(int(fd))
+	}, fd)
+	return &fs
+}
+
+// Close closes the underlying filesystem context.
+func (fs *FS) Close() error {
+	if fs == nil {
+		return syscall.EINVAL
+	}
+	err := syscall.Close(int(fs.fd))
+	fs.c.Stop()
+	return err
+}
+
+// OpenFS creates a new filesystem context.
+func OpenFS(fsname string, flags int) (fs *FS, err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(fsname)
+	if err != nil {
+		return
+	}
+	fd, _, errno := syscall.Syscall(
+		SYS_FSOPEN,
+		uintptr(unsafe.Pointer(s)),
+		uintptr(flags|FSOPEN_CLOEXEC),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fsopen", errno)
+	} else {
+		fs = newFS(fd)
+	}
+	return
+}
+
+// PickFS selects filesystem for reconfiguration.
+func PickFS(dirfd int, pathname string, flags int) (fs *FS, err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(pathname)
+	if err != nil {
+		return
+	}
+	fd, _, errno := syscall.Syscall(
+		SYS_FSPICK,
+		uintptr(dirfd),
+		uintptr(unsafe.Pointer(s)),
+		uintptr(flags|FSPICK_CLOEXEC),
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fspick", errno)
+	} else {
+		fs = newFS(fd)
+	}
+	return
+}
+
+// config configures new or existing filesystem context.
+func (fs *FS) config(cmd uint, key *byte, value unsafe.Pointer, aux int) (err error) {
+	_, _, errno := syscall.Syscall6(
+		SYS_FSCONFIG,
+		fs.fd,
+		uintptr(cmd),
+		uintptr(unsafe.Pointer(key)),
+		uintptr(value),
+		uintptr(aux),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fsconfig", errno)
+	}
+	return
+}
+
+// SetFlag sets the flag parameter named by key. ([FSCONFIG_SET_FLAG])
+func (fs *FS) SetFlag(key string) (err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(key)
+	if err != nil {
+		return
+	}
+
+	return fs.config(FSCONFIG_SET_FLAG, s, nil, 0)
+}
+
+// SetString sets the string parameter named by key to the value specified by
+// value. ([FSCONFIG_SET_STRING])
+func (fs *FS) SetString(key, value string) (err error) {
+	var s0 *byte
+	s0, err = syscall.BytePtrFromString(key)
+	if err != nil {
+		return
+	}
+
+	var s1 *byte
+	s1, err = syscall.BytePtrFromString(value)
+	if err != nil {
+		return
+	}
+
+	return fs.config(FSCONFIG_SET_STRING, s0, unsafe.Pointer(s1), 0)
+}
+
+// mount instantiates mount object from filesystem context.
+func (fs *FS) mount(flags, attrFlags int) (fsfd int, err error) {
+	r, _, errno := syscall.Syscall(
+		SYS_FSMOUNT,
+		fs.fd,
+		uintptr(flags|FSMOUNT_CLOEXEC),
+		uintptr(attrFlags),
+	)
+	fsfd = int(r)
+	if errno != 0 {
+		err = os.NewSyscallError("fsmount", errno)
+	}
+	return
+}
+
+// MoveMount moves or attaches mount object to filesystem.
+func MoveMount(
+	fromDirfd int,
+	fromPathname string,
+	toDirfd int,
+	toPathname string,
+	flags int,
+) (err error) {
+	var s0 *byte
+	s0, err = syscall.BytePtrFromString(fromPathname)
+	if err != nil {
+		return
+	}
+
+	var s1 *byte
+	s1, err = syscall.BytePtrFromString(toPathname)
+	if err != nil {
+		return
+	}
+
+	_, _, errno := syscall.Syscall6(
+		SYS_MOVE_MOUNT,
+		uintptr(fromDirfd),
+		uintptr(unsafe.Pointer(s0)),
+		uintptr(toDirfd),
+		uintptr(unsafe.Pointer(s1)),
+		uintptr(flags),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("move_mount", errno)
+	}
+	return
+}
+
+// Mount attaches the underlying filesystem context to the specified pathname.
+func (fs *FS) Mount(pathname string, attrFlags int) error {
+	if err := fs.config(FSCONFIG_CMD_CREATE_EXCL, nil, nil, 0); err != nil {
+		return err
+	}
+	fd, err := fs.mount(0, attrFlags)
+	if err != nil {
+		return err
+	}
+	err = MoveMount(
+		fd, "",
+		-1, pathname,
+		MOVE_MOUNT_F_EMPTY_PATH,
+	)
+	closeErr := syscall.Close(fd)
+	if err == nil {
+		err = closeErr
+	}
+	return err
+}

fhs/abs.go

@@ -42,6 +42,8 @@ var (
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
+	// AbsProcSys is [ProcSys] as [check.Absolute].
+	AbsProcSys = unsafeAbs(ProcSys)
 	// AbsProcSelfExe is [ProcSelfExe] as [check.Absolute].
 	AbsProcSelfExe = unsafeAbs(ProcSelfExe)
 	// AbsSys is [Sys] as [check.Absolute].

flake.lock

@@ -7,32 +7,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1772985280,
-        "narHash": "sha256-FdrNykOoY9VStevU4zjSUdvsL9SzJTcXt4omdEDZDLk=",
+        "lastModified": 1780361225,
+        "narHash": "sha256-wnV9ttf4fPWNonBIQmvlrSlNpQYgx5HgWWd007mwIFA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8f736f007139d7f70752657dff6a401a585d6cbc",
+        "rev": "e28654b71096e08c019d4861ca26acb646f583d8",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.11",
+        "ref": "release-26.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772822230,
-        "narHash": "sha256-yf3iYLGbGVlIthlQIk5/4/EQDZNNEmuqKZkQssMljuw=",
+        "lastModified": 1780453794,
+        "narHash": "sha256-bXMRa9VTsHSPXL4Cw8R6JJLQeY3Y/IP4+YJCYVmQ7FY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "71caefce12ba78d84fe618cf61644dce01cf3a96",
+        "rev": "6b316287bae2ee04c9b93c8c858d930fd07d7338",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.11",
+        "ref": "nixos-26.05",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,10 +2,10 @@
   description = "hakurei container tool and nixos module";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.11";
+      url = "github:nix-community/home-manager/release-26.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -37,7 +37,7 @@
           inherit (pkgs)
             runCommandLocal
             callPackage
-            nixfmt-rfc-style
+            nixfmt
             deadnix
             statix
             ;
@@ -57,7 +57,7 @@
 
           sharefs = callPackage ./cmd/sharefs/test { inherit system self; };
 
-          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
+          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt ]; } ''
             cd ${./.}
 
             echo "running nixfmt..."
@@ -137,11 +137,9 @@
 
                 CC="musl-clang -O3 -Werror -Qunused-arguments" \
                 GOCACHE="$(mktemp -d)" \
-                HAKUREI_TEST_SKIP_ACL=1 \
                 PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
                 DESTDIR="$out" \
-                HAKUREI_VERSION="v${hakurei.version}" \
-                  ./dist/release.sh
+                  ./all.sh
               '';
         }
       );
@@ -196,6 +194,7 @@
                   ./test/interactive/vm.nix
                   ./test/interactive/hakurei.nix
                   ./test/interactive/trace.nix
+                  ./test/interactive/raceattr.nix
 
                   self.nixosModules.hakurei
                   home-manager.nixosModules.home-manager

hst/config.go

@@ -140,21 +140,29 @@ var (
 	ErrInsecure = errors.New("configuration is insecure")
 )
 
+const (
+	// VAllowInsecure allows use of compatibility options considered insecure
+	// under any configuration, to work around ecosystem-wide flaws.
+	VAllowInsecure = 1 << iota
+)
+
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
-func (config *Config) Validate() error {
+func (config *Config) Validate(flags int) error {
+	const step = "validate configuration"
+
 	if config == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "invalid configuration"}
 	}
 
 	// this is checked again in hsu
 	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
-		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
+		return &AppError{Step: step, Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}
 
 	if config.SchedPolicy < 0 || config.SchedPolicy > ext.SCHED_LAST {
-		return &AppError{Step: "validate configuration", Err: ErrSchedPolicyBounds,
+		return &AppError{Step: step, Err: ErrSchedPolicyBounds,
 			Msg: "scheduling policy " +
 				strconv.Itoa(int(config.SchedPolicy)) +
 				" out of range"}
@@ -168,34 +176,51 @@ func (config *Config) Validate() error {
 	}
 
 	if config.Container == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "configuration missing container state"}
 	}
 	if config.Container.Home == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}
 	}
 	if config.Container.Shell == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to shell"}
 	}
 	if config.Container.Path == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}
 	}
 
 	for key := range config.Container.Env {
 		if strings.IndexByte(key, '=') != -1 || strings.IndexByte(key, 0) != -1 {
-			return &AppError{Step: "validate configuration", Err: ErrEnviron,
+			return &AppError{Step: step, Err: ErrEnviron,
 				Msg: "invalid environment variable " + strconv.Quote(key)}
 		}
 	}
 
-	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
-		return &AppError{Step: "validate configuration", Err: ErrInsecure,
+	et := config.Enablements.Unwrap()
+	if !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: step, Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 
+	if flags&VAllowInsecure == 0 {
+		switch {
+		case et&EWayland != 0 && config.DirectWayland:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_wayland is insecure and no longer supported"}
+
+		case et&EPipeWire != 0 && config.DirectPipeWire:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pipewire is insecure and no longer supported"}
+
+		case et&EPulse != 0 && config.DirectPulse:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pulse is insecure and no longer supported"}
+		}
+	}
+
 	return nil
 }
 

hst/config_test.go

@@ -14,65 +14,109 @@ func TestConfigValidate(t *testing.T) {
 	testCases := []struct {
 		name    string
 		config  *hst.Config
+		flags   int
 		wantErr error
 	}{
-		{"nil", nil, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"nil", nil, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
-		{"identity lower", &hst.Config{Identity: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+
+		{"identity lower", &hst.Config{Identity: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity -1 out of range"}},
-		{"identity upper", &hst.Config{Identity: 10000}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity upper", &hst.Config{Identity: 10000}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity 10000 out of range"}},
-		{"sched lower", &hst.Config{SchedPolicy: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+
+		{"sched lower", &hst.Config{SchedPolicy: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy -1 out of range"}},
-		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy 51966 out of range"}},
-		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}},
+
+		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "session"}},
-		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}},
+		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "system"}},
-		{"container", &hst.Config{}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+
+		{"container", &hst.Config{}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "configuration missing container state"}},
-		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}},
 		{"shell", &hst.Config{Container: &hst.ContainerConfig{
 			Home: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to shell"}},
 		{"path", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}},
+
 		{"env equals", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM=": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM="`}},
 		{"env NUL", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM\x00": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
-		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
+
+		{"insecure pulse", &hst.Config{Enablements: new(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
+
+		{"direct wayland", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_wayland is insecure and no longer supported"}},
+		{"direct wayland allow", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pipewire", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pipewire is insecure and no longer supported"}},
+		{"direct pipewire allow", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pulse", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pulse is insecure and no longer supported"}},
+		{"direct pulse allow", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, nil},
+		}}, 0, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if err := tc.config.Validate(); !reflect.DeepEqual(err, tc.wantErr) {
+			if err := tc.config.Validate(tc.flags); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("Validate: error = %#v, want %#v", err, tc.wantErr)
 			}
 		})

hst/enablement.go

@@ -7,12 +7,12 @@ import (
 	"syscall"
 )
 
-// Enablement represents an optional host service to export to the target user.
-type Enablement byte
+// Enablements denotes optional host service to export to the target user.
+type Enablements byte
 
 const (
 	// EWayland exposes a Wayland pathname socket via security-context-v1.
-	EWayland Enablement = 1 << iota
+	EWayland Enablements = 1 << iota
 	// EX11 adds the target user via X11 ChangeHosts and exposes the X11
 	// pathname socket.
 	EX11
@@ -28,8 +28,8 @@ const (
 	EM
 )
 
-// String returns a string representation of the flags set on [Enablement].
-func (e Enablement) String() string {
+// String returns a string representation of the flags set on [Enablements].
+func (e Enablements) String() string {
 	switch e {
 	case 0:
 		return "(no enablements)"
@@ -47,7 +47,7 @@ func (e Enablement) String() string {
 		buf := new(strings.Builder)
 		buf.Grow(32)
 
-		for i := Enablement(1); i < EM; i <<= 1 {
+		for i := Enablements(1); i < EM; i <<= 1 {
 			if e&i != 0 {
 				buf.WriteString(", " + i.String())
 			}
@@ -60,12 +60,6 @@ func (e Enablement) String() string {
 	}
 }
 
-// NewEnablements returns the address of [Enablement] as [Enablements].
-func NewEnablements(e Enablement) *Enablements { return (*Enablements)(&e) }
-
-// Enablements is the [json] adapter for [Enablement].
-type Enablements Enablement
-
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
 	Wayland  bool `json:"wayland,omitempty"`
@@ -75,24 +69,21 @@ type enablementsJSON = struct {
 	Pulse    bool `json:"pulse,omitempty"`
 }
 
-// Unwrap returns the underlying [Enablement].
-func (e *Enablements) Unwrap() Enablement {
+// Unwrap returns the value pointed to by e.
+func (e *Enablements) Unwrap() Enablements {
 	if e == nil {
 		return 0
 	}
-	return Enablement(*e)
+	return *e
 }
 
-func (e *Enablements) MarshalJSON() ([]byte, error) {
-	if e == nil {
-		return nil, syscall.EINVAL
-	}
+func (e Enablements) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&enablementsJSON{
-		Wayland:  Enablement(*e)&EWayland != 0,
-		X11:      Enablement(*e)&EX11 != 0,
-		DBus:     Enablement(*e)&EDBus != 0,
-		PipeWire: Enablement(*e)&EPipeWire != 0,
-		Pulse:    Enablement(*e)&EPulse != 0,
+		Wayland:  e&EWayland != 0,
+		X11:      e&EX11 != 0,
+		DBus:     e&EDBus != 0,
+		PipeWire: e&EPipeWire != 0,
+		Pulse:    e&EPulse != 0,
 	})
 }
 
@@ -106,22 +97,21 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	var ve Enablement
+	*e = 0
 	if v.Wayland {
-		ve |= EWayland
+		*e |= EWayland
 	}
 	if v.X11 {
-		ve |= EX11
+		*e |= EX11
 	}
 	if v.DBus {
-		ve |= EDBus
+		*e |= EDBus
 	}
 	if v.PipeWire {
-		ve |= EPipeWire
+		*e |= EPipeWire
 	}
 	if v.Pulse {
-		ve |= EPulse
+		*e |= EPulse
 	}
-	*e = Enablements(ve)
 	return nil
 }

hst/enablement_test.go

@@ -13,7 +13,7 @@ func TestEnablementString(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
-		flags hst.Enablement
+		flags hst.Enablements
 		want  string
 	}{
 		{0, "(no enablements)"},
@@ -59,13 +59,13 @@ func TestEnablements(t *testing.T) {
 		sData string
 	}{
 		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
-		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
-		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
-		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
-		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
-		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
-		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
+		{"zero", new(hst.Enablements(0)), `{}`, `{"value":{},"magic":3236757504}`},
+		{"wayland", new(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"x11", new(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"dbus", new(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"pipewire", new(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
+		{"pulse", new(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"all", new(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
@@ -137,7 +137,7 @@ func TestEnablements(t *testing.T) {
 		})
 
 		t.Run("val", func(t *testing.T) {
-			if got := hst.NewEnablements(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
+			if got := new(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
 				t.Errorf("Unwrap: %v", got)
 			}
 		})
@@ -146,9 +146,6 @@ func TestEnablements(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()
 
-		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
-			t.Errorf("MarshalJSON: error = %v", err)
-		}
 		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("UnmarshalJSON: error = %v", err)
 		}

hst/fs.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"reflect"
+	"strings"
 
 	"hakurei.app/check"
 )
@@ -56,8 +57,10 @@ type Ops interface {
 
 // ApplyState holds the address of [Ops] and any relevant application state.
 type ApplyState struct {
-	// AutoEtcPrefix is the prefix for [FSBind] in autoetc [FSBind.Special] condition.
+	// Prefix for [FSBind] in autoetc [FSBind.Special] condition.
 	AutoEtcPrefix string
+	// Whether to skip remounting root.
+	NoRemountRoot bool
 
 	Ops
 }
@@ -76,17 +79,17 @@ type FSImplError struct{ Value FilesystemConfig }
 
 func (f FSImplError) Error() string {
 	implType := reflect.TypeOf(f.Value)
-	var name string
-	for implType != nil && implType.Kind() == reflect.Ptr {
-		name += "*"
+	var buf strings.Builder
+	for implType != nil && implType.Kind() == reflect.Pointer {
+		buf.WriteByte('*')
 		implType = implType.Elem()
 	}
 	if implType != nil {
-		name += implType.Name()
+		buf.WriteString(implType.Name())
 	} else {
-		name += "nil"
+		buf.WriteString("nil")
 	}
-	return fmt.Sprintf("implementation %s not supported", name)
+	return "implementation " + buf.String() + " not supported"
 }
 
 // FilesystemConfigJSON is the [json] adapter for [FilesystemConfig].

hst/fs_test.go

@@ -103,7 +103,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
 			t.Run("marshal", func(t *testing.T) {
 				t.Parallel()
 				wantErr := tc.wantErr
-				if errors.As(wantErr, new(hst.FSTypeError)) {
+				if _, ok := errors.AsType[hst.FSTypeError](wantErr); ok {
 					// for unsupported implementation tc
 					wantErr = hst.FSImplError{Value: stubFS{"cat"}}
 				}
@@ -139,7 +139,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
 			t.Run("unmarshal", func(t *testing.T) {
 				t.Parallel()
 				if tc.data == "\x00" && tc.sData == "\x00" {
-					if errors.As(tc.wantErr, new(hst.FSImplError)) {
+					if _, ok := errors.AsType[hst.FSImplError](tc.wantErr); ok {
 						// this error is only returned on marshal
 						return
 					}

hst/fsephemeral.go

@@ -43,18 +43,13 @@ func (e *FSEphemeral) Apply(z *ApplyState) {
 		return
 	}
 
-	size := e.Size
-	if size < 0 {
-		size = 0
-	}
-
 	perm := e.Perm
 	if perm == 0 {
 		perm = fsEphemeralDefaultPerm
 	}
 
 	if e.Write {
-		z.Tmpfs(e.Target, size, perm)
+		z.Tmpfs(e.Target, max(e.Size, 0), perm)
 	} else {
 		z.Readonly(e.Target, perm)
 	}

hst/fslink.go

@@ -2,7 +2,7 @@ package hst
 
 import (
 	"encoding/gob"
-	"path"
+	"path/filepath"
 
 	"hakurei.app/check"
 )
@@ -28,7 +28,7 @@ func (l *FSLink) Valid() bool {
 	if l == nil || l.Target == nil || l.Linkname == "" {
 		return false
 	}
-	return !l.Dereference || path.IsAbs(l.Linkname)
+	return !l.Dereference || filepath.IsAbs(l.Linkname)
 }
 
 func (l *FSLink) Path() *check.Absolute {

hst/fsoverlay.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"hakurei.app/check"
+	"hakurei.app/fhs"
 )
 
 func init() { gob.Register(new(FSOverlay)) }
@@ -69,9 +70,12 @@ func (o *FSOverlay) Apply(z *ApplyState) {
 		return
 	}
 
-	if o.Upper != nil && o.Work != nil { // rw
+	if o.Upper != nil && o.Work != nil {
 		z.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
-	} else { // ro
+		if o.Target.Is(fhs.AbsRoot) {
+			z.NoRemountRoot = true
+		}
+	} else {
 		z.OverlayReadonly(o.Target, o.Lower...)
 	}
 }

hst/fsoverlay_test.go

@@ -49,5 +49,18 @@ func TestFSOverlay(t *testing.T) {
 			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
 		}}, m("/mnt/src"), ms("/tmp/.src0", "/tmp/.src1"),
 			"*/mnt/src:/tmp/.src0:/tmp/.src1"},
+
+		{"no remount root", &hst.FSOverlay{
+			Target: m("/"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+			Upper:  m("/tmp/upper"),
+			Work:   m("/tmp/work"),
+		}, true, container.Ops{&container.MountOverlayOp{
+			Target: m("/"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+			Upper:  m("/tmp/upper"),
+			Work:   m("/tmp/work"),
+		}}, m("/"), ms("/tmp/upper", "/tmp/work", "/tmp/.src0", "/tmp/.src1"),
+			"w*/:/tmp/upper:/tmp/work:/tmp/.src0:/tmp/.src1"},
 	})
 }

hst/hst.go

@@ -72,7 +72,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
+		Enablements: new(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,

internal/acl/acl_test.go

@@ -8,12 +8,14 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"reflect"
 	"strconv"
+	"syscall"
 	"testing"
 
 	"hakurei.app/internal/acl"
+	"hakurei.app/internal/info"
 )
 
 const testFileName = "acl.test"
@@ -24,11 +26,17 @@ var (
 )
 
 func TestUpdate(t *testing.T) {
-	if os.Getenv("HAKUREI_TEST_SKIP_ACL") == "1" {
-		t.Skip("acl test skipped")
+	if info.CanDegrade {
+		name := filepath.Join(t.TempDir(), "check-degrade")
+		if err := os.WriteFile(name, nil, 0); err != nil {
+			t.Fatal(err)
+		}
+		if err := acl.Update(name, os.Geteuid()); errors.Is(err, syscall.ENOTSUP) {
+			t.Skip(err)
+		}
 	}
 
-	testFilePath := path.Join(t.TempDir(), testFileName)
+	testFilePath := filepath.Join(t.TempDir(), testFileName)
 
 	if f, err := os.Create(testFilePath); err != nil {
 		t.Fatalf("Create: error = %v", err)

internal/dbus/address.go

@@ -80,7 +80,7 @@ func unescapeValue(v []byte) (val []byte, errno ParseError) {
 			continue
 		}
 
-		if ib := bytes.IndexByte([]byte("-_/.\\*"), b); ib != -1 { // - // _/.\*
+		if found := bytes.Contains([]byte("-_/.\\*"), []byte{b}); found { // - // _/.\*
 			goto opt
 		} else if b >= '0' && b <= '9' { // 0-9
 			goto opt
@@ -101,7 +101,7 @@ func unescapeValue(v []byte) (val []byte, errno ParseError) {
 			break
 		}
 		if c, err := hex.Decode(val[i:i+1], v[iu+1:iu+3]); err != nil {
-			if errors.As(err, new(hex.InvalidByteError)) {
+			if _, ok := errors.AsType[hex.InvalidByteError](err); ok {
 				errno = ErrBadValHexByte
 				break
 			}

internal/info/optional_skip.go

@@ -0,0 +1,7 @@
+//go:build !noskip
+
+package info
+
+// CanDegrade is whether tests are allowed to transparently degrade or skip due
+// to required system features being denied or unavailable.
+const CanDegrade = true

internal/info/optional_strict.go

@@ -0,0 +1,5 @@
+//go:build noskip
+
+package info
+
+const CanDegrade = false

internal/kobject/event.go

@@ -0,0 +1,107 @@
+package kobject
+
+import (
+	"errors"
+	"maps"
+	"strconv"
+	"strings"
+	"unsafe"
+
+	"hakurei.app/internal/uevent"
+)
+
+// Event is a [uevent.Message] with known environment variables processed.
+type Event struct {
+	// alloc_uevent_skb: action_string
+	Action uevent.KobjectAction `json:"action"`
+	// alloc_uevent_skb: devpath
+	DevPath string `json:"devpath"`
+
+	// Uninterpreted environment variable pairs. An entry missing a separator
+	// gains the value "\x00".
+	Env map[string]string `json:"env"`
+
+	// SEQNUM value set by the kernel.
+	Sequence uint64 `json:"seqnum"`
+	// SYNTH_UUID value set on trigger, nil denotes a non-synthetic event.
+	Synth *uevent.UUID `json:"synth_uuid,omitempty"`
+	// SUBSYSTEM value set by the kernel.
+	Subsystem string `json:"subsystem"`
+}
+
+// Clone returns a copy of e.
+func (e *Event) Clone() Event {
+	v := *e
+	v.Env = maps.Clone(e.Env)
+	return v
+}
+
+// makeColdboot allocates a new [Object] from e in [StateColdboot].
+func (e *Event) makeColdboot() *Object {
+	return &Object{
+		State:     StateColdboot,
+		DevPath:   e.DevPath,
+		Subsystem: e.Subsystem,
+	}
+}
+
+// Populate populates e with the contents of a [uevent.Message].
+//
+// The ACTION and DEVPATH environment variables are ignored and assumed to be
+// consistent with the header.
+func (e *Event) Populate(reportErr func(error), m *uevent.Message) {
+	if reportErr == nil {
+		reportErr = func(error) {}
+	}
+
+	*e = Event{
+		Action:  m.Action,
+		DevPath: m.DevPath,
+		Env:     make(map[string]string),
+	}
+
+	for _, s := range m.Env {
+		k, v, ok := strings.Cut(s, "=")
+		if !ok {
+			if _, ok = e.Env[s]; !ok {
+				e.Env[s] = "\x00"
+			}
+			continue
+		}
+
+		switch k {
+		case "ACTION", "DEVPATH":
+			continue
+
+		case "SEQNUM":
+			seq, err := strconv.ParseUint(v, 10, 64)
+			if err != nil {
+				if _e := errors.Unwrap(err); _e != nil {
+					err = _e
+				}
+				reportErr(err)
+
+				e.Env[k] = v
+				continue
+			}
+			e.Sequence = seq
+
+		case "SYNTH_UUID":
+			var uuid uevent.UUID
+			err := uuid.UnmarshalText(unsafe.Slice(unsafe.StringData(v), len(v)))
+			if err != nil {
+				reportErr(err)
+
+				e.Env[k] = v
+				continue
+			}
+			e.Synth = &uuid
+
+		case "SUBSYSTEM":
+			e.Subsystem = v
+
+		default:
+			e.Env[k] = v
+		}
+	}
+}

internal/kobject/event_test.go

@@ -0,0 +1,92 @@
+package kobject_test
+
+import (
+	"reflect"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/kobject"
+	"hakurei.app/internal/uevent"
+)
+
+func TestEvent(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  uevent.Message
+		want kobject.Event
+		errs []error
+	}{
+		{"sample coldboot qemu", uevent.Message{
+			Action:  uevent.KOBJ_ADD,
+			DevPath: "/devices/LNXSYSTM:00/LNXPWRBN:00",
+			Env: []string{
+				"ACTION=add",
+				"DEVPATH=/devices/LNXSYSTM:00/LNXPWRBN:00",
+				"SUBSYSTEM=acpi",
+				"SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed",
+				"MODALIAS=acpi:LNXPWRBN:",
+				"SEQNUM=777",
+			}}, kobject.Event{
+			Action:  uevent.KOBJ_ADD,
+			DevPath: "/devices/LNXSYSTM:00/LNXPWRBN:00",
+			Env: map[string]string{
+				"MODALIAS": "acpi:LNXPWRBN:",
+			},
+			Sequence: 777,
+			Synth: &uevent.UUID{
+				0xfe, 0x4d, 0x7c, 0x9d,
+				0xb8, 0xc6,
+				0x4a, 0x70,
+				0x9e, 0xf1,
+				0x3d, 0x8a, 0x58, 0xd1, 0x8e, 0xed,
+			},
+			Subsystem: "acpi",
+		}, []error{}},
+
+		{"nil reportErr", uevent.Message{Env: []string{
+			"SEQNUM=\x00",
+		}}, kobject.Event{Env: map[string]string{
+			"SEQNUM": "\x00",
+		}}, nil},
+
+		{"bad SEQNUM SYNTH_UUID", uevent.Message{Env: []string{
+			"SEQNUM=\x00",
+			"SYNTH_UUID=\x00",
+			"SUBSYSTEM=\x00",
+		}}, kobject.Event{Subsystem: "\x00", Env: map[string]string{
+			"SEQNUM":     "\x00",
+			"SYNTH_UUID": "\x00",
+		}}, []error{strconv.ErrSyntax, uevent.UUIDSizeError(1)}},
+
+		{"bad sep", uevent.Message{Env: []string{
+			"SYNTH_UUID",
+		}}, kobject.Event{Env: map[string]string{
+			"SYNTH_UUID": "\x00",
+		}}, []error{}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var f func(error)
+			gotErrs := make([]error, 0)
+			if tc.errs != nil {
+				f = func(err error) {
+					gotErrs = append(gotErrs, err)
+				}
+			}
+
+			var got kobject.Event
+			got.Populate(f, &tc.msg)
+
+			if !reflect.DeepEqual(&got, &tc.want) {
+				t.Errorf("Populate: %#v, want %#v", got, tc.want)
+			}
+			if tc.errs != nil && !reflect.DeepEqual(gotErrs, tc.errs) {
+				t.Errorf("Populate: errs = %v, want %v", gotErrs, tc.errs)
+			}
+		})
+	}
+}

internal/kobject/kobject.go

@@ -0,0 +1,491 @@
+// Package kobject interprets uevent messages from a NETLINK_KOBJECT_UEVENT socket.
+package kobject
+
+import (
+	"context"
+	"fmt"
+	"maps"
+	"slices"
+	"strconv"
+	"sync"
+
+	"hakurei.app/internal/report"
+	"hakurei.app/internal/uevent"
+)
+
+const (
+	// StateColdboot denotes an [Object] populated by a coldboot event. It is
+	// eligible for all event actions.
+	StateColdboot = iota
+	// StateNew denotes an [Object] previously populated by a [uevent.KOBJ_ADD]
+	// event, but has not yet been targeted by a [uevent.KOBJ_BIND] event, or
+	// has been targeted by a [uevent.KOBJ_UNBIND] event.
+	StateNew
+	// StateBound denotes an [Object] that has been targeted by a
+	// [uevent.KOBJ_BIND] and has not been targeted by a [uevent.KOBJ_UNBIND]
+	// after that.
+	StateBound
+)
+
+// Object represents a kernel object.
+type Object struct {
+	// Origin of the object.
+	State int `json:"state,omitempty"`
+	// Set by [uevent.KOBJ_OFFLINE] and [uevent.KOBJ_ONLINE].
+	Offline bool `json:"offline,omitempty"`
+
+	// alloc_uevent_skb: devpath
+	DevPath string `json:"devpath"`
+	// registered per-driver (optional)
+	ModAlias string `json:"modalias,omitempty"`
+	// dev_driver_uevent: drv->name (optional)
+	Driver string `json:"driver,omitempty"`
+
+	// SUBSYSTEM value set by the kernel.
+	Subsystem string `json:"subsystem"`
+
+	// Uninterpreted environment variable pairs. An entry missing a separator
+	// gains the value "\x00".
+	Env map[string]string `json:"env"`
+}
+
+// Clone returns the address of a copy of o.
+func (o *Object) Clone() *Object {
+	v := *o
+	v.Env = maps.Clone(o.Env)
+	return &v
+}
+
+// GoString returns compound literal for the underlying value.
+func (o *Object) GoString() string {
+	return fmt.Sprintf("&%#v", *o)
+}
+
+// merge merges uninterpreted environment variable pairs from an [Event].
+func (o *Object) merge(env map[string]string) {
+	for k, v := range env {
+		if v == "\x00" {
+			continue
+		}
+
+		switch k {
+		case "MODALIAS":
+			o.ModAlias = v
+			continue
+
+		case "DRIVER":
+			o.Driver = v
+			continue
+
+		default:
+			if o.Env == nil {
+				o.Env = make(map[string]string)
+			}
+			o.Env[k] = v
+		}
+	}
+}
+
+// update updates o with pairs from env, optionally stripping visited pairs.
+func (o *Object) update(env map[string]string, strip bool) {
+	for k := range o.Env {
+		if v, ok := env[k]; ok {
+			if strip {
+				delete(env, k)
+			}
+			o.Env[k] = v
+		}
+	}
+}
+
+// A pendingIterator is a callback currently iterating through objects targeted
+// by ongoing events.
+type pendingIterator struct {
+	f    func(o *Object, act uevent.KobjectAction) bool
+	done chan<- struct{}
+}
+
+// State processes a stream of [Event] populated from [uevent.Message] received
+// from a NETLINK_KOBJECT_UEVENT socket and presents an efficient representation
+// of kernel state.
+type State struct {
+	// Next expected SEQNUM.
+	seq uint64
+	// DevPath to environment variables.
+	uevent map[string]*Object
+	// Synchronises access to uevent and its objects.
+	ueventMu sync.RWMutex
+	// Alive iterators.
+	iter []*pendingIterator
+	// Synchronises access to iter.
+	iterMu sync.Mutex
+	// UUID for synthetic [uevent.Coldboot] events.
+	coldboot uevent.UUID
+	// Called on [uevent.KOBJ_CHANGE] with stripped environment variables.
+	handleChange func(o *Object, env map[string]string)
+	// Reports errors populating [Event] from [uevent.Message]. A user-supplied
+	// nil value is replaced with a noop.
+	reportErr func(error)
+}
+
+// New returns the address of a new [State].
+func New(
+	coldboot uevent.UUID,
+	handleChange func(o *Object, env map[string]string),
+	reportErr func(error),
+) *State {
+	return &State{
+		uevent:       make(map[string]*Object),
+		coldboot:     coldboot,
+		handleChange: handleChange,
+		reportErr:    reportErr,
+	}
+}
+
+// deleteIter removes an iterator from s. Must be called after acquiring iterMu.
+func (s *State) deleteIter(p *pendingIterator) {
+	s.iter = slices.DeleteFunc(s.iter, func(v *pendingIterator) bool {
+		return p == v
+	})
+}
+
+// dispatchIter broadcasts an [Object] to all alive iterators.
+func (s *State) dispatchIter(o *Object, act uevent.KobjectAction) {
+	s.iterMu.Lock()
+	defer s.iterMu.Unlock()
+
+	for _, p := range s.iter {
+		if !p.f(o, act) {
+			s.deleteIter(p)
+			close(p.done)
+		}
+	}
+}
+
+// Range calls f on all current and upcoming [Object] values tracked by s until
+// f returns false or the context is cancelled. f must not retain o or modify
+// the value it points to.
+func (s *State) Range(
+	ctx context.Context,
+	f func(o *Object, act uevent.KobjectAction) bool,
+) {
+	done := make(chan struct{})
+	p := pendingIterator{f, done}
+
+	s.iterMu.Lock()
+	s.ueventMu.RLock()
+	for _, o := range s.uevent {
+		if !f(o, uevent.KOBJ_ADD) {
+			s.ueventMu.RUnlock()
+			s.iterMu.Unlock()
+			return
+		}
+	}
+	s.ueventMu.RUnlock()
+	s.iter = append(s.iter, &p)
+	s.iterMu.Unlock()
+
+	select {
+	case <-ctx.Done():
+		s.iterMu.Lock()
+		s.deleteIter(&p)
+		s.iterMu.Unlock()
+		return
+
+	case <-done:
+		// deregistered by dispatchIter
+		return
+	}
+}
+
+// An EventError describes a malformed or inconsistent [Event].
+type EventError struct {
+	Kind int     `json:"fault"`
+	E    Event   `json:"event"`
+	O    *Object `json:"object,omitempty"`
+}
+
+var _ report.RepresentableError = EventError{}
+
+func (EventError) Representable() {}
+
+const (
+	// EUnexpectedColdboot is reported for a coldboot event with action other
+	// than the expected [uevent.KOBJ_ADD].
+	EUnexpectedColdboot = iota
+	// EDuplicateAdd is reported for a [uevent.KOBJ_ADD] event on a
+	// still-existing entry that was not the result of a coldboot.
+	EDuplicateAdd
+	// EBadTarget is reported for an event on a nonexistent [Object]. This is
+	// generally only possible before coldboot completes.
+	EBadTarget
+	// ERemoveState is reported for a [uevent.KOBJ_REMOVE] event targeting an
+	// entry in a state other than [StateColdboot] and [StateNew].
+	ERemoveState
+	// EUnexpectedOffline is reported for a [uevent.KOBJ_OFFLINE] or
+	// [uevent.KOBJ_ONLINE] event targeting an already offline or online object.
+	EUnexpectedOffline
+	// EBindState is reported for a [uevent.KOBJ_BIND] event targeting an entry
+	// in a state other than [StateColdboot] and [StateNew].
+	EBindState
+	// EUnbindState is reported for a [uevent.KOBJ_UNBIND] event targeting an
+	// entry in a state other than [StateBound].
+	EUnbindState
+	// EMalformedMove is reported for a [uevent.KOBJ_MOVE] event missing the
+	// DEVPATH_OLD environment variable.
+	EMalformedMove
+)
+
+func (e EventError) Error() string {
+	switch e.Kind {
+	case EUnexpectedColdboot:
+		return "unexpected " + e.E.Action.String() + " coldboot event"
+	case EDuplicateAdd:
+		return "duplicate add event on devpath " + strconv.Quote(e.E.DevPath)
+	case EBadTarget:
+		return "unexpected " + e.E.Action.String() + " event on devpath " +
+			strconv.Quote(e.E.DevPath)
+	case ERemoveState:
+		if e.O == nil {
+			return "invalid remove event error"
+		}
+		return "remove event targeting devpath " + strconv.Quote(e.E.DevPath) +
+			" in state " + strconv.Itoa(e.O.State)
+	case EUnexpectedOffline:
+		if e.O == nil {
+			return "invalid unexpected offline error"
+		}
+		if e.O.Offline {
+			return "offline event targeting devpath " + strconv.Quote(e.E.DevPath)
+		}
+		return "online event targeting devpath " + strconv.Quote(e.E.DevPath)
+	case EBindState:
+		if e.O == nil {
+			return "invalid bind state error"
+		}
+		return "bind event targeting devpath " + strconv.Quote(e.E.DevPath) +
+			" in state " + strconv.Itoa(e.O.State)
+	case EUnbindState:
+		if e.O == nil {
+			return "invalid unbind state error"
+		}
+		return "unbind event targeting devpath " + strconv.Quote(e.E.DevPath) +
+			" in state " + strconv.Itoa(e.O.State)
+	case EMalformedMove:
+		return "move event targeting devpath " + strconv.Quote(e.E.DevPath) +
+			" missing DEVPATH_OLD"
+
+	default:
+		return "invalid event error kind " + strconv.Itoa(e.Kind)
+	}
+}
+
+// NewError returns a new [EventError] for e and o.
+func (e *Event) NewError(kind int, o *Object) error {
+	if o != nil {
+		o = o.Clone()
+	}
+	return EventError{kind, e.Clone(), o}
+}
+
+// processEvent merges an event into s.
+func (s *State) processEvent(e *Event) {
+	s.ueventMu.Lock()
+	defer s.ueventMu.Unlock()
+
+	coldboot := e.Synth != nil
+	if e.Action != uevent.KOBJ_ADD && coldboot {
+		s.reportErr(e.NewError(EUnexpectedColdboot, nil))
+		return
+	}
+
+	switch act := e.Action; act {
+	case uevent.KOBJ_ADD:
+		if e.Synth == nil {
+			if o, ok := s.uevent[e.DevPath]; ok {
+				s.reportErr(e.NewError(EDuplicateAdd, o))
+				o.merge(e.Env)
+				s.dispatchIter(o, act)
+				return
+			}
+		}
+		o := e.makeColdboot()
+		if !coldboot {
+			o.State = StateNew
+		}
+		o.merge(e.Env)
+		s.uevent[e.DevPath] = o
+		s.dispatchIter(o, act)
+		return
+
+	case uevent.KOBJ_REMOVE:
+		if o, ok := s.uevent[e.DevPath]; !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			return
+		} else if o.State != StateColdboot && o.State != StateNew {
+			s.reportErr(e.NewError(ERemoveState, o))
+		}
+		delete(s.uevent, e.DevPath)
+		return
+
+	case uevent.KOBJ_CHANGE:
+		o, ok := s.uevent[e.DevPath]
+		if !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			// this suffers from the coldboot race window similar to KOBJ_MOVE,
+			// however this action combines driver-specific and change-specific
+			// environment variables and combines them with environment
+			// variables meant to convey state of the kobject, and it is not
+			// possible to reliably separate them, so this fallback avoids the
+			// race at the cost of including some garbage in tracked state
+			o = e.makeColdboot()
+			o.merge(e.Env)
+			s.uevent[e.DevPath] = o
+			s.dispatchIter(o, act)
+			return
+		}
+		o.update(e.Env, true)
+		if s.handleChange != nil {
+			s.handleChange(o, e.Env)
+		}
+		s.dispatchIter(o, act)
+		return
+
+	case uevent.KOBJ_MOVE:
+		var o *Object
+		if old, ok := e.Env["DEVPATH_OLD"]; !ok {
+			s.reportErr(e.NewError(EMalformedMove, nil))
+			// not reached
+			o = e.makeColdboot()
+		} else if o, ok = s.uevent[old]; !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			// this generally happens during coldboot, dropping the event here
+			// may cause inconsistent state if the coldboot event for this
+			// object was generated before the bind event
+			delete(e.Env, "DEVPATH_OLD")
+			o = e.makeColdboot()
+		} else {
+			delete(s.uevent, old)
+			delete(e.Env, "DEVPATH_OLD")
+		}
+		o.merge(e.Env)
+		s.uevent[e.DevPath] = o
+		o.DevPath = e.DevPath
+		s.dispatchIter(o, act)
+		return
+
+	case uevent.KOBJ_ONLINE:
+		o, ok := s.uevent[e.DevPath]
+		if !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			// coldboot race window similar to an unexpected KOBJ_MOVE
+			o = e.makeColdboot()
+			s.uevent[e.DevPath] = o
+			o.merge(e.Env)
+		}
+		if !o.Offline {
+			s.reportErr(e.NewError(EUnexpectedOffline, o))
+		}
+		o.Offline = false
+		s.dispatchIter(o, act)
+		return
+
+	case uevent.KOBJ_OFFLINE:
+		o, ok := s.uevent[e.DevPath]
+		if !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			// coldboot race window similar to an unexpected KOBJ_MOVE
+			o = e.makeColdboot()
+			s.uevent[e.DevPath] = o
+			o.merge(e.Env)
+		}
+		if o.Offline {
+			s.reportErr(e.NewError(EUnexpectedOffline, o))
+		}
+		o.Offline = true
+		s.dispatchIter(o, act)
+		return
+
+	case uevent.KOBJ_BIND:
+		o, ok := s.uevent[e.DevPath]
+		if !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			// coldboot race window similar to an unexpected KOBJ_MOVE
+			o = e.makeColdboot()
+			s.uevent[e.DevPath] = o
+		}
+		if o.State != StateColdboot && o.State != StateNew {
+			s.reportErr(e.NewError(EBindState, o))
+		}
+		o.State = StateBound
+		o.merge(e.Env)
+		s.dispatchIter(o, act)
+		return
+
+	case uevent.KOBJ_UNBIND:
+		o, ok := s.uevent[e.DevPath]
+		if !ok {
+			s.reportErr(e.NewError(EBadTarget, nil))
+			// coldboot race window similar to an unexpected KOBJ_MOVE, but does
+			// not result in inconsistent state if dropped
+			return
+		}
+		if o.State != StateBound {
+			s.reportErr(e.NewError(EUnbindState, o))
+		}
+		o.State = StateNew
+		o.Driver = ""
+		s.dispatchIter(o, act)
+		return
+
+	default: // not reached
+		s.reportErr(fmt.Errorf("invalid action %d", e.Action))
+		return
+	}
+}
+
+// BadSequenceError is reported for an unexpected SEQNUM.
+type BadSequenceError struct{ Got, Want uint64 }
+
+func (e BadSequenceError) Error() string {
+	return "SEQNUM=" + strconv.FormatUint(e.Got, 10) +
+		", want " + strconv.FormatUint(e.Want, 10)
+}
+
+// Consume receives uevent messages and updates s to reflect state of kernel.
+func (s *State) Consume(ctx context.Context, events <-chan *uevent.Message) {
+	if s.uevent == nil {
+		s.uevent = make(map[string]*Object)
+	}
+	if s.reportErr == nil {
+		s.reportErr = func(error) {}
+	}
+
+	var e Event
+	for {
+		select {
+		case <-ctx.Done():
+			return
+
+		case m, ok := <-events:
+			if !ok {
+				return
+			}
+			e.Populate(s.reportErr, m)
+
+			// skip external synthetic event
+			if e.Synth != nil && *e.Synth != s.coldboot {
+				continue
+			}
+
+			if s.seq == 0 {
+				s.seq = e.Sequence
+			}
+			if s.seq != e.Sequence {
+				s.reportErr(BadSequenceError{e.Sequence, s.seq})
+			}
+			s.seq++
+			s.processEvent(&e)
+		}
+	}
+}