cmd/irdump: formatted disassembly

These can be set to anything by the distribution.

Signed-off-by: Ophestra <cat@gensokyo.uk>

.clang-format

@@ -0,0 +1,2 @@
+ColumnLimit: 0
+IndentWidth: 4

.gitea/workflows/test.yml

@@ -2,7 +2,6 @@ name: Test
 
 on:
   - push
-  - pull_request
 
 jobs:
   hakurei:
@@ -73,6 +72,23 @@ jobs:
           path: result/*
           retention-days: 1
 
+  sharefs:
+    name: ShareFS
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sharefs
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "sharefs-vm-output"
+          path: result/*
+          retention-days: 1
+
   hpkg:
     name: Hpkg
     runs-on: nix
@@ -97,6 +113,7 @@ jobs:
       - race
       - sandbox
       - sandbox-race
+      - sharefs
       - hpkg
     runs-on: nix
     steps:

.gitignore

@@ -27,6 +27,7 @@ go.work.sum
 
 # go generate
 /cmd/hakurei/LICENSE
+/internal/pkg/testdata/testtool
 
 # release
 /dist/hakurei-*

cmd/hakurei/command.go

@@ -11,21 +11,24 @@ import (
 	"strconv"
 	"sync"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/command"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/message"
-	"hakurei.app/system/dbus"
 )
 
+// optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
+// if it is not nil, or the original value if it is.
+//
 //go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
-func optionalErrorUnwrap(_ error) error
+func optionalErrorUnwrap(err error) error
 
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
@@ -88,7 +91,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 
 			flagPrivateRuntime, flagPrivateTmpdir bool
 
-			flagWayland, flagX11, flagDBus, flagPulse bool
+			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
 		)
 
 		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
@@ -143,8 +146,8 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			if flagDBus {
 				et |= hst.EDBus
 			}
-			if flagPulse {
-				et |= hst.EPulse
+			if flagPipeWire || flagPulse {
+				et |= hst.EPipeWire
 			}
 
 			config := &hst.Config{
@@ -294,8 +297,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Enable direct connection to X11").
 			Flag(&flagDBus, "dbus", command.BoolFlag(false),
 				"Enable proxied connection to D-Bus").
+			Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
+				"Enable connection to PipeWire via SecurityContext").
 			Flag(&flagPulse, "pulse", command.BoolFlag(false),
-				"Enable direct connection to PulseAudio")
+				"Enable PulseAudio compatibility daemon")
 	}
 
 	{
@@ -350,7 +355,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
 	}
 
-	c.Command("version", "Display version information", func(args []string) error { fmt.Println(internal.Version()); return errSuccess })
+	c.Command("version", "Display version information", func(args []string) error { fmt.Println(info.Version()); return errSuccess })
 	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
 	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
 	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })

cmd/hakurei/command_test.go

@@ -36,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 
 Flags:
   -X	Enable direct connection to X11
@@ -58,12 +58,14 @@ Flags:
     	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
   -mpris
     	Allow owning MPRIS D-Bus path, has no effect if custom config is available
+  -pipewire
+    	Enable connection to PipeWire via SecurityContext
   -private-runtime
     	Do not share XDG_RUNTIME_DIR between containers under the same identity
   -private-tmpdir
     	Do not share TMPDIR between containers under the same identity
   -pulse
-    	Enable direct connection to PulseAudio
+    	Enable PulseAudio compatibility daemon
   -u string
     	Passwd user name within sandbox (default "chronos")
   -wayland

cmd/hakurei/json_test.go

@@ -1,18 +1,13 @@
-package main_test
+package main
 
 import (
-	"io"
 	"reflect"
 	"strings"
 	"testing"
-	_ "unsafe"
 
 	"hakurei.app/container/stub"
 )
 
-//go:linkname decodeJSON hakurei.app/cmd/hakurei.decodeJSON
-func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any)
-
 func TestDecodeJSON(t *testing.T) {
 	t.Parallel()
 
@@ -62,9 +57,6 @@ func TestDecodeJSON(t *testing.T) {
 	}
 }
 
-//go:linkname encodeJSON hakurei.app/cmd/hakurei.encodeJSON
-func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any)
-
 func TestEncodeJSON(t *testing.T) {
 	t.Parallel()
 
@@ -74,7 +66,7 @@ func TestEncodeJSON(t *testing.T) {
 		want string
 	}{
 		{"marshaler", errorJSONMarshaler{},
-			`cannot encode json for main_test.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
+			`cannot encode json for main.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
 		{"default", func() {},
 			`cannot write json: json: unsupported type: func()`},
 	}

cmd/hakurei/print.go

@@ -12,8 +12,6 @@ import (
 	"time"
 
 	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/env"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
@@ -23,21 +21,19 @@ import (
 func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()
-
-	info := &hst.Info{Version: internal.Version(), User: new(outcome.Hsu).MustID(nil)}
-	env.CopyPaths().Copy(&info.Paths, info.User)
+	hi := outcome.Info()
 
 	if flagJSON {
-		encodeJSON(log.Fatal, output, short, info)
+		encodeJSON(log.Fatal, output, short, hi)
 		return
 	}
 
-	t.Printf("Version:\t%s\n", info.Version)
-	t.Printf("User:\t%d\n", info.User)
-	t.Printf("TempDir:\t%s\n", info.TempDir)
-	t.Printf("SharePath:\t%s\n", info.SharePath)
-	t.Printf("RuntimePath:\t%s\n", info.RuntimePath)
-	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
+	t.Printf("Version:\t%s (libwayland %s)\n", hi.Version, hi.WaylandVersion)
+	t.Printf("User:\t%d\n", hi.User)
+	t.Printf("TempDir:\t%s\n", hi.TempDir)
+	t.Printf("SharePath:\t%s\n", hi.SharePath)
+	t.Printf("RuntimePath:\t%s\n", hi.RuntimePath)
+	t.Printf("RunDirPath:\t%s\n", hi.RunDirPath)
 }
 
 // printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
@@ -90,12 +86,6 @@ func printShowInstance(
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
 	if config.Container != nil {
-		if config.Container.Home != nil {
-			t.Printf(" Home:\t%s\n", config.Container.Home)
-		}
-		if config.Container.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
-		}
 		flags := config.Container.Flags.String()
 
 		// this is included in the upper hst.Config struct but is relevant here
@@ -110,6 +100,12 @@ func printShowInstance(
 		}
 		t.Printf(" Flags:\t%s\n", flags)
 
+		if config.Container.Home != nil {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
+		}
+		if config.Container.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
+		}
 		if config.Container.Path != nil {
 			t.Printf(" Path:\t%s\n", config.Container.Path)
 		}

cmd/hakurei/print_test.go

@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
@@ -62,11 +62,11 @@ func TestPrintShowInstance(t *testing.T) {
 		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
 		{"config", nil, hst.Template(), false, false, `App
  Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pulseaudio
+ Enablements:    wayland, dbus, pipewire
  Groups:         video, dialout, plugdev
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
- Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Path:           /run/current-system/sw/bin/chromium
  Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
@@ -159,11 +159,11 @@ Session bus
 
 App
  Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pulseaudio
+ Enablements:    wayland, dbus, pipewire
  Groups:         video, dialout, plugdev
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
- Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Path:           /run/current-system/sw/bin/chromium
  Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
@@ -215,7 +215,7 @@ App
   "enablements": {
     "wayland": true,
     "dbus": true,
-    "pulse": true
+    "pipewire": true
   },
   "session_bus": {
     "see": null,
@@ -366,7 +366,7 @@ App
   "enablements": {
     "wayland": true,
     "dbus": true,
-    "pulse": true
+    "pipewire": true
   },
   "session_bus": {
     "see": null,
@@ -564,7 +564,7 @@ func TestPrintPs(t *testing.T) {
     "enablements": {
       "wayland": true,
       "dbus": true,
-      "pulse": true
+      "pipewire": true
     },
     "session_bus": {
       "see": null,
@@ -715,7 +715,7 @@ func TestPrintPs(t *testing.T) {
     "shim_pid": 51966,
     "enablements": {
       "wayland": true,
-      "pulse": true
+      "pipewire": true
     },
     "identity": 1,
     "groups": null,

cmd/hpkg/build.nix

@@ -45,7 +45,7 @@
   allow_wayland ? true,
   allow_x11 ? false,
   allow_dbus ? true,
-  allow_pulse ? true,
+  allow_audio ? true,
   gpu ? allow_wayland || allow_x11,
 }:
 
@@ -175,7 +175,7 @@ let
       wayland = allow_wayland;
       x11 = allow_x11;
       dbus = allow_dbus;
-      pulse = allow_pulse;
+      pipewire = allow_audio;
     };
 
     mesa = if gpu then mesaWrappers else null;

cmd/hpkg/proc.go

@@ -10,11 +10,11 @@ import (
 	"os/exec"
 
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/info"
 	"hakurei.app/message"
 )
 
-var hakureiPathVal = internal.MustHakureiPath().String()
+var hakureiPathVal = info.MustHakureiPath().String()
 
 func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
 	var (

cmd/hpkg/test/default.nix

@@ -1,5 +1,5 @@
 {
-  nixosTest,
+  testers,
   callPackage,
 
   system,
@@ -8,7 +8,7 @@
 let
   buildPackage = self.buildPackage.${system};
 in
-nixosTest {
+testers.nixosTest {
   name = "hpkg";
   nodes.machine = {
     environment.etc = {

cmd/hpkg/test/test.py

@@ -90,13 +90,13 @@ wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
+check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
 
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
@@ -107,4 +107,4 @@ print(machine.succeed("find /tmp/hakurei.0 "
     + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
     + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
     + "-print"))
-print(machine.succeed("find /run/user/1000/hakurei"))
+print(machine.fail("ls /run/user/1000/hakurei"))

cmd/irdump/main.go

@@ -0,0 +1,76 @@
+package main
+
+import (
+	"errors"
+	"log"
+	"os"
+
+	"hakurei.app/command"
+	"hakurei.app/internal/pkg"
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("irdump: ")
+
+	var (
+		flagOutput string
+		flagReal   bool
+		flagHeader bool
+		flagForce  bool
+		flagRaw    bool
+	)
+	c := command.New(os.Stderr, log.Printf, "irdump", func(args []string) (err error) {
+		var input *os.File
+		if len(args) != 1 {
+			return errors.New("irdump requires 1 argument")
+		}
+		if input, err = os.Open(args[0]); err != nil {
+			return
+		}
+		defer input.Close()
+
+		var output *os.File
+		if flagOutput == "" {
+			output = os.Stdout
+		} else {
+			defer output.Close()
+			if output, err = os.Create(flagOutput); err != nil {
+				return
+			}
+		}
+
+		var out string
+		if out, err = pkg.Disassemble(input, flagReal, flagHeader, flagForce, flagRaw); err != nil {
+			return
+		}
+		if _, err = output.WriteString(out); err != nil {
+			return
+		}
+		return
+	}).Flag(
+		&flagOutput,
+		"o", command.StringFlag(""),
+		"Output file for asm (leave empty for stdout)",
+	).Flag(
+		&flagReal,
+		"r", command.BoolFlag(false),
+		"skip label generation; idents print real value",
+	).Flag(
+		&flagHeader,
+		"H", command.BoolFlag(false),
+		"display artifact headers",
+	).Flag(
+		&flagForce,
+		"f", command.BoolFlag(false),
+		"force display (skip validations)",
+	).Flag(
+		&flagRaw,
+		"R", command.BoolFlag(false),
+		"don't format output",
+	)
+
+	c.MustParse(os.Args[1:], func(err error) {
+		log.Fatal(err)
+	})
+}

cmd/mbf/main.go

@@ -0,0 +1,204 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"syscall"
+	"unique"
+
+	"hakurei.app/command"
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func main() {
+	container.TryArgv0(nil)
+
+	log.SetFlags(0)
+	log.SetPrefix("mbf: ")
+	msg := message.New(log.Default())
+
+	if os.Geteuid() == 0 {
+		log.Fatal("this program must not run as root")
+	}
+
+	var cache *pkg.Cache
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+	defer func() {
+		if cache != nil {
+			cache.Close()
+		}
+
+		if r := recover(); r != nil {
+			fmt.Println(r)
+			log.Fatal("consider scrubbing the on-disk cache")
+		}
+	}()
+
+	var (
+		flagQuiet  bool
+		flagCures  int
+		flagBase   string
+		flagTShift int
+	)
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
+		msg.SwapVerbose(!flagQuiet)
+
+		var base *check.Absolute
+		if flagBase, err = filepath.Abs(flagBase); err != nil {
+			return
+		} else if base, err = check.NewAbs(flagBase); err != nil {
+			return
+		}
+		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
+			if flagTShift < 0 {
+				cache.SetThreshold(0)
+			} else if flagTShift > 31 {
+				cache.SetThreshold(1 << 31)
+			} else {
+				cache.SetThreshold(1 << flagTShift)
+			}
+		}
+		return
+	}).Flag(
+		&flagQuiet,
+		"q", command.BoolFlag(false),
+		"Do not print cure messages",
+	).Flag(
+		&flagCures,
+		"cures", command.IntFlag(0),
+		"Maximum number of dependencies to cure at any given time",
+	).Flag(
+		&flagBase,
+		"d", command.StringFlag("cache"),
+		"Directory to store cured artifacts",
+	).Flag(
+		&flagTShift,
+		"tshift", command.IntFlag(-1),
+		"Dependency graph size exponent, to the power of 2",
+	)
+
+	{
+		var flagShifts int
+		c.NewCommand(
+			"scrub", "Examine the on-disk cache for errors",
+			func(args []string) error {
+				if len(args) > 0 {
+					return errors.New("scrub expects no arguments")
+				}
+				if flagShifts < 0 || flagShifts > 31 {
+					flagShifts = 12
+				}
+				return cache.Scrub(runtime.NumCPU() << flagShifts)
+			},
+		).Flag(
+			&flagShifts,
+			"shift", command.IntFlag(12),
+			"Scrub parallelism size exponent, to the power of 2",
+		)
+	}
+
+	c.NewCommand(
+		"stage3",
+		"Check for toolchain 3-stage non-determinism",
+		func(args []string) (err error) {
+			_, _, _, stage1 := (rosa.Std - 2).NewLLVM()
+			_, _, _, stage2 := (rosa.Std - 1).NewLLVM()
+			_, _, _, stage3 := rosa.Std.NewLLVM()
+			var (
+				pathname *check.Absolute
+				checksum [2]unique.Handle[pkg.Checksum]
+			)
+
+			if pathname, _, err = cache.Cure(stage1); err != nil {
+				return err
+			}
+			log.Println("stage1:", pathname)
+
+			if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
+				return err
+			}
+			log.Println("stage2:", pathname)
+			if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
+				return err
+			}
+			log.Println("stage3:", pathname)
+
+			if checksum[0] != checksum[1] {
+				err = &pkg.ChecksumMismatchError{
+					Got:  checksum[0].Value(),
+					Want: checksum[1].Value(),
+				}
+			} else {
+				log.Println(
+					"stage2 is identical to stage3",
+					"("+pkg.Encode(checksum[0].Value())+")",
+				)
+			}
+			return
+		},
+	)
+
+	{
+		var (
+			flagDump string
+		)
+		c.NewCommand(
+			"cure",
+			"Cure the named artifact and show its path",
+			func(args []string) error {
+				if len(args) != 1 {
+					return errors.New("cure requires 1 argument")
+				}
+				if p, ok := rosa.ResolveName(args[0]); !ok {
+					return fmt.Errorf("unsupported artifact %q", args[0])
+				} else if flagDump == "" {
+					pathname, _, err := cache.Cure(rosa.Std.Load(p))
+					if err == nil {
+						log.Println(pathname)
+					}
+					return err
+				} else {
+					f, err := os.OpenFile(
+						flagDump,
+						os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+						0644,
+					)
+					if err != nil {
+						return err
+					}
+
+					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
+						_ = f.Close()
+						return err
+					}
+
+					return f.Close()
+				}
+			},
+		).
+			Flag(
+				&flagDump,
+				"dump", command.StringFlag(""),
+				"Write IR to specified pathname and terminate",
+			)
+	}
+
+	c.MustParse(os.Args[1:], func(err error) {
+		if cache != nil {
+			cache.Close()
+		}
+		log.Fatal(err)
+	})
+}

cmd/sharefs/fuse-operations.c

@@ -0,0 +1,282 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE /* O_DIRECT */
+#endif
+
+#include <dirent.h>
+#include <errno.h>
+#include <unistd.h>
+
+/* TODO(ophestra): remove after 05ce67fea99ca09cd4b6625cff7aec9cc222dd5a reaches a release */
+#include <sys/syscall.h>
+
+#include "fuse-operations.h"
+
+/* MUST_TRANSLATE_PATHNAME translates a userspace pathname to a relative pathname;
+ * the resulting address points to a constant string or part of pathname, it is never heap allocated. */
+#define MUST_TRANSLATE_PATHNAME(pathname) \
+    do {                                  \
+        if (pathname == NULL)             \
+            return -EINVAL;               \
+        while (*pathname == '/')          \
+            pathname++;                   \
+        if (*pathname == '\0')            \
+            pathname = ".";               \
+    } while (0)
+
+/* GET_CONTEXT_PRIV obtains fuse context and private data for the calling thread. */
+#define GET_CONTEXT_PRIV(ctx, priv) \
+    do {                            \
+        ctx = fuse_get_context();   \
+        priv = ctx->private_data;   \
+    } while (0)
+
+/* impl_getattr modifies a struct stat from the kernel to present to userspace;
+ * impl_getattr returns a negative errno style error code. */
+static int impl_getattr(struct fuse_context *ctx, struct stat *statbuf) {
+    /* allowlist of permitted types */
+    if (!S_ISDIR(statbuf->st_mode) && !S_ISREG(statbuf->st_mode) && !S_ISLNK(statbuf->st_mode)) {
+        return -ENOTRECOVERABLE; /* returning an errno causes all operations on the file to return EIO */
+    }
+
+#define OVERRIDE_PERM(v) (statbuf->st_mode & ~0777) | (v & 0777)
+    if (S_ISDIR(statbuf->st_mode))
+        statbuf->st_mode = OVERRIDE_PERM(SHAREFS_PERM_DIR);
+    else if (S_ISREG(statbuf->st_mode))
+        statbuf->st_mode = OVERRIDE_PERM(SHAREFS_PERM_REG);
+    else
+        statbuf->st_mode = 0; /* should always be symlink in this case */
+
+    statbuf->st_uid = ctx->uid;
+    statbuf->st_gid = SHAREFS_MEDIA_RW_ID;
+    statbuf->st_ctim = statbuf->st_mtim;
+    statbuf->st_nlink = 1;
+    return 0;
+}
+
+/* fuse_operations implementation */
+
+int sharefs_getattr(const char *pathname, struct stat *statbuf, struct fuse_file_info *fi) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if (fstatat(priv->dirfd, pathname, statbuf, AT_SYMLINK_NOFOLLOW) == -1)
+        return -errno;
+    return impl_getattr(ctx, statbuf);
+}
+
+int sharefs_readdir(const char *pathname, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi, enum fuse_readdir_flags flags) {
+    int fd;
+    DIR *dp;
+    struct stat st;
+    int ret = 0;
+    struct dirent *de;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)offset;
+    (void)fi;
+
+    if ((fd = openat(priv->dirfd, pathname, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((dp = fdopendir(fd)) == NULL) {
+        close(fd);
+        return -errno;
+    }
+
+    errno = 0; /* for the next readdir call */
+    while ((de = readdir(dp)) != NULL) {
+        if (flags & FUSE_READDIR_PLUS) {
+            if (fstatat(dirfd(dp), de->d_name, &st, AT_SYMLINK_NOFOLLOW) == -1) {
+                ret = -errno;
+                break;
+            }
+
+            if ((ret = impl_getattr(ctx, &st)) < 0)
+                break;
+
+            errno = 0;
+            ret = filler(buf, de->d_name, &st, 0, FUSE_FILL_DIR_PLUS);
+        } else
+            ret = filler(buf, de->d_name, NULL, 0, 0);
+
+        if (ret != 0) {
+            ret = errno != 0 ? -errno : -EIO; /* filler */
+            break;
+        }
+
+        errno = 0; /* for the next readdir call */
+    }
+    if (ret == 0 && errno != 0)
+        ret = -errno; /* readdir */
+
+    closedir(dp);
+    return ret;
+}
+
+int sharefs_mkdir(const char *pathname, mode_t mode) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)mode;
+
+    if (mkdirat(priv->dirfd, pathname, SHAREFS_PERM_DIR) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_unlink(const char *pathname) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if (unlinkat(priv->dirfd, pathname, 0) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_rmdir(const char *pathname) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if (unlinkat(priv->dirfd, pathname, AT_REMOVEDIR) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_rename(const char *oldpath, const char *newpath, unsigned int flags) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(oldpath);
+    MUST_TRANSLATE_PATHNAME(newpath);
+
+    /* TODO(ophestra): replace with wrapper after 05ce67fea99ca09cd4b6625cff7aec9cc222dd5a reaches a release */
+    if (syscall(__NR_renameat2, priv->dirfd, oldpath, priv->dirfd, newpath, flags) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_truncate(const char *pathname, off_t length, struct fuse_file_info *fi) {
+    int fd;
+    int ret;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if ((fd = openat(priv->dirfd, pathname, O_WRONLY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((ret = ftruncate(fd, length)) == -1)
+        ret = -errno;
+    close(fd);
+    return ret;
+}
+
+int sharefs_utimens(const char *pathname, const struct timespec times[2], struct fuse_file_info *fi) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if (utimensat(priv->dirfd, pathname, times, AT_SYMLINK_NOFOLLOW) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_create(const char *pathname, mode_t mode, struct fuse_file_info *fi) {
+    int fd;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)mode;
+
+    if ((fd = openat(priv->dirfd, pathname, fi->flags & ~SHAREFS_FORBIDDEN_FLAGS, SHAREFS_PERM_REG)) == -1)
+        return -errno;
+    fi->fh = fd;
+    return 0;
+}
+
+int sharefs_open(const char *pathname, struct fuse_file_info *fi) {
+    int fd;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if ((fd = openat(priv->dirfd, pathname, fi->flags & ~SHAREFS_FORBIDDEN_FLAGS)) == -1)
+        return -errno;
+    fi->fh = fd;
+    return 0;
+}
+
+int sharefs_read(const char *pathname, char *buf, size_t count, off_t offset, struct fuse_file_info *fi) {
+    int ret;
+
+    (void)pathname;
+
+    if ((ret = pread(fi->fh, buf, count, offset)) == -1)
+        return -errno;
+    return ret;
+}
+
+int sharefs_write(const char *pathname, const char *buf, size_t count, off_t offset, struct fuse_file_info *fi) {
+    int ret;
+
+    (void)pathname;
+
+    if ((ret = pwrite(fi->fh, buf, count, offset)) == -1)
+        return -errno;
+    return ret;
+}
+
+int sharefs_statfs(const char *pathname, struct statvfs *statbuf) {
+    int fd;
+    int ret;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if ((fd = openat(priv->dirfd, pathname, O_RDONLY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((ret = fstatvfs(fd, statbuf)) == -1)
+        ret = -errno;
+    close(fd);
+    return ret;
+}
+
+int sharefs_release(const char *pathname, struct fuse_file_info *fi) {
+    (void)pathname;
+
+    return close(fi->fh);
+}
+
+int sharefs_fsync(const char *pathname, int datasync, struct fuse_file_info *fi) {
+    (void)pathname;
+
+    if (datasync ? fdatasync(fi->fh) : fsync(fi->fh) == -1)
+        return -errno;
+    return 0;
+}

cmd/sharefs/fuse-operations.h

@@ -0,0 +1,34 @@
+#define FUSE_USE_VERSION FUSE_MAKE_VERSION(3, 12)
+#include <fuse.h>
+#include <fuse_lowlevel.h> /* for fuse_cmdline_help */
+
+#if (FUSE_VERSION < FUSE_MAKE_VERSION(3, 12))
+#error This package requires libfuse >= v3.12
+#endif
+
+#define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
+#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
+
+/* sharefs_private is populated by sharefs_init and contains process-wide context */
+struct sharefs_private {
+    int dirfd;       /* source dirfd opened during sharefs_init */
+    uintptr_t setup; /* cgo handle of opaque setup state */
+};
+
+int sharefs_getattr(const char *pathname, struct stat *statbuf, struct fuse_file_info *fi);
+int sharefs_readdir(const char *pathname, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi, enum fuse_readdir_flags flags);
+int sharefs_mkdir(const char *pathname, mode_t mode);
+int sharefs_unlink(const char *pathname);
+int sharefs_rmdir(const char *pathname);
+int sharefs_rename(const char *oldpath, const char *newpath, unsigned int flags);
+int sharefs_truncate(const char *pathname, off_t length, struct fuse_file_info *fi);
+int sharefs_utimens(const char *pathname, const struct timespec times[2], struct fuse_file_info *fi);
+int sharefs_create(const char *pathname, mode_t mode, struct fuse_file_info *fi);
+int sharefs_open(const char *pathname, struct fuse_file_info *fi);
+int sharefs_read(const char *pathname, char *buf, size_t count, off_t offset, struct fuse_file_info *fi);
+int sharefs_write(const char *pathname, const char *buf, size_t count, off_t offset, struct fuse_file_info *fi);
+int sharefs_statfs(const char *pathname, struct statvfs *statbuf);
+int sharefs_release(const char *pathname, struct fuse_file_info *fi);
+int sharefs_fsync(const char *pathname, int datasync, struct fuse_file_info *fi);

cmd/sharefs/fuse.go

@@ -0,0 +1,556 @@
+package main
+
+/*
+#cgo pkg-config: --static fuse3
+
+#include "fuse-operations.h"
+#include <stdlib.h>
+#include <string.h>
+
+extern void *sharefs_init(struct fuse_conn_info *conn, struct fuse_config *cfg);
+extern void sharefs_destroy(void *private_data);
+
+typedef void (*closure)();
+static inline struct fuse_opt _FUSE_OPT_END() { return (struct fuse_opt)FUSE_OPT_END; };
+*/
+import "C"
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path"
+	"runtime"
+	"runtime/cgo"
+	"strconv"
+	"syscall"
+	"unsafe"
+
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/std"
+	"hakurei.app/hst"
+	"hakurei.app/internal/helper/proc"
+	"hakurei.app/internal/info"
+	"hakurei.app/message"
+)
+
+type (
+	// closure represents a C function pointer.
+	closure = C.closure
+
+	// fuseArgs represents the fuse_args structure.
+	fuseArgs = C.struct_fuse_args
+
+	// setupState holds state used for setup. Its cgo handle is included in
+	// sharefs_private and considered opaque to non-setup callbacks.
+	setupState struct {
+		// Whether sharefs_init failed.
+		initFailed bool
+
+		// Whether to create source directory as root.
+		mkdir bool
+
+		// Open file descriptor to fuse.
+		Fuse int
+
+		// Pathname to open for dirfd.
+		Source *check.Absolute
+		// New uid and gid to set by sharefs_init when starting as root.
+		Setuid, Setgid int
+	}
+)
+
+func init() { gob.Register(new(setupState)) }
+
+// destroySetup invalidates the setup [cgo.Handle] in a sharefs_private structure.
+func destroySetup(private_data unsafe.Pointer) (ok bool) {
+	if private_data == nil {
+		return false
+	}
+	priv := (*C.struct_sharefs_private)(private_data)
+
+	if h := cgo.Handle(priv.setup); h != 0 {
+		priv.setup = 0
+		h.Delete()
+		ok = true
+	}
+	return
+}
+
+//export sharefs_init
+func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.Pointer {
+	ctx := C.fuse_get_context()
+	priv := (*C.struct_sharefs_private)(ctx.private_data)
+	setup := cgo.Handle(priv.setup).Value().(*setupState)
+
+	if os.Geteuid() == 0 {
+		log.Println("filesystem daemon must not run as root")
+		goto fail
+	}
+
+	cfg.use_ino = C.true
+	cfg.direct_io = C.false
+	// getattr is context-dependent
+	cfg.attr_timeout = 0
+	cfg.entry_timeout = 0
+	cfg.negative_timeout = 0
+
+	// all future filesystem operations happen through this dirfd
+	if fd, err := syscall.Open(setup.Source.String(), syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC, 0); err != nil {
+		log.Printf("cannot open %q: %v", setup.Source, err)
+		goto fail
+	} else if err = syscall.Fchdir(fd); err != nil {
+		_ = syscall.Close(fd)
+		log.Printf("cannot enter %q: %s", setup.Source, err)
+		goto fail
+	} else {
+		priv.dirfd = C.int(fd)
+	}
+
+	return ctx.private_data
+
+fail:
+	setup.initFailed = true
+	C.fuse_exit(ctx.fuse)
+	return nil
+}
+
+//export sharefs_destroy
+func sharefs_destroy(private_data unsafe.Pointer) {
+	if private_data != nil {
+		destroySetup(private_data)
+		priv := (*C.struct_sharefs_private)(private_data)
+
+		if err := syscall.Close(int(priv.dirfd)); err != nil {
+			log.Printf("cannot close source directory: %v", err)
+		}
+	}
+}
+
+// showHelp prints the help message.
+func showHelp(args *fuseArgs) {
+	executableName := sharefsName
+	if args.argc > 0 {
+		executableName = path.Base(C.GoString(*args.argv))
+	} else if name, err := os.Executable(); err == nil {
+		executableName = path.Base(name)
+	}
+
+	fmt.Printf("usage: %s [options] <mountpoint>\n\n", executableName)
+
+	fmt.Println("Filesystem options:")
+	fmt.Println("    -o source=/data/media  source directory to be mounted")
+	fmt.Println("    -o setuid=1023         uid to run as when starting as root")
+	fmt.Println("    -o setgid=1023         gid to run as when starting as root")
+
+	fmt.Println("\nFUSE options:")
+	C.fuse_cmdline_help()
+	C.fuse_lib_help(args)
+}
+
+// parseOpts parses fuse options via fuse_opt_parse.
+func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
+	var unsafeOpts struct {
+		// Pathname to writable source directory.
+		source *C.char
+
+		// Whether to create source directory as root.
+		mkdir C.int
+
+		// Decimal string representation of uid to set when running as root.
+		setuid *C.char
+		// Decimal string representation of gid to set when running as root.
+		setgid *C.char
+
+		// Decimal string representation of open file descriptor to read setupState from.
+		// This is an internal detail for containerisation and must not be specified directly.
+		setup *C.char
+	}
+
+	if C.fuse_opt_parse(args, unsafe.Pointer(&unsafeOpts), &[]C.struct_fuse_opt{
+		{templ: C.CString("source=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.source)), value: 0},
+		{templ: C.CString("mkdir"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.mkdir)), value: 1},
+		{templ: C.CString("setuid=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setuid)), value: 0},
+		{templ: C.CString("setgid=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setgid)), value: 0},
+
+		{templ: C.CString("setup=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setup)), value: 0},
+
+		C._FUSE_OPT_END(),
+	}[0], nil) == -1 {
+		return false
+	}
+
+	if unsafeOpts.source != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.source))
+	}
+	if unsafeOpts.setuid != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setuid))
+	}
+	if unsafeOpts.setgid != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setgid))
+	}
+
+	if unsafeOpts.setup != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setup))
+
+		if v, err := strconv.Atoi(C.GoString(unsafeOpts.setup)); err != nil || v < 3 {
+			log.Println("invalid value for option setup")
+			return false
+		} else {
+			r := os.NewFile(uintptr(v), "setup")
+			defer func() {
+				if err = r.Close(); err != nil {
+					log.Println(err)
+				}
+			}()
+			if err = gob.NewDecoder(r).Decode(setup); err != nil {
+				log.Println(err)
+				return false
+			}
+		}
+		if setup.Fuse < 3 {
+			log.Println("invalid file descriptor", setup.Fuse)
+			return false
+		}
+		return true
+	}
+
+	if unsafeOpts.source == nil {
+		showHelp(args)
+		return false
+	} else if a, err := check.NewAbs(C.GoString(unsafeOpts.source)); err != nil {
+		log.Println(err)
+		return false
+	} else {
+		setup.Source = a
+	}
+	setup.mkdir = unsafeOpts.mkdir != 0
+
+	if unsafeOpts.setuid == nil {
+		setup.Setuid = -1
+	} else if v, err := strconv.Atoi(C.GoString(unsafeOpts.setuid)); err != nil || v <= 0 {
+		log.Println("invalid value for option setuid")
+		return false
+	} else {
+		setup.Setuid = v
+	}
+	if unsafeOpts.setgid == nil {
+		setup.Setgid = -1
+	} else if v, err := strconv.Atoi(C.GoString(unsafeOpts.setgid)); err != nil || v <= 0 {
+		log.Println("invalid value for option setgid")
+		return false
+	} else {
+		setup.Setgid = v
+	}
+
+	return true
+}
+
+// copyArgs returns a heap allocated copy of an argument slice in fuse_args representation.
+func copyArgs(s ...string) fuseArgs {
+	if len(s) == 0 {
+		return fuseArgs{argc: 0, argv: nil, allocated: 0}
+	}
+	args := unsafe.Slice((**C.char)(C.malloc(C.size_t(uintptr(len(s))*unsafe.Sizeof(s[0])))), len(s))
+	for i, arg := range s {
+		args[i] = C.CString(arg)
+	}
+	return fuseArgs{argc: C.int(len(s)), argv: &args[0], allocated: 1}
+}
+
+// freeArgs frees the contents of argument list.
+func freeArgs(args *fuseArgs) { C.fuse_opt_free_args(args) }
+
+// unsafeAddArgument adds an argument to fuseArgs via fuse_opt_add_arg.
+// The last byte of arg must be 0.
+func unsafeAddArgument(args *fuseArgs, arg string) {
+	C.fuse_opt_add_arg(args, (*C.char)(unsafe.Pointer(unsafe.StringData(arg))))
+}
+
+func _main(s ...string) (exitCode int) {
+	msg := message.New(log.Default())
+	container.TryArgv0(msg)
+	runtime.LockOSThread()
+
+	// don't mask creation mode, kernel already did that
+	syscall.Umask(0)
+
+	var pinner runtime.Pinner
+	defer pinner.Unpin()
+
+	args := copyArgs(s...)
+	defer freeArgs(&args)
+
+	// this causes the kernel to enforce access control based on
+	// struct stat populated by sharefs_getattr
+	unsafeAddArgument(&args, "-odefault_permissions\x00")
+
+	var priv C.struct_sharefs_private
+	pinner.Pin(&priv)
+	var setup setupState
+	priv.setup = C.uintptr_t(cgo.NewHandle(&setup))
+	defer destroySetup(unsafe.Pointer(&priv))
+
+	var opts C.struct_fuse_cmdline_opts
+	if C.fuse_parse_cmdline(&args, &opts) != 0 {
+		return 1
+	}
+	if opts.mountpoint != nil {
+		defer C.free(unsafe.Pointer(opts.mountpoint))
+	}
+
+	if opts.show_version != 0 {
+		fmt.Println("hakurei version", info.Version())
+		fmt.Println("FUSE library version", C.GoString(C.fuse_pkgversion()))
+		C.fuse_lowlevel_version()
+		return 0
+	}
+
+	if opts.show_help != 0 {
+		showHelp(&args)
+		return 0
+	} else if opts.mountpoint == nil {
+		log.Println("no mountpoint specified")
+		return 2
+	} else {
+		// hack to keep fuse_parse_cmdline happy in the container
+		mountpoint := C.GoString(opts.mountpoint)
+		pathnameArg := -1
+		for i, arg := range s {
+			if arg == mountpoint {
+				pathnameArg = i
+				break
+			}
+		}
+		if pathnameArg < 0 {
+			log.Println("mountpoint must be absolute")
+			return 2
+		}
+		s[pathnameArg] = container.Nonexistent
+	}
+
+	if !parseOpts(&args, &setup, msg.GetLogger()) {
+		return 1
+	}
+	asRoot := os.Geteuid() == 0
+
+	if asRoot {
+		if setup.Setuid <= 0 || setup.Setgid <= 0 {
+			log.Println("setuid and setgid must not be 0")
+			return 1
+		}
+
+		if setup.Fuse >= 3 {
+			log.Println("filesystem daemon must not run as root")
+			return 1
+		}
+
+		if setup.mkdir {
+			if err := os.MkdirAll(setup.Source.String(), 0700); err != nil {
+				if !errors.Is(err, os.ErrExist) {
+					log.Println(err)
+					return 1
+				}
+				// skip setup for existing source directory
+			} else if err = os.Chown(setup.Source.String(), setup.Setuid, setup.Setgid); err != nil {
+				log.Println(err)
+				return 1
+			}
+		}
+	} else if setup.Fuse < 3 && (setup.Setuid > 0 || setup.Setgid > 0) {
+		log.Println("setuid and setgid has no effect when not starting as root")
+		return 1
+	} else if setup.mkdir {
+		log.Println("mkdir has no effect when not starting as root")
+		return 1
+	}
+
+	op := C.struct_fuse_operations{
+		init:    closure(C.sharefs_init),
+		destroy: closure(C.sharefs_destroy),
+
+		// implemented in fuse-helper.c
+		getattr:  closure(C.sharefs_getattr),
+		readdir:  closure(C.sharefs_readdir),
+		mkdir:    closure(C.sharefs_mkdir),
+		unlink:   closure(C.sharefs_unlink),
+		rmdir:    closure(C.sharefs_rmdir),
+		rename:   closure(C.sharefs_rename),
+		truncate: closure(C.sharefs_truncate),
+		utimens:  closure(C.sharefs_utimens),
+		create:   closure(C.sharefs_create),
+		open:     closure(C.sharefs_open),
+		read:     closure(C.sharefs_read),
+		write:    closure(C.sharefs_write),
+		statfs:   closure(C.sharefs_statfs),
+		release:  closure(C.sharefs_release),
+		fsync:    closure(C.sharefs_fsync),
+	}
+
+	fuse := C.fuse_new_fn(&args, &op, C.size_t(unsafe.Sizeof(op)), unsafe.Pointer(&priv))
+	if fuse == nil {
+		return 3
+	}
+	defer C.fuse_destroy(fuse)
+	se := C.fuse_get_session(fuse)
+
+	if setup.Fuse < 3 {
+		// unconfined, set up mount point and container
+		if C.fuse_mount(fuse, opts.mountpoint) != 0 {
+			return 4
+		}
+		// unmounted by initial process
+		defer func() {
+			if exitCode == 5 {
+				C.fuse_unmount(fuse)
+			}
+		}()
+
+		if asRoot {
+			if err := syscall.Setresgid(setup.Setgid, setup.Setgid, setup.Setgid); err != nil {
+				log.Printf("cannot set gid: %v", err)
+				return 5
+			}
+			if err := syscall.Setgroups(nil); err != nil {
+				log.Printf("cannot set supplementary groups: %v", err)
+				return 5
+			}
+			if err := syscall.Setresuid(setup.Setuid, setup.Setuid, setup.Setuid); err != nil {
+				log.Printf("cannot set uid: %v", err)
+				return 5
+			}
+		}
+
+		msg.SwapVerbose(opts.debug != 0)
+		ctx := context.Background()
+		if opts.foreground != 0 {
+			c, cancel := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
+			defer cancel()
+			ctx = c
+		}
+		z := container.New(ctx, msg)
+		z.AllowOrphan = opts.foreground == 0
+		z.Env = os.Environ()
+
+		// keep fuse_parse_cmdline happy in the container
+		z.Tmpfs(check.MustAbs(container.Nonexistent), 1<<10, 0755)
+
+		if a, err := check.NewAbs(container.MustExecutable(msg)); err != nil {
+			log.Println(err)
+			return 5
+		} else {
+			z.Path = a
+		}
+		z.Args = s
+		z.ForwardCancel = true
+		z.SeccompPresets |= std.PresetStrict
+		z.ParentPerm = 0700
+		z.Bind(setup.Source, setup.Source, std.BindWritable)
+		if !z.AllowOrphan {
+			z.WaitDelay = hst.WaitDelayMax
+			z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+		}
+		z.Bind(z.Path, z.Path, 0)
+		setup.Fuse = int(proc.ExtraFileSlice(&z.ExtraFiles, os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse")))
+
+		var setupWriter io.WriteCloser
+		if fd, w, err := container.Setup(&z.ExtraFiles); err != nil {
+			log.Println(err)
+			return 5
+		} else {
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(fd))
+			setupWriter = w
+		}
+
+		if err := z.Start(); err != nil {
+			if m, ok := message.GetMessage(err); ok {
+				log.Println(m)
+			} else {
+				log.Println(err)
+			}
+			return 5
+		}
+		if err := z.Serve(); err != nil {
+			if m, ok := message.GetMessage(err); ok {
+				log.Println(m)
+			} else {
+				log.Println(err)
+			}
+			return 5
+		}
+
+		if err := gob.NewEncoder(setupWriter).Encode(&setup); err != nil {
+			log.Println(err)
+			return 5
+		} else if err = setupWriter.Close(); err != nil {
+			log.Println(err)
+		}
+
+		if !z.AllowOrphan {
+			if err := z.Wait(); err != nil {
+				var exitError *exec.ExitError
+				if !errors.As(err, &exitError) || exitError == nil {
+					log.Println(err)
+					return 5
+				}
+				switch code := exitError.ExitCode(); syscall.Signal(code & 0x7f) {
+				case syscall.SIGINT:
+				case syscall.SIGTERM:
+
+				default:
+					return code
+				}
+			}
+		}
+		return 0
+	} else { // confined
+		C.free(unsafe.Pointer(opts.mountpoint))
+		// must be heap allocated
+		opts.mountpoint = C.CString("/dev/fd/" + strconv.Itoa(setup.Fuse))
+
+		if err := os.Chdir("/"); err != nil {
+			log.Println(err)
+		}
+	}
+
+	if C.fuse_mount(fuse, opts.mountpoint) != 0 {
+		return 4
+	}
+	defer C.fuse_unmount(fuse)
+
+	if C.fuse_set_signal_handlers(se) != 0 {
+		return 6
+	}
+	defer C.fuse_remove_signal_handlers(se)
+
+	if opts.singlethread != 0 {
+		if C.fuse_loop(fuse) != 0 {
+			return 8
+		}
+	} else {
+		loopConfig := C.fuse_loop_cfg_create()
+		if loopConfig == nil {
+			return 7
+		}
+		defer C.fuse_loop_cfg_destroy(loopConfig)
+
+		C.fuse_loop_cfg_set_clone_fd(loopConfig, C.uint(opts.clone_fd))
+
+		C.fuse_loop_cfg_set_idle_threads(loopConfig, opts.max_idle_threads)
+		C.fuse_loop_cfg_set_max_threads(loopConfig, opts.max_threads)
+		if C.fuse_loop_mt(fuse, loopConfig) != 0 {
+			return 8
+		}
+	}
+
+	if setup.initFailed {
+		return 1
+	}
+	return 0
+}

cmd/sharefs/fuse_test.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"bytes"
+	"log"
+	"reflect"
+	"testing"
+
+	"hakurei.app/container/check"
+)
+
+func TestParseOpts(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		args    []string
+		want    setupState
+		wantLog string
+		wantOk  bool
+	}{
+		{"zero length", []string{}, setupState{}, "", false},
+
+		{"not absolute", []string{"sharefs",
+			"-o", "source=nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{}, "sharefs: path \"nonexistent\" is not absolute\n", false},
+
+		{"not specified", []string{"sharefs",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{}, "", false},
+
+		{"invalid setuid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=ff",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+		}, "sharefs: invalid value for option setuid\n", false},
+
+		{"invalid setgid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=ff",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+		}, "sharefs: invalid value for option setgid\n", false},
+
+		{"simple", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: -1,
+			Setgid: -1,
+		}, "", true},
+
+		{"root", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+			Setgid: 1023,
+		}, "", true},
+
+		{"setuid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+			Setgid: -1,
+		}, "", true},
+
+		{"setgid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: -1,
+			Setgid: 1023,
+		}, "", true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				got setupState
+				buf bytes.Buffer
+			)
+			args := copyArgs(tc.args...)
+			defer freeArgs(&args)
+			unsafeAddArgument(&args, "-odefault_permissions\x00")
+
+			if ok := parseOpts(&args, &got, log.New(&buf, "sharefs: ", 0)); ok != tc.wantOk {
+				t.Errorf("parseOpts: ok = %v, want %v", ok, tc.wantOk)
+			}
+
+			if !reflect.DeepEqual(&got, &tc.want) {
+				t.Errorf("parseOpts: setup = %#v, want %#v", got, tc.want)
+			}
+
+			if buf.String() != tc.wantLog {
+				t.Errorf("parseOpts: log =\n%s\nwant\n%s", buf.String(), tc.wantLog)
+			}
+		})
+	}
+}

cmd/sharefs/main.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"log"
+	"os"
+	"slices"
+)
+
+// sharefsName is the prefix used by log.std in the sharefs process.
+const sharefsName = "sharefs"
+
+// handleMountArgs returns an alternative, libfuse-compatible args slice for
+// args passed by mount -t fuse.sharefs [options] sharefs <mountpoint>.
+//
+// In this case, args always has a length of 5 with index 0 being what comes
+// after "fuse." in the filesystem type, 1 is the uninterpreted string passed
+// to mount (sharefsName is used as the magic string to enable this hack),
+// 2 is passed through to libfuse as mountpoint, and 3 is always "-o".
+func handleMountArgs(args []string) []string {
+	if len(args) == 5 && args[1] == sharefsName && args[3] == "-o" {
+		return []string{sharefsName, args[2], "-o", args[4]}
+	}
+	return slices.Clone(args)
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix(sharefsName + ": ")
+
+	os.Exit(_main(handleMountArgs(os.Args)...))
+}

cmd/sharefs/main_test.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"slices"
+	"testing"
+)
+
+func TestHandleMountArgs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		args []string
+		want []string
+	}{
+		{"nil", nil, nil},
+		{"passthrough", []string{"sharefs", "-V"}, []string{"sharefs", "-V"}},
+		{"replace", []string{"/sbin/sharefs", "sharefs", "/sdcard", "-o", "rw"}, []string{"sharefs", "/sdcard", "-o", "rw"}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := handleMountArgs(tc.args); !slices.Equal(got, tc.want) {
+				t.Errorf("handleMountArgs: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}

cmd/sharefs/test/configuration.nix

@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+{
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  # Automatically login on tty1 as a normal user:
+  services.getty.autologinUser = "alice";
+
+  environment = {
+    # For benchmarking sharefs:
+    systemPackages = [ pkgs.fsmark ];
+  };
+
+  virtualisation = {
+    diskSize = 6 * 1024;
+
+    qemu.options = [
+      # Increase test performance:
+      "-smp 8"
+    ];
+  };
+
+  environment.hakurei = rec {
+    enable = true;
+    stateDir = "/var/lib/hakurei";
+    sharefs.source = "${stateDir}/sdcard";
+    users.alice = 0;
+
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
+  };
+}

cmd/sharefs/test/default.nix

@@ -0,0 +1,44 @@
+{
+  testers,
+
+  system,
+  self,
+}:
+testers.nixosTest {
+  name = "sharefs";
+  nodes.machine =
+    { options, pkgs, ... }:
+    let
+      fhs =
+        let
+          hakurei = options.environment.hakurei.package.default;
+        in
+        pkgs.buildFHSEnv {
+          pname = "hakurei-fhs";
+          inherit (hakurei) version;
+          targetPkgs = _: hakurei.targetPkgs;
+          extraOutputsToInstall = [ "dev" ];
+          profile = ''
+            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+          '';
+        };
+    in
+    {
+      environment.systemPackages = [
+        # For go tests:
+        (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
+          cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
+          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
+        '')
+      ];
+
+      imports = [
+        ./configuration.nix
+
+        self.nixosModules.hakurei
+        self.inputs.home-manager.nixosModules.home-manager
+      ];
+    };
+
+  testScript = builtins.readFile ./test.py;
+}

cmd/sharefs/test/test.py

@@ -0,0 +1,60 @@
+start_all()
+machine.wait_for_unit("multi-user.target")
+
+# To check sharefs version:
+print(machine.succeed("sharefs -V"))
+
+# Make sure sharefs started:
+machine.wait_for_unit("sdcard.mount")
+
+machine.succeed("mkdir /mnt")
+def check_bad_opts_output(opts, want, source="/etc", privileged=False):
+    output = machine.fail(("" if privileged else "sudo -u alice -i ") + f"sharefs -f -o source={source},{opts} /mnt 2>&1")
+    if output != want:
+        raise Exception(f"unexpected output: {output}")
+
+# Malformed setuid/setgid representation:
+check_bad_opts_output("setuid=ff", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=ff", "sharefs: invalid value for option setgid\n")
+
+# Bounds check for setuid/setgid:
+check_bad_opts_output("setuid=0", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=0", "sharefs: invalid value for option setgid\n")
+check_bad_opts_output("setuid=-1", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=-1", "sharefs: invalid value for option setgid\n")
+
+# Non-root setuid/setgid:
+check_bad_opts_output("setuid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("setgid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("setuid=1023,setgid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("mkdir", "sharefs: mkdir has no effect when not starting as root\n")
+
+# Starting as root without setuid/setgid:
+check_bad_opts_output("allow_other", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+check_bad_opts_output("setuid=1023", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+check_bad_opts_output("setgid=1023", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+
+# Make sure nothing actually got mounted:
+machine.fail("umount /mnt")
+machine.succeed("rmdir /mnt")
+
+# Unprivileged mount/unmount:
+machine.succeed("sudo -u alice -i mkdir /home/alice/{sdcard,persistent}")
+machine.succeed("sudo -u alice -i sharefs -o source=/home/alice/persistent /home/alice/sdcard")
+machine.succeed("sudo -u alice -i touch /home/alice/sdcard/check")
+machine.succeed("sudo -u alice -i umount /home/alice/sdcard")
+machine.succeed("sudo -u alice -i rm /home/alice/persistent/check")
+machine.succeed("sudo -u alice -i rmdir /home/alice/{sdcard,persistent}")
+
+# Benchmark sharefs:
+machine.succeed("fs_mark -v -d /sdcard/fs_mark -l /tmp/fs_log.txt")
+machine.copy_from_vm("/tmp/fs_log.txt", "")
+
+# Check permissions:
+machine.succeed("sudo -u sharefs touch /var/lib/hakurei/sdcard/fs_mark/.check")
+machine.succeed("sudo -u sharefs rm /var/lib/hakurei/sdcard/fs_mark/.check")
+machine.succeed("sudo -u alice rm -rf /sdcard/fs_mark")
+machine.fail("ls /var/lib/hakurei/sdcard/fs_mark")
+
+# Run hakurei tests on sharefs:
+machine.succeed("sudo -u alice -i sharefs-workload-hakurei-tests")

container/autoetc.go

@@ -59,6 +59,7 @@ func (e *AutoEtcOp) apply(state *setupState, k syscallDispatcher) error {
 
 	return nil
 }
+func (e *AutoEtcOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (e *AutoEtcOp) hostPath() *check.Absolute { return fhs.AbsEtc.Append(e.hostRel()) }
 func (e *AutoEtcOp) hostRel() string           { return ".host/" + e.Prefix }

container/autoroot.go

@@ -69,6 +69,7 @@ func (r *AutoRootOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return nil
 }
+func (r *AutoRootOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (r *AutoRootOp) Is(op Op) bool {
 	vr, ok := op.(*AutoRootOp)

container/autoroot_test.go

@@ -202,7 +202,7 @@ func TestIsAutoRootBindable(t *testing.T) {
 			t.Parallel()
 			var msg message.Msg
 			if tc.log {
-				msg = &kstub{nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
+				msg = &kstub{nil, nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
 					call("verbose", stub.ExpectArgs{[]any{"got unexpected root entry"}}, nil, nil),
 				}})}
 			}

container/capability.go

@@ -14,6 +14,7 @@ const (
 
 	CAP_SYS_ADMIN    = 0x15
 	CAP_SETPCAP      = 0x8
+	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
 )
 

container/check/absolute.go

@@ -9,46 +9,60 @@ import (
 	"slices"
 	"strings"
 	"syscall"
+	"unique"
 )
 
 // AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
-type AbsoluteError struct{ Pathname string }
+type AbsoluteError string
 
-func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
-func (e *AbsoluteError) Is(target error) bool {
-	var ce *AbsoluteError
+func (e AbsoluteError) Error() string {
+	return fmt.Sprintf("path %q is not absolute", string(e))
+}
+
+func (e AbsoluteError) Is(target error) bool {
+	var ce AbsoluteError
 	if !errors.As(target, &ce) {
 		return errors.Is(target, syscall.EINVAL)
 	}
-	return *e == *ce
+	return e == ce
 }
 
 // Absolute holds a pathname checked to be absolute.
-type Absolute struct{ pathname string }
+type Absolute struct{ pathname unique.Handle[string] }
+
+// ok returns whether [Absolute] is not the zero value.
+func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
 // unsafeAbs returns [check.Absolute] on any string value.
-func unsafeAbs(pathname string) *Absolute { return &Absolute{pathname} }
+func unsafeAbs(pathname string) *Absolute {
+	return &Absolute{unique.Make(pathname)}
+}
 
+// String returns the checked pathname.
 func (a *Absolute) String() string {
-	if a.pathname == "" {
+	if !a.ok() {
 		panic("attempted use of zero Absolute")
 	}
+	return a.pathname.Value()
+}
+
+// Handle returns the underlying [unique.Handle].
+func (a *Absolute) Handle() unique.Handle[string] {
 	return a.pathname
 }
 
+// Is efficiently compares the underlying pathname.
 func (a *Absolute) Is(v *Absolute) bool {
 	if a == nil && v == nil {
 		return true
 	}
-	return a != nil && v != nil &&
-		a.pathname != "" && v.pathname != "" &&
-		a.pathname == v.pathname
+	return a.ok() && v.ok() && a.pathname == v.pathname
 }
 
 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
 	if !path.IsAbs(pathname) {
-		return nil, &AbsoluteError{pathname}
+		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
 }
@@ -56,7 +70,7 @@ func NewAbs(pathname string) (*Absolute, error) {
 // MustAbs calls [NewAbs] and panics on error.
 func MustAbs(pathname string) *Absolute {
 	if a, err := NewAbs(pathname); err != nil {
-		panic(err.Error())
+		panic(err)
 	} else {
 		return a
 	}
@@ -70,35 +84,49 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [path.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
 
-func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+// GobEncode returns the checked pathname.
+func (a *Absolute) GobEncode() ([]byte, error) {
+	return []byte(a.String()), nil
+}
+
+// GobDecode stores data if it represents an absolute pathname.
 func (a *Absolute) GobDecode(data []byte) error {
 	pathname := string(data)
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }
 
-func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+// MarshalJSON returns a JSON representation of the checked pathname.
+func (a *Absolute) MarshalJSON() ([]byte, error) {
+	return json.Marshal(a.String())
+}
+
+// UnmarshalJSON stores data if it represents an absolute pathname.
 func (a *Absolute) UnmarshalJSON(data []byte) error {
 	var pathname string
 	if err := json.Unmarshal(data, &pathname); err != nil {
 		return err
 	}
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
-	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+	slices.SortFunc(x, func(a, b *Absolute) int {
+		return strings.Compare(a.String(), b.String())
+	})
 }
 
 // CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
 func CompactAbs(s []*Absolute) []*Absolute {
-	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool {
+		return a.Is(b)
+	})
 }

container/check/absolute_test.go

@@ -14,8 +14,10 @@ import (
 	. "hakurei.app/container/check"
 )
 
+// unsafeAbs returns check.Absolute on any string value.
+//
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
-func unsafeAbs(_ string) *Absolute
+func unsafeAbs(pathname string) *Absolute
 
 func TestAbsoluteError(t *testing.T) {
 	t.Parallel()
@@ -29,8 +31,8 @@ func TestAbsoluteError(t *testing.T) {
 	}{
 		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
 		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
-		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
-		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
+		{"ne val", new(AbsoluteError), AbsoluteError("etc"), false},
+		{"equals", AbsoluteError("etc"), AbsoluteError("etc"), true},
 	}
 
 	for _, tc := range testCases {
@@ -43,7 +45,7 @@ func TestAbsoluteError(t *testing.T) {
 		t.Parallel()
 
 		want := `path "etc" is not absolute`
-		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
+		if got := (AbsoluteError("etc")).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
@@ -60,8 +62,8 @@ func TestNewAbs(t *testing.T) {
 		wantErr  error
 	}{
 		{"good", "/etc", MustAbs("/etc"), nil},
-		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
-		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
+		{"not absolute", "etc", nil, AbsoluteError("etc")},
+		{"zero", "", nil, AbsoluteError("")},
 	}
 
 	for _, tc := range testCases {
@@ -82,9 +84,9 @@ func TestNewAbs(t *testing.T) {
 		t.Parallel()
 
 		defer func() {
-			wantPanic := `path "etc" is not absolute`
+			wantPanic := AbsoluteError("etc")
 
-			if r := recover(); r != wantPanic {
+			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
 			}
 		}()
@@ -173,7 +175,7 @@ func TestCodecAbsolute(t *testing.T) {
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
-			&AbsoluteError{Pathname: "etc"},
+			AbsoluteError("etc"),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 

container/container.go

@@ -35,6 +35,8 @@ type (
 	// Container represents a container environment being prepared or run.
 	// None of [Container] methods are safe for concurrent use.
 	Container struct {
+		// Whether the container init should stay alive after its parent terminates.
+		AllowOrphan bool
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container,
@@ -252,8 +254,7 @@ func (p *Container) Start() error {
 	}
 	p.cmd.Dir = fhs.Root
 	p.cmd.SysProcAttr = &SysProcAttr{
-		Setsid:    !p.RetainSession,
-		Pdeathsig: SIGKILL,
+		Setsid: !p.RetainSession,
 		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
 			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
 
@@ -262,12 +263,17 @@ func (p *Container) Start() error {
 			CAP_SYS_ADMIN,
 			// drop capabilities
 			CAP_SETPCAP,
+			// bring up loopback interface
+			CAP_NET_ADMIN,
 			// overlay access to upperdir and workdir
 			CAP_DAC_OVERRIDE,
 		},
 
 		UseCgroupFD: p.Cgroup != nil,
 	}
+	if !p.AllowOrphan {
+		p.cmd.SysProcAttr.Pdeathsig = SIGKILL
+	}
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}

container/container_test.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/container/vfs"
@@ -29,6 +30,45 @@ import (
 	"hakurei.app/message"
 )
 
+// Note: this package requires cgo, which is unavailable in the Go playground.
+func Example() {
+	// Must be called early if the current process starts containers.
+	container.TryArgv0(nil)
+
+	// Configure the container.
+	z := container.New(context.Background(), nil)
+	z.Hostname = "hakurei-example"
+	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+
+	// Bind / for demonstration.
+	z.Bind(fhs.AbsRoot, fhs.AbsRoot, 0)
+	if name, err := exec.LookPath("hostname"); err != nil {
+		panic(err)
+	} else {
+		z.Path = check.MustAbs(name)
+	}
+
+	// This completes the first stage of container setup and starts the container init process.
+	// The new process blocks until the Serve method is called.
+	if err := z.Start(); err != nil {
+		panic(err)
+	}
+
+	// This serves the setup payload to the container init process,
+	// starting the second stage of container setup.
+	if err := z.Serve(); err != nil {
+		panic(err)
+	}
+
+	// Must be called if the Start method succeeds.
+	if err := z.Wait(); err != nil {
+		panic(err)
+	}
+
+	// Output: hakurei-example
+}
+
 func TestStartError(t *testing.T) {
 	t.Parallel()
 
@@ -234,13 +274,13 @@ var containerTestCases = []struct {
 			Dev(check.MustAbs("/dev"), true),
 		),
 		earlyMnt(
-			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
-			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", ignore, ignore),
+			ent("/null", "/dev/null", ignore, "devtmpfs", ignore, ignore),
+			ent("/zero", "/dev/zero", ignore, "devtmpfs", ignore, ignore),
+			ent("/full", "/dev/full", ignore, "devtmpfs", ignore, ignore),
+			ent("/random", "/dev/random", ignore, "devtmpfs", ignore, ignore),
+			ent("/urandom", "/dev/urandom", ignore, "devtmpfs", ignore, ignore),
+			ent("/tty", "/dev/tty", ignore, "devtmpfs", ignore, ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
@@ -252,13 +292,13 @@ var containerTestCases = []struct {
 			Dev(check.MustAbs("/dev"), false),
 		),
 		earlyMnt(
-			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
-			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
-			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", ignore, ignore),
+			ent("/null", "/dev/null", ignore, "devtmpfs", ignore, ignore),
+			ent("/zero", "/dev/zero", ignore, "devtmpfs", ignore, ignore),
+			ent("/full", "/dev/full", ignore, "devtmpfs", ignore, ignore),
+			ent("/random", "/dev/random", ignore, "devtmpfs", ignore, ignore),
+			ent("/urandom", "/dev/urandom", ignore, "devtmpfs", ignore, ignore),
+			ent("/tty", "/dev/tty", ignore, "devtmpfs", ignore, ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
@@ -650,11 +690,22 @@ func init() {
 						return fmt.Errorf("got more than %d entries", len(mnt))
 					}
 
-					// ugly hack but should be reliable and is less likely to false negative than comparing by parsed flags
-					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",relatime")
-					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",noatime")
-					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",relatime")
-					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",noatime")
+					// ugly hack but should be reliable and is less likely to
+					//false negative than comparing by parsed flags
+					for _, s := range []string{
+						"relatime",
+						"noatime",
+					} {
+						cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ","+s)
+						mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ","+s)
+					}
+					for _, s := range []string{
+						"seclabel",
+						"inode64",
+					} {
+						cur.FsOptstr = strings.Replace(cur.FsOptstr, ","+s, "", 1)
+						mnt[i].FsOptstr = strings.Replace(mnt[i].FsOptstr, ","+s, "", 1)
+					}
 
 					if !cur.EqualWithIgnore(mnt[i], "\x00") {
 						fail = true
@@ -722,12 +773,14 @@ func TestMain(m *testing.M) {
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
+	executable := check.MustAbs(container.MustExecutable(msg))
+
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(check.MustAbs(os.Args[0]), absHelperInnerPath, 0)
+	c.Bind(executable, absHelperInnerPath, 0)
 
 	// in case test has cgo enabled
-	if entries, err := ldd.Exec(ctx, msg, os.Args[0]); err != nil {
+	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)

container/dispatcher.go

@@ -61,6 +61,8 @@ type syscallDispatcher interface {
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
+	// mustLoopback provides mustLoopback.
+	mustLoopback(msg message.Msg)
 
 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -164,6 +166,7 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
+func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
 
 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)

container/dispatcher_test.go

@@ -162,7 +162,8 @@ func checkSimple(t *testing.T, fname string, testCases []simpleTestCase) {
 			t.Parallel()
 
 			wait4signal := make(chan struct{})
-			k := &kstub{wait4signal, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, s} }, tc.want)}
+			lockNotify := make(chan struct{})
+			k := &kstub{wait4signal, lockNotify, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, lockNotify, s} }, tc.want)}
 			defer stub.HandleExit(t)
 			if err := tc.f(k); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%s: error = %v, want %v", fname, err, tc.wantErr)
@@ -200,8 +201,8 @@ func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
 				t.Helper()
 				t.Parallel()
 
-				k := &kstub{nil, stub.New(t,
-					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, s} },
+				k := &kstub{nil, nil, stub.New(t,
+					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, nil, s} },
 					stub.Expect{Calls: slices.Concat(tc.early, []stub.Call{{Name: stub.CallSeparator}}, tc.apply)},
 				)}
 				state := &setupState{Params: tc.params, Msg: k}
@@ -322,12 +323,19 @@ const (
 
 type kstub struct {
 	wait4signal chan struct{}
+	lockNotify  chan struct{}
 	*stub.Stub[syscallDispatcher]
 }
 
 func (k *kstub) new(f func(k syscallDispatcher)) { k.Helper(); k.New(f) }
 
-func (k *kstub) lockOSThread() { k.Helper(); k.Expects("lockOSThread") }
+func (k *kstub) lockOSThread() {
+	k.Helper()
+	expect := k.Expects("lockOSThread")
+	if k.lockNotify != nil && expect.Ret == magicWait4Signal {
+		<-k.lockNotify
+	}
+}
 
 func (k *kstub) setPtracer(pid uintptr) error {
 	k.Helper()
@@ -457,6 +465,8 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 
+func (*kstub) mustLoopback(message.Msg) { /* noop */ }
+
 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
@@ -472,6 +482,10 @@ func (k *kstub) notify(c chan<- os.Signal, sig ...os.Signal) {
 		k.FailNow()
 	}
 
+	if k.lockNotify != nil && expect.Ret == magicWait4Signal {
+		defer close(k.lockNotify)
+	}
+
 	// export channel for external instrumentation
 	if chanf, ok := expect.Args[0].(func(c chan<- os.Signal)); ok && chanf != nil {
 		chanf(c)
@@ -759,7 +773,8 @@ func (k *kstub) checkMsg(msg message.Msg) {
 }
 
 func (k *kstub) GetLogger() *log.Logger { panic("unreachable") }
-func (k *kstub) IsVerbose() bool        { panic("unreachable") }
+
+func (k *kstub) IsVerbose() bool { k.Helper(); return k.Expects("isVerbose").Ret.(bool) }
 
 func (k *kstub) SwapVerbose(verbose bool) bool {
 	k.Helper()

container/errors.go

@@ -7,31 +7,36 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/container/vfs"
+	"hakurei.app/message"
 )
 
 // messageFromError returns a printable error message for a supported concrete type.
-func messageFromError(err error) (string, bool) {
-	if m, ok := messagePrefixP[MountError]("cannot ", err); ok {
-		return m, ok
+func messageFromError(err error) (m string, ok bool) {
+	if m, ok = messagePrefixP[MountError]("cannot ", err); ok {
+		return
 	}
-	if m, ok := messagePrefixP[os.PathError]("cannot ", err); ok {
-		return m, ok
+	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
+		return
 	}
-	if m, ok := messagePrefixP[check.AbsoluteError]("", err); ok {
-		return m, ok
+	if m, ok = messagePrefix[check.AbsoluteError](zeroString, err); ok {
+		return
 	}
-	if m, ok := messagePrefix[OpRepeatError]("", err); ok {
-		return m, ok
+	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
+		return
 	}
-	if m, ok := messagePrefix[OpStateError]("", err); ok {
-		return m, ok
+	if m, ok = messagePrefix[OpStateError](zeroString, err); ok {
+		return
 	}
 
-	if m, ok := messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
-		return m, ok
+	if m, ok = messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
+		return
 	}
-	if m, ok := messagePrefix[TmpfsSizeError]("", err); ok {
-		return m, ok
+	if m, ok = messagePrefix[TmpfsSizeError](zeroString, err); ok {
+		return
+	}
+
+	if m, ok = message.GetMessage(err); ok {
+		return
 	}
 
 	return zeroString, false

container/errors_test.go

@@ -37,7 +37,7 @@ func TestMessageFromError(t *testing.T) {
 			Err:  stub.UniqueError(0xdeadbeef),
 		}, "cannot mount /sysroot: unique error 3735928559 injected by the test suite", true},
 
-		{"absolute", &check.AbsoluteError{Pathname: "etc/mtab"},
+		{"absolute", check.AbsoluteError("etc/mtab"),
 			`path "etc/mtab" is not absolute`, true},
 
 		{"repeat", OpRepeatError("autoetc"),

container/fhs/abs.go

@@ -8,8 +8,10 @@ import (
 
 /* constants in this file bypass abs check, be extremely careful when changing them! */
 
+// unsafeAbs returns check.Absolute on any string value.
+//
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
-func unsafeAbs(_ string) *check.Absolute
+func unsafeAbs(pathname string) *check.Absolute
 
 var (
 	// AbsRoot is [Root] as [check.Absolute].
@@ -24,6 +26,8 @@ var (
 	// AbsRunUser is [RunUser] as [check.Absolute].
 	AbsRunUser = unsafeAbs(RunUser)
 
+	// AbsUsr is [Usr] as [check.Absolute].
+	AbsUsr = unsafeAbs(Usr)
 	// AbsUsrBin is [UsrBin] as [check.Absolute].
 	AbsUsrBin = unsafeAbs(UsrBin)
 
@@ -34,6 +38,8 @@ var (
 
 	// AbsDev is [Dev] as [check.Absolute].
 	AbsDev = unsafeAbs(Dev)
+	// AbsDevShm is [DevShm] as [check.Absolute].
+	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
 	// AbsSys is [Sys] as [check.Absolute].

container/fhs/fhs.go

@@ -29,6 +29,8 @@ const (
 
 	// Dev points to the root directory for device nodes.
 	Dev = "/dev/"
+	// DevShm is the place for POSIX shared memory segments, as created via shm_open(3).
+	DevShm = "/dev/shm/"
 	// Proc points to a virtual kernel file system exposing the process list and other functionality.
 	Proc = "/proc/"
 	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.

container/init.go

@@ -1,6 +1,7 @@
 package container
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"log"
@@ -9,6 +10,8 @@ import (
 	"path"
 	"slices"
 	"strconv"
+	"sync"
+	"sync/atomic"
 	. "syscall"
 	"time"
 
@@ -18,24 +21,28 @@ import (
 )
 
 const (
-	/* intermediate tmpfs mount point
+	/* intermediateHostPath is the pathname of the intermediate tmpfs mount point.
 
-	this path might seem like a weird choice, however there are many good reasons to use it:
-	- the contents of this path is never exposed to the container:
-	  the tmpfs root established here effectively becomes anonymous after pivot_root
-	- it is safe to assume this path exists and is a directory:
-	  this program will not work correctly without a proper /proc and neither will most others
-	- this path belongs to the container init:
-	  the container init is not any more privileged or trusted than the rest of the container
-	- this path is only accessible by init and root:
-	  the container init sets SUID_DUMP_DISABLE and terminates if that fails;
+	This path might seem like a weird choice, however there are many good reasons to use it:
+	- The contents of this path is never exposed to the container:
+	  The tmpfs root established here effectively becomes anonymous after pivot_root.
+	- It is safe to assume this path exists and is a directory:
+	  This program will not work correctly without a proper /proc and neither will most others.
+	- This path belongs to the container init:
+	  The container init is not any more privileged or trusted than the rest of the container.
+	- This path is only accessible by init and root:
+	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.
 
-	it should be noted that none of this should become relevant at any point since the resulting
-	intermediate root tmpfs should be effectively anonymous */
+	It should be noted that none of this should become relevant at any point since the resulting
+	intermediate root tmpfs should be effectively anonymous. */
 	intermediateHostPath = fhs.Proc + "self/fd"
 
-	// setup params file descriptor
+	// setupEnv is the name of the environment variable holding the string representation of
+	// the read end file descriptor of the setup params pipe.
 	setupEnv = "HAKUREI_SETUP"
+
+	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
+	exitUnexpectedWait4 = 2
 )
 
 type (
@@ -49,6 +56,8 @@ type (
 		early(state *setupState, k syscallDispatcher) error
 		// apply is called in intermediate root.
 		apply(state *setupState, k syscallDispatcher) error
+		// late is called right before starting the initial process.
+		late(state *setupState, k syscallDispatcher) error
 
 		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
 		prefix() (string, bool)
@@ -61,11 +70,29 @@ type (
 	// setupState persists context between Ops.
 	setupState struct {
 		nonrepeatable uintptr
+
+		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
+		processConcluded bool
+		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
+		process map[int]WaitStatus
+		// Synchronises access to process.
+		processMu sync.RWMutex
+
 		*Params
+		context.Context
 		message.Msg
 	}
 )
 
+// terminated returns whether the specified pid has been reaped, and its
+// syscall.WaitStatus if it had. This is only usable by [Op].
+func (state *setupState) terminated(pid int) (wstatus WaitStatus, ok bool) {
+	state.processMu.RLock()
+	wstatus, ok = state.process[pid]
+	state.processMu.RUnlock()
+	return
+}
+
 // Grow grows the slice Ops points to using [slices.Grow].
 func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
 
@@ -143,6 +170,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		offsetSetup = int(setupFd + 1)
 	}
 
+	if !params.HostNet {
+		k.mustLoopback(msg)
+	}
+
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
@@ -180,7 +211,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
 	}
 
-	state := &setupState{Params: &params.Params, Msg: msg}
+	ctx, cancel := context.WithCancel(context.Background())
+	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
+	defer cancel()
 
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be difficult to obtain
@@ -330,6 +363,97 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 	k.umask(oldmask)
 
+	// winfo represents an exited process from wait4.
+	type winfo struct {
+		wpid    int
+		wstatus WaitStatus
+	}
+
+	// info is closed as the wait4 thread terminates
+	// when there are no longer any processes left to reap
+	info := make(chan winfo, 1)
+
+	// whether initial process has started
+	var initialProcessStarted atomic.Bool
+
+	k.new(func(k syscallDispatcher) {
+		k.lockOSThread()
+
+	wait4:
+		var (
+			err     error
+			wpid    = -2
+			wstatus WaitStatus
+
+			// whether initial process has started
+			started bool
+		)
+
+		// keep going until no child process is left
+		for wpid != -1 {
+			if err != nil {
+				break
+			}
+
+			if wpid != -2 {
+				if !state.processConcluded {
+					state.processMu.Lock()
+					if state.process == nil {
+						// early reaping has already concluded at this point
+						state.processConcluded = true
+						info <- winfo{wpid, wstatus}
+					} else {
+						// initial process has not yet been created, and the
+						// info channel is not yet being received from
+						state.process[wpid] = wstatus
+					}
+					state.processMu.Unlock()
+				} else {
+					info <- winfo{wpid, wstatus}
+				}
+			}
+
+			if !started {
+				started = initialProcessStarted.Load()
+			}
+
+			err = EINTR
+			for errors.Is(err, EINTR) {
+				wpid, err = k.wait4(-1, &wstatus, 0, nil)
+			}
+		}
+
+		if !errors.Is(err, ECHILD) {
+			k.printf(msg, "unexpected wait4 response: %v", err)
+		} else if !started {
+			// initial process has not yet been reached and all daemons
+			// terminated or none were started in the first place
+			time.Sleep(500 * time.Microsecond)
+			goto wait4
+		}
+
+		close(info)
+	})
+
+	// called right before startup of initial process, all state changes to the
+	// current process is prohibited during late
+	for i, op := range *params.Ops {
+		// ops already checked during early setup
+		if err := op.late(state, k); err != nil {
+			if m, ok := messageFromError(err); ok {
+				k.fatal(msg, m)
+			} else if errors.Is(err, context.DeadlineExceeded) {
+				k.fatalf(msg, "%s deadline exceeded", op.String())
+			} else {
+				k.fatalf(msg, "cannot complete op at index %d: %v", i, err)
+			}
+		}
+	}
+	// early reaping has concluded, this must happen before initial process is created
+	state.processMu.Lock()
+	state.process = nil
+	state.processMu.Unlock()
+
 	if err := closeSetup(); err != nil {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
@@ -341,50 +465,11 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = params.Dir.String()
 
-	msg.Verbosef("starting initial program %s", params.Path)
+	msg.Verbosef("starting initial process %s", params.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-
-	type winfo struct {
-		wpid    int
-		wstatus WaitStatus
-	}
-
-	// info is closed as the wait4 thread terminates
-	// when there are no longer any processes left to reap
-	info := make(chan winfo, 1)
-
-	k.new(func(k syscallDispatcher) {
-		k.lockOSThread()
-
-		var (
-			err     error
-			wpid    = -2
-			wstatus WaitStatus
-		)
-
-		// keep going until no child process is left
-		for wpid != -1 {
-			if err != nil {
-				break
-			}
-
-			if wpid != -2 {
-				info <- winfo{wpid, wstatus}
-			}
-
-			err = EINTR
-			for errors.Is(err, EINTR) {
-				wpid, err = k.wait4(-1, &wstatus, 0, nil)
-			}
-		}
-		if !errors.Is(err, ECHILD) {
-			k.printf(msg, "unexpected wait4 response: %v", err)
-		}
-
-		close(info)
-	})
+	initialProcessStarted.Store(true)
 
 	// handle signals to dump withheld messages
 	sig := make(chan os.Signal, 2)
@@ -394,7 +479,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
 
-	r := 2
+	r := exitUnexpectedWait4
 	for {
 		select {
 		case s := <-sig:
@@ -426,6 +511,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 			}
 
 			if w.wpid == cmd.Process.Pid {
+				// cancel Op context early
+				cancel()
+
 				// start timeout early
 				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
 

container/init_test.go

@@ -1983,11 +1983,20 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(13)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, nil, stub.UniqueError(12)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(12)}}, nil, nil),
 			},
+
+			/* wait4 */
+			Tracks: []stub.Expect{{Calls: []stub.Call{
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
+
+				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
+				call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
+			}}},
 		}, nil},
 
 		{"lowlastcap signaled cancel forward error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
@@ -2062,11 +2071,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(10)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{"forwarding context cancellation"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
 				call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", os.Interrupt}, magicWait4Signal, stub.UniqueError(9)),
@@ -2081,7 +2090,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
 				call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
@@ -2162,11 +2171,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbosef", stub.ExpectArgs{"got %s, forwarding to initial process", []any{"quit"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
 				call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", syscall.SIGQUIT}, magicWait4Signal, stub.UniqueError(0xfe)),
@@ -2181,7 +2190,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
 				call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
@@ -2262,11 +2271,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbosef", stub.ExpectArgs{"got %s", []any{"interrupt"}}, nil, nil),
 				call("beforeExit", stub.ExpectArgs{}, nil, nil),
 				call("exit", stub.ExpectArgs{0}, nil, nil),
@@ -2274,7 +2283,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
@@ -2353,11 +2362,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(5)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
@@ -2368,7 +2377,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil),
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
@@ -2448,11 +2457,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(3)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
@@ -2462,7 +2471,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
@@ -2586,11 +2595,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(1)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"initial process exited with code %d", []any{1}}, nil, nil),
@@ -2600,7 +2609,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
@@ -2728,11 +2737,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(11), "extra file 1"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(12), "extra file 2"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
+				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(0)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/bin/zsh")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil),
-				call("New", stub.ExpectArgs{}, nil, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2743,7 +2752,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),

container/initbind.go

@@ -90,6 +90,7 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.bindMount(state, source, target, flags)
 }
+func (b *BindMountOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (b *BindMountOp) Is(op Op) bool {
 	vb, ok := op.(*BindMountOp)

container/initdaemon.go

@@ -0,0 +1,134 @@
+package container
+
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"slices"
+	"strconv"
+	"syscall"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+)
+
+func init() { gob.Register(new(DaemonOp)) }
+
+const (
+	// daemonTimeout is the duration a [DaemonOp] is allowed to block before the
+	// [DaemonOp.Target] marker becomes available.
+	daemonTimeout = 5 * time.Second
+)
+
+// Daemon appends an [Op] that starts a daemon in the container and blocks until
+// [DaemonOp.Target] appears.
+func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
+	*f = append(*f, &DaemonOp{target, path, args})
+	return f
+}
+
+// DaemonOp starts a daemon in the container and blocks until Target appears.
+type DaemonOp struct {
+	// Pathname indicating readiness of daemon.
+	Target *check.Absolute
+	// Absolute pathname passed to [exec.Cmd].
+	Path *check.Absolute
+	// Arguments (excl. first) passed to [exec.Cmd].
+	Args []string
+}
+
+// earlyTerminationError is returned by [DaemonOp] when a daemon terminates
+// before [DaemonOp.Target] appears.
+type earlyTerminationError struct {
+	// Returned by [DaemonOp.String].
+	op string
+	// Copied from wait4 loop.
+	wstatus syscall.WaitStatus
+}
+
+func (e *earlyTerminationError) Error() string {
+	res := ""
+	switch {
+	case e.wstatus.Exited():
+		res = "exit status " + strconv.Itoa(e.wstatus.ExitStatus())
+	case e.wstatus.Signaled():
+		res = "signal: " + e.wstatus.Signal().String()
+	case e.wstatus.Stopped():
+		res = "stop signal: " + e.wstatus.StopSignal().String()
+		if e.wstatus.StopSignal() == syscall.SIGTRAP && e.wstatus.TrapCause() != 0 {
+			res += " (trap " + strconv.Itoa(e.wstatus.TrapCause()) + ")"
+		}
+	case e.wstatus.Continued():
+		res = "continued"
+	}
+	if e.wstatus.CoreDump() {
+		res += " (core dumped)"
+	}
+	return res
+}
+
+func (e *earlyTerminationError) Message() string { return e.op + " " + e.Error() }
+
+func (d *DaemonOp) Valid() bool                                { return d != nil && d.Target != nil && d.Path != nil }
+func (d *DaemonOp) early(*setupState, syscallDispatcher) error { return nil }
+func (d *DaemonOp) apply(*setupState, syscallDispatcher) error { return nil }
+func (d *DaemonOp) late(state *setupState, k syscallDispatcher) error {
+	cmd := exec.CommandContext(state.Context, d.Path.String(), d.Args...)
+	cmd.Env = state.Env
+	cmd.Dir = fhs.Root
+	if state.IsVerbose() {
+		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	}
+	// WaitDelay: left unset because lifetime is bound by AdoptWaitDelay on cancellation
+	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
+
+	state.Verbosef("starting %s", d.String())
+	if err := k.start(cmd); err != nil {
+		return err
+	}
+
+	deadline := time.Now().Add(daemonTimeout)
+	var wstatusErr error
+
+	for {
+		if _, err := k.stat(d.Target.String()); err != nil {
+			if !errors.Is(err, os.ErrNotExist) {
+				_ = k.signal(cmd, os.Kill)
+				return err
+			}
+
+			if time.Now().After(deadline) {
+				_ = k.signal(cmd, os.Kill)
+				return context.DeadlineExceeded
+			}
+
+			if wstatusErr != nil {
+				return wstatusErr
+			}
+			if wstatus, ok := state.terminated(cmd.Process.Pid); ok {
+				// check once again: process could have satisfied Target between stat and the lookup
+				wstatusErr = &earlyTerminationError{d.String(), wstatus}
+				continue
+			}
+
+			time.Sleep(500 * time.Microsecond)
+			continue
+		}
+
+		state.Verbosef("daemon process %d ready", cmd.Process.Pid)
+		return nil
+	}
+}
+
+func (d *DaemonOp) Is(op Op) bool {
+	vd, ok := op.(*DaemonOp)
+	return ok && d.Valid() && vd.Valid() &&
+		d.Target.Is(vd.Target) && d.Path.Is(vd.Path) &&
+		slices.Equal(d.Args, vd.Args)
+}
+func (*DaemonOp) prefix() (string, bool) { return zeroString, false }
+func (d *DaemonOp) String() string       { return fmt.Sprintf("daemon providing %q", d.Target) }

container/initdaemon_test.go

@@ -0,0 +1,127 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+	"hakurei.app/message"
+)
+
+func TestEarlyTerminationError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		err  error
+		want string
+		msg  string
+	}{
+		{"exited", &earlyTerminationError{
+			`daemon providing "/run/user/1971/pulse/native"`, 127 << 8,
+		}, "exit status 127", `daemon providing "/run/user/1971/pulse/native" exit status 127`},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.err.Error(); got != tc.want {
+				t.Errorf("Error: %q, want %q", got, tc.want)
+			}
+			if got := tc.err.(message.Error).Message(); got != tc.msg {
+				t.Errorf("Message: %s, want %s", got, tc.msg)
+			}
+		})
+	}
+}
+
+func TestDaemonOp(t *testing.T) {
+	t.Parallel()
+
+	checkSimple(t, "DaemonOp.late", []simpleTestCase{
+		{"success", func(k *kstub) error {
+			state := setupState{Params: &Params{Env: []string{"\x00"}}, Context: t.Context(), Msg: k}
+			return (&DaemonOp{
+				Target: check.MustAbs("/run/user/1971/pulse/native"),
+				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+				Args:   []string{"-v"},
+			}).late(&state, k)
+		}, stub.Expect{Calls: []stub.Call{
+			call("isVerbose", stub.ExpectArgs{}, true, nil),
+			call("verbosef", stub.ExpectArgs{"starting %s", []any{`daemon providing "/run/user/1971/pulse/native"`}}, nil, nil),
+			call("start", stub.ExpectArgs{"/run/current-system/sw/bin/pipewire-pulse", []string{"/run/current-system/sw/bin/pipewire-pulse", "-v"}, []string{"\x00"}, "/"}, &os.Process{Pid: 0xcafe}, nil),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), nil),
+			call("verbosef", stub.ExpectArgs{"daemon process %d ready", []any{0xcafe}}, nil, nil),
+		}}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*DaemonOp)(nil), false},
+		{"zero", new(DaemonOp), false},
+		{"valid", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+			Args:   []string{"-v"},
+		}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"pipewire-pulse", new(Ops).Daemon(
+			check.MustAbs("/run/user/1971/pulse/native"),
+			check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"), "-v",
+		), Ops{
+			&DaemonOp{
+				Target: check.MustAbs("/run/user/1971/pulse/native"),
+				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+				Args:   []string{"-v"},
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(DaemonOp), new(DaemonOp), false},
+
+		{"args differs", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+			Args:   []string{"-v"},
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, false},
+
+		{"path differs", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire"),
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, false},
+
+		{"target differs", &DaemonOp{
+			Target: check.MustAbs("/run/user/65534/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, false},
+
+		{"equals", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"pipewire-pulse", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+		}, zeroString, `daemon providing "/run/user/1971/pulse/native"`},
+	})
+}

container/initdev.go

@@ -126,6 +126,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
 }
+func (d *MountDevOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (d *MountDevOp) Is(op Op) bool {
 	vd, ok := op.(*MountDevOp)

container/initmkdir.go

@@ -27,6 +27,7 @@ func (m *MkdirOp) early(*setupState, syscallDispatcher) error { return nil }
 func (m *MkdirOp) apply(_ *setupState, k syscallDispatcher) error {
 	return k.mkdirAll(toSysroot(m.Path.String()), m.Perm)
 }
+func (m *MkdirOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (m *MkdirOp) Is(op Op) bool {
 	vm, ok := op.(*MkdirOp)

container/initoverlay.go

@@ -205,6 +205,8 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
 }
 
+func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
+
 func (o *MountOverlayOp) Is(op Op) bool {
 	vo, ok := op.(*MountOverlayOp)
 	return ok && o.Valid() && vo.Valid() &&

container/initoverlay_test.go

@@ -312,7 +312,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},
 
-		{"ephemeral", new(Ops).OverlayEphemeral(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"ephemeral", new(Ops).OverlayEphemeral(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
@@ -320,7 +323,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},
 
-		{"readonly", new(Ops).OverlayReadonly(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"readonly", new(Ops).OverlayReadonly(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},

container/initplace.go

@@ -57,6 +57,7 @@ func (t *TmpfileOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return nil
 }
+func (t *TmpfileOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (t *TmpfileOp) Is(op Op) bool {
 	vt, ok := op.(*TmpfileOp)

container/initproc.go

@@ -28,6 +28,7 @@ func (p *MountProcOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString)
 }
+func (p *MountProcOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (p *MountProcOp) Is(op Op) bool {
 	vp, ok := op.(*MountProcOp)

container/initremount.go

@@ -26,6 +26,7 @@ func (*RemountOp) early(*setupState, syscallDispatcher) error { return nil }
 func (r *RemountOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.remount(state, toSysroot(r.Target.String()), r.Flags)
 }
+func (r *RemountOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (r *RemountOp) Is(op Op) bool {
 	vr, ok := op.(*RemountOp)

container/initsymlink.go

@@ -31,7 +31,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN
 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
 		if !path.IsAbs(l.LinkName) {
-			return &check.AbsoluteError{Pathname: l.LinkName}
+			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
 			return err
@@ -50,6 +50,8 @@ func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.symlink(l.LinkName, target)
 }
 
+func (l *SymlinkOp) late(*setupState, syscallDispatcher) error { return nil }
+
 func (l *SymlinkOp) Is(op Op) bool {
 	vl, ok := op.(*SymlinkOp)
 	return ok && l.Valid() && vl.Valid() &&

container/initsymlink_test.go

@@ -23,7 +23,7 @@ func TestSymlinkOp(t *testing.T) {
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "etc/mtab",
 			Dereference: true,
-		}, nil, &check.AbsoluteError{Pathname: "etc/mtab"}, nil, nil},
+		}, nil, check.AbsoluteError("etc/mtab"), nil, nil},
 
 		{"readlink", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),

container/inittmpfs.go

@@ -48,6 +48,7 @@ func (t *MountTmpfsOp) apply(_ *setupState, k syscallDispatcher) error {
 	}
 	return k.mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
 }
+func (t *MountTmpfsOp) late(*setupState, syscallDispatcher) error { return nil }
 
 func (t *MountTmpfsOp) Is(op Op) bool {
 	vt, ok := op.(*MountTmpfsOp)

container/netlink.go

@@ -0,0 +1,269 @@
+package container
+
+import (
+	"encoding/binary"
+	"errors"
+	"net"
+	"os"
+	. "syscall"
+	"unsafe"
+
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+// rtnetlink represents a NETLINK_ROUTE socket.
+type rtnetlink struct {
+	// Sent as part of rtnetlink messages.
+	pid uint32
+	// AF_NETLINK socket.
+	fd int
+	// Whether the socket is open.
+	ok bool
+	// Message sequence number.
+	seq uint32
+}
+
+// open creates the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) open() (err error) {
+	if s.ok || s.fd < 0 {
+		return os.ErrInvalid
+	}
+
+	s.pid = uint32(Getpid())
+	if s.fd, err = Socket(
+		AF_NETLINK,
+		SOCK_RAW|SOCK_CLOEXEC,
+		NETLINK_ROUTE,
+	); err != nil {
+		return os.NewSyscallError("socket", err)
+	} else if err = Bind(s.fd, &SockaddrNetlink{
+		Family: AF_NETLINK,
+		Pid:    s.pid,
+	}); err != nil {
+		_ = s.close()
+		return os.NewSyscallError("bind", err)
+	} else {
+		s.ok = true
+		return nil
+	}
+}
+
+// close closes the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) close() error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	s.ok = false
+	err := Close(s.fd)
+	s.fd = -1
+	return err
+}
+
+// roundtrip sends a netlink message and handles the reply.
+func (s *rtnetlink) roundtrip(data []byte) error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	defer func() { s.seq++ }()
+
+	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
+		Family: AF_NETLINK,
+	}); err != nil {
+		return os.NewSyscallError("sendto", err)
+	}
+	buf := make([]byte, Getpagesize())
+
+done:
+	for {
+		p := buf
+		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
+			return os.NewSyscallError("recvfrom", err)
+		} else if n < NLMSG_HDRLEN {
+			return errors.ErrUnsupported
+		} else {
+			p = p[:n]
+		}
+
+		if msgs, err := ParseNetlinkMessage(p); err != nil {
+			return err
+		} else {
+			for _, m := range msgs {
+				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
+					return errors.ErrUnsupported
+				}
+				if m.Header.Type == NLMSG_DONE {
+					break done
+				}
+				if m.Header.Type == NLMSG_ERROR {
+					if len(m.Data) >= 4 {
+						errno := Errno(-std.ScmpInt(binary.NativeEndian.Uint32(m.Data)))
+						if errno == 0 {
+							return nil
+						}
+						return errno
+					}
+					return errors.ErrUnsupported
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
+func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
+	err := s.roundtrip(data)
+	if err == nil {
+		return
+	}
+	if closeErr := Close(s.fd); closeErr != nil {
+		msg.Verbosef("cannot close: %v", err)
+	}
+
+	switch err.(type) {
+	case *os.SyscallError:
+		msg.GetLogger().Fatalf("cannot %v", err)
+
+	case Errno:
+		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+	default:
+		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
+	}
+}
+
+// newaddrLo represents a RTM_NEWADDR message with two addresses.
+type newaddrLo struct {
+	header NlMsghdr
+	data   IfAddrmsg
+
+	r0 RtAttr
+	a0 [4]byte // in_addr
+	r1 RtAttr
+	a1 [4]byte // in_addr
+}
+
+// sizeofNewaddrLo is the expected size of newaddrLo.
+const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
+
+// newaddrLo returns the address of a populated newaddrLo.
+func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
+	return &newaddrLo{NlMsghdr{
+		Len:   sizeofNewaddrLo,
+		Type:  RTM_NEWADDR,
+		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfAddrmsg{
+		Family:    AF_INET,
+		Prefixlen: 8,
+		Flags:     IFA_F_PERMANENT,
+		Scope:     RT_SCOPE_HOST,
+		Index:     uint32(lo),
+	}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
+		Type: IFA_LOCAL,
+	}, [4]byte{127, 0, 0, 1}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
+		Type: IFA_ADDRESS,
+	}, [4]byte{127, 0, 0, 1}}
+}
+
+func (msg *newaddrLo) toWireFormat() []byte {
+	var buf [sizeofNewaddrLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	buf[17] = msg.data.Prefixlen
+	buf[18] = msg.data.Flags
+	buf[19] = msg.data.Scope
+	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+
+	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
+	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
+	copy(buf[28:32], msg.a0[:])
+	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
+	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
+	copy(buf[36:40], msg.a1[:])
+
+	return buf[:]
+}
+
+// newlinkLo represents a RTM_NEWLINK message.
+type newlinkLo struct {
+	header NlMsghdr
+	data   IfInfomsg
+}
+
+// sizeofNewlinkLo is the expected size of newlinkLo.
+const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
+
+// newlinkLo returns the address of a populated newlinkLo.
+func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
+	return &newlinkLo{NlMsghdr{
+		Len:   sizeofNewlinkLo,
+		Type:  RTM_NEWLINK,
+		Flags: NLM_F_REQUEST | NLM_F_ACK,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfInfomsg{
+		Family: AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  IFF_UP,
+		Change: IFF_UP,
+	}}
+}
+
+func (msg *newlinkLo) toWireFormat() []byte {
+	var buf [sizeofNewlinkLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
+	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
+	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
+
+	return buf[:]
+}
+
+// mustLoopback creates the loopback address and brings the lo interface up.
+// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
+// user-facing error message if RTNETLINK behaves unexpectedly.
+func mustLoopback(msg message.Msg) {
+	log := msg.GetLogger()
+
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		log.Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	var s rtnetlink
+	if err := s.open(); err != nil {
+		log.Fatalln(err)
+	}
+	defer func() {
+		if err := s.close(); err != nil {
+			msg.Verbosef("cannot close netlink: %v", err)
+		}
+	}()
+
+	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
+	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
+}

container/netlink_test.go

@@ -0,0 +1,72 @@
+package container
+
+import (
+	"testing"
+	"unsafe"
+)
+
+func TestSizeof(t *testing.T) {
+	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
+		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
+	}
+
+	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
+		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
+	}
+}
+
+func TestRtnetlinkMessage(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  interface{ toWireFormat() []byte }
+		want []byte
+	}{
+		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
+			/* Len   */ 0x28, 0, 0, 0,
+			/* Type  */ 0x14, 0,
+			/* Flags */ 5, 6,
+			/* Seq   */ 0, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family    */ 2,
+			/* Prefixlen */ 8,
+			/* Flags     */ 0x80,
+			/* Scope     */ 0xfe,
+			/* Index     */ 1, 0, 0, 0,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 2, 0,
+			/* in_addr */ 127, 0, 0, 1,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 1, 0,
+			/* in_addr */ 127, 0, 0, 1,
+		}},
+
+		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
+			/* Len   */ 0x20, 0, 0, 0,
+			/* Type  */ 0x10, 0,
+			/* Flags */ 5, 0,
+			/* Seq   */ 1, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family */ 0,
+			/* pad    */ 0,
+			/* Type   */ 0, 0,
+			/* Index  */ 1, 0, 0, 0,
+			/* Flags  */ 1, 0, 0, 0,
+			/* Change */ 1, 0, 0, 0,
+		}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
+				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}

container/seccomp/libseccomp-helper.c

@@ -9,136 +9,130 @@
 
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
 
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
-                                 uint32_t arch, uint32_t multiarch,
-                                 struct hakurei_syscall_rule *rules,
-                                 size_t rules_sz, hakurei_export_flag flags) {
-  int i;
-  int last_allowed_family;
-  int disallowed;
-  struct hakurei_syscall_rule *rule;
-  void *buf;
-  size_t len = 0;
+int32_t hakurei_scmp_make_filter(
+    int *ret_p, uintptr_t allocate_p,
+    uint32_t arch, uint32_t multiarch,
+    struct hakurei_syscall_rule *rules,
+    size_t rules_sz, hakurei_export_flag flags) {
+    int i;
+    int last_allowed_family;
+    int disallowed;
+    struct hakurei_syscall_rule *rule;
+    void *buf;
+    size_t len = 0;
 
-  int32_t res = 0; /* refer to resPrefix for message */
+    int32_t res = 0; /* refer to resPrefix for message */
 
-  /* Blocklist all but unix, inet, inet6 and netlink */
-  struct {
-    int family;
-    hakurei_export_flag flags_mask;
-  } socket_family_allowlist[] = {
-      /* NOTE: Keep in numerical order */
-      {AF_UNSPEC, 0},
-      {AF_LOCAL, 0},
-      {AF_INET, 0},
-      {AF_INET6, 0},
-      {AF_NETLINK, 0},
-      {AF_CAN, HAKUREI_EXPORT_CAN},
-      {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
-  };
+    /* Blocklist all but unix, inet, inet6 and netlink */
+    struct {
+        int family;
+        hakurei_export_flag flags_mask;
+    } socket_family_allowlist[] = {
+        /* NOTE: Keep in numerical order */
+        {AF_UNSPEC, 0},
+        {AF_LOCAL, 0},
+        {AF_INET, 0},
+        {AF_INET6, 0},
+        {AF_NETLINK, 0},
+        {AF_CAN, HAKUREI_EXPORT_CAN},
+        {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
+    };
 
-  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
-  if (ctx == NULL) {
-    res = 1;
-    goto out;
-  } else
-    errno = 0;
-
-  /* We only really need to handle arches on multiarch systems.
-   * If only one arch is supported the default is fine */
-  if (arch != 0) {
-    /* This *adds* the target arch, instead of replacing the
-     * native one. This is not ideal, because we'd like to only
-     * allow the target arch, but we can't really disallow the
-     * native arch at this point, because then bubblewrap
-     * couldn't continue running. */
-    *ret_p = seccomp_arch_add(ctx, arch);
-    if (*ret_p < 0 && *ret_p != -EEXIST) {
-      res = 2;
-      goto out;
-    }
-
-    if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
-      *ret_p = seccomp_arch_add(ctx, multiarch);
-      if (*ret_p < 0 && *ret_p != -EEXIST) {
-        res = 3;
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (ctx == NULL) {
+        res = 1;
         goto out;
-      }
-    }
-  }
+    } else
+        errno = 0;
 
-  for (i = 0; i < rules_sz; i++) {
-    rule = &rules[i];
-    assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
+    /* We only really need to handle arches on multiarch systems.
+     * If only one arch is supported the default is fine */
+    if (arch != 0) {
+        /* This *adds* the target arch, instead of replacing the
+         * native one. This is not ideal, because we'd like to only
+         * allow the target arch, but we can't really disallow the
+         * native arch at this point, because then bubblewrap
+         * couldn't continue running. */
+        *ret_p = seccomp_arch_add(ctx, arch);
+        if (*ret_p < 0 && *ret_p != -EEXIST) {
+            res = 2;
+            goto out;
+        }
 
-    if (rule->arg)
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
-                                rule->syscall, 1, *rule->arg);
-    else
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
-                                rule->syscall, 0);
-
-    if (*ret_p == -EFAULT) {
-      res = 4;
-      goto out;
-    } else if (*ret_p < 0) {
-      res = 5;
-      goto out;
-    }
-  }
-
-  /* Socket filtering doesn't work on e.g. i386, so ignore failures here
-   * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
-   * something else: https://github.com/seccomp/libseccomp/issues/8 */
-  last_allowed_family = -1;
-  for (i = 0; i < LEN(socket_family_allowlist); i++) {
-    if (socket_family_allowlist[i].flags_mask != 0 &&
-        (socket_family_allowlist[i].flags_mask & flags) !=
-            socket_family_allowlist[i].flags_mask)
-      continue;
-
-    for (disallowed = last_allowed_family + 1;
-         disallowed < socket_family_allowlist[i].family; disallowed++) {
-      /* Blocklist the in-between valid families */
-      seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT),
-                             SCMP_SYS(socket), 1,
-                             SCMP_A0(SCMP_CMP_EQ, disallowed));
-    }
-    last_allowed_family = socket_family_allowlist[i].family;
-  }
-  /* Blocklist the rest */
-  seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-                         SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
-
-  if (allocate_p == 0) {
-    *ret_p = seccomp_load(ctx);
-    if (*ret_p != 0) {
-      res = 7;
-      goto out;
-    }
-  } else {
-    *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
-    if (*ret_p != 0) {
-      res = 6;
-      goto out;
+        if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
+            *ret_p = seccomp_arch_add(ctx, multiarch);
+            if (*ret_p < 0 && *ret_p != -EEXIST) {
+                res = 3;
+                goto out;
+            }
+        }
     }
 
-    buf = hakurei_scmp_allocate(allocate_p, len);
-    if (buf == NULL) {
-      res = 4;
-      goto out;
+    for (i = 0; i < rules_sz; i++) {
+        rule = &rules[i];
+        assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
+
+        if (rule->arg)
+            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 1, *rule->arg);
+        else
+            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 0);
+
+        if (*ret_p == -EFAULT) {
+            res = 4;
+            goto out;
+        } else if (*ret_p < 0) {
+            res = 5;
+            goto out;
+        }
     }
 
-    *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
-    if (*ret_p != 0) {
-      res = 6;
-      goto out;
+    /* Socket filtering doesn't work on e.g. i386, so ignore failures here
+     * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
+     * something else: https://github.com/seccomp/libseccomp/issues/8 */
+    last_allowed_family = -1;
+    for (i = 0; i < LEN(socket_family_allowlist); i++) {
+        if (socket_family_allowlist[i].flags_mask != 0 &&
+            (socket_family_allowlist[i].flags_mask & flags) != socket_family_allowlist[i].flags_mask)
+            continue;
+
+        for (disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) {
+            /* Blocklist the in-between valid families */
+            seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed));
+        }
+        last_allowed_family = socket_family_allowlist[i].family;
+    }
+    /* Blocklist the rest */
+    seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
+
+    if (allocate_p == 0) {
+        *ret_p = seccomp_load(ctx);
+        if (*ret_p != 0) {
+            res = 7;
+            goto out;
+        }
+    } else {
+        *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
+        if (*ret_p != 0) {
+            res = 6;
+            goto out;
+        }
+
+        buf = hakurei_scmp_allocate(allocate_p, len);
+        if (buf == NULL) {
+            res = 4;
+            goto out;
+        }
+
+        *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
+        if (*ret_p != 0) {
+            res = 6;
+            goto out;
+        }
     }
-  }
 
 out:
-  if (ctx)
-    seccomp_release(ctx);
+    if (ctx)
+        seccomp_release(ctx);
 
-  return res;
+    return res;
 }

container/seccomp/libseccomp-helper.h

@@ -1,25 +1,26 @@
 #include <seccomp.h>
 #include <stdint.h>
 
-#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) ||     \
+#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \
     (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1)
 #error This package requires libseccomp >= v2.5.1
 #endif
 
 typedef enum {
-  HAKUREI_EXPORT_MULTIARCH = 1 << 0,
-  HAKUREI_EXPORT_CAN = 1 << 1,
-  HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
+    HAKUREI_EXPORT_MULTIARCH = 1 << 0,
+    HAKUREI_EXPORT_CAN = 1 << 1,
+    HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
 } hakurei_export_flag;
 
 struct hakurei_syscall_rule {
-  int syscall;
-  int m_errno;
-  struct scmp_arg_cmp *arg;
+    int syscall;
+    int m_errno;
+    struct scmp_arg_cmp *arg;
 };
 
 extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
-                                 uint32_t arch, uint32_t multiarch,
-                                 struct hakurei_syscall_rule *rules,
-                                 size_t rules_sz, hakurei_export_flag flags);
+int32_t hakurei_scmp_make_filter(
+    int *ret_p, uintptr_t allocate_p,
+    uint32_t arch, uint32_t multiarch,
+    struct hakurei_syscall_rule *rules,
+    size_t rules_sz, hakurei_export_flag flags);

container/seccomp/presets_riscv64_test.go

@@ -0,0 +1,27 @@
+package seccomp_test
+
+import (
+	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
+)
+
+var bpfExpected = bpfLookup{
+	{AllowMultiarch | AllowCAN |
+		AllowBluetooth, PresetExt |
+		PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+		PresetLinux32}: toHash(
+		"a1c4ffa35f4bfbf38061184760b9a09edfcb4964c3b534395e47327b83f3fb61f2f9573ddfcc4772424cc2f5dd12fd32471e6531dbe10e85eda3797dd4fa179f"),
+
+	{0, 0}: toHash(
+		"f3910fd727d087def593e3876c2c6ab9ace71d82ec8cbc992a26223e7bba85e1d7a0b56c5fc6303703f24595825dad8561637edaedd5384b34a6cd080946633c"),
+	{0, PresetExt}: toHash(
+		"741438c5e3f11c36c92ae8c5934f13440675c6e719541c2dbffeda79a10081bcfd9ad8314a60c1d1f53db86c8080c13fffa3bbcf7fe753935679b4b902737286"),
+	{0, PresetStrict}: toHash(
+		"79e9e464d02405c6d74fd2c771bd72a1311e488221c73a9c32db9270219837c54fccec2f36fe2474895547e60c311514567e2e6cf4e7a7fcf909c1ecd1e254a7"),
+	{0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+		"3c443715a6c1e557a284862ea8efb70a5d4ecbe67d1226627323e861cd3646fb3e7768ec5b94b93760b7f652cf6916f66e317a4fbf8716d10c3673aa4fc3ae58"),
+	{0, PresetExt | PresetDenyDevel}: toHash(
+		"4448a74e8cc75a4ab63799c4f2cc2a5af63e5f4e8e9b8ac15a1873d647dfa67a4c67b39ed466d8dd32abc64136d401879fc6185c9ab00feeaf59ccf4305f8201"),
+	{0, PresetExt | PresetDenyNS | PresetDenyDevel}: toHash(
+		"c7c86e793cb7192f5f6c735f372cda27eb43ae1045e587f8eadb64c849520a3280b6570a3d7b601d32cddb38021585a2234db38e506cebfd10aa3d6c75440f17"),
+}

container/std/mksysnum_linux.pl

@@ -12,6 +12,7 @@ my %syscall_cutoff_arch = (
 	"x86" => 340,
 	"x86_64" => 302,
 	"aarch64" => 281,
+	"riscv64" => 281,
 );
 
 print <<EOF;

container/std/syscall_extra_linux_riscv64.go

@@ -0,0 +1,55 @@
+package std
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          ScmpSyscall = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_CHOWN           ScmpSyscall = __PNR_chown
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+)

container/std/syscall_linux_riscv64.go

@@ -0,0 +1,719 @@
+// mksysnum_linux.pl /usr/include/riscv64-linux-gnu/asm/unistd.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"getcwd":                  SNR_GETCWD,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"dup":                     SNR_DUP,
+	"dup3":                    SNR_DUP3,
+	"fcntl":                   SNR_FCNTL,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"ioctl":                   SNR_IOCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"flock":                   SNR_FLOCK,
+	"mknodat":                 SNR_MKNODAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"linkat":                  SNR_LINKAT,
+	"umount2":                 SNR_UMOUNT2,
+	"mount":                   SNR_MOUNT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"fallocate":               SNR_FALLOCATE,
+	"faccessat":               SNR_FACCESSAT,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"chroot":                  SNR_CHROOT,
+	"fchmod":                  SNR_FCHMOD,
+	"fchmodat":                SNR_FCHMODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"fchown":                  SNR_FCHOWN,
+	"openat":                  SNR_OPENAT,
+	"close":                   SNR_CLOSE,
+	"vhangup":                 SNR_VHANGUP,
+	"pipe2":                   SNR_PIPE2,
+	"quotactl":                SNR_QUOTACTL,
+	"getdents64":              SNR_GETDENTS64,
+	"lseek":                   SNR_LSEEK,
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"sendfile":                SNR_SENDFILE,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"signalfd4":               SNR_SIGNALFD4,
+	"vmsplice":                SNR_VMSPLICE,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"readlinkat":              SNR_READLINKAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"fstat":                   SNR_FSTAT,
+	"sync":                    SNR_SYNC,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"utimensat":               SNR_UTIMENSAT,
+	"acct":                    SNR_ACCT,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"personality":             SNR_PERSONALITY,
+	"exit":                    SNR_EXIT,
+	"exit_group":              SNR_EXIT_GROUP,
+	"waitid":                  SNR_WAITID,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"unshare":                 SNR_UNSHARE,
+	"futex":                   SNR_FUTEX,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"setitimer":               SNR_SETITIMER,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"syslog":                  SNR_SYSLOG,
+	"ptrace":                  SNR_PTRACE,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"kill":                    SNR_KILL,
+	"tkill":                   SNR_TKILL,
+	"tgkill":                  SNR_TGKILL,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"setpriority":             SNR_SETPRIORITY,
+	"getpriority":             SNR_GETPRIORITY,
+	"reboot":                  SNR_REBOOT,
+	"setregid":                SNR_SETREGID,
+	"setgid":                  SNR_SETGID,
+	"setreuid":                SNR_SETREUID,
+	"setuid":                  SNR_SETUID,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"times":                   SNR_TIMES,
+	"setpgid":                 SNR_SETPGID,
+	"getpgid":                 SNR_GETPGID,
+	"getsid":                  SNR_GETSID,
+	"setsid":                  SNR_SETSID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"uname":                   SNR_UNAME,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"getrlimit":               SNR_GETRLIMIT,
+	"setrlimit":               SNR_SETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"umask":                   SNR_UMASK,
+	"prctl":                   SNR_PRCTL,
+	"getcpu":                  SNR_GETCPU,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"adjtimex":                SNR_ADJTIMEX,
+	"getpid":                  SNR_GETPID,
+	"getppid":                 SNR_GETPPID,
+	"getuid":                  SNR_GETUID,
+	"geteuid":                 SNR_GETEUID,
+	"getgid":                  SNR_GETGID,
+	"getegid":                 SNR_GETEGID,
+	"gettid":                  SNR_GETTID,
+	"sysinfo":                 SNR_SYSINFO,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"msgget":                  SNR_MSGGET,
+	"msgctl":                  SNR_MSGCTL,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgsnd":                  SNR_MSGSND,
+	"semget":                  SNR_SEMGET,
+	"semctl":                  SNR_SEMCTL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"semop":                   SNR_SEMOP,
+	"shmget":                  SNR_SHMGET,
+	"shmctl":                  SNR_SHMCTL,
+	"shmat":                   SNR_SHMAT,
+	"shmdt":                   SNR_SHMDT,
+	"socket":                  SNR_SOCKET,
+	"socketpair":              SNR_SOCKETPAIR,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"accept":                  SNR_ACCEPT,
+	"connect":                 SNR_CONNECT,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"shutdown":                SNR_SHUTDOWN,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"readahead":               SNR_READAHEAD,
+	"brk":                     SNR_BRK,
+	"munmap":                  SNR_MUNMAP,
+	"mremap":                  SNR_MREMAP,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"clone":                   SNR_CLONE,
+	"execve":                  SNR_EXECVE,
+	"mmap":                    SNR_MMAP,
+	"fadvise64":               SNR_FADVISE64,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"mprotect":                SNR_MPROTECT,
+	"msync":                   SNR_MSYNC,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"mbind":                   SNR_MBIND,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"move_pages":              SNR_MOVE_PAGES,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"accept4":                 SNR_ACCEPT4,
+	"recvmmsg":                SNR_RECVMMSG,
+	"wait4":                   SNR_WAIT4,
+	"prlimit64":               SNR_PRLIMIT64,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"setns":                   SNR_SETNS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+	"setxattrat":              SNR_SETXATTRAT,
+	"getxattrat":              SNR_GETXATTRAT,
+	"listxattrat":             SNR_LISTXATTRAT,
+	"removexattrat":           SNR_REMOVEXATTRAT,
+}
+
+const (
+	SYS_USERFAULTFD             = 282
+	SYS_MEMBARRIER              = 283
+	SYS_MLOCK2                  = 284
+	SYS_COPY_FILE_RANGE         = 285
+	SYS_PREADV2                 = 286
+	SYS_PWRITEV2                = 287
+	SYS_PKEY_MPROTECT           = 288
+	SYS_PKEY_ALLOC              = 289
+	SYS_PKEY_FREE               = 290
+	SYS_STATX                   = 291
+	SYS_IO_PGETEVENTS           = 292
+	SYS_RSEQ                    = 293
+	SYS_KEXEC_FILE_LOAD         = 294
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+	SYS_SETXATTRAT              = 463
+	SYS_GETXATTRAT              = 464
+	SYS_LISTXATTRAT             = 465
+	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+)
+
+const (
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+	SNR_SETXATTRAT              ScmpSyscall = SYS_SETXATTRAT
+	SNR_GETXATTRAT              ScmpSyscall = SYS_GETXATTRAT
+	SNR_LISTXATTRAT             ScmpSyscall = SYS_LISTXATTRAT
+	SNR_REMOVEXATTRAT           ScmpSyscall = SYS_REMOVEXATTRAT
+	SNR_OPEN_TREE_ATTR          ScmpSyscall = SYS_OPEN_TREE_ATTR
+	SNR_FILE_GETATTR            ScmpSyscall = SYS_FILE_GETATTR
+	SNR_FILE_SETATTR            ScmpSyscall = SYS_FILE_SETATTR
+)

container/stub/exit_test.go

@@ -7,8 +7,10 @@ import (
 	"hakurei.app/container/stub"
 )
 
+// Made available here to check panic recovery behaviour.
+//
 //go:linkname handleExitNew hakurei.app/container/stub.handleExitNew
-func handleExitNew(_ testing.TB)
+func handleExitNew(t testing.TB)
 
 // overrideTFailNow overrides the Fail and FailNow method.
 type overrideTFailNow struct {

dist/comp/_hakurei

@@ -17,7 +17,8 @@ _hakurei_run() {
     '--wayland[Enable connection to Wayland via security-context-v1]' \
     '-X[Enable direct connection to X11]' \
     '--dbus[Enable proxied connection to D-Bus]' \
-    '--pulse[Enable direct connection to PulseAudio]' \
+    '--pipewire[Enable connection to PipeWire via SecurityContext]' \
+    '--pulse[Enable PulseAudio compatibility daemon]' \
     '--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
     '--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
     '--mpris[Allow owning MPRIS D-Bus path]' \

dist/install.sh

@@ -1,12 +1,12 @@
 #!/bin/sh
 cd "$(dirname -- "$0")" || exit 1
 
-install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
-install -vDm0755 "bin/hpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hpkg"
+install -vDm0755 "bin/hakurei" "${DESTDIR}/usr/bin/hakurei"
+install -vDm0755 "bin/sharefs" "${DESTDIR}/usr/bin/sharefs"
 
-install -vDm4511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
-if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
-    install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
+install -vDm4511 "bin/hsu" "${DESTDIR}/usr/bin/hsu"
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
 fi
 
-install -vDm0644 "comp/_hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/share/zsh/site-functions/_hakurei"
+install -vDm0644 "comp/_hakurei" "${DESTDIR}/usr/share/zsh/site-functions/_hakurei"

dist/release.sh

@@ -1,20 +1,31 @@
 #!/bin/sh -e
 cd "$(dirname -- "$0")/.."
 VERSION="${HAKUREI_VERSION:-untagged}"
-pname="hakurei-${VERSION}"
-out="dist/${pname}"
+pname="hakurei-${VERSION}-$(go env GOARCH)"
+out="${DESTDIR:-dist}/${pname}"
 
+echo '# Preparing distribution files.'
 mkdir -p "${out}"
 cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
 cp -rv "dist/comp" "${out}"
+echo
 
+echo '# Building hakurei.'
 go generate ./...
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-  -X hakurei.app/internal.buildVersion=${VERSION}
-  -X hakurei.app/internal.hakureiPath=/usr/bin/hakurei
-  -X hakurei.app/internal.hsuPath=/usr/bin/hsu
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
+  -buildid= -extldflags '-static'
+  -X hakurei.app/internal/info.buildVersion=${VERSION}
+  -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
+  -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
   -X main.hakureiPath=/usr/bin/hakurei" ./...
+echo
 
-rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
-rm -rf "./${out}"
-(cd dist && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
+echo '# Testing hakurei.'
+go test -ldflags='-buildid= -extldflags=-static' ./...
+echo
+
+echo '# Creating distribution.'
+rm -f "${out}.tar.gz" && tar -C "${out}/.." -vczf "${out}.tar.gz" "${pname}"
+rm -rf "${out}"
+(cd "${out}/.." && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
+echo

flake.lock

@@ -7,32 +7,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1756679287,
-        "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
+        "lastModified": 1765384171,
+        "narHash": "sha256-FuFtkJrW1Z7u+3lhzPRau69E0CNjADku1mLQQflUORo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
+        "rev": "44777152652bc9eacf8876976fa72cc77ca8b9d8",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1757020766,
-        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
+        "lastModified": 1765311797,
+        "narHash": "sha256-mSD5Ob7a+T2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
+        "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,10 +2,10 @@
   description = "hakurei container tool and nixos module";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -69,6 +69,8 @@
             withRace = true;
           };
 
+          sharefs = callPackage ./cmd/sharefs/test { inherit system self; };
+
           hpkg = callPackage ./cmd/hpkg/test { inherit system self; };
 
           formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
@@ -114,7 +116,7 @@
             inherit (pkgs)
               # passthru.buildInputs
               go
-              gcc
+              clang
 
               # nativeBuildInputs
               pkg-config
@@ -129,23 +131,39 @@
               zstd
               gnutar
               coreutils
+
+              # for check
+              util-linux
+              nettools
               ;
           };
           hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };
+          sharefs = pkgs.linkFarm "sharefs" {
+            "bin/sharefs" = "${hakurei}/libexec/sharefs";
+            "bin/mount.fuse.sharefs" = "${hakurei}/libexec/sharefs";
+          };
 
-          dist = pkgs.runCommand "${hakurei.name}-dist" { buildInputs = hakurei.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
-            # go requires XDG_CACHE_HOME for the build cache
-            export XDG_CACHE_HOME="$(mktemp -d)"
+          dist =
+            pkgs.runCommand "${hakurei.name}-dist"
+              {
+                buildInputs = hakurei.targetPkgs ++ [
+                  pkgs.pkgsStatic.musl
+                ];
+              }
+              ''
+                cd $(mktemp -d) \
+                    && cp -r ${hakurei.src}/. . \
+                    && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
+                    && chmod -R +w .
 
-            # get a different workdir as go does not like /build
-            cd $(mktemp -d) \
-                && cp -r ${hakurei.src}/. . \
-                && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
-                && chmod -R +w .
-
-            export HAKUREI_VERSION="v${hakurei.version}"
-            ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
-          '';
+                CC="musl-clang -O3 -Werror -Qunused-arguments" \
+                GOCACHE="$(mktemp -d)" \
+                HAKUREI_TEST_SKIP_ACL=1 \
+                PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
+                DESTDIR="$out" \
+                HAKUREI_VERSION="v${hakurei.version}" \
+                  ./dist/release.sh
+              '';
         }
       );
 
@@ -156,7 +174,10 @@
           pkgs = nixpkgsFor.${system};
         in
         {
-          default = pkgs.mkShell { buildInputs = hakurei.targetPkgs; };
+          default = pkgs.mkShell {
+            buildInputs = hakurei.targetPkgs;
+            hardeningDisable = [ "fortify" ];
+          };
           withPackage = pkgs.mkShell { buildInputs = [ hakurei ] ++ hakurei.targetPkgs; };
 
           vm =
@@ -181,13 +202,13 @@
                       hakurei =
                         let
                           # this is used for interactive vm testing during development, where tests might be broken
-                          package = self.packages.${pkgs.system}.hakurei.override {
+                          package = self.packages.${pkgs.stdenv.hostPlatform.system}.hakurei.override {
                             buildGoModule = previousArgs: pkgs.pkgsStatic.buildGoModule (previousArgs // { doCheck = false; });
                           };
                         in
                         {
                           inherit package;
-                          hsuPackage = self.packages.${pkgs.system}.hsu.override { hakurei = package; };
+                          hsuPackage = self.packages.${pkgs.stdenv.hostPlatform.system}.hsu.override { hakurei = package; };
                         };
                     };
                   }

go.mod

@@ -1,3 +1,3 @@
 module hakurei.app
 
-go 1.24
+go 1.25

helper/deprecated.go

@@ -0,0 +1,73 @@
+// Package helper exposes the internal/helper package.
+//
+// Deprecated: This package will be removed in 0.4.
+package helper
+
+import (
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"time"
+	_ "unsafe" // for go:linkname
+
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/helper"
+	"hakurei.app/message"
+)
+
+//go:linkname WaitDelay hakurei.app/internal/helper.WaitDelay
+var WaitDelay time.Duration
+
+const (
+	// HakureiHelper is set to 1 when args fd is enabled and 0 otherwise.
+	HakureiHelper = helper.HakureiHelper
+	// HakureiStatus is set to 1 when stat fd is enabled and 0 otherwise.
+	HakureiStatus = helper.HakureiStatus
+)
+
+type Helper = helper.Helper
+
+// NewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+//
+//go:linkname NewCheckedArgs hakurei.app/internal/helper.NewCheckedArgs
+func NewCheckedArgs(args ...string) (wt io.WriterTo, err error)
+
+// MustNewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+// If s contains a NUL byte this function panics instead of returning an error.
+//
+//go:linkname MustNewCheckedArgs hakurei.app/internal/helper.MustNewCheckedArgs
+func MustNewCheckedArgs(args ...string) io.WriterTo
+
+// NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
+// Function argF returns an array of arguments passed directly to the child process.
+//
+//go:linkname NewDirect hakurei.app/internal/helper.NewDirect
+func NewDirect(
+	ctx context.Context,
+	name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	cmdF func(cmd *exec.Cmd),
+	extraFiles []*os.File,
+) Helper
+
+// New initialises a Helper instance with wt as the null-terminated argument writer.
+//
+//go:linkname New hakurei.app/internal/helper.New
+func New(
+	ctx context.Context,
+	msg message.Msg,
+	pathname *check.Absolute, name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	cmdF func(z *container.Container),
+	extraFiles []*os.File,
+) Helper
+
+// InternalHelperStub is an internal function but exported because it is cross-package;
+// it is part of the implementation of the helper stub.
+func InternalHelperStub() { helper.InternalHelperStub() }

helper/proc/deprecated.go

@@ -0,0 +1,63 @@
+// Deprecated: This package will be removed in 0.4.
+package proc
+
+import (
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"time"
+	_ "unsafe" // for go:linkname
+
+	"hakurei.app/internal/helper/proc"
+)
+
+//go:linkname FulfillmentTimeout hakurei.app/internal/helper/proc.FulfillmentTimeout
+var FulfillmentTimeout time.Duration
+
+// A File is an extra file with deferred initialisation.
+type File = proc.File
+
+// ExtraFilesPre is a linked list storing addresses of [os.File].
+type ExtraFilesPre = proc.ExtraFilesPre
+
+// Fulfill calls the [File.Fulfill] method on all files, starts cmd and blocks until all fulfillment completes.
+//
+//go:linkname Fulfill hakurei.app/internal/helper/proc.Fulfill
+func Fulfill(ctx context.Context,
+	v *[]*os.File, start func() error,
+	files []File, extraFiles *ExtraFilesPre,
+) (err error)
+
+// InitFile initialises f as part of the slice extraFiles points to,
+// and returns its final fd value.
+//
+//go:linkname InitFile hakurei.app/internal/helper/proc.InitFile
+func InitFile(f File, extraFiles *ExtraFilesPre) (fd uintptr)
+
+// BaseFile implements the Init method of the File interface and provides indirect access to extra file state.
+type BaseFile = proc.BaseFile
+
+//go:linkname ExtraFile hakurei.app/internal/helper/proc.ExtraFile
+func ExtraFile(cmd *exec.Cmd, f *os.File) (fd uintptr)
+
+//go:linkname ExtraFileSlice hakurei.app/internal/helper/proc.ExtraFileSlice
+func ExtraFileSlice(extraFiles *[]*os.File, f *os.File) (fd uintptr)
+
+// NewWriterTo returns a [File] that receives content from wt on fulfillment.
+//
+//go:linkname NewWriterTo hakurei.app/internal/helper/proc.NewWriterTo
+func NewWriterTo(wt io.WriterTo) File
+
+// NewStat returns a [File] implementing the behaviour
+// of the receiving end of xdg-dbus-proxy stat fd.
+//
+//go:linkname NewStat hakurei.app/internal/helper/proc.NewStat
+func NewStat(s *io.Closer) File
+
+var (
+	//go:linkname ErrStatFault hakurei.app/internal/helper/proc.ErrStatFault
+	ErrStatFault error
+	//go:linkname ErrStatRead hakurei.app/internal/helper/proc.ErrStatRead
+	ErrStatRead error
+)

hst/config.go

@@ -23,9 +23,54 @@ type Config struct {
 	// System D-Bus proxy configuration.
 	// If set to nil, system bus proxy is disabled.
 	SystemBus *BusConfig `json:"system_bus,omitempty"`
+
 	// Direct access to wayland socket, no attempt is made to attach security-context-v1
 	// and the bare socket is made available to the container.
+	//
+	// This option is unsupported and most likely enables full control over the Wayland
+	// session. Do not set this to true unless you are sure you know what you are doing.
 	DirectWayland bool `json:"direct_wayland,omitempty"`
+	// Direct access to the PipeWire socket established via SecurityContext::Create, no
+	// attempt is made to start the pipewire-pulse server.
+	//
+	// The SecurityContext machinery is fatally flawed, it blindly sets read and execute
+	// bits on all objects for clients with the lowest achievable privilege level (by
+	// setting PW_KEY_ACCESS to "restricted"). This enables them to call any method
+	// targeting any object, and since Registry::Destroy checks for the read and execute bit,
+	// allows the destruction of any object other than PW_ID_CORE as well. This behaviour
+	// is implemented separately in media-session and wireplumber, with the wireplumber
+	// implementation in Lua via an embedded Lua vm. In all known setups, wireplumber is
+	// in use, and there is no known way to change its behaviour and set permissions
+	// differently without replacing the Lua script. Also, since PipeWire relies on these
+	// permissions to work, reducing them is not possible.
+	//
+	// Currently, the only other sandboxed use case is flatpak, which is not aware of
+	// PipeWire and blindly exposes the bare PulseAudio socket to the container (behaves
+	// like DirectPulse). This socket is backed by the pipewire-pulse compatibility daemon,
+	// which obtains client pid via the SO_PEERCRED option. The PipeWire daemon, pipewire-pulse
+	// daemon and the session manager daemon then separately performs the /.flatpak-info hack
+	// described in https://git.gensokyo.uk/security/hakurei/issues/21. Under such use case,
+	// since the client has no direct access to PipeWire, insecure parts of the protocol are
+	// obscured by pipewire-pulse simply not implementing them, and thus hiding the flaws
+	// described above.
+	//
+	// Hakurei does not rely on the /.flatpak-info hack. Instead, a socket is sets up via
+	// SecurityContext. A pipewire-pulse server connected through it achieves the same
+	// permissions as flatpak does via the /.flatpak-info hack and is maintained for the
+	// life of the container.
+	//
+	// This option is unsupported and enables a denial-of-service attack as the sandboxed
+	// client is able to destroy any client object and thus disconnecting them from PipeWire,
+	// or destroy the SecurityContext object preventing any further container creation.
+	// Do not set this to true, it is insecure under any configuration.
+	DirectPipeWire bool `json:"direct_pipewire,omitempty"`
+	// Direct access to PulseAudio socket, no attempt is made to establish pipewire-pulse
+	// server via a PipeWire socket with a SecurityContext attached and the bare socket
+	// is made available to the container.
+	//
+	// This option is unsupported and enables arbitrary code execution as the PulseAudio
+	// server. Do not set this to true, it is insecure under any configuration.
+	DirectPulse bool `json:"direct_pulse,omitempty"`
 
 	// Extra acl updates to perform before setuid.
 	ExtraPerms []ExtraPermConfig `json:"extra_perms,omitempty"`
@@ -49,6 +94,9 @@ var (
 
 	// ErrEnviron is returned by [Config.Validate] if an environment variable name contains '=' or NUL.
 	ErrEnviron = errors.New("invalid environment variable name")
+
+	// ErrInsecure is returned by [Config.Validate] if the configuration is considered insecure.
+	ErrInsecure = errors.New("configuration is insecure")
 )
 
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
@@ -95,6 +143,11 @@ func (config *Config) Validate() error {
 		}
 	}
 
+	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: "validate configuration", Err: ErrInsecure,
+			Msg: "enablement PulseAudio is insecure and no longer supported"}
+	}
+
 	return nil
 }
 

hst/config_test.go

@@ -53,6 +53,12 @@ func TestConfigValidate(t *testing.T) {
 			Env:   map[string]string{"TERM\x00": ""},
 		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
+		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "enablement PulseAudio is insecure and no longer supported"}},
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,

hst/enablement.go

@@ -17,6 +17,8 @@ const (
 	EX11
 	// EDBus enables the per-container xdg-dbus-proxy daemon.
 	EDBus
+	// EPipeWire exposes a pipewire pathname socket via SecurityContext.
+	EPipeWire
 	// EPulse copies the PulseAudio cookie to [hst.PrivateTmp] and exposes the PulseAudio socket.
 	EPulse
 
@@ -35,6 +37,8 @@ func (e Enablement) String() string {
 		return "x11"
 	case EDBus:
 		return "dbus"
+	case EPipeWire:
+		return "pipewire"
 	case EPulse:
 		return "pulseaudio"
 	default:
@@ -62,10 +66,11 @@ type Enablements Enablement
 
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
-	Wayland bool `json:"wayland,omitempty"`
-	X11     bool `json:"x11,omitempty"`
-	DBus    bool `json:"dbus,omitempty"`
-	Pulse   bool `json:"pulse,omitempty"`
+	Wayland  bool `json:"wayland,omitempty"`
+	X11      bool `json:"x11,omitempty"`
+	DBus     bool `json:"dbus,omitempty"`
+	PipeWire bool `json:"pipewire,omitempty"`
+	Pulse    bool `json:"pulse,omitempty"`
 }
 
 // Unwrap returns the underlying [Enablement].
@@ -81,10 +86,11 @@ func (e *Enablements) MarshalJSON() ([]byte, error) {
 		return nil, syscall.EINVAL
 	}
 	return json.Marshal(&enablementsJSON{
-		Wayland: Enablement(*e)&EWayland != 0,
-		X11:     Enablement(*e)&EX11 != 0,
-		DBus:    Enablement(*e)&EDBus != 0,
-		Pulse:   Enablement(*e)&EPulse != 0,
+		Wayland:  Enablement(*e)&EWayland != 0,
+		X11:      Enablement(*e)&EX11 != 0,
+		DBus:     Enablement(*e)&EDBus != 0,
+		PipeWire: Enablement(*e)&EPipeWire != 0,
+		Pulse:    Enablement(*e)&EPulse != 0,
 	})
 }
 
@@ -108,6 +114,9 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 	if v.DBus {
 		ve |= EDBus
 	}
+	if v.PipeWire {
+		ve |= EPipeWire
+	}
 	if v.Pulse {
 		ve |= EPulse
 	}

hst/enablement_test.go

@@ -32,6 +32,7 @@ func TestEnablementString(t *testing.T) {
 		{hst.EWayland | hst.EDBus | hst.EPulse, "wayland, dbus, pulseaudio"},
 		{hst.EX11 | hst.EDBus | hst.EPulse, "x11, dbus, pulseaudio"},
 		{hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse, "wayland, x11, dbus, pulseaudio"},
+		{hst.EM - 1, "wayland, x11, dbus, pipewire, pulseaudio"},
 
 		{1 << 5, "e20"},
 		{1 << 6, "e40"},
@@ -62,8 +63,9 @@ func TestEnablements(t *testing.T) {
 		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
 		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
 		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
 		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse), `{"wayland":true,"x11":true,"dbus":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pulse":true},"magic":3236757504}`},
+		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {

hst/fs.go

@@ -45,6 +45,9 @@ type Ops interface {
 	Root(host *check.Absolute, flags int) Ops
 	// Etc appends an op that expands host /etc into a toplevel symlink mirror with /etc semantics.
 	Etc(host *check.Absolute, prefix string) Ops
+
+	// Daemon appends an op that starts a daemon in the container and blocks until target appears.
+	Daemon(target, path *check.Absolute, args ...string) Ops
 }
 
 // ApplyState holds the address of [Ops] and any relevant application state.
@@ -124,6 +127,12 @@ func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
 			*FSLink
 		}{fsType{FilesystemLink}, cv}
 
+	case *FSDaemon:
+		v = &struct {
+			fsType
+			*FSDaemon
+		}{fsType{FilesystemDaemon}, cv}
+
 	default:
 		return nil, FSImplError{f.FilesystemConfig}
 	}
@@ -152,6 +161,9 @@ func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
 	case FilesystemLink:
 		*f = FilesystemConfigJSON{new(FSLink)}
 
+	case FilesystemDaemon:
+		*f = FilesystemConfigJSON{new(FSDaemon)}
+
 	default:
 		return FSTypeError(t.Type)
 	}

hst/fs_test.go

@@ -84,6 +84,16 @@ func TestFilesystemConfigJSON(t *testing.T) {
 		}, nil,
 			`{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true}`,
 			`{"fs":{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true},"magic":3236757504}`},
+
+		{"daemon", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSDaemon{
+				Target: m("/run/user/1971/pulse/native"),
+				Exec:   m("/run/current-system/sw/bin/pipewire-pulse"),
+				Args:   []string{"-v"},
+			},
+		}, nil,
+			`{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]}`,
+			`{"fs":{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
@@ -345,6 +355,10 @@ func (p opsAdapter) Etc(host *check.Absolute, prefix string) hst.Ops {
 	return opsAdapter{p.Ops.Etc(host, prefix)}
 }
 
+func (p opsAdapter) Daemon(target, path *check.Absolute, args ...string) hst.Ops {
+	return opsAdapter{p.Ops.Daemon(target, path, args...)}
+}
+
 func m(pathname string) *check.Absolute { return check.MustAbs(pathname) }
 func ms(pathnames ...string) []*check.Absolute {
 	as := make([]*check.Absolute, len(pathnames))

hst/fsdaemon.go

@@ -0,0 +1,48 @@
+package hst
+
+import (
+	"encoding/gob"
+
+	"hakurei.app/container/check"
+)
+
+func init() { gob.Register(new(FSDaemon)) }
+
+// FilesystemDaemon is the type string of a daemon.
+const FilesystemDaemon = "daemon"
+
+// FSDaemon represents a daemon to be started in the container.
+type FSDaemon struct {
+	// Pathname indicating readiness of daemon.
+	Target *check.Absolute `json:"dst"`
+	// Absolute pathname to daemon executable file.
+	Exec *check.Absolute `json:"path"`
+	// Arguments (excl. first) passed to daemon.
+	Args []string `json:"args"`
+}
+
+func (d *FSDaemon) Valid() bool { return d != nil && d.Target != nil && d.Exec != nil }
+
+func (d *FSDaemon) Path() *check.Absolute {
+	if !d.Valid() {
+		return nil
+	}
+	return d.Target
+}
+
+func (d *FSDaemon) Host() []*check.Absolute { return nil }
+
+func (d *FSDaemon) Apply(z *ApplyState) {
+	if !d.Valid() {
+		return
+	}
+	z.Daemon(d.Target, d.Exec, d.Args...)
+}
+
+func (d *FSDaemon) String() string {
+	if !d.Valid() {
+		return "<invalid>"
+	}
+
+	return "daemon:" + d.Target.String()
+}

hst/fsdaemon_test.go

@@ -0,0 +1,29 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSDaemon(t *testing.T) {
+	t.Parallel()
+
+	checkFs(t, []fsTestCase{
+		{"nil", (*hst.FSDaemon)(nil), false, nil, nil, nil, "<invalid>"},
+		{"zero", new(hst.FSDaemon), false, nil, nil, nil, "<invalid>"},
+
+		{"pipewire-pulse", &hst.FSDaemon{
+			Target: m("/run/user/1971/pulse/native"),
+			Exec:   m("/run/current-system/sw/bin/pipewire-pulse"),
+			Args:   []string{"-v"},
+		}, true, container.Ops{
+			&container.DaemonOp{
+				Target: m("/run/user/1971/pulse/native"),
+				Path:   m("/run/current-system/sw/bin/pipewire-pulse"),
+				Args:   []string{"-v"},
+			},
+		}, m("/run/user/1971/pulse/native"), nil, `daemon:/run/user/1971/pulse/native`},
+	})
+}

hst/hst.go

@@ -54,6 +54,9 @@ type Paths struct {
 
 // Info holds basic system information collected from the implementation.
 type Info struct {
+	// WaylandVersion is the libwayland value of WAYLAND_VERSION.
+	WaylandVersion string `json:"WAYLAND_VERSION"`
+
 	// Version is a hardcoded version string.
 	Version string `json:"version"`
 	// User is the userid according to hsu.
@@ -67,7 +70,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: NewEnablements(EWayland | EDBus | EPulse),
+		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,
@@ -89,7 +92,6 @@ func Template() *Config {
 			Log:       false,
 			Filter:    true,
 		},
-		DirectWayland: false,
 
 		ExtraPerms: []ExtraPermConfig{
 			{Path: fhs.AbsVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},

hst/hst_test.go

@@ -105,7 +105,7 @@ func TestTemplate(t *testing.T) {
 	"enablements": {
 		"wayland": true,
 		"dbus": true,
-		"pulse": true
+		"pipewire": true
 	},
 	"session_bus": {
 		"see": null,

hst/instance_test.go

@@ -6,11 +6,13 @@ import (
 	"reflect"
 	"testing"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/hst"
 )
 
+// Made available here to check time encoding behaviour of [hst.ID].
+//
 //go:linkname newInstanceID hakurei.app/hst.newInstanceID
 func newInstanceID(id *hst.ID, p uint64) error
 

internal/acl/acl_test.go

@@ -13,7 +13,7 @@ import (
 	"strconv"
 	"testing"
 
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 const testFileName = "acl.test"
@@ -24,9 +24,8 @@ var (
 )
 
 func TestUpdate(t *testing.T) {
-	if os.Getenv("GO_TEST_SKIP_ACL") == "1" {
-		t.Log("acl test skipped")
-		t.SkipNow()
+	if os.Getenv("HAKUREI_TEST_SKIP_ACL") == "1" {
+		t.Skip("acl test skipped")
 	}
 
 	testFilePath := path.Join(t.TempDir(), testFileName)
@@ -143,6 +142,7 @@ func (c *getFAclInvocation) run(name string) error {
 	}
 
 	c.cmd = exec.Command("getfacl", "--omit-header", "--absolute-names", "--numeric", name)
+	c.cmd.Stderr = os.Stderr
 
 	scanErr := make(chan error, 1)
 	if p, err := c.cmd.StdoutPipe(); err != nil {
@@ -254,7 +254,7 @@ func getfacl(t *testing.T, name string) []*getFAclResp {
 		t.Fatalf("getfacl: error = %v", err)
 	}
 	if len(c.pe) != 0 {
-		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...).Error())
+		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...))
 	}
 	return c.val
 }

internal/acl/libacl-helper.c

@@ -0,0 +1,90 @@
+#include "libacl-helper.h"
+#include <acl/libacl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/acl.h>
+
+int hakurei_acl_update_file_by_uid(const char *path_p, uid_t uid,
+                                   acl_perm_t *perms, size_t plen) {
+    int ret;
+    bool v;
+    int i;
+    acl_t acl;
+    acl_entry_t entry;
+    acl_tag_t tag_type;
+    void *qualifier_p;
+    acl_permset_t permset;
+
+    ret = -1; /* acl_get_file */
+    acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
+    if (acl == NULL)
+        goto out;
+
+    /* prune entries by uid */
+    for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1;
+         i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
+        ret = -2; /* acl_get_tag_type */
+        if (acl_get_tag_type(entry, &tag_type) != 0)
+            goto out;
+        if (tag_type != ACL_USER)
+            continue;
+
+        ret = -3; /* acl_get_qualifier */
+        qualifier_p = acl_get_qualifier(entry);
+        if (qualifier_p == NULL)
+            goto out;
+        v = *(uid_t *)qualifier_p == uid;
+        acl_free(qualifier_p);
+
+        if (!v)
+            continue;
+
+        ret = -4; /* acl_delete_entry */
+        if (acl_delete_entry(acl, entry) != 0)
+            goto out;
+    }
+
+    if (plen == 0)
+        goto set;
+
+    ret = -5; /* acl_create_entry */
+    if (acl_create_entry(&acl, &entry) != 0)
+        goto out;
+
+    ret = -6; /* acl_get_permset */
+    if (acl_get_permset(entry, &permset) != 0)
+        goto out;
+
+    ret = -7; /* acl_add_perm */
+    for (i = 0; i < plen; i++) {
+        if (acl_add_perm(permset, perms[i]) != 0)
+            goto out;
+    }
+
+    ret = -8; /* acl_set_tag_type */
+    if (acl_set_tag_type(entry, ACL_USER) != 0)
+        goto out;
+
+    ret = -9; /* acl_set_qualifier */
+    if (acl_set_qualifier(entry, (void *)&uid) != 0)
+        goto out;
+
+set:
+    ret = -10; /* acl_calc_mask */
+    if (acl_calc_mask(&acl) != 0)
+        goto out;
+
+    ret = -11; /* acl_valid */
+    if (acl_valid(acl) != 0)
+        goto out;
+
+    ret = -12; /* acl_set_file */
+    if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
+        ret = 0;
+
+out:
+    free((void *)path_p);
+    if (acl != NULL)
+        acl_free((void *)acl);
+    return ret;
+}

internal/acl/perms_test.go

@@ -3,7 +3,7 @@ package acl_test
 import (
 	"testing"
 
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestPerms(t *testing.T) {

internal/dbus/address_test.go

@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"
 
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func TestParse(t *testing.T) {

internal/dbus/config_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 
 	"hakurei.app/hst"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func TestConfigArgs(t *testing.T) {

internal/dbus/dbus_test.go

@@ -11,9 +11,9 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/helper"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/helper"
 	"hakurei.app/message"
-	"hakurei.app/system/dbus"
 )
 
 func TestFinalise(t *testing.T) {

internal/dbus/proc.go

@@ -12,7 +12,7 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 	"hakurei.app/ldd"
 )
 
@@ -54,7 +54,7 @@ func (p *Proxy) Start() error {
 		}
 
 		var libPaths []*check.Absolute
-		if entries, err := ldd.Exec(ctx, p.msg, toolPath.String()); err != nil {
+		if entries, err := ldd.Resolve(ctx, p.msg, toolPath); err != nil {
 			return err
 		} else {
 			libPaths = ldd.Path(entries)

internal/dbus/proc_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 func TestMain(m *testing.M) { container.TryArgv0(nil); helper.InternalHelperStub(); os.Exit(m.Run()) }

internal/dbus/proxy.go

@@ -6,8 +6,8 @@ import (
 	"sync"
 	"syscall"
 
-	"hakurei.app/helper"
 	"hakurei.app/hst"
+	"hakurei.app/internal/helper"
 	"hakurei.app/message"
 )