internal/pkg: drop cached error on cancel

This avoids disabling the artifact when using the individual cancel method. Unfortunately this makes the method blocking. Signed-off-by: Ophestra <cat@gensokyo.uk>
internal/pkg: pending error alongside done channel
2026-04-18 03:24:48 +09:00 · 2026-04-18 03:10:37 +09:00 · 2026-04-18 02:59:44 +09:00 · 2026-04-17 22:47:02 +09:00 · 2026-04-17 22:40:35 +09:00 · 2026-04-17 22:00:04 +09:00
386 changed files with 26953 additions and 8128 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,27 +1,7 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-*.pkg
-/hakurei
-
-# Test binary, built with `go test -c`
+# produced by tools and text editors
+*.qcow2
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
 .idea
 .vscode

@@ -30,8 +10,5 @@ go.work.sum
 /internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz

-# release
-/dist/hakurei-*
-
-# interactive nixos vm
-nixos.qcow2
+# cmd/dist default destination
+/dist
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/security/hakurei">
+  <a href="https://git.gensokyo.uk/rosa/hakurei">
    <picture>
      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
    </picture>
@@ -8,16 +8,16 @@

 <p align="center">
  <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
  <br/>
-  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
  <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>

 Hakurei is a tool for running sandboxed desktop applications as dedicated
 subordinate users on the Linux kernel. It implements the application container
-of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
+of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
 self-contained Android-like package manager with modern security features.

 Interaction with hakurei happens entirely through structures described by
@@ -62,4 +62,4 @@ are very likely to be rejected.
 ## NixOS Module (deprecated)

 The NixOS module is in maintenance mode and will be removed once planterette is
-feature-complete. Full module documentation can be found [here](options.md).
+feature-complete. Full module documentation can be found [here](options.md).
--- a/all.sh
+++ b/all.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -e
+
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/"
+echo "# Building cmd/dist using ${TOOLCHAIN_VERSION}."
+go run -v --tags=dist ./cmd/dist
--- a/container/check/absolute.go
+++ b/container/check/absolute.go
@@ -2,10 +2,10 @@
 package check

 import (
-	"encoding/json"
+	"encoding"
 	"errors"
 	"fmt"
-	"path"
+	"path/filepath"
 	"slices"
 	"strings"
 	"syscall"
@@ -30,6 +30,16 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }

+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }

@@ -61,7 +71,7 @@ func (a *Absolute) Is(v *Absolute) bool {

 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
-	if !path.IsAbs(pathname) {
+	if !filepath.IsAbs(pathname) {
 		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
@@ -76,46 +86,35 @@ func MustAbs(pathname string) *Absolute {
 	}
 }

-// Append calls [path.Join] with [Absolute] as the first element.
+// Append calls [filepath.Join] with [Absolute] as the first element.
 func (a *Absolute) Append(elem ...string) *Absolute {
-	return unsafeAbs(path.Join(append([]string{a.String()}, elem...)...))
+	return unsafeAbs(filepath.Join(append([]string{a.String()}, elem...)...))
 }

-// Dir calls [path.Dir] with [Absolute] as its argument.
-func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
+// Dir calls [filepath.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }

-// GobEncode returns the checked pathname.
-func (a *Absolute) GobEncode() ([]byte, error) {
-	return []byte(a.String()), nil
+// AppendText appends the checked pathname.
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+	return append(data, a.String()...), nil
 }

-// GobDecode stores data if it represents an absolute pathname.
-func (a *Absolute) GobDecode(data []byte) error {
+// MarshalText returns the checked pathname.
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
-	if !path.IsAbs(pathname) {
+	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
 	}
 	a.pathname = unique.Make(pathname)
 	return nil
 }

-// MarshalJSON returns a JSON representation of the checked pathname.
-func (a *Absolute) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.String())
-}
-
-// UnmarshalJSON stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalJSON(data []byte) error {
-	var pathname string
-	if err := json.Unmarshal(data, &pathname); err != nil {
-		return err
-	}
-	if !path.IsAbs(pathname) {
-		return AbsoluteError(pathname)
-	}
-	a.pathname = unique.Make(pathname)
-	return nil
-}
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }

 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -11,12 +11,12 @@ import (
 	"testing"
 	_ "unsafe" // for go:linkname

-	. "hakurei.app/container/check"
+	. "hakurei.app/check"
 )

 // unsafeAbs returns check.Absolute on any string value.
 //
-//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
+//go:linkname unsafeAbs hakurei.app/check.unsafeAbs
 func unsafeAbs(pathname string) *Absolute

 func TestAbsoluteError(t *testing.T) {
@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {

 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",

 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",

 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}

@@ -347,15 +347,6 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
-
-	t.Run("json passthrough", func(t *testing.T) {
-		t.Parallel()
-
-		wantErr := "invalid character ':' looking for beginning of value"
-		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
-			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
-		}
-	})
 }

 func TestAbsoluteWrap(t *testing.T) {
--- a/container/check/overlay.go
+++ b/container/check/overlay.go
--- a/container/check/overlay_test.go
+++ b/container/check/overlay_test.go
@@ -3,7 +3,7 @@ package check_test
 import (
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func TestEscapeOverlayDataSegment(t *testing.T) {
--- a/cmd/dist/comp/_hakurei
+++ b/cmd/dist/comp/_hakurei
@@ -1,11 +1,11 @@
 #compdef hakurei

-_hakurei_app() {
+_hakurei_run() {
  __hakurei_files
  return $?
 }

-_hakurei_run() {
+_hakurei_exec() {
  _arguments \
    '--id[Reverse-DNS style Application identifier, leave empty to inherit instance identifier]:id' \
    '-a[Application identity]: :_numbers' \
@@ -57,9 +57,9 @@ __hakurei_instances() {
 {
  local -a _hakurei_cmds
  _hakurei_cmds=(
-    "app:Load and start container from configuration file"
-    "run:Configure and start a permissive container"
-    "show:Show live or local app configuration"
+    "run:Load and start container from configuration file"
+    "exec:Configure and start a permissive container"
+    "show:Show live or local instance configuration"
    "ps:List active instances"
    "version:Display version information"
    "license:Show full license text"
--- a/cmd/dist/main.go
+++ b/cmd/dist/main.go
@@ -0,0 +1,237 @@
+//go:build dist
+
+package main
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha512"
+	_ "embed"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+)
+
+// getenv looks up an environment variable, and returns fallback if it is unset.
+func getenv(key, fallback string) string {
+	if v, ok := os.LookupEnv(key); ok {
+		return v
+	}
+	return fallback
+}
+
+// mustRun runs a command with the current process's environment and panics
+// on error or non-zero exit code.
+func mustRun(ctx context.Context, name string, arg ...string) {
+	cmd := exec.CommandContext(ctx, name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		panic(err)
+	}
+}
+
+//go:embed comp/_hakurei
+var comp []byte
+
+func main() {
+	fmt.Println()
+	log.SetFlags(0)
+	log.SetPrefix("# ")
+
+	version := getenv("HAKUREI_VERSION", "untagged")
+	prefix := getenv("PREFIX", "/usr")
+	destdir := getenv("DESTDIR", "dist")
+
+	if err := os.MkdirAll(destdir, 0755); err != nil {
+		log.Fatal(err)
+	}
+	s, err := os.MkdirTemp(destdir, ".dist.*")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		var code int
+
+		if err = os.RemoveAll(s); err != nil {
+			code = 1
+			log.Println(err)
+		}
+
+		if r := recover(); r != nil {
+			code = 1
+			log.Println(r)
+		}
+
+		os.Exit(code)
+	}()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	log.Println("Building hakurei.")
+	mustRun(ctx, "go", "generate", "./...")
+	mustRun(
+		ctx, "go", "build",
+		"-trimpath",
+		"-v", "-o", s,
+		"-ldflags=-s -w "+
+			"-buildid= -linkmode external -extldflags=-static "+
+			"-X hakurei.app/internal/info.buildVersion="+version+" "+
+			"-X hakurei.app/internal/info.hakureiPath="+prefix+"/bin/hakurei "+
+			"-X hakurei.app/internal/info.hsuPath="+prefix+"/bin/hsu "+
+			"-X main.hakureiPath="+prefix+"/bin/hakurei",
+		"./...",
+	)
+	fmt.Println()
+
+	log.Println("Testing Hakurei.")
+	mustRun(
+		ctx, "go", "test",
+		"-ldflags=-buildid= -linkmode external -extldflags=-static",
+		"./...",
+	)
+	fmt.Println()
+
+	log.Println("Creating distribution.")
+	const suffix = ".tar.gz"
+	distName := "hakurei-" + version + "-" + runtime.GOARCH
+	var f *os.File
+	if f, err = os.OpenFile(
+		filepath.Join(s, distName+suffix),
+		os.O_CREATE|os.O_EXCL|os.O_WRONLY,
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	defer func() {
+		if f == nil {
+			return
+		}
+		if err = f.Close(); err != nil {
+			log.Println(err)
+		}
+	}()
+
+	h := sha512.New()
+	gw := gzip.NewWriter(io.MultiWriter(f, h))
+	tw := tar.NewWriter(gw)
+
+	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
+		header := tar.Header{
+			Name:  filepath.Join(distName, name),
+			Size:  size,
+			Mode:  int64(mode),
+			Uname: "root",
+			Gname: "root",
+		}
+
+		if mode&os.ModeDir != 0 {
+			header.Typeflag = tar.TypeDir
+			fmt.Printf("%s %s\n", mode, name)
+		} else {
+			header.Typeflag = tar.TypeReg
+			fmt.Printf("%s %s (%d bytes)\n", mode, name, size)
+		}
+
+		if err = tw.WriteHeader(&header); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile := func(name string, data []byte, mode os.FileMode) {
+		mustWriteHeader(name, int64(len(data)), mode)
+		if mode&os.ModeDir != 0 {
+			return
+		}
+		if _, err = tw.Write(data); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFromPath := func(dst, src string, mode os.FileMode) {
+		var r *os.File
+		if r, err = os.Open(src); err != nil {
+			panic(err)
+		}
+
+		var fi os.FileInfo
+		if fi, err = r.Stat(); err != nil {
+			_ = r.Close()
+			panic(err)
+		}
+
+		if mode == 0 {
+			mode = fi.Mode()
+		}
+
+		mustWriteHeader(dst, fi.Size(), mode)
+		if _, err = io.Copy(tw, r); err != nil {
+			_ = r.Close()
+			panic(err)
+		} else if err = r.Close(); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile(".", nil, fs.ModeDir|0755)
+	mustWriteFile("comp/", nil, os.ModeDir|0755)
+	mustWriteFile("comp/_hakurei", comp, 0644)
+	mustWriteFile("install.sh", []byte(`#!/bin/sh -e
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/hakurei" "${DESTDIR}`+prefix+`/bin/hakurei"
+install -vDm0755 "bin/sharefs" "${DESTDIR}`+prefix+`/bin/sharefs"
+
+install -vDm4511 "bin/hsu" "${DESTDIR}`+prefix+`/bin/hsu"
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
+fi
+
+install -vDm0644 "comp/_hakurei" "${DESTDIR}`+prefix+`/share/zsh/site-functions/_hakurei"
+`), 0755)
+
+	mustWriteFromPath("README.md", "README.md", 0)
+	mustWriteFile("hsurc.default", []byte("1000 0"), 0400)
+	mustWriteFromPath("bin/hsu", filepath.Join(s, "hsu"), 04511)
+	for _, name := range []string{
+		"hakurei",
+		"sharefs",
+	} {
+		mustWriteFromPath(
+			filepath.Join("bin", name),
+			filepath.Join(s, name),
+			0,
+		)
+	}
+
+	if err = tw.Close(); err != nil {
+		panic(err)
+	} else if err = gw.Close(); err != nil {
+		panic(err)
+	} else if err = f.Close(); err != nil {
+		panic(err)
+	}
+	f = nil
+
+	if err = os.WriteFile(
+		filepath.Join(destdir, distName+suffix+".sha512"),
+		append(hex.AppendEncode(nil, h.Sum(nil)), "  "+distName+suffix+"\n"...),
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	if err = os.Rename(
+		filepath.Join(s, distName+suffix),
+		filepath.Join(destdir, distName+suffix),
+	); err != nil {
+		panic(err)
+	}
+}
--- a/cmd/earlyinit/main.go
+++ b/cmd/earlyinit/main.go
@@ -1,9 +1,14 @@
+// The earlyinit is part of the Rosa OS initramfs and serves as the system init.
+//
+// This program is an internal detail of Rosa OS and is not usable on its own.
+// It is not covered by the compatibility promise.
 package main

 import (
 	"log"
 	"os"
 	"runtime"
+	"strings"
 	. "syscall"
 )

@@ -12,6 +17,22 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")

+	var (
+		option map[string]string
+		flags  []string
+	)
+	if len(os.Args) > 1 {
+		option = make(map[string]string)
+		for _, s := range os.Args[1:] {
+			key, value, ok := strings.Cut(s, "=")
+			if !ok {
+				flags = append(flags, s)
+				continue
+			}
+			option[key] = value
+		}
+	}
+
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
@@ -55,4 +76,56 @@ func main() {
 		}
 	}

+	// staying in rootfs, these are no longer used
+	must(os.Remove("/root"))
+	must(os.Remove("/init"))
+
+	must(os.Mkdir("/proc", 0))
+	mustSyscall("mount proc", Mount(
+		"proc",
+		"/proc",
+		"proc",
+		MS_NOSUID|MS_NOEXEC|MS_NODEV,
+		"hidepid=1",
+	))
+
+	must(os.Mkdir("/sys", 0))
+	mustSyscall("mount sysfs", Mount(
+		"sysfs",
+		"/sys",
+		"sysfs",
+		0,
+		"",
+	))
+
+	// after top level has been set up
+	mustSyscall("remount root", Mount(
+		"",
+		"/",
+		"",
+		MS_REMOUNT|MS_BIND|
+			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
+		"",
+	))
+
+	must(os.WriteFile(
+		"/sys/module/firmware_class/parameters/path",
+		[]byte("/system/lib/firmware"),
+		0,
+	))
+
+}
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
 }
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -11,11 +12,11 @@ import (
 	"strconv"
 	"sync"
 	"time"
-	_ "unsafe" // for go:linkname

+	"hakurei.app/check"
 	"hakurei.app/command"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
@@ -26,14 +27,20 @@ import (

 // optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
 // if it is not nil, or the original value if it is.
-//
-//go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
-func optionalErrorUnwrap(err error) error
+func optionalErrorUnwrap(err error) error {
+	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
+		return underlyingErr
+	}
+	return err
+}
+
+var errSuccess = errors.New("success")

 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -51,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")

 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -59,9 +67,9 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		var (
 			flagIdentifierFile int
 		)
-		c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
+		c.NewCommand("run", "Load and start container from configuration file", func(args []string) error {
 			if len(args) < 1 {
-				log.Fatal("app requires at least 1 argument")
+				log.Fatal("run requires at least 1 argument")
 			}

 			config := tryPath(msg, args[0])
@@ -69,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}

-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -89,12 +102,15 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagHomeDir  string
 			flagUserName string

+			flagSchedPolicy   string
+			flagSchedPriority int
+
 			flagPrivateRuntime, flagPrivateTmpdir bool

 			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
 		)

-		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
+		c.NewCommand("exec", "Configure and start a permissive container", func(args []string) error {
 			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
 				log.Fatalf("identity %d out of range", flagIdentity)
 			}
@@ -131,12 +147,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					log.Fatal(optionalErrorUnwrap(err))
 					return err
 				} else if progPath, err = check.NewAbs(p); err != nil {
-					log.Fatal(err.Error())
+					log.Fatal(err)
 					return err
 				}
 			}

-			var et hst.Enablement
+			var et hst.Enablements
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -150,11 +166,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				et |= hst.EPipeWire
 			}

-			config := &hst.Config{
+			config := hst.Config{
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: hst.NewEnablements(et),
+				Enablements: &et,

 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -177,6 +193,13 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				},
 			}

+			if err := config.SchedPolicy.UnmarshalText(
+				[]byte(flagSchedPolicy),
+			); err != nil {
+				log.Fatal(err)
+			}
+			config.SchedPriority = ext.Int(flagSchedPriority)
+
 			// bind GPU stuff
 			if et&(hst.EX11|hst.EWayland) != 0 {
 				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
@@ -214,7 +237,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					homeDir = passwd.HomeDir
 				}
 				if a, err := check.NewAbs(homeDir); err != nil {
-					log.Fatal(err.Error())
+					log.Fatal(err)
 					return err
 				} else {
 					config.Container.Home = a
@@ -234,11 +257,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					config.SessionBus = dbus.NewConfig(flagID, true, flagDBusMpris)
 				} else {
 					if f, err := os.Open(flagDBusConfigSession); err != nil {
-						log.Fatal(err.Error())
+						log.Fatal(err)
 					} else {
 						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
 						if err = f.Close(); err != nil {
-							log.Fatal(err.Error())
+							log.Fatal(err)
 						}
 					}
 				}
@@ -246,11 +269,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				// system bus proxy is optional
 				if flagDBusConfigSystem != "nil" {
 					if f, err := os.Open(flagDBusConfigSystem); err != nil {
-						log.Fatal(err.Error())
+						log.Fatal(err)
 					} else {
 						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
 						if err = f.Close(); err != nil {
-							log.Fatal(err.Error())
+							log.Fatal(err)
 						}
 					}
 				}
@@ -266,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}

-			outcome.Main(ctx, msg, config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
@@ -287,6 +310,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Container home directory").
 			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
+			Flag(&flagSchedPolicy, "policy", command.StringFlag(""),
+				"Scheduling policy to set for the container").
+			Flag(&flagSchedPriority, "priority", command.IntFlag(0),
+				"Scheduling priority to set for the container").
 			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
 				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
 			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
@@ -308,7 +335,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagShort   bool
 			flagNoStore bool
 		)
-		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
+		c.NewCommand("show", "Show live or local instance configuration", func(args []string) error {
 			switch len(args) {
 			case 0: // system
 				printShowSystem(os.Stdout, flagShort, flagJSON)
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -20,12 +20,12 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]

 Commands:
-    app         Load and start container from configuration file
-    run         Configure and start a permissive container
-    show        Show live or local app configuration
+    run         Load and start container from configuration file
+    exec        Configure and start a permissive container
+    show        Show live or local instance configuration
    ps          List active instances
    version     Display version information
    license     Show full license text
@@ -35,8 +35,8 @@ Commands:
 `,
 		},
 		{
-			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
+			"exec", []string{"exec", "-h"}, `
+Usage:	hakurei exec [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]

 Flags:
  -X	Enable direct connection to X11
@@ -60,6 +60,10 @@ Flags:
    	Allow owning MPRIS D-Bus path, has no effect if custom config is available
  -pipewire
    	Enable connection to PipeWire via SecurityContext
+  -policy string
+    	Scheduling policy to set for the container
+  -priority int
+    	Scheduling priority to set for the container
  -private-runtime
    	Do not share XDG_RUNTIME_DIR between containers under the same identity
  -private-tmpdir
--- a/cmd/hakurei/json_test.go
+++ b/cmd/hakurei/json_test.go
@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"

-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestDecodeJSON(t *testing.T) {
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -1,8 +1,42 @@
+// Hakurei runs user-specified containers as subordinate users.
+//
+// This program is generally invoked by another, higher level program, which
+// creates container configuration via package [hst] or an implementation of it.
+//
+// The parent may leave files open and specify their file descriptor for various
+// uses. In these cases, standard streams and netpoll files are treated as
+// invalid file descriptors and rejected. All string representations must be in
+// decimal.
+//
+// When specifying a [hst.Config] JSON stream or file to the run subcommand, the
+// argument "-" is equivalent to stdin. Otherwise, file descriptor rules
+// described above applies. Invalid file descriptors are treated as file names
+// in their string representation, with the exception that if a netpoll file
+// descriptor is attempted, the program fails.
+//
+// The flag --identifier-fd can be optionally specified to the run subcommand to
+// receive the identifier of the newly started instance. File descriptor rules
+// described above applies, and the file must be writable. This is sent after
+// its state is made available, so the client must not attempt to poll for it.
+// This uses the internal binary format of [hst.ID].
+//
+// For the show and ps subcommands, the flag --json can be applied to the main
+// hakurei command to serialise output in JSON when applicable. Additionally,
+// the flag --short targeting each subcommand is used to omit some information
+// in both JSON and user-facing output. Only JSON-encoded output is covered
+// under the compatibility promise.
+//
+// A template for [hst.Config] demonstrating all available configuration fields
+// is returned by [hst.Template]. The JSON-encoded equivalent of this can be
+// obtained via the template subcommand. Fields left unpopulated in the template
+// (the direct_* family of fields, which are insecure under any configuration if
+// enabled) are unsupported.
+//
+// For simple (but insecure) testing scenarios, the exec subcommand can be used
+// to generate a simple, permissive configuration in-memory. See its help
+// message for all available options.
 package main

-// this works around go:embed '..' limitation
-//go:generate cp ../../LICENSE .
-
 import (
 	"context"
 	_ "embed"
@@ -13,15 +47,13 @@ import (
 	"syscall"

 	"hakurei.app/container"
+	"hakurei.app/ext"
 	"hakurei.app/message"
 )

-var (
-	errSuccess = errors.New("success")
-
-	//go:embed LICENSE
-	license string
-)
+//go:generate cp ../../LICENSE .
+//go:embed LICENSE
+var license string

 // earlyHardeningErrs are errors collected while setting up early hardening feature.
 type earlyHardeningErrs struct{ yamaLSM, dumpable error }
@@ -30,13 +62,13 @@ func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
 	container.TryArgv0(nil)

-	log.SetPrefix("hakurei: ")
 	log.SetFlags(0)
+	log.SetPrefix("hakurei: ")
 	msg := message.New(log.Default())

 	early := earlyHardeningErrs{
-		yamaLSM:  container.SetPtracer(0),
-		dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE),
+		yamaLSM:  ext.SetPtracer(0),
+		dumpable: ext.SetDumpable(ext.SUID_DUMP_DISABLE),
 	}

 	if os.Geteuid() == 0 {
--- a/cmd/hakurei/parse.go
+++ b/cmd/hakurei/parse.go
@@ -17,8 +17,9 @@ import (
 )

 // tryPath attempts to read [hst.Config] from multiple sources.
-// tryPath reads from [os.Stdin] if name has value "-".
-// Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
+//
+// tryPath reads from [os.Stdin] if name has value "-". Otherwise, name is
+// passed to tryFd, and if that returns nil, name is passed to [os.Open].
 func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	var r io.ReadCloser
 	config = new(hst.Config)
@@ -46,7 +47,8 @@ func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	return
 }

-// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding
+// to a valid file descriptor.
 func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
@@ -60,7 +62,12 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {

 		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
-		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_FCNTL,
+			fd,
+			syscall.F_GETFD,
+			0,
+		); errno != 0 {
 			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
@@ -75,10 +82,12 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {
 	}
 }

-// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
+// shortLengthMin is the minimum length a short form identifier can have and
+// still be interpreted as an identifier.
 const shortLengthMin = 1 << 3

-// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
+// shortIdentifier returns an eight character short representation of [hst.ID]
+// from its random bytes.
 func shortIdentifier(id *hst.ID) string {
 	return shortIdentifierString(id.String())
 }
@@ -88,7 +97,8 @@ func shortIdentifierString(s string) string {
 	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
 }

-// tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of
+// [hst.ID] or a prefix of its lower half.
 func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	const (
 		likeShort = 1 << iota
@@ -96,7 +106,8 @@ func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	)

 	var likely uintptr
-	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
+	// half the hex representation
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) {
 		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {
--- a/cmd/hakurei/parse_test.go
+++ b/cmd/hakurei/parse_test.go
@@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()

-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Enablements: new(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
--- a/cmd/hsu/conf.go
+++ b/cmd/hsu/conf.go
@@ -0,0 +1,7 @@
+//go:build !rosa
+
+package main
+
+// hsuConfPath is an absolute pathname to the hsu configuration file. Its
+// contents are interpreted by parseConfig.
+const hsuConfPath = "/etc/hsurc"
--- a/cmd/hsu/config_rosa.go
+++ b/cmd/hsu/config_rosa.go
@@ -0,0 +1,7 @@
+//go:build rosa
+
+package main
+
+// hsuConfPath is the pathname to the hsu configuration file, specific to
+// Rosa OS. Its contents are interpreted by parseConfig.
+const hsuConfPath = "/system/etc/hsurc"
--- a/cmd/hsu/hst.go
+++ b/cmd/hsu/hst.go
@@ -1,6 +1,6 @@
 package main

-/* copied from hst and must never be changed */
+/* keep in sync with hst */

 const (
 	userOffset = 100000
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -1,13 +1,64 @@
+// hsu starts the hakurei shim as the target subordinate user.
+//
+// The hsu program must be installed with the setuid and setgid bit set, and
+// owned by root. A configuration file must be installed at /etc/hsurc with
+// permission bits 0400, and owned by root. Each line of the file specifies a
+// hakurei userid to kernel uid mapping. A line consists of the decimal string
+// representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the decimal string representation of its
+// userid. Duplicate uid entries are ignored, with the first occurrence taking
+// effect.
+//
+// For example, to map the kernel uid 1000 to the hakurei user id 0:
+//
+//	1000 0
+//
+// # Internals
+//
+// Hakurei and hsu holds pathnames pointing to each other set at link time. For
+// this reason, a distribution of hakurei has fixed installation prefix. Since
+// this program is never invoked by the user, behaviour described in the
+// following paragraphs are considered an internal detail and not covered by the
+// compatibility promise.
+//
+// After checking credentials, hsu checks via /proc/ the absolute pathname of
+// its parent process, and fails if it does not match the hakurei pathname set
+// at link time. This is not a security feature: the priv-side is considered
+// trusted, and this feature makes no attempt to address the racy nature of
+// querying /proc/, or debuggers attached to the parent process. Instead, this
+// aims to discourage misuse and reduce confusion if the user accidentally
+// stumbles upon this program. It also prevents accidental use of the incorrect
+// installation of hsu in some environments.
+//
+// Since target container environment variables are set up in shim via the
+// [container] infrastructure, the environment is used for parameters from the
+// parent process.
+//
+// HAKUREI_SHIM specifies a single byte between '3' and '9' representing the
+// setup pipe file descriptor. It is passed as is to the shim process and is the
+// only value in the environment of the shim process. Since hsurc is not
+// accessible to the parent process, leaving this unset causes hsu to print the
+// corresponding hakurei user id of the parent and terminate.
+//
+// HAKUREI_IDENTITY specifies the identity of the instance being started and is
+// used to produce the kernel uid alongside hakurei user id looked up from hsurc.
+//
+// HAKUREI_GROUPS specifies supplementary groups to inherit from the credentials
+// of the parent process in a ' ' separated list of decimal string
+// representations of gid. This has the unfortunate consequence of allowing
+// users mapped via hsurc to effectively drop group membership, so special care
+// must be taken to ensure this does not lead to an increase in access. This is
+// not applicable to Rosa OS since unsigned code execution is not permitted
+// outside hakurei containers, and is generally nonapplicable to the security
+// model of hakurei, where all untrusted code runs within containers.
 package main

-// minimise imports to avoid inadvertently calling init or global variable functions
-
 import (
 	"bytes"
 	"fmt"
 	"log"
 	"os"
-	"path"
+	"path/filepath"
 	"runtime"
 	"slices"
 	"strconv"
@@ -16,10 +67,13 @@ import (
 )

 const (
-	// envIdentity is the name of the environment variable holding a
-	// single byte representing the shim setup pipe file descriptor.
+	// envShim is the name of the environment variable holding a single byte
+	// representing the shim setup pipe file descriptor.
 	envShim = "HAKUREI_SHIM"
-	// envGroups holds a ' ' separated list of string representations of
+	// envIdentity is the name of the environment variable holding a decimal
+	// string representation of the current application identity.
+	envIdentity = "HAKUREI_IDENTITY"
+	// envGroups holds a ' ' separated list of decimal string representations of
 	// supplementary group gid. Membership requirements are enforced.
 	envGroups = "HAKUREI_GROUPS"
 )
@@ -35,7 +89,6 @@ func main() {

 	log.SetFlags(0)
 	log.SetPrefix("hsu: ")
-	log.SetOutput(os.Stderr)

 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
@@ -49,13 +102,13 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}

-	if !path.IsAbs(hakureiPath) {
+	if !filepath.IsAbs(hakureiPath) {
 		log.Fatal("this program is compiled incorrectly")
 		return
 	}

 	var toolPath string
-	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+	pexe := filepath.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
@@ -99,8 +152,6 @@ func main() {
 		// last possible uid outcome
 		uidEnd = 999919999
 	)
-
-	// cast to int for use with library functions
 	uid := int(toUser(userid, identity))

 	// final bounds check to catch any bugs
@@ -136,7 +187,6 @@ func main() {
 	}

 	// careful! users in the allowlist is effectively allowed to drop groups via hsu
-
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
 	}
@@ -146,10 +196,21 @@ func main() {
 	if err := syscall.Setresuid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set uid: %v", err)
 	}
-	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+
+	if _, _, errno := syscall.AllThreadsSyscall(
+		syscall.SYS_PRCTL,
+		PR_SET_NO_NEW_PRIVS, 1,
+		0,
+	); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+
+	if err := syscall.Exec(toolPath, []string{
+		"hakurei",
+		"shim",
+	}, []string{
+		envShim + "=" + shimSetupFd,
+	}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

--- a/cmd/hsu/parse.go
+++ b/cmd/hsu/parse.go
@@ -18,8 +18,9 @@ const (
 	useridEnd = useridStart + rangeSize - 1
 )

-// parseUint32Fast parses a string representation of an unsigned 32-bit integer value
-// using the fast path only. This limits the range of values it is defined in.
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer
+// value using the fast path only. This limits the range of values it is defined
+// in but is perfectly adequate for this use case.
 func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
@@ -40,12 +41,14 @@ func parseUint32Fast(s string) (uint32, error) {
 	return n, nil
 }

-// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
+// parseConfig reads a list of allowed users from r until it encounters puid or
+// [io.EOF].
 //
-// Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
-// of the string representation of the uid of the user wishing to start hakurei containers,
-// followed by a space, followed by the string representation of its userid. Duplicate uid
-// entries are ignored, with the first occurrence taking effect.
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A
+// line consists of the string representation of the uid of the user wishing to
+// start hakurei containers, followed by a space, followed by the string
+// representation of its userid. Duplicate uid entries are ignored, with the
+// first occurrence taking effect.
 //
 // All string representations are parsed by calling parseUint32Fast.
 func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
@@ -81,10 +84,6 @@ func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	return useridEnd + 1, false, s.Err()
 }

-// hsuConfPath is an absolute pathname to the hsu configuration file.
-// Its contents are interpreted by parseConfig.
-const hsuConfPath = "/etc/hsurc"
-
 // mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
 // terminating the program if an error is encountered, the syntax is incorrect,
 // or the current user is not authorised to use hsu because its uid is missing.
@@ -112,10 +111,6 @@ func mustParseConfig(puid int) (userid uint32) {
 	return
 }

-// envIdentity is the name of the environment variable holding a
-// string representation of the current application identity.
-var envIdentity = "HAKUREI_IDENTITY"
-
 // mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
 // terminating the program if the value is not set, malformed, or out of bounds.
 func mustReadIdentity() uint32 {
--- a/cmd/mbf/cache.go
+++ b/cmd/mbf/cache.go
@@ -0,0 +1,94 @@
+package main
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+// cache refers to an instance of [pkg.Cache] that might be open.
+type cache struct {
+	ctx context.Context
+	msg message.Msg
+
+	// Should generally not be used directly.
+	c *pkg.Cache
+
+	cures, jobs        int
+	hostAbstract, idle bool
+
+	base string
+}
+
+// open opens the underlying [pkg.Cache].
+func (cache *cache) open() (err error) {
+	if cache.c != nil {
+		return os.ErrInvalid
+	}
+
+	if cache.base == "" {
+		cache.base = "cache"
+	}
+	var base *check.Absolute
+	if cache.base, err = filepath.Abs(cache.base); err != nil {
+		return
+	} else if base, err = check.NewAbs(cache.base); err != nil {
+		return
+	}
+
+	var flags int
+	if cache.idle {
+		flags |= pkg.CSchedIdle
+	}
+	if cache.hostAbstract {
+		flags |= pkg.CHostAbstract
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-cache.ctx.Done():
+			if testing.Testing() {
+				return
+			}
+			os.Exit(2)
+
+		case <-done:
+			return
+		}
+	}()
+
+	cache.msg.Verbosef("opening cache at %s", base)
+	cache.c, err = pkg.Open(
+		cache.ctx,
+		cache.msg,
+		flags,
+		cache.cures,
+		cache.jobs,
+		base,
+	)
+	return
+}
+
+// Close closes the underlying [pkg.Cache] if it is open.
+func (cache *cache) Close() {
+	if cache.c != nil {
+		cache.c.Close()
+	}
+}
+
+// Do calls f on the underlying cache and returns its error value.
+func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
+	if cache.c == nil {
+		if err := cache.open(); err != nil {
+			return err
+		}
+	}
+	return f(cache.c)
+}
--- a/cmd/mbf/cache_test.go
+++ b/cmd/mbf/cache_test.go
@@ -0,0 +1,37 @@
+package main
+
+import (
+	"log"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestCache(t *testing.T) {
+	t.Parallel()
+
+	cm := cache{
+		ctx:  t.Context(),
+		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
+		base: t.TempDir(),
+
+		hostAbstract: true, idle: true,
+	}
+	defer cm.Close()
+	cm.Close()
+
+	if err := cm.open(); err != nil {
+		t.Fatalf("open: error = %v", err)
+	}
+	if err := cm.open(); err != os.ErrInvalid {
+		t.Errorf("(duplicate) open: error = %v", err)
+	}
+
+	if err := cm.Do(func(cache *pkg.Cache) error {
+		return cache.Scrub(0)
+	}); err != nil {
+		t.Errorf("Scrub: error = %v", err)
+	}
+}
--- a/cmd/mbf/daemon.go
+++ b/cmd/mbf/daemon.go
@@ -0,0 +1,343 @@
+package main
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"io"
+	"log"
+	"math"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+	"unique"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+)
+
+// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
+const daemonTimeout = 30 * time.Second
+
+// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
+// zero value when running in a test.
+func daemonDeadline() time.Time {
+	if testing.Testing() {
+		return time.Time{}
+	}
+	return time.Now().Add(daemonTimeout)
+}
+
+const (
+	// remoteNoReply notifies that the client will not receive a cure reply.
+	remoteNoReply = 1 << iota
+)
+
+// cureFromIR services an IR curing request.
+func cureFromIR(
+	cache *pkg.Cache,
+	conn net.Conn,
+	flags uint64,
+) (pkg.Artifact, error) {
+	a, decodeErr := cache.NewDecoder(conn).Decode()
+	if decodeErr != nil {
+		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
+		return nil, errors.Join(decodeErr, err, conn.Close())
+	}
+
+	pathname, _, cureErr := cache.Cure(a)
+	if flags&remoteNoReply != 0 {
+		return a, errors.Join(cureErr, conn.Close())
+	}
+	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	if cureErr != nil {
+		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	_, err := conn.Write([]byte(pathname.String()))
+	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
+		return a, nil
+	}
+	return a, errors.Join(err, conn.Close())
+}
+
+const (
+	// specialCancel is a message consisting of a single identifier referring
+	// to a curing artifact to be cancelled.
+	specialCancel = iota
+	// specialAbort requests for all pending cures to be aborted. It has no
+	// message body.
+	specialAbort
+
+	// remoteSpecial denotes a special message with custom layout.
+	remoteSpecial = math.MaxUint64
+)
+
+// writeSpecialHeader writes the header of a remoteSpecial message.
+func writeSpecialHeader(conn net.Conn, kind uint64) error {
+	var sh [16]byte
+	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
+	binary.LittleEndian.PutUint64(sh[8:], kind)
+	if n, err := conn.Write(sh[:]); err != nil {
+		return err
+	} else if n != len(sh) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+// cancelIdent reads an identifier from conn and cancels the corresponding cure.
+func cancelIdent(
+	cache *pkg.Cache,
+	conn net.Conn,
+) (*pkg.ID, bool, error) {
+	var ident pkg.ID
+	if _, err := io.ReadFull(conn, ident[:]); err != nil {
+		return nil, false, errors.Join(err, conn.Close())
+	} else if err = conn.Close(); err != nil {
+		return nil, false, err
+	}
+	return &ident, cache.Cancel(unique.Make(ident)), nil
+}
+
+// serve services connections from a [net.UnixListener].
+func serve(
+	ctx context.Context,
+	log *log.Logger,
+	cm *cache,
+	ul *net.UnixListener,
+) error {
+	ul.SetUnlinkOnClose(true)
+	if cm.c == nil {
+		if err := cm.open(); err != nil {
+			return errors.Join(err, ul.Close())
+		}
+	}
+
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
+	wg.Go(func() {
+		for {
+			if ctx.Err() != nil {
+				break
+			}
+
+			conn, err := ul.AcceptUnix()
+			if err != nil {
+				if !errors.Is(err, os.ErrDeadlineExceeded) {
+					log.Println(err)
+				}
+				continue
+			}
+			wg.Go(func() {
+				done := make(chan struct{})
+				defer close(done)
+				go func() {
+					select {
+					case <-ctx.Done():
+						_ = conn.SetDeadline(time.Now())
+
+					case <-done:
+						return
+					}
+				}()
+
+				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+
+				var word [8]byte
+				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+				flags := binary.LittleEndian.Uint64(word[:])
+
+				if flags == remoteSpecial {
+					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+						log.Println(_err)
+						if _err = conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+						return
+					}
+					switch special := binary.LittleEndian.Uint64(word[:]); special {
+					default:
+						log.Printf("invalid special %d", special)
+
+					case specialCancel:
+						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
+							log.Println(_err)
+						} else if !ok {
+							log.Println(
+								"attempting to cancel invalid artifact",
+								pkg.Encode(*id),
+							)
+						} else {
+							log.Println(
+								"cancelled artifact",
+								pkg.Encode(*id),
+							)
+						}
+
+					case specialAbort:
+						if _err := conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+						log.Println("aborting all pending cures")
+						cm.c.Abort()
+					}
+
+					return
+				}
+
+				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
+					log.Println(_err)
+				} else {
+					log.Printf(
+						"fulfilled artifact %s",
+						pkg.Encode(cm.c.Ident(a).Value()),
+					)
+				}
+			})
+		}
+	})
+
+	<-ctx.Done()
+	if err := ul.SetDeadline(time.Now()); err != nil {
+		return errors.Join(err, ul.Close())
+	}
+	wg.Wait()
+	return ul.Close()
+}
+
+// dial wraps [net.DialUnix] with a context.
+func dial(ctx context.Context, addr *net.UnixAddr) (
+	done chan<- struct{},
+	conn *net.UnixConn,
+	err error,
+) {
+	conn, err = net.DialUnix("unix", nil, addr)
+	if err != nil {
+		return
+	}
+
+	d := make(chan struct{})
+	done = d
+	go func() {
+		select {
+		case <-ctx.Done():
+			_ = conn.SetDeadline(time.Now())
+
+		case <-d:
+			return
+		}
+	}()
+	return
+}
+
+// cureRemote cures a [pkg.Artifact] on a daemon.
+func cureRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	flags uint64,
+) (*check.Absolute, error) {
+	if flags == remoteSpecial {
+		return nil, syscall.EINVAL
+	}
+
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	defer close(done)
+
+	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
+		return nil, errors.Join(flagErr, conn.Close())
+	} else if n != 8 {
+		return nil, errors.Join(io.ErrShortWrite, conn.Close())
+	}
+
+	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	} else if err = conn.CloseWrite(); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	}
+
+	if flags&remoteNoReply != 0 {
+		return nil, conn.Close()
+	}
+
+	payload, recvErr := io.ReadAll(conn)
+	if err = errors.Join(recvErr, conn.Close()); err != nil {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
+			if cancelErr := ctx.Err(); cancelErr != nil {
+				err = cancelErr
+			}
+		}
+		return nil, err
+	}
+
+	if len(payload) > 0 && payload[0] == 0 {
+		return nil, errors.New(string(payload[1:]))
+	}
+
+	var p *check.Absolute
+	p, err = check.NewAbs(string(payload))
+	return p, err
+}
+
+// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
+func cancelRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	if err = writeSpecialHeader(conn, specialCancel); err != nil {
+		return errors.Join(err, conn.Close())
+	}
+
+	var n int
+	id := pkg.NewIR().Ident(a).Value()
+	if n, err = conn.Write(id[:]); err != nil {
+		return errors.Join(err, conn.Close())
+	} else if n != len(id) {
+		return errors.Join(io.ErrShortWrite, conn.Close())
+	}
+	return conn.Close()
+}
+
+// abortRemote aborts all [pkg.Artifact] curing on a daemon.
+func abortRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	err = writeSpecialHeader(conn, specialAbort)
+	return errors.Join(err, conn.Close())
+}
--- a/cmd/mbf/daemon_test.go
+++ b/cmd/mbf/daemon_test.go
@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"log"
+	"net"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestNoReply(t *testing.T) {
+	t.Parallel()
+	if !daemonDeadline().IsZero() {
+		t.Fatal("daemonDeadline did not return the zero value")
+	}
+
+	c, err := pkg.Open(
+		t.Context(),
+		message.New(log.New(os.Stderr, "cir: ", 0)),
+		0, 0, 0,
+		check.MustAbs(t.TempDir()),
+	)
+	if err != nil {
+		t.Fatalf("Open: error = %v", err)
+	}
+	defer c.Close()
+
+	client, server := net.Pipe()
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		go func() {
+			<-t.Context().Done()
+			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
+				panic(_err)
+			}
+		}()
+
+		if _err := c.EncodeAll(
+			client,
+			pkg.NewFile("check", []byte{0}),
+		); _err != nil {
+			panic(_err)
+		} else if _err = client.Close(); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	a, cureErr := cureFromIR(c, server, remoteNoReply)
+	if cureErr != nil {
+		t.Fatalf("cureFromIR: error = %v", cureErr)
+	}
+
+	<-done
+	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
+	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
+		t.Errorf(
+			"cureFromIR: %s, want %s",
+			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
+		)
+	}
+}
+
+func TestDaemon(t *testing.T) {
+	t.Parallel()
+
+	var buf bytes.Buffer
+	logger := log.New(&buf, "daemon: ", 0)
+
+	addr := net.UnixAddr{
+		Name: filepath.Join(t.TempDir(), "daemon"),
+		Net:  "unix",
+	}
+
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	cm := cache{
+		ctx:  ctx,
+		msg:  message.New(logger),
+		base: t.TempDir(),
+	}
+	defer cm.Close()
+
+	ul, err := net.ListenUnix("unix", &addr)
+	if err != nil {
+		t.Fatalf("ListenUnix: error = %v", err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		if _err := serve(ctx, logger, &cm, ul); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil)); err != nil {
+		t.Fatalf("cancelRemote: error = %v", err)
+	}
+
+	if err = abortRemote(ctx, &addr); err != nil {
+		t.Fatalf("abortRemote: error = %v", err)
+	}
+
+	// keep this last for synchronisation
+	var p *check.Absolute
+	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
+	if err != nil {
+		t.Fatalf("cureRemote: error = %v", err)
+	}
+
+	cancel()
+	<-done
+
+	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
+	if got := filepath.Base(p.String()); got != want {
+		t.Errorf("cureRemote: %s, want %s", got, want)
+	}
+
+	wantLog := []string{
+		"",
+		"daemon: aborting all pending cures",
+		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
+		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
+	}
+	gotLog := strings.Split(buf.String(), "\n")
+	slices.Sort(gotLog)
+	if !slices.Equal(gotLog, wantLog) {
+		t.Errorf(
+			"serve: logged\n%s\nwant\n%s",
+			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
+		)
+	}
+}
--- a/cmd/mbf/info.go
+++ b/cmd/mbf/info.go
@@ -0,0 +1,127 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+// commandInfo implements the info subcommand.
+func commandInfo(
+	cm *cache,
+	args []string,
+	w io.Writer,
+	writeStatus bool,
+	reportPath string,
+) (err error) {
+	if len(args) == 0 {
+		return errors.New("info requires at least 1 argument")
+	}
+
+	var r *rosa.Report
+	if reportPath != "" {
+		if r, err = rosa.OpenReport(reportPath); err != nil {
+			return err
+		}
+		defer func() {
+			if closeErr := r.Close(); err == nil {
+				err = closeErr
+			}
+		}()
+		defer r.HandleAccess(&err)()
+	}
+
+	// recovered by HandleAccess
+	mustPrintln := func(a ...any) {
+		if _, _err := fmt.Fprintln(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+	mustPrint := func(a ...any) {
+		if _, _err := fmt.Fprint(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+
+	for i, name := range args {
+		if p, ok := rosa.ResolveName(name); !ok {
+			return fmt.Errorf("unknown artifact %q", name)
+		} else {
+			var suffix string
+			if version := rosa.Std.Version(p); version != rosa.Unversioned {
+				suffix += "-" + version
+			}
+			mustPrintln("name        : " + name + suffix)
+
+			meta := rosa.GetMetadata(p)
+			mustPrintln("description : " + meta.Description)
+			if meta.Website != "" {
+				mustPrintln("website     : " +
+					strings.TrimSuffix(meta.Website, "/"))
+			}
+			if len(meta.Dependencies) > 0 {
+				mustPrint("depends on  :")
+				for _, d := range meta.Dependencies {
+					s := rosa.GetMetadata(d).Name
+					if version := rosa.Std.Version(d); version != rosa.Unversioned {
+						s += "-" + version
+					}
+					mustPrint(" " + s)
+				}
+				mustPrintln()
+			}
+
+			const statusPrefix = "status      : "
+			if writeStatus {
+				if r == nil {
+					var f io.ReadSeekCloser
+					err = cm.Do(func(cache *pkg.Cache) (err error) {
+						f, err = cache.OpenStatus(rosa.Std.Load(p))
+						return
+					})
+					if err != nil {
+						if errors.Is(err, os.ErrNotExist) {
+							mustPrintln(
+								statusPrefix + "not yet cured",
+							)
+						} else {
+							return
+						}
+					} else {
+						mustPrint(statusPrefix)
+						_, err = io.Copy(w, f)
+						if err = errors.Join(err, f.Close()); err != nil {
+							return
+						}
+					}
+				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
+					if status == nil {
+						mustPrintln(
+							statusPrefix + "not in report",
+						)
+					} else {
+						mustPrintln("size        :", n)
+						mustPrint(statusPrefix)
+						if _, err = w.Write(status); err != nil {
+							return
+						}
+					}
+					return
+				}); err != nil {
+					return
+				}
+			}
+
+			if i != len(args)-1 {
+				mustPrintln()
+			}
+		}
+	}
+	return nil
+}
--- a/cmd/mbf/info_test.go
+++ b/cmd/mbf/info_test.go
@@ -0,0 +1,170 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	"unsafe"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func TestInfo(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		args    []string
+		status  map[string]string
+		report  string
+		want    string
+		wantErr any
+	}{
+		{"qemu", []string{"qemu"}, nil, "", `
+name        : qemu-` + rosa.Std.Version(rosa.QEMU) + `
+description : a generic and open source machine emulator and virtualizer
+website     : https://www.qemu.org
+depends on  : glib-` + rosa.Std.Version(rosa.GLib) + ` zstd-` + rosa.Std.Version(rosa.Zstd) + `
+`, nil},
+
+		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
+name        : hakurei-` + rosa.Std.Version(rosa.Hakurei) + `
+description : low-level userspace tooling for Rosa OS
+website     : https://hakurei.app
+
+name        : hakurei-dist-` + rosa.Std.Version(rosa.HakureiDist) + `
+description : low-level userspace tooling for Rosa OS (distribution tarball)
+website     : https://hakurei.app
+`, nil},
+
+		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+
+`, fmt.Errorf("unknown artifact %q", "\x00")},
+
+		{"status cache", []string{"zlib", "zstd"}, map[string]string{
+			"zstd":    "internal/pkg (amd64) on satori\n",
+			"hakurei": "internal/pkg (amd64) on satori\n\n",
+		}, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not yet cured
+
+name        : zstd-` + rosa.Std.Version(rosa.Zstd) + `
+description : a fast compression algorithm
+website     : https://facebook.github.io/zstd
+status      : internal/pkg (amd64) on satori
+`, nil},
+
+		{"status cache perm", []string{"zlib"}, map[string]string{
+			"zlib": "\x00",
+		}, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+`, func(cm *cache) error {
+			return &os.PathError{
+				Op:   "open",
+				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(rosa.Std.Load(rosa.Zlib)).Value())),
+				Err:  syscall.EACCES,
+			}
+		}},
+
+		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not in report
+`, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				cm  *cache
+				buf strings.Builder
+				rp  string
+			)
+
+			if tc.status != nil || tc.report != "" {
+				cm = &cache{
+					ctx:  context.Background(),
+					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
+					base: t.TempDir(),
+				}
+				defer cm.Close()
+			}
+
+			if tc.report != "" {
+				rp = filepath.Join(t.TempDir(), "report")
+				if err := os.WriteFile(
+					rp,
+					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
+					0400,
+				); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			if tc.status != nil {
+				for name, status := range tc.status {
+					p, ok := rosa.ResolveName(name)
+					if !ok {
+						t.Fatalf("invalid name %q", name)
+					}
+					perm := os.FileMode(0400)
+					if status == "\x00" {
+						perm = 0
+					}
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						return os.WriteFile(filepath.Join(
+							cm.base,
+							"status",
+							pkg.Encode(cache.Ident(rosa.Std.Load(p)).Value()),
+						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
+					}); err != nil {
+						t.Fatalf("Do: error = %v", err)
+					}
+				}
+			}
+
+			var wantErr error
+			switch c := tc.wantErr.(type) {
+			case error:
+				wantErr = c
+			case func(cm *cache) error:
+				wantErr = c(cm)
+			default:
+				if tc.wantErr != nil {
+					t.Fatalf("invalid wantErr %#v", tc.wantErr)
+				}
+			}
+
+			if err := commandInfo(
+				cm,
+				tc.args,
+				&buf,
+				cm != nil,
+				rp,
+			); !reflect.DeepEqual(err, wantErr) {
+				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
+			}
+
+			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
+				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
+			}
+		})
+	}
+}
--- a/cmd/mbf/main.go
+++ b/cmd/mbf/main.go
@@ -1,25 +1,43 @@
+// The mbf program is a frontend for [hakurei.app/internal/rosa].
+//
+// This program is not covered by the compatibility promise. The command line
+// interface, available packages and their behaviour, and even the on-disk
+// format, may change at any time.
+//
+// # Name
+//
+// The name mbf stands for maiden's best friend, as a tribute to the DOOM source
+// port of [the same name]. This name is a placeholder and is subject to change.
+//
+// [the same name]: https://www.doomwiki.org/wiki/MBF
 package main

 import (
 	"context"
+	"crypto/sha512"
 	"errors"
 	"fmt"
 	"io"
 	"log"
+	"net"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"strconv"
+	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 	"unique"

+	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
@@ -36,14 +54,13 @@ func main() {
 		log.Fatal("this program must not run as root")
 	}

-	var cache *pkg.Cache
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
 	defer stop()
+
+	var cm cache
 	defer func() {
-		if cache != nil {
-			cache.Close()
-		}
+		cm.Close()

 		if r := recover(); r != nil {
 			fmt.Println(r)
@@ -52,61 +69,66 @@ func main() {
 	}()

 	var (
-		flagQuiet  bool
-		flagCures  int
-		flagBase   string
-		flagTShift int
-		flagIdle   bool
+		flagQuiet bool
+
+		addr net.UnixAddr
 	)
-	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) error {
 		msg.SwapVerbose(!flagQuiet)
+		cm.ctx, cm.msg = ctx, msg
+		cm.base = os.ExpandEnv(cm.base)

-		flagBase = os.ExpandEnv(flagBase)
-		if flagBase == "" {
-			flagBase = "cache"
+		addr.Net = "unix"
+		addr.Name = os.ExpandEnv(addr.Name)
+		if addr.Name == "" {
+			addr.Name = "daemon"
 		}

-		var base *check.Absolute
-		if flagBase, err = filepath.Abs(flagBase); err != nil {
-			return
-		} else if base, err = check.NewAbs(flagBase); err != nil {
-			return
-		}
-		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
-			if flagTShift < 0 {
-				cache.SetThreshold(0)
-			} else if flagTShift > 31 {
-				cache.SetThreshold(1 << 31)
-			} else {
-				cache.SetThreshold(1 << flagTShift)
-			}
-		}
-
-		if flagIdle {
-			pkg.SchedPolicy = container.SCHED_IDLE
-		}
-
-		return
+		return nil
 	}).Flag(
 		&flagQuiet,
 		"q", command.BoolFlag(false),
 		"Do not print cure messages",
 	).Flag(
-		&flagCures,
+		&cm.cures,
 		"cures", command.IntFlag(0),
 		"Maximum number of dependencies to cure at any given time",
 	).Flag(
-		&flagBase,
+		&cm.jobs,
+		"jobs", command.IntFlag(0),
+		"Preferred number of jobs to run, when applicable",
+	).Flag(
+		&cm.base,
 		"d", command.StringFlag("$MBF_CACHE_DIR"),
 		"Directory to store cured artifacts",
 	).Flag(
-		&flagTShift,
-		"tshift", command.IntFlag(-1),
-		"Dependency graph size exponent, to the power of 2",
-	).Flag(
-		&flagIdle,
+		&cm.idle,
 		"sched-idle", command.BoolFlag(false),
 		"Set SCHED_IDLE scheduling policy",
+	).Flag(
+		&cm.hostAbstract,
+		"host-abstract", command.BoolFlag(
+			os.Getenv("MBF_HOST_ABSTRACT") != "",
+		),
+		"Do not restrict networked cure containers from connecting to host "+
+			"abstract UNIX sockets",
+	).Flag(
+		&addr.Name,
+		"socket", command.StringFlag("$MBF_DAEMON_SOCKET"),
+		"Pathname of socket to bind to",
+	)
+
+	c.NewCommand(
+		"checksum", "Compute checksum of data read from standard input",
+		func([]string) error {
+			go func() { <-ctx.Done(); os.Exit(1) }()
+			h := sha512.New384()
+			if _, err := io.Copy(h, os.Stdin); err != nil {
+				return err
+			}
+			log.Println(pkg.Encode(pkg.Checksum(h.Sum(nil))))
+			return nil
+		},
 	)

 	{
@@ -120,7 +142,9 @@ func main() {
 				if flagShifts < 0 || flagShifts > 31 {
 					flagShifts = 12
 				}
-				return cache.Scrub(runtime.NumCPU() << flagShifts)
+				return cm.Do(func(cache *pkg.Cache) error {
+					return cache.Scrub(runtime.NumCPU() << flagShifts)
+				})
 			},
 		).Flag(
 			&flagShifts,
@@ -129,6 +153,144 @@ func main() {
 		)
 	}

+	{
+		var (
+			flagStatus bool
+			flagReport string
+		)
+		c.NewCommand(
+			"info",
+			"Display out-of-band metadata of an artifact",
+			func(args []string) (err error) {
+				return commandInfo(&cm, args, os.Stdout, flagStatus, flagReport)
+			},
+		).Flag(
+			&flagStatus,
+			"status", command.BoolFlag(false),
+			"Display cure status if available",
+		).Flag(
+			&flagReport,
+			"report", command.StringFlag(""),
+			"Load cure status from this report file instead of cache",
+		)
+	}
+
+	c.NewCommand(
+		"report",
+		"Generate an artifact cure report for the current cache",
+		func(args []string) (err error) {
+			var w *os.File
+			switch len(args) {
+			case 0:
+				w = os.Stdout
+
+			case 1:
+				if w, err = os.OpenFile(
+					args[0],
+					os.O_CREATE|os.O_EXCL|syscall.O_WRONLY,
+					0400,
+				); err != nil {
+					return
+				}
+				defer func() {
+					closeErr := w.Close()
+					if err == nil {
+						err = closeErr
+					}
+				}()
+
+			default:
+				return errors.New("report requires 1 argument")
+			}
+
+			if ext.Isatty(int(w.Fd())) {
+				return errors.New("output appears to be a terminal")
+			}
+			return cm.Do(func(cache *pkg.Cache) error {
+				return rosa.WriteReport(msg, w, cache)
+			})
+		},
+	)
+
+	{
+		var flagJobs int
+		c.NewCommand("updates", command.UsageInternal, func([]string) error {
+			var (
+				errsMu sync.Mutex
+				errs   []error
+
+				n atomic.Uint64
+			)
+
+			w := make(chan rosa.PArtifact)
+			var wg sync.WaitGroup
+			for range max(flagJobs, 1) {
+				wg.Go(func() {
+					for p := range w {
+						meta := rosa.GetMetadata(p)
+						if meta.ID == 0 {
+							continue
+						}
+
+						v, err := meta.GetVersions(ctx)
+						if err != nil {
+							errsMu.Lock()
+							errs = append(errs, err)
+							errsMu.Unlock()
+							continue
+						}
+
+						if current, latest :=
+							rosa.Std.Version(p),
+							meta.GetLatest(v); current != latest {
+
+							n.Add(1)
+							log.Printf("%s %s < %s", meta.Name, current, latest)
+							continue
+						}
+
+						msg.Verbosef("%s is up to date", meta.Name)
+					}
+				})
+			}
+
+		done:
+			for i := range rosa.PresetEnd {
+				select {
+				case w <- rosa.PArtifact(i):
+					break
+				case <-ctx.Done():
+					break done
+				}
+			}
+			close(w)
+			wg.Wait()
+
+			if v := n.Load(); v > 0 {
+				errs = append(errs, errors.New(strconv.Itoa(int(v))+
+					" package(s) are out of date"))
+			}
+			return errors.Join(errs...)
+		}).Flag(
+			&flagJobs,
+			"j", command.IntFlag(32),
+			"Maximum number of simultaneous connections",
+		)
+	}
+
+	c.NewCommand(
+		"daemon",
+		"Service artifact IR with Rosa OS extensions",
+		func(args []string) error {
+			ul, err := net.ListenUnix("unix", &addr)
+			if err != nil {
+				return err
+			}
+			log.Printf("listening on pathname socket at %s", addr.Name)
+			return serve(ctx, log.Default(), &cm, ul)
+		},
+	)
+
 	{
 		var (
 			flagGentoo   string
@@ -153,25 +315,37 @@ func main() {
 					rosa.SetGentooStage3(flagGentoo, checksum)
 				}

-				_, _, _, stage1 := (t - 2).NewLLVM()
-				_, _, _, stage2 := (t - 1).NewLLVM()
-				_, _, _, stage3 := t.NewLLVM()
 				var (
 					pathname *check.Absolute
 					checksum [2]unique.Handle[pkg.Checksum]
 				)

-				if pathname, _, err = cache.Cure(stage1); err != nil {
-					return err
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					pathname, _, err = cache.Cure(
+						(t - 2).Load(rosa.Clang),
+					)
+					return
+				}); err != nil {
+					return
 				}
 				log.Println("stage1:", pathname)

-				if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
-					return err
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					pathname, checksum[0], err = cache.Cure(
+						(t - 1).Load(rosa.Clang),
+					)
+					return
+				}); err != nil {
+					return
 				}
 				log.Println("stage2:", pathname)
-				if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
-					return err
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					pathname, checksum[1], err = cache.Cure(
+						t.Load(rosa.Clang),
+					)
+					return
+				}); err != nil {
+					return
 				}
 				log.Println("stage3:", pathname)

@@ -188,37 +362,41 @@ func main() {
 				}

 				if flagStage0 {
-					if pathname, _, err = cache.Cure(
-						t.Load(rosa.Stage0),
-					); err != nil {
-						return err
+					if err = cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(
+							t.Load(rosa.Stage0),
+						)
+						return
+					}); err != nil {
+						return
 					}
 					log.Println(pathname)
 				}

 				return
 			},
-		).
-			Flag(
-				&flagGentoo,
-				"gentoo", command.StringFlag(""),
-				"Bootstrap from a Gentoo stage3 tarball",
-			).
-			Flag(
-				&flagChecksum,
-				"checksum", command.StringFlag(""),
-				"Checksum of Gentoo stage3 tarball",
-			).
-			Flag(
-				&flagStage0,
-				"stage0", command.BoolFlag(false),
-				"Create bootstrap stage0 tarball",
-			)
+		).Flag(
+			&flagGentoo,
+			"gentoo", command.StringFlag(""),
+			"Bootstrap from a Gentoo stage3 tarball",
+		).Flag(
+			&flagChecksum,
+			"checksum", command.StringFlag(""),
+			"Checksum of Gentoo stage3 tarball",
+		).Flag(
+			&flagStage0,
+			"stage0", command.BoolFlag(false),
+			"Create bootstrap stage0 tarball",
+		)
 	}

 	{
 		var (
-			flagDump string
+			flagDump    string
+			flagEnter   bool
+			flagExport  string
+			flagRemote  bool
+			flagNoReply bool
 		)
 		c.NewCommand(
 			"cure",
@@ -227,15 +405,48 @@ func main() {
 				if len(args) != 1 {
 					return errors.New("cure requires 1 argument")
 				}
-				if p, ok := rosa.ResolveName(args[0]); !ok {
+				p, ok := rosa.ResolveName(args[0])
+				if !ok {
 					return fmt.Errorf("unknown artifact %q", args[0])
-				} else if flagDump == "" {
-					pathname, _, err := cache.Cure(rosa.Std.Load(p))
-					if err == nil {
-						log.Println(pathname)
+				}
+
+				switch {
+				default:
+					var pathname *check.Absolute
+					err := cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(rosa.Std.Load(p))
+						return
+					})
+					if err != nil {
+						return err
 					}
-					return err
-				} else {
+					log.Println(pathname)
+
+					if flagExport != "" {
+						msg.Verbosef("exporting %s to %s...", args[0], flagExport)
+
+						var f *os.File
+						if f, err = os.OpenFile(
+							flagExport,
+							os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+							0400,
+						); err != nil {
+							return err
+						} else if _, err = pkg.Flatten(
+							os.DirFS(pathname.String()),
+							".",
+							f,
+						); err != nil {
+							_ = f.Close()
+							return err
+						} else if err = f.Close(); err != nil {
+							return err
+						}
+					}
+
+					return nil
+
+				case flagDump != "":
 					f, err := os.OpenFile(
 						flagDump,
 						os.O_WRONLY|os.O_CREATE|os.O_EXCL,
@@ -245,44 +456,74 @@ func main() {
 						return err
 					}

-					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
+					if err = pkg.NewIR().EncodeAll(f, rosa.Std.Load(p)); err != nil {
 						_ = f.Close()
 						return err
 					}

 					return f.Close()
+
+				case flagEnter:
+					return cm.Do(func(cache *pkg.Cache) error {
+						return cache.EnterExec(
+							ctx,
+							rosa.Std.Load(p),
+							true, os.Stdin, os.Stdout, os.Stderr,
+							rosa.AbsSystem.Append("bin", "mksh"),
+							"sh",
+						)
+					})
+
+				case flagRemote:
+					var flags uint64
+					if flagNoReply {
+						flags |= remoteNoReply
+					}
+					a := rosa.Std.Load(p)
+					pathname, err := cureRemote(ctx, &addr, a, flags)
+					if !flagNoReply && err == nil {
+						log.Println(pathname)
+					}
+
+					if errors.Is(err, context.Canceled) {
+						cc, cancel := context.WithDeadline(context.Background(), daemonDeadline())
+						defer cancel()
+
+						if _err := cancelRemote(cc, &addr, a); _err != nil {
+							log.Println(err)
+						}
+					}
+
+					return err
 				}
 			},
-		).
-			Flag(
-				&flagDump,
-				"dump", command.StringFlag(""),
-				"Write IR to specified pathname and terminate",
-			)
+		).Flag(
+			&flagDump,
+			"dump", command.StringFlag(""),
+			"Write IR to specified pathname and terminate",
+		).Flag(
+			&flagExport,
+			"export", command.StringFlag(""),
+			"Export cured artifact to specified pathname",
+		).Flag(
+			&flagEnter,
+			"enter", command.BoolFlag(false),
+			"Enter cure container with an interactive shell",
+		).Flag(
+			&flagRemote,
+			"daemon", command.BoolFlag(false),
+			"Cure artifact on the daemon",
+		).Flag(
+			&flagNoReply,
+			"no-reply", command.BoolFlag(false),
+			"Do not receive a reply from the daemon",
+		)
 	}

 	c.NewCommand(
-		"status",
-		"Display the status file of an artifact",
-		func(args []string) error {
-			if len(args) != 1 {
-				return errors.New("status requires 1 argument")
-			}
-			if p, ok := rosa.ResolveName(args[0]); !ok {
-				return fmt.Errorf("unknown artifact %q", args[0])
-			} else {
-				r, err := cache.OpenStatus(rosa.Std.Load(p))
-				if err != nil {
-					if errors.Is(err, os.ErrNotExist) {
-						return errors.New(args[0] + " was never cured")
-					}
-					return err
-				}
-
-				_, err = io.Copy(os.Stdout, r)
-				return errors.Join(err, r.Close())
-			}
-		},
+		"abort",
+		"Abort all pending cures on the daemon",
+		func([]string) error { return abortRemote(ctx, &addr) },
 	)

 	{
@@ -296,37 +537,59 @@ func main() {
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
-				root := make([]pkg.Artifact, 0, 6+len(args))
-				for _, arg := range args {
+				presets := make([]rosa.PArtifact, len(args)+3)
+				for i, arg := range args {
 					p, ok := rosa.ResolveName(arg)
 					if !ok {
 						return fmt.Errorf("unknown artifact %q", arg)
 					}
-					root = append(root, rosa.Std.Load(p))
+					presets[i] = p
 				}

-				if flagWithToolchain {
-					musl, compilerRT, runtimes, clang := rosa.Std.NewLLVM()
-					root = append(root, musl, compilerRT, runtimes, clang)
-				} else {
-					root = append(root, rosa.Std.Load(rosa.Musl))
+				base := rosa.Clang
+				if !flagWithToolchain {
+					base = rosa.Musl
 				}
-				root = append(root,
-					rosa.Std.Load(rosa.Mksh),
-					rosa.Std.Load(rosa.Toybox),
+				presets = append(presets,
+					base,
+					rosa.Mksh,
+					rosa.Toybox,
 				)

+				root := make(pkg.Collect, 0, 6+len(args))
+				root = rosa.Std.AppendPresets(root, presets...)
+
+				if err := cm.Do(func(cache *pkg.Cache) error {
+					_, _, err := cache.Cure(&root)
+					return err
+				}); err == nil {
+					return errors.New("unreachable")
+				} else if !pkg.IsCollected(err) {
+					return err
+				}
+
 				type cureRes struct {
 					pathname *check.Absolute
 					checksum unique.Handle[pkg.Checksum]
 				}
 				cured := make(map[pkg.Artifact]cureRes)
 				for _, a := range root {
-					pathname, checksum, err := cache.Cure(a)
-					if err != nil {
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						pathname, checksum, err := cache.Cure(a)
+						if err == nil {
+							cured[a] = cureRes{pathname, checksum}
+						}
+						return err
+					}); err != nil {
+						return err
+					}
+				}
+
+				// explicitly open for direct error-free use from this point
+				if cm.c == nil {
+					if err := cm.open(); err != nil {
 						return err
 					}
-					cured[a] = cureRes{pathname, checksum}
 				}

 				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
@@ -336,7 +599,7 @@ func main() {
 					res := cured[a]
 					return res.pathname, res.checksum
 				}, func(i int, d pkg.Artifact) {
-					r := pkg.Encode(cache.Ident(d).Value())
+					r := pkg.Encode(cm.c.Ident(d).Value())
 					if s, ok := d.(fmt.Stringer); ok {
 						if name := s.String(); name != "" {
 							r += "-" + name
@@ -355,6 +618,9 @@ func main() {
 				z.Hostname = "localhost"
 				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+				if s, ok := os.LookupEnv("TERM"); ok {
+					z.Env = append(z.Env, "TERM="+s)
+				}

 				var tempdir *check.Absolute
 				if s, err := filepath.Abs(os.TempDir()); err != nil {
@@ -397,22 +663,19 @@ func main() {
 				}
 				return z.Wait()
 			},
-		).
-			Flag(
-				&flagNet,
-				"net", command.BoolFlag(false),
-				"Share host net namespace",
-			).
-			Flag(
-				&flagSession,
-				"session", command.BoolFlag(false),
-				"Retain session",
-			).
-			Flag(
-				&flagWithToolchain,
-				"with-toolchain", command.BoolFlag(false),
-				"Include the stage3 LLVM toolchain",
-			)
+		).Flag(
+			&flagNet,
+			"net", command.BoolFlag(false),
+			"Share host net namespace",
+		).Flag(
+			&flagSession,
+			"session", command.BoolFlag(true),
+			"Retain session",
+		).Flag(
+			&flagWithToolchain,
+			"with-toolchain", command.BoolFlag(false),
+			"Include the stage2 LLVM toolchain",
+		)

 	}

@@ -423,9 +686,17 @@ func main() {
 	)

 	c.MustParse(os.Args[1:], func(err error) {
-		if cache != nil {
-			cache.Close()
+		cm.Close()
+		if w, ok := err.(interface{ Unwrap() []error }); !ok {
+			log.Fatal(err)
+		} else {
+			errs := w.Unwrap()
+			for i, e := range errs {
+				if i == len(errs)-1 {
+					log.Fatal(e)
+				}
+				log.Println(e)
+			}
 		}
-		log.Fatal(err)
 	})
 }
--- a/cmd/pkgserver/main.go
+++ b/cmd/pkgserver/main.go
@@ -1,55 +0,0 @@
-package main
-
-import (
-	"embed"
-	"fmt"
-	"net/http"
-)
-
-//go:generate sh -c "sass ui/static/dark.scss ui/static/dark.css && sass ui/static/light.scss ui/static/light.css && tsc ui/static/index.ts"
-//go:embed ui/*
-var content embed.FS
-
-func serveWebUI(w http.ResponseWriter, r *http.Request) {
-	fmt.Printf("serveWebUI: %s\n", r.URL.Path)
-	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Expires", "0")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("X-XSS-Protection", "1")
-	w.Header().Set("X-Frame-Options", "DENY")
-
-	http.ServeFileFS(w, r, content, "ui/index.html")
-}
-func serveStaticContent(w http.ResponseWriter, r *http.Request) {
-	fmt.Printf("serveStaticContent: %s\n", r.URL.Path)
-	switch r.URL.Path {
-	case "/static/style.css":
-		darkTheme := r.CookiesNamed("dark_theme")
-		if len(darkTheme) > 0 && darkTheme[0].Value == "true" {
-			http.ServeFileFS(w, r, content, "ui/static/dark.css")
-		} else {
-			http.ServeFileFS(w, r, content, "ui/static/light.css")
-		}
-		break
-	case "/favicon.ico":
-		http.ServeFileFS(w, r, content, "ui/static/favicon.ico")
-		break
-	case "/static/index.js":
-		http.ServeFileFS(w, r, content, "ui/static/index.js")
-		break
-	default:
-		http.NotFound(w, r)
-
-	}
-}
-func serveAPI(w http.ResponseWriter, r *http.Request) {
-
-}
-func main() {
-	http.HandleFunc("GET /{$}", serveWebUI)
-	http.HandleFunc("GET /favicon.ico", serveStaticContent)
-	http.HandleFunc("GET /static/", serveStaticContent)
-	http.HandleFunc("GET /api/", serveAPI)
-	http.ListenAndServe(":8067", nil)
-}
--- a/cmd/pkgserver/ui/index.html
+++ b/cmd/pkgserver/ui/index.html
@@ -1,26 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <link rel="stylesheet" href="static/style.css">
-    <title>Hakurei PkgServer</title>
-    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
-    <script src="static/index.js"></script>
-</head>
-<body>
-<h1>Hakurei PkgServer</h1>
-
-<table id="pkg-list">
-    <tr><th>Status</th><th>Name</th><th>Version</th></tr>
-</table>
-<p>Showing entries <span id="entry-counter"></span>.</p>
-<span class="bottom-nav"><a href="javascript:prevPage()">&laquo; Previous</a> <span id="page-number">1</span> <a href="javascript:nextPage()">Next &raquo;</a></span>
-<span><label for="count">Entries per page:</label><select name="count" id="count">
-    <option value="10">10</option>
-    <option value="25">25</option>
-    <option value="50">50</option>
-    <option value="100">100</option>
-</select></span>
-</body>
-<footer>&copy; <a href="https://hakurei.app/">Hakurei</a>. Licensed under the MIT license.</footer>
-</html>
--- a/cmd/pkgserver/ui/static/_common.scss
+++ b/cmd/pkgserver/ui/static/_common.scss
--- a/cmd/pkgserver/ui/static/dark.css
+++ b/cmd/pkgserver/ui/static/dark.css
@@ -1,6 +0,0 @@
-@use 'common';
-html {
-  background-color: #2c2c2c;
-  color: ghostwhite; }
-
-/*# sourceMappingURL=dark.css.map */
--- a/cmd/pkgserver/ui/static/dark.css.map
+++ b/cmd/pkgserver/ui/static/dark.css.map
@@ -1,7 +0,0 @@
-{
-"version": 3,
-"mappings": "AAAA,aAAa;AAEb,IAAK;EACH,gBAAgB,EAAE,OAAO;EACzB,KAAK,EAAE,UAAU",
-"sources": ["dark.scss"],
-"names": [],
-"file": "dark.css"
-}
--- a/cmd/pkgserver/ui/static/dark.scss
+++ b/cmd/pkgserver/ui/static/dark.scss
@@ -1,6 +0,0 @@
-@use 'common';
-
-html {
-  background-color: #2c2c2c;
-  color: ghostwhite;
-}
--- a/cmd/pkgserver/ui/static/favicon.ico
+++ b/cmd/pkgserver/ui/static/favicon.ico
--- a/cmd/pkgserver/ui/static/index.js
+++ b/cmd/pkgserver/ui/static/index.js
@@ -1,67 +0,0 @@
-"use strict";
-var PackageEntry = /** @class */ (function () {
-    function PackageEntry() {
-    }
-    return PackageEntry;
-}());
-var State = /** @class */ (function () {
-    function State() {
-        this.entriesPerPage = 10;
-        this.currentPage = 1;
-        this.entryIndex = 0;
-        this.loadedEntries = [];
-    }
-    State.prototype.getEntriesPerPage = function () {
-        return this.entriesPerPage;
-    };
-    State.prototype.setEntriesPerPage = function (entriesPerPage) {
-        this.entriesPerPage = entriesPerPage;
-        this.updateRange();
-    };
-    State.prototype.getCurrentPage = function () {
-        return this.currentPage;
-    };
-    State.prototype.setCurrentPage = function (page) {
-        this.currentPage = page;
-        document.getElementById("page-number").innerText = String(this.currentPage);
-        this.updateRange();
-    };
-    State.prototype.getEntryIndex = function () {
-        return this.entryIndex;
-    };
-    State.prototype.setEntryIndex = function (entryIndex) {
-        this.entryIndex = entryIndex;
-        this.updateRange();
-    };
-    State.prototype.getLoadedEntries = function () {
-        return this.loadedEntries;
-    };
-    State.prototype.getMaxPage = function () {
-        return this.loadedEntries.length / this.entriesPerPage;
-    };
-    State.prototype.updateRange = function () {
-        var max = Math.min(this.entryIndex + this.entriesPerPage, this.loadedEntries.length);
-        document.getElementById("entry-counter").innerText = "".concat(this.entryIndex, "-").concat(max, " of ").concat(this.loadedEntries.length);
-    };
-    return State;
-}());
-var STATE;
-function prevPage() {
-    var current = STATE.getCurrentPage();
-    if (current > 1) {
-        STATE.setCurrentPage(STATE.getCurrentPage() - 1);
-    }
-}
-function nextPage() {
-    var current = STATE.getCurrentPage();
-    if (current < STATE.getMaxPage()) {
-        STATE.setCurrentPage(STATE.getCurrentPage() + 1);
-    }
-}
-document.addEventListener("DOMContentLoaded", function () {
-    STATE = new State();
-    STATE.updateRange();
-    document.getElementById("count").addEventListener("change", function (event) {
-        STATE.setEntriesPerPage(parseInt(event.target.value));
-    });
-});
--- a/cmd/pkgserver/ui/static/index.ts
+++ b/cmd/pkgserver/ui/static/index.ts
@@ -1,66 +0,0 @@
-"use strict"
-
-class PackageEntry {
-
-}
-class State {
-    entriesPerPage: number = 10
-    currentPage: number = 1
-    entryIndex: number = 0
-    loadedEntries: PackageEntry[] = []
-    getEntriesPerPage(): number {
-        return this.entriesPerPage
-    }
-    setEntriesPerPage(entriesPerPage: number) {
-        this.entriesPerPage = entriesPerPage
-        this.updateRange()
-    }
-    getCurrentPage(): number {
-        return this.currentPage
-    }
-    setCurrentPage(page: number) {
-        this.currentPage = page
-        document.getElementById("page-number").innerText = String(this.currentPage)
-        this.updateRange()
-    }
-    getEntryIndex(): number {
-        return this.entryIndex
-    }
-    setEntryIndex(entryIndex: number) {
-        this.entryIndex = entryIndex
-        this.updateRange()
-    }
-    getLoadedEntries(): PackageEntry[] {
-        return this.loadedEntries
-    }
-    getMaxPage(): number {
-        return this.loadedEntries.length / this.entriesPerPage
-    }
-    updateRange() {
-        let max = Math.min(this.entryIndex + this.entriesPerPage, this.loadedEntries.length)
-        document.getElementById("entry-counter").innerText = `${this.entryIndex}-${max} of ${this.loadedEntries.length}`
-    }
-}
-
-let STATE: State
-
-function prevPage() {
-    let current = STATE.getCurrentPage()
-    if (current > 1) {
-        STATE.setCurrentPage(STATE.getCurrentPage() - 1)
-    }
-}
-function nextPage() {
-    let current = STATE.getCurrentPage()
-    if (current < STATE.getMaxPage()) {
-        STATE.setCurrentPage(STATE.getCurrentPage() + 1)
-    }
-}
-
-document.addEventListener("DOMContentLoaded", () => {
-    STATE = new State()
-    STATE.updateRange()
-    document.getElementById("count").addEventListener("change", (event) => {
-        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
-    })
-})
--- a/cmd/pkgserver/ui/static/light.css
+++ b/cmd/pkgserver/ui/static/light.css
@@ -1,6 +0,0 @@
-@use 'common';
-html {
-  background-color: #d3d3d3;
-  color: black; }
-
-/*# sourceMappingURL=light.css.map */
--- a/cmd/pkgserver/ui/static/light.css.map
+++ b/cmd/pkgserver/ui/static/light.css.map
@@ -1,7 +0,0 @@
-{
-"version": 3,
-"mappings": "AAAA,aAAa;AAEb,IAAK;EACH,gBAAgB,EAAE,OAAO;EACzB,KAAK,EAAE,KAAK",
-"sources": ["light.scss"],
-"names": [],
-"file": "light.css"
-}
--- a/cmd/pkgserver/ui/static/light.scss
+++ b/cmd/pkgserver/ui/static/light.scss
@@ -1,6 +0,0 @@
-@use 'common';
-
-html {
-  background-color: #d3d3d3;
-  color: black;
-}
--- a/cmd/sharefs/fuse-operations.h
+++ b/cmd/sharefs/fuse-operations.h
@@ -7,8 +7,8 @@
 #endif

 #define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
-#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
-#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
 #define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */

 /* sharefs_private is populated by sharefs_init and contains process-wide context */
--- a/cmd/sharefs/fuse.go
+++ b/cmd/sharefs/fuse.go
@@ -19,22 +19,21 @@ import (
 	"encoding/gob"
 	"errors"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
+	"path/filepath"
 	"runtime"
 	"runtime/cgo"
 	"strconv"
 	"syscall"
 	"unsafe"

+	"hakurei.app/check"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/helper/proc"
 	"hakurei.app/internal/info"
@@ -85,7 +84,10 @@ func destroySetup(private_data unsafe.Pointer) (ok bool) {
 }

 //export sharefs_init
-func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.Pointer {
+func sharefs_init(
+	_ *C.struct_fuse_conn_info,
+	cfg *C.struct_fuse_config,
+) unsafe.Pointer {
 	ctx := C.fuse_get_context()
 	priv := (*C.struct_sharefs_private)(ctx.private_data)
 	setup := cgo.Handle(priv.setup).Value().(*setupState)
@@ -103,7 +105,11 @@ func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.
 	cfg.negative_timeout = 0

 	// all future filesystem operations happen through this dirfd
-	if fd, err := syscall.Open(setup.Source.String(), syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC, 0); err != nil {
+	if fd, err := syscall.Open(
+		setup.Source.String(),
+		syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC,
+		0,
+	); err != nil {
 		log.Printf("cannot open %q: %v", setup.Source, err)
 		goto fail
 	} else if err = syscall.Fchdir(fd); err != nil {
@@ -138,9 +144,9 @@ func sharefs_destroy(private_data unsafe.Pointer) {
 func showHelp(args *fuseArgs) {
 	executableName := sharefsName
 	if args.argc > 0 {
-		executableName = path.Base(C.GoString(*args.argv))
+		executableName = filepath.Base(C.GoString(*args.argv))
 	} else if name, err := os.Executable(); err == nil {
-		executableName = path.Base(name)
+		executableName = filepath.Base(name)
 	}

 	fmt.Printf("usage: %s [options] <mountpoint>\n\n", executableName)
@@ -169,8 +175,11 @@ func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
 		// Decimal string representation of gid to set when running as root.
 		setgid *C.char

-		// Decimal string representation of open file descriptor to read setupState from.
-		// This is an internal detail for containerisation and must not be specified directly.
+		// Decimal string representation of open file descriptor to read
+		// setupState from.
+		//
+		// This is an internal detail for containerisation and must not be
+		// specified directly.
 		setup *C.char
 	}

@@ -253,7 +262,8 @@ func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
 	return true
 }

-// copyArgs returns a heap allocated copy of an argument slice in fuse_args representation.
+// copyArgs returns a heap allocated copy of an argument slice in fuse_args
+// representation.
 func copyArgs(s ...string) fuseArgs {
 	if len(s) == 0 {
 		return fuseArgs{argc: 0, argv: nil, allocated: 0}
@@ -269,6 +279,7 @@ func copyArgs(s ...string) fuseArgs {
 func freeArgs(args *fuseArgs) { C.fuse_opt_free_args(args) }

 // unsafeAddArgument adds an argument to fuseArgs via fuse_opt_add_arg.
+//
 // The last byte of arg must be 0.
 func unsafeAddArgument(args *fuseArgs, arg string) {
 	C.fuse_opt_add_arg(args, (*C.char)(unsafe.Pointer(unsafe.StringData(arg))))
@@ -288,8 +299,8 @@ func _main(s ...string) (exitCode int) {
 	args := copyArgs(s...)
 	defer freeArgs(&args)

-	// this causes the kernel to enforce access control based on
-	// struct stat populated by sharefs_getattr
+	// this causes the kernel to enforce access control based on struct stat
+	// populated by sharefs_getattr
 	unsafeAddArgument(&args, "-odefault_permissions\x00")

 	var priv C.struct_sharefs_private
@@ -453,15 +464,19 @@ func _main(s ...string) (exitCode int) {
 			z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 		}
 		z.Bind(z.Path, z.Path, 0)
-		setup.Fuse = int(proc.ExtraFileSlice(&z.ExtraFiles, os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse")))
+		setup.Fuse = int(proc.ExtraFileSlice(
+			&z.ExtraFiles,
+			os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse"),
+		))

-		var setupWriter io.WriteCloser
-		if fd, w, err := container.Setup(&z.ExtraFiles); err != nil {
+		var setupPipe [2]*os.File
+		if r, w, err := os.Pipe(); err != nil {
 			log.Println(err)
 			return 5
 		} else {
-			z.Args = append(z.Args, "-osetup="+strconv.Itoa(fd))
-			setupWriter = w
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(3+len(z.ExtraFiles)))
+			z.ExtraFiles = append(z.ExtraFiles, r)
+			setupPipe[0], setupPipe[1] = r, w
 		}

 		if err := z.Start(); err != nil {
@@ -472,6 +487,9 @@ func _main(s ...string) (exitCode int) {
 			}
 			return 5
 		}
+		if err := setupPipe[0].Close(); err != nil {
+			log.Println(err)
+		}
 		if err := z.Serve(); err != nil {
 			if m, ok := message.GetMessage(err); ok {
 				log.Println(m)
@@ -481,10 +499,10 @@ func _main(s ...string) (exitCode int) {
 			return 5
 		}

-		if err := gob.NewEncoder(setupWriter).Encode(&setup); err != nil {
+		if err := gob.NewEncoder(setupPipe[1]).Encode(&setup); err != nil {
 			log.Println(err)
 			return 5
-		} else if err = setupWriter.Close(); err != nil {
+		} else if err = setupPipe[1].Close(); err != nil {
 			log.Println(err)
 		}

--- a/cmd/sharefs/fuse_test.go
+++ b/cmd/sharefs/fuse_test.go
@@ -6,7 +6,7 @@ import (
 	"reflect"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func TestParseOpts(t *testing.T) {
--- a/cmd/sharefs/main.go
+++ b/cmd/sharefs/main.go
@@ -1,3 +1,10 @@
+// The sharefs FUSE filesystem is a permissionless shared filesystem.
+//
+// This filesystem is the primary means of file sharing between hakurei
+// application containers. It serves the same purpose in Rosa OS as /sdcard
+// does in AOSP.
+//
+// See help message for all available options.
 package main

 import (
--- a/cmd/sharefs/test/raceattr.go
+++ b/cmd/sharefs/test/raceattr.go
@@ -0,0 +1,122 @@
+//go:build raceattr
+
+// The raceattr program reproduces vfs inode file attribute race.
+//
+// Even though libfuse high-level API presents the address of a struct stat
+// alongside struct fuse_context, file attributes are actually inherent to the
+// inode, instead of the specific call from userspace. The kernel implementation
+// in fs/fuse/xattr.c appears to make stale data in the inode (set by a previous
+// call) impossible or very unlikely to reach userspace via the stat family of
+// syscalls. However, when using default_permissions to have the VFS check
+// permissions, this race still happens, despite the resulting struct stat being
+// correct when overriding the check via capabilities otherwise.
+//
+// This program reproduces the failure, but because of its continuous nature, it
+// is provided independent of the vm integration test suite.
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"syscall"
+)
+
+func newStatAs(
+	ctx context.Context, cancel context.CancelFunc,
+	n *atomic.Uint64, ok *atomic.Bool,
+	uid uint32, pathname string,
+	continuous bool,
+) func() {
+	return func() {
+		runtime.LockOSThread()
+		defer cancel()
+
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_SETUID, uintptr(uid),
+			0, 0,
+		); errno != 0 {
+			cancel()
+			log.Printf("cannot set uid to %d: %s", uid, errno)
+		}
+
+		var stat syscall.Stat_t
+		for {
+			if ctx.Err() != nil {
+				return
+			}
+
+			if err := syscall.Lstat(pathname, &stat); err != nil {
+				// SHAREFS_PERM_DIR not world executable, or
+				// SHAREFS_PERM_REG not world readable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("uid %d: %v", uid, err)
+			} else if stat.Uid != uid {
+				// appears to be unreachable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("got uid %d instead of %d", stat.Uid, uid)
+			}
+			n.Add(1)
+		}
+	}
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("raceattr: ")
+
+	p := flag.String("target", "/sdcard/raceattr", "pathname of test file")
+	u0 := flag.Int("uid0", 1<<10-1, "first uid")
+	u1 := flag.Int("uid1", 1<<10-2, "second uid")
+	count := flag.Int("count", 1, "threads per uid")
+	continuous := flag.Bool("continuous", false, "keep running even after reproduce")
+	flag.Parse()
+
+	if os.Geteuid() != 0 {
+		log.Fatal("this program must run as root")
+	}
+
+	ctx, cancel := signal.NotifyContext(
+		context.Background(),
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGHUP,
+	)
+
+	if err := os.WriteFile(*p, nil, 0); err != nil {
+		log.Fatal(err)
+	}
+
+	var (
+		wg sync.WaitGroup
+
+		n  atomic.Uint64
+		ok atomic.Bool
+	)
+
+	if *count < 1 {
+		*count = 1
+	}
+	for range *count {
+		wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u0), *p, *continuous))
+		if *u1 >= 0 {
+			wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u1), *p, *continuous))
+		}
+	}
+
+	wg.Wait()
+	if !*continuous && ok.Load() {
+		log.Printf("reproduced after %d calls", n.Load())
+	}
+}
--- a/container/autoetc.go
+++ b/container/autoetc.go
@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(AutoEtcOp)) }
--- a/container/autoetc_test.go
+++ b/container/autoetc_test.go
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestAutoEtcOp(t *testing.T) {
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -4,8 +4,8 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 	"hakurei.app/message"
 )

--- a/container/autoroot_test.go
+++ b/container/autoroot_test.go
@@ -5,9 +5,9 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

--- a/container/capability.go
+++ b/container/capability.go
@@ -3,6 +3,8 @@ package container
 import (
 	"syscall"
 	"unsafe"
+
+	"hakurei.app/ext"
 )

 const (
@@ -51,15 +53,15 @@ func capset(hdrp *capHeader, datap *[2]capData) error {

 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
 func capBoundingSetDrop(cap uintptr) error {
-	return Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
+	return ext.Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
 }

 // capAmbientClearAll clears the ambient capability set of the calling thread.
 func capAmbientClearAll() error {
-	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
+	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
 }

 // capAmbientRaise adds to the ambient capability set of the calling thread.
 func capAmbientRaise(cap uintptr) error {
-	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
+	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
 }
--- a/container/container.go
+++ b/container/container.go
@@ -16,10 +16,12 @@ import (
 	. "syscall"
 	"time"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )

@@ -27,9 +29,6 @@ const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGUSR2
-
-	// Timeout for writing initParams to Container.setup.
-	initSetupTimeout = 5 * time.Second
 )

 type (
@@ -38,9 +37,13 @@ type (
 	Container struct {
 		// Whether the container init should stay alive after its parent terminates.
 		AllowOrphan bool
-		// Scheduling policy to set via sched_setscheduler(2). The zero value
-		// skips this call. Supported policies are [SCHED_BATCH], [SCHED_IDLE].
-		SchedPolicy int
+		// Whether to set SchedPolicy and SchedPriority via sched_setscheduler(2).
+		SetScheduler bool
+		// Scheduling policy to set via sched_setscheduler(2).
+		SchedPolicy ext.SchedPolicy
+		// Scheduling priority to set via sched_setscheduler(2). The zero value
+		// implies the minimum value supported by the current SchedPolicy.
+		SchedPriority ext.Int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container, with
@@ -48,7 +51,7 @@ type (
 		ExtraFiles []*os.File

 		// Write end of a pipe connected to the init to deliver [Params].
-		setup *os.File
+		setup [2]*os.File
 		// Cancels the context passed to the underlying cmd.
 		cancel context.CancelFunc
 		// Closed after Wait returns. Keeps the spawning thread alive.
@@ -181,31 +184,24 @@ var (
 	closeOnExecErr  error
 )

-// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
-// This is only ran once as it is intended to handle files left open by the parent, and any file opened
-// on this side should already have syscall.FD_CLOEXEC set.
+// ensureCloseOnExec ensures all currently open file descriptors have the
+// syscall.FD_CLOEXEC flag set.
+//
+// This is only ran once as it is intended to handle files left open by the
+// parent, and any file opened on this side should already have
+// syscall.FD_CLOEXEC set.
 func ensureCloseOnExec() error {
-	closeOnExecOnce.Do(func() {
-		const fdPrefixPath = "/proc/self/fd/"
-
-		var entries []os.DirEntry
-		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
-			return
-		}
-
-		var fd int
-		for _, ent := range entries {
-			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
-				break // not reached
-			}
-			CloseOnExec(fd)
-		}
-	})
+	closeOnExecOnce.Do(func() { closeOnExecErr = doCloseOnExec() })

 	if closeOnExecErr == nil {
 		return nil
 	}
-	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
+	return &StartError{
+		Fatal:       true,
+		Step:        "set FD_CLOEXEC on all open files",
+		Err:         closeOnExecErr,
+		Passthrough: true,
+	}
 }

 // Start starts the container init. The init process blocks until Serve is called.
@@ -289,14 +285,16 @@ func (p *Container) Start() error {
 	}

 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
+	if r, w, err := os.Pipe(); err != nil {
 		return &StartError{
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   err,
 		}
 	} else {
-		p.setup = f
+		fd := 3 + len(p.cmd.ExtraFiles)
+		p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, r)
+		p.setup[0], p.setup[1] = r, w
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
@@ -310,7 +308,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := SetNoNewPrivs(); err != nil {
+			if err := setNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -320,15 +318,17 @@ func (p *Container) Start() error {

 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				rulesetAttr := &landlock.RulesetAttr{
+					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
+				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}

-				if abi, err := LandlockGetABI(); err != nil {
-					if p.HostAbstract {
+				if abi, err := landlock.GetABI(); err != nil {
+					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
-						// to resources already covered by namespaces (pid)
+						// to resources already covered by namespaces (pid, net)
 						goto landlockOut
 					}
 					return &StartError{Step: "get landlock ABI", Err: err}
@@ -354,7 +354,7 @@ func (p *Container) Start() error {
 					}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
-					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,
@@ -373,16 +373,38 @@ func (p *Container) Start() error {

 			// sched_setscheduler: thread-directed but acts on all processes
 			// created from the calling thread
-			if p.SchedPolicy > 0 {
-				p.msg.Verbosef("setting scheduling policy %d", p.SchedPolicy)
+			if p.SetScheduler {
+				if p.SchedPolicy < 0 || p.SchedPolicy > ext.SCHED_LAST {
+					return &StartError{
+						Fatal: false,
+						Step:  "set scheduling policy",
+						Err:   EINVAL,
+					}
+				}
+
+				var param schedParam
+				if priority, err := p.SchedPolicy.GetPriorityMin(); err != nil {
+					return &StartError{
+						Fatal: true,
+						Step:  "get minimum priority",
+						Err:   err,
+					}
+				} else {
+					param.priority = max(priority, p.SchedPriority)
+				}
+
+				p.msg.Verbosef(
+					"setting scheduling policy %s priority %d",
+					p.SchedPolicy, param.priority,
+				)
 				if err := schedSetscheduler(
 					0, // calling thread
 					p.SchedPolicy,
-					&schedParam{0},
+					&param,
 				); err != nil {
 					return &StartError{
 						Fatal: true,
-						Step:  "enforce landlock ruleset",
+						Step:  "set scheduling policy",
 						Err:   err,
 					}
 				}
@@ -408,24 +430,33 @@ func (p *Container) Start() error {
 // Serve serves [Container.Params] to the container init.
 //
 // Serve must only be called once.
-func (p *Container) Serve() error {
-	if p.setup == nil {
+func (p *Container) Serve() (err error) {
+	if p.setup[0] == nil || p.setup[1] == nil {
 		panic("invalid serve")
 	}

-	setup := p.setup
-	p.setup = nil
-	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
+	done := make(chan struct{})
+	defer func() {
+		if closeErr := p.setup[1].Close(); err == nil {
+			err = closeErr
+		}
+
+		if err != nil {
+			p.cancel()
+		}
+		close(done)
+		p.setup[0], p.setup[1] = nil, nil
+	}()
+	if err = p.setup[0].Close(); err != nil {
 		return &StartError{
 			Fatal:       true,
-			Step:        "set init pipe deadline",
+			Step:        "close read end of init pipe",
 			Err:         err,
 			Passthrough: true,
 		}
 	}

 	if p.Path == nil {
-		p.cancel()
 		return &StartError{
 			Step:   "invalid executable pathname",
 			Err:    EINVAL,
@@ -441,18 +472,27 @@ func (p *Container) Serve() error {
 		p.SeccompRules = make([]std.NativeRule, 0)
 	}

-	err := gob.NewEncoder(setup).Encode(&initParams{
+	t := time.Now().UTC()
+	go func(f *os.File) {
+		select {
+		case <-p.ctx.Done():
+			if cancelErr := f.SetWriteDeadline(t); cancelErr != nil {
+				p.msg.Verbose(err)
+			}
+
+		case <-done:
+			p.msg.Verbose("setup payload took", time.Since(t))
+			return
+		}
+	}(p.setup[1])
+
+	return gob.NewEncoder(p.setup[1]).Encode(&initParams{
 		p.Params,
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
 		p.msg.IsVerbose(),
 	})
-	_ = setup.Close()
-	if err != nil {
-		p.cancel()
-	}
-	return err
 }

 // Wait blocks until the container init process to exit and releases any
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -16,18 +16,21 @@ import (
 	"strings"
 	"syscall"
 	"testing"
-	"time"

+	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/vfs"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
+	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 // Note: this package requires cgo, which is unavailable in the Go playground.
@@ -83,9 +86,9 @@ func TestStartError(t *testing.T) {
 		{"params env", &container.StartError{
 			Fatal: true,
 			Step:  "set up params stream",
-			Err:   container.ErrReceiveEnv,
+			Err:   params.ErrReceiveEnv,
 		}, "set up params stream: environment variable not set",
-			container.ErrReceiveEnv, syscall.EBADF,
+			params.ErrReceiveEnv, syscall.EBADF,
 			"cannot set up params stream: environment variable not set"},

 		{"params", &container.StartError{
@@ -258,7 +261,7 @@ var containerTestCases = []struct {
 		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: ext.SyscallNum(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},

 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
@@ -435,11 +438,8 @@ func TestContainer(t *testing.T) {
 			wantOps, wantOpsCtx := tc.ops(t)
 			wantMnt := tc.mnt(t, wantOpsCtx)

-			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
-			defer cancel()
-
 			var libPaths []*check.Absolute
-			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
+			c := helperNewContainerLibPaths(t.Context(), &libPaths, "container", strconv.Itoa(i))
 			c.Uid = tc.uid
 			c.Gid = tc.gid
 			c.Hostname = hostnameFromTestCase(tc.name)
@@ -449,7 +449,6 @@ func TestContainer(t *testing.T) {
 			} else {
 				c.Stdout, c.Stderr = os.Stdout, os.Stderr
 			}
-			c.WaitDelay = helperDefaultTimeout
 			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
@@ -457,6 +456,15 @@ func TestContainer(t *testing.T) {
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
+			if info.CanDegrade {
+				if _, err := landlock.GetABI(); err != nil {
+					if !errors.Is(err, syscall.ENOSYS) {
+						t.Fatalf("LandlockGetABI: error = %v", err)
+					}
+					c.HostAbstract = true
+					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
+				}
+			}

 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -552,11 +560,10 @@ func testContainerCancel(
 ) func(t *testing.T) {
 	return func(t *testing.T) {
 		t.Parallel()
-		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
+		ctx, cancel := context.WithCancel(t.Context())

 		c := helperNewContainer(ctx, "block")
 		c.Stdout, c.Stderr = os.Stdout, os.Stderr
-		c.WaitDelay = helperDefaultTimeout
 		if containerExtra != nil {
 			containerExtra(c)
 		}
@@ -737,8 +744,7 @@ func init() {
 const (
 	envDoCheck = "HAKUREI_TEST_DO_CHECK"

-	helperDefaultTimeout = 5 * time.Second
-	helperInnerPath      = "/usr/bin/helper"
+	helperInnerPath = "/usr/bin/helper"
 )

 var (
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -1,8 +1,10 @@
 package container

 import (
+	"context"
 	"io"
 	"io/fs"
+	"net"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -12,6 +14,9 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/internal/netlink"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )

@@ -52,7 +57,7 @@ type syscallDispatcher interface {
 	// isatty provides [Isatty].
 	isatty(fd int) bool
 	// receive provides [Receive].
-	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
+	receive(key string, e any, fdp *int) (closeFunc func() error, err error)

 	// bindMount provides procPaths.bindMount.
 	bindMount(msg message.Msg, source, target string, flags uintptr) error
@@ -63,7 +68,7 @@ type syscallDispatcher interface {
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
-	mustLoopback(msg message.Msg)
+	mustLoopback(ctx context.Context, msg message.Msg)

 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -141,18 +146,18 @@ func (k direct) new(f func(k syscallDispatcher)) { go f(k) }

 func (direct) lockOSThread() { runtime.LockOSThread() }

-func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
-func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
+func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }

 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
 func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
-func (direct) isatty(fd int) bool                              { return Isatty(fd) }
-func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
-	return Receive(key, e, fdp)
+func (direct) isatty(fd int) bool                              { return ext.Isatty(fd) }
+func (direct) receive(key string, e any, fdp *int) (func() error, error) {
+	return params.Receive(key, e, fdp)
 }

 func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {
@@ -167,7 +172,50 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
-func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
+func (direct) mustLoopback(ctx context.Context, msg message.Msg) {
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		msg.GetLogger().Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	c, err := netlink.DialRoute(0)
+	if err != nil {
+		msg.GetLogger().Fatalln(err)
+	}
+
+	must := func(err error) {
+		if err == nil {
+			return
+		}
+		if closeErr := c.Close(); closeErr != nil {
+			msg.Verbosef("cannot close RTNETLINK: %v", closeErr)
+		}
+
+		switch err.(type) {
+		case *os.SyscallError:
+			msg.GetLogger().Fatalf("cannot %v", err)
+
+		case syscall.Errno:
+			msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+		default:
+			if err == context.DeadlineExceeded || err == context.Canceled {
+				msg.GetLogger().Fatalf("interrupted RTNETLINK operation")
+			}
+			msg.GetLogger().Fatal("RTNETLINK answers with malformed message")
+		}
+	}
+	must(c.SendNewaddrLo(ctx, uint32(lo)))
+	must(c.SendIfInfomsg(ctx, syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
+		Family: syscall.AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  syscall.IFF_UP,
+		Change: syscall.IFF_UP,
+	}))
+	must(c.Close())
+}

 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -2,6 +2,7 @@ package container

 import (
 	"bytes"
+	"context"
 	"fmt"
 	"io"
 	"io/fs"
@@ -18,7 +19,7 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

@@ -389,7 +390,7 @@ func (k *kstub) isatty(fd int) bool {
 	return expect.Ret.(bool)
 }

-func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
+func (k *kstub) receive(key string, e any, fdp *int) (closeFunc func() error, err error) {
 	k.Helper()
 	expect := k.Expects("receive")

@@ -407,10 +408,17 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 		}
 		return nil
 	}
+
+	// avoid changing test cases
+	var fdpComp *uintptr
+	if fdp != nil {
+		fdpComp = new(uintptr(*fdp))
+	}
+
 	err = expect.Error(
 		stub.CheckArg(k.Stub, "key", key, 0),
 		stub.CheckArgReflect(k.Stub, "e", e, 1),
-		stub.CheckArgReflect(k.Stub, "fdp", fdp, 2))
+		stub.CheckArgReflect(k.Stub, "fdp", fdpComp, 2))

 	// 3 is unused so stores params
 	if expect.Args[3] != nil {
@@ -425,7 +433,7 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 	if expect.Args[4] != nil {
 		if v, ok := expect.Args[4].(uintptr); ok && v >= 3 {
 			if fdp != nil {
-				*fdp = v
+				*fdp = int(v)
 			}
 		}
 	}
@@ -468,7 +476,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }

-func (*kstub) mustLoopback(message.Msg) { /* noop */ }
+func (*kstub) mustLoopback(context.Context, message.Msg) { /* noop */ }

 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
--- a/container/errors.go
+++ b/container/errors.go
@@ -5,9 +5,9 @@ import (
 	"os"
 	"syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 // messageFromError returns a printable error message for a supported concrete type.
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -8,9 +8,9 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
+	"hakurei.app/vfs"
 )

 func TestMessageFromError(t *testing.T) {
--- a/container/executable.go
+++ b/container/executable.go
@@ -1,37 +0,0 @@
-package container
-
-import (
-	"fmt"
-	"log"
-	"os"
-	"sync"
-
-	"hakurei.app/message"
-)
-
-var (
-	executable     string
-	executableOnce sync.Once
-)
-
-func copyExecutable(msg message.Msg) {
-	if name, err := os.Executable(); err != nil {
-		m := fmt.Sprintf("cannot read executable path: %v", err)
-		if msg != nil {
-			msg.BeforeExit()
-			msg.GetLogger().Fatal(m)
-		} else {
-			log.Fatal(m)
-		}
-	} else {
-		executable = name
-	}
-}
-
-// MustExecutable calls [os.Executable] and terminates the process on error.
-//
-// Deprecated: This is no longer used and will be removed in 0.4.
-func MustExecutable(msg message.Msg) string {
-	executableOnce.Do(func() { copyExecutable(msg) })
-	return executable
-}
--- a/container/executable_test.go
+++ b/container/executable_test.go
@@ -1,18 +0,0 @@
-package container_test
-
-import (
-	"os"
-	"testing"
-
-	"hakurei.app/container"
-	"hakurei.app/message"
-)
-
-func TestExecutable(t *testing.T) {
-	t.Parallel()
-	for i := 0; i < 16; i++ {
-		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
-			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
-		}
-	}
-}
--- a/container/init.go
+++ b/container/init.go
@@ -7,7 +7,8 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path"
+	"os/signal"
+	"path/filepath"
 	"slices"
 	"strconv"
 	"sync"
@@ -15,8 +16,10 @@ import (
 	. "syscall"
 	"time"

-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )

@@ -145,44 +148,46 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	var (
-		params      initParams
-		closeSetup  func() error
-		setupFd     uintptr
-		offsetSetup int
+		param      initParams
+		closeSetup func() error
+		setupFd    int
 	)
-	if f, err := k.receive(setupEnv, &params, &setupFd); err != nil {
+	if f, err := k.receive(setupEnv, &param, &setupFd); err != nil {
 		if errors.Is(err, EBADF) {
 			k.fatal(msg, "invalid setup descriptor")
 		}
-		if errors.Is(err, ErrReceiveEnv) {
+		if errors.Is(err, params.ErrReceiveEnv) {
 			k.fatal(msg, setupEnv+" not set")
 		}

 		k.fatalf(msg, "cannot decode init setup payload: %v", err)
 	} else {
-		if params.Ops == nil {
+		if param.Ops == nil {
 			k.fatal(msg, "invalid setup parameters")
 		}
-		if params.ParentPerm == 0 {
-			params.ParentPerm = 0755
+		if param.ParentPerm == 0 {
+			param.ParentPerm = 0755
 		}

-		msg.SwapVerbose(params.Verbose)
+		msg.SwapVerbose(param.Verbose)
 		msg.Verbose("received setup parameters")
 		closeSetup = f
-		offsetSetup = int(setupFd + 1)
 	}

-	if !params.HostNet {
-		k.mustLoopback(msg)
+	if !param.HostNet {
+		ctx, cancel := signal.NotifyContext(context.Background(), CancelSignal,
+			os.Interrupt, SIGTERM, SIGQUIT)
+		defer cancel() // for panics
+		k.mustLoopback(ctx, msg)
+		cancel()
 	}

 	// write uid/gid map here so parent does not need to set dumpable
-	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
+	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/uid_map",
-		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
+		append([]byte{}, strconv.Itoa(param.Uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"...),
 		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -192,17 +197,17 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
+		append([]byte{}, strconv.Itoa(param.Gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"...),
 		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
+	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err)
 	}

 	oldmask := k.umask(0)
-	if params.Hostname != "" {
-		if err := k.sethostname([]byte(params.Hostname)); err != nil {
+	if param.Hostname != "" {
+		if err := k.sethostname([]byte(param.Hostname)); err != nil {
 			k.fatalf(msg, "cannot set hostname: %v", err)
 		}
 	}
@@ -215,7 +220,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	ctx, cancel := context.WithCancel(context.Background())
-	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
+	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()

 	/* early is called right before pivot_root into intermediate root;
@@ -223,7 +228,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	difficult to obtain via library functions after pivot_root, and
 	implementations are expected to avoid changing the state of the mount
 	namespace */
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		if op == nil || !op.Valid() {
 			k.fatalf(msg, "invalid op at index %d", i)
 		}
@@ -266,7 +271,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	step sets up the container filesystem, and implementations are expected to
 	keep the host root and sysroot mount points intact but otherwise can do
 	whatever they need to. Calling chdir is allowed but discouraged. */
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if prefix, ok := op.prefix(); ok {
 			msg.Verbosef("%s %s", prefix, op)
@@ -290,7 +295,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {

 	{
 		var fd int
-		if err := IgnoringEINTR(func() (err error) {
+		if err := ext.IgnoringEINTR(func() (err error) {
 			fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {
@@ -322,7 +327,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
 	for i := uintptr(0); i <= lastcap; i++ {
-		if params.Privileged && i == CAP_SYS_ADMIN {
+		if param.Privileged && i == CAP_SYS_ADMIN {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -331,7 +336,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	var keep [2]uint32
-	if params.Privileged {
+	if param.Privileged {
 		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)

 		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
@@ -345,13 +350,13 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}

-	if !params.SeccompDisable {
-		rules := params.SeccompRules
+	if !param.SeccompDisable {
+		rules := param.SeccompRules
 		if len(rules) == 0 { // non-empty rules slice always overrides presets
-			msg.Verbosef("resolving presets %#x", params.SeccompPresets)
-			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
+			msg.Verbosef("resolving presets %#x", param.SeccompPresets)
+			rules = seccomp.Preset(param.SeccompPresets, param.SeccompFlags)
 		}
-		if err := k.seccompLoad(rules, params.SeccompFlags); err != nil {
+		if err := k.seccompLoad(rules, param.SeccompFlags); err != nil {
 			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			k.fatalf(msg, "cannot load syscall filter: %v", err)
 		}
@@ -360,10 +365,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		msg.Verbose("syscall filter not configured")
 	}

-	extraFiles := make([]*os.File, params.Count)
+	extraFiles := make([]*os.File, param.Count)
 	for i := range extraFiles {
 		// setup fd is placed before all extra files
-		extraFiles[i] = k.newFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
+		extraFiles[i] = k.newFile(uintptr(setupFd+1+i), "extra file "+strconv.Itoa(i))
 	}
 	k.umask(oldmask)

@@ -441,7 +446,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {

 	// called right before startup of initial process, all state changes to the
 	// current process is prohibited during late
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if err := op.late(state, k); err != nil {
 			if m, ok := messageFromError(err); ok {
@@ -462,14 +467,14 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}

-	cmd := exec.Command(params.Path.String())
+	cmd := exec.Command(param.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Args = params.Args
-	cmd.Env = params.Env
+	cmd.Args = param.Args
+	cmd.Env = param.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir.String()
+	cmd.Dir = param.Dir.String()

-	msg.Verbosef("starting initial process %s", params.Path)
+	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -487,9 +492,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	for {
 		select {
 		case s := <-sig:
-			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
+			if s == CancelSignal && param.ForwardCancel && cmd.Process != nil {
 				msg.Verbose("forwarding context cancellation")
-				if err := k.signal(cmd, os.Interrupt); err != nil {
+				if err := k.signal(cmd, os.Interrupt); err != nil && !errors.Is(err, os.ErrProcessDone) {
 					k.printf(msg, "cannot forward cancellation: %v", err)
 				}
 				continue
@@ -519,7 +524,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 				cancel()

 				// start timeout early
-				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
+				go func() { time.Sleep(param.AdoptWaitDelay); close(timeout) }()

 				// close initial process files; this also keeps them alive
 				for _, f := range extraFiles {
@@ -563,7 +568,7 @@ func TryArgv0(msg message.Msg) {
 		msg = message.New(log.Default())
 	}

-	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {
+	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == initName {
 		Init(msg)
 		msg.BeforeExit()
 		os.Exit(0)
--- a/container/init_test.go
+++ b/container/init_test.go
@@ -7,10 +7,11 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/params"
+	"hakurei.app/internal/stub"
 )

 func TestInitEntrypoint(t *testing.T) {
@@ -40,7 +41,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
 				call("getpid", stub.ExpectArgs{}, 1, nil),
 				call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
-				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, ErrReceiveEnv),
+				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, params.ErrReceiveEnv),
 				call("fatal", stub.ExpectArgs{[]any{"HAKUREI_SETUP not set"}}, nil, nil),
 			},
 		}, nil},
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -6,7 +6,7 @@ import (
 	"os"
 	"syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
 )

--- a/container/initbind_test.go
+++ b/container/initbind_test.go
@@ -6,9 +6,9 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestBindMountOp(t *testing.T) {
--- a/container/initdaemon.go
+++ b/container/initdaemon.go
@@ -12,8 +12,8 @@ import (
 	"syscall"
 	"time"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(DaemonOp)) }
--- a/container/initdaemon_test.go
+++ b/container/initdaemon_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

--- a/container/initdev.go
+++ b/container/initdev.go
@@ -3,11 +3,11 @@ package container
 import (
 	"encoding/gob"
 	"fmt"
-	"path"
+	"path/filepath"
 	. "syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(MountDevOp)) }
@@ -46,7 +46,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}

 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
-		targetPath := path.Join(target, name)
+		targetPath := filepath.Join(target, name)
 		if err := k.ensureFile(targetPath, 0444, state.ParentPerm); err != nil {
 			return err
 		}
@@ -62,7 +62,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	for i, name := range []string{"stdin", "stdout", "stderr"} {
 		if err := k.symlink(
 			fhs.Proc+"self/fd/"+string(rune(i+'0')),
-			path.Join(target, name),
+			filepath.Join(target, name),
 		); err != nil {
 			return err
 		}
@@ -72,13 +72,13 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 		{fhs.Proc + "kcore", "core"},
 		{"pts/ptmx", "ptmx"},
 	} {
-		if err := k.symlink(pair[0], path.Join(target, pair[1])); err != nil {
+		if err := k.symlink(pair[0], filepath.Join(target, pair[1])); err != nil {
 			return err
 		}
 	}

-	devShmPath := path.Join(target, "shm")
-	devPtsPath := path.Join(target, "pts")
+	devShmPath := filepath.Join(target, "shm")
+	devPtsPath := filepath.Join(target, "pts")
 	for _, name := range []string{devShmPath, devPtsPath} {
 		if err := k.mkdir(name, state.ParentPerm); err != nil {
 			return err
@@ -92,7 +92,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {

 	if state.RetainSession {
 		if k.isatty(Stdout) {
-			consolePath := path.Join(target, "console")
+			consolePath := filepath.Join(target, "console")
 			if err := k.ensureFile(consolePath, 0444, state.ParentPerm); err != nil {
 				return err
 			}
@@ -110,7 +110,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}

 	if d.Mqueue {
-		mqueueTarget := path.Join(target, "mqueue")
+		mqueueTarget := filepath.Join(target, "mqueue")
 		if err := k.mkdir(mqueueTarget, state.ParentPerm); err != nil {
 			return err
 		}
--- a/container/initdev_test.go
+++ b/container/initdev_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountDevOp(t *testing.T) {
--- a/container/initmkdir.go
+++ b/container/initmkdir.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MkdirOp)) }
--- a/container/initmkdir_test.go
+++ b/container/initmkdir_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMkdirOp(t *testing.T) {
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -6,8 +6,8 @@ import (
 	"slices"
 	"strings"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 const (
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountOverlayOp(t *testing.T) {
--- a/container/initplace.go
+++ b/container/initplace.go
@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 const (
--- a/container/initplace_test.go
+++ b/container/initplace_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestTmpfileOp(t *testing.T) {
--- a/container/initproc.go
+++ b/container/initproc.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	. "syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MountProcOp)) }
--- a/container/initproc_test.go
+++ b/container/initproc_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountProcOp(t *testing.T) {
--- a/container/initremount.go
+++ b/container/initremount.go
@@ -4,7 +4,7 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(RemountOp)) }
--- a/container/initremount_test.go
+++ b/container/initremount_test.go
@@ -4,8 +4,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestRemountOp(t *testing.T) {
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -3,9 +3,9 @@ package container
 import (
 	"encoding/gob"
 	"fmt"
-	"path"
+	"path/filepath"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(SymlinkOp)) }
@@ -30,7 +30,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN

 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
-		if !path.IsAbs(l.LinkName) {
+		if !filepath.IsAbs(l.LinkName) {
 			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
@@ -44,7 +44,7 @@ func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {

 func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	target := toSysroot(l.Target.String())
-	if err := k.mkdirAll(path.Dir(target), state.ParentPerm); err != nil {
+	if err := k.mkdirAll(filepath.Dir(target), state.ParentPerm); err != nil {
 		return err
 	}
 	return k.symlink(l.LinkName, target)
--- a/container/initsymlink_test.go
+++ b/container/initsymlink_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestSymlinkOp(t *testing.T) {
--- a/container/inittmpfs.go
+++ b/container/inittmpfs.go
@@ -8,7 +8,7 @@ import (
 	"strconv"
 	. "syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MountTmpfsOp)) }
--- a/container/inittmpfs_test.go
+++ b/container/inittmpfs_test.go
@@ -5,8 +5,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountTmpfsOp(t *testing.T) {
--- a/container/landlock_test.go
+++ b/container/landlock_test.go
@@ -1,65 +0,0 @@
-package container_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/container"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *container.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(container.RulesetAttr), "0"},
-		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &container.RulesetAttr{
-			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &container.RulesetAttr{
-			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
-				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				container.LANDLOCK_ACCESS_FS_MAKE_REG |
-				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				container.LANDLOCK_ACCESS_FS_REFER |
-				container.LANDLOCK_ACCESS_FS_TRUNCATE |
-				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
-				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}
--- a/container/mount.go
+++ b/container/mount.go
@@ -6,8 +6,9 @@ import (
 	"os"
 	. "syscall"

-	"hakurei.app/container/vfs"
+	"hakurei.app/ext"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 /*
@@ -115,7 +116,7 @@ func (p *procPaths) remount(msg message.Msg, target string, flags uintptr) error
 	var targetKFinal string
 	{
 		var destFd int
-		if err := IgnoringEINTR(func() (err error) {
+		if err := ext.IgnoringEINTR(func() (err error) {
 			destFd, err = p.k.open(targetFinal, O_PATH|O_CLOEXEC, 0)
 			return
 		}); err != nil {
--- a/container/mount_test.go
+++ b/container/mount_test.go
@@ -5,8 +5,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/stub"
-	"hakurei.app/container/vfs"
+	"hakurei.app/internal/stub"
+	"hakurei.app/vfs"
 )

 func TestBindMount(t *testing.T) {
--- a/container/netlink.go
+++ b/container/netlink.go
@@ -1,269 +0,0 @@
-package container
-
-import (
-	"encoding/binary"
-	"errors"
-	"net"
-	"os"
-	. "syscall"
-	"unsafe"
-
-	"hakurei.app/container/std"
-	"hakurei.app/message"
-)
-
-// rtnetlink represents a NETLINK_ROUTE socket.
-type rtnetlink struct {
-	// Sent as part of rtnetlink messages.
-	pid uint32
-	// AF_NETLINK socket.
-	fd int
-	// Whether the socket is open.
-	ok bool
-	// Message sequence number.
-	seq uint32
-}
-
-// open creates the underlying NETLINK_ROUTE socket.
-func (s *rtnetlink) open() (err error) {
-	if s.ok || s.fd < 0 {
-		return os.ErrInvalid
-	}
-
-	s.pid = uint32(Getpid())
-	if s.fd, err = Socket(
-		AF_NETLINK,
-		SOCK_RAW|SOCK_CLOEXEC,
-		NETLINK_ROUTE,
-	); err != nil {
-		return os.NewSyscallError("socket", err)
-	} else if err = Bind(s.fd, &SockaddrNetlink{
-		Family: AF_NETLINK,
-		Pid:    s.pid,
-	}); err != nil {
-		_ = s.close()
-		return os.NewSyscallError("bind", err)
-	} else {
-		s.ok = true
-		return nil
-	}
-}
-
-// close closes the underlying NETLINK_ROUTE socket.
-func (s *rtnetlink) close() error {
-	if !s.ok {
-		return os.ErrInvalid
-	}
-
-	s.ok = false
-	err := Close(s.fd)
-	s.fd = -1
-	return err
-}
-
-// roundtrip sends a netlink message and handles the reply.
-func (s *rtnetlink) roundtrip(data []byte) error {
-	if !s.ok {
-		return os.ErrInvalid
-	}
-
-	defer func() { s.seq++ }()
-
-	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
-		Family: AF_NETLINK,
-	}); err != nil {
-		return os.NewSyscallError("sendto", err)
-	}
-	buf := make([]byte, Getpagesize())
-
-done:
-	for {
-		p := buf
-		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
-			return os.NewSyscallError("recvfrom", err)
-		} else if n < NLMSG_HDRLEN {
-			return errors.ErrUnsupported
-		} else {
-			p = p[:n]
-		}
-
-		if msgs, err := ParseNetlinkMessage(p); err != nil {
-			return err
-		} else {
-			for _, m := range msgs {
-				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
-					return errors.ErrUnsupported
-				}
-				if m.Header.Type == NLMSG_DONE {
-					break done
-				}
-				if m.Header.Type == NLMSG_ERROR {
-					if len(m.Data) >= 4 {
-						errno := Errno(-std.Int(binary.NativeEndian.Uint32(m.Data)))
-						if errno == 0 {
-							return nil
-						}
-						return errno
-					}
-					return errors.ErrUnsupported
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
-// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
-func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
-	err := s.roundtrip(data)
-	if err == nil {
-		return
-	}
-	if closeErr := Close(s.fd); closeErr != nil {
-		msg.Verbosef("cannot close: %v", err)
-	}
-
-	switch err.(type) {
-	case *os.SyscallError:
-		msg.GetLogger().Fatalf("cannot %v", err)
-
-	case Errno:
-		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
-
-	default:
-		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
-	}
-}
-
-// newaddrLo represents a RTM_NEWADDR message with two addresses.
-type newaddrLo struct {
-	header NlMsghdr
-	data   IfAddrmsg
-
-	r0 RtAttr
-	a0 [4]byte // in_addr
-	r1 RtAttr
-	a1 [4]byte // in_addr
-}
-
-// sizeofNewaddrLo is the expected size of newaddrLo.
-const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
-
-// newaddrLo returns the address of a populated newaddrLo.
-func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
-	return &newaddrLo{NlMsghdr{
-		Len:   sizeofNewaddrLo,
-		Type:  RTM_NEWADDR,
-		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
-		Seq:   s.seq,
-		Pid:   s.pid,
-	}, IfAddrmsg{
-		Family:    AF_INET,
-		Prefixlen: 8,
-		Flags:     IFA_F_PERMANENT,
-		Scope:     RT_SCOPE_HOST,
-		Index:     uint32(lo),
-	}, RtAttr{
-		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
-		Type: IFA_LOCAL,
-	}, [4]byte{127, 0, 0, 1}, RtAttr{
-		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
-		Type: IFA_ADDRESS,
-	}, [4]byte{127, 0, 0, 1}}
-}
-
-func (msg *newaddrLo) toWireFormat() []byte {
-	var buf [sizeofNewaddrLo]byte
-
-	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
-	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
-	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
-	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
-	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
-
-	buf[16] = msg.data.Family
-	buf[17] = msg.data.Prefixlen
-	buf[18] = msg.data.Flags
-	buf[19] = msg.data.Scope
-	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
-
-	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
-	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
-	copy(buf[28:32], msg.a0[:])
-	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
-	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
-	copy(buf[36:40], msg.a1[:])
-
-	return buf[:]
-}
-
-// newlinkLo represents a RTM_NEWLINK message.
-type newlinkLo struct {
-	header NlMsghdr
-	data   IfInfomsg
-}
-
-// sizeofNewlinkLo is the expected size of newlinkLo.
-const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
-
-// newlinkLo returns the address of a populated newlinkLo.
-func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
-	return &newlinkLo{NlMsghdr{
-		Len:   sizeofNewlinkLo,
-		Type:  RTM_NEWLINK,
-		Flags: NLM_F_REQUEST | NLM_F_ACK,
-		Seq:   s.seq,
-		Pid:   s.pid,
-	}, IfInfomsg{
-		Family: AF_UNSPEC,
-		Index:  int32(lo),
-		Flags:  IFF_UP,
-		Change: IFF_UP,
-	}}
-}
-
-func (msg *newlinkLo) toWireFormat() []byte {
-	var buf [sizeofNewlinkLo]byte
-
-	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
-	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
-	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
-	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
-	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
-
-	buf[16] = msg.data.Family
-	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
-	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
-	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
-	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
-
-	return buf[:]
-}
-
-// mustLoopback creates the loopback address and brings the lo interface up.
-// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
-// user-facing error message if RTNETLINK behaves unexpectedly.
-func mustLoopback(msg message.Msg) {
-	log := msg.GetLogger()
-
-	var lo int
-	if ifi, err := net.InterfaceByName("lo"); err != nil {
-		log.Fatalln(err)
-	} else {
-		lo = ifi.Index
-	}
-
-	var s rtnetlink
-	if err := s.open(); err != nil {
-		log.Fatalln(err)
-	}
-	defer func() {
-		if err := s.close(); err != nil {
-			msg.Verbosef("cannot close netlink: %v", err)
-		}
-	}()
-
-	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
-	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
-}
--- a/container/netlink_test.go
+++ b/container/netlink_test.go
@@ -1,72 +0,0 @@
-package container
-
-import (
-	"testing"
-	"unsafe"
-)
-
-func TestSizeof(t *testing.T) {
-	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
-		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
-	}
-
-	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
-		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
-	}
-}
-
-func TestRtnetlinkMessage(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name string
-		msg  interface{ toWireFormat() []byte }
-		want []byte
-	}{
-		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
-			/* Len   */ 0x28, 0, 0, 0,
-			/* Type  */ 0x14, 0,
-			/* Flags */ 5, 6,
-			/* Seq   */ 0, 0, 0, 0,
-			/* Pid   */ 1, 0, 0, 0,
-
-			/* Family    */ 2,
-			/* Prefixlen */ 8,
-			/* Flags     */ 0x80,
-			/* Scope     */ 0xfe,
-			/* Index     */ 1, 0, 0, 0,
-
-			/* Len     */ 8, 0,
-			/* Type    */ 2, 0,
-			/* in_addr */ 127, 0, 0, 1,
-
-			/* Len     */ 8, 0,
-			/* Type    */ 1, 0,
-			/* in_addr */ 127, 0, 0, 1,
-		}},
-
-		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
-			/* Len   */ 0x20, 0, 0, 0,
-			/* Type  */ 0x10, 0,
-			/* Flags */ 5, 0,
-			/* Seq   */ 1, 0, 0, 0,
-			/* Pid   */ 1, 0, 0, 0,
-
-			/* Family */ 0,
-			/* pad    */ 0,
-			/* Type   */ 0, 0,
-			/* Index  */ 1, 0, 0, 0,
-			/* Flags  */ 1, 0, 0, 0,
-			/* Change */ 1, 0, 0, 0,
-		}},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
-				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
-			}
-		})
-	}
-}
--- a/container/params.go
+++ b/container/params.go
@@ -1,47 +0,0 @@
-package container
-
-import (
-	"encoding/gob"
-	"errors"
-	"os"
-	"strconv"
-	"syscall"
-)
-
-// Setup appends the read end of a pipe for setup params transmission and returns its fd.
-func Setup(extraFiles *[]*os.File) (int, *os.File, error) {
-	if r, w, err := os.Pipe(); err != nil {
-		return -1, nil, err
-	} else {
-		fd := 3 + len(*extraFiles)
-		*extraFiles = append(*extraFiles, r)
-		return fd, w, nil
-	}
-}
-
-var (
-	ErrReceiveEnv = errors.New("environment variable not set")
-)
-
-// Receive retrieves setup fd from the environment and receives params.
-func Receive(key string, e any, fdp *uintptr) (func() error, error) {
-	var setup *os.File
-
-	if s, ok := os.LookupEnv(key); !ok {
-		return nil, ErrReceiveEnv
-	} else {
-		if fd, err := strconv.Atoi(s); err != nil {
-			return nil, optionalErrorUnwrap(err)
-		} else {
-			setup = os.NewFile(uintptr(fd), "setup")
-			if setup == nil {
-				return nil, syscall.EDOM
-			}
-			if fdp != nil {
-				*fdp = setup.Fd()
-			}
-		}
-	}
-
-	return setup.Close, gob.NewDecoder(setup).Decode(e)
-}
--- a/container/path.go
+++ b/container/path.go
@@ -4,13 +4,13 @@ import (
 	"errors"
 	"io/fs"
 	"os"
-	"path"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"syscall"

-	"hakurei.app/container/fhs"
-	"hakurei.app/container/vfs"
+	"hakurei.app/fhs"
+	"hakurei.app/vfs"
 )

 const (
@@ -29,16 +29,16 @@ const (

 func toSysroot(name string) string {
 	name = strings.TrimLeftFunc(name, func(r rune) bool { return r == '/' })
-	return path.Join(sysrootPath, name)
+	return filepath.Join(sysrootPath, name)
 }

 func toHost(name string) string {
 	name = strings.TrimLeftFunc(name, func(r rune) bool { return r == '/' })
-	return path.Join(hostPath, name)
+	return filepath.Join(hostPath, name)
 }

 func createFile(name string, perm, pperm os.FileMode, content []byte) error {
-	if err := os.MkdirAll(path.Dir(name), pperm); err != nil {
+	if err := os.MkdirAll(filepath.Dir(name), pperm); err != nil {
 		return err
 	}
 	f, err := os.OpenFile(name, syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY, perm)
--- a/container/path_test.go
+++ b/container/path_test.go
@@ -4,14 +4,14 @@ import (
 	"io"
 	"math"
 	"os"
-	"path"
+	"path/filepath"
 	"reflect"
 	"syscall"
 	"testing"
 	"unsafe"

-	"hakurei.app/container/check"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
+	"hakurei.app/vfs"
 )

 func TestToSysroot(t *testing.T) {
@@ -61,7 +61,7 @@ func TestCreateFile(t *testing.T) {
 				Path: "/proc/nonexistent",
 				Err:  syscall.ENOENT,
 			}
-			if err := createFile(path.Join(Nonexistent, ":3"), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
+			if err := createFile(filepath.Join(Nonexistent, ":3"), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
 				t.Errorf("createFile: error = %#v, want %#v", err, wantErr)
 			}
 		})
@@ -72,7 +72,7 @@ func TestCreateFile(t *testing.T) {
 				Path: "/proc/nonexistent",
 				Err:  syscall.ENOENT,
 			}
-			if err := createFile(path.Join(Nonexistent), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
+			if err := createFile(filepath.Join(Nonexistent), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
 				t.Errorf("createFile: error = %#v, want %#v", err, wantErr)
 			}
 		})
@@ -80,7 +80,7 @@ func TestCreateFile(t *testing.T) {

 	t.Run("touch", func(t *testing.T) {
 		tempDir := t.TempDir()
-		pathname := path.Join(tempDir, "empty")
+		pathname := filepath.Join(tempDir, "empty")
 		if err := createFile(pathname, 0644, 0755, nil); err != nil {
 			t.Fatalf("createFile: error = %v", err)
 		}
@@ -93,7 +93,7 @@ func TestCreateFile(t *testing.T) {

 	t.Run("write", func(t *testing.T) {
 		tempDir := t.TempDir()
-		pathname := path.Join(tempDir, "zero")
+		pathname := filepath.Join(tempDir, "zero")
 		if err := createFile(pathname, 0644, 0755, []byte{0}); err != nil {
 			t.Fatalf("createFile: error = %v", err)
 		}
@@ -107,7 +107,7 @@ func TestCreateFile(t *testing.T) {

 func TestEnsureFile(t *testing.T) {
 	t.Run("create", func(t *testing.T) {
-		if err := ensureFile(path.Join(t.TempDir(), "ensure"), 0644, 0755); err != nil {
+		if err := ensureFile(filepath.Join(t.TempDir(), "ensure"), 0644, 0755); err != nil {
 			t.Errorf("ensureFile: error = %v", err)
 		}
 	})
@@ -115,7 +115,7 @@ func TestEnsureFile(t *testing.T) {
 	t.Run("stat", func(t *testing.T) {
 		t.Run("inaccessible", func(t *testing.T) {
 			tempDir := t.TempDir()
-			pathname := path.Join(tempDir, "inaccessible")
+			pathname := filepath.Join(tempDir, "inaccessible")
 			if f, err := os.Create(pathname); err != nil {
 				t.Fatalf("Create: error = %v", err)
 			} else {
@@ -150,7 +150,7 @@ func TestEnsureFile(t *testing.T) {

 		t.Run("ensure", func(t *testing.T) {
 			tempDir := t.TempDir()
-			pathname := path.Join(tempDir, "ensure")
+			pathname := filepath.Join(tempDir, "ensure")
 			if f, err := os.Create(pathname); err != nil {
 				t.Fatalf("Create: error = %v", err)
 			} else {
@@ -195,12 +195,12 @@ func TestProcPaths(t *testing.T) {

 		t.Run("sample", func(t *testing.T) {
 			tempDir := t.TempDir()
-			if err := os.MkdirAll(path.Join(tempDir, "proc/self"), 0755); err != nil {
+			if err := os.MkdirAll(filepath.Join(tempDir, "proc/self"), 0755); err != nil {
 				t.Fatalf("MkdirAll: error = %v", err)
 			}

 			t.Run("clean", func(t *testing.T) {
-				if err := os.WriteFile(path.Join(tempDir, "proc/self/mountinfo"), []byte(`15 20 0:3 / /proc rw,relatime - proc /proc rw
+				if err := os.WriteFile(filepath.Join(tempDir, "proc/self/mountinfo"), []byte(`15 20 0:3 / /proc rw,relatime - proc /proc rw
 16 20 0:15 / /sys rw,relatime - sysfs /sys rw
 17 20 0:5 / /dev rw,relatime - devtmpfs udev rw,size=1983516k,nr_inodes=495879,mode=755`), 0644); err != nil {
 					t.Fatalf("WriteFile: error = %v", err)
@@ -243,8 +243,8 @@ func TestProcPaths(t *testing.T) {
 			})

 			t.Run("malformed", func(t *testing.T) {
-				path.Join(tempDir, "proc/self/mountinfo")
-				if err := os.WriteFile(path.Join(tempDir, "proc/self/mountinfo"), []byte{0}, 0644); err != nil {
+				filepath.Join(tempDir, "proc/self/mountinfo")
+				if err := os.WriteFile(filepath.Join(tempDir, "proc/self/mountinfo"), []byte{0}, 0644); err != nil {
 					t.Fatalf("WriteFile: error = %v", err)
 				}

--- a/container/seccomp/libseccomp.go
+++ b/container/seccomp/libseccomp.go
@@ -16,6 +16,7 @@ import (
 	"unsafe"

 	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

 // ErrInvalidRules is returned for a zero-length rules slice.
@@ -219,9 +220,9 @@ const (

 // syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
 // This function is only for testing the lookup tables and included here for convenience.
-func syscallResolveName(s string) (num std.ScmpSyscall, ok bool) {
+func syscallResolveName(s string) (num ext.SyscallNum, ok bool) {
 	v := C.CString(s)
-	num = std.ScmpSyscall(C.seccomp_syscall_resolve_name(v))
+	num = ext.SyscallNum(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
 	ok = num != C.__NR_SCMP_ERROR
 	return
--- a/container/seccomp/presets.go
+++ b/container/seccomp/presets.go
@@ -6,6 +6,7 @@ import (
 	. "syscall"

 	. "hakurei.app/container/std"
+	. "hakurei.app/ext"
 )

 func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
--- a/container/seccomp/std_test.go
+++ b/container/seccomp/std_test.go
@@ -6,12 +6,13 @@ import (
 	"unsafe"

 	"hakurei.app/container/std"
+	"hakurei.app/ext"
 )

 func TestSyscallResolveName(t *testing.T) {
 	t.Parallel()

-	for name, want := range std.Syscalls() {
+	for name, want := range ext.Syscalls() {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()

@@ -24,8 +25,10 @@ func TestSyscallResolveName(t *testing.T) {
 }

 func TestRuleType(t *testing.T) {
-	assertKind[std.Uint, scmpUint](t)
-	assertKind[std.Int, scmpInt](t)
+	assertKind[ext.Uint, scmpUint](t)
+	assertOverflow(t, ext.Uint(ext.MaxUint))
+	assertKind[ext.Int, scmpInt](t)
+	assertOverflow(t, ext.Int(ext.MaxInt))

 	assertSize[std.NativeRule, syscallRule](t)
 	assertKind[std.ScmpDatum, scmpDatum](t)
@@ -61,3 +64,14 @@ func assertKind[native, equivalent any](t *testing.T) {
 		t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind())
 	}
 }
+
+// assertOverflow asserts that incrementing m overflows.
+func assertOverflow[T ~int32 | ~uint32](t *testing.T, m T) {
+	t.Helper()
+
+	old := m
+	m++
+	if m > old {
+		t.Fatalf("unexpected value %#x", m)
+	}
+}
--- a/container/std/seccomp.go
+++ b/container/std/seccomp.go
@@ -1,34 +1,20 @@
 package std

-import (
-	"encoding/json"
-	"strconv"
-)
+import "hakurei.app/ext"

 type (
-	// ScmpUint is equivalent to C.uint.
-	//
-	// Deprecated: This type has been renamed to Uint and will be removed in 0.4.
-	ScmpUint = Uint
-	// ScmpInt is equivalent to C.int.
-	//
-	// Deprecated: This type has been renamed to Int and will be removed in 0.4.
-	ScmpInt = Int
-
-	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall Int
 	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno Int
+	ScmpErrno = ext.Int

 	// ScmpCompare is equivalent to enum scmp_compare;
-	ScmpCompare Uint
+	ScmpCompare = ext.Uint
 	// ScmpDatum is equivalent to scmp_datum_t.
-	ScmpDatum uint64
+	ScmpDatum = uint64

 	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
 	ScmpArgCmp struct {
 		// argument number, starting at 0
-		Arg Uint `json:"arg"`
+		Arg ext.Uint `json:"arg"`
 		// the comparison op, e.g. SCMP_CMP_*
 		Op ScmpCompare `json:"op"`

@@ -39,42 +25,10 @@ type (
 	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
 	NativeRule struct {
 		// Syscall is the arch-dependent syscall number to act against.
-		Syscall ScmpSyscall `json:"syscall"`
+		Syscall ext.SyscallNum `json:"syscall"`
 		// Errno is the errno value to return when the condition is satisfied.
 		Errno ScmpErrno `json:"errno"`
 		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
 		Arg *ScmpArgCmp `json:"arg,omitempty"`
 	}
 )
-
-// MarshalJSON resolves the name of [ScmpSyscall] and encodes it as a [json] string.
-// If such a name does not exist, the syscall number is encoded instead.
-func (num *ScmpSyscall) MarshalJSON() ([]byte, error) {
-	n := *num
-	for name, cur := range Syscalls() {
-		if cur == n {
-			return json.Marshal(name)
-		}
-	}
-	return json.Marshal(n)
-}
-
-// SyscallNameError is returned when trying to unmarshal an invalid syscall name into [ScmpSyscall].
-type SyscallNameError string
-
-func (e SyscallNameError) Error() string { return "invalid syscall name " + strconv.Quote(string(e)) }
-
-// UnmarshalJSON looks up the syscall number corresponding to name encoded in data
-// by calling [SyscallResolveName].
-func (num *ScmpSyscall) UnmarshalJSON(data []byte) error {
-	var name string
-	if err := json.Unmarshal(data, &name); err != nil {
-		return err
-	}
-	if n, ok := SyscallResolveName(name); !ok {
-		return SyscallNameError(name)
-	} else {
-		*num = n
-		return nil
-	}
-}
--- a/container/std/syscall.go
+++ b/container/std/syscall.go
@@ -1,28 +0,0 @@
-package std
-
-import "iter"
-
-// Syscalls returns an iterator over all wired syscalls.
-func Syscalls() iter.Seq2[string, ScmpSyscall] {
-	return func(yield func(string, ScmpSyscall) bool) {
-		for name, num := range syscallNum {
-			if !yield(name, num) {
-				return
-			}
-		}
-		for name, num := range syscallNumExtra {
-			if !yield(name, num) {
-				return
-			}
-		}
-	}
-}
-
-// SyscallResolveName resolves a syscall number from its string representation.
-func SyscallResolveName(name string) (num ScmpSyscall, ok bool) {
-	if num, ok = syscallNum[name]; ok {
-		return
-	}
-	num, ok = syscallNumExtra[name]
-	return
-}
--- a/container/std/syscall_extra_linux_386.go
+++ b/container/std/syscall_extra_linux_386.go
@@ -1,13 +0,0 @@
-package std
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"kexec_file_load": SNR_KEXEC_FILE_LOAD,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-}
-
-const (
-	SNR_KEXEC_FILE_LOAD ScmpSyscall = __PNR_kexec_file_load
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-)
--- a/container/std/syscall_extra_linux_amd64.go
+++ b/container/std/syscall_extra_linux_amd64.go
@@ -1,41 +0,0 @@
-package std
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"umount":          SNR_UMOUNT,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-	"vm86":            SNR_VM86,
-	"vm86old":         SNR_VM86OLD,
-	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
-	"clock_settime64": SNR_CLOCK_SETTIME64,
-	"chown32":         SNR_CHOWN32,
-	"fchown32":        SNR_FCHOWN32,
-	"lchown32":        SNR_LCHOWN32,
-	"setgid32":        SNR_SETGID32,
-	"setgroups32":     SNR_SETGROUPS32,
-	"setregid32":      SNR_SETREGID32,
-	"setresgid32":     SNR_SETRESGID32,
-	"setresuid32":     SNR_SETRESUID32,
-	"setreuid32":      SNR_SETREUID32,
-	"setuid32":        SNR_SETUID32,
-}
-
-const (
-	SNR_UMOUNT          ScmpSyscall = __PNR_umount
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-	SNR_VM86            ScmpSyscall = __PNR_vm86
-	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
-	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
-	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
-	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
-	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
-	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
-	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
-	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
-	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
-	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
-	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
-	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
-	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
-)
--- a/container/std/syscall_extra_linux_arm64.go
+++ b/container/std/syscall_extra_linux_arm64.go
@@ -1,55 +0,0 @@
-package std
-
-import "syscall"
-
-const (
-	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
-)
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"uselib":          SNR_USELIB,
-	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
-	"clock_settime64": SNR_CLOCK_SETTIME64,
-	"umount":          SNR_UMOUNT,
-	"chown":           SNR_CHOWN,
-	"chown32":         SNR_CHOWN32,
-	"fchown32":        SNR_FCHOWN32,
-	"lchown":          SNR_LCHOWN,
-	"lchown32":        SNR_LCHOWN32,
-	"setgid32":        SNR_SETGID32,
-	"setgroups32":     SNR_SETGROUPS32,
-	"setregid32":      SNR_SETREGID32,
-	"setresgid32":     SNR_SETRESGID32,
-	"setresuid32":     SNR_SETRESUID32,
-	"setreuid32":      SNR_SETREUID32,
-	"setuid32":        SNR_SETUID32,
-	"modify_ldt":      SNR_MODIFY_LDT,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-	"vm86":            SNR_VM86,
-	"vm86old":         SNR_VM86OLD,
-}
-
-const (
-	SNR_USELIB          ScmpSyscall = __PNR_uselib
-	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
-	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
-	SNR_UMOUNT          ScmpSyscall = __PNR_umount
-	SNR_CHOWN           ScmpSyscall = __PNR_chown
-	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
-	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
-	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
-	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
-	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
-	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
-	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
-	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
-	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
-	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
-	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
-	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-	SNR_VM86            ScmpSyscall = __PNR_vm86
-	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
-)
--- a/container/std/syscall_extra_linux_riscv64.go
+++ b/container/std/syscall_extra_linux_riscv64.go
@@ -1,55 +0,0 @@
-package std
-
-import "syscall"
-
-const (
-	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
-)
-
-var syscallNumExtra = map[string]ScmpSyscall{
-	"uselib":          SNR_USELIB,
-	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
-	"clock_settime64": SNR_CLOCK_SETTIME64,
-	"umount":          SNR_UMOUNT,
-	"chown":           SNR_CHOWN,
-	"chown32":         SNR_CHOWN32,
-	"fchown32":        SNR_FCHOWN32,
-	"lchown":          SNR_LCHOWN,
-	"lchown32":        SNR_LCHOWN32,
-	"setgid32":        SNR_SETGID32,
-	"setgroups32":     SNR_SETGROUPS32,
-	"setregid32":      SNR_SETREGID32,
-	"setresgid32":     SNR_SETRESGID32,
-	"setresuid32":     SNR_SETRESUID32,
-	"setreuid32":      SNR_SETREUID32,
-	"setuid32":        SNR_SETUID32,
-	"modify_ldt":      SNR_MODIFY_LDT,
-	"subpage_prot":    SNR_SUBPAGE_PROT,
-	"switch_endian":   SNR_SWITCH_ENDIAN,
-	"vm86":            SNR_VM86,
-	"vm86old":         SNR_VM86OLD,
-}
-
-const (
-	SNR_USELIB          ScmpSyscall = __PNR_uselib
-	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
-	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
-	SNR_UMOUNT          ScmpSyscall = __PNR_umount
-	SNR_CHOWN           ScmpSyscall = __PNR_chown
-	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
-	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
-	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
-	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
-	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
-	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
-	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
-	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
-	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
-	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
-	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
-	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
-	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
-	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
-	SNR_VM86            ScmpSyscall = __PNR_vm86
-	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
-)
--- a/container/std/syscall_linux_386.go
+++ b/container/std/syscall_linux_386.go
--- a/Show More
+++ b/Show More