release: 0.4.0

Signed-off-by: Ophestra <cat@gensokyo.uk>

check/absolute.go

@@ -2,7 +2,7 @@
 package check
 
 import (
-	"encoding/json"
+	"encoding"
 	"errors"
 	"fmt"
 	"path/filepath"
@@ -30,6 +30,16 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }
 
+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
@@ -84,13 +94,16 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [filepath.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }
 
-// GobEncode returns the checked pathname.
-func (a *Absolute) GobEncode() ([]byte, error) {
-	return []byte(a.String()), nil
+// AppendText appends the checked pathname.
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+	return append(data, a.String()...), nil
 }
 
-// GobDecode stores data if it represents an absolute pathname.
-func (a *Absolute) GobDecode(data []byte) error {
+// MarshalText returns the checked pathname.
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
 	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
@@ -99,23 +112,9 @@ func (a *Absolute) GobDecode(data []byte) error {
 	return nil
 }
 
-// MarshalJSON returns a JSON representation of the checked pathname.
-func (a *Absolute) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.String())
-}
-
-// UnmarshalJSON stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalJSON(data []byte) error {
-	var pathname string
-	if err := json.Unmarshal(data, &pathname); err != nil {
-		return err
-	}
-	if !filepath.IsAbs(pathname) {
-		return AbsoluteError(pathname)
-	}
-	a.pathname = unique.Make(pathname)
-	return nil
-}
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {

check/absolute_test.go

@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {
 
 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 
@@ -347,15 +347,6 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
-
-	t.Run("json passthrough", func(t *testing.T) {
-		t.Parallel()
-
-		wantErr := "invalid character ':' looking for beginning of value"
-		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
-			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
-		}
-	})
 }
 
 func TestAbsoluteWrap(t *testing.T) {

cmd/hakurei/command.go

@@ -38,8 +38,9 @@ var errSuccess = errors.New("success")
 
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -57,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
 
 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -75,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}
 
-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -145,7 +152,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			var et hst.Enablement
+			var et hst.Enablements
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -163,7 +170,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: hst.NewEnablements(et),
+				Enablements: &et,
 
 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -282,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			outcome.Main(ctx, msg, &config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),

cmd/hakurei/command_test.go

@@ -20,7 +20,7 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
 
 Commands:
     run         Load and start container from configuration file

cmd/hakurei/print.go

@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")

cmd/hakurei/print_test.go

@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Enablements: new(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),

container/container.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )
 
@@ -307,7 +308,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := SetNoNewPrivs(); err != nil {
+			if err := setNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -317,12 +318,14 @@ func (p *Container) Start() error {
 
 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				rulesetAttr := &landlock.RulesetAttr{
+					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
+				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}
 
-				if abi, err := LandlockGetABI(); err != nil {
+				if abi, err := landlock.GetABI(); err != nil {
 					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
 						// to resources already covered by namespaces (pid, net)
@@ -351,7 +354,7 @@ func (p *Container) Start() error {
 					}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
-					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,

container/container_test.go

@@ -26,6 +26,7 @@ import (
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
@@ -456,7 +457,7 @@ func TestContainer(t *testing.T) {
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
 			if info.CanDegrade {
-				if _, err := container.LandlockGetABI(); err != nil {
+				if _, err := landlock.GetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
 					}

container/dispatcher.go

@@ -148,7 +148,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }
 
 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }
 
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }

container/landlock_test.go

@@ -1,65 +0,0 @@
-package container_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/container"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *container.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(container.RulesetAttr), "0"},
-		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &container.RulesetAttr{
-			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &container.RulesetAttr{
-			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
-				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				container.LANDLOCK_ACCESS_FS_MAKE_REG |
-				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				container.LANDLOCK_ACCESS_FS_REFER |
-				container.LANDLOCK_ACCESS_FS_TRUNCATE |
-				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
-				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}

container/syscall.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )
 
-// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
+// setNoNewPrivs sets the calling thread's no_new_privs attribute.
+func setNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }
 

hst/config.go

@@ -140,21 +140,29 @@ var (
 	ErrInsecure = errors.New("configuration is insecure")
 )
 
+const (
+	// VAllowInsecure allows use of compatibility options considered insecure
+	// under any configuration, to work around ecosystem-wide flaws.
+	VAllowInsecure = 1 << iota
+)
+
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
-func (config *Config) Validate() error {
+func (config *Config) Validate(flags int) error {
+	const step = "validate configuration"
+
 	if config == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "invalid configuration"}
 	}
 
 	// this is checked again in hsu
 	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
-		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
+		return &AppError{Step: step, Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}
 
 	if config.SchedPolicy < 0 || config.SchedPolicy > ext.SCHED_LAST {
-		return &AppError{Step: "validate configuration", Err: ErrSchedPolicyBounds,
+		return &AppError{Step: step, Err: ErrSchedPolicyBounds,
 			Msg: "scheduling policy " +
 				strconv.Itoa(int(config.SchedPolicy)) +
 				" out of range"}
@@ -168,34 +176,51 @@ func (config *Config) Validate() error {
 	}
 
 	if config.Container == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "configuration missing container state"}
 	}
 	if config.Container.Home == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}
 	}
 	if config.Container.Shell == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to shell"}
 	}
 	if config.Container.Path == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}
 	}
 
 	for key := range config.Container.Env {
 		if strings.IndexByte(key, '=') != -1 || strings.IndexByte(key, 0) != -1 {
-			return &AppError{Step: "validate configuration", Err: ErrEnviron,
+			return &AppError{Step: step, Err: ErrEnviron,
 				Msg: "invalid environment variable " + strconv.Quote(key)}
 		}
 	}
 
-	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
-		return &AppError{Step: "validate configuration", Err: ErrInsecure,
+	et := config.Enablements.Unwrap()
+	if !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: step, Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 
+	if flags&VAllowInsecure == 0 {
+		switch {
+		case et&EWayland != 0 && config.DirectWayland:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_wayland is insecure and no longer supported"}
+
+		case et&EPipeWire != 0 && config.DirectPipeWire:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pipewire is insecure and no longer supported"}
+
+		case et&EPulse != 0 && config.DirectPulse:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pulse is insecure and no longer supported"}
+		}
+	}
+
 	return nil
 }
 

hst/config_test.go

@@ -14,65 +14,109 @@ func TestConfigValidate(t *testing.T) {
 	testCases := []struct {
 		name    string
 		config  *hst.Config
+		flags   int
 		wantErr error
 	}{
-		{"nil", nil, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"nil", nil, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
-		{"identity lower", &hst.Config{Identity: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+
+		{"identity lower", &hst.Config{Identity: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity -1 out of range"}},
-		{"identity upper", &hst.Config{Identity: 10000}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity upper", &hst.Config{Identity: 10000}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity 10000 out of range"}},
-		{"sched lower", &hst.Config{SchedPolicy: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+
+		{"sched lower", &hst.Config{SchedPolicy: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy -1 out of range"}},
-		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy 51966 out of range"}},
-		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}},
+
+		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "session"}},
-		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}},
+		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "system"}},
-		{"container", &hst.Config{}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+
+		{"container", &hst.Config{}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "configuration missing container state"}},
-		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}},
 		{"shell", &hst.Config{Container: &hst.ContainerConfig{
 			Home: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to shell"}},
 		{"path", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}},
+
 		{"env equals", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM=": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM="`}},
 		{"env NUL", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM\x00": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
-		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
+
+		{"insecure pulse", &hst.Config{Enablements: new(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
+
+		{"direct wayland", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_wayland is insecure and no longer supported"}},
+		{"direct wayland allow", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pipewire", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pipewire is insecure and no longer supported"}},
+		{"direct pipewire allow", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pulse", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pulse is insecure and no longer supported"}},
+		{"direct pulse allow", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, nil},
+		}}, 0, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if err := tc.config.Validate(); !reflect.DeepEqual(err, tc.wantErr) {
+			if err := tc.config.Validate(tc.flags); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("Validate: error = %#v, want %#v", err, tc.wantErr)
 			}
 		})

hst/enablement.go

@@ -7,12 +7,12 @@ import (
 	"syscall"
 )
 
-// Enablement represents an optional host service to export to the target user.
-type Enablement byte
+// Enablements denotes optional host service to export to the target user.
+type Enablements byte
 
 const (
 	// EWayland exposes a Wayland pathname socket via security-context-v1.
-	EWayland Enablement = 1 << iota
+	EWayland Enablements = 1 << iota
 	// EX11 adds the target user via X11 ChangeHosts and exposes the X11
 	// pathname socket.
 	EX11
@@ -28,8 +28,8 @@ const (
 	EM
 )
 
-// String returns a string representation of the flags set on [Enablement].
-func (e Enablement) String() string {
+// String returns a string representation of the flags set on [Enablements].
+func (e Enablements) String() string {
 	switch e {
 	case 0:
 		return "(no enablements)"
@@ -47,7 +47,7 @@ func (e Enablement) String() string {
 		buf := new(strings.Builder)
 		buf.Grow(32)
 
-		for i := Enablement(1); i < EM; i <<= 1 {
+		for i := Enablements(1); i < EM; i <<= 1 {
 			if e&i != 0 {
 				buf.WriteString(", " + i.String())
 			}
@@ -60,12 +60,6 @@ func (e Enablement) String() string {
 	}
 }
 
-// NewEnablements returns the address of [Enablement] as [Enablements].
-func NewEnablements(e Enablement) *Enablements { return (*Enablements)(&e) }
-
-// Enablements is the [json] adapter for [Enablement].
-type Enablements Enablement
-
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
 	Wayland  bool `json:"wayland,omitempty"`
@@ -75,24 +69,21 @@ type enablementsJSON = struct {
 	Pulse    bool `json:"pulse,omitempty"`
 }
 
-// Unwrap returns the underlying [Enablement].
-func (e *Enablements) Unwrap() Enablement {
+// Unwrap returns the value pointed to by e.
+func (e *Enablements) Unwrap() Enablements {
 	if e == nil {
 		return 0
 	}
-	return Enablement(*e)
+	return *e
 }
 
-func (e *Enablements) MarshalJSON() ([]byte, error) {
-	if e == nil {
-		return nil, syscall.EINVAL
-	}
+func (e Enablements) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&enablementsJSON{
-		Wayland:  Enablement(*e)&EWayland != 0,
-		X11:      Enablement(*e)&EX11 != 0,
-		DBus:     Enablement(*e)&EDBus != 0,
-		PipeWire: Enablement(*e)&EPipeWire != 0,
-		Pulse:    Enablement(*e)&EPulse != 0,
+		Wayland:  e&EWayland != 0,
+		X11:      e&EX11 != 0,
+		DBus:     e&EDBus != 0,
+		PipeWire: e&EPipeWire != 0,
+		Pulse:    e&EPulse != 0,
 	})
 }
 
@@ -106,22 +97,21 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	var ve Enablement
+	*e = 0
 	if v.Wayland {
-		ve |= EWayland
+		*e |= EWayland
 	}
 	if v.X11 {
-		ve |= EX11
+		*e |= EX11
 	}
 	if v.DBus {
-		ve |= EDBus
+		*e |= EDBus
 	}
 	if v.PipeWire {
-		ve |= EPipeWire
+		*e |= EPipeWire
 	}
 	if v.Pulse {
-		ve |= EPulse
+		*e |= EPulse
 	}
-	*e = Enablements(ve)
 	return nil
 }

hst/enablement_test.go

@@ -13,7 +13,7 @@ func TestEnablementString(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
-		flags hst.Enablement
+		flags hst.Enablements
 		want  string
 	}{
 		{0, "(no enablements)"},
@@ -59,13 +59,13 @@ func TestEnablements(t *testing.T) {
 		sData string
 	}{
 		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
-		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
-		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
-		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
-		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
-		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
-		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
+		{"zero", new(hst.Enablements(0)), `{}`, `{"value":{},"magic":3236757504}`},
+		{"wayland", new(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"x11", new(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"dbus", new(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"pipewire", new(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
+		{"pulse", new(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"all", new(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
@@ -137,7 +137,7 @@ func TestEnablements(t *testing.T) {
 		})
 
 		t.Run("val", func(t *testing.T) {
-			if got := hst.NewEnablements(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
+			if got := new(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
 				t.Errorf("Unwrap: %v", got)
 			}
 		})
@@ -146,9 +146,6 @@ func TestEnablements(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()
 
-		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
-			t.Errorf("MarshalJSON: error = %v", err)
-		}
 		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("UnmarshalJSON: error = %v", err)
 		}

hst/hst.go

@@ -72,7 +72,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
+		Enablements: new(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,

internal/landlock/landlock.go

@@ -1,4 +1,4 @@
-package container
+package landlock
 
 import (
 	"strings"
@@ -14,11 +14,11 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )
 
-// LandlockAccessFS is bitmask of handled filesystem actions.
-type LandlockAccessFS uint64
+// AccessFS is bitmask of handled filesystem actions.
+type AccessFS uint64
 
 const (
-	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
+	LANDLOCK_ACCESS_FS_EXECUTE AccessFS = 1 << iota
 	LANDLOCK_ACCESS_FS_WRITE_FILE
 	LANDLOCK_ACCESS_FS_READ_FILE
 	LANDLOCK_ACCESS_FS_READ_DIR
@@ -38,8 +38,8 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )
 
-// String returns a space-separated string of [LandlockAccessFS] flags.
-func (f LandlockAccessFS) String() string {
+// String returns a space-separated string of [AccessFS] flags.
+func (f AccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
 		return "execute"
@@ -90,8 +90,8 @@ func (f LandlockAccessFS) String() string {
 		return "fs_ioctl_dev"
 
 	default:
-		var c []LandlockAccessFS
-		for i := LandlockAccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
+		var c []AccessFS
+		for i := AccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -107,18 +107,18 @@ func (f LandlockAccessFS) String() string {
 	}
 }
 
-// LandlockAccessNet is bitmask of handled network actions.
-type LandlockAccessNet uint64
+// AccessNet is bitmask of handled network actions.
+type AccessNet uint64
 
 const (
-	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
+	LANDLOCK_ACCESS_NET_BIND_TCP AccessNet = 1 << iota
 	LANDLOCK_ACCESS_NET_CONNECT_TCP
 
 	_LANDLOCK_ACCESS_NET_DELIM
 )
 
-// String returns a space-separated string of [LandlockAccessNet] flags.
-func (f LandlockAccessNet) String() string {
+// String returns a space-separated string of [AccessNet] flags.
+func (f AccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
 		return "bind_tcp"
@@ -127,8 +127,8 @@ func (f LandlockAccessNet) String() string {
 		return "connect_tcp"
 
 	default:
-		var c []LandlockAccessNet
-		for i := LandlockAccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
+		var c []AccessNet
+		for i := AccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -144,18 +144,18 @@ func (f LandlockAccessNet) String() string {
 	}
 }
 
-// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
-type LandlockScope uint64
+// Scope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+type Scope uint64
 
 const (
-	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET Scope = 1 << iota
 	LANDLOCK_SCOPE_SIGNAL
 
 	_LANDLOCK_SCOPE_DELIM
 )
 
-// String returns a space-separated string of [LandlockScope] flags.
-func (f LandlockScope) String() string {
+// String returns a space-separated string of [Scope] flags.
+func (f Scope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
 		return "abstract_unix_socket"
@@ -164,8 +164,8 @@ func (f LandlockScope) String() string {
 		return "signal"
 
 	default:
-		var c []LandlockScope
-		for i := LandlockScope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
+		var c []Scope
+		for i := Scope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -184,12 +184,12 @@ func (f LandlockScope) String() string {
 // RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
-	HandledAccessFS LandlockAccessFS
+	HandledAccessFS AccessFS
 	// Bitmask of handled network actions.
-	HandledAccessNet LandlockAccessNet
+	HandledAccessNet AccessNet
 	// Bitmask of scopes restricting a Landlock domain from accessing outside
 	// resources (e.g. IPCs).
-	Scoped LandlockScope
+	Scoped Scope
 }
 
 // String returns a user-facing description of [RulesetAttr].
@@ -239,13 +239,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }
 
-// LandlockGetABI returns the ABI version supported by the kernel.
-func LandlockGetABI() (int, error) {
+// GetABI returns the ABI version supported by the kernel.
+func GetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }
 
-// LandlockRestrictSelf applies a loaded ruleset to the calling thread.
-func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
+// RestrictSelf applies a loaded ruleset to the calling thread.
+func RestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
 		ext.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),

internal/landlock/landlock_test.go

@@ -0,0 +1,65 @@
+package landlock_test
+
+import (
+	"testing"
+	"unsafe"
+
+	"hakurei.app/internal/landlock"
+)
+
+func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		rulesetAttr *landlock.RulesetAttr
+		want        string
+	}{
+		{"nil", nil, "NULL"},
+		{"zero", new(landlock.RulesetAttr), "0"},
+		{"some", &landlock.RulesetAttr{Scoped: landlock.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
+		{"set", &landlock.RulesetAttr{
+			HandledAccessFS:  landlock.LANDLOCK_ACCESS_FS_MAKE_SYM | landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV | landlock.LANDLOCK_ACCESS_FS_WRITE_FILE,
+			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP,
+			Scoped:           landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | landlock.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
+		{"all", &landlock.RulesetAttr{
+			HandledAccessFS: landlock.LANDLOCK_ACCESS_FS_EXECUTE |
+				landlock.LANDLOCK_ACCESS_FS_WRITE_FILE |
+				landlock.LANDLOCK_ACCESS_FS_READ_FILE |
+				landlock.LANDLOCK_ACCESS_FS_READ_DIR |
+				landlock.LANDLOCK_ACCESS_FS_REMOVE_DIR |
+				landlock.LANDLOCK_ACCESS_FS_REMOVE_FILE |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_CHAR |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_DIR |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_REG |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_SOCK |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_FIFO |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_SYM |
+				landlock.LANDLOCK_ACCESS_FS_REFER |
+				landlock.LANDLOCK_ACCESS_FS_TRUNCATE |
+				landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV,
+			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP |
+				landlock.LANDLOCK_ACCESS_NET_CONNECT_TCP,
+			Scoped: landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+				landlock.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := tc.rulesetAttr.String(); got != tc.want {
+				t.Errorf("String: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
+	want := 24
+	if got := unsafe.Sizeof(landlock.RulesetAttr{}); got != uintptr(want) {
+		t.Errorf("Sizeof: %d, want %d", got, want)
+	}
+}

internal/outcome/finalise.go

@@ -32,7 +32,14 @@ type outcome struct {
 	syscallDispatcher
 }
 
-func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, config *hst.Config) error {
+// finalise prepares an outcome for main.
+func (k *outcome) finalise(
+	ctx context.Context,
+	msg message.Msg,
+	id *hst.ID,
+	config *hst.Config,
+	flags int,
+) error {
 	if ctx == nil || id == nil {
 		// unreachable
 		panic("invalid call to finalise")
@@ -43,7 +50,7 @@ func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, con
 	}
 	k.ctx = ctx
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(flags); err != nil {
 		return err
 	}
 

internal/outcome/outcome.go

@@ -194,7 +194,7 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
 	appId string
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
-	et hst.Enablement
+	et hst.Enablements
 
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool

internal/outcome/process.go

@@ -297,12 +297,12 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 					// accumulate enablements of remaining instances
 					var (
 						// alive enablement bits
-						rt hst.Enablement
+						rt hst.Enablements
 						// alive instance count
 						n int
 					)
 					for eh := range entries {
-						var et hst.Enablement
+						var et hst.Enablements
 						if et, err = eh.Load(nil); err != nil {
 							perror(err, "read state header of instance "+eh.ID.String())
 						} else {

internal/outcome/run.go

@@ -18,7 +18,13 @@ import (
 func IsPollDescriptor(fd uintptr) bool
 
 // Main runs an app according to [hst.Config] and terminates. Main does not return.
-func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
+func Main(
+	ctx context.Context,
+	msg message.Msg,
+	config *hst.Config,
+	flags int,
+	fd int,
+) {
 	// avoids runtime internals or standard streams
 	if fd >= 0 {
 		if IsPollDescriptor(uintptr(fd)) || fd < 3 {
@@ -34,7 +40,7 @@ func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
 	k := outcome{syscallDispatcher: direct{msg}}
 
 	finaliseTime := time.Now()
-	if err := k.finalise(ctx, msg, &id, config); err != nil {
+	if err := k.finalise(ctx, msg, &id, config, flags); err != nil {
 		printMessageError(msg.GetLogger().Fatalln, "cannot seal app:", err)
 		panic("unreachable")
 	}

internal/outcome/run_test.go

@@ -288,7 +288,7 @@ func TestOutcomeRun(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 
 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -427,7 +427,7 @@ func TestOutcomeRun(t *testing.T) {
 			DirectPipeWire: true,
 
 			ID:          "org.chromium.Chromium",
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{

internal/outcome/sppulse_test.go

@@ -21,7 +21,7 @@ func TestSpPulseOp(t *testing.T) {
 	newConfig := func() *hst.Config {
 		config := hst.Template()
 		config.DirectPulse = true
-		config.Enablements = hst.NewEnablements(hst.EPulse)
+		config.Enablements = new(hst.EPulse)
 		return config
 	}
 

internal/pkg/pkg_test.go

@@ -25,6 +25,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/fhs"
 	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/stub"
 	"hakurei.app/message"
@@ -293,7 +294,7 @@ func checkWithCache(t *testing.T, testCases []cacheTestCase) {
 			flags := tc.flags
 
 			if info.CanDegrade {
-				if _, err := container.LandlockGetABI(); err != nil {
+				if _, err := landlock.GetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
 					}

internal/rosa/go.go

@@ -141,8 +141,8 @@ rm \
 	)
 
 	const (
-		version  = "1.26.1"
-		checksum = "DdC5Ea-aCYPUHNObQh_09uWU0vn4e-8Ben850Vq-5OoamDRrXhuYI4YQ_BOFgaT0"
+		version  = "1.26.2"
+		checksum = "v-6BE89_1g3xYf-9oIYpJKFXlo3xKHYJj2_VGkaUq8ZVkIVQmLwrto-xGG03OISH"
 	)
 	return t.newGo(
 		version,

internal/rosa/libcap.go

@@ -4,8 +4,8 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newLibcap() (pkg.Artifact, string) {
 	const (
-		version  = "2.77"
-		checksum = "2GOTFU4cl2QoS7Dv5wh0c9-hxsQwIzMB9Y_gfAo5xKHqcM13fiHt1RbPkfemzjmB"
+		version  = "2.78"
+		checksum = "wFdUkBhFMD9InPnrBZyegWrlPSAg_9JiTBC-eSFyWWlmbzL2qjh2mKxr9Kx2a8ut"
 	)
 	return t.NewPackage("libcap", version, pkg.NewHTTPGetTar(
 		nil, "https://git.kernel.org/pub/scm/libs/libcap/libcap.git/"+

internal/rosa/llvm.go

@@ -13,8 +13,8 @@ import (
 // llvmAttr holds the attributes that will be applied to a new [pkg.Artifact]
 // containing a LLVM variant.
 type llvmAttr struct {
-	// Passed through to PackageAttr.Flag.
-	flags int
+	// Enabled projects and runtimes.
+	pr int
 
 	// Concatenated with default environment for PackageAttr.Env.
 	env []string
@@ -24,8 +24,6 @@ type llvmAttr struct {
 	append []string
 	// Passed through to PackageAttr.NonStage0.
 	nonStage0 []pkg.Artifact
-	// Passed through to PackageAttr.Paths.
-	paths []pkg.ExecPath
 	// Concatenated with default fixup for CMakeHelper.Script.
 	script string
 
@@ -75,19 +73,18 @@ func llvmFlagName(flag int) string {
 
 // newLLVMVariant returns a [pkg.Artifact] containing a LLVM variant.
 func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
-
 	if attr == nil {
 		panic("LLVM attr must be non-nil")
 	}
 
 	var projects, runtimes []string
 	for i := 1; i < llvmProjectAll; i <<= 1 {
-		if attr.flags&i != 0 {
+		if attr.pr&i != 0 {
 			projects = append(projects, llvmFlagName(i))
 		}
 	}
 	for i := (llvmProjectAll + 1) << 1; i < llvmRuntimeAll; i <<= 1 {
-		if attr.flags&i != 0 {
+		if attr.pr&i != 0 {
 			runtimes = append(runtimes, llvmFlagName(i))
 		}
 	}
@@ -126,7 +123,7 @@ func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
 		}...)
 	}
 
-	if attr.flags&llvmProjectClang != 0 {
+	if attr.pr&llvmProjectClang != 0 {
 		cache = append(cache, []KV{
 			{"CLANG_DEFAULT_LINKER", "lld"},
 			{"CLANG_DEFAULT_CXX_STDLIB", "libc++"},
@@ -134,30 +131,30 @@ func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
 			{"CLANG_DEFAULT_UNWINDLIB", "libunwind"},
 		}...)
 	}
-	if attr.flags&llvmProjectLld != 0 {
+	if attr.pr&llvmProjectLld != 0 {
 		script += `
 ln -s ld.lld /work/system/bin/ld
 `
 	}
-	if attr.flags&llvmRuntimeCompilerRT != 0 {
+	if attr.pr&llvmRuntimeCompilerRT != 0 {
 		if attr.append == nil {
 			cache = append(cache, []KV{
 				{"COMPILER_RT_USE_LLVM_UNWINDER", "ON"},
 			}...)
 		}
 	}
-	if attr.flags&llvmRuntimeLibunwind != 0 {
+	if attr.pr&llvmRuntimeLibunwind != 0 {
 		cache = append(cache, []KV{
 			{"LIBUNWIND_USE_COMPILER_RT", "ON"},
 		}...)
 	}
-	if attr.flags&llvmRuntimeLibcxx != 0 {
+	if attr.pr&llvmRuntimeLibcxx != 0 {
 		cache = append(cache, []KV{
 			{"LIBCXX_HAS_MUSL_LIBC", "ON"},
 			{"LIBCXX_USE_COMPILER_RT", "ON"},
 		}...)
 	}
-	if attr.flags&llvmRuntimeLibcxxABI != 0 {
+	if attr.pr&llvmRuntimeLibcxxABI != 0 {
 		cache = append(cache, []KV{
 			{"LIBCXXABI_USE_COMPILER_RT", "ON"},
 			{"LIBCXXABI_USE_LLVM_UNWINDER", "ON"},
@@ -170,7 +167,22 @@ ln -s ld.lld /work/system/bin/ld
 		mustDecode(llvmChecksum),
 		pkg.TarGzip,
 	), &PackageAttr{
-		Patches:   attr.patches,
+		Patches: slices.Concat(attr.patches, []KV{
+			{"increase-stack-size-unconditional", `diff --git a/llvm/lib/Support/Threading.cpp b/llvm/lib/Support/Threading.cpp
+index 9da357a7ebb9..b2931510c1ae 100644
+--- a/llvm/lib/Support/Threading.cpp
++++ b/llvm/lib/Support/Threading.cpp
+@@ -80,7 +80,7 @@ unsigned llvm::ThreadPoolStrategy::compute_thread_count() const {
+ // keyword.
+ #include "llvm/Support/thread.h"
+ 
+-#if defined(__APPLE__)
++#if defined(__APPLE__) || 1
+   // Darwin's default stack size for threads except the main one is only 512KB,
+   // which is not enough for some/many normal LLVM compilations. This implements
+   // the same interface as std::thread but requests the same stack size as the
+`},
+		}),
 		NonStage0: attr.nonStage0,
 
 		Env: slices.Concat([]string{
@@ -178,8 +190,7 @@ ln -s ld.lld /work/system/bin/ld
 			"ROSA_LLVM_RUNTIMES=" + strings.Join(runtimes, ";"),
 		}, attr.env),
 
-		Paths: attr.paths,
-		Flag:  TExclusive,
+		Flag: TExclusive,
 	}, &CMakeHelper{
 		Variant: variant,
 
@@ -201,17 +212,19 @@ ln -s ld.lld /work/system/bin/ld
 
 // newLLVM returns LLVM toolchain across multiple [pkg.Artifact].
 func (t Toolchain) newLLVM() (musl, compilerRT, runtimes, clang pkg.Artifact) {
-	var target string
-	switch runtime.GOARCH {
-	case "386", "amd64":
-		target = "X86"
-	case "arm64":
-		target = "AArch64"
-	case "riscv64":
-		target = "RISCV"
+	target := "'AArch64;RISCV;X86'"
+	if t.isStage0() {
+		switch runtime.GOARCH {
+		case "386", "amd64":
+			target = "X86"
+		case "arm64":
+			target = "AArch64"
+		case "riscv64":
+			target = "RISCV"
 
-	default:
-		panic("unsupported target " + runtime.GOARCH)
+		default:
+			panic("unsupported target " + runtime.GOARCH)
+		}
 	}
 
 	minimalDeps := []KV{
@@ -233,7 +246,7 @@ func (t Toolchain) newLLVM() (musl, compilerRT, runtimes, clang pkg.Artifact) {
 			{"CMAKE_CXX_COMPILER_TARGET", ""},
 
 			{"COMPILER_RT_BUILD_BUILTINS", "ON"},
-			{"COMPILER_RT_DEFAULT_TARGET_ONLY", "ON"},
+			{"COMPILER_RT_DEFAULT_TARGET_ONLY", "OFF"},
 			{"COMPILER_RT_SANITIZERS_TO_BUILD", "asan"},
 			{"LLVM_ENABLE_PER_TARGET_RUNTIME_DIR", "ON"},
 
@@ -277,7 +290,7 @@ ln -s \
 		env: stage0ExclConcat(t, []string{},
 			"LDFLAGS="+earlyLDFLAGS(false),
 		),
-		flags: llvmRuntimeLibunwind | llvmRuntimeLibcxx | llvmRuntimeLibcxxABI,
+		pr: llvmRuntimeLibunwind | llvmRuntimeLibcxx | llvmRuntimeLibcxxABI,
 		cmake: slices.Concat([]KV{
 			// libc++ not yet available
 			{"CMAKE_CXX_COMPILER_WORKS", "ON"},
@@ -293,7 +306,7 @@ ln -s \
 	})
 
 	clang = t.newLLVMVariant("clang", &llvmAttr{
-		flags: llvmProjectClang | llvmProjectLld,
+		pr: llvmProjectClang | llvmProjectLld,
 		env: stage0ExclConcat(t, []string{},
 			"CFLAGS="+earlyCFLAGS,
 			"CXXFLAGS="+earlyCXXFLAGS(),
@@ -316,7 +329,7 @@ ln -s clang++ /work/system/bin/c++
 ninja check-all
 `,
 
-		patches: slices.Concat([]KV{
+		patches: []KV{
 			{"add-rosa-vendor", `diff --git a/llvm/include/llvm/TargetParser/Triple.h b/llvm/include/llvm/TargetParser/Triple.h
 index 9c83abeeb3b1..5acfe5836a23 100644
 --- a/llvm/include/llvm/TargetParser/Triple.h
@@ -488,7 +501,7 @@ index 64324a3f8b01..15ce70b68217 100644
                                     "/System/Library/Frameworks"};
  
 `},
-		}, clangPatches),
+		},
 	})
 
 	return

internal/rosa/llvm_amd64.go

@@ -1,4 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches []KV

internal/rosa/llvm_arm64.go

@@ -1,12 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches []KV
-
-// one version behind, latest fails 5 tests with 2 flaky on arm64
-const (
-	llvmVersionMajor = "21"
-	llvmVersion      = llvmVersionMajor + ".1.8"
-
-	llvmChecksum = "8SUpqDkcgwOPsqHVtmf9kXfFeVmjVxl4LMn-qSE1AI_Xoeju-9HaoPNGtidyxyka"
-)

internal/rosa/llvm_latest.go

@@ -1,11 +1,9 @@
-//go:build !arm64
-
 package rosa
 
 // latest version of LLVM, conditional to temporarily avoid broken new releases
 const (
 	llvmVersionMajor = "22"
-	llvmVersion      = llvmVersionMajor + ".1.2"
+	llvmVersion      = llvmVersionMajor + ".1.3"
 
-	llvmChecksum = "FwsmurWDVyYYQlOowowFjekwIGSB5__aKTpW_VGP3eWoZGXvBny-bOn1DuQ1U5xE"
+	llvmChecksum = "CUwnpzua_y28HZ9oI0NmcKL2wClsSjFpgY9do5-7cCZJHI5KNF64vfwGvY0TYyR3"
 )

internal/rosa/llvm_riscv64.go

@@ -1,4 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches []KV

internal/rosa/openssl.go

@@ -4,8 +4,8 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newOpenSSL() (pkg.Artifact, string) {
 	const (
-		version  = "3.6.1"
-		checksum = "boMAj2SIVIFXHswZva3qHJuFEpc32rxCCu07wjMPsVe9nn_976BGMmW_5P1zthgg"
+		version  = "3.6.2"
+		checksum = "jH004dXTiE01Hp0kyShkWXwrSHEksZi4i_3v47D9H9Uz9LQ1aMwF7mrl2Tb4t_XA"
 	)
 	return t.NewPackage("openssl", version, pkg.NewHTTPGetTar(
 		nil, "https://github.com/openssl/openssl/releases/download/"+

internal/rosa/python.go

@@ -9,8 +9,8 @@ import (
 
 func (t Toolchain) newPython() (pkg.Artifact, string) {
 	const (
-		version  = "3.14.3"
-		checksum = "ajEC32WPmn9Jvll0n4gGvlTvhMPUHb2H_j5_h9jf_esHmkZBRfAumDcKY7nTTsCH"
+		version  = "3.14.4"
+		checksum = "X0VRAAGOlCVldh4J9tRAE-YrJtDvqfQTJaqxKPXNX6YTPlwpR9GwA5WRIZDO-63s"
 	)
 	return t.NewPackage("python", version, pkg.NewHTTPGetTar(
 		nil, "https://www.python.org/ftp/python/"+version+

internal/rosa/tamago.go

@@ -8,8 +8,8 @@ import (
 
 func (t Toolchain) newTamaGo() (pkg.Artifact, string) {
 	const (
-		version  = "1.26.1"
-		checksum = "fimZnklQcYWGsTQU8KepLn-yCYaTfNdMI9DCg6NJVQv-3gOJnUEO9mqRCMAHnEXZ"
+		version  = "1.26.2"
+		checksum = "5xlhWq2NGhYCjt0y73QkydJ386lxg6-HkiO84ne6ByQSJBDat7-HSVzNA6jy7Laz"
 	)
 	return t.New("tamago-go"+version, 0, t.AppendPresets(nil,
 		Bash,

internal/store/data.go

@@ -24,7 +24,7 @@ func entryEncode(w io.Writer, s *hst.State) error {
 }
 
 // entryDecodeHeader calls entryReadHeader, returning [hst.AppError] for a non-nil error.
-func entryDecodeHeader(r io.Reader) (hst.Enablement, error) {
+func entryDecodeHeader(r io.Reader) (hst.Enablements, error) {
 	if et, err := entryReadHeader(r); err != nil {
 		return 0, &hst.AppError{Step: "decode state header", Err: err}
 	} else {
@@ -32,20 +32,23 @@ func entryDecodeHeader(r io.Reader) (hst.Enablement, error) {
 	}
 }
 
-// entryDecode decodes [hst.State] from [io.Reader] and stores the result in the value pointed to by p.
-// entryDecode validates the embedded [hst.Config] value.
+// entryDecode decodes [hst.State] from [io.Reader] and stores the result in the
+// value pointed to by p. entryDecode validates the embedded [hst.Config] value.
 //
 // A non-nil error returned by entryDecode is of type [hst.AppError].
-func entryDecode(r io.Reader, p *hst.State) (hst.Enablement, error) {
+func entryDecode(r io.Reader, p *hst.State) (hst.Enablements, error) {
 	if et, err := entryDecodeHeader(r); err != nil {
 		return et, err
 	} else if err = gob.NewDecoder(r).Decode(&p); err != nil {
 		return et, &hst.AppError{Step: "decode state body", Err: err}
-	} else if err = p.Config.Validate(); err != nil {
+	} else if err = p.Config.Validate(hst.VAllowInsecure); err != nil {
 		return et, err
 	} else if p.Enablements.Unwrap() != et {
 		return et, &hst.AppError{Step: "validate state enablement", Err: os.ErrInvalid,
-			Msg: fmt.Sprintf("state entry %s has unexpected enablement byte %#x, %#x", p.ID.String(), byte(p.Enablements.Unwrap()), byte(et))}
+			Msg: fmt.Sprintf(
+				"state entry %s has unexpected enablement byte %#x, %#x",
+				p.ID.String(), byte(p.Enablements.Unwrap()), byte(et),
+			)}
 	} else {
 		return et, nil
 	}

internal/store/header.go

@@ -14,22 +14,25 @@ import (
 const (
 	// entryHeaderMagic are magic bytes at the beginning of the state entry file.
 	entryHeaderMagic = "\x00\xff\xca\xfe"
-	// entryHeaderRevision follows entryHeaderMagic and is incremented for revisions of the format.
+	// entryHeaderRevision follows entryHeaderMagic and is incremented for
+	// revisions of the format.
 	entryHeaderRevision = "\x00\x00"
-	// entryHeaderSize is the fixed size of the header in bytes, including the enablement byte and its complement.
+	// entryHeaderSize is the fixed size of the header in bytes, including the
+	// enablement byte and its complement.
 	entryHeaderSize = len(entryHeaderMagic+entryHeaderRevision) + 2
 )
 
-// entryHeaderEncode encodes a state entry header for a [hst.Enablement] byte.
-func entryHeaderEncode(et hst.Enablement) *[entryHeaderSize]byte {
+// entryHeaderEncode encodes a state entry header for a [hst.Enablements] byte.
+func entryHeaderEncode(et hst.Enablements) *[entryHeaderSize]byte {
 	data := [entryHeaderSize]byte([]byte(
-		entryHeaderMagic + entryHeaderRevision + string([]hst.Enablement{et, ^et}),
+		entryHeaderMagic + entryHeaderRevision + string([]hst.Enablements{et, ^et}),
 	))
 	return &data
 }
 
-// entryHeaderDecode validates a state entry header and returns the [hst.Enablement] byte.
-func entryHeaderDecode(data *[entryHeaderSize]byte) (hst.Enablement, error) {
+// entryHeaderDecode validates a state entry header and returns the
+// [hst.Enablements] byte.
+func entryHeaderDecode(data *[entryHeaderSize]byte) (hst.Enablements, error) {
 	if magic := data[:len(entryHeaderMagic)]; string(magic) != entryHeaderMagic {
 		return 0, errors.New("invalid header " + hex.EncodeToString(magic))
 	}
@@ -41,7 +44,7 @@ func entryHeaderDecode(data *[entryHeaderSize]byte) (hst.Enablement, error) {
 	if et != ^data[len(entryHeaderMagic+entryHeaderRevision)+1] {
 		return 0, errors.New("header enablement value is inconsistent")
 	}
-	return hst.Enablement(et), nil
+	return hst.Enablements(et), nil
 }
 
 // EntrySizeError is returned for a file too small to hold a state entry header.
@@ -68,8 +71,8 @@ func entryCheckFile(fi os.FileInfo) error {
 	return nil
 }
 
-// entryReadHeader reads [hst.Enablement] from an [io.Reader].
-func entryReadHeader(r io.Reader) (hst.Enablement, error) {
+// entryReadHeader reads [hst.Enablements] from an [io.Reader].
+func entryReadHeader(r io.Reader) (hst.Enablements, error) {
 	var data [entryHeaderSize]byte
 	if n, err := r.Read(data[:]); err != nil {
 		return 0, err
@@ -79,8 +82,8 @@ func entryReadHeader(r io.Reader) (hst.Enablement, error) {
 	return entryHeaderDecode(&data)
 }
 
-// entryWriteHeader writes [hst.Enablement] header to an [io.Writer].
-func entryWriteHeader(w io.Writer, et hst.Enablement) error {
+// entryWriteHeader writes [hst.Enablements] header to an [io.Writer].
+func entryWriteHeader(w io.Writer, et hst.Enablements) error {
 	_, err := w.Write(entryHeaderEncode(et)[:])
 	return err
 }

internal/store/header_test.go

@@ -20,7 +20,7 @@ func TestEntryHeader(t *testing.T) {
 	testCases := []struct {
 		name string
 		data [entryHeaderSize]byte
-		et   hst.Enablement
+		et   hst.Enablements
 		err  error
 	}{
 		{"complement mismatch", [entryHeaderSize]byte{0x00, 0xff, 0xca, 0xfe, 0x00, 0x00,

internal/store/segment.go

@@ -14,6 +14,7 @@ import (
 )
 
 // EntryHandle is a handle on a state entry retrieved from a [Handle].
+//
 // Must only be used while its parent [Handle.Lock] is held.
 type EntryHandle struct {
 	// Error returned while decoding pathname.
@@ -27,6 +28,7 @@ type EntryHandle struct {
 }
 
 // open opens the underlying state entry file.
+//
 // A non-nil error returned by open is of type [hst.AppError].
 func (eh *EntryHandle) open(flag int, perm os.FileMode) (*os.File, error) {
 	if eh.DecodeErr != nil {
@@ -41,6 +43,7 @@ func (eh *EntryHandle) open(flag int, perm os.FileMode) (*os.File, error) {
 }
 
 // Destroy removes the underlying state entry.
+//
 // A non-nil error returned by Destroy is of type [hst.AppError].
 func (eh *EntryHandle) Destroy() error {
 	// destroy does not go through open
@@ -55,8 +58,10 @@ func (eh *EntryHandle) Destroy() error {
 }
 
 // save encodes [hst.State] and writes it to the underlying file.
+//
 // An error is returned if a file already exists with the same identifier.
 // save does not validate the embedded [hst.Config].
+//
 // A non-nil error returned by save is of type [hst.AppError].
 func (eh *EntryHandle) save(state *hst.State) error {
 	f, err := eh.open(os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
@@ -71,17 +76,19 @@ func (eh *EntryHandle) save(state *hst.State) error {
 	return err
 }
 
-// Load loads and validates the state entry header, and returns the [hst.Enablement] byte.
-// for a non-nil v, the full state payload is decoded and stored in the value pointed to by v.
-// Load validates the embedded [hst.Config] value.
-// A non-nil error returned by Load is of type [hst.AppError].
-func (eh *EntryHandle) Load(v *hst.State) (hst.Enablement, error) {
+// Load loads and validates the state entry header, and returns the
+// [hst.Enablements] byte. For a non-nil v, the full state payload is decoded
+// and stored in the value pointed to by v.
+//
+// Load validates the embedded [hst.Config] value. A non-nil error returned by
+// Load is of type [hst.AppError].
+func (eh *EntryHandle) Load(v *hst.State) (hst.Enablements, error) {
 	f, err := eh.open(os.O_RDONLY, 0)
 	if err != nil {
 		return 0, err
 	}
 
-	var et hst.Enablement
+	var et hst.Enablements
 	if v != nil {
 		et, err = entryDecode(f, v)
 		if err == nil && v.ID != eh.ID {
@@ -99,6 +106,7 @@ func (eh *EntryHandle) Load(v *hst.State) (hst.Enablement, error) {
 }
 
 // Handle is a handle on a [Store] segment.
+//
 // Initialised by [Store.Handle].
 type Handle struct {
 	// Identity of instances tracked by this segment.
@@ -113,8 +121,9 @@ type Handle struct {
 	mu sync.Mutex
 }
 
-// Lock attempts to acquire a lock on [Handle].
-// If successful, Lock returns a non-nil unlock function.
+// Lock attempts to acquire a lock on [Handle]. If successful, Lock returns a
+// non-nil unlock function.
+//
 // A non-nil error returned by Lock is of type [hst.AppError].
 func (h *Handle) Lock() (unlock func(), err error) {
 	if unlock, err = h.fileMu.Lock(); err != nil {
@@ -123,20 +132,24 @@ func (h *Handle) Lock() (unlock func(), err error) {
 	return
 }
 
-// Save attempts to save [hst.State] as a segment entry, and returns its [EntryHandle].
-// Must be called while holding [Handle.Lock].
+// Save attempts to save [hst.State] as a segment entry, and returns its
+// [EntryHandle]. Must be called while holding [Handle.Lock].
+//
 // An error is returned if an entry already exists with the same identifier.
 // Save does not validate the embedded [hst.Config].
+//
 // A non-nil error returned by Save is of type [hst.AppError].
 func (h *Handle) Save(state *hst.State) (*EntryHandle, error) {
 	eh := EntryHandle{nil, h.Path.Append(state.ID.String()), state.ID}
 	return &eh, eh.save(state)
 }
 
-// Entries returns an iterator over all [EntryHandle] held in this segment.
-// Must be called while holding [Handle.Lock].
-// A non-nil error attached to a [EntryHandle] indicates a malformed identifier and is of type [hst.AppError].
-// A non-nil error returned by Entries is of type [hst.AppError].
+// Entries returns an iterator over all [EntryHandle] held in this segment. Must
+// be called while holding [Handle.Lock].
+//
+// A non-nil error attached to a [EntryHandle] indicates a malformed identifier
+// and is of type [hst.AppError]. A non-nil error returned by Entries is of type
+// [hst.AppError].
 func (h *Handle) Entries() (iter.Seq[*EntryHandle], int, error) {
 	// for error reporting
 	const step = "read store segment entries"

internal/store/segment_test.go

@@ -21,7 +21,7 @@ import (
 // Made available here for direct validation of state entry files.
 //
 //go:linkname entryDecode hakurei.app/internal/store.entryDecode
-func entryDecode(r io.Reader, p *hst.State) (hst.Enablement, error)
+func entryDecode(r io.Reader, p *hst.State) (hst.Enablements, error)
 
 // Made available here for direct access to known segment handles.
 //

internal/system/acl.go

@@ -17,20 +17,21 @@ func (sys *I) UpdatePerm(path *check.Absolute, perms ...acl.Perm) *I {
 	return sys
 }
 
-// UpdatePermType maintains [acl.Perms] on a file until its [Enablement] is no longer satisfied.
-func (sys *I) UpdatePermType(et hst.Enablement, path *check.Absolute, perms ...acl.Perm) *I {
+// UpdatePermType maintains [acl.Perms] on a file until its [hst.Enablements] is
+// no longer satisfied.
+func (sys *I) UpdatePermType(et hst.Enablements, path *check.Absolute, perms ...acl.Perm) *I {
 	sys.ops = append(sys.ops, &aclUpdateOp{et, path.String(), perms})
 	return sys
 }
 
 // aclUpdateOp implements [I.UpdatePermType].
 type aclUpdateOp struct {
-	et    hst.Enablement
+	et    hst.Enablements
 	path  string
 	perms acl.Perms
 }
 
-func (a *aclUpdateOp) Type() hst.Enablement { return a.et }
+func (a *aclUpdateOp) Type() hst.Enablements { return a.et }
 
 func (a *aclUpdateOp) apply(sys *I) error {
 	sys.msg.Verbose("applying ACL", a)

internal/system/dbus.go

@@ -31,7 +31,9 @@ func (sys *I) MustProxyDBus(
 	}
 }
 
-// ProxyDBus finalises configuration ahead of time and starts xdg-dbus-proxy via [dbus] and terminates it on revert.
+// ProxyDBus finalises configuration ahead of time and starts xdg-dbus-proxy via
+// [dbus] and terminates it on revert.
+//
 // This [Op] is always [Process] scoped.
 func (sys *I) ProxyDBus(
 	session, system *hst.BusConfig,
@@ -84,7 +86,7 @@ type dbusProxyOp struct {
 	system bool
 }
 
-func (d *dbusProxyOp) Type() hst.Enablement { return Process }
+func (d *dbusProxyOp) Type() hst.Enablements { return Process }
 
 func (d *dbusProxyOp) apply(sys *I) error {
 	sys.msg.Verbosef("session bus proxy on %q for upstream %q", d.final.Session[1], d.final.Session[0])

internal/system/dispatcher.go

@@ -21,12 +21,16 @@ type osFile interface {
 	fs.File
 }
 
-// syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
+// syscallDispatcher provides methods that make state-dependent system calls as
+// part of their behaviour.
+//
 // syscallDispatcher is embedded in [I], so all methods must be unexported.
 type syscallDispatcher interface {
 	// new starts a goroutine with a new instance of syscallDispatcher.
-	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
-	// just synchronising access is not enough, as this is for test instrumentation.
+	//
+	// A syscallDispatcher must never be used in any goroutine other than the
+	// one owning it, just synchronising access is not enough, as this is for
+	// test instrumentation.
 	new(f func(k syscallDispatcher))
 
 	// stat provides os.Stat.

internal/system/dispatcher_test.go

@@ -27,7 +27,7 @@ func call(name string, args stub.ExpectArgs, ret any, err error) stub.Call {
 type opBehaviourTestCase struct {
 	name string
 	uid  int
-	ec   hst.Enablement
+	ec   hst.Enablements
 	op   Op
 
 	apply        []stub.Call
@@ -158,7 +158,7 @@ type opMetaTestCase struct {
 	name string
 	op   Op
 
-	wantType   hst.Enablement
+	wantType   hst.Enablements
 	wantPath   string
 	wantString string
 }

internal/system/link.go

@@ -12,19 +12,19 @@ func (sys *I) Link(oldname, newname *check.Absolute) *I {
 	return sys.LinkFileType(Process, oldname, newname)
 }
 
-// LinkFileType maintains a hardlink until its [Enablement] is no longer satisfied.
-func (sys *I) LinkFileType(et hst.Enablement, oldname, newname *check.Absolute) *I {
+// LinkFileType maintains a hardlink until its [hst.Enablements] is no longer satisfied.
+func (sys *I) LinkFileType(et hst.Enablements, oldname, newname *check.Absolute) *I {
 	sys.ops = append(sys.ops, &hardlinkOp{et, newname.String(), oldname.String()})
 	return sys
 }
 
 // hardlinkOp implements [I.LinkFileType].
 type hardlinkOp struct {
-	et       hst.Enablement
+	et       hst.Enablements
 	dst, src string
 }
 
-func (l *hardlinkOp) Type() hst.Enablement { return l.et }
+func (l *hardlinkOp) Type() hst.Enablements { return l.et }
 
 func (l *hardlinkOp) apply(sys *I) error {
 	sys.msg.Verbose("linking", l)

internal/system/mkdir.go

@@ -15,21 +15,22 @@ func (sys *I) Ensure(name *check.Absolute, perm os.FileMode) *I {
 	return sys
 }
 
-// Ephemeral ensures the existence of a directory until its [Enablement] is no longer satisfied.
-func (sys *I) Ephemeral(et hst.Enablement, name *check.Absolute, perm os.FileMode) *I {
+// Ephemeral ensures the existence of a directory until its [hst.Enablements] is
+// no longer satisfied.
+func (sys *I) Ephemeral(et hst.Enablements, name *check.Absolute, perm os.FileMode) *I {
 	sys.ops = append(sys.ops, &mkdirOp{et, name.String(), perm, true})
 	return sys
 }
 
 // mkdirOp implements [I.Ensure] and [I.Ephemeral].
 type mkdirOp struct {
-	et        hst.Enablement
+	et        hst.Enablements
 	path      string
 	perm      os.FileMode
 	ephemeral bool
 }
 
-func (m *mkdirOp) Type() hst.Enablement { return m.et }
+func (m *mkdirOp) Type() hst.Enablements { return m.et }
 
 func (m *mkdirOp) apply(sys *I) error {
 	sys.msg.Verbose("ensuring directory", m)

internal/system/pipewire.go

@@ -12,8 +12,9 @@ import (
 )
 
 // PipeWire maintains a pipewire socket with SecurityContext attached via [pipewire].
-// The socket stops accepting connections once the pipe referred to by sync is closed.
-// The socket is pathname only and is destroyed on revert.
+//
+// The socket stops accepting connections once the pipe referred to by sync is
+// closed. The socket is pathname only and is destroyed on revert.
 func (sys *I) PipeWire(dst *check.Absolute, appID, instanceID string) *I {
 	sys.ops = append(sys.ops, &pipewireOp{nil, dst, appID, instanceID})
 	return sys
@@ -27,7 +28,7 @@ type pipewireOp struct {
 	appID, instanceID string
 }
 
-func (p *pipewireOp) Type() hst.Enablement { return Process }
+func (p *pipewireOp) Type() hst.Enablements { return Process }
 
 func (p *pipewireOp) apply(sys *I) (err error) {
 	var ctx *pipewire.Context

internal/system/system.go

@@ -20,21 +20,21 @@ const (
 )
 
 // Criteria specifies types of Op to revert.
-type Criteria hst.Enablement
+type Criteria hst.Enablements
 
-func (ec *Criteria) hasType(t hst.Enablement) bool {
+func (ec *Criteria) hasType(t hst.Enablements) bool {
 	// nil criteria: revert everything except User
 	if ec == nil {
 		return t != User
 	}
 
-	return hst.Enablement(*ec)&t != 0
+	return hst.Enablements(*ec)&t != 0
 }
 
 // Op is a reversible system operation.
 type Op interface {
 	// Type returns [Op]'s enablement type, for matching a revert criteria.
-	Type() hst.Enablement
+	Type() hst.Enablements
 
 	apply(sys *I) error
 	revert(sys *I, ec *Criteria) error
@@ -44,8 +44,8 @@ type Op interface {
 	String() string
 }
 
-// TypeString extends [hst.Enablement.String] to support [User] and [Process].
-func TypeString(e hst.Enablement) string {
+// TypeString extends [hst.Enablements] to support [User] and [Process].
+func TypeString(e hst.Enablements) string {
 	switch e {
 	case User:
 		return "user"
@@ -110,7 +110,9 @@ func (sys *I) Equal(target *I) bool {
 	return true
 }
 
-// Commit applies all [Op] held by [I] and reverts all successful [Op] on first error encountered.
+// Commit applies all [Op] held by [I] and reverts all successful [Op] on first
+// error encountered.
+//
 // Commit must not be called more than once.
 func (sys *I) Commit() error {
 	if sys.committed {

internal/system/system_test.go

@@ -20,7 +20,7 @@ func TestCriteria(t *testing.T) {
 
 	testCases := []struct {
 		name  string
-		ec, t hst.Enablement
+		ec, t hst.Enablements
 		want  bool
 	}{
 		{"nil", 0xff, hst.EWayland, true},
@@ -47,7 +47,7 @@ func TestTypeString(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
-		e    hst.Enablement
+		e    hst.Enablements
 		want string
 	}{
 		{hst.EWayland, hst.EWayland.String()},
@@ -190,7 +190,7 @@ func TestCommitRevert(t *testing.T) {
 	testCases := []struct {
 		name string
 		f    func(sys *I)
-		ec   hst.Enablement
+		ec   hst.Enablements
 
 		commit        []stub.Call
 		wantErrCommit error

internal/system/wayland.go

@@ -11,8 +11,9 @@ import (
 )
 
 // Wayland maintains a wayland socket with security-context-v1 attached via [wayland].
-// The socket stops accepting connections once the pipe referred to by sync is closed.
-// The socket is pathname only and is destroyed on revert.
+//
+// The socket stops accepting connections once the pipe referred to by sync is
+// closed. The socket is pathname only and is destroyed on revert.
 func (sys *I) Wayland(dst, src *check.Absolute, appID, instanceID string) *I {
 	sys.ops = append(sys.ops, &waylandOp{nil,
 		dst, src, appID, instanceID})
@@ -26,7 +27,7 @@ type waylandOp struct {
 	appID, instanceID string
 }
 
-func (w *waylandOp) Type() hst.Enablement { return Process }
+func (w *waylandOp) Type() hst.Enablements { return Process }
 
 func (w *waylandOp) apply(sys *I) (err error) {
 	if w.ctx, err = sys.waylandNew(w.src, w.dst, w.appID, w.instanceID); err != nil {

internal/system/xhost.go

@@ -5,7 +5,8 @@ import (
 	"hakurei.app/internal/xcb"
 )
 
-// ChangeHosts inserts the target user into X11 hosts and deletes it once its [Enablement] is no longer satisfied.
+// ChangeHosts inserts the target user into X11 hosts and deletes it once its
+// [hst.Enablements] is no longer satisfied.
 func (sys *I) ChangeHosts(username string) *I {
 	sys.ops = append(sys.ops, xhostOp(username))
 	return sys
@@ -14,7 +15,7 @@ func (sys *I) ChangeHosts(username string) *I {
 // xhostOp implements [I.ChangeHosts].
 type xhostOp string
 
-func (x xhostOp) Type() hst.Enablement { return hst.EX11 }
+func (x xhostOp) Type() hst.Enablements { return hst.EX11 }
 
 func (x xhostOp) apply(sys *I) error {
 	sys.msg.Verbosef("inserting entry %s to X11", x)

nixos.nix

@@ -265,7 +265,7 @@ in
                     '';
                 in
                 pkgs.writeShellScriptBin app.name ''
-                  exec hakurei${if app.verbose then " -v" else ""} run ${checkedConfig "hakurei-app-${app.name}.json" conf} $@
+                  exec hakurei${if app.verbose then " -v" else ""}${if app.insecureWayland then " --insecure" else ""} run ${checkedConfig "hakurei-app-${app.name}.json" conf} $@
                 ''
               )
             ]

options.md

@@ -35,7 +35,7 @@ package
 
 
 *Default:*
-` <derivation hakurei-static-x86_64-unknown-linux-musl-0.3.6> `
+` <derivation hakurei-static-x86_64-unknown-linux-musl-0.4.0> `
 
 
 
@@ -542,6 +542,43 @@ null or string
 
 
 
+## environment\.hakurei\.apps\.\<name>\.schedPolicy
+
+
+
+Scheduling policy to set for the container\.
+The zero value retains the current scheduling policy\.
+
+
+
+*Type:*
+null or one of “fifo”, “rr”, “batch”, “idle”, “deadline”, “ext”
+
+
+
+*Default:*
+` null `
+
+
+
+## environment\.hakurei\.apps\.\<name>\.schedPriority
+
+
+
+Scheduling priority to set for the container\.
+
+
+
+*Type:*
+null or integer between 1 and 99 (both inclusive)
+
+
+
+*Default:*
+` null `
+
+
+
 ## environment\.hakurei\.apps\.\<name>\.script
 
 
@@ -805,7 +842,7 @@ package
 
 
 *Default:*
-` <derivation hakurei-hsu-0.3.6> `
+` <derivation hakurei-hsu-0.4.0> `
 
 
 

package.nix

@@ -30,7 +30,7 @@
 
 buildGo126Module rec {
   pname = "hakurei";
-  version = "0.3.7";
+  version = "0.4.0";
 
   srcFiltered = builtins.path {
     name = "${pname}-src";