diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index e0512bac..244b353b 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -40,14 +40,17 @@ type ExecPath struct {
 	W bool
 }
 
-// SetSchedIdle is whether to set [std.SCHED_IDLE] scheduling priority.
+// SetSchedIdle is whether to set [ext.SCHED_IDLE] scheduling priority.
 var SetSchedIdle bool
 
+// GetArtifactFunc is the function signature of [FContext.GetArtifact].
+type GetArtifactFunc func(Artifact) (*check.Absolute, unique.Handle[Checksum])
+
 // PromoteLayers returns artifacts with identical-by-content layers promoted to
 // the highest priority instance, as if mounted via [ExecPath].
 func PromoteLayers(
 	artifacts []Artifact,
-	getArtifact func(Artifact) (*check.Absolute, unique.Handle[Checksum]),
+	getArtifact GetArtifactFunc,
 	report func(i int, d Artifact),
 ) []*check.Absolute {
 	layers := make([]*check.Absolute, 0, len(artifacts))
@@ -67,14 +70,14 @@ func PromoteLayers(
 }
 
 // layers returns pathnames collected from A deduplicated via [PromoteLayers].
-func (p *ExecPath) layers(f *FContext) []*check.Absolute {
-	msg := f.GetMessage()
-	return PromoteLayers(p.A, f.GetArtifact, func(i int, d Artifact) {
+func (p *ExecPath) layers(
+	msg message.Msg,
+	getArtifact GetArtifactFunc,
+	ident func(a Artifact) unique.Handle[ID],
+) []*check.Absolute {
+	return PromoteLayers(p.A, getArtifact, func(i int, d Artifact) {
 		if msg.IsVerbose() {
-			msg.Verbosef(
-				"promoted layer %d as %s",
-				i, reportName(d, f.cache.Ident(d)),
-			)
+			msg.Verbosef("promoted layer %d as %s", i, reportName(d, ident(d)))
 		}
 	})
 }
@@ -382,17 +385,30 @@ func scanVerbose(
 	}
 }
 
+var (
+	// ErrInvalidPaths is returned for an [Artifact] of [KindExec] or
+	// [KindExecNet] specified with invalid paths.
+	ErrInvalidPaths = errors.New("invalid mount point")
+)
+
 // SeccompPresets is the [seccomp] presets used by exec artifacts.
 const SeccompPresets = std.PresetStrict &
 	^(std.PresetDenyNS | std.PresetDenyDevel)
 
-// cure is like Cure but allows optional host net namespace. This is used for
-// the [KnownChecksum] variant where networking is allowed.
-func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
+// makeContainer sets up the specified temp and work directories and returns the
+// corresponding [container.Container] that would have run for cure.
+func (a *execArtifact) makeContainer(
+	ctx context.Context,
+	msg message.Msg,
+	hostNet bool,
+	temp, work *check.Absolute,
+	getArtifact GetArtifactFunc,
+	ident func(a Artifact) unique.Handle[ID],
+) (z *container.Container, err error) {
 	overlayWorkIndex := -1
 	for i, p := range a.paths {
 		if p.P == nil || len(p.A) == 0 {
-			return os.ErrInvalid
+			return nil, ErrInvalidPaths
 		}
 		if p.P.Is(AbsWork) {
 			overlayWorkIndex = i
@@ -404,10 +420,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 		artifactCount += len(p.A)
 	}
 
-	ctx, cancel := context.WithTimeout(f.Unwrap(), a.timeout)
-	defer cancel()
-
-	z := container.New(ctx, f.GetMessage())
+	z = container.New(ctx, msg)
 	z.WaitDelay = execWaitDelay
 	z.SeccompPresets = SeccompPresets
 	z.SeccompFlags |= seccomp.AllowMultiarch
@@ -421,12 +434,85 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 	}
 	z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 
+	z.Dir, z.Env, z.Path, z.Args = a.dir, a.env, a.path, a.args
+	z.Grow(len(a.paths) + 4)
+
+	for i, b := range a.paths {
+		if i == overlayWorkIndex {
+			if err = os.MkdirAll(work.String(), 0700); err != nil {
+				return
+			}
+			tempWork := temp.Append(".work")
+			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
+				return
+			}
+			z.Overlay(
+				AbsWork,
+				work,
+				tempWork,
+				b.layers(msg, getArtifact, ident)...,
+			)
+			continue
+		}
+
+		if a.paths[i].W {
+			tempUpper, tempWork := temp.Append(
+				".upper", strconv.Itoa(i),
+			), temp.Append(
+				".work", strconv.Itoa(i),
+			)
+			if err = os.MkdirAll(tempUpper.String(), 0700); err != nil {
+				return
+			}
+			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
+				return
+			}
+			z.Overlay(b.P, tempUpper, tempWork, b.layers(msg, getArtifact, ident)...)
+		} else if len(b.A) == 1 {
+			pathname, _ := getArtifact(b.A[0])
+			z.Bind(pathname, b.P, 0)
+		} else {
+			z.OverlayReadonly(b.P, b.layers(msg, getArtifact, ident)...)
+		}
+	}
+	if overlayWorkIndex < 0 {
+		z.Bind(
+			work,
+			AbsWork,
+			std.BindWritable|std.BindEnsure,
+		)
+	}
+	z.Bind(
+		temp,
+		fhs.AbsTmp,
+		std.BindWritable|std.BindEnsure,
+	)
+	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+	return
+}
+
+// cure is like Cure but allows optional host net namespace.
+func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
+	ctx, cancel := context.WithTimeout(f.Unwrap(), a.timeout)
+	defer cancel()
+
+	msg := f.GetMessage()
+	var z *container.Container
+	if z, err = a.makeContainer(
+		ctx, msg, hostNet,
+		f.GetTempDir(), f.GetWorkDir(),
+		f.GetArtifact,
+		f.cache.Ident,
+	); err != nil {
+		return
+	}
+
 	var status io.Writer
 	if status, err = f.GetStatusWriter(); err != nil {
 		return
 	}
 
-	if msg := f.GetMessage(); msg.IsVerbose() {
+	if msg.IsVerbose() {
 		var stdout, stderr io.ReadCloser
 		if stdout, err = z.StdoutPipe(); err != nil {
 			return
@@ -464,62 +550,6 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 		z.Stdout, z.Stderr = status, status
 	}
 
-	z.Dir, z.Env, z.Path, z.Args = a.dir, a.env, a.path, a.args
-	z.Grow(len(a.paths) + 4)
-
-	temp, work := f.GetTempDir(), f.GetWorkDir()
-	for i, b := range a.paths {
-		if i == overlayWorkIndex {
-			if err = os.MkdirAll(work.String(), 0700); err != nil {
-				return
-			}
-			tempWork := temp.Append(".work")
-			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
-				return
-			}
-			z.Overlay(
-				AbsWork,
-				work,
-				tempWork,
-				b.layers(f)...,
-			)
-			continue
-		}
-
-		if a.paths[i].W {
-			tempUpper, tempWork := temp.Append(
-				".upper", strconv.Itoa(i),
-			), temp.Append(
-				".work", strconv.Itoa(i),
-			)
-			if err = os.MkdirAll(tempUpper.String(), 0700); err != nil {
-				return
-			}
-			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
-				return
-			}
-			z.Overlay(b.P, tempUpper, tempWork, b.layers(f)...)
-		} else if len(b.A) == 1 {
-			pathname, _ := f.GetArtifact(b.A[0])
-			z.Bind(pathname, b.P, 0)
-		} else {
-			z.OverlayReadonly(b.P, b.layers(f)...)
-		}
-	}
-	if overlayWorkIndex < 0 {
-		z.Bind(
-			work,
-			AbsWork,
-			std.BindWritable|std.BindEnsure,
-		)
-	}
-	z.Bind(
-		f.GetTempDir(),
-		fhs.AbsTmp,
-		std.BindWritable|std.BindEnsure,
-	)
-	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
-
 	if err = z.Start(); err != nil {
 		return
 	}
@@ -532,7 +562,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 
 	// do not allow empty directories to succeed
 	for {
-		err = syscall.Rmdir(work.String())
+		err = syscall.Rmdir(f.GetWorkDir().String())
 		if err != syscall.EINTR {
 			break
 		}
diff --git a/internal/pkg/exec_test.go b/internal/pkg/exec_test.go
index baf9b8de..b3eaa74e 100644
--- a/internal/pkg/exec_test.go
+++ b/internal/pkg/exec_test.go
@@ -92,7 +92,7 @@ func TestExec(t *testing.T) {
 					[]string{"testtool"},
 
 					pkg.ExecPath{},
-				), nil, pkg.Checksum{}, os.ErrInvalid},
+				), nil, pkg.Checksum{}, pkg.ErrInvalidPaths},
 			})
 
 			// check init failure passthrough