Merge remote-tracking branch 'origin/pkgserver' into pkgserver

This exposes the new OpenStatus cache method.

Signed-off-by: Ophestra <cat@gensokyo.uk>

.gitea/workflows/test.yml

@@ -72,20 +72,20 @@ jobs:
           path: result/*
           retention-days: 1
 
-  hpkg:
+  sharefs:
-    name: Hpkg
+    name: ShareFS
     runs-on: nix
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hpkg
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sharefs
 
       - name: Upload test output
         uses: actions/upload-artifact@v3
         with:
-          name: "hpkg-vm-output"
+          name: "sharefs-vm-output"
           path: result/*
           retention-days: 1
 
@@ -96,7 +96,7 @@ jobs:
       - race
       - sandbox
       - sandbox-race
-      - hpkg
+      - sharefs
     runs-on: nix
     steps:
       - name: Checkout

.github/workflows/README

@@ -1,5 +0,0 @@
-DO NOT ADD NEW ACTIONS HERE
-
-This port is solely for releasing to the github mirror and serves no purpose during development.
-All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
-request for an account on git.gensokyo.uk.

.github/workflows/release.yml

@@ -1,46 +0,0 @@
-name: Release
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  release:
-    name: Create release
-    runs-on: ubuntu-latest
-
-    permissions:
-      packages: write
-      contents: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v32
-        with:
-          nix_conf: |
-            keep-env-derivations = true
-            keep-outputs = true
-
-      - name: Restore and cache Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: build-${{ runner.os }}-
-          gc-max-store-size-linux: 1G
-          purge: true
-          purge-prefixes: build-${{ runner.os }}-
-          purge-created: 60
-          purge-primary-key: never
-
-      - name: Build for release
-        run: nix build --print-out-paths --print-build-logs .#dist
-
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |-
-            result/hakurei-**

.github/workflows/test.yml

@@ -1,48 +0,0 @@
-name: Test
-
-on:
-  - push
-
-jobs:
-  dist:
-    name: Create distribution
-    runs-on: ubuntu-latest
-    permissions:
-      actions: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v32
-        with:
-          nix_conf: |
-            keep-env-derivations = true
-            keep-outputs = true
-
-      - name: Restore and cache Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: build-${{ runner.os }}-
-          gc-max-store-size-linux: 1G
-          purge: true
-          purge-prefixes: build-${{ runner.os }}-
-          purge-created: 60
-          purge-primary-key: never
-
-      - name: Build for test
-        id: build-test
-        run: >-
-          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
-          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
-          nix build --print-out-paths --print-build-logs .#dist &&
-          mv package.nix.old package.nix &&
-          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
-
-      - name: Upload test build
-        uses: actions/upload-artifact@v4
-        with:
-          name: "hakurei-${{ steps.build-test.outputs.rev }}"
-          path: result/*
-          retention-days: 1

.gitignore

@@ -27,6 +27,8 @@ go.work.sum
 
 # go generate
 /cmd/hakurei/LICENSE
+/internal/pkg/testdata/testtool
+/internal/rosa/hakurei_current.tar.gz
 
 # release
 /dist/hakurei-*

README.md

@@ -15,164 +15,51 @@
   <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
 
-Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
+Hakurei is a tool for running sandboxed desktop applications as dedicated
-It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
+subordinate users on the Linux kernel. It implements the application container
-a self-contained Android-like package manager with modern security features.
+of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
+self-contained Android-like package manager with modern security features.
 
-## NixOS Module usage
+Interaction with hakurei happens entirely through structures described by
+package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
+due to internal details of uid isolation.
 
-The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
+## Notable Packages
 
-To use the module, import it into your configuration with
+Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
+container tooling. It is used by the hakurei shim process running as the target
+subordinate user to set up the application container. It has a single dependency,
+[libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
+for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).
 
-```nix
+Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
-{
+infrastructure for hermetic builds. This replaces the legacy nix-based testing
-  inputs = {
+framework and serves as the build system of Rosa OS, currently developed under
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).
 
-    hakurei = {
+## Dependencies
-      url = "git+https://git.gensokyo.uk/security/hakurei";
 
-      # Optional but recommended to limit the size of your system closure.
+`container` depends on:
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-  };
 
-  outputs = { self, nixpkgs, hakurei, ... }:
+- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.
-  {
-    nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        hakurei.nixosModules.hakurei
-      ];
-    };
-  };
-}
-```
 
-This adds the `environment.hakurei` option:
+`cmd/hakurei` depends on:
 
-```nix
+- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
-{ pkgs, ... }:
+  subordinate users.
+- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
+  [security-context-v1](https://wayland.app/protocols/security-context-v1).
+- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
+  access to the X server.
 
-{
+`cmd/sharefs` depends on:
-  environment.hakurei = {
-    enable = true;
-    stateDir = "/var/lib/hakurei";
-    users = {
-      alice = 0;
-      nixos = 10;
-    };
 
-    commonPaths = [
+- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.
-      {
-        src = "/sdcard";
-        write = true;
-      }
-    ];
 
-    extraHomeConfig = {
+New dependencies will generally not be added. Patches adding new dependencies
-      home.stateVersion = "23.05";
+are very likely to be rejected.
-    };
 
-    apps = {
+## NixOS Module (deprecated)
-      "org.chromium.Chromium" = {
-        name = "chromium";
-        identity = 1;
-        packages = [ pkgs.chromium ];
-        userns = true;
-        mapRealUid = true;
-        dbus = {
-          system = {
-            filter = true;
-            talk = [
-              "org.bluez"
-              "org.freedesktop.Avahi"
-              "org.freedesktop.UPower"
-            ];
-          };
-          session =
-            f:
-            f {
-              talk = [
-                "org.freedesktop.FileManager1"
-                "org.freedesktop.Notifications"
-                "org.freedesktop.ScreenSaver"
-                "org.freedesktop.secrets"
-                "org.kde.kwalletd5"
-                "org.kde.kwalletd6"
-              ];
-              own = [
-                "org.chromium.Chromium.*"
-                "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
-                "org.mpris.MediaPlayer2.chromium.*"
-              ];
-              call = { };
-              broadcast = { };
-            };
-        };
-      };
 
-      "org.claws_mail.Claws-Mail" = {
+The NixOS module is in maintenance mode and will be removed once planterette is
-        name = "claws-mail";
+feature-complete. Full module documentation can be found [here](options.md).
-        identity = 2;
-        packages = [ pkgs.claws-mail ];
-        gpu = false;
-        capability.pulse = false;
-      };
-
-      "org.weechat" = {
-        name = "weechat";
-        identity = 3;
-        shareUid = true;
-        packages = [ pkgs.weechat ];
-        capability = {
-          wayland = false;
-          x11 = false;
-          dbus = true;
-          pulse = false;
-        };
-      };
-
-      "dev.vencord.Vesktop" = {
-        name = "discord";
-        identity = 3;
-        shareUid = true;
-        packages = [ pkgs.vesktop ];
-        share = pkgs.vesktop;
-        command = "vesktop --ozone-platform-hint=wayland";
-        userns = true;
-        mapRealUid = true;
-        capability.x11 = true;
-        dbus = {
-          session =
-            f:
-            f {
-              talk = [ "org.kde.StatusNotifierWatcher" ];
-              own = [ ];
-              call = { };
-              broadcast = { };
-            };
-          system.filter = true;
-        };
-      };
-
-      "io.looking-glass" = {
-        name = "looking-glass-client";
-        identity = 4;
-        useCommonPaths = false;
-        groups = [ "plugdev" ];
-        extraPaths = [
-          {
-            src = "/dev/shm/looking-glass";
-            write = true;
-          }
-        ];
-        extraConfig = {
-          programs.looking-glass-client.enable = true;
-        };
-      };
-    };
-  };
-}
-```

cmd/earlyinit/main.go

@@ -0,0 +1,58 @@
+package main
+
+import (
+	"log"
+	"os"
+	"runtime"
+	. "syscall"
+)
+
+func main() {
+	runtime.LockOSThread()
+	log.SetFlags(0)
+	log.SetPrefix("earlyinit: ")
+
+	if err := Mount(
+		"devtmpfs",
+		"/dev/",
+		"devtmpfs",
+		MS_NOSUID|MS_NOEXEC,
+		"",
+	); err != nil {
+		log.Fatalf("cannot mount devtmpfs: %v", err)
+	}
+
+	// The kernel might be unable to set up the console. When that happens,
+	// printk is called with "Warning: unable to open an initial console."
+	// and the init runs with no files. The checkfds runtime function
+	// populates 0-2 by opening /dev/null for them.
+	//
+	// This check replaces 1 and 2 with /dev/kmsg to improve the chance
+	// of output being visible to the user.
+	if fi, err := os.Stdout.Stat(); err == nil {
+		if stat, ok := fi.Sys().(*Stat_t); ok {
+			if stat.Rdev == 0x103 {
+				var fd int
+				if fd, err = Open(
+					"/dev/kmsg",
+					O_WRONLY|O_CLOEXEC,
+					0,
+				); err != nil {
+					log.Fatalf("cannot open kmsg: %v", err)
+				}
+
+				if err = Dup3(fd, Stdout, 0); err != nil {
+					log.Fatalf("cannot open stdout: %v", err)
+				}
+				if err = Dup3(fd, Stderr, 0); err != nil {
+					log.Fatalf("cannot open stderr: %v", err)
+				}
+
+				if err = Close(fd); err != nil {
+					log.Printf("cannot close kmsg: %v", err)
+				}
+			}
+		}
+	}
+
+}

cmd/hakurei/command.go

@@ -14,7 +14,6 @@ import (
 	_ "unsafe" // for go:linkname
 
 	"hakurei.app/command"
-	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
@@ -187,14 +186,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}})
 			}
 
-			// start pipewire-pulse: this most likely exists on host if PipeWire is available
-			if flagPulse {
-				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSDaemon{
-					Target: fhs.AbsRunUser.Append(strconv.Itoa(container.OverflowUid(msg)), "pulse/native"),
-					Exec:   shell, Args: []string{"-lc", "exec pipewire-pulse"},
-				}})
-			}
-
 			config.Container.Filesystem = append(config.Container.Filesystem,
 				// opportunistically bind kvm
 				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{

cmd/hpkg/README

@@ -1,7 +0,0 @@
-This program is a proof of concept and is now deprecated. It is only kept
-around for API demonstration purposes and to make the most out of the test
-suite.
-
-This program is replaced by planterette, which can be found at
-https://git.gensokyo.uk/security/planterette. Development effort should be
-focused there instead.

cmd/hpkg/app.go

@@ -1,173 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"os"
-
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-)
-
-type appInfo struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-
-	// passed through to [hst.Config]
-	ID string `json:"id"`
-	// passed through to [hst.Config]
-	Identity int `json:"identity"`
-	// passed through to [hst.Config]
-	Groups []string `json:"groups,omitempty"`
-	// passed through to [hst.Config]
-	Devel bool `json:"devel,omitempty"`
-	// passed through to [hst.Config]
-	Userns bool `json:"userns,omitempty"`
-	// passed through to [hst.Config]
-	HostNet bool `json:"net,omitempty"`
-	// passed through to [hst.Config]
-	HostAbstract bool `json:"abstract,omitempty"`
-	// passed through to [hst.Config]
-	Device bool `json:"dev,omitempty"`
-	// passed through to [hst.Config]
-	Tty bool `json:"tty,omitempty"`
-	// passed through to [hst.Config]
-	MapRealUID bool `json:"map_real_uid,omitempty"`
-	// passed through to [hst.Config]
-	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// passed through to [hst.Config]
-	SystemBus *hst.BusConfig `json:"system_bus,omitempty"`
-	// passed through to [hst.Config]
-	SessionBus *hst.BusConfig `json:"session_bus,omitempty"`
-	// passed through to [hst.Config]
-	Enablements *hst.Enablements `json:"enablements,omitempty"`
-
-	// passed through to [hst.Config]
-	Multiarch bool `json:"multiarch,omitempty"`
-	// passed through to [hst.Config]
-	Bluetooth bool `json:"bluetooth,omitempty"`
-
-	// allow gpu access within sandbox
-	GPU bool `json:"gpu"`
-	// store path to nixGL mesa wrappers
-	Mesa string `json:"mesa,omitempty"`
-	// store path to nixGL source
-	NixGL string `json:"nix_gl,omitempty"`
-	// store path to activate-and-exec script
-	Launcher *check.Absolute `json:"launcher"`
-	// store path to /run/current-system
-	CurrentSystem *check.Absolute `json:"current_system"`
-	// store path to home-manager activation package
-	ActivationPackage string `json:"activation_package"`
-}
-
-func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []string, flagDropShell bool) *hst.Config {
-	config := &hst.Config{
-		ID: app.ID,
-
-		Enablements: app.Enablements,
-
-		SystemBus:     app.SystemBus,
-		SessionBus:    app.SessionBus,
-		DirectWayland: app.DirectWayland,
-
-		Identity: app.Identity,
-		Groups:   app.Groups,
-
-		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name),
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
-				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsPrivateTmp.Append("app")}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
-			},
-
-			Username: "hakurei",
-			Shell:    pathShell,
-			Home:     pathDataData.Append(app.ID),
-
-			Path: pathname,
-			Args: argv,
-		},
-		ExtraPerms: []hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-		},
-	}
-
-	if app.Devel {
-		config.Container.Flags |= hst.FDevel
-	}
-	if app.Userns {
-		config.Container.Flags |= hst.FUserns
-	}
-	if app.HostNet {
-		config.Container.Flags |= hst.FHostNet
-	}
-	if app.HostAbstract {
-		config.Container.Flags |= hst.FHostAbstract
-	}
-	if app.Device {
-		config.Container.Flags |= hst.FDevice
-	}
-	if app.Tty || flagDropShell {
-		config.Container.Flags |= hst.FTty
-	}
-	if app.MapRealUID {
-		config.Container.Flags |= hst.FMapRealUID
-	}
-	if app.Multiarch {
-		config.Container.Flags |= hst.FMultiarch
-	}
-	config.Container.Flags |= hst.FShareRuntime | hst.FShareTmpdir
-	return config
-}
-
-func loadAppInfo(name string, beforeFail func()) *appInfo {
-	bundle := new(appInfo)
-	if f, err := os.Open(name); err != nil {
-		beforeFail()
-		log.Fatalf("cannot open bundle: %v", err)
-	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
-		beforeFail()
-		log.Fatalf("cannot parse bundle metadata: %v", err)
-	} else if err = f.Close(); err != nil {
-		log.Printf("cannot close bundle metadata: %v", err)
-		// not fatal
-	}
-
-	if bundle.ID == "" {
-		beforeFail()
-		log.Fatal("application identifier must not be empty")
-	}
-	if bundle.Launcher == nil {
-		beforeFail()
-		log.Fatal("launcher must not be empty")
-	}
-	if bundle.CurrentSystem == nil {
-		beforeFail()
-		log.Fatal("current-system must not be empty")
-	}
-
-	return bundle
-}
-
-func formatHostname(name string) string {
-	if h, err := os.Hostname(); err != nil {
-		log.Printf("cannot get hostname: %v", err)
-		return "hakurei-" + name
-	} else {
-		return h + "-" + name
-	}
-}

cmd/hpkg/build.nix

@@ -1,256 +0,0 @@
-{
-  nixpkgsFor,
-  system,
-  nixpkgs,
-  home-manager,
-}:
-
-{
-  lib,
-  stdenv,
-  closureInfo,
-  writeScript,
-  runtimeShell,
-  writeText,
-  symlinkJoin,
-  vmTools,
-  runCommand,
-  fetchFromGitHub,
-
-  zstd,
-  nix,
-  sqlite,
-
-  name ? throw "name is required",
-  version ? throw "version is required",
-  pname ? "${name}-${version}",
-  modules ? [ ],
-  nixosModules ? [ ],
-  script ? ''
-    exec "$SHELL" "$@"
-  '',
-
-  id ? name,
-  identity ? throw "identity is required",
-  groups ? [ ],
-  userns ? false,
-  net ? true,
-  dev ? false,
-  no_new_session ? false,
-  map_real_uid ? false,
-  direct_wayland ? false,
-  system_bus ? null,
-  session_bus ? null,
-
-  allow_wayland ? true,
-  allow_x11 ? false,
-  allow_dbus ? true,
-  allow_audio ? true,
-  gpu ? allow_wayland || allow_x11,
-}:
-
-let
-  inherit (lib) optionals;
-
-  homeManagerConfiguration = home-manager.lib.homeManagerConfiguration {
-    pkgs = nixpkgsFor.${system};
-    modules = modules ++ [
-      {
-        home = {
-          username = "hakurei";
-          homeDirectory = "/data/data/${id}";
-          stateVersion = "22.11";
-        };
-      }
-    ];
-  };
-
-  launcher = writeScript "hakurei-${pname}" ''
-    #!${runtimeShell} -el
-    ${script}
-  '';
-
-  extraNixOSConfig =
-    { pkgs, ... }:
-    {
-      environment = {
-        etc.nixpkgs.source = nixpkgs.outPath;
-        systemPackages = [ pkgs.nix ];
-      };
-
-      imports = nixosModules;
-    };
-  nixos = nixpkgs.lib.nixosSystem {
-    inherit system;
-    modules = [
-      extraNixOSConfig
-      { nix.settings.experimental-features = [ "flakes" ]; }
-      { nix.settings.experimental-features = [ "nix-command" ]; }
-      { boot.isContainer = true; }
-      { system.stateVersion = "22.11"; }
-    ];
-  };
-
-  etc = vmTools.runInLinuxVM (
-    runCommand "etc" { } ''
-      mkdir -p /etc
-      ${nixos.config.system.build.etcActivationCommands}
-
-      # remove unused files
-      rm -rf /etc/sudoers
-
-      mkdir -p $out
-      tar -C /etc -cf "$out/etc.tar" .
-    ''
-  );
-
-  extendSessionDefault = id: ext: {
-    filter = true;
-
-    talk = [ "org.freedesktop.Notifications" ] ++ ext.talk;
-    own =
-      (optionals (id != null) [
-        "${id}.*"
-        "org.mpris.MediaPlayer2.${id}.*"
-      ])
-      ++ ext.own;
-
-    inherit (ext) call broadcast;
-  };
-
-  nixGL = fetchFromGitHub {
-    owner = "nix-community";
-    repo = "nixGL";
-    rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a";
-    hash = "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=";
-  };
-
-  mesaWrappers =
-    let
-      isIntelX86Platform = system == "x86_64-linux";
-      nixGLPackages = import (nixGL + "/default.nix") {
-        pkgs = nixpkgs.legacyPackages.${system};
-        enable32bits = isIntelX86Platform;
-        enableIntelX86Extensions = isIntelX86Platform;
-      };
-    in
-    symlinkJoin {
-      name = "nixGL-mesa";
-      paths = with nixGLPackages; [
-        nixGLIntel
-        nixVulkanIntel
-      ];
-    };
-
-  info = builtins.toJSON {
-    inherit
-      name
-      version
-      id
-      identity
-      launcher
-      groups
-      userns
-      net
-      dev
-      no_new_session
-      map_real_uid
-      direct_wayland
-      system_bus
-      gpu
-      ;
-
-    session_bus =
-      if session_bus != null then
-        (session_bus (extendSessionDefault id))
-      else
-        (extendSessionDefault id {
-          talk = [ ];
-          own = [ ];
-          call = { };
-          broadcast = { };
-        });
-
-    enablements = {
-      wayland = allow_wayland;
-      x11 = allow_x11;
-      dbus = allow_dbus;
-      pipewire = allow_audio;
-    };
-
-    mesa = if gpu then mesaWrappers else null;
-    nix_gl = if gpu then nixGL else null;
-    current_system = nixos.config.system.build.toplevel;
-    activation_package = homeManagerConfiguration.activationPackage;
-  };
-in
-
-stdenv.mkDerivation {
-  name = "${pname}.pkg";
-  inherit version;
-  __structuredAttrs = true;
-
-  nativeBuildInputs = [
-    zstd
-    nix
-    sqlite
-  ];
-
-  buildCommand = ''
-    NIX_ROOT="$(mktemp -d)"
-    export USER="nobody"
-
-    # create bootstrap store
-    bootstrapClosureInfo="${
-      closureInfo {
-        rootPaths = [
-          nix
-          nixos.config.system.build.toplevel
-        ];
-      }
-    }"
-    echo "copying bootstrap store paths..."
-    mkdir -p "$NIX_ROOT/nix/store"
-    xargs -n 1 -a "$bootstrapClosureInfo/store-paths" cp -at "$NIX_ROOT/nix/store/"
-    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --load-db < "$bootstrapClosureInfo/registration"
-    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --optimise
-    sqlite3 "$NIX_ROOT/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
-    chmod -R +r "$NIX_ROOT/nix/var"
-
-    # create binary cache
-    closureInfo="${
-      closureInfo {
-        rootPaths = [
-          homeManagerConfiguration.activationPackage
-          launcher
-        ]
-        ++ optionals gpu [
-          mesaWrappers
-          nixGL
-        ];
-      }
-    }"
-    echo "copying application paths..."
-    TMP_STORE="$(mktemp -d)"
-    mkdir -p "$TMP_STORE/nix/store"
-    xargs -n 1 -a "$closureInfo/store-paths" cp -at "$TMP_STORE/nix/store/"
-    NIX_REMOTE="local?root=$TMP_STORE" nix-store --load-db < "$closureInfo/registration"
-    sqlite3 "$TMP_STORE/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
-    NIX_REMOTE="local?root=$TMP_STORE" nix --offline --extra-experimental-features nix-command \
-        --verbose --log-format raw-with-logs \
-        copy --all --no-check-sigs --to \
-        "file://$NIX_ROOT/res?compression=zstd&compression-level=19&parallel-compression=true"
-
-    # package /etc
-    mkdir -p "$NIX_ROOT/etc"
-    tar -C "$NIX_ROOT/etc" -xf "${etc}/etc.tar"
-
-    # write metadata
-    cp "${writeText "bundle.json" info}" "$NIX_ROOT/bundle.json"
-
-    # create an intermediate file to improve zstd performance
-    INTER="$(mktemp)"
-    tar -C "$NIX_ROOT" -cf "$INTER" .
-    zstd -T0 -19 -fo "$out" "$INTER"
-  '';
-}

cmd/hpkg/main.go

@@ -1,335 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"log"
-	"os"
-	"os/signal"
-	"path"
-	"syscall"
-
-	"hakurei.app/command"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-var (
-	errSuccess = errors.New("success")
-)
-
-func main() {
-	log.SetPrefix("hpkg: ")
-	log.SetFlags(0)
-	msg := message.New(log.Default())
-
-	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
-		log.Fatalf("cannot set $SHELL: %v", err)
-	}
-
-	if os.Geteuid() == 0 {
-		log.Fatal("this program must not run as root")
-	}
-
-	ctx, stop := signal.NotifyContext(context.Background(),
-		syscall.SIGINT, syscall.SIGTERM)
-	defer stop() // unreachable
-
-	var (
-		flagVerbose   bool
-		flagDropShell bool
-	)
-	c := command.New(os.Stderr, log.Printf, "hpkg", func([]string) error { msg.SwapVerbose(flagVerbose); return nil }).
-		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
-		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
-
-	{
-		var (
-			flagDropShellActivate bool
-		)
-		c.NewCommand("install", "Install an application from its package", func(args []string) error {
-			if len(args) != 1 {
-				log.Println("invalid argument")
-				return syscall.EINVAL
-			}
-			pkgPath := args[0]
-			if !path.IsAbs(pkgPath) {
-				if dir, err := os.Getwd(); err != nil {
-					log.Printf("cannot get current directory: %v", err)
-					return err
-				} else {
-					pkgPath = path.Join(dir, pkgPath)
-				}
-			}
-
-			/*
-				Look up paths to programs started by hpkg.
-				This is done here to ease error handling as cleanup is not yet required.
-			*/
-
-			var (
-				_     = lookPath("zstd")
-				tar   = lookPath("tar")
-				chmod = lookPath("chmod")
-				rm    = lookPath("rm")
-			)
-
-			/*
-				Extract package and set up for cleanup.
-			*/
-
-			var workDir *check.Absolute
-			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
-				log.Printf("cannot create temporary directory: %v", err)
-				return err
-			} else if workDir, err = check.NewAbs(p); err != nil {
-				log.Printf("invalid temporary directory: %v", err)
-				return err
-			}
-			cleanup := func() {
-				// should be faster than a native implementation
-				mustRun(msg, chmod, "-R", "+w", workDir.String())
-				mustRun(msg, rm, "-rf", workDir.String())
-			}
-			beforeRunFail.Store(&cleanup)
-
-			mustRun(msg, tar, "-C", workDir.String(), "-xf", pkgPath)
-
-			/*
-				Parse bundle and app metadata, do pre-install checks.
-			*/
-
-			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
-			pathSet := pathSetByApp(bundle.ID)
-
-			a := bundle
-			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
-				if !os.IsNotExist(err) {
-					cleanup()
-					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
-					return err
-				}
-				// did not modify app, clean installation condition met later
-			} else if s.IsDir() {
-				cleanup()
-				log.Printf("metadata path %q is not a file", pathSet.metaPath)
-				return syscall.EBADMSG
-			} else {
-				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
-				if a.ID != bundle.ID {
-					cleanup()
-					log.Printf("app %q claims to have identifier %q",
-						bundle.ID, a.ID)
-					return syscall.EBADE
-				}
-				// sec: should verify credentials
-			}
-
-			if a != bundle {
-				// do not try to re-install
-				if a.NixGL == bundle.NixGL &&
-					a.CurrentSystem == bundle.CurrentSystem &&
-					a.Launcher == bundle.Launcher &&
-					a.ActivationPackage == bundle.ActivationPackage {
-					cleanup()
-					log.Printf("package %q is identical to local application %q",
-						pkgPath, a.ID)
-					return errSuccess
-				}
-
-				// identity determines uid
-				if a.Identity != bundle.Identity {
-					cleanup()
-					log.Printf("package %q identity %d differs from installed %d",
-						pkgPath, bundle.Identity, a.Identity)
-					return syscall.EBADE
-				}
-
-				// sec: should compare version string
-				msg.Verbosef("installing application %q version %q over local %q",
-					bundle.ID, bundle.Version, a.Version)
-			} else {
-				msg.Verbosef("application %q clean installation", bundle.ID)
-				// sec: should install credentials
-			}
-
-			/*
-				Setup steps for files owned by the target user.
-			*/
-
-			withCacheDir(ctx, msg, "install", []string{
-				// export inner bundle path in the environment
-				"export BUNDLE=" + hst.PrivateTmp + "/bundle",
-				// replace inner /etc
-				"mkdir -p etc",
-				"chmod -R +w etc",
-				"rm -rf etc",
-				"cp -dRf $BUNDLE/etc etc",
-				// replace inner /nix
-				"mkdir -p nix",
-				"chmod -R +w nix",
-				"rm -rf nix",
-				"cp -dRf /nix nix",
-				// copy from binary cache
-				"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
-				// deduplicate nix store
-				"nix store --offline --store $PWD optimise",
-				// make cache directory world-readable for autoetc
-				"chmod 0755 .",
-			}, workDir, bundle, pathSet, flagDropShell, cleanup)
-
-			if bundle.GPU {
-				withCacheDir(ctx, msg, "mesa-wrappers", []string{
-					// link nixGL mesa wrappers
-					"mkdir -p nix/.nixGL",
-					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
-					"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
-				}, workDir, bundle, pathSet, false, cleanup)
-			}
-
-			/*
-				Activate home-manager generation.
-			*/
-
-			withNixDaemon(ctx, msg, "activate", []string{
-				// clean up broken links
-				"mkdir -p .local/state/{nix,home-manager}",
-				"chmod -R +w .local/state/{nix,home-manager}",
-				"rm -rf .local/state/{nix,home-manager}",
-				// run activation script
-				bundle.ActivationPackage + "/activate",
-			}, false, func(config *hst.Config) *hst.Config { return config },
-				bundle, pathSet, flagDropShellActivate, cleanup)
-
-			/*
-				Installation complete. Write metadata to block re-installs or downgrades.
-			*/
-
-			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
-				cleanup()
-				log.Printf("cannot create metadata file: %v", err)
-				return err
-			} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
-				cleanup()
-				log.Printf("cannot write metadata: %v", err)
-				return err
-			} else if err = f.Close(); err != nil {
-				log.Printf("cannot close metadata file: %v", err)
-				// not fatal
-			}
-
-			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
-				cleanup()
-				log.Printf("cannot rename metadata file: %v", err)
-				return err
-			}
-
-			cleanup()
-			return errSuccess
-		}).
-			Flag(&flagDropShellActivate, "s", command.BoolFlag(false), "Drop to a shell on activation")
-	}
-
-	{
-		var (
-			flagDropShellNixGL bool
-			flagAutoDrivers    bool
-		)
-		c.NewCommand("start", "Start an application", func(args []string) error {
-			if len(args) < 1 {
-				log.Println("invalid argument")
-				return syscall.EINVAL
-			}
-
-			/*
-				Parse app metadata.
-			*/
-
-			id := args[0]
-			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath.String(), func() {})
-			if a.ID != id {
-				log.Printf("app %q claims to have identifier %q", id, a.ID)
-				return syscall.EBADE
-			}
-
-			/*
-				Prepare nixGL.
-			*/
-
-			if a.GPU && flagAutoDrivers {
-				withNixDaemon(ctx, msg, "nix-gl", []string{
-					"mkdir -p /nix/.nixGL/auto",
-					"rm -rf /nix/.nixGL/auto",
-					"export NIXPKGS_ALLOW_UNFREE=1",
-					"nix build --impure " +
-						"--out-link /nix/.nixGL/auto/opengl " +
-						"--override-input nixpkgs path:/etc/nixpkgs " +
-						"path:" + a.NixGL,
-					"nix build --impure " +
-						"--out-link /nix/.nixGL/auto/vulkan " +
-						"--override-input nixpkgs path:/etc/nixpkgs " +
-						"path:" + a.NixGL + "#nixVulkanNvidia",
-				}, true, func(config *hst.Config) *hst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
-					}...)
-					appendGPUFilesystem(config)
-					return config
-				}, a, pathSet, flagDropShellNixGL, func() {})
-			}
-
-			/*
-				Create app configuration.
-			*/
-
-			pathname := a.Launcher
-			argv := make([]string, 1, len(args))
-			if flagDropShell {
-				pathname = pathShell
-				argv[0] = bash
-			} else {
-				argv[0] = a.Launcher.String()
-			}
-			argv = append(argv, args[1:]...)
-			config := a.toHst(pathSet, pathname, argv, flagDropShell)
-
-			/*
-				Expose GPU devices.
-			*/
-
-			if a.GPU {
-				config.Container.Filesystem = append(config.Container.Filesystem,
-					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsPrivateTmp.Append("nixGL")}})
-				appendGPUFilesystem(config)
-			}
-
-			/*
-				Spawn app.
-			*/
-
-			mustRunApp(ctx, msg, config, func() {})
-			return errSuccess
-		}).
-			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
-			Flag(&flagAutoDrivers, "auto-drivers", command.BoolFlag(false), "Attempt automatic opengl driver detection")
-	}
-
-	c.MustParse(os.Args[1:], func(err error) {
-		msg.Verbosef("command returned %v", err)
-		if errors.Is(err, errSuccess) {
-			msg.BeforeExit()
-			os.Exit(0)
-		}
-	})
-	log.Fatal("unreachable")
-}

cmd/hpkg/paths.go

@@ -1,117 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-	"os/exec"
-	"strconv"
-	"sync/atomic"
-
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-const bash = "bash"
-
-var (
-	dataHome *check.Absolute
-)
-
-func init() {
-	// dataHome
-	if a, err := check.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
-		dataHome = a
-	} else {
-		dataHome = fhs.AbsVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
-	}
-}
-
-var (
-	pathBin = fhs.AbsRoot.Append("bin")
-
-	pathNix           = check.MustAbs("/nix/")
-	pathNixStore      = pathNix.Append("store/")
-	pathCurrentSystem = fhs.AbsRun.Append("current-system")
-	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
-	pathShell         = pathSwBin.Append(bash)
-
-	pathData     = check.MustAbs("/data")
-	pathDataData = pathData.Append("data")
-)
-
-func lookPath(file string) string {
-	if p, err := exec.LookPath(file); err != nil {
-		log.Fatalf("%s: command not found", file)
-		return ""
-	} else {
-		return p
-	}
-}
-
-var beforeRunFail = new(atomic.Pointer[func()])
-
-func mustRun(msg message.Msg, name string, arg ...string) {
-	msg.Verbosef("spawning process: %q %q", name, arg)
-	cmd := exec.Command(name, arg...)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	if err := cmd.Run(); err != nil {
-		if f := beforeRunFail.Swap(nil); f != nil {
-			(*f)()
-		}
-		log.Fatalf("%s: %v", name, err)
-	}
-}
-
-type appPathSet struct {
-	// ${dataHome}/${id}
-	baseDir *check.Absolute
-	// ${baseDir}/app
-	metaPath *check.Absolute
-	// ${baseDir}/files
-	homeDir *check.Absolute
-	// ${baseDir}/cache
-	cacheDir *check.Absolute
-	// ${baseDir}/cache/nix
-	nixPath *check.Absolute
-}
-
-func pathSetByApp(id string) *appPathSet {
-	pathSet := new(appPathSet)
-	pathSet.baseDir = dataHome.Append(id)
-	pathSet.metaPath = pathSet.baseDir.Append("app")
-	pathSet.homeDir = pathSet.baseDir.Append("files")
-	pathSet.cacheDir = pathSet.baseDir.Append("cache")
-	pathSet.nixPath = pathSet.cacheDir.Append("nix")
-	return pathSet
-}
-
-func appendGPUFilesystem(config *hst.Config) {
-	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
-		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("dri"), Device: true, Optional: true}},
-		// mali
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali0"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("umplock"), Device: true, Optional: true}},
-		// nvidia
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidiactl"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-modeset"), Device: true, Optional: true}},
-		// nvidia OpenCL/CUDA
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
-
-		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia1"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia3"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia5"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia7"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia9"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia11"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia13"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia15"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia17"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia19"), Device: true, Optional: true}},
-	}...)
-}

cmd/hpkg/proc.go

@@ -1,61 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"io"
-	"log"
-	"os"
-	"os/exec"
-
-	"hakurei.app/hst"
-	"hakurei.app/internal/info"
-	"hakurei.app/message"
-)
-
-var hakureiPathVal = info.MustHakureiPath().String()
-
-func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
-	var (
-		cmd *exec.Cmd
-		st  io.WriteCloser
-	)
-
-	if r, w, err := os.Pipe(); err != nil {
-		beforeFail()
-		log.Fatalf("cannot pipe: %v", err)
-	} else {
-		if msg.IsVerbose() {
-			cmd = exec.CommandContext(ctx, hakureiPathVal, "-v", "app", "3")
-		} else {
-			cmd = exec.CommandContext(ctx, hakureiPathVal, "app", "3")
-		}
-		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-		cmd.ExtraFiles = []*os.File{r}
-		st = w
-	}
-
-	go func() {
-		if err := json.NewEncoder(st).Encode(config); err != nil {
-			beforeFail()
-			log.Fatalf("cannot send configuration: %v", err)
-		}
-	}()
-
-	if err := cmd.Start(); err != nil {
-		beforeFail()
-		log.Fatalf("cannot start hakurei: %v", err)
-	}
-	if err := cmd.Wait(); err != nil {
-		var exitError *exec.ExitError
-		if errors.As(err, &exitError) {
-			beforeFail()
-			msg.BeforeExit()
-			os.Exit(exitError.ExitCode())
-		} else {
-			beforeFail()
-			log.Fatalf("cannot wait: %v", err)
-		}
-	}
-}

cmd/hpkg/test/configuration.nix

@@ -1,62 +0,0 @@
-{ pkgs, ... }:
-{
-  users.users = {
-    alice = {
-      isNormalUser = true;
-      description = "Alice Foobar";
-      password = "foobar";
-      uid = 1000;
-    };
-  };
-
-  home-manager.users.alice.home.stateVersion = "24.11";
-
-  # Automatically login on tty1 as a normal user:
-  services.getty.autologinUser = "alice";
-
-  environment = {
-    variables = {
-      SWAYSOCK = "/tmp/sway-ipc.sock";
-      WLR_RENDERER = "pixman";
-    };
-  };
-
-  # Automatically configure and start Sway when logging in on tty1:
-  programs.bash.loginShellInit = ''
-    if [ "$(tty)" = "/dev/tty1" ]; then
-      set -e
-
-      mkdir -p ~/.config/sway
-      (sed s/Mod4/Mod1/ /etc/sway/config &&
-      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
-      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
-
-      sway --validate
-      systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
-    fi
-  '';
-
-  programs.sway.enable = true;
-
-  virtualisation = {
-    diskSize = 6 * 1024;
-
-    qemu.options = [
-      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
-      "-vga none -device virtio-gpu-pci"
-
-      # Increase zstd performance:
-      "-smp 8"
-    ];
-  };
-
-  environment.hakurei = {
-    enable = true;
-    stateDir = "/var/lib/hakurei";
-    users.alice = 0;
-
-    extraHomeConfig = {
-      home.stateVersion = "23.05";
-    };
-  };
-}

cmd/hpkg/test/default.nix

@@ -1,34 +0,0 @@
-{
-  nixosTest,
-  callPackage,
-
-  system,
-  self,
-}:
-let
-  buildPackage = self.buildPackage.${system};
-in
-nixosTest {
-  name = "hpkg";
-  nodes.machine = {
-    environment.etc = {
-      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
-    };
-
-    imports = [
-      ./configuration.nix
-
-      self.nixosModules.hakurei
-      self.inputs.home-manager.nixosModules.home-manager
-    ];
-  };
-
-  # adapted from nixos sway integration tests
-
-  # testScriptWithTypes:49: error: Cannot call function of unknown type
-  #           (machine.succeed if succeed else machine.execute)(
-  #           ^
-  # Found 1 error in 1 file (checked 1 source file)
-  skipTypeCheck = true;
-  testScript = builtins.readFile ./test.py;
-}

cmd/hpkg/test/foot.nix

@@ -1,48 +0,0 @@
-{
-  lib,
-  buildPackage,
-  foot,
-  wayland-utils,
-  inconsolata,
-}:
-
-buildPackage {
-  name = "foot";
-  inherit (foot) version;
-
-  identity = 2;
-  id = "org.codeberg.dnkl.foot";
-
-  modules = [
-    {
-      home.packages = [
-        foot
-
-        # For wayland-info:
-        wayland-utils
-      ];
-    }
-  ];
-
-  nixosModules = [
-    {
-      # To help with OCR:
-      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
-        main = {
-          font = "inconsolata:size=14";
-        };
-        colors = rec {
-          foreground = "000000";
-          background = "ffffff";
-          regular2 = foreground;
-        };
-      };
-
-      fonts.packages = [ inconsolata ];
-    }
-  ];
-
-  script = ''
-    exec foot "$@"
-  '';
-}

cmd/hpkg/test/test.py

@@ -1,110 +0,0 @@
-import json
-import shlex
-
-q = shlex.quote
-NODE_GROUPS = ["nodes", "floating_nodes"]
-
-
-def swaymsg(command: str = "", succeed=True, type="command"):
-    assert command != "" or type != "command", "Must specify command or type"
-    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
-    with machine.nested(
-            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
-    ):
-        ret = (machine.succeed if succeed else machine.execute)(
-            f"su - alice -c {shell}"
-        )
-
-    # execute also returns a status code, but disregard.
-    if not succeed:
-        _, ret = ret
-
-    if not succeed and not ret:
-        return None
-
-    parsed = json.loads(ret)
-    return parsed
-
-
-def walk(tree):
-    yield tree
-    for group in NODE_GROUPS:
-        for node in tree.get(group, []):
-            yield from walk(node)
-
-
-def wait_for_window(pattern):
-    def func(last_chance):
-        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
-
-        if last_chance:
-            nodes = list(nodes)
-            machine.log(f"Last call! Current list of windows: {nodes}")
-
-        return any(pattern in name for name in nodes)
-
-    retry(func)
-
-
-def collect_state_ui(name):
-    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
-    machine.copy_from_vm(f"/tmp/{name}.ps", "")
-    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
-    machine.copy_from_vm(f"/tmp/{name}.json", "")
-    machine.screenshot(name)
-
-
-def check_state(name, enablements):
-    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
-    if len(instances) != 1:
-        raise Exception(f"unexpected state length {len(instances)}")
-    instance = instances[0]
-
-    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
-        raise Exception(f"unexpected args {instance['container']['args']}")
-
-    if instance['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {instance['enablements']}")
-
-
-start_all()
-machine.wait_for_unit("multi-user.target")
-
-# To check hakurei's version:
-print(machine.succeed("sudo -u alice -i hakurei version"))
-
-# Wait for Sway to complete startup:
-machine.wait_for_file("/run/user/1000/wayland-1")
-machine.wait_for_file("/tmp/sway-ipc.sock")
-
-# Prepare hpkg directory:
-machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
-
-# Install hpkg app:
-swaymsg("exec hpkg -v install /etc/foot.pkg && touch /tmp/hpkg-install-ok")
-machine.wait_for_file("/tmp/hpkg-install-ok")
-
-# Start app (foot) with Wayland enablement:
-swaymsg("exec hpkg -v start org.codeberg.dnkl.foot")
-wait_for_window("hakurei@machine-foot")
-machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
-collect_state_ui("app_wayland")
-check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
-# Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
-machine.send_chars("exit\n")
-machine.wait_until_fails("pgrep foot")
-# Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
-
-# Exit Sway and verify process exit status 0:
-swaymsg("exit", succeed=False)
-machine.wait_for_file("/tmp/sway-exit-ok")
-
-# Print hakurei share and rundir contents:
-print(machine.succeed("find /tmp/hakurei.0 "
-    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
-    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
-    + "-print"))
-print(machine.fail("ls /run/user/1000/hakurei"))

cmd/hpkg/with.go

@@ -1,130 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"strings"
-
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-func withNixDaemon(
-	ctx context.Context,
-	msg message.Msg,
-	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	flags := hst.FMultiarch | hst.FUserns // nix sandbox requires userns
-	if net {
-		flags |= hst.FHostNet
-	}
-	if dropShell {
-		flags |= hst.FTty
-	}
-
-	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
-		ID: app.ID,
-
-		ExtraPerms: []hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-		},
-
-		Identity: app.Identity,
-
-		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name) + "-" + action,
-
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
-				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
-			},
-
-			Username: "hakurei",
-			Shell:    pathShell,
-			Home:     pathDataData.Append(app.ID),
-
-			Path: pathShell,
-			Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
-				// start nix-daemon
-				"nix-daemon --store / & " +
-				// wait for socket to appear
-				"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
-				// create directory so nix stops complaining
-				"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
-				strings.Join(command, " && ") +
-				// terminate nix-daemon
-				" && pkill nix-daemon",
-			},
-
-			Flags: flags,
-		},
-	}), dropShell, beforeFail)
-}
-
-func withCacheDir(
-	ctx context.Context,
-	msg message.Msg,
-	action string, command []string, workDir *check.Absolute,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	flags := hst.FMultiarch
-	if dropShell {
-		flags |= hst.FTty
-	}
-
-	mustRunAppDropShell(ctx, msg, &hst.Config{
-		ID: app.ID,
-
-		ExtraPerms: []hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			{Path: workDir, Execute: true},
-		},
-
-		Identity: app.Identity,
-
-		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name) + "-" + action,
-
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: workDir.Append(fhs.Etc), Special: true}},
-				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
-				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsPrivateTmp.Append("bundle")}},
-				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}},
-			},
-
-			Username: "nixos",
-			Shell:    pathShell,
-			Home:     pathDataData.Append(app.ID, "cache"),
-
-			Path: pathShell,
-			Args: []string{bash, "-lc", strings.Join(command, " && ")},
-
-			Flags: flags,
-		},
-	}, dropShell, beforeFail)
-}
-
-func mustRunAppDropShell(ctx context.Context, msg message.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
-	if dropShell {
-		if config.Container != nil {
-			config.Container.Args = []string{bash, "-l"}
-		}
-		mustRunApp(ctx, msg, config, beforeFail)
-		beforeFail()
-		msg.BeforeExit()
-		os.Exit(0)
-	}
-	mustRunApp(ctx, msg, config, beforeFail)
-}

cmd/mbf/main.go

@@ -0,0 +1,431 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"syscall"
+	"time"
+	"unique"
+
+	"hakurei.app/command"
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func main() {
+	container.TryArgv0(nil)
+
+	log.SetFlags(0)
+	log.SetPrefix("mbf: ")
+	msg := message.New(log.Default())
+
+	if os.Geteuid() == 0 {
+		log.Fatal("this program must not run as root")
+	}
+
+	var cache *pkg.Cache
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+	defer func() {
+		if cache != nil {
+			cache.Close()
+		}
+
+		if r := recover(); r != nil {
+			fmt.Println(r)
+			log.Fatal("consider scrubbing the on-disk cache")
+		}
+	}()
+
+	var (
+		flagQuiet  bool
+		flagCures  int
+		flagBase   string
+		flagTShift int
+		flagIdle   bool
+	)
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
+		msg.SwapVerbose(!flagQuiet)
+
+		flagBase = os.ExpandEnv(flagBase)
+		if flagBase == "" {
+			flagBase = "cache"
+		}
+
+		var base *check.Absolute
+		if flagBase, err = filepath.Abs(flagBase); err != nil {
+			return
+		} else if base, err = check.NewAbs(flagBase); err != nil {
+			return
+		}
+		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
+			if flagTShift < 0 {
+				cache.SetThreshold(0)
+			} else if flagTShift > 31 {
+				cache.SetThreshold(1 << 31)
+			} else {
+				cache.SetThreshold(1 << flagTShift)
+			}
+		}
+
+		if flagIdle {
+			pkg.SchedPolicy = container.SCHED_IDLE
+		}
+
+		return
+	}).Flag(
+		&flagQuiet,
+		"q", command.BoolFlag(false),
+		"Do not print cure messages",
+	).Flag(
+		&flagCures,
+		"cures", command.IntFlag(0),
+		"Maximum number of dependencies to cure at any given time",
+	).Flag(
+		&flagBase,
+		"d", command.StringFlag("$MBF_CACHE_DIR"),
+		"Directory to store cured artifacts",
+	).Flag(
+		&flagTShift,
+		"tshift", command.IntFlag(-1),
+		"Dependency graph size exponent, to the power of 2",
+	).Flag(
+		&flagIdle,
+		"sched-idle", command.BoolFlag(false),
+		"Set SCHED_IDLE scheduling policy",
+	)
+
+	{
+		var flagShifts int
+		c.NewCommand(
+			"scrub", "Examine the on-disk cache for errors",
+			func(args []string) error {
+				if len(args) > 0 {
+					return errors.New("scrub expects no arguments")
+				}
+				if flagShifts < 0 || flagShifts > 31 {
+					flagShifts = 12
+				}
+				return cache.Scrub(runtime.NumCPU() << flagShifts)
+			},
+		).Flag(
+			&flagShifts,
+			"shift", command.IntFlag(12),
+			"Scrub parallelism size exponent, to the power of 2",
+		)
+	}
+
+	{
+		var (
+			flagGentoo   string
+			flagChecksum string
+
+			flagStage0 bool
+		)
+		c.NewCommand(
+			"stage3",
+			"Check for toolchain 3-stage non-determinism",
+			func(args []string) (err error) {
+				t := rosa.Std
+				if flagGentoo != "" {
+					t -= 3 // magic number to discourage misuse
+
+					var checksum pkg.Checksum
+					if len(flagChecksum) != 0 {
+						if err = pkg.Decode(&checksum, flagChecksum); err != nil {
+							return
+						}
+					}
+					rosa.SetGentooStage3(flagGentoo, checksum)
+				}
+
+				_, _, _, stage1 := (t - 2).NewLLVM()
+				_, _, _, stage2 := (t - 1).NewLLVM()
+				_, _, _, stage3 := t.NewLLVM()
+				var (
+					pathname *check.Absolute
+					checksum [2]unique.Handle[pkg.Checksum]
+				)
+
+				if pathname, _, err = cache.Cure(stage1); err != nil {
+					return err
+				}
+				log.Println("stage1:", pathname)
+
+				if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
+					return err
+				}
+				log.Println("stage2:", pathname)
+				if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
+					return err
+				}
+				log.Println("stage3:", pathname)
+
+				if checksum[0] != checksum[1] {
+					err = &pkg.ChecksumMismatchError{
+						Got:  checksum[0].Value(),
+						Want: checksum[1].Value(),
+					}
+				} else {
+					log.Println(
+						"stage2 is identical to stage3",
+						"("+pkg.Encode(checksum[0].Value())+")",
+					)
+				}
+
+				if flagStage0 {
+					if pathname, _, err = cache.Cure(
+						t.Load(rosa.Stage0),
+					); err != nil {
+						return err
+					}
+					log.Println(pathname)
+				}
+
+				return
+			},
+		).
+			Flag(
+				&flagGentoo,
+				"gentoo", command.StringFlag(""),
+				"Bootstrap from a Gentoo stage3 tarball",
+			).
+			Flag(
+				&flagChecksum,
+				"checksum", command.StringFlag(""),
+				"Checksum of Gentoo stage3 tarball",
+			).
+			Flag(
+				&flagStage0,
+				"stage0", command.BoolFlag(false),
+				"Create bootstrap stage0 tarball",
+			)
+	}
+
+	{
+		var (
+			flagDump string
+		)
+		c.NewCommand(
+			"cure",
+			"Cure the named artifact and show its path",
+			func(args []string) error {
+				if len(args) != 1 {
+					return errors.New("cure requires 1 argument")
+				}
+				if p, ok := rosa.ResolveName(args[0]); !ok {
+					return fmt.Errorf("unknown artifact %q", args[0])
+				} else if flagDump == "" {
+					pathname, _, err := cache.Cure(rosa.Std.Load(p))
+					if err == nil {
+						log.Println(pathname)
+					}
+					return err
+				} else {
+					f, err := os.OpenFile(
+						flagDump,
+						os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+						0644,
+					)
+					if err != nil {
+						return err
+					}
+
+					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
+						_ = f.Close()
+						return err
+					}
+
+					return f.Close()
+				}
+			},
+		).
+			Flag(
+				&flagDump,
+				"dump", command.StringFlag(""),
+				"Write IR to specified pathname and terminate",
+			)
+	}
+
+	c.NewCommand(
+		"status",
+		"Display the status file of an artifact",
+		func(args []string) error {
+			if len(args) != 1 {
+				return errors.New("status requires 1 argument")
+			}
+			if p, ok := rosa.ResolveName(args[0]); !ok {
+				return fmt.Errorf("unknown artifact %q", args[0])
+			} else {
+				r, err := cache.OpenStatus(rosa.Std.Load(p))
+				if err != nil {
+					if errors.Is(err, os.ErrNotExist) {
+						return errors.New(args[0] + " was never cured")
+					}
+					return err
+				}
+
+				_, err = io.Copy(os.Stdout, r)
+				return errors.Join(err, r.Close())
+			}
+		},
+	)
+
+	{
+		var (
+			flagNet     bool
+			flagSession bool
+
+			flagWithToolchain bool
+		)
+		c.NewCommand(
+			"shell",
+			"Interactive shell in the specified Rosa OS environment",
+			func(args []string) error {
+				root := make([]pkg.Artifact, 0, 6+len(args))
+				for _, arg := range args {
+					p, ok := rosa.ResolveName(arg)
+					if !ok {
+						return fmt.Errorf("unknown artifact %q", arg)
+					}
+					root = append(root, rosa.Std.Load(p))
+				}
+
+				if flagWithToolchain {
+					musl, compilerRT, runtimes, clang := rosa.Std.NewLLVM()
+					root = append(root, musl, compilerRT, runtimes, clang)
+				} else {
+					root = append(root, rosa.Std.Load(rosa.Musl))
+				}
+				root = append(root,
+					rosa.Std.Load(rosa.Mksh),
+					rosa.Std.Load(rosa.Toybox),
+				)
+
+				type cureRes struct {
+					pathname *check.Absolute
+					checksum unique.Handle[pkg.Checksum]
+				}
+				cured := make(map[pkg.Artifact]cureRes)
+				for _, a := range root {
+					pathname, checksum, err := cache.Cure(a)
+					if err != nil {
+						return err
+					}
+					cured[a] = cureRes{pathname, checksum}
+				}
+
+				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
+					*check.Absolute,
+					unique.Handle[pkg.Checksum],
+				) {
+					res := cured[a]
+					return res.pathname, res.checksum
+				}, func(i int, d pkg.Artifact) {
+					r := pkg.Encode(cache.Ident(d).Value())
+					if s, ok := d.(fmt.Stringer); ok {
+						if name := s.String(); name != "" {
+							r += "-" + name
+						}
+					}
+					msg.Verbosef("promoted layer %d as %s", i, r)
+				})
+
+				z := container.New(ctx, msg)
+				z.WaitDelay = 3 * time.Second
+				z.SeccompPresets = pkg.SeccompPresets
+				z.SeccompFlags |= seccomp.AllowMultiarch
+				z.ParentPerm = 0700
+				z.HostNet = flagNet
+				z.RetainSession = flagSession
+				z.Hostname = "localhost"
+				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
+				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+
+				var tempdir *check.Absolute
+				if s, err := filepath.Abs(os.TempDir()); err != nil {
+					return err
+				} else if tempdir, err = check.NewAbs(s); err != nil {
+					return err
+				}
+
+				z.Dir = fhs.AbsRoot
+				z.Env = []string{
+					"SHELL=/system/bin/mksh",
+					"PATH=/system/bin",
+					"HOME=/",
+				}
+				z.Path = rosa.AbsSystem.Append("bin", "mksh")
+				z.Args = []string{"mksh"}
+				z.
+					OverlayEphemeral(fhs.AbsRoot, layers...).
+					Place(
+						fhs.AbsEtc.Append("hosts"),
+						[]byte("127.0.0.1 localhost\n"),
+					).
+					Place(
+						fhs.AbsEtc.Append("passwd"),
+						[]byte("media_rw:x:1023:1023::/:/system/bin/sh\n"+
+							"nobody:x:65534:65534::/proc/nonexistent:/system/bin/false\n"),
+					).
+					Place(
+						fhs.AbsEtc.Append("group"),
+						[]byte("media_rw:x:1023:\nnobody:x:65534:\n"),
+					).
+					Bind(tempdir, fhs.AbsTmp, std.BindWritable).
+					Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+
+				if err := z.Start(); err != nil {
+					return err
+				}
+				if err := z.Serve(); err != nil {
+					return err
+				}
+				return z.Wait()
+			},
+		).
+			Flag(
+				&flagNet,
+				"net", command.BoolFlag(false),
+				"Share host net namespace",
+			).
+			Flag(
+				&flagSession,
+				"session", command.BoolFlag(false),
+				"Retain session",
+			).
+			Flag(
+				&flagWithToolchain,
+				"with-toolchain", command.BoolFlag(false),
+				"Include the stage3 LLVM toolchain",
+			)
+
+	}
+
+	c.Command(
+		"help",
+		"Show this help message",
+		func([]string) error { c.PrintHelp(); return nil },
+	)
+
+	c.MustParse(os.Args[1:], func(err error) {
+		if cache != nil {
+			cache.Close()
+		}
+		log.Fatal(err)
+	})
+}

cmd/pkgserver/main.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"embed"
+	"fmt"
+	"net/http"
+)
+
+//go:generate sh -c "sass ui/static/dark.scss ui/static/dark.css && sass ui/static/light.scss ui/static/light.css && tsc ui/static/index.ts"
+//go:embed ui/*
+var content embed.FS
+
+func serveWebUI(w http.ResponseWriter, r *http.Request) {
+	fmt.Printf("serveWebUI: %s\n", r.URL.Path)
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("X-Frame-Options", "DENY")
+
+	http.ServeFileFS(w, r, content, "ui/index.html")
+}
+func serveStaticContent(w http.ResponseWriter, r *http.Request) {
+	fmt.Printf("serveStaticContent: %s\n", r.URL.Path)
+	switch r.URL.Path {
+	case "/static/style.css":
+		darkTheme := r.CookiesNamed("dark_theme")
+		if len(darkTheme) > 0 && darkTheme[0].Value == "true" {
+			http.ServeFileFS(w, r, content, "ui/static/dark.css")
+		} else {
+			http.ServeFileFS(w, r, content, "ui/static/light.css")
+		}
+		break
+	case "/favicon.ico":
+		http.ServeFileFS(w, r, content, "ui/static/favicon.ico")
+		break
+	case "/static/index.js":
+		http.ServeFileFS(w, r, content, "ui/static/index.js")
+		break
+	default:
+		http.NotFound(w, r)
+
+	}
+}
+func serveAPI(w http.ResponseWriter, r *http.Request) {
+
+}
+func main() {
+	http.HandleFunc("GET /{$}", serveWebUI)
+	http.HandleFunc("GET /favicon.ico", serveStaticContent)
+	http.HandleFunc("GET /static/", serveStaticContent)
+	http.HandleFunc("GET /api/", serveAPI)
+	http.ListenAndServe(":8067", nil)
+}

cmd/pkgserver/ui/index.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <link rel="stylesheet" href="static/style.css">
+    <title>Hakurei PkgServer</title>
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
+    <script src="static/index.js"></script>
+</head>
+<body>
+<h1>Hakurei PkgServer</h1>
+
+<table id="pkg-list">
+    <tr><th>Status</th><th>Name</th><th>Version</th></tr>
+</table>
+<p>Showing entries <span id="entry-counter"></span>.</p>
+<span class="bottom-nav"><a href="javascript:prevPage()">&laquo; Previous</a> <span id="page-number">1</span> <a href="javascript:nextPage()">Next &raquo;</a></span>
+<span><label for="count">Entries per page:</label><select name="count" id="count">
+    <option value="10">10</option>
+    <option value="25">25</option>
+    <option value="50">50</option>
+    <option value="100">100</option>
+</select></span>
+</body>
+<footer>&copy; <a href="https://hakurei.app/">Hakurei</a>. Licensed under the MIT license.</footer>
+</html>

cmd/pkgserver/ui/static/dark.css

@@ -0,0 +1,6 @@
+@use 'common';
+html {
+  background-color: #2c2c2c;
+  color: ghostwhite; }
+
+/*# sourceMappingURL=dark.css.map */

cmd/pkgserver/ui/static/dark.css.map

@@ -0,0 +1,7 @@
+{
+"version": 3,
+"mappings": "AAAA,aAAa;AAEb,IAAK;EACH,gBAAgB,EAAE,OAAO;EACzB,KAAK,EAAE,UAAU",
+"sources": ["dark.scss"],
+"names": [],
+"file": "dark.css"
+}

cmd/pkgserver/ui/static/dark.scss

@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #2c2c2c;
+  color: ghostwhite;
+}

cmd/pkgserver/ui/static/index.js

@@ -0,0 +1,67 @@
+"use strict";
+var PackageEntry = /** @class */ (function () {
+    function PackageEntry() {
+    }
+    return PackageEntry;
+}());
+var State = /** @class */ (function () {
+    function State() {
+        this.entriesPerPage = 10;
+        this.currentPage = 1;
+        this.entryIndex = 0;
+        this.loadedEntries = [];
+    }
+    State.prototype.getEntriesPerPage = function () {
+        return this.entriesPerPage;
+    };
+    State.prototype.setEntriesPerPage = function (entriesPerPage) {
+        this.entriesPerPage = entriesPerPage;
+        this.updateRange();
+    };
+    State.prototype.getCurrentPage = function () {
+        return this.currentPage;
+    };
+    State.prototype.setCurrentPage = function (page) {
+        this.currentPage = page;
+        document.getElementById("page-number").innerText = String(this.currentPage);
+        this.updateRange();
+    };
+    State.prototype.getEntryIndex = function () {
+        return this.entryIndex;
+    };
+    State.prototype.setEntryIndex = function (entryIndex) {
+        this.entryIndex = entryIndex;
+        this.updateRange();
+    };
+    State.prototype.getLoadedEntries = function () {
+        return this.loadedEntries;
+    };
+    State.prototype.getMaxPage = function () {
+        return this.loadedEntries.length / this.entriesPerPage;
+    };
+    State.prototype.updateRange = function () {
+        var max = Math.min(this.entryIndex + this.entriesPerPage, this.loadedEntries.length);
+        document.getElementById("entry-counter").innerText = "".concat(this.entryIndex, "-").concat(max, " of ").concat(this.loadedEntries.length);
+    };
+    return State;
+}());
+var STATE;
+function prevPage() {
+    var current = STATE.getCurrentPage();
+    if (current > 1) {
+        STATE.setCurrentPage(STATE.getCurrentPage() - 1);
+    }
+}
+function nextPage() {
+    var current = STATE.getCurrentPage();
+    if (current < STATE.getMaxPage()) {
+        STATE.setCurrentPage(STATE.getCurrentPage() + 1);
+    }
+}
+document.addEventListener("DOMContentLoaded", function () {
+    STATE = new State();
+    STATE.updateRange();
+    document.getElementById("count").addEventListener("change", function (event) {
+        STATE.setEntriesPerPage(parseInt(event.target.value));
+    });
+});

cmd/pkgserver/ui/static/index.ts

@@ -0,0 +1,66 @@
+"use strict"
+
+class PackageEntry {
+
+}
+class State {
+    entriesPerPage: number = 10
+    currentPage: number = 1
+    entryIndex: number = 0
+    loadedEntries: PackageEntry[] = []
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.updateRange()
+    }
+    getCurrentPage(): number {
+        return this.currentPage
+    }
+    setCurrentPage(page: number) {
+        this.currentPage = page
+        document.getElementById("page-number").innerText = String(this.currentPage)
+        this.updateRange()
+    }
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updateRange()
+    }
+    getLoadedEntries(): PackageEntry[] {
+        return this.loadedEntries
+    }
+    getMaxPage(): number {
+        return this.loadedEntries.length / this.entriesPerPage
+    }
+    updateRange() {
+        let max = Math.min(this.entryIndex + this.entriesPerPage, this.loadedEntries.length)
+        document.getElementById("entry-counter").innerText = `${this.entryIndex}-${max} of ${this.loadedEntries.length}`
+    }
+}
+
+let STATE: State
+
+function prevPage() {
+    let current = STATE.getCurrentPage()
+    if (current > 1) {
+        STATE.setCurrentPage(STATE.getCurrentPage() - 1)
+    }
+}
+function nextPage() {
+    let current = STATE.getCurrentPage()
+    if (current < STATE.getMaxPage()) {
+        STATE.setCurrentPage(STATE.getCurrentPage() + 1)
+    }
+}
+
+document.addEventListener("DOMContentLoaded", () => {
+    STATE = new State()
+    STATE.updateRange()
+    document.getElementById("count").addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+})

cmd/pkgserver/ui/static/light.css

@@ -0,0 +1,6 @@
+@use 'common';
+html {
+  background-color: #d3d3d3;
+  color: black; }
+
+/*# sourceMappingURL=light.css.map */

cmd/pkgserver/ui/static/light.css.map

@@ -0,0 +1,7 @@
+{
+"version": 3,
+"mappings": "AAAA,aAAa;AAEb,IAAK;EACH,gBAAgB,EAAE,OAAO;EACzB,KAAK,EAAE,KAAK",
+"sources": ["light.scss"],
+"names": [],
+"file": "light.css"
+}

cmd/pkgserver/ui/static/light.scss

@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #d3d3d3;
+  color: black;
+}

cmd/sharefs/fuse-operations.c

@@ -0,0 +1,282 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE /* O_DIRECT */
+#endif
+
+#include <dirent.h>
+#include <errno.h>
+#include <unistd.h>
+
+/* TODO(ophestra): remove after 05ce67fea99ca09cd4b6625cff7aec9cc222dd5a reaches a release */
+#include <sys/syscall.h>
+
+#include "fuse-operations.h"
+
+/* MUST_TRANSLATE_PATHNAME translates a userspace pathname to a relative pathname;
+ * the resulting address points to a constant string or part of pathname, it is never heap allocated. */
+#define MUST_TRANSLATE_PATHNAME(pathname) \
+    do {                                  \
+        if (pathname == NULL)             \
+            return -EINVAL;               \
+        while (*pathname == '/')          \
+            pathname++;                   \
+        if (*pathname == '\0')            \
+            pathname = ".";               \
+    } while (0)
+
+/* GET_CONTEXT_PRIV obtains fuse context and private data for the calling thread. */
+#define GET_CONTEXT_PRIV(ctx, priv) \
+    do {                            \
+        ctx = fuse_get_context();   \
+        priv = ctx->private_data;   \
+    } while (0)
+
+/* impl_getattr modifies a struct stat from the kernel to present to userspace;
+ * impl_getattr returns a negative errno style error code. */
+static int impl_getattr(struct fuse_context *ctx, struct stat *statbuf) {
+    /* allowlist of permitted types */
+    if (!S_ISDIR(statbuf->st_mode) && !S_ISREG(statbuf->st_mode) && !S_ISLNK(statbuf->st_mode)) {
+        return -ENOTRECOVERABLE; /* returning an errno causes all operations on the file to return EIO */
+    }
+
+#define OVERRIDE_PERM(v) (statbuf->st_mode & ~0777) | (v & 0777)
+    if (S_ISDIR(statbuf->st_mode))
+        statbuf->st_mode = OVERRIDE_PERM(SHAREFS_PERM_DIR);
+    else if (S_ISREG(statbuf->st_mode))
+        statbuf->st_mode = OVERRIDE_PERM(SHAREFS_PERM_REG);
+    else
+        statbuf->st_mode = 0; /* should always be symlink in this case */
+
+    statbuf->st_uid = ctx->uid;
+    statbuf->st_gid = SHAREFS_MEDIA_RW_ID;
+    statbuf->st_ctim = statbuf->st_mtim;
+    statbuf->st_nlink = 1;
+    return 0;
+}
+
+/* fuse_operations implementation */
+
+int sharefs_getattr(const char *pathname, struct stat *statbuf, struct fuse_file_info *fi) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if (fstatat(priv->dirfd, pathname, statbuf, AT_SYMLINK_NOFOLLOW) == -1)
+        return -errno;
+    return impl_getattr(ctx, statbuf);
+}
+
+int sharefs_readdir(const char *pathname, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi, enum fuse_readdir_flags flags) {
+    int fd;
+    DIR *dp;
+    struct stat st;
+    int ret = 0;
+    struct dirent *de;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)offset;
+    (void)fi;
+
+    if ((fd = openat(priv->dirfd, pathname, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((dp = fdopendir(fd)) == NULL) {
+        close(fd);
+        return -errno;
+    }
+
+    errno = 0; /* for the next readdir call */
+    while ((de = readdir(dp)) != NULL) {
+        if (flags & FUSE_READDIR_PLUS) {
+            if (fstatat(dirfd(dp), de->d_name, &st, AT_SYMLINK_NOFOLLOW) == -1) {
+                ret = -errno;
+                break;
+            }
+
+            if ((ret = impl_getattr(ctx, &st)) < 0)
+                break;
+
+            errno = 0;
+            ret = filler(buf, de->d_name, &st, 0, FUSE_FILL_DIR_PLUS);
+        } else
+            ret = filler(buf, de->d_name, NULL, 0, 0);
+
+        if (ret != 0) {
+            ret = errno != 0 ? -errno : -EIO; /* filler */
+            break;
+        }
+
+        errno = 0; /* for the next readdir call */
+    }
+    if (ret == 0 && errno != 0)
+        ret = -errno; /* readdir */
+
+    closedir(dp);
+    return ret;
+}
+
+int sharefs_mkdir(const char *pathname, mode_t mode) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)mode;
+
+    if (mkdirat(priv->dirfd, pathname, SHAREFS_PERM_DIR) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_unlink(const char *pathname) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if (unlinkat(priv->dirfd, pathname, 0) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_rmdir(const char *pathname) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if (unlinkat(priv->dirfd, pathname, AT_REMOVEDIR) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_rename(const char *oldpath, const char *newpath, unsigned int flags) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(oldpath);
+    MUST_TRANSLATE_PATHNAME(newpath);
+
+    /* TODO(ophestra): replace with wrapper after 05ce67fea99ca09cd4b6625cff7aec9cc222dd5a reaches a release */
+    if (syscall(__NR_renameat2, priv->dirfd, oldpath, priv->dirfd, newpath, flags) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_truncate(const char *pathname, off_t length, struct fuse_file_info *fi) {
+    int fd;
+    int ret;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if ((fd = openat(priv->dirfd, pathname, O_WRONLY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((ret = ftruncate(fd, length)) == -1)
+        ret = -errno;
+    close(fd);
+    return ret;
+}
+
+int sharefs_utimens(const char *pathname, const struct timespec times[2], struct fuse_file_info *fi) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if (utimensat(priv->dirfd, pathname, times, AT_SYMLINK_NOFOLLOW) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_create(const char *pathname, mode_t mode, struct fuse_file_info *fi) {
+    int fd;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)mode;
+
+    if ((fd = openat(priv->dirfd, pathname, fi->flags & ~SHAREFS_FORBIDDEN_FLAGS, SHAREFS_PERM_REG)) == -1)
+        return -errno;
+    fi->fh = fd;
+    return 0;
+}
+
+int sharefs_open(const char *pathname, struct fuse_file_info *fi) {
+    int fd;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if ((fd = openat(priv->dirfd, pathname, fi->flags & ~SHAREFS_FORBIDDEN_FLAGS)) == -1)
+        return -errno;
+    fi->fh = fd;
+    return 0;
+}
+
+int sharefs_read(const char *pathname, char *buf, size_t count, off_t offset, struct fuse_file_info *fi) {
+    int ret;
+
+    (void)pathname;
+
+    if ((ret = pread(fi->fh, buf, count, offset)) == -1)
+        return -errno;
+    return ret;
+}
+
+int sharefs_write(const char *pathname, const char *buf, size_t count, off_t offset, struct fuse_file_info *fi) {
+    int ret;
+
+    (void)pathname;
+
+    if ((ret = pwrite(fi->fh, buf, count, offset)) == -1)
+        return -errno;
+    return ret;
+}
+
+int sharefs_statfs(const char *pathname, struct statvfs *statbuf) {
+    int fd;
+    int ret;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if ((fd = openat(priv->dirfd, pathname, O_RDONLY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((ret = fstatvfs(fd, statbuf)) == -1)
+        ret = -errno;
+    close(fd);
+    return ret;
+}
+
+int sharefs_release(const char *pathname, struct fuse_file_info *fi) {
+    (void)pathname;
+
+    return close(fi->fh);
+}
+
+int sharefs_fsync(const char *pathname, int datasync, struct fuse_file_info *fi) {
+    (void)pathname;
+
+    if (datasync ? fdatasync(fi->fh) : fsync(fi->fh) == -1)
+        return -errno;
+    return 0;
+}

cmd/sharefs/fuse-operations.h

@@ -0,0 +1,34 @@
+#define FUSE_USE_VERSION FUSE_MAKE_VERSION(3, 12)
+#include <fuse.h>
+#include <fuse_lowlevel.h> /* for fuse_cmdline_help */
+
+#if (FUSE_VERSION < FUSE_MAKE_VERSION(3, 12))
+#error This package requires libfuse >= v3.12
+#endif
+
+#define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
+#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
+
+/* sharefs_private is populated by sharefs_init and contains process-wide context */
+struct sharefs_private {
+    int dirfd;       /* source dirfd opened during sharefs_init */
+    uintptr_t setup; /* cgo handle of opaque setup state */
+};
+
+int sharefs_getattr(const char *pathname, struct stat *statbuf, struct fuse_file_info *fi);
+int sharefs_readdir(const char *pathname, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi, enum fuse_readdir_flags flags);
+int sharefs_mkdir(const char *pathname, mode_t mode);
+int sharefs_unlink(const char *pathname);
+int sharefs_rmdir(const char *pathname);
+int sharefs_rename(const char *oldpath, const char *newpath, unsigned int flags);
+int sharefs_truncate(const char *pathname, off_t length, struct fuse_file_info *fi);
+int sharefs_utimens(const char *pathname, const struct timespec times[2], struct fuse_file_info *fi);
+int sharefs_create(const char *pathname, mode_t mode, struct fuse_file_info *fi);
+int sharefs_open(const char *pathname, struct fuse_file_info *fi);
+int sharefs_read(const char *pathname, char *buf, size_t count, off_t offset, struct fuse_file_info *fi);
+int sharefs_write(const char *pathname, const char *buf, size_t count, off_t offset, struct fuse_file_info *fi);
+int sharefs_statfs(const char *pathname, struct statvfs *statbuf);
+int sharefs_release(const char *pathname, struct fuse_file_info *fi);
+int sharefs_fsync(const char *pathname, int datasync, struct fuse_file_info *fi);

cmd/sharefs/fuse.go

@@ -0,0 +1,552 @@
+package main
+
+/*
+#cgo pkg-config: --static fuse3
+
+#include "fuse-operations.h"
+#include <stdlib.h>
+#include <string.h>
+
+extern void *sharefs_init(struct fuse_conn_info *conn, struct fuse_config *cfg);
+extern void sharefs_destroy(void *private_data);
+
+typedef void (*closure)();
+static inline struct fuse_opt _FUSE_OPT_END() { return (struct fuse_opt)FUSE_OPT_END; };
+*/
+import "C"
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path"
+	"runtime"
+	"runtime/cgo"
+	"strconv"
+	"syscall"
+	"unsafe"
+
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/std"
+	"hakurei.app/hst"
+	"hakurei.app/internal/helper/proc"
+	"hakurei.app/internal/info"
+	"hakurei.app/message"
+)
+
+type (
+	// closure represents a C function pointer.
+	closure = C.closure
+
+	// fuseArgs represents the fuse_args structure.
+	fuseArgs = C.struct_fuse_args
+
+	// setupState holds state used for setup. Its cgo handle is included in
+	// sharefs_private and considered opaque to non-setup callbacks.
+	setupState struct {
+		// Whether sharefs_init failed.
+		initFailed bool
+
+		// Whether to create source directory as root.
+		mkdir bool
+
+		// Open file descriptor to fuse.
+		Fuse int
+
+		// Pathname to open for dirfd.
+		Source *check.Absolute
+		// New uid and gid to set by sharefs_init when starting as root.
+		Setuid, Setgid int
+	}
+)
+
+func init() { gob.Register(new(setupState)) }
+
+// destroySetup invalidates the setup [cgo.Handle] in a sharefs_private structure.
+func destroySetup(private_data unsafe.Pointer) (ok bool) {
+	if private_data == nil {
+		return false
+	}
+	priv := (*C.struct_sharefs_private)(private_data)
+
+	if h := cgo.Handle(priv.setup); h != 0 {
+		priv.setup = 0
+		h.Delete()
+		ok = true
+	}
+	return
+}
+
+//export sharefs_init
+func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.Pointer {
+	ctx := C.fuse_get_context()
+	priv := (*C.struct_sharefs_private)(ctx.private_data)
+	setup := cgo.Handle(priv.setup).Value().(*setupState)
+
+	if os.Geteuid() == 0 {
+		log.Println("filesystem daemon must not run as root")
+		goto fail
+	}
+
+	cfg.use_ino = C.true
+	cfg.direct_io = C.false
+	// getattr is context-dependent
+	cfg.attr_timeout = 0
+	cfg.entry_timeout = 0
+	cfg.negative_timeout = 0
+
+	// all future filesystem operations happen through this dirfd
+	if fd, err := syscall.Open(setup.Source.String(), syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC, 0); err != nil {
+		log.Printf("cannot open %q: %v", setup.Source, err)
+		goto fail
+	} else if err = syscall.Fchdir(fd); err != nil {
+		_ = syscall.Close(fd)
+		log.Printf("cannot enter %q: %s", setup.Source, err)
+		goto fail
+	} else {
+		priv.dirfd = C.int(fd)
+	}
+
+	return ctx.private_data
+
+fail:
+	setup.initFailed = true
+	C.fuse_exit(ctx.fuse)
+	return nil
+}
+
+//export sharefs_destroy
+func sharefs_destroy(private_data unsafe.Pointer) {
+	if private_data != nil {
+		destroySetup(private_data)
+		priv := (*C.struct_sharefs_private)(private_data)
+
+		if err := syscall.Close(int(priv.dirfd)); err != nil {
+			log.Printf("cannot close source directory: %v", err)
+		}
+	}
+}
+
+// showHelp prints the help message.
+func showHelp(args *fuseArgs) {
+	executableName := sharefsName
+	if args.argc > 0 {
+		executableName = path.Base(C.GoString(*args.argv))
+	} else if name, err := os.Executable(); err == nil {
+		executableName = path.Base(name)
+	}
+
+	fmt.Printf("usage: %s [options] <mountpoint>\n\n", executableName)
+
+	fmt.Println("Filesystem options:")
+	fmt.Println("    -o source=/data/media  source directory to be mounted")
+	fmt.Println("    -o setuid=1023         uid to run as when starting as root")
+	fmt.Println("    -o setgid=1023         gid to run as when starting as root")
+
+	fmt.Println("\nFUSE options:")
+	C.fuse_cmdline_help()
+	C.fuse_lib_help(args)
+}
+
+// parseOpts parses fuse options via fuse_opt_parse.
+func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
+	var unsafeOpts struct {
+		// Pathname to writable source directory.
+		source *C.char
+
+		// Whether to create source directory as root.
+		mkdir C.int
+
+		// Decimal string representation of uid to set when running as root.
+		setuid *C.char
+		// Decimal string representation of gid to set when running as root.
+		setgid *C.char
+
+		// Decimal string representation of open file descriptor to read setupState from.
+		// This is an internal detail for containerisation and must not be specified directly.
+		setup *C.char
+	}
+
+	if C.fuse_opt_parse(args, unsafe.Pointer(&unsafeOpts), &[]C.struct_fuse_opt{
+		{templ: C.CString("source=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.source)), value: 0},
+		{templ: C.CString("mkdir"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.mkdir)), value: 1},
+		{templ: C.CString("setuid=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setuid)), value: 0},
+		{templ: C.CString("setgid=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setgid)), value: 0},
+
+		{templ: C.CString("setup=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setup)), value: 0},
+
+		C._FUSE_OPT_END(),
+	}[0], nil) == -1 {
+		return false
+	}
+
+	if unsafeOpts.source != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.source))
+	}
+	if unsafeOpts.setuid != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setuid))
+	}
+	if unsafeOpts.setgid != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setgid))
+	}
+
+	if unsafeOpts.setup != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setup))
+
+		if v, err := strconv.Atoi(C.GoString(unsafeOpts.setup)); err != nil || v < 3 {
+			log.Println("invalid value for option setup")
+			return false
+		} else {
+			r := os.NewFile(uintptr(v), "setup")
+			defer func() {
+				if err = r.Close(); err != nil {
+					log.Println(err)
+				}
+			}()
+			if err = gob.NewDecoder(r).Decode(setup); err != nil {
+				log.Println(err)
+				return false
+			}
+		}
+		if setup.Fuse < 3 {
+			log.Println("invalid file descriptor", setup.Fuse)
+			return false
+		}
+		return true
+	}
+
+	if unsafeOpts.source == nil {
+		showHelp(args)
+		return false
+	} else if a, err := check.NewAbs(C.GoString(unsafeOpts.source)); err != nil {
+		log.Println(err)
+		return false
+	} else {
+		setup.Source = a
+	}
+	setup.mkdir = unsafeOpts.mkdir != 0
+
+	if unsafeOpts.setuid == nil {
+		setup.Setuid = -1
+	} else if v, err := strconv.Atoi(C.GoString(unsafeOpts.setuid)); err != nil || v <= 0 {
+		log.Println("invalid value for option setuid")
+		return false
+	} else {
+		setup.Setuid = v
+	}
+	if unsafeOpts.setgid == nil {
+		setup.Setgid = -1
+	} else if v, err := strconv.Atoi(C.GoString(unsafeOpts.setgid)); err != nil || v <= 0 {
+		log.Println("invalid value for option setgid")
+		return false
+	} else {
+		setup.Setgid = v
+	}
+
+	return true
+}
+
+// copyArgs returns a heap allocated copy of an argument slice in fuse_args representation.
+func copyArgs(s ...string) fuseArgs {
+	if len(s) == 0 {
+		return fuseArgs{argc: 0, argv: nil, allocated: 0}
+	}
+	args := unsafe.Slice((**C.char)(C.malloc(C.size_t(uintptr(len(s))*unsafe.Sizeof(s[0])))), len(s))
+	for i, arg := range s {
+		args[i] = C.CString(arg)
+	}
+	return fuseArgs{argc: C.int(len(s)), argv: &args[0], allocated: 1}
+}
+
+// freeArgs frees the contents of argument list.
+func freeArgs(args *fuseArgs) { C.fuse_opt_free_args(args) }
+
+// unsafeAddArgument adds an argument to fuseArgs via fuse_opt_add_arg.
+// The last byte of arg must be 0.
+func unsafeAddArgument(args *fuseArgs, arg string) {
+	C.fuse_opt_add_arg(args, (*C.char)(unsafe.Pointer(unsafe.StringData(arg))))
+}
+
+func _main(s ...string) (exitCode int) {
+	msg := message.New(log.Default())
+	container.TryArgv0(msg)
+	runtime.LockOSThread()
+
+	// don't mask creation mode, kernel already did that
+	syscall.Umask(0)
+
+	var pinner runtime.Pinner
+	defer pinner.Unpin()
+
+	args := copyArgs(s...)
+	defer freeArgs(&args)
+
+	// this causes the kernel to enforce access control based on
+	// struct stat populated by sharefs_getattr
+	unsafeAddArgument(&args, "-odefault_permissions\x00")
+
+	var priv C.struct_sharefs_private
+	pinner.Pin(&priv)
+	var setup setupState
+	priv.setup = C.uintptr_t(cgo.NewHandle(&setup))
+	defer destroySetup(unsafe.Pointer(&priv))
+
+	var opts C.struct_fuse_cmdline_opts
+	if C.fuse_parse_cmdline(&args, &opts) != 0 {
+		return 1
+	}
+	if opts.mountpoint != nil {
+		defer C.free(unsafe.Pointer(opts.mountpoint))
+	}
+
+	if opts.show_version != 0 {
+		fmt.Println("hakurei version", info.Version())
+		fmt.Println("FUSE library version", C.GoString(C.fuse_pkgversion()))
+		C.fuse_lowlevel_version()
+		return 0
+	}
+
+	if opts.show_help != 0 {
+		showHelp(&args)
+		return 0
+	} else if opts.mountpoint == nil {
+		log.Println("no mountpoint specified")
+		return 2
+	} else {
+		// hack to keep fuse_parse_cmdline happy in the container
+		mountpoint := C.GoString(opts.mountpoint)
+		pathnameArg := -1
+		for i, arg := range s {
+			if arg == mountpoint {
+				pathnameArg = i
+				break
+			}
+		}
+		if pathnameArg < 0 {
+			log.Println("mountpoint must be absolute")
+			return 2
+		}
+		s[pathnameArg] = container.Nonexistent
+	}
+
+	if !parseOpts(&args, &setup, msg.GetLogger()) {
+		return 1
+	}
+	asRoot := os.Geteuid() == 0
+
+	if asRoot {
+		if setup.Setuid <= 0 || setup.Setgid <= 0 {
+			log.Println("setuid and setgid must not be 0")
+			return 1
+		}
+
+		if setup.Fuse >= 3 {
+			log.Println("filesystem daemon must not run as root")
+			return 1
+		}
+
+		if setup.mkdir {
+			if err := os.MkdirAll(setup.Source.String(), 0700); err != nil {
+				if !errors.Is(err, os.ErrExist) {
+					log.Println(err)
+					return 1
+				}
+				// skip setup for existing source directory
+			} else if err = os.Chown(setup.Source.String(), setup.Setuid, setup.Setgid); err != nil {
+				log.Println(err)
+				return 1
+			}
+		}
+	} else if setup.Fuse < 3 && (setup.Setuid > 0 || setup.Setgid > 0) {
+		log.Println("setuid and setgid has no effect when not starting as root")
+		return 1
+	} else if setup.mkdir {
+		log.Println("mkdir has no effect when not starting as root")
+		return 1
+	}
+
+	op := C.struct_fuse_operations{
+		init:    closure(C.sharefs_init),
+		destroy: closure(C.sharefs_destroy),
+
+		// implemented in fuse-helper.c
+		getattr:  closure(C.sharefs_getattr),
+		readdir:  closure(C.sharefs_readdir),
+		mkdir:    closure(C.sharefs_mkdir),
+		unlink:   closure(C.sharefs_unlink),
+		rmdir:    closure(C.sharefs_rmdir),
+		rename:   closure(C.sharefs_rename),
+		truncate: closure(C.sharefs_truncate),
+		utimens:  closure(C.sharefs_utimens),
+		create:   closure(C.sharefs_create),
+		open:     closure(C.sharefs_open),
+		read:     closure(C.sharefs_read),
+		write:    closure(C.sharefs_write),
+		statfs:   closure(C.sharefs_statfs),
+		release:  closure(C.sharefs_release),
+		fsync:    closure(C.sharefs_fsync),
+	}
+
+	fuse := C.fuse_new_fn(&args, &op, C.size_t(unsafe.Sizeof(op)), unsafe.Pointer(&priv))
+	if fuse == nil {
+		return 3
+	}
+	defer C.fuse_destroy(fuse)
+	se := C.fuse_get_session(fuse)
+
+	if setup.Fuse < 3 {
+		// unconfined, set up mount point and container
+		if C.fuse_mount(fuse, opts.mountpoint) != 0 {
+			return 4
+		}
+		// unmounted by initial process
+		defer func() {
+			if exitCode == 5 {
+				C.fuse_unmount(fuse)
+			}
+		}()
+
+		if asRoot {
+			if err := syscall.Setresgid(setup.Setgid, setup.Setgid, setup.Setgid); err != nil {
+				log.Printf("cannot set gid: %v", err)
+				return 5
+			}
+			if err := syscall.Setgroups(nil); err != nil {
+				log.Printf("cannot set supplementary groups: %v", err)
+				return 5
+			}
+			if err := syscall.Setresuid(setup.Setuid, setup.Setuid, setup.Setuid); err != nil {
+				log.Printf("cannot set uid: %v", err)
+				return 5
+			}
+		}
+
+		msg.SwapVerbose(opts.debug != 0)
+		ctx := context.Background()
+		if opts.foreground != 0 {
+			c, cancel := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
+			defer cancel()
+			ctx = c
+		}
+		z := container.New(ctx, msg)
+		z.AllowOrphan = opts.foreground == 0
+		z.Env = os.Environ()
+
+		// keep fuse_parse_cmdline happy in the container
+		z.Tmpfs(check.MustAbs(container.Nonexistent), 1<<10, 0755)
+
+		z.Path = fhs.AbsProcSelfExe
+		z.Args = s
+		z.ForwardCancel = true
+		z.SeccompPresets |= std.PresetStrict
+		z.ParentPerm = 0700
+		z.Bind(setup.Source, setup.Source, std.BindWritable)
+		if !z.AllowOrphan {
+			z.WaitDelay = hst.WaitDelayMax
+			z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+		}
+		z.Bind(z.Path, z.Path, 0)
+		setup.Fuse = int(proc.ExtraFileSlice(&z.ExtraFiles, os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse")))
+
+		var setupWriter io.WriteCloser
+		if fd, w, err := container.Setup(&z.ExtraFiles); err != nil {
+			log.Println(err)
+			return 5
+		} else {
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(fd))
+			setupWriter = w
+		}
+
+		if err := z.Start(); err != nil {
+			if m, ok := message.GetMessage(err); ok {
+				log.Println(m)
+			} else {
+				log.Println(err)
+			}
+			return 5
+		}
+		if err := z.Serve(); err != nil {
+			if m, ok := message.GetMessage(err); ok {
+				log.Println(m)
+			} else {
+				log.Println(err)
+			}
+			return 5
+		}
+
+		if err := gob.NewEncoder(setupWriter).Encode(&setup); err != nil {
+			log.Println(err)
+			return 5
+		} else if err = setupWriter.Close(); err != nil {
+			log.Println(err)
+		}
+
+		if !z.AllowOrphan {
+			if err := z.Wait(); err != nil {
+				var exitError *exec.ExitError
+				if !errors.As(err, &exitError) || exitError == nil {
+					log.Println(err)
+					return 5
+				}
+				switch code := exitError.ExitCode(); syscall.Signal(code & 0x7f) {
+				case syscall.SIGINT:
+				case syscall.SIGTERM:
+
+				default:
+					return code
+				}
+			}
+		}
+		return 0
+	} else { // confined
+		C.free(unsafe.Pointer(opts.mountpoint))
+		// must be heap allocated
+		opts.mountpoint = C.CString("/dev/fd/" + strconv.Itoa(setup.Fuse))
+
+		if err := os.Chdir("/"); err != nil {
+			log.Println(err)
+		}
+	}
+
+	if C.fuse_mount(fuse, opts.mountpoint) != 0 {
+		return 4
+	}
+	defer C.fuse_unmount(fuse)
+
+	if C.fuse_set_signal_handlers(se) != 0 {
+		return 6
+	}
+	defer C.fuse_remove_signal_handlers(se)
+
+	if opts.singlethread != 0 {
+		if C.fuse_loop(fuse) != 0 {
+			return 8
+		}
+	} else {
+		loopConfig := C.fuse_loop_cfg_create()
+		if loopConfig == nil {
+			return 7
+		}
+		defer C.fuse_loop_cfg_destroy(loopConfig)
+
+		C.fuse_loop_cfg_set_clone_fd(loopConfig, C.uint(opts.clone_fd))
+
+		C.fuse_loop_cfg_set_idle_threads(loopConfig, opts.max_idle_threads)
+		C.fuse_loop_cfg_set_max_threads(loopConfig, opts.max_threads)
+		if C.fuse_loop_mt(fuse, loopConfig) != 0 {
+			return 8
+		}
+	}
+
+	if setup.initFailed {
+		return 1
+	}
+	return 0
+}

cmd/sharefs/fuse_test.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"bytes"
+	"log"
+	"reflect"
+	"testing"
+
+	"hakurei.app/container/check"
+)
+
+func TestParseOpts(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		args    []string
+		want    setupState
+		wantLog string
+		wantOk  bool
+	}{
+		{"zero length", []string{}, setupState{}, "", false},
+
+		{"not absolute", []string{"sharefs",
+			"-o", "source=nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{}, "sharefs: path \"nonexistent\" is not absolute\n", false},
+
+		{"not specified", []string{"sharefs",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{}, "", false},
+
+		{"invalid setuid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=ff",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+		}, "sharefs: invalid value for option setuid\n", false},
+
+		{"invalid setgid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=ff",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+		}, "sharefs: invalid value for option setgid\n", false},
+
+		{"simple", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: -1,
+			Setgid: -1,
+		}, "", true},
+
+		{"root", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+			Setgid: 1023,
+		}, "", true},
+
+		{"setuid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+			Setgid: -1,
+		}, "", true},
+
+		{"setgid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: -1,
+			Setgid: 1023,
+		}, "", true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				got setupState
+				buf bytes.Buffer
+			)
+			args := copyArgs(tc.args...)
+			defer freeArgs(&args)
+			unsafeAddArgument(&args, "-odefault_permissions\x00")
+
+			if ok := parseOpts(&args, &got, log.New(&buf, "sharefs: ", 0)); ok != tc.wantOk {
+				t.Errorf("parseOpts: ok = %v, want %v", ok, tc.wantOk)
+			}
+
+			if !reflect.DeepEqual(&got, &tc.want) {
+				t.Errorf("parseOpts: setup = %#v, want %#v", got, tc.want)
+			}
+
+			if buf.String() != tc.wantLog {
+				t.Errorf("parseOpts: log =\n%s\nwant\n%s", buf.String(), tc.wantLog)
+			}
+		})
+	}
+}

cmd/sharefs/main.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"log"
+	"os"
+	"slices"
+)
+
+// sharefsName is the prefix used by log.std in the sharefs process.
+const sharefsName = "sharefs"
+
+// handleMountArgs returns an alternative, libfuse-compatible args slice for
+// args passed by mount -t fuse.sharefs [options] sharefs <mountpoint>.
+//
+// In this case, args always has a length of 5 with index 0 being what comes
+// after "fuse." in the filesystem type, 1 is the uninterpreted string passed
+// to mount (sharefsName is used as the magic string to enable this hack),
+// 2 is passed through to libfuse as mountpoint, and 3 is always "-o".
+func handleMountArgs(args []string) []string {
+	if len(args) == 5 && args[1] == sharefsName && args[3] == "-o" {
+		return []string{sharefsName, args[2], "-o", args[4]}
+	}
+	return slices.Clone(args)
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix(sharefsName + ": ")
+
+	os.Exit(_main(handleMountArgs(os.Args)...))
+}

cmd/sharefs/main_test.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"slices"
+	"testing"
+)
+
+func TestHandleMountArgs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		args []string
+		want []string
+	}{
+		{"nil", nil, nil},
+		{"passthrough", []string{"sharefs", "-V"}, []string{"sharefs", "-V"}},
+		{"replace", []string{"/sbin/sharefs", "sharefs", "/sdcard", "-o", "rw"}, []string{"sharefs", "/sdcard", "-o", "rw"}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := handleMountArgs(tc.args); !slices.Equal(got, tc.want) {
+				t.Errorf("handleMountArgs: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}

cmd/sharefs/test/configuration.nix

@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+{
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  # Automatically login on tty1 as a normal user:
+  services.getty.autologinUser = "alice";
+
+  environment = {
+    # For benchmarking sharefs:
+    systemPackages = [ pkgs.fsmark ];
+  };
+
+  virtualisation = {
+    diskSize = 6 * 1024;
+
+    qemu.options = [
+      # Increase test performance:
+      "-smp 8"
+    ];
+  };
+
+  environment.hakurei = rec {
+    enable = true;
+    stateDir = "/var/lib/hakurei";
+    sharefs.source = "${stateDir}/sdcard";
+    users.alice = 0;
+
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
+  };
+}

cmd/sharefs/test/default.nix

@@ -0,0 +1,44 @@
+{
+  testers,
+
+  system,
+  self,
+}:
+testers.nixosTest {
+  name = "sharefs";
+  nodes.machine =
+    { options, pkgs, ... }:
+    let
+      fhs =
+        let
+          hakurei = options.environment.hakurei.package.default;
+        in
+        pkgs.buildFHSEnv {
+          pname = "hakurei-fhs";
+          inherit (hakurei) version;
+          targetPkgs = _: hakurei.targetPkgs;
+          extraOutputsToInstall = [ "dev" ];
+          profile = ''
+            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+          '';
+        };
+    in
+    {
+      environment.systemPackages = [
+        # For go tests:
+        (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
+          cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
+          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
+        '')
+      ];
+
+      imports = [
+        ./configuration.nix
+
+        self.nixosModules.hakurei
+        self.inputs.home-manager.nixosModules.home-manager
+      ];
+    };
+
+  testScript = builtins.readFile ./test.py;
+}

cmd/sharefs/test/test.py

@@ -0,0 +1,60 @@
+start_all()
+machine.wait_for_unit("multi-user.target")
+
+# To check sharefs version:
+print(machine.succeed("sharefs -V"))
+
+# Make sure sharefs started:
+machine.wait_for_unit("sdcard.mount")
+
+machine.succeed("mkdir /mnt")
+def check_bad_opts_output(opts, want, source="/etc", privileged=False):
+    output = machine.fail(("" if privileged else "sudo -u alice -i ") + f"sharefs -f -o source={source},{opts} /mnt 2>&1")
+    if output != want:
+        raise Exception(f"unexpected output: {output}")
+
+# Malformed setuid/setgid representation:
+check_bad_opts_output("setuid=ff", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=ff", "sharefs: invalid value for option setgid\n")
+
+# Bounds check for setuid/setgid:
+check_bad_opts_output("setuid=0", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=0", "sharefs: invalid value for option setgid\n")
+check_bad_opts_output("setuid=-1", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=-1", "sharefs: invalid value for option setgid\n")
+
+# Non-root setuid/setgid:
+check_bad_opts_output("setuid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("setgid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("setuid=1023,setgid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("mkdir", "sharefs: mkdir has no effect when not starting as root\n")
+
+# Starting as root without setuid/setgid:
+check_bad_opts_output("allow_other", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+check_bad_opts_output("setuid=1023", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+check_bad_opts_output("setgid=1023", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+
+# Make sure nothing actually got mounted:
+machine.fail("umount /mnt")
+machine.succeed("rmdir /mnt")
+
+# Unprivileged mount/unmount:
+machine.succeed("sudo -u alice -i mkdir /home/alice/{sdcard,persistent}")
+machine.succeed("sudo -u alice -i sharefs -o source=/home/alice/persistent /home/alice/sdcard")
+machine.succeed("sudo -u alice -i touch /home/alice/sdcard/check")
+machine.succeed("sudo -u alice -i umount /home/alice/sdcard")
+machine.succeed("sudo -u alice -i rm /home/alice/persistent/check")
+machine.succeed("sudo -u alice -i rmdir /home/alice/{sdcard,persistent}")
+
+# Benchmark sharefs:
+machine.succeed("fs_mark -v -d /sdcard/fs_mark -l /tmp/fs_log.txt")
+machine.copy_from_vm("/tmp/fs_log.txt", "")
+
+# Check permissions:
+machine.succeed("sudo -u sharefs touch /var/lib/hakurei/sdcard/fs_mark/.check")
+machine.succeed("sudo -u sharefs rm /var/lib/hakurei/sdcard/fs_mark/.check")
+machine.succeed("sudo -u alice rm -rf /sdcard/fs_mark")
+machine.fail("ls /var/lib/hakurei/sdcard/fs_mark")
+
+# Run hakurei tests on sharefs:
+machine.succeed("sudo -u alice -i sharefs-workload-hakurei-tests")

container/autoetc.go

@@ -10,8 +10,7 @@ import (
 
 func init() { gob.Register(new(AutoEtcOp)) }
 
-// Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
+// Etc is a helper for appending [AutoEtcOp] to [Ops].
-// This is not a generic setup op. It is implemented here to reduce ipc overhead.
 func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	e := &AutoEtcOp{prefix}
 	f.Mkdir(fhs.AbsEtc, 0755)
@@ -20,6 +19,9 @@ func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	return f
 }
 
+// AutoEtcOp expands host /etc into a toplevel symlink mirror with /etc semantics.
+//
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
 type AutoEtcOp struct{ Prefix string }
 
 func (e *AutoEtcOp) Valid() bool                                { return e != nil }

container/autoroot.go

@@ -11,13 +11,15 @@ import (
 
 func init() { gob.Register(new(AutoRootOp)) }
 
-// Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
+// Root is a helper for appending [AutoRootOp] to [Ops].
-// This is not a generic setup op. It is implemented here to reduce ipc overhead.
 func (f *Ops) Root(host *check.Absolute, flags int) *Ops {
 	*f = append(*f, &AutoRootOp{host, flags, nil})
 	return f
 }
 
+// AutoRootOp expands a directory into a toplevel bind mount mirror on container root.
+//
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
 type AutoRootOp struct {
 	Host *check.Absolute
 	// passed through to bindMount

container/autoroot_test.go

@@ -202,7 +202,7 @@ func TestIsAutoRootBindable(t *testing.T) {
 			t.Parallel()
 			var msg message.Msg
 			if tc.log {
-				msg = &kstub{nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
+				msg = &kstub{nil, nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
 					call("verbose", stub.ExpectArgs{[]any{"got unexpected root entry"}}, nil, nil),
 				}})}
 			}

container/capability.go

@@ -14,6 +14,7 @@ const (
 
 	CAP_SYS_ADMIN    = 0x15
 	CAP_SETPCAP      = 0x8
+	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
 )
 
@@ -49,10 +50,16 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 }
 
 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
-func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
+func capBoundingSetDrop(cap uintptr) error {
+	return Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
+}
 
 // capAmbientClearAll clears the ambient capability set of the calling thread.
-func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
+func capAmbientClearAll() error {
+	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
+}
 
 // capAmbientRaise adds to the ambient capability set of the calling thread.
-func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
+func capAmbientRaise(cap uintptr) error {
+	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
+}

container/check/absolute.go

@@ -9,46 +9,60 @@ import (
 	"slices"
 	"strings"
 	"syscall"
+	"unique"
 )
 
 // AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
-type AbsoluteError struct{ Pathname string }
+type AbsoluteError string
 
-func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
+func (e AbsoluteError) Error() string {
-func (e *AbsoluteError) Is(target error) bool {
+	return fmt.Sprintf("path %q is not absolute", string(e))
-	var ce *AbsoluteError
+}
+
+func (e AbsoluteError) Is(target error) bool {
+	var ce AbsoluteError
 	if !errors.As(target, &ce) {
 		return errors.Is(target, syscall.EINVAL)
 	}
-	return *e == *ce
+	return e == ce
 }
 
 // Absolute holds a pathname checked to be absolute.
-type Absolute struct{ pathname string }
+type Absolute struct{ pathname unique.Handle[string] }
+
+// ok returns whether [Absolute] is not the zero value.
+func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
 // unsafeAbs returns [check.Absolute] on any string value.
-func unsafeAbs(pathname string) *Absolute { return &Absolute{pathname} }
+func unsafeAbs(pathname string) *Absolute {
+	return &Absolute{unique.Make(pathname)}
+}
 
+// String returns the checked pathname.
 func (a *Absolute) String() string {
-	if a.pathname == "" {
+	if !a.ok() {
 		panic("attempted use of zero Absolute")
 	}
+	return a.pathname.Value()
+}
+
+// Handle returns the underlying [unique.Handle].
+func (a *Absolute) Handle() unique.Handle[string] {
 	return a.pathname
 }
 
+// Is efficiently compares the underlying pathname.
 func (a *Absolute) Is(v *Absolute) bool {
 	if a == nil && v == nil {
 		return true
 	}
-	return a != nil && v != nil &&
+	return a.ok() && v.ok() && a.pathname == v.pathname
-		a.pathname != "" && v.pathname != "" &&
-		a.pathname == v.pathname
 }
 
 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
 	if !path.IsAbs(pathname) {
-		return nil, &AbsoluteError{pathname}
+		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
 }
@@ -70,35 +84,49 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [path.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
 
-func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+// GobEncode returns the checked pathname.
+func (a *Absolute) GobEncode() ([]byte, error) {
+	return []byte(a.String()), nil
+}
+
+// GobDecode stores data if it represents an absolute pathname.
 func (a *Absolute) GobDecode(data []byte) error {
 	pathname := string(data)
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }
 
-func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+// MarshalJSON returns a JSON representation of the checked pathname.
+func (a *Absolute) MarshalJSON() ([]byte, error) {
+	return json.Marshal(a.String())
+}
+
+// UnmarshalJSON stores data if it represents an absolute pathname.
 func (a *Absolute) UnmarshalJSON(data []byte) error {
 	var pathname string
 	if err := json.Unmarshal(data, &pathname); err != nil {
 		return err
 	}
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
-	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+	slices.SortFunc(x, func(a, b *Absolute) int {
+		return strings.Compare(a.String(), b.String())
+	})
 }
 
 // CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
 func CompactAbs(s []*Absolute) []*Absolute {
-	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool {
+		return a.Is(b)
+	})
 }

container/check/absolute_test.go

@@ -31,8 +31,8 @@ func TestAbsoluteError(t *testing.T) {
 	}{
 		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
 		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
-		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
+		{"ne val", new(AbsoluteError), AbsoluteError("etc"), false},
-		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
+		{"equals", AbsoluteError("etc"), AbsoluteError("etc"), true},
 	}
 
 	for _, tc := range testCases {
@@ -45,7 +45,7 @@ func TestAbsoluteError(t *testing.T) {
 		t.Parallel()
 
 		want := `path "etc" is not absolute`
-		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
+		if got := (AbsoluteError("etc")).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
@@ -62,8 +62,8 @@ func TestNewAbs(t *testing.T) {
 		wantErr  error
 	}{
 		{"good", "/etc", MustAbs("/etc"), nil},
-		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
+		{"not absolute", "etc", nil, AbsoluteError("etc")},
-		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
+		{"zero", "", nil, AbsoluteError("")},
 	}
 
 	for _, tc := range testCases {
@@ -84,7 +84,7 @@ func TestNewAbs(t *testing.T) {
 		t.Parallel()
 
 		defer func() {
-			wantPanic := &AbsoluteError{Pathname: "etc"}
+			wantPanic := AbsoluteError("etc")
 
 			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
@@ -175,7 +175,7 @@ func TestCodecAbsolute(t *testing.T) {
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
-			&AbsoluteError{Pathname: "etc"},
+			AbsoluteError("etc"),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 

container/check/overlay.go

@@ -11,7 +11,8 @@ const (
 	SpecialOverlayPath = ":"
 )
 
-// EscapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
+// EscapeOverlayDataSegment escapes a string for formatting into the data
+// argument of an overlay mount system call.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""

container/container.go

@@ -1,4 +1,5 @@
-// Package container implements unprivileged Linux containers with built-in support for syscall filtering.
+// Package container implements unprivileged Linux containers with built-in
+// support for syscall filtering.
 package container
 
 import (
@@ -35,24 +36,32 @@ type (
 	// Container represents a container environment being prepared or run.
 	// None of [Container] methods are safe for concurrent use.
 	Container struct {
+		// Whether the container init should stay alive after its parent terminates.
+		AllowOrphan bool
+		// Scheduling policy to set via sched_setscheduler(2). The zero value
+		// skips this call. Supported policies are [SCHED_BATCH], [SCHED_IDLE].
+		SchedPolicy int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
-		// ExtraFiles passed through to initial process in the container,
+		// ExtraFiles passed through to initial process in the container, with
-		// with behaviour identical to its [exec.Cmd] counterpart.
+		// behaviour identical to its [exec.Cmd] counterpart.
 		ExtraFiles []*os.File
 
-		// param pipe for shim and init
+		// Write end of a pipe connected to the init to deliver [Params].
 		setup *os.File
-		// cancels cmd
+		// Cancels the context passed to the underlying cmd.
 		cancel context.CancelFunc
-		// closed after Wait returns
+		// Closed after Wait returns. Keeps the spawning thread alive.
 		wait chan struct{}
 
 		Stdin  io.Reader
 		Stdout io.Writer
 		Stderr io.Writer
 
-		Cancel    func(cmd *exec.Cmd) error
+		// Custom cancellation behaviour for the underlying [exec.Cmd]. Must
+		// deliver [CancelSignal] before returning.
+		Cancel func(cmd *exec.Cmd) error
+		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration
 
 		cmd *exec.Cmd
@@ -252,8 +261,7 @@ func (p *Container) Start() error {
 	}
 	p.cmd.Dir = fhs.Root
 	p.cmd.SysProcAttr = &SysProcAttr{
-		Setsid:    !p.RetainSession,
+		Setsid: !p.RetainSession,
-		Pdeathsig: SIGKILL,
 		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
 			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
 
@@ -262,12 +270,17 @@ func (p *Container) Start() error {
 			CAP_SYS_ADMIN,
 			// drop capabilities
 			CAP_SETPCAP,
+			// bring up loopback interface
+			CAP_NET_ADMIN,
 			// overlay access to upperdir and workdir
 			CAP_DAC_OVERRIDE,
 		},
 
 		UseCgroupFD: p.Cgroup != nil,
 	}
+	if !p.AllowOrphan {
+		p.cmd.SysProcAttr.Pdeathsig = SIGKILL
+	}
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}
@@ -277,7 +290,11 @@ func (p *Container) Start() error {
 
 	// place setup pipe before user supplied extra files, this is later restored by init
 	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
-		return &StartError{true, "set up params stream", err, false, false}
+		return &StartError{
+			Fatal: true,
+			Step:  "set up params stream",
+			Err:   err,
+		}
 	} else {
 		p.setup = f
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
@@ -289,10 +306,16 @@ func (p *Container) Start() error {
 		runtime.LockOSThread()
 		p.wait = make(chan struct{})
 
-		done <- func() error { // setup depending on per-thread state must happen here
+		// setup depending on per-thread state must happen here
-			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
+		done <- func() error {
+			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
+			// created from the calling thread
 			if err := SetNoNewPrivs(); err != nil {
-				return &StartError{true, "prctl(PR_SET_NO_NEW_PRIVS)", err, false, false}
+				return &StartError{
+					Fatal: true,
+					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
+					Err:   err,
+				}
 			}
 
 			// landlock: depends on per-thread state but acts on a process group
@@ -304,28 +327,40 @@ func (p *Container) Start() error {
 
 				if abi, err := LandlockGetABI(); err != nil {
 					if p.HostAbstract {
-						// landlock can be skipped here as it restricts access to resources
+						// landlock can be skipped here as it restricts access
-						// already covered by namespaces (pid)
+						// to resources already covered by namespaces (pid)
 						goto landlockOut
 					}
-					return &StartError{false, "get landlock ABI", err, false, false}
+					return &StartError{Step: "get landlock ABI", Err: err}
 				} else if abi < 6 {
 					if p.HostAbstract {
 						// see above comment
 						goto landlockOut
 					}
-					return &StartError{false, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET", ENOSYS, true, false}
+					return &StartError{
+						Step:   "kernel too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
+						Err:    ENOSYS,
+						Origin: true,
+					}
 				} else {
 					p.msg.Verbosef("landlock abi version %d", abi)
 				}
 
 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
-					return &StartError{true, "create landlock ruleset", err, false, false}
+					return &StartError{
+						Fatal: true,
+						Step:  "create landlock ruleset",
+						Err:   err,
+					}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
 					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
-						return &StartError{true, "enforce landlock ruleset", err, false, false}
+						return &StartError{
+							Fatal: true,
+							Step:  "enforce landlock ruleset",
+							Err:   err,
+						}
 					}
 					if err = Close(rulesetFd); err != nil {
 						p.msg.Verbosef("cannot close landlock ruleset: %v", err)
@@ -336,9 +371,30 @@ func (p *Container) Start() error {
 			landlockOut:
 			}
 
+			// sched_setscheduler: thread-directed but acts on all processes
+			// created from the calling thread
+			if p.SchedPolicy > 0 {
+				p.msg.Verbosef("setting scheduling policy %d", p.SchedPolicy)
+				if err := schedSetscheduler(
+					0, // calling thread
+					p.SchedPolicy,
+					&schedParam{0},
+				); err != nil {
+					return &StartError{
+						Fatal: true,
+						Step:  "enforce landlock ruleset",
+						Err:   err,
+					}
+				}
+			}
+
 			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
-				return &StartError{false, "start container init", err, false, true}
+				return &StartError{
+					Step:        "start container init",
+					Err:         err,
+					Passthrough: true,
+				}
 			}
 			return nil
 		}()
@@ -350,6 +406,7 @@ func (p *Container) Start() error {
 }
 
 // Serve serves [Container.Params] to the container init.
+//
 // Serve must only be called once.
 func (p *Container) Serve() error {
 	if p.setup == nil {
@@ -359,12 +416,21 @@ func (p *Container) Serve() error {
 	setup := p.setup
 	p.setup = nil
 	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
-		return &StartError{true, "set init pipe deadline", err, false, true}
+		return &StartError{
+			Fatal:       true,
+			Step:        "set init pipe deadline",
+			Err:         err,
+			Passthrough: true,
+		}
 	}
 
 	if p.Path == nil {
 		p.cancel()
-		return &StartError{false, "invalid executable pathname", EINVAL, true, false}
+		return &StartError{
+			Step:   "invalid executable pathname",
+			Err:    EINVAL,
+			Origin: true,
+		}
 	}
 
 	// do not transmit nil
@@ -389,7 +455,8 @@ func (p *Container) Serve() error {
 	return err
 }
 
-// Wait waits for the container init process to exit and releases any resources associated with the [Container].
+// Wait blocks until the container init process to exit and releases any
+// resources associated with the [Container].
 func (p *Container) Wait() error {
 	if p.cmd == nil || p.cmd.Process == nil {
 		return EINVAL
@@ -434,11 +501,13 @@ func (p *Container) StderrPipe() (r io.ReadCloser, err error) {
 }
 
 func (p *Container) String() string {
-	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
+	return fmt.Sprintf(
-		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets))
+		"argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
+		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets),
+	)
 }
 
-// ProcessState returns the address to os.ProcessState held by the underlying [exec.Cmd].
+// ProcessState returns the address of os.ProcessState held by the underlying [exec.Cmd].
 func (p *Container) ProcessState() *os.ProcessState {
 	if p.cmd == nil {
 		return nil
@@ -446,7 +515,8 @@ func (p *Container) ProcessState() *os.ProcessState {
 	return p.cmd.ProcessState
 }
 
-// New returns the address to a new instance of [Container] that requires further initialisation before use.
+// New returns the address to a new instance of [Container]. This value requires
+// further initialisation before use.
 func New(ctx context.Context, msg message.Msg) *Container {
 	if msg == nil {
 		msg = message.New(nil)
@@ -455,12 +525,18 @@ func New(ctx context.Context, msg message.Msg) *Container {
 	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
 	c, cancel := context.WithCancel(ctx)
 	p.cancel = cancel
-	p.cmd = exec.CommandContext(c, MustExecutable(msg))
+	p.cmd = exec.CommandContext(c, fhs.ProcSelfExe)
 	return p
 }
 
 // NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
-func NewCommand(ctx context.Context, msg message.Msg, pathname *check.Absolute, name string, args ...string) *Container {
+func NewCommand(
+	ctx context.Context,
+	msg message.Msg,
+	pathname *check.Absolute,
+	name string,
+	args ...string,
+) *Container {
 	z := New(ctx, msg)
 	z.Path = pathname
 	z.Args = append([]string{name}, args...)

container/container_test.go

@@ -274,13 +274,13 @@ var containerTestCases = []struct {
 			Dev(check.MustAbs("/dev"), true),
 		),
 		earlyMnt(
-			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", ignore, ignore),
-			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", ignore, "devtmpfs", ignore, ignore),
-			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", ignore, "devtmpfs", ignore, ignore),
-			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", ignore, "devtmpfs", ignore, ignore),
-			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", ignore, "devtmpfs", ignore, ignore),
-			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", ignore, "devtmpfs", ignore, ignore),
-			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", ignore, "devtmpfs", ignore, ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
@@ -292,13 +292,13 @@ var containerTestCases = []struct {
 			Dev(check.MustAbs("/dev"), false),
 		),
 		earlyMnt(
-			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", ignore, ignore),
-			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", ignore, "devtmpfs", ignore, ignore),
-			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", ignore, "devtmpfs", ignore, ignore),
-			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", ignore, "devtmpfs", ignore, ignore),
-			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", ignore, "devtmpfs", ignore, ignore),
-			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", ignore, "devtmpfs", ignore, ignore),
-			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", ignore, "devtmpfs", ignore, ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
@@ -690,11 +690,22 @@ func init() {
 						return fmt.Errorf("got more than %d entries", len(mnt))
 					}
 
-					// ugly hack but should be reliable and is less likely to false negative than comparing by parsed flags
+					// ugly hack but should be reliable and is less likely to
-					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",relatime")
+					//false negative than comparing by parsed flags
-					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",noatime")
+					for _, s := range []string{
-					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",relatime")
+						"relatime",
-					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",noatime")
+						"noatime",
+					} {
+						cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ","+s)
+						mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ","+s)
+					}
+					for _, s := range []string{
+						"seclabel",
+						"inode64",
+					} {
+						cur.FsOptstr = strings.Replace(cur.FsOptstr, ","+s, "", 1)
+						mnt[i].FsOptstr = strings.Replace(mnt[i].FsOptstr, ","+s, "", 1)
+					}
 
 					if !cur.EqualWithIgnore(mnt[i], "\x00") {
 						fail = true
@@ -762,14 +773,13 @@ func TestMain(m *testing.M) {
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
-	executable := check.MustAbs(container.MustExecutable(msg))
 
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(executable, absHelperInnerPath, 0)
+	c.Bind(fhs.AbsProcSelfExe, absHelperInnerPath, 0)
 
 	// in case test has cgo enabled
-	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
+	if entries, err := ldd.Resolve(ctx, msg, nil); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)

container/dispatcher.go

@@ -21,7 +21,8 @@ type osFile interface {
 	fs.File
 }
 
-// syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
+// syscallDispatcher provides methods that make state-dependent system calls as
+// part of their behaviour.
 type syscallDispatcher interface {
 	// new starts a goroutine with a new instance of syscallDispatcher.
 	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
@@ -61,6 +62,8 @@ type syscallDispatcher interface {
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
+	// mustLoopback provides mustLoopback.
+	mustLoopback(msg message.Msg)
 
 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -164,6 +167,7 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
+func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
 
 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)

container/dispatcher_test.go

@@ -162,7 +162,8 @@ func checkSimple(t *testing.T, fname string, testCases []simpleTestCase) {
 			t.Parallel()
 
 			wait4signal := make(chan struct{})
-			k := &kstub{wait4signal, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, s} }, tc.want)}
+			lockNotify := make(chan struct{})
+			k := &kstub{wait4signal, lockNotify, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, lockNotify, s} }, tc.want)}
 			defer stub.HandleExit(t)
 			if err := tc.f(k); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%s: error = %v, want %v", fname, err, tc.wantErr)
@@ -200,8 +201,8 @@ func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
 				t.Helper()
 				t.Parallel()
 
-				k := &kstub{nil, stub.New(t,
+				k := &kstub{nil, nil, stub.New(t,
-					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, s} },
+					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, nil, s} },
 					stub.Expect{Calls: slices.Concat(tc.early, []stub.Call{{Name: stub.CallSeparator}}, tc.apply)},
 				)}
 				state := &setupState{Params: tc.params, Msg: k}
@@ -237,8 +238,11 @@ func sliceAddr[S any](s []S) *[]S { return &s }
 
 func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
 	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
-	// check happens in Close, and cleanup is not guaranteed to run, so relying on it for sloppy implementations will cause sporadic test results
+	// check happens in Close, and cleanup is not guaranteed to run, so relying
-	f.cleanup = runtime.AddCleanup(f, func(name string) { f.t.Fatalf("checkedOsFile %s became unreachable without a call to Close", name) }, f.name)
+	// on it for sloppy implementations will cause sporadic test results
+	f.cleanup = runtime.AddCleanup(f, func(name string) {
+		panic("checkedOsFile " + name + " became unreachable without a call to Close")
+	}, name)
 	return f
 }
 
@@ -322,12 +326,19 @@ const (
 
 type kstub struct {
 	wait4signal chan struct{}
+	lockNotify  chan struct{}
 	*stub.Stub[syscallDispatcher]
 }
 
 func (k *kstub) new(f func(k syscallDispatcher)) { k.Helper(); k.New(f) }
 
-func (k *kstub) lockOSThread() { k.Helper(); k.Expects("lockOSThread") }
+func (k *kstub) lockOSThread() {
+	k.Helper()
+	expect := k.Expects("lockOSThread")
+	if k.lockNotify != nil && expect.Ret == magicWait4Signal {
+		<-k.lockNotify
+	}
+}
 
 func (k *kstub) setPtracer(pid uintptr) error {
 	k.Helper()
@@ -457,6 +468,8 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 
+func (*kstub) mustLoopback(message.Msg) { /* noop */ }
+
 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
@@ -472,6 +485,10 @@ func (k *kstub) notify(c chan<- os.Signal, sig ...os.Signal) {
 		k.FailNow()
 	}
 
+	if k.lockNotify != nil && expect.Ret == magicWait4Signal {
+		defer close(k.lockNotify)
+	}
+
 	// export channel for external instrumentation
 	if chanf, ok := expect.Args[0].(func(c chan<- os.Signal)); ok && chanf != nil {
 		chanf(c)

container/errors.go

@@ -18,7 +18,7 @@ func messageFromError(err error) (m string, ok bool) {
 	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
 		return
 	}
-	if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
+	if m, ok = messagePrefix[check.AbsoluteError](zeroString, err); ok {
 		return
 	}
 	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
@@ -43,7 +43,8 @@ func messageFromError(err error) (m string, ok bool) {
 }
 
 // messagePrefix checks and prefixes the error message of a non-pointer error.
-// While this is usable for pointer errors, such use should be avoided as nil check is omitted.
+// While this is usable for pointer errors, such use should be avoided as nil
+// check is omitted.
 func messagePrefix[T error](prefix string, err error) (string, bool) {
 	var targetError T
 	if errors.As(err, &targetError) {

container/errors_test.go

@@ -37,7 +37,7 @@ func TestMessageFromError(t *testing.T) {
 			Err:  stub.UniqueError(0xdeadbeef),
 		}, "cannot mount /sysroot: unique error 3735928559 injected by the test suite", true},
 
-		{"absolute", &check.AbsoluteError{Pathname: "etc/mtab"},
+		{"absolute", check.AbsoluteError("etc/mtab"),
 			`path "etc/mtab" is not absolute`, true},
 
 		{"repeat", OpRepeatError("autoetc"),

container/executable.go

@@ -28,6 +28,9 @@ func copyExecutable(msg message.Msg) {
 	}
 }
 
+// MustExecutable calls [os.Executable] and terminates the process on error.
+//
+// Deprecated: This is no longer used and will be removed in 0.4.
 func MustExecutable(msg message.Msg) string {
 	executableOnce.Do(func() { copyExecutable(msg) })
 	return executable

container/fhs/abs.go

@@ -26,6 +26,8 @@ var (
 	// AbsRunUser is [RunUser] as [check.Absolute].
 	AbsRunUser = unsafeAbs(RunUser)
 
+	// AbsUsr is [Usr] as [check.Absolute].
+	AbsUsr = unsafeAbs(Usr)
 	// AbsUsrBin is [UsrBin] as [check.Absolute].
 	AbsUsrBin = unsafeAbs(UsrBin)
 
@@ -40,6 +42,8 @@ var (
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
+	// AbsProcSelfExe is [ProcSelfExe] as [check.Absolute].
+	AbsProcSelfExe = unsafeAbs(ProcSelfExe)
 	// AbsSys is [Sys] as [check.Absolute].
 	AbsSys = unsafeAbs(Sys)
 )

container/fhs/fhs.go

@@ -9,7 +9,8 @@ const (
 	// Tmp points to the place for small temporary files.
 	Tmp = "/tmp/"
 
-	// Run points to a "tmpfs" file system for system packages to place runtime data, socket files, and similar.
+	// Run points to a "tmpfs" file system for system packages to place runtime
+	// data, socket files, and similar.
 	Run = "/run/"
 	// RunUser points to a directory containing per-user runtime directories,
 	// each usually individually mounted "tmpfs" instances.
@@ -17,10 +18,12 @@ const (
 
 	// Usr points to vendor-supplied operating system resources.
 	Usr = "/usr/"
-	// UsrBin points to binaries and executables for user commands that shall appear in the $PATH search path.
+	// UsrBin points to binaries and executables for user commands that shall
+	// appear in the $PATH search path.
 	UsrBin = Usr + "bin/"
 
-	// Var points to persistent, variable system data. Writable during normal system operation.
+	// Var points to persistent, variable system data. Writable during normal
+	// system operation.
 	Var = "/var/"
 	// VarLib points to persistent system data.
 	VarLib = Var + "lib/"
@@ -29,12 +32,20 @@ const (
 
 	// Dev points to the root directory for device nodes.
 	Dev = "/dev/"
-	// DevShm is the place for POSIX shared memory segments, as created via shm_open(3).
+	// DevShm is the place for POSIX shared memory segments, as created via
+	// shm_open(3).
 	DevShm = "/dev/shm/"
-	// Proc points to a virtual kernel file system exposing the process list and other functionality.
+	// Proc points to a virtual kernel file system exposing the process list and
+	// other functionality.
 	Proc = "/proc/"
-	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
+	// ProcSys points to a hierarchy below /proc/ that exposes a number of
+	// kernel tunables.
 	ProcSys = Proc + "sys/"
-	// Sys points to a virtual kernel file system exposing discovered devices and other functionality.
+	// ProcSelf resolves to the process's own /proc/pid directory.
+	ProcSelf = Proc + "self/"
+	// ProcSelfExe is a symbolic link to program pathname.
+	ProcSelfExe = ProcSelf + "exe"
+	// Sys points to a virtual kernel file system exposing discovered devices
+	// and other functionality.
 	Sys = "/sys/"
 )

container/init.go

@@ -33,12 +33,12 @@ const (
 	- This path is only accessible by init and root:
 	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.
 
-	It should be noted that none of this should become relevant at any point since the resulting
+	It should be noted that none of this should become relevant at any point
-	intermediate root tmpfs should be effectively anonymous. */
+	since the resulting intermediate root tmpfs should be effectively anonymous. */
 	intermediateHostPath = fhs.Proc + "self/fd"
 
-	// setupEnv is the name of the environment variable holding the string representation of
+	// setupEnv is the name of the environment variable holding the string
-	// the read end file descriptor of the setup params pipe.
+	// representation of the read end file descriptor of the setup params pipe.
 	setupEnv = "HAKUREI_SETUP"
 
 	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
@@ -59,7 +59,8 @@ type (
 		// late is called right before starting the initial process.
 		late(state *setupState, k syscallDispatcher) error
 
-		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
+		// prefix returns a log message prefix, and whether this Op prints no
+		// identifying message on its own.
 		prefix() (string, bool)
 
 		Is(op Op) bool
@@ -71,9 +72,11 @@ type (
 	setupState struct {
 		nonrepeatable uintptr
 
-		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
+		// Whether early reaping has concluded. Must only be accessed in the
+		// wait4 loop.
 		processConcluded bool
-		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
+		// Process to syscall.WaitStatus populated in the wait4 loop. Freed
+		// after early reaping concludes.
 		process map[int]WaitStatus
 		// Synchronises access to process.
 		processMu sync.RWMutex
@@ -170,6 +173,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		offsetSetup = int(setupFd + 1)
 	}
 
+	if !params.HostNet {
+		k.mustLoopback(msg)
+	}
+
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
@@ -212,9 +219,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	defer cancel()
 
 	/* early is called right before pivot_root into intermediate root;
-	this step is mostly for gathering information that would otherwise be difficult to obtain
+	this step is mostly for gathering information that would otherwise be
-	via library functions after pivot_root, and implementations are expected to avoid changing
+	difficult to obtain via library functions after pivot_root, and
-	the state of the mount namespace */
+	implementations are expected to avoid changing the state of the mount
+	namespace */
 	for i, op := range *params.Ops {
 		if op == nil || !op.Valid() {
 			k.fatalf(msg, "invalid op at index %d", i)
@@ -254,10 +262,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot enter intermediate root: %v", err)
 	}
 
-	/* apply is called right after pivot_root and entering the new root;
+	/* apply is called right after pivot_root and entering the new root. This
-	this step sets up the container filesystem, and implementations are expected to keep the host root
+	step sets up the container filesystem, and implementations are expected to
-	and sysroot mount points intact but otherwise can do whatever they need to;
+	keep the host root and sysroot mount points intact but otherwise can do
-	chdir is allowed but discouraged */
+	whatever they need to. Calling chdir is allowed but discouraged. */
 	for i, op := range *params.Ops {
 		// ops already checked during early setup
 		if prefix, ok := op.prefix(); ok {

container/init_test.go

@@ -1992,7 +1992,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
@@ -2075,7 +2075,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(10)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{"forwarding context cancellation"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
 				call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", os.Interrupt}, magicWait4Signal, stub.UniqueError(9)),
@@ -2090,7 +2090,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
 				call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
@@ -2175,7 +2175,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbosef", stub.ExpectArgs{"got %s, forwarding to initial process", []any{"quit"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
 				call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", syscall.SIGQUIT}, magicWait4Signal, stub.UniqueError(0xfe)),
@@ -2190,7 +2190,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
 				call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
@@ -2275,7 +2275,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbosef", stub.ExpectArgs{"got %s", []any{"interrupt"}}, nil, nil),
 				call("beforeExit", stub.ExpectArgs{}, nil, nil),
 				call("exit", stub.ExpectArgs{0}, nil, nil),
@@ -2283,7 +2283,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
@@ -2366,7 +2366,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(5)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
@@ -2377,7 +2377,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil),
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
@@ -2461,7 +2461,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(3)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
@@ -2471,7 +2471,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
@@ -2599,7 +2599,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(1)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"initial process exited with code %d", []any{1}}, nil, nil),
@@ -2609,7 +2609,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
@@ -2741,7 +2741,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(0)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/bin/zsh")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil),
-				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
+				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2752,7 +2752,7 @@ func TestInitEntrypoint(t *testing.T) {
 
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
-				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
+				call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
 
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),

container/initbind.go

@@ -12,14 +12,16 @@ import (
 
 func init() { gob.Register(new(BindMountOp)) }
 
-// Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
+// Bind is a helper for appending [BindMountOp] to [Ops].
 func (f *Ops) Bind(source, target *check.Absolute, flags int) *Ops {
 	*f = append(*f, &BindMountOp{nil, source, target, flags})
 	return f
 }
 
-// BindMountOp bind mounts host path Source on container path Target.
+// BindMountOp creates a bind mount from host path Source to container path Target.
-// Note that Flags uses bits declared in this package and should not be set with constants in [syscall].
+//
+// Note that Flags uses bits declared in the [std] package and should not be set
+// with constants in [syscall].
 type BindMountOp struct {
 	sourceFinal, Source, Target *check.Absolute
 

container/initdaemon.go

@@ -24,8 +24,7 @@ const (
 	daemonTimeout = 5 * time.Second
 )
 
-// Daemon appends an [Op] that starts a daemon in the container and blocks until
+// Daemon is a helper for appending [DaemonOp] to [Ops].
-// [DaemonOp.Target] appears.
 func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
 	*f = append(*f, &DaemonOp{target, path, args})
 	return f

container/initdev.go

@@ -19,7 +19,9 @@ func (f *Ops) Dev(target *check.Absolute, mqueue bool) *Ops {
 }
 
 // DevWritable appends an [Op] that mounts a writable subset of host /dev.
-// There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
+//
+// There is usually no good reason to write to /dev, so this should always be
+// followed by a [RemountOp].
 func (f *Ops) DevWritable(target *check.Absolute, mqueue bool) *Ops {
 	*f = append(*f, &MountDevOp{target, mqueue, true})
 	return f

container/initmkdir.go

@@ -10,7 +10,7 @@ import (
 
 func init() { gob.Register(new(MkdirOp)) }
 
-// Mkdir appends an [Op] that creates a directory in the container filesystem.
+// Mkdir is a helper for appending [MkdirOp] to [Ops].
 func (f *Ops) Mkdir(name *check.Absolute, perm os.FileMode) *Ops {
 	*f = append(*f, &MkdirOp{name, perm})
 	return f

container/initoverlay.go

@@ -54,8 +54,11 @@ func (e *OverlayArgumentError) Error() string {
 	}
 }
 
-// Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
+// Overlay is a helper for appending [MountOverlayOp] to [Ops].
-func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Absolute) *Ops {
+func (f *Ops) Overlay(
+	target, state, work *check.Absolute,
+	layers ...*check.Absolute,
+) *Ops {
 	*f = append(*f, &MountOverlayOp{
 		Target: target,
 		Lower:  layers,
@@ -65,13 +68,12 @@ func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Abso
 	return f
 }
 
-// OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
+// OverlayEphemeral appends a [MountOverlayOp] with an ephemeral upperdir and workdir.
-// with an ephemeral upperdir and workdir.
 func (f *Ops) OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, fhs.AbsRoot, nil, layers...)
 }
 
-// OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
+// OverlayReadonly appends a readonly [MountOverlayOp].
 func (f *Ops) OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, nil, nil, layers...)
 }
@@ -82,25 +84,34 @@ type MountOverlayOp struct {
 
 	// Any filesystem, does not need to be on a writable filesystem.
 	Lower []*check.Absolute
-	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayLowerdir].
+	//
+	// Resolved, prefixed and escaped during early.
 	lower []string
+
 	// The upperdir is normally on a writable filesystem.
 	//
-	// If Work is nil and Upper holds the special value [fhs.AbsRoot],
+	// If Work is nil and Upper holds the special value [fhs.AbsRoot], an
-	// an ephemeral upperdir and workdir will be set up.
+	// ephemeral upperdir and workdir will be set up.
 	//
-	// If both Work and Upper are nil, upperdir and workdir is omitted and the overlay is mounted readonly.
+	// If both Work and Upper are nil, upperdir and workdir is omitted and the
+	// overlay is mounted readonly.
 	Upper *check.Absolute
-	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayUpperdir].
+	//
+	// Resolved, prefixed and escaped during early.
 	upper string
+
 	// The workdir needs to be an empty directory on the same filesystem as upperdir.
 	Work *check.Absolute
-	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayWorkdir].
+	//
+	// Resolved, prefixed and escaped during early.
 	work string
 
 	ephemeral bool
 
-	// used internally for mounting to the intermediate root
+	// Used internally for mounting to the intermediate root.
 	noPrefix bool
 }
 

container/initoverlay_test.go

@@ -312,7 +312,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},
 
-		{"ephemeral", new(Ops).OverlayEphemeral(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"ephemeral", new(Ops).OverlayEphemeral(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
@@ -320,7 +323,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},
 
-		{"readonly", new(Ops).OverlayReadonly(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"readonly", new(Ops).OverlayReadonly(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},

container/initplace.go

@@ -16,7 +16,7 @@ const (
 
 func init() { gob.Register(new(TmpfileOp)) }
 
-// Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
+// Place is a helper for appending [TmpfileOp] to [Ops].
 func (f *Ops) Place(name *check.Absolute, data []byte) *Ops {
 	*f = append(*f, &TmpfileOp{name, data})
 	return f

container/initplace_test.go

@@ -21,7 +21,7 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), stub.UniqueError(5)),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, (*checkedOsFile)(nil), stub.UniqueError(5)),
 		}, stub.UniqueError(5)},
 
 		{"Write", &Params{ParentPerm: 0700}, &TmpfileOp{
@@ -35,14 +35,14 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, stub.UniqueError(3)), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.Close", sampleDataString, stub.UniqueError(3)), nil),
 		}, stub.UniqueError(3)},
 
 		{"ensureFile", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.ensureFile", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(2)),
 		}, stub.UniqueError(2)},
 
@@ -50,29 +50,29 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.bindMount", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
+			call("bindMount", stub.ExpectArgs{"tmp.bindMount", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 
 		{"remove", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.remove", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.remove", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
-			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, stub.UniqueError(0)),
+			call("remove", stub.ExpectArgs{"tmp.remove"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 
 		{"success", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.success", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.success", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
-			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, nil),
+			call("remove", stub.ExpectArgs{"tmp.success"}, nil, nil),
 		}, nil},
 	})
 

container/initproc.go

@@ -10,7 +10,7 @@ import (
 
 func init() { gob.Register(new(MountProcOp)) }
 
-// Proc appends an [Op] that mounts a private instance of proc.
+// Proc is a helper for appending [MountProcOp] to [Ops].
 func (f *Ops) Proc(target *check.Absolute) *Ops {
 	*f = append(*f, &MountProcOp{target})
 	return f

container/initremount.go

@@ -9,7 +9,7 @@ import (
 
 func init() { gob.Register(new(RemountOp)) }
 
-// Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
+// Remount is a helper for appending [RemountOp] to [Ops].
 func (f *Ops) Remount(target *check.Absolute, flags uintptr) *Ops {
 	*f = append(*f, &RemountOp{target, flags})
 	return f

container/initsymlink.go

@@ -31,7 +31,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN
 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
 		if !path.IsAbs(l.LinkName) {
-			return &check.AbsoluteError{Pathname: l.LinkName}
+			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
 			return err

container/initsymlink_test.go

@@ -23,7 +23,7 @@ func TestSymlinkOp(t *testing.T) {
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "etc/mtab",
 			Dereference: true,
-		}, nil, &check.AbsoluteError{Pathname: "etc/mtab"}, nil, nil},
+		}, nil, check.AbsoluteError("etc/mtab"), nil, nil},
 
 		{"readlink", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),

container/landlock.go

@@ -38,6 +38,7 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )
 
+// String returns a space-separated string of [LandlockAccessFS] flags.
 func (f LandlockAccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
@@ -116,6 +117,7 @@ const (
 	_LANDLOCK_ACCESS_NET_DELIM
 )
 
+// String returns a space-separated string of [LandlockAccessNet] flags.
 func (f LandlockAccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
@@ -152,6 +154,7 @@ const (
 	_LANDLOCK_SCOPE_DELIM
 )
 
+// String returns a space-separated string of [LandlockScope] flags.
 func (f LandlockScope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
@@ -184,10 +187,12 @@ type RulesetAttr struct {
 	HandledAccessFS LandlockAccessFS
 	// Bitmask of handled network actions.
 	HandledAccessNet LandlockAccessNet
-	// Bitmask of scopes restricting a Landlock domain from accessing outside resources (e.g. IPCs).
+	// Bitmask of scopes restricting a Landlock domain from accessing outside
+	// resources (e.g. IPCs).
 	Scoped LandlockScope
 }
 
+// String returns a user-facing description of [RulesetAttr].
 func (rulesetAttr *RulesetAttr) String() string {
 	if rulesetAttr == nil {
 		return "NULL"
@@ -208,6 +213,7 @@ func (rulesetAttr *RulesetAttr) String() string {
 	return strings.Join(elems, ", ")
 }
 
+// Create loads the ruleset into the kernel.
 func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	var pointer, size uintptr
 	// NULL needed for abi version
@@ -216,10 +222,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 		size = unsafe.Sizeof(*rulesetAttr)
 	}
 
-	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	rulesetFd, _, errno := syscall.Syscall(
+		std.SYS_LANDLOCK_CREATE_RULESET,
+		pointer, size,
+		flags,
+	)
 	fd = int(rulesetFd)
 	err = errno
-
 	if fd < 0 {
 		return
 	}
@@ -230,12 +239,19 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }
 
+// LandlockGetABI returns the ABI version supported by the kernel.
 func LandlockGetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }
 
+// LandlockRestrictSelf applies a loaded ruleset to the calling thread.
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
-	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	r, _, errno := syscall.Syscall(
+		std.SYS_LANDLOCK_RESTRICT_SELF,
+		uintptr(rulesetFd),
+		flags,
+		0,
+	)
 	if r != 0 {
 		return errno
 	}

container/netlink.go

@@ -0,0 +1,269 @@
+package container
+
+import (
+	"encoding/binary"
+	"errors"
+	"net"
+	"os"
+	. "syscall"
+	"unsafe"
+
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+// rtnetlink represents a NETLINK_ROUTE socket.
+type rtnetlink struct {
+	// Sent as part of rtnetlink messages.
+	pid uint32
+	// AF_NETLINK socket.
+	fd int
+	// Whether the socket is open.
+	ok bool
+	// Message sequence number.
+	seq uint32
+}
+
+// open creates the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) open() (err error) {
+	if s.ok || s.fd < 0 {
+		return os.ErrInvalid
+	}
+
+	s.pid = uint32(Getpid())
+	if s.fd, err = Socket(
+		AF_NETLINK,
+		SOCK_RAW|SOCK_CLOEXEC,
+		NETLINK_ROUTE,
+	); err != nil {
+		return os.NewSyscallError("socket", err)
+	} else if err = Bind(s.fd, &SockaddrNetlink{
+		Family: AF_NETLINK,
+		Pid:    s.pid,
+	}); err != nil {
+		_ = s.close()
+		return os.NewSyscallError("bind", err)
+	} else {
+		s.ok = true
+		return nil
+	}
+}
+
+// close closes the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) close() error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	s.ok = false
+	err := Close(s.fd)
+	s.fd = -1
+	return err
+}
+
+// roundtrip sends a netlink message and handles the reply.
+func (s *rtnetlink) roundtrip(data []byte) error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	defer func() { s.seq++ }()
+
+	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
+		Family: AF_NETLINK,
+	}); err != nil {
+		return os.NewSyscallError("sendto", err)
+	}
+	buf := make([]byte, Getpagesize())
+
+done:
+	for {
+		p := buf
+		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
+			return os.NewSyscallError("recvfrom", err)
+		} else if n < NLMSG_HDRLEN {
+			return errors.ErrUnsupported
+		} else {
+			p = p[:n]
+		}
+
+		if msgs, err := ParseNetlinkMessage(p); err != nil {
+			return err
+		} else {
+			for _, m := range msgs {
+				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
+					return errors.ErrUnsupported
+				}
+				if m.Header.Type == NLMSG_DONE {
+					break done
+				}
+				if m.Header.Type == NLMSG_ERROR {
+					if len(m.Data) >= 4 {
+						errno := Errno(-std.Int(binary.NativeEndian.Uint32(m.Data)))
+						if errno == 0 {
+							return nil
+						}
+						return errno
+					}
+					return errors.ErrUnsupported
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
+func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
+	err := s.roundtrip(data)
+	if err == nil {
+		return
+	}
+	if closeErr := Close(s.fd); closeErr != nil {
+		msg.Verbosef("cannot close: %v", err)
+	}
+
+	switch err.(type) {
+	case *os.SyscallError:
+		msg.GetLogger().Fatalf("cannot %v", err)
+
+	case Errno:
+		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+	default:
+		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
+	}
+}
+
+// newaddrLo represents a RTM_NEWADDR message with two addresses.
+type newaddrLo struct {
+	header NlMsghdr
+	data   IfAddrmsg
+
+	r0 RtAttr
+	a0 [4]byte // in_addr
+	r1 RtAttr
+	a1 [4]byte // in_addr
+}
+
+// sizeofNewaddrLo is the expected size of newaddrLo.
+const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
+
+// newaddrLo returns the address of a populated newaddrLo.
+func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
+	return &newaddrLo{NlMsghdr{
+		Len:   sizeofNewaddrLo,
+		Type:  RTM_NEWADDR,
+		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfAddrmsg{
+		Family:    AF_INET,
+		Prefixlen: 8,
+		Flags:     IFA_F_PERMANENT,
+		Scope:     RT_SCOPE_HOST,
+		Index:     uint32(lo),
+	}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
+		Type: IFA_LOCAL,
+	}, [4]byte{127, 0, 0, 1}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
+		Type: IFA_ADDRESS,
+	}, [4]byte{127, 0, 0, 1}}
+}
+
+func (msg *newaddrLo) toWireFormat() []byte {
+	var buf [sizeofNewaddrLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	buf[17] = msg.data.Prefixlen
+	buf[18] = msg.data.Flags
+	buf[19] = msg.data.Scope
+	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+
+	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
+	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
+	copy(buf[28:32], msg.a0[:])
+	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
+	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
+	copy(buf[36:40], msg.a1[:])
+
+	return buf[:]
+}
+
+// newlinkLo represents a RTM_NEWLINK message.
+type newlinkLo struct {
+	header NlMsghdr
+	data   IfInfomsg
+}
+
+// sizeofNewlinkLo is the expected size of newlinkLo.
+const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
+
+// newlinkLo returns the address of a populated newlinkLo.
+func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
+	return &newlinkLo{NlMsghdr{
+		Len:   sizeofNewlinkLo,
+		Type:  RTM_NEWLINK,
+		Flags: NLM_F_REQUEST | NLM_F_ACK,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfInfomsg{
+		Family: AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  IFF_UP,
+		Change: IFF_UP,
+	}}
+}
+
+func (msg *newlinkLo) toWireFormat() []byte {
+	var buf [sizeofNewlinkLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
+	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
+	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
+
+	return buf[:]
+}
+
+// mustLoopback creates the loopback address and brings the lo interface up.
+// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
+// user-facing error message if RTNETLINK behaves unexpectedly.
+func mustLoopback(msg message.Msg) {
+	log := msg.GetLogger()
+
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		log.Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	var s rtnetlink
+	if err := s.open(); err != nil {
+		log.Fatalln(err)
+	}
+	defer func() {
+		if err := s.close(); err != nil {
+			msg.Verbosef("cannot close netlink: %v", err)
+		}
+	}()
+
+	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
+	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
+}

container/netlink_test.go

@@ -0,0 +1,72 @@
+package container
+
+import (
+	"testing"
+	"unsafe"
+)
+
+func TestSizeof(t *testing.T) {
+	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
+		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
+	}
+
+	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
+		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
+	}
+}
+
+func TestRtnetlinkMessage(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  interface{ toWireFormat() []byte }
+		want []byte
+	}{
+		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
+			/* Len   */ 0x28, 0, 0, 0,
+			/* Type  */ 0x14, 0,
+			/* Flags */ 5, 6,
+			/* Seq   */ 0, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family    */ 2,
+			/* Prefixlen */ 8,
+			/* Flags     */ 0x80,
+			/* Scope     */ 0xfe,
+			/* Index     */ 1, 0, 0, 0,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 2, 0,
+			/* in_addr */ 127, 0, 0, 1,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 1, 0,
+			/* in_addr */ 127, 0, 0, 1,
+		}},
+
+		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
+			/* Len   */ 0x20, 0, 0, 0,
+			/* Type  */ 0x10, 0,
+			/* Flags */ 5, 0,
+			/* Seq   */ 1, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family */ 0,
+			/* pad    */ 0,
+			/* Type   */ 0, 0,
+			/* Index  */ 1, 0, 0, 0,
+			/* Flags  */ 1, 0, 0, 0,
+			/* Change */ 1, 0, 0, 0,
+		}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
+				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}

container/path.go

@@ -15,7 +15,10 @@ import (
 
 const (
 	// Nonexistent is a path that cannot exist.
-	// /proc is chosen because a system with covered /proc is unsupported by this package.
+	//
+	// This path can never be presented by the kernel if proc is mounted on
+	// /proc/. This can only exist if parts of /proc/ is covered, or proc is not
+	// mounted at all. Neither configuration is supported by this package.
 	Nonexistent = fhs.Proc + "nonexistent"
 
 	hostPath    = fhs.Root + hostDir

container/seccomp/libseccomp.go

@@ -88,18 +88,22 @@ var resPrefix = [...]string{
 	7: "seccomp_load failed",
 }
 
-// cbAllocateBuffer is the function signature for the function handle passed to hakurei_export_filter
+// cbAllocateBuffer is the function signature for the function handle passed to
-// which allocates the buffer that the resulting bpf program is copied into, and writes its slice header
+// hakurei_scmp_make_filter which allocates the buffer that the resulting bpf
-// to a value held by the caller.
+// program is copied into, and writes its slice header to a value held by the caller.
 type cbAllocateBuffer = func(len C.size_t) (buf unsafe.Pointer)
 
+// hakurei_scmp_allocate allocates a buffer of specified size known to the
+// runtime through a callback passed in a [cgo.Handle].
+//
 //export hakurei_scmp_allocate
 func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
 	return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
 }
 
-// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
+// makeFilter generates a bpf program from a slice of [std.NativeRule] and
-// The filter is installed to the current process if p is nil.
+// writes the resulting byte slice to p. The filter is installed to the current
+// process if p is nil.
 func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
@@ -170,8 +174,8 @@ func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
 	return
 }
 
-// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
+// Load generates a bpf program from a slice of [std.NativeRule] and enforces it
-// Errors returned by libseccomp is wrapped in [LibraryError].
+// on the current process. Errors returned by libseccomp is wrapped in [LibraryError].
 func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
 
 type (

container/seccomp/presets_riscv64_test.go

@@ -0,0 +1,27 @@
+package seccomp_test
+
+import (
+	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
+)
+
+var bpfExpected = bpfLookup{
+	{AllowMultiarch | AllowCAN |
+		AllowBluetooth, PresetExt |
+		PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+		PresetLinux32}: toHash(
+		"a1c4ffa35f4bfbf38061184760b9a09edfcb4964c3b534395e47327b83f3fb61f2f9573ddfcc4772424cc2f5dd12fd32471e6531dbe10e85eda3797dd4fa179f"),
+
+	{0, 0}: toHash(
+		"f3910fd727d087def593e3876c2c6ab9ace71d82ec8cbc992a26223e7bba85e1d7a0b56c5fc6303703f24595825dad8561637edaedd5384b34a6cd080946633c"),
+	{0, PresetExt}: toHash(
+		"741438c5e3f11c36c92ae8c5934f13440675c6e719541c2dbffeda79a10081bcfd9ad8314a60c1d1f53db86c8080c13fffa3bbcf7fe753935679b4b902737286"),
+	{0, PresetStrict}: toHash(
+		"79e9e464d02405c6d74fd2c771bd72a1311e488221c73a9c32db9270219837c54fccec2f36fe2474895547e60c311514567e2e6cf4e7a7fcf909c1ecd1e254a7"),
+	{0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+		"3c443715a6c1e557a284862ea8efb70a5d4ecbe67d1226627323e861cd3646fb3e7768ec5b94b93760b7f652cf6916f66e317a4fbf8716d10c3673aa4fc3ae58"),
+	{0, PresetExt | PresetDenyDevel}: toHash(
+		"4448a74e8cc75a4ab63799c4f2cc2a5af63e5f4e8e9b8ac15a1873d647dfa67a4c67b39ed466d8dd32abc64136d401879fc6185c9ab00feeaf59ccf4305f8201"),
+	{0, PresetExt | PresetDenyNS | PresetDenyDevel}: toHash(
+		"c7c86e793cb7192f5f6c735f372cda27eb43ae1045e587f8eadb64c849520a3280b6570a3d7b601d32cddb38021585a2234db38e506cebfd10aa3d6c75440f17"),
+}

container/seccomp/std_test.go

@@ -24,8 +24,8 @@ func TestSyscallResolveName(t *testing.T) {
 }
 
 func TestRuleType(t *testing.T) {
-	assertKind[std.ScmpUint, scmpUint](t)
+	assertKind[std.Uint, scmpUint](t)
-	assertKind[std.ScmpInt, scmpInt](t)
+	assertKind[std.Int, scmpInt](t)
 
 	assertSize[std.NativeRule, syscallRule](t)
 	assertKind[std.ScmpDatum, scmpDatum](t)

container/std/mksysnum_linux.pl

@@ -12,6 +12,7 @@ my %syscall_cutoff_arch = (
 	"x86" => 340,
 	"x86_64" => 302,
 	"aarch64" => 281,
+	"riscv64" => 281,
 );
 
 print <<EOF;

container/std/seccomp.go

@@ -7,24 +7,28 @@ import (
 
 type (
 	// ScmpUint is equivalent to C.uint.
-	ScmpUint uint32
+	//
+	// Deprecated: This type has been renamed to Uint and will be removed in 0.4.
+	ScmpUint = Uint
 	// ScmpInt is equivalent to C.int.
-	ScmpInt int32
+	//
+	// Deprecated: This type has been renamed to Int and will be removed in 0.4.
+	ScmpInt = Int
 
 	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall ScmpInt
+	ScmpSyscall Int
 	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno ScmpInt
+	ScmpErrno Int
 
 	// ScmpCompare is equivalent to enum scmp_compare;
-	ScmpCompare ScmpUint
+	ScmpCompare Uint
 	// ScmpDatum is equivalent to scmp_datum_t.
 	ScmpDatum uint64
 
 	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
 	ScmpArgCmp struct {
 		// argument number, starting at 0
-		Arg ScmpUint `json:"arg"`
+		Arg Uint `json:"arg"`
 		// the comparison op, e.g. SCMP_CMP_*
 		Op ScmpCompare `json:"op"`
 

container/std/syscall_extra_linux_riscv64.go

@@ -0,0 +1,55 @@
+package std
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]ScmpSyscall{
+	"uselib":          SNR_USELIB,
+	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
+	"clock_settime64": SNR_CLOCK_SETTIME64,
+	"umount":          SNR_UMOUNT,
+	"chown":           SNR_CHOWN,
+	"chown32":         SNR_CHOWN32,
+	"fchown32":        SNR_FCHOWN32,
+	"lchown":          SNR_LCHOWN,
+	"lchown32":        SNR_LCHOWN32,
+	"setgid32":        SNR_SETGID32,
+	"setgroups32":     SNR_SETGROUPS32,
+	"setregid32":      SNR_SETREGID32,
+	"setresgid32":     SNR_SETRESGID32,
+	"setresuid32":     SNR_SETRESUID32,
+	"setreuid32":      SNR_SETREUID32,
+	"setuid32":        SNR_SETUID32,
+	"modify_ldt":      SNR_MODIFY_LDT,
+	"subpage_prot":    SNR_SUBPAGE_PROT,
+	"switch_endian":   SNR_SWITCH_ENDIAN,
+	"vm86":            SNR_VM86,
+	"vm86old":         SNR_VM86OLD,
+}
+
+const (
+	SNR_USELIB          ScmpSyscall = __PNR_uselib
+	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
+	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
+	SNR_UMOUNT          ScmpSyscall = __PNR_umount
+	SNR_CHOWN           ScmpSyscall = __PNR_chown
+	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
+	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
+	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
+	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
+	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
+	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
+	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
+	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
+	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
+	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
+	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
+	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
+	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
+	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
+	SNR_VM86            ScmpSyscall = __PNR_vm86
+	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
+)

container/std/syscall_linux_riscv64.go

@@ -0,0 +1,719 @@
+// mksysnum_linux.pl /usr/include/riscv64-linux-gnu/asm/unistd.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]ScmpSyscall{
+	"io_setup":                SNR_IO_SETUP,
+	"io_destroy":              SNR_IO_DESTROY,
+	"io_submit":               SNR_IO_SUBMIT,
+	"io_cancel":               SNR_IO_CANCEL,
+	"io_getevents":            SNR_IO_GETEVENTS,
+	"setxattr":                SNR_SETXATTR,
+	"lsetxattr":               SNR_LSETXATTR,
+	"fsetxattr":               SNR_FSETXATTR,
+	"getxattr":                SNR_GETXATTR,
+	"lgetxattr":               SNR_LGETXATTR,
+	"fgetxattr":               SNR_FGETXATTR,
+	"listxattr":               SNR_LISTXATTR,
+	"llistxattr":              SNR_LLISTXATTR,
+	"flistxattr":              SNR_FLISTXATTR,
+	"removexattr":             SNR_REMOVEXATTR,
+	"lremovexattr":            SNR_LREMOVEXATTR,
+	"fremovexattr":            SNR_FREMOVEXATTR,
+	"getcwd":                  SNR_GETCWD,
+	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
+	"eventfd2":                SNR_EVENTFD2,
+	"epoll_create1":           SNR_EPOLL_CREATE1,
+	"epoll_ctl":               SNR_EPOLL_CTL,
+	"epoll_pwait":             SNR_EPOLL_PWAIT,
+	"dup":                     SNR_DUP,
+	"dup3":                    SNR_DUP3,
+	"fcntl":                   SNR_FCNTL,
+	"inotify_init1":           SNR_INOTIFY_INIT1,
+	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
+	"ioctl":                   SNR_IOCTL,
+	"ioprio_set":              SNR_IOPRIO_SET,
+	"ioprio_get":              SNR_IOPRIO_GET,
+	"flock":                   SNR_FLOCK,
+	"mknodat":                 SNR_MKNODAT,
+	"mkdirat":                 SNR_MKDIRAT,
+	"unlinkat":                SNR_UNLINKAT,
+	"symlinkat":               SNR_SYMLINKAT,
+	"linkat":                  SNR_LINKAT,
+	"umount2":                 SNR_UMOUNT2,
+	"mount":                   SNR_MOUNT,
+	"pivot_root":              SNR_PIVOT_ROOT,
+	"nfsservctl":              SNR_NFSSERVCTL,
+	"statfs":                  SNR_STATFS,
+	"fstatfs":                 SNR_FSTATFS,
+	"truncate":                SNR_TRUNCATE,
+	"ftruncate":               SNR_FTRUNCATE,
+	"fallocate":               SNR_FALLOCATE,
+	"faccessat":               SNR_FACCESSAT,
+	"chdir":                   SNR_CHDIR,
+	"fchdir":                  SNR_FCHDIR,
+	"chroot":                  SNR_CHROOT,
+	"fchmod":                  SNR_FCHMOD,
+	"fchmodat":                SNR_FCHMODAT,
+	"fchownat":                SNR_FCHOWNAT,
+	"fchown":                  SNR_FCHOWN,
+	"openat":                  SNR_OPENAT,
+	"close":                   SNR_CLOSE,
+	"vhangup":                 SNR_VHANGUP,
+	"pipe2":                   SNR_PIPE2,
+	"quotactl":                SNR_QUOTACTL,
+	"getdents64":              SNR_GETDENTS64,
+	"lseek":                   SNR_LSEEK,
+	"read":                    SNR_READ,
+	"write":                   SNR_WRITE,
+	"readv":                   SNR_READV,
+	"writev":                  SNR_WRITEV,
+	"pread64":                 SNR_PREAD64,
+	"pwrite64":                SNR_PWRITE64,
+	"preadv":                  SNR_PREADV,
+	"pwritev":                 SNR_PWRITEV,
+	"sendfile":                SNR_SENDFILE,
+	"pselect6":                SNR_PSELECT6,
+	"ppoll":                   SNR_PPOLL,
+	"signalfd4":               SNR_SIGNALFD4,
+	"vmsplice":                SNR_VMSPLICE,
+	"splice":                  SNR_SPLICE,
+	"tee":                     SNR_TEE,
+	"readlinkat":              SNR_READLINKAT,
+	"newfstatat":              SNR_NEWFSTATAT,
+	"fstat":                   SNR_FSTAT,
+	"sync":                    SNR_SYNC,
+	"fsync":                   SNR_FSYNC,
+	"fdatasync":               SNR_FDATASYNC,
+	"sync_file_range":         SNR_SYNC_FILE_RANGE,
+	"timerfd_create":          SNR_TIMERFD_CREATE,
+	"timerfd_settime":         SNR_TIMERFD_SETTIME,
+	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
+	"utimensat":               SNR_UTIMENSAT,
+	"acct":                    SNR_ACCT,
+	"capget":                  SNR_CAPGET,
+	"capset":                  SNR_CAPSET,
+	"personality":             SNR_PERSONALITY,
+	"exit":                    SNR_EXIT,
+	"exit_group":              SNR_EXIT_GROUP,
+	"waitid":                  SNR_WAITID,
+	"set_tid_address":         SNR_SET_TID_ADDRESS,
+	"unshare":                 SNR_UNSHARE,
+	"futex":                   SNR_FUTEX,
+	"set_robust_list":         SNR_SET_ROBUST_LIST,
+	"get_robust_list":         SNR_GET_ROBUST_LIST,
+	"nanosleep":               SNR_NANOSLEEP,
+	"getitimer":               SNR_GETITIMER,
+	"setitimer":               SNR_SETITIMER,
+	"kexec_load":              SNR_KEXEC_LOAD,
+	"init_module":             SNR_INIT_MODULE,
+	"delete_module":           SNR_DELETE_MODULE,
+	"timer_create":            SNR_TIMER_CREATE,
+	"timer_gettime":           SNR_TIMER_GETTIME,
+	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
+	"timer_settime":           SNR_TIMER_SETTIME,
+	"timer_delete":            SNR_TIMER_DELETE,
+	"clock_settime":           SNR_CLOCK_SETTIME,
+	"clock_gettime":           SNR_CLOCK_GETTIME,
+	"clock_getres":            SNR_CLOCK_GETRES,
+	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
+	"syslog":                  SNR_SYSLOG,
+	"ptrace":                  SNR_PTRACE,
+	"sched_setparam":          SNR_SCHED_SETPARAM,
+	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
+	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
+	"sched_getparam":          SNR_SCHED_GETPARAM,
+	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
+	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
+	"sched_yield":             SNR_SCHED_YIELD,
+	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
+	"restart_syscall":         SNR_RESTART_SYSCALL,
+	"kill":                    SNR_KILL,
+	"tkill":                   SNR_TKILL,
+	"tgkill":                  SNR_TGKILL,
+	"sigaltstack":             SNR_SIGALTSTACK,
+	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
+	"rt_sigaction":            SNR_RT_SIGACTION,
+	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
+	"rt_sigpending":           SNR_RT_SIGPENDING,
+	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
+	"rt_sigreturn":            SNR_RT_SIGRETURN,
+	"setpriority":             SNR_SETPRIORITY,
+	"getpriority":             SNR_GETPRIORITY,
+	"reboot":                  SNR_REBOOT,
+	"setregid":                SNR_SETREGID,
+	"setgid":                  SNR_SETGID,
+	"setreuid":                SNR_SETREUID,
+	"setuid":                  SNR_SETUID,
+	"setresuid":               SNR_SETRESUID,
+	"getresuid":               SNR_GETRESUID,
+	"setresgid":               SNR_SETRESGID,
+	"getresgid":               SNR_GETRESGID,
+	"setfsuid":                SNR_SETFSUID,
+	"setfsgid":                SNR_SETFSGID,
+	"times":                   SNR_TIMES,
+	"setpgid":                 SNR_SETPGID,
+	"getpgid":                 SNR_GETPGID,
+	"getsid":                  SNR_GETSID,
+	"setsid":                  SNR_SETSID,
+	"getgroups":               SNR_GETGROUPS,
+	"setgroups":               SNR_SETGROUPS,
+	"uname":                   SNR_UNAME,
+	"sethostname":             SNR_SETHOSTNAME,
+	"setdomainname":           SNR_SETDOMAINNAME,
+	"getrlimit":               SNR_GETRLIMIT,
+	"setrlimit":               SNR_SETRLIMIT,
+	"getrusage":               SNR_GETRUSAGE,
+	"umask":                   SNR_UMASK,
+	"prctl":                   SNR_PRCTL,
+	"getcpu":                  SNR_GETCPU,
+	"gettimeofday":            SNR_GETTIMEOFDAY,
+	"settimeofday":            SNR_SETTIMEOFDAY,
+	"adjtimex":                SNR_ADJTIMEX,
+	"getpid":                  SNR_GETPID,
+	"getppid":                 SNR_GETPPID,
+	"getuid":                  SNR_GETUID,
+	"geteuid":                 SNR_GETEUID,
+	"getgid":                  SNR_GETGID,
+	"getegid":                 SNR_GETEGID,
+	"gettid":                  SNR_GETTID,
+	"sysinfo":                 SNR_SYSINFO,
+	"mq_open":                 SNR_MQ_OPEN,
+	"mq_unlink":               SNR_MQ_UNLINK,
+	"mq_timedsend":            SNR_MQ_TIMEDSEND,
+	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
+	"mq_notify":               SNR_MQ_NOTIFY,
+	"mq_getsetattr":           SNR_MQ_GETSETATTR,
+	"msgget":                  SNR_MSGGET,
+	"msgctl":                  SNR_MSGCTL,
+	"msgrcv":                  SNR_MSGRCV,
+	"msgsnd":                  SNR_MSGSND,
+	"semget":                  SNR_SEMGET,
+	"semctl":                  SNR_SEMCTL,
+	"semtimedop":              SNR_SEMTIMEDOP,
+	"semop":                   SNR_SEMOP,
+	"shmget":                  SNR_SHMGET,
+	"shmctl":                  SNR_SHMCTL,
+	"shmat":                   SNR_SHMAT,
+	"shmdt":                   SNR_SHMDT,
+	"socket":                  SNR_SOCKET,
+	"socketpair":              SNR_SOCKETPAIR,
+	"bind":                    SNR_BIND,
+	"listen":                  SNR_LISTEN,
+	"accept":                  SNR_ACCEPT,
+	"connect":                 SNR_CONNECT,
+	"getsockname":             SNR_GETSOCKNAME,
+	"getpeername":             SNR_GETPEERNAME,
+	"sendto":                  SNR_SENDTO,
+	"recvfrom":                SNR_RECVFROM,
+	"setsockopt":              SNR_SETSOCKOPT,
+	"getsockopt":              SNR_GETSOCKOPT,
+	"shutdown":                SNR_SHUTDOWN,
+	"sendmsg":                 SNR_SENDMSG,
+	"recvmsg":                 SNR_RECVMSG,
+	"readahead":               SNR_READAHEAD,
+	"brk":                     SNR_BRK,
+	"munmap":                  SNR_MUNMAP,
+	"mremap":                  SNR_MREMAP,
+	"add_key":                 SNR_ADD_KEY,
+	"request_key":             SNR_REQUEST_KEY,
+	"keyctl":                  SNR_KEYCTL,
+	"clone":                   SNR_CLONE,
+	"execve":                  SNR_EXECVE,
+	"mmap":                    SNR_MMAP,
+	"fadvise64":               SNR_FADVISE64,
+	"swapon":                  SNR_SWAPON,
+	"swapoff":                 SNR_SWAPOFF,
+	"mprotect":                SNR_MPROTECT,
+	"msync":                   SNR_MSYNC,
+	"mlock":                   SNR_MLOCK,
+	"munlock":                 SNR_MUNLOCK,
+	"mlockall":                SNR_MLOCKALL,
+	"munlockall":              SNR_MUNLOCKALL,
+	"mincore":                 SNR_MINCORE,
+	"madvise":                 SNR_MADVISE,
+	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
+	"mbind":                   SNR_MBIND,
+	"get_mempolicy":           SNR_GET_MEMPOLICY,
+	"set_mempolicy":           SNR_SET_MEMPOLICY,
+	"migrate_pages":           SNR_MIGRATE_PAGES,
+	"move_pages":              SNR_MOVE_PAGES,
+	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
+	"perf_event_open":         SNR_PERF_EVENT_OPEN,
+	"accept4":                 SNR_ACCEPT4,
+	"recvmmsg":                SNR_RECVMMSG,
+	"wait4":                   SNR_WAIT4,
+	"prlimit64":               SNR_PRLIMIT64,
+	"fanotify_init":           SNR_FANOTIFY_INIT,
+	"fanotify_mark":           SNR_FANOTIFY_MARK,
+	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":           SNR_CLOCK_ADJTIME,
+	"syncfs":                  SNR_SYNCFS,
+	"setns":                   SNR_SETNS,
+	"sendmmsg":                SNR_SENDMMSG,
+	"process_vm_readv":        SNR_PROCESS_VM_READV,
+	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
+	"kcmp":                    SNR_KCMP,
+	"finit_module":            SNR_FINIT_MODULE,
+	"sched_setattr":           SNR_SCHED_SETATTR,
+	"sched_getattr":           SNR_SCHED_GETATTR,
+	"renameat2":               SNR_RENAMEAT2,
+	"seccomp":                 SNR_SECCOMP,
+	"getrandom":               SNR_GETRANDOM,
+	"memfd_create":            SNR_MEMFD_CREATE,
+	"bpf":                     SNR_BPF,
+	"execveat":                SNR_EXECVEAT,
+	"userfaultfd":             SNR_USERFAULTFD,
+	"membarrier":              SNR_MEMBARRIER,
+	"mlock2":                  SNR_MLOCK2,
+	"copy_file_range":         SNR_COPY_FILE_RANGE,
+	"preadv2":                 SNR_PREADV2,
+	"pwritev2":                SNR_PWRITEV2,
+	"pkey_mprotect":           SNR_PKEY_MPROTECT,
+	"pkey_alloc":              SNR_PKEY_ALLOC,
+	"pkey_free":               SNR_PKEY_FREE,
+	"statx":                   SNR_STATX,
+	"io_pgetevents":           SNR_IO_PGETEVENTS,
+	"rseq":                    SNR_RSEQ,
+	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
+	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":          SNR_IO_URING_SETUP,
+	"io_uring_enter":          SNR_IO_URING_ENTER,
+	"io_uring_register":       SNR_IO_URING_REGISTER,
+	"open_tree":               SNR_OPEN_TREE,
+	"move_mount":              SNR_MOVE_MOUNT,
+	"fsopen":                  SNR_FSOPEN,
+	"fsconfig":                SNR_FSCONFIG,
+	"fsmount":                 SNR_FSMOUNT,
+	"fspick":                  SNR_FSPICK,
+	"pidfd_open":              SNR_PIDFD_OPEN,
+	"clone3":                  SNR_CLONE3,
+	"close_range":             SNR_CLOSE_RANGE,
+	"openat2":                 SNR_OPENAT2,
+	"pidfd_getfd":             SNR_PIDFD_GETFD,
+	"faccessat2":              SNR_FACCESSAT2,
+	"process_madvise":         SNR_PROCESS_MADVISE,
+	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
+	"mount_setattr":           SNR_MOUNT_SETATTR,
+	"quotactl_fd":             SNR_QUOTACTL_FD,
+	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":            SNR_MEMFD_SECRET,
+	"process_mrelease":        SNR_PROCESS_MRELEASE,
+	"futex_waitv":             SNR_FUTEX_WAITV,
+	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":               SNR_CACHESTAT,
+	"fchmodat2":               SNR_FCHMODAT2,
+	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
+	"futex_wake":              SNR_FUTEX_WAKE,
+	"futex_wait":              SNR_FUTEX_WAIT,
+	"futex_requeue":           SNR_FUTEX_REQUEUE,
+	"statmount":               SNR_STATMOUNT,
+	"listmount":               SNR_LISTMOUNT,
+	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
+	"mseal":                   SNR_MSEAL,
+	"setxattrat":              SNR_SETXATTRAT,
+	"getxattrat":              SNR_GETXATTRAT,
+	"listxattrat":             SNR_LISTXATTRAT,
+	"removexattrat":           SNR_REMOVEXATTRAT,
+}
+
+const (
+	SYS_USERFAULTFD             = 282
+	SYS_MEMBARRIER              = 283
+	SYS_MLOCK2                  = 284
+	SYS_COPY_FILE_RANGE         = 285
+	SYS_PREADV2                 = 286
+	SYS_PWRITEV2                = 287
+	SYS_PKEY_MPROTECT           = 288
+	SYS_PKEY_ALLOC              = 289
+	SYS_PKEY_FREE               = 290
+	SYS_STATX                   = 291
+	SYS_IO_PGETEVENTS           = 292
+	SYS_RSEQ                    = 293
+	SYS_KEXEC_FILE_LOAD         = 294
+	SYS_PIDFD_SEND_SIGNAL       = 424
+	SYS_IO_URING_SETUP          = 425
+	SYS_IO_URING_ENTER          = 426
+	SYS_IO_URING_REGISTER       = 427
+	SYS_OPEN_TREE               = 428
+	SYS_MOVE_MOUNT              = 429
+	SYS_FSOPEN                  = 430
+	SYS_FSCONFIG                = 431
+	SYS_FSMOUNT                 = 432
+	SYS_FSPICK                  = 433
+	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
+	SYS_CLOSE_RANGE             = 436
+	SYS_OPENAT2                 = 437
+	SYS_PIDFD_GETFD             = 438
+	SYS_FACCESSAT2              = 439
+	SYS_PROCESS_MADVISE         = 440
+	SYS_EPOLL_PWAIT2            = 441
+	SYS_MOUNT_SETATTR           = 442
+	SYS_QUOTACTL_FD             = 443
+	SYS_LANDLOCK_CREATE_RULESET = 444
+	SYS_LANDLOCK_ADD_RULE       = 445
+	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
+	SYS_PROCESS_MRELEASE        = 448
+	SYS_FUTEX_WAITV             = 449
+	SYS_SET_MEMPOLICY_HOME_NODE = 450
+	SYS_CACHESTAT               = 451
+	SYS_FCHMODAT2               = 452
+	SYS_MAP_SHADOW_STACK        = 453
+	SYS_FUTEX_WAKE              = 454
+	SYS_FUTEX_WAIT              = 455
+	SYS_FUTEX_REQUEUE           = 456
+	SYS_STATMOUNT               = 457
+	SYS_LISTMOUNT               = 458
+	SYS_LSM_GET_SELF_ATTR       = 459
+	SYS_LSM_SET_SELF_ATTR       = 460
+	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
+	SYS_SETXATTRAT              = 463
+	SYS_GETXATTRAT              = 464
+	SYS_LISTXATTRAT             = 465
+	SYS_REMOVEXATTRAT           = 466
+	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+)
+
+const (
+	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
+	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
+	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
+	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
+	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
+	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
+	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
+	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
+	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
+	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
+	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
+	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
+	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
+	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
+	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
+	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
+	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
+	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
+	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
+	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
+	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
+	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
+	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
+	SNR_DUP                     ScmpSyscall = SYS_DUP
+	SNR_DUP3                    ScmpSyscall = SYS_DUP3
+	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
+	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
+	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
+	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
+	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
+	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
+	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
+	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
+	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
+	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
+	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
+	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
+	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
+	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
+	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
+	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
+	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
+	SNR_STATFS                  ScmpSyscall = SYS_STATFS
+	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
+	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
+	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
+	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
+	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
+	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
+	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
+	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
+	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
+	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
+	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
+	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
+	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
+	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
+	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
+	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
+	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
+	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
+	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
+	SNR_READ                    ScmpSyscall = SYS_READ
+	SNR_WRITE                   ScmpSyscall = SYS_WRITE
+	SNR_READV                   ScmpSyscall = SYS_READV
+	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
+	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
+	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
+	SNR_PREADV                  ScmpSyscall = SYS_PREADV
+	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
+	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
+	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
+	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
+	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
+	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
+	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
+	SNR_TEE                     ScmpSyscall = SYS_TEE
+	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
+	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
+	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
+	SNR_SYNC                    ScmpSyscall = SYS_SYNC
+	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
+	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
+	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
+	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
+	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
+	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
+	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
+	SNR_ACCT                    ScmpSyscall = SYS_ACCT
+	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
+	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
+	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
+	SNR_EXIT                    ScmpSyscall = SYS_EXIT
+	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
+	SNR_WAITID                  ScmpSyscall = SYS_WAITID
+	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
+	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
+	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
+	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
+	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
+	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
+	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
+	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
+	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
+	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
+	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
+	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
+	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
+	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
+	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
+	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
+	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
+	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
+	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
+	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
+	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
+	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
+	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
+	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
+	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
+	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
+	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
+	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
+	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
+	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
+	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
+	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
+	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
+	SNR_KILL                    ScmpSyscall = SYS_KILL
+	SNR_TKILL                   ScmpSyscall = SYS_TKILL
+	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
+	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
+	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
+	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
+	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
+	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
+	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
+	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
+	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
+	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
+	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
+	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
+	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
+	SNR_SETGID                  ScmpSyscall = SYS_SETGID
+	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
+	SNR_SETUID                  ScmpSyscall = SYS_SETUID
+	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
+	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
+	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
+	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
+	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
+	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
+	SNR_TIMES                   ScmpSyscall = SYS_TIMES
+	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
+	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
+	SNR_GETSID                  ScmpSyscall = SYS_GETSID
+	SNR_SETSID                  ScmpSyscall = SYS_SETSID
+	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
+	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
+	SNR_UNAME                   ScmpSyscall = SYS_UNAME
+	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
+	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
+	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
+	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
+	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
+	SNR_UMASK                   ScmpSyscall = SYS_UMASK
+	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
+	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
+	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
+	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
+	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
+	SNR_GETPID                  ScmpSyscall = SYS_GETPID
+	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
+	SNR_GETUID                  ScmpSyscall = SYS_GETUID
+	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
+	SNR_GETGID                  ScmpSyscall = SYS_GETGID
+	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
+	SNR_GETTID                  ScmpSyscall = SYS_GETTID
+	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
+	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
+	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
+	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
+	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
+	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
+	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
+	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
+	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
+	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
+	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
+	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
+	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
+	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
+	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
+	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
+	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
+	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
+	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
+	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
+	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
+	SNR_BIND                    ScmpSyscall = SYS_BIND
+	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
+	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
+	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
+	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
+	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
+	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
+	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
+	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
+	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
+	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
+	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
+	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
+	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
+	SNR_BRK                     ScmpSyscall = SYS_BRK
+	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
+	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
+	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
+	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
+	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
+	SNR_CLONE                   ScmpSyscall = SYS_CLONE
+	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
+	SNR_MMAP                    ScmpSyscall = SYS_MMAP
+	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
+	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
+	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
+	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
+	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
+	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
+	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
+	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
+	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
+	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
+	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
+	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
+	SNR_MBIND                   ScmpSyscall = SYS_MBIND
+	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
+	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
+	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
+	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
+	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
+	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
+	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
+	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
+	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
+	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
+	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
+	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
+	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
+	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
+	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
+	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
+	SNR_SETNS                   ScmpSyscall = SYS_SETNS
+	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
+	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
+	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
+	SNR_KCMP                    ScmpSyscall = SYS_KCMP
+	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
+	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
+	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
+	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
+	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
+	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
+	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
+	SNR_BPF                     ScmpSyscall = SYS_BPF
+	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
+	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
+	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
+	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
+	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
+	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
+	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
+	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
+	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
+	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
+	SNR_STATX                   ScmpSyscall = SYS_STATX
+	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
+	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
+	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
+	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
+	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
+	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
+	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
+	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
+	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
+	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
+	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
+	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
+	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
+	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
+	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
+	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
+	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
+	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
+	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
+	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
+	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
+	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
+	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
+	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
+	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
+	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
+	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
+	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
+	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
+	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
+	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
+	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
+	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
+	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
+	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
+	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
+	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
+	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
+	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
+	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
+	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
+	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
+	SNR_SETXATTRAT              ScmpSyscall = SYS_SETXATTRAT
+	SNR_GETXATTRAT              ScmpSyscall = SYS_GETXATTRAT
+	SNR_LISTXATTRAT             ScmpSyscall = SYS_LISTXATTRAT
+	SNR_REMOVEXATTRAT           ScmpSyscall = SYS_REMOVEXATTRAT
+	SNR_OPEN_TREE_ATTR          ScmpSyscall = SYS_OPEN_TREE_ATTR
+	SNR_FILE_GETATTR            ScmpSyscall = SYS_FILE_GETATTR
+	SNR_FILE_SETATTR            ScmpSyscall = SYS_FILE_SETATTR
+)

container/std/types.go

@@ -0,0 +1,8 @@
+package std
+
+type (
+	// Uint is equivalent to C.uint.
+	Uint uint32
+	// Int is equivalent to C.int.
+	Int int32
+)

container/syscall.go

@@ -3,6 +3,8 @@ package container
 import (
 	. "syscall"
 	"unsafe"
+
+	"hakurei.app/container/std"
 )
 
 // Prctl manipulates various aspects of the behavior of the calling thread or process.
@@ -41,6 +43,49 @@ func Isatty(fd int) bool {
 	return r == 0
 }
 
+// include/uapi/linux/sched.h
+const (
+	SCHED_NORMAL = iota
+	SCHED_FIFO
+	SCHED_RR
+	SCHED_BATCH
+	_ // SCHED_ISO: reserved but not implemented yet
+	SCHED_IDLE
+	SCHED_DEADLINE
+	SCHED_EXT
+)
+
+// schedParam is equivalent to struct sched_param from include/linux/sched.h.
+type schedParam struct {
+	// sched_priority
+	priority std.Int
+}
+
+// schedSetscheduler sets both the scheduling policy and parameters for the
+// thread whose ID is specified in tid. If tid equals zero, the scheduling
+// policy and parameters of the calling thread will be set.
+//
+// This function is unexported because it is [very subtle to use correctly]. The
+// function signature in libc is misleading: pid actually refers to a thread ID.
+// The glibc wrapper for this system call ignores this semantic and exposes
+// this counterintuitive behaviour.
+//
+// This function is only called from the container setup thread. Do not reuse
+// this if you do not have something similar in place!
+//
+// [very subtle to use correctly]: https://www.openwall.com/lists/musl/2016/03/01/4
+func schedSetscheduler(tid, policy int, param *schedParam) error {
+	if r, _, errno := Syscall(
+		SYS_SCHED_SETSCHEDULER,
+		uintptr(tid),
+		uintptr(policy),
+		uintptr(unsafe.Pointer(param)),
+	); r < 0 {
+		return errno
+	}
+	return nil
+}
+
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.

container/vfs/mangle.go

@@ -2,6 +2,8 @@ package vfs
 
 import "strings"
 
+// Unmangle reverses mangling of strings done by the kernel. Its behaviour is
+// consistent with the equivalent function in util-linux.
 func Unmangle(s string) string {
 	if !strings.ContainsRune(s, '\\') {
 		return s

container/vfs/mountinfo.go

@@ -24,6 +24,7 @@ var (
 	ErrMountInfoSep    = errors.New("bad optional fields separator")
 )
 
+// A DecoderError describes a nonrecoverable error decoding a mountinfo stream.
 type DecoderError struct {
 	Op   string
 	Line int
@@ -51,7 +52,8 @@ func (e *DecoderError) Error() string {
 }
 
 type (
-	// A MountInfoDecoder reads and decodes proc_pid_mountinfo(5) entries from an input stream.
+	// A MountInfoDecoder reads and decodes proc_pid_mountinfo(5) entries from
+	// an input stream.
 	MountInfoDecoder struct {
 		s *bufio.Scanner
 		m *MountInfo
@@ -72,13 +74,16 @@ type (
 	MountInfoEntry struct {
 		// mount ID: a unique ID for the mount (may be reused after umount(2)).
 		ID int `json:"id"`
-		// parent ID: the ID of the parent mount (or of self for the root of this mount namespace's mount tree).
+		// parent ID: the ID of the parent mount (or of self for the root of
+		// this mount namespace's mount tree).
 		Parent int `json:"parent"`
 		// major:minor: the value of st_dev for files on this filesystem (see stat(2)).
 		Devno DevT `json:"devno"`
-		// root: the pathname of the directory in the filesystem which forms the root of this mount.
+		// root: the pathname of the directory in the filesystem which forms the
+		// root of this mount.
 		Root string `json:"root"`
-		// mount point: the pathname of the mount point relative to the process's root directory.
+		// mount point: the pathname of the mount point relative to the
+		// process's root directory.
 		Target string `json:"target"`
 		// mount options: per-mount options (see mount(2)).
 		VfsOptstr string `json:"vfs_optstr"`
@@ -126,7 +131,8 @@ func (e *MountInfoEntry) Flags() (flags uintptr, unmatched []string) {
 
 // NewMountInfoDecoder returns a new decoder that reads from r.
 //
-// The decoder introduces its own buffering and may read data from r beyond the mountinfo entries requested.
+// The decoder introduces its own buffering and may read data from r beyond the
+// mountinfo entries requested.
 func NewMountInfoDecoder(r io.Reader) *MountInfoDecoder {
 	return &MountInfoDecoder{s: bufio.NewScanner(r)}
 }
@@ -271,6 +277,8 @@ func parseMountInfoLine(s string, ent *MountInfoEntry) error {
 	return nil
 }
 
+// EqualWithIgnore compares to [MountInfoEntry] values, ignoring fields that
+// compare equal to ignore.
 func (e *MountInfoEntry) EqualWithIgnore(want *MountInfoEntry, ignore string) bool {
 	return (e.ID == want.ID || want.ID == -1) &&
 		(e.Parent == want.Parent || want.Parent == -1) &&
@@ -284,6 +292,8 @@ func (e *MountInfoEntry) EqualWithIgnore(want *MountInfoEntry, ignore string) bo
 		(e.FsOptstr == want.FsOptstr || want.FsOptstr == ignore)
 }
 
+// String returns a user-facing representation of a [MountInfoEntry]. It fits
+// roughly into the mountinfo format, but without mangling.
 func (e *MountInfoEntry) String() string {
 	return fmt.Sprintf("%d %d %d:%d %s %s %s %s %s %s %s",
 		e.ID, e.Parent, e.Devno[0], e.Devno[1], e.Root, e.Target, e.VfsOptstr,

container/vfs/unfold.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 )
 
+// UnfoldTargetError is a pathname that never appeared in a mount hierarchy.
 type UnfoldTargetError string
 
 func (e UnfoldTargetError) Error() string {
@@ -27,6 +28,7 @@ func (n *MountInfoNode) Collective() iter.Seq[*MountInfoNode] {
 	return func(yield func(*MountInfoNode) bool) { n.visit(yield) }
 }
 
+// visit recursively visits all visible mountinfo nodes.
 func (n *MountInfoNode) visit(yield func(*MountInfoNode) bool) bool {
 	if !n.Covered && !yield(n) {
 		return false

dist/install.sh

@@ -1,12 +1,12 @@
 #!/bin/sh
 cd "$(dirname -- "$0")" || exit 1
 
-install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
+install -vDm0755 "bin/hakurei" "${DESTDIR}/usr/bin/hakurei"
-install -vDm0755 "bin/hpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hpkg"
+install -vDm0755 "bin/sharefs" "${DESTDIR}/usr/bin/sharefs"
 
-install -vDm4511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
+install -vDm4511 "bin/hsu" "${DESTDIR}/usr/bin/hsu"
-if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
-    install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
 fi
 
-install -vDm0644 "comp/_hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/share/zsh/site-functions/_hakurei"
+install -vDm0644 "comp/_hakurei" "${DESTDIR}/usr/share/zsh/site-functions/_hakurei"

dist/release.sh

@@ -1,20 +1,31 @@
 #!/bin/sh -e
 cd "$(dirname -- "$0")/.."
 VERSION="${HAKUREI_VERSION:-untagged}"
-pname="hakurei-${VERSION}"
+pname="hakurei-${VERSION}-$(go env GOARCH)"
-out="dist/${pname}"
+out="${DESTDIR:-dist}/${pname}"
 
+echo '# Preparing distribution files.'
 mkdir -p "${out}"
 cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
 cp -rv "dist/comp" "${out}"
+echo
 
+echo '# Building hakurei.'
 go generate ./...
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
+  -buildid= -linkmode external -extldflags=-static
   -X hakurei.app/internal/info.buildVersion=${VERSION}
   -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
   -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
   -X main.hakureiPath=/usr/bin/hakurei" ./...
+echo
 
-rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
+echo '# Testing hakurei.'
-rm -rf "./${out}"
+go test -ldflags='-buildid= -linkmode external -extldflags=-static' ./...
-(cd dist && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
+echo
+
+echo '# Creating distribution.'
+rm -f "${out}.tar.gz" && tar -C "${out}/.." -vczf "${out}.tar.gz" "${pname}"
+rm -rf "${out}"
+(cd "${out}/.." && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
+echo

flake.lock

@@ -7,32 +7,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1756679287,
+        "lastModified": 1765384171,
-        "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
+        "narHash": "sha256-FuFtkJrW1Z7u+3lhzPRau69E0CNjADku1mLQQflUORo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
+        "rev": "44777152652bc9eacf8876976fa72cc77ca8b9d8",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1757020766,
+        "lastModified": 1765311797,
-        "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
+        "narHash": "sha256-mSD5Ob7a+T2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
+        "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,10 +2,10 @@
   description = "hakurei container tool and nixos module";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -29,20 +29,6 @@
     {
       nixosModules.hakurei = import ./nixos.nix self.packages;
 
-      buildPackage = forAllSystems (
-        system:
-        nixpkgsFor.${system}.callPackage (
-          import ./cmd/hpkg/build.nix {
-            inherit
-              nixpkgsFor
-              system
-              nixpkgs
-              home-manager
-              ;
-          }
-        )
-      );
-
       checks = forAllSystems (
         system:
         let
@@ -69,7 +55,7 @@
             withRace = true;
           };
 
-          hpkg = callPackage ./cmd/hpkg/test { inherit system self; };
+          sharefs = callPackage ./cmd/sharefs/test { inherit system self; };
 
           formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
             cd ${./.}
@@ -125,31 +111,38 @@
               glibc
               xdg-dbus-proxy
 
-              # hpkg
-              zstd
-              gnutar
-              coreutils
-
               # for check
               util-linux
               nettools
               ;
           };
           hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };
+          sharefs = pkgs.linkFarm "sharefs" {
+            "bin/sharefs" = "${hakurei}/libexec/sharefs";
+            "bin/mount.fuse.sharefs" = "${hakurei}/libexec/sharefs";
+          };
 
-          dist = pkgs.runCommand "${hakurei.name}-dist" { buildInputs = hakurei.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
+          dist =
-            # go requires XDG_CACHE_HOME for the build cache
+            pkgs.runCommand "${hakurei.name}-dist"
-            export XDG_CACHE_HOME="$(mktemp -d)"
+              {
+                buildInputs = hakurei.targetPkgs ++ [
+                  pkgs.pkgsStatic.musl
+                ];
+              }
+              ''
+                cd $(mktemp -d) \
+                    && cp -r ${hakurei.src}/. . \
+                    && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
+                    && chmod -R +w .
 
-            # get a different workdir as go does not like /build
+                CC="musl-clang -O3 -Werror -Qunused-arguments" \
-            cd $(mktemp -d) \
+                GOCACHE="$(mktemp -d)" \
-                && cp -r ${hakurei.src}/. . \
+                HAKUREI_TEST_SKIP_ACL=1 \
-                && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
+                PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
-                && chmod -R +w .
+                DESTDIR="$out" \
-
+                HAKUREI_VERSION="v${hakurei.version}" \
-            export HAKUREI_VERSION="v${hakurei.version}"
+                  ./dist/release.sh
-            CC="clang -O3 -Werror" ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
+              '';
-          '';
         }
       );
 
@@ -160,7 +153,10 @@
           pkgs = nixpkgsFor.${system};
         in
         {
-          default = pkgs.mkShell { buildInputs = hakurei.targetPkgs; };
+          default = pkgs.mkShell {
+            buildInputs = hakurei.targetPkgs;
+            hardeningDisable = [ "fortify" ];
+          };
           withPackage = pkgs.mkShell { buildInputs = [ hakurei ] ++ hakurei.targetPkgs; };
 
           vm =
@@ -185,13 +181,13 @@
                       hakurei =
                         let
                           # this is used for interactive vm testing during development, where tests might be broken
-                          package = self.packages.${pkgs.system}.hakurei.override {
+                          package = self.packages.${pkgs.stdenv.hostPlatform.system}.hakurei.override {
                             buildGoModule = previousArgs: pkgs.pkgsStatic.buildGoModule (previousArgs // { doCheck = false; });
                           };
                         in
                         {
                           inherit package;
-                          hsuPackage = self.packages.${pkgs.system}.hsu.override { hakurei = package; };
+                          hsuPackage = self.packages.${pkgs.stdenv.hostPlatform.system}.hsu.override { hakurei = package; };
                         };
                     };
                   }
@@ -202,7 +198,7 @@
                   ./test/interactive/trace.nix
 
                   self.nixosModules.hakurei
-                  self.inputs.home-manager.nixosModules.home-manager
+                  home-manager.nixosModules.home-manager
                 ];
               };
             in

go.mod

@@ -1,3 +1,3 @@
 module hakurei.app
 
-go 1.24
+go 1.25

hst/config.go

@@ -30,12 +30,46 @@ type Config struct {
 	// This option is unsupported and most likely enables full control over the Wayland
 	// session. Do not set this to true unless you are sure you know what you are doing.
 	DirectWayland bool `json:"direct_wayland,omitempty"`
+	// Direct access to the PipeWire socket established via SecurityContext::Create, no
+	// attempt is made to start the pipewire-pulse server.
+	//
+	// The SecurityContext machinery is fatally flawed, it blindly sets read and execute
+	// bits on all objects for clients with the lowest achievable privilege level (by
+	// setting PW_KEY_ACCESS to "restricted"). This enables them to call any method
+	// targeting any object, and since Registry::Destroy checks for the read and execute bit,
+	// allows the destruction of any object other than PW_ID_CORE as well. This behaviour
+	// is implemented separately in media-session and wireplumber, with the wireplumber
+	// implementation in Lua via an embedded Lua vm. In all known setups, wireplumber is
+	// in use, and there is no known way to change its behaviour and set permissions
+	// differently without replacing the Lua script. Also, since PipeWire relies on these
+	// permissions to work, reducing them is not possible.
+	//
+	// Currently, the only other sandboxed use case is flatpak, which is not aware of
+	// PipeWire and blindly exposes the bare PulseAudio socket to the container (behaves
+	// like DirectPulse). This socket is backed by the pipewire-pulse compatibility daemon,
+	// which obtains client pid via the SO_PEERCRED option. The PipeWire daemon, pipewire-pulse
+	// daemon and the session manager daemon then separately performs the /.flatpak-info hack
+	// described in https://git.gensokyo.uk/security/hakurei/issues/21. Under such use case,
+	// since the client has no direct access to PipeWire, insecure parts of the protocol are
+	// obscured by pipewire-pulse simply not implementing them, and thus hiding the flaws
+	// described above.
+	//
+	// Hakurei does not rely on the /.flatpak-info hack. Instead, a socket is sets up via
+	// SecurityContext. A pipewire-pulse server connected through it achieves the same
+	// permissions as flatpak does via the /.flatpak-info hack and is maintained for the
+	// life of the container.
+	//
+	// This option is unsupported and enables a denial-of-service attack as the sandboxed
+	// client is able to destroy any client object and thus disconnecting them from PipeWire,
+	// or destroy the SecurityContext object preventing any further container creation.
+	// Do not set this to true, it is insecure under any configuration.
+	DirectPipeWire bool `json:"direct_pipewire,omitempty"`
 	// Direct access to PulseAudio socket, no attempt is made to establish pipewire-pulse
 	// server via a PipeWire socket with a SecurityContext attached and the bare socket
 	// is made available to the container.
 	//
 	// This option is unsupported and enables arbitrary code execution as the PulseAudio
-	// server. Do not set this to true, this is insecure under any configuration.
+	// server. Do not set this to true, it is insecure under any configuration.
 	DirectPulse bool `json:"direct_pulse,omitempty"`
 
 	// Extra acl updates to perform before setuid.

internal/acl/acl_test.go

@@ -24,9 +24,8 @@ var (
 )
 
 func TestUpdate(t *testing.T) {
-	if os.Getenv("GO_TEST_SKIP_ACL") == "1" {
+	if os.Getenv("HAKUREI_TEST_SKIP_ACL") == "1" {
-		t.Log("acl test skipped")
+		t.Skip("acl test skipped")
-		t.SkipNow()
 	}
 
 	testFilePath := path.Join(t.TempDir(), testFileName)
@@ -143,6 +142,7 @@ func (c *getFAclInvocation) run(name string) error {
 	}
 
 	c.cmd = exec.Command("getfacl", "--omit-header", "--absolute-names", "--numeric", name)
+	c.cmd.Stderr = os.Stderr
 
 	scanErr := make(chan error, 1)
 	if p, err := c.cmd.StdoutPipe(); err != nil {
@@ -254,7 +254,7 @@ func getfacl(t *testing.T, name string) []*getFAclResp {
 		t.Fatalf("getfacl: error = %v", err)
 	}
 	if len(c.pe) != 0 {
-		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...).Error())
+		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...))
 	}
 	return c.val
 }

internal/azalea/azalea.go

@@ -0,0 +1,69 @@
+//go:generate gocc -a azalea.bnf
+package azalea
+
+import (
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"hakurei.app/container/check"
+)
+
+type Parser struct {
+	Generator
+}
+
+func NewParser(gen Generator) *Parser {
+	return &Parser{
+		Generator: gen,
+	}
+}
+func (p Parser) Initialise() {
+
+}
+
+func (p Parser) Consume(ns string, file io.Reader) error {
+	return nil
+}
+
+// ConsumeDir walks a directory and consumes all Azalea source files within it and all its subdirectories, as long as they end with the .az extension.
+func (p Parser) ConsumeDir(dir *check.Absolute) error {
+	ds := dir.String()
+	return filepath.WalkDir(ds, func(path string, d fs.DirEntry, err error) (e error) {
+		if err != nil {
+			return err
+		}
+		if d.IsDir() || !strings.HasSuffix(d.Name(), ".az") {
+			return
+		}
+		rel, e := filepath.Rel(ds, path)
+		ns := strings.TrimSuffix(rel, ".az")
+		f, e := os.Open(path)
+		return p.Consume(ns, f)
+	})
+}
+
+// ConsumeAll consumes all provided readers as Azalea source code, each given the namespace `r%d` where `%d` is the index of the reader in the provided arguments.
+func (p Parser) ConsumeAll(in ...io.Reader) error {
+	for i, r := range in {
+		err := p.Consume("r"+strconv.FormatInt(int64(i), 10), r)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ConsumeStrings consumes all provided strings as Azalea source code, each given the namespace `s%d` where `%d` is the index of the string in the provided arugments.
+func (p Parser) ConsumeStrings(in ...string) error {
+	for i, s := range in {
+		err := p.Consume("s"+strconv.FormatInt(int64(i), 10), strings.NewReader(s))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

internal/azalea/generator.go

@@ -0,0 +1,36 @@
+package azalea
+
+import (
+	"io"
+)
+
+type Generator interface {
+	Finalise() (error, io.Writer)
+}
+
+type JsonGenerator struct {
+	t any
+}
+
+func NewJsonGenerator[T any]() JsonGenerator {
+	t := new(T)
+
+	return JsonGenerator{
+		t,
+	}
+}
+
+func (j *JsonGenerator) Finalise() (error, io.Writer) {
+
+}
+
+type PkgIRGenerator struct {
+}
+
+func NewPkgIRGenerator() PkgIRGenerator {
+	return PkgIRGenerator{}
+}
+
+func (p *PkgIRGenerator) Finalise() (error, io.Writer) {
+
+}

internal/lockedfile/internal/filelock/filelock.go

@@ -8,7 +8,6 @@
 package filelock
 
 import (
-	"errors"
 	"io/fs"
 )
 
@@ -74,10 +73,3 @@ func (lt lockType) String() string {
 		return "Unlock"
 	}
 }
-
-// IsNotSupported returns a boolean indicating whether the error is known to
-// report that a function is not supported (possibly for a specific input).
-// It is satisfied by errors.ErrUnsupported as well as some syscall errors.
-func IsNotSupported(err error) bool {
-	return errors.Is(err, errors.ErrUnsupported)
-}

internal/lockedfile/internal/filelock/filelock_test.go

@@ -14,7 +14,7 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/container"
+	"hakurei.app/container/fhs"
 	"hakurei.app/internal/lockedfile/internal/filelock"
 	"hakurei.app/internal/lockedfile/internal/testexec"
 )
@@ -197,7 +197,7 @@ func TestLockNotDroppedByExecCommand(t *testing.T) {
 	// Some kinds of file locks are dropped when a duplicated or forked file
 	// descriptor is unlocked. Double-check that the approach used by os/exec does
 	// not accidentally drop locks.
-	cmd := testexec.CommandContext(t, t.Context(), container.MustExecutable(nil), "-test.run=^$")
+	cmd := testexec.CommandContext(t, t.Context(), fhs.ProcSelfExe, "-test.run=^$")
 	if err := cmd.Run(); err != nil {
 		t.Fatalf("exec failed: %v", err)
 	}

internal/lockedfile/lockedfile.go

@@ -94,6 +94,11 @@ func (f *File) Close() error {
 
 	err := closeFile(f.osFile.File)
 	f.cleanup.Stop()
+	// f may be dead at the moment after we access f.cleanup,
+	// so the cleanup can fire before Stop completes. Keep f
+	// alive while we call Stop. See the documentation for
+	// runtime.Cleanup.Stop.
+	runtime.KeepAlive(f)
 	return err
 }