diff --git a/container/container_test.go b/container/container_test.go
index 693021bf..169efd8e 100644
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -25,6 +25,7 @@ import (
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/info"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
 	"hakurei.app/vfs"
@@ -453,7 +454,7 @@ func TestContainer(t *testing.T) {
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
-			if !c.HostNet {
+			if info.CanDegrade {
 				if _, err := container.LandlockGetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
diff --git a/flake.nix b/flake.nix
index 3cca5975..f29dc179 100644
--- a/flake.nix
+++ b/flake.nix
@@ -137,7 +137,6 @@
 
                 CC="musl-clang -O3 -Werror -Qunused-arguments" \
                 GOCACHE="$(mktemp -d)" \
-                HAKUREI_TEST_SKIP_ACL=1 \
                 PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
                 DESTDIR="$out" \
                 HAKUREI_VERSION="v${hakurei.version}" \
diff --git a/internal/acl/acl_test.go b/internal/acl/acl_test.go
index 5f5447ba..60c4b702 100644
--- a/internal/acl/acl_test.go
+++ b/internal/acl/acl_test.go
@@ -11,9 +11,11 @@ import (
 	"path/filepath"
 	"reflect"
 	"strconv"
+	"syscall"
 	"testing"
 
 	"hakurei.app/internal/acl"
+	"hakurei.app/internal/info"
 )
 
 const testFileName = "acl.test"
@@ -24,8 +26,14 @@ var (
 )
 
 func TestUpdate(t *testing.T) {
-	if os.Getenv("HAKUREI_TEST_SKIP_ACL") == "1" {
-		t.Skip("acl test skipped")
+	if info.CanDegrade {
+		name := filepath.Join(t.TempDir(), "check-degrade")
+		if err := os.WriteFile(name, nil, 0); err != nil {
+			t.Fatal(err)
+		}
+		if err := acl.Update(name, os.Geteuid()); errors.Is(err, syscall.ENOTSUP) {
+			t.Skip(err)
+		}
 	}
 
 	testFilePath := filepath.Join(t.TempDir(), testFileName)
diff --git a/internal/info/optional_skip.go b/internal/info/optional_skip.go
new file mode 100644
index 00000000..c09a698f
--- /dev/null
+++ b/internal/info/optional_skip.go
@@ -0,0 +1,7 @@
+//go:build !noskip
+
+package info
+
+// CanDegrade is whether tests are allowed to transparently degrade or skip due
+// to required system features being denied or unavailable.
+const CanDegrade = true
diff --git a/internal/info/optional_strict.go b/internal/info/optional_strict.go
new file mode 100644
index 00000000..f288b78e
--- /dev/null
+++ b/internal/info/optional_strict.go
@@ -0,0 +1,5 @@
+//go:build noskip
+
+package info
+
+const CanDegrade = false
diff --git a/internal/pkg/pkg_test.go b/internal/pkg/pkg_test.go
index 4fce4b1e..e1deaf3d 100644
--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
@@ -24,6 +24,7 @@ import (
 	"hakurei.app/check"
 	"hakurei.app/container"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/stub"
 	"hakurei.app/message"
@@ -290,12 +291,15 @@ func checkWithCache(t *testing.T, testCases []cacheTestCase) {
 			msg.SwapVerbose(testing.Verbose())
 
 			flags := tc.flags
-			if _, err := container.LandlockGetABI(); err != nil {
-				if !errors.Is(err, syscall.ENOSYS) {
-					t.Fatalf("LandlockGetABI: error = %v", err)
+
+			if info.CanDegrade {
+				if _, err := container.LandlockGetABI(); err != nil {
+					if !errors.Is(err, syscall.ENOSYS) {
+						t.Fatalf("LandlockGetABI: error = %v", err)
+					}
+					flags |= pkg.CHostAbstract
+					t.Log("Landlock LSM is unavailable, setting CHostAbstract")
 				}
-				flags |= pkg.CHostAbstract
-				t.Log("Landlock LSM is unavailable, setting CHostAbstract")
 			}
 
 			var scrubFunc func() error // scrub after hashing
diff --git a/package.nix b/package.nix
index bde2f0c9..5fb220e9 100644
--- a/package.nix
+++ b/package.nix
@@ -82,9 +82,6 @@ buildGo126Module rec {
   env = {
     # use clang instead of gcc
     CC = "clang -O3 -Werror";
-
-    # nix build environment does not allow acls
-    HAKUREI_TEST_SKIP_ACL = 1;
   };
 
   buildInputs = [
diff --git a/test/default.nix b/test/default.nix
index 964e47be..246d6dfc 100644
--- a/test/default.nix
+++ b/test/default.nix
@@ -44,7 +44,7 @@ testers.nixosTest {
 
           cd ${self.packages.${system}.hakurei.src}
           ${fhs}/bin/hakurei-fhs -c \
-            'CC="clang -O3 -Werror" go test ${if withRace then "-race" else "-count 16"} ./...' \
+            'CC="clang -O3 -Werror" go test --tags=noskip ${if withRace then "-race" else "-count 16"} ./...' \
             &> /tmp/hakurei-test.log && \
             touch /tmp/hakurei-test-ok
           touch /tmp/hakurei-test-done