cmd/irdump: formatted disassembly

.gitignore

@@ -7,12 +7,8 @@
 
 # go generate
 /cmd/hakurei/LICENSE
-/cmd/mbf/internal/pkgserver/ui/static
+/internal/pkg/testdata/testtool
-/internal/pkg/internal/testtool/testtool
 /internal/rosa/hakurei_current.tar.gz
 
 # cmd/dist default destination
 /dist
-
-# local packages
-/internal/rosa/package/local

all.sh

@@ -1,3 +1,6 @@
 #!/bin/sh -e
 
-HAKUREI_DIST_MAKE='' exec "$(dirname -- "$0")/cmd/dist/dist.sh"
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/"
+echo "# Building cmd/dist using ${TOOLCHAIN_VERSION}."
+go run -v --tags=dist ./cmd/dist

check/absolute.go

@@ -2,7 +2,7 @@
 package check
 
 import (
-	"encoding"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"path/filepath"
@@ -20,8 +20,8 @@ func (e AbsoluteError) Error() string {
 }
 
 func (e AbsoluteError) Is(target error) bool {
-	ce, ok := errors.AsType[AbsoluteError](target)
+	var ce AbsoluteError
-	if !ok {
+	if !errors.As(target, &ce) {
 		return errors.Is(target, syscall.EINVAL)
 	}
 	return e == ce
@@ -30,22 +30,6 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }
 
-var (
-	_ fmt.GoStringer = new(Absolute)
-
-	_ encoding.TextAppender    = new(Absolute)
-	_ encoding.TextMarshaler   = new(Absolute)
-	_ encoding.TextUnmarshaler = new(Absolute)
-
-	_ encoding.BinaryAppender    = new(Absolute)
-	_ encoding.BinaryMarshaler   = new(Absolute)
-	_ encoding.BinaryUnmarshaler = new(Absolute)
-)
-
-func (a *Absolute) GoString() string {
-	return fmt.Sprintf("check.MustAbs(%q)", a.String())
-}
-
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
@@ -100,16 +84,13 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [filepath.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }
 
-// AppendText appends the checked pathname.
+// GobEncode returns the checked pathname.
-func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+func (a *Absolute) GobEncode() ([]byte, error) {
-	return append(data, a.String()...), nil
+	return []byte(a.String()), nil
 }
 
-// MarshalText returns the checked pathname.
+// GobDecode stores data if it represents an absolute pathname.
-func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+func (a *Absolute) GobDecode(data []byte) error {
-
-// UnmarshalText stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
 	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
@@ -118,9 +99,23 @@ func (a *Absolute) UnmarshalText(data []byte) error {
 	return nil
 }
 
-func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+// MarshalJSON returns a JSON representation of the checked pathname.
-func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) MarshalJSON() ([]byte, error) {
-func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
+	return json.Marshal(a.String())
+}
+
+// UnmarshalJSON stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalJSON(data []byte) error {
+	var pathname string
+	if err := json.Unmarshal(data, &pathname); err != nil {
+		return err
+	}
+	if !filepath.IsAbs(pathname) {
+		return AbsoluteError(pathname)
+	}
+	a.pathname = unique.Make(pathname)
+	return nil
+}
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {

check/absolute_test.go

@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {
 
 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 
@@ -347,6 +347,15 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
+
+	t.Run("json passthrough", func(t *testing.T) {
+		t.Parallel()
+
+		wantErr := "invalid character ':' looking for beginning of value"
+		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
+			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
+		}
+	})
 }
 
 func TestAbsoluteWrap(t *testing.T) {

check/overlay.go

@@ -4,23 +4,15 @@ import "strings"
 
 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
-	//
-	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
-	//
-	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
-	//
-	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayPath = ":"
 )
 
 // EscapeOverlayDataSegment escapes a string for formatting into the data
 // argument of an overlay mount system call.
-//
-// Deprecated: This is no longer used and will be removed in 0.5.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""

cmd/app/app.go

@@ -1,264 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"fmt"
-	"io"
-	"strconv"
-	"strings"
-
-	"hakurei.app/check"
-	"hakurei.app/fhs"
-	"hakurei.app/hst"
-)
-
-// parsePair parses a NUL-delimited quoted paths pair.
-func parsePair(s string) (source, target *check.Absolute, err error) {
-	var p string
-	if p, err = strconv.Unquote(s); err != nil {
-		return
-	}
-	_source, _target, ok := strings.Cut(p, "\x00")
-	if source, err = check.NewAbs(_source); err != nil {
-		return
-	}
-	if !ok {
-		return
-	}
-	target, err = check.NewAbs(_target)
-	return
-}
-
-// parse decodes a high-level configuration stream and returns its
-// corresponding [hst.Config].
-func parse(id string, base *check.Absolute, r io.Reader) (*hst.Config, error) {
-	shell := fhs.AbsRoot.Append("bin", "zsh")
-	home := hst.AbsPrivateTmp.Append("home")
-
-	c := hst.Config{
-		ID:          id,
-		Enablements: new(hst.Enablements),
-
-		SessionBus: &hst.BusConfig{
-			Own: []string{
-				id + ".*",
-				"org.mpris.MediaPlayer2." + id + ".*",
-			},
-			Filter: true,
-		},
-		SystemBus: &hst.BusConfig{Filter: true},
-
-		Container: &hst.ContainerConfig{
-			Env: make(map[string]string),
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSOverlay{
-					Target: fhs.AbsRoot,
-					Lower: []*check.Absolute{
-						base.Append("template", "initial"),
-					},
-					Upper: base.Append("template", "upper"),
-				}},
-				{FilesystemConfig: &hst.FSBind{
-					Target: home,
-					Source: base.Append("state", id),
-					Write:  true,
-					Ensure: true,
-				}},
-
-				{FilesystemConfig: &hst.FSEphemeral{
-					Target: fhs.AbsVar.Append("tmp"),
-					Write:  true,
-					Perm:   01777,
-				}},
-
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block")}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus")}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class")}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev")}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices")}},
-			},
-
-			Username: "chronos",
-			Shell:    shell,
-			Home:     home,
-			Path:     shell,
-			Args:     []string{"zsh", "-c"},
-
-			Flags: hst.FCoverRun,
-		},
-	}
-
-	s := bufio.NewScanner(r)
-	scanOnce := func() error {
-		if s.Scan() {
-			return nil
-		}
-		if err := s.Err(); err != nil {
-			return err
-		}
-		return io.ErrUnexpectedEOF
-	}
-
-	if err := scanOnce(); err != nil {
-		return nil, err
-	}
-	if v, err := strconv.Atoi(s.Text()); err != nil {
-		return nil, err
-	} else {
-		c.Identity = v
-	}
-
-	if err := scanOnce(); err != nil {
-		return nil, err
-	}
-	c.Container.Args = append(c.Container.Args, s.Text())
-
-	var flagGPU, flagSystemBus bool
-	flags := map[string]*bool{
-		"gpu":        &flagGPU,
-		"system_bus": &flagSystemBus,
-	}
-
-	for s.Scan() {
-		key, value, ok := strings.Cut(s.Text(), " ")
-		if key != "" && key[0] == ';' {
-			continue
-		}
-
-		if !ok {
-			if key == "" {
-				continue
-			}
-
-			var p *bool
-			if p, ok = flags[key]; ok {
-				*p = true
-				continue
-			}
-
-			switch key {
-			case "wayland":
-				*c.Enablements |= hst.EWayland
-			case "x11":
-				*c.Enablements |= hst.EX11
-			case "dbus":
-				*c.Enablements |= hst.EDBus
-			case "pipewire":
-				*c.Enablements |= hst.EPipeWire
-
-			case "multiarch":
-				c.Container.Flags |= hst.FMultiarch
-			case "devel":
-				c.Container.Flags |= hst.FDevel
-			case "userns":
-				c.Container.Flags |= hst.FUserns
-			case "net":
-				c.Container.Flags |= hst.FHostNet
-			case "abstract":
-				c.Container.Flags |= hst.FHostAbstract
-			case "tty":
-				c.Container.Flags |= hst.FTty
-			case "mapuid":
-				c.Container.Flags |= hst.FMapRealUID
-			case "device":
-				c.Container.Flags |= hst.FDevice
-
-			case "share_runtime":
-				c.Container.Flags |= hst.FShareRuntime
-			case "share_tmpdir":
-				c.Container.Flags |= hst.FShareTmpdir
-
-			default:
-				return nil, fmt.Errorf("invalid flag %q", key)
-			}
-
-			continue
-		}
-
-		switch key {
-		case "group":
-			c.Groups = append(c.Groups, value)
-			continue
-
-		case "env":
-			if key, value, ok = strings.Cut(value, "="); !ok {
-				return nil, fmt.Errorf("invalid environment %q", key)
-			}
-			c.Container.Env[key] = value
-			continue
-
-		case "ro":
-			source, target, err := parsePair(value)
-			if err != nil {
-				return nil, err
-			}
-			c.Container.Filesystem = append(c.Container.Filesystem,
-				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
-					Target: target,
-					Source: source,
-				}},
-			)
-			continue
-
-		case "rw":
-			source, target, err := parsePair(value)
-			if err != nil {
-				return nil, err
-			}
-			c.Container.Filesystem = append(c.Container.Filesystem,
-				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
-					Target: target,
-					Source: source,
-					Write:  true,
-				}},
-			)
-			continue
-
-		case "own":
-			c.SessionBus.Own = append(c.SessionBus.Own, value)
-			continue
-		case "own_system":
-			c.SystemBus.Own = append(c.SystemBus.Own, value)
-			continue
-
-		case "talk":
-			c.SessionBus.Talk = append(c.SessionBus.Talk, value)
-			continue
-		case "talk_system":
-			c.SystemBus.Talk = append(c.SystemBus.Talk, value)
-			continue
-
-		default:
-			return nil, fmt.Errorf("invalid key %q", key)
-		}
-	}
-	if err := s.Err(); err != nil {
-		return nil, err
-	}
-
-	if flagGPU {
-		c.Container.Filesystem = append(c.Container.Filesystem, []hst.FilesystemConfigJSON{
-			{FilesystemConfig: &hst.FSBind{
-				Source:   fhs.AbsDev.Append("dri"),
-				Device:   true,
-				Optional: true,
-			}},
-		}...)
-	}
-
-	if !flagSystemBus {
-		c.SystemBus = nil
-	}
-
-	if c.Container.Flags&hst.FShareTmpdir == 0 {
-		c.Container.Filesystem = append(c.Container.Filesystem,
-			hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{
-				Target: fhs.AbsTmp,
-				Write:  true,
-				Perm:   01777,
-			}},
-		)
-	}
-
-	return &c, nil
-}

cmd/app/app_test.go

@@ -1,152 +0,0 @@
-package main
-
-import (
-	"reflect"
-	"strings"
-	"testing"
-
-	"hakurei.app/check"
-	"hakurei.app/fhs"
-	"hakurei.app/hst"
-)
-
-func TestParse(t *testing.T) {
-	t.Parallel()
-
-	base := fhs.AbsProc.Append("nonexistent")
-	testCases := []struct {
-		name string
-		data string
-		want *hst.Config
-		err  error
-	}{
-		{"com.discordapp.Discord", `8
-exec Discord --ozone-platform-hint=wayland
-
-gpu
-wayland
-dbus
-system_bus
-pipewire
-userns
-net
-mapuid
-
-share_runtime
-share_tmpdir
-
-group media_rw
-env ELECTRON_TRASH=gio
-rw "/sdcard"
-; remove before reusing
-ro "/bin\x00/.hakurei/bin"
-
-talk org.kde.StatusNotifierWatcher
-talk com.canonical.AppMenu.Registrar
-talk com.canonical.indicator.application
-talk com.canonical.Unity
-`, &hst.Config{
-			Identity:    8,
-			ID:          "com.discordapp.Discord",
-			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire),
-			Groups:      []string{"media_rw"},
-
-			SessionBus: &hst.BusConfig{
-				Talk: []string{
-					"org.kde.StatusNotifierWatcher",
-					"com.canonical.AppMenu.Registrar",
-					"com.canonical.indicator.application",
-					"com.canonical.Unity",
-				},
-				Own: []string{
-					"com.discordapp.Discord.*",
-					"org.mpris.MediaPlayer2.com.discordapp.Discord.*",
-				},
-				Filter: true,
-			},
-			SystemBus: &hst.BusConfig{Filter: true},
-
-			Container: &hst.ContainerConfig{
-				Env: map[string]string{
-					"ELECTRON_TRASH": "gio",
-				},
-				Filesystem: []hst.FilesystemConfigJSON{
-					{FilesystemConfig: &hst.FSOverlay{
-						Target: fhs.AbsRoot,
-						Lower: []*check.Absolute{
-							base.Append("template", "initial"),
-						},
-						Upper: base.Append("template", "upper"),
-					}},
-					{FilesystemConfig: &hst.FSBind{
-						Target: hst.AbsPrivateTmp.Append("home"),
-						Source: base.Append("state", "com.discordapp.Discord"),
-						Write:  true,
-						Ensure: true,
-					}},
-
-					{FilesystemConfig: &hst.FSEphemeral{
-						Target: fhs.AbsVar.Append("tmp"),
-						Write:  true,
-						Perm:   01777,
-					}},
-
-					{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block")}},
-					{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus")}},
-					{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class")}},
-					{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev")}},
-					{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices")}},
-
-					{FilesystemConfig: &hst.FSBind{
-						Source: check.MustAbs("/sdcard"),
-						Write:  true,
-					}},
-					{FilesystemConfig: &hst.FSBind{
-						Target: check.MustAbs("/.hakurei/bin"),
-						Source: check.MustAbs("/bin"),
-					}},
-
-					{FilesystemConfig: &hst.FSBind{
-						Source:   fhs.AbsDev.Append("dri"),
-						Device:   true,
-						Optional: true,
-					}},
-				},
-
-				Username: "chronos",
-				Shell:    fhs.AbsRoot.Append("bin", "zsh"),
-				Home:     hst.AbsPrivateTmp.Append("home"),
-				Path:     fhs.AbsRoot.Append("bin", "zsh"),
-				Args: []string{
-					"zsh", "-c",
-					"exec Discord --ozone-platform-hint=wayland",
-				},
-
-				Flags: hst.FCoverRun | hst.FUserns | hst.FHostNet | hst.FMapRealUID |
-					hst.FShareRuntime | hst.FShareTmpdir,
-			},
-		}, nil},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			got, err := parse(
-				tc.name,
-				base,
-				strings.NewReader(tc.data),
-			)
-
-			if !reflect.DeepEqual(err, tc.err) {
-				t.Errorf("parse: error = %v, want %v", err, tc.err)
-			}
-			if err != nil {
-				return
-			}
-
-			if !reflect.DeepEqual(got, tc.want) {
-				t.Errorf("parse: %#v, want %#v", got, tc.want)
-			}
-		})
-	}
-}

cmd/app/main.go

@@ -1,170 +0,0 @@
-// The app program is a proof-of-concept frontend for cmd/hakurei.
-//
-// This program is not covered by the compatibility promise. The command line
-// interface and configuration syntax may change at any time.
-package main
-
-import (
-	"context"
-	"errors"
-	"log"
-	"os"
-	"os/exec"
-	"os/signal"
-	"path/filepath"
-	"syscall"
-
-	"hakurei.app/check"
-	"hakurei.app/command"
-	"hakurei.app/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-func main() {
-	log.SetFlags(0)
-	log.SetPrefix("app: ")
-	msg := message.New(log.Default())
-
-	ctx, stop := signal.NotifyContext(context.Background(),
-		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
-	defer stop()
-
-	var (
-		flagVerbose bool
-		flagBase    string
-
-		base, template, initial, upper, work *check.Absolute
-	)
-	c := command.New(os.Stderr, log.Printf, "app", func([]string) (err error) {
-		msg.SwapVerbose(flagVerbose)
-		flagBase = os.ExpandEnv(flagBase)
-		if flagBase == "" {
-			flagBase = "state"
-		}
-		if flagBase, err = filepath.Abs(flagBase); err != nil {
-			return
-		} else if base, err = check.NewAbs(flagBase); err != nil {
-			return
-		}
-
-		template = base.Append("template")
-		initial = template.Append("initial")
-		upper = template.Append("upper")
-		work = template.Append("work")
-		return
-	}).Flag(
-		&flagVerbose,
-		"v", command.BoolFlag(false),
-		"Increase log verbosity",
-	).Flag(
-		&flagBase,
-		"d", command.StringFlag("$HAKUREI_APP_PATH"),
-		"Configuration and state directory",
-	)
-
-	{
-		var (
-			flagShell string
-			flagHome  string
-		)
-		c.NewCommand(
-			"enter", "Enter mutable state template",
-			func([]string) error {
-				config := hst.Config{
-					ID: "app.hakurei.mutable",
-					Container: &hst.ContainerConfig{
-						Hostname: "mutable",
-						Filesystem: []hst.FilesystemConfigJSON{
-							{FilesystemConfig: &hst.FSOverlay{
-								Target: fhs.AbsRoot,
-								Lower:  []*check.Absolute{initial},
-								Upper:  upper,
-								Work:   work,
-							}},
-							{FilesystemConfig: &hst.FSEphemeral{
-								Target: fhs.AbsTmp,
-								Write:  true,
-								Perm:   0755,
-							}},
-						},
-						Username: "chronos",
-						Flags: hst.FMultiarch |
-							hst.FDevel |
-							hst.FUserns |
-							hst.FHostNet |
-							hst.FTty,
-					},
-				}
-
-				if a, err := check.NewAbs(flagShell); err != nil {
-					return err
-				} else {
-					config.Container.Shell = a
-					config.Container.Path = a
-					config.Container.Args = []string{
-						"-" + filepath.Base(flagShell),
-					}
-				}
-
-				if a, err := check.NewAbs(flagHome); err != nil {
-					return err
-				} else {
-					config.Container.Home = a
-				}
-
-				return run(ctx, msg, &config)
-			},
-		).Flag(
-			&flagShell,
-			"shell", command.StringFlag("/bin/zsh"),
-			"Shell program within container",
-		).Flag(
-			&flagHome,
-			"home", command.StringFlag("/home/chronos"),
-			"Home directory within container",
-		)
-	}
-
-	c.NewCommand(
-		"run", "Start the named application",
-		func(args []string) error {
-			if len(args) != 1 {
-				return errors.New("run requires 1 argument")
-			}
-
-			var config *hst.Config
-			f, err := os.Open(base.Append("app", args[0]).String())
-			if err != nil {
-				return err
-			}
-			config, err = parse(args[0], base, f)
-			if closeErr := f.Close(); err == nil {
-				err = closeErr
-			}
-			if err != nil {
-				return err
-			}
-
-			return run(ctx, msg, config)
-		},
-	)
-
-	c.MustParse(os.Args[1:], func(err error) {
-		if e, ok := errors.AsType[*exec.ExitError](err); ok && e != nil {
-			os.Exit(e.ExitCode())
-		}
-
-		if w, ok := err.(interface{ Unwrap() []error }); !ok {
-			log.Fatal(err)
-		} else {
-			errs := w.Unwrap()
-			for i, e := range errs {
-				if i == len(errs)-1 {
-					log.Fatal(e)
-				}
-				log.Println(e)
-			}
-		}
-	})
-}

cmd/app/run.go

@@ -1,51 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"os"
-	"os/exec"
-	"syscall"
-
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-// run starts a container via cmd/hakurei and returns after it terminates.
-func run(ctx context.Context, msg message.Msg, config *hst.Config) error {
-	c, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	cmd := exec.CommandContext(c, "hakurei")
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Cancel = func() error {
-		return cmd.Process.Signal(syscall.SIGINT)
-	}
-	if msg.IsVerbose() {
-		cmd.Args = append(cmd.Args, "-v")
-	}
-	cmd.Args = append(cmd.Args, "run", "3")
-
-	r, w, err := os.Pipe()
-	if err != nil {
-		return err
-	}
-	cmd.ExtraFiles = append(cmd.ExtraFiles, r)
-
-	if err = cmd.Start(); err != nil {
-		_, _ = r.Close(), w.Close()
-		return err
-	}
-
-	if err = r.Close(); err != nil {
-		_ = w.Close()
-		return err
-	} else if err = json.NewEncoder(w).Encode(&config); err != nil {
-		_ = w.Close()
-		return err
-	} else if err = w.Close(); err != nil {
-		return err
-	}
-
-	return cmd.Wait()
-}

cmd/dist/VERSION

@@ -1 +0,0 @@
-v0.4.4

cmd/dist/dist.sh

@@ -1,10 +0,0 @@
-#!/bin/sh -e
-
-TOOLCHAIN_VERSION="$(go version)"
-cd "$(dirname -- "$0")/../.."
-echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
-FLAGS=''
-if test -n "$VERBOSE"; then
-    FLAGS="$FLAGS -v"
-fi
-go run $FLAGS --tags=dist ./cmd/dist

cmd/dist/main.go

@@ -18,13 +18,8 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
-	"strings"
 )
 
-//go:generate sh -c "git describe --tags > VERSION"
-//go:embed VERSION
-var version string
-
 // getenv looks up an environment variable, and returns fallback if it is unset.
 func getenv(key, fallback string) string {
 	if v, ok := os.LookupEnv(key); ok {
@@ -47,19 +42,14 @@ func mustRun(ctx context.Context, name string, arg ...string) {
 var comp []byte
 
 func main() {
+	fmt.Println()
 	log.SetFlags(0)
-	log.SetPrefix("")
+	log.SetPrefix("# ")
 
-	verbose := os.Getenv("VERBOSE") != ""
+	version := getenv("HAKUREI_VERSION", "untagged")
-	runTests := os.Getenv("HAKUREI_DIST_MAKE") == ""
-	version = getenv("HAKUREI_VERSION", strings.TrimSpace(version))
 	prefix := getenv("PREFIX", "/usr")
 	destdir := getenv("DESTDIR", "dist")
 
-	if verbose {
-		log.Println()
-	}
-
 	if err := os.MkdirAll(destdir, 0755); err != nil {
 		log.Fatal(err)
 	}
@@ -86,17 +76,12 @@ func main() {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer cancel()
 
-	verboseFlag := "-v"
+	log.Println("Building hakurei.")
-	if !verbose {
-		verboseFlag = "-buildvcs=false"
-	}
-
-	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
 	mustRun(ctx, "go", "generate", "./...")
 	mustRun(
 		ctx, "go", "build",
 		"-trimpath",
-		verboseFlag, "-o", s,
+		"-v", "-o", s,
 		"-ldflags=-s -w "+
 			"-buildid= -linkmode external -extldflags=-static "+
 			"-X hakurei.app/internal/info.buildVersion="+version+" "+
@@ -105,19 +90,17 @@ func main() {
 			"-X main.hakureiPath="+prefix+"/bin/hakurei",
 		"./...",
 	)
-	log.Println()
+	fmt.Println()
 
-	if runTests {
+	log.Println("Testing Hakurei.")
-		log.Println("##### Testing Hakurei.")
+	mustRun(
-		mustRun(
+		ctx, "go", "test",
-			ctx, "go", "test",
+		"-ldflags=-buildid= -linkmode external -extldflags=-static",
-			"-ldflags=-buildid= -linkmode external -extldflags=-static",
+		"./...",
-			"./...",
+	)
-		)
+	fmt.Println()
-		log.Println()
-	}
 
-	log.Println("##### Creating distribution.")
+	log.Println("Creating distribution.")
 	const suffix = ".tar.gz"
 	distName := "hakurei-" + version + "-" + runtime.GOARCH
 	var f *os.File
@@ -138,7 +121,7 @@ func main() {
 	}()
 
 	h := sha512.New()
-	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
+	gw := gzip.NewWriter(io.MultiWriter(f, h))
 	tw := tar.NewWriter(gw)
 
 	mustWriteHeader := func(name string, size int64, mode os.FileMode) {

cmd/earlyinit/main.go

@@ -5,91 +5,17 @@
 package main
 
 import (
-	"context"
-	"crypto/rand"
 	"log"
 	"os"
-	"os/signal"
 	"runtime"
-	"runtime/pprof"
-	"slices"
 	"strings"
 	. "syscall"
-
-	"hakurei.app/internal/kobject"
-	"hakurei.app/internal/report"
-	"hakurei.app/internal/uevent"
-	"hakurei.app/message"
-)
-
-var r report.Reporter
-
-func init() {
-	log.SetFlags(0)
-	log.SetPrefix("earlyinit: ")
-	r.SetOutput(log.Default())
-
-	// this handles SIGQUIT to provide useful debugging information without
-	// terminating, and prevents the runtime from throwing on the must family
-	// of early error reporting functions, DO NOT REMOVE
-	c := make(chan os.Signal, 1)
-	signal.Notify(c, SIGQUIT)
-	go func() {
-		for {
-			<-c
-			if p := pprof.Lookup("goroutine"); p == nil {
-				log.Println("initial built-in goroutine profile does not exist")
-			} else if err := p.WriteTo(os.Stderr, 2); err != nil {
-				log.Println(err)
-			}
-		}
-	}()
-}
-
-// fatal calls [log.Println] with v and blocks forever. Must be called from
-// main. Must not be used after error reporting is set up.
-func fatal(v ...any) {
-	log.Println(v...)
-	log.Println("unable to continue, please reboot and resolve the problem manually")
-	select {}
-}
-
-// must calls fatal with err if it is non-nil.
-func must(err error) {
-	if err != nil {
-		log.Println(err)
-		select {}
-	}
-}
-
-// mustSyscall is like must, but with an additional action name.
-func mustSyscall(action string, err error) {
-	if err != nil {
-		fatal("cannot "+action+":", err)
-		select {}
-	}
-}
-
-// must1 is like must, but with an additional passed through value.
-func must1[T any](v T, err error) T {
-	must(err)
-	return v
-}
-
-const (
-	// optionSystem specifies devpath of the system device.
-	optionSystem = "system"
-
-	// flagVerbose increases output verbosity.
-	flagVerbose = "verbose"
-	// flagStrict sets [report.DStrict] on r.
-	flagStrict = "strict"
-	// flagNoRecover sets [report.DNoRecover] on r.
-	flagNoRecover = "no_recover"
 )
 
 func main() {
 	runtime.LockOSThread()
+	log.SetFlags(0)
+	log.SetPrefix("earlyinit: ")
 
 	var (
 		option map[string]string
@@ -107,44 +33,15 @@ func main() {
 		}
 	}
 
-	{
+	if err := Mount(
-		var flag uint64
-		if slices.Contains(flags, flagStrict) {
-			flag |= report.DStrict
-		}
-		if slices.Contains(flags, flagNoRecover) {
-			flag |= report.DNoRecover
-		}
-		log.Printf("reporting flags %x", flag)
-		r.SetFlags(flag)
-	}
-
-	msg := message.New(log.Default())
-	msg.SwapVerbose(slices.Contains(flags, flagVerbose))
-
-	mustSyscall("mount devtmpfs", Mount(
 		"devtmpfs",
 		"/dev/",
 		"devtmpfs",
 		MS_NOSUID|MS_NOEXEC,
 		"",
-	))
+	); err != nil {
-	must(os.Mkdir("/dev/pts/", 0))
+		log.Fatalf("cannot mount devtmpfs: %v", err)
-	mustSyscall("mount devpts", Mount(
+	}
-		"devpts",
-		"/dev/pts/",
-		"devpts",
-		MS_NOSUID|MS_NOEXEC,
-		"mode=620,ptmxmode=666",
-	))
-	must(os.Mkdir("/dev/shm/", 0))
-	mustSyscall("mount shm", Mount(
-		"shm",
-		"/dev/shm/",
-		"tmpfs",
-		MS_NOSUID|MS_NODEV,
-		"",
-	))
 
 	// The kernel might be unable to set up the console. When that happens,
 	// printk is called with "Warning: unable to open an initial console."
@@ -201,49 +98,6 @@ func main() {
 		"",
 	))
 
-	conn := must1(uevent.Dial(-128 * 1024 * 1024))
-	events := make(chan *uevent.Message, 1<<10)
-	var uuid uevent.UUID
-	must1(rand.Read(uuid[:]))
-	ctx, cancel := context.WithCancel(context.Background())
-
-	go consume(ctx, msg, &r, conn, uuid, events)
-	s := kobject.New(uuid, func(o *kobject.Object, env map[string]string) {
-		p := make([]string, 0, len(env))
-		for k, v := range env {
-			p = append(p, k+"="+v)
-		}
-		slices.Sort(p)
-		log.Printf("change %s: %s", o.DevPath, strings.Join(p, ", "))
-	}, func(err error) {
-		severity := report.Inconsistent
-		if e, ok := err.(kobject.EventError); ok && e.Kind == kobject.EBadTarget {
-			severity = report.Trivial
-		}
-		r.Dispatch(
-			severity,
-			"processed inconsistent uevent",
-			err,
-		)
-	})
-	go func() {
-		s.Consume(ctx, events)
-
-		log.Println("closing NETLINK_KOBJECT_UEVENT socket")
-		cancel()
-		if err := conn.Close(); err != nil {
-			log.Fatal(err) // not reached
-		}
-	}()
-
-	must(os.Mkdir("/system", 0))
-	if devpath := option[optionSystem]; devpath == "" {
-		fatal("system must be nonempty")
-	} else {
-		log.Printf("waiting for devpath pattern %q", devpath)
-		mustMountSystem(ctx, s, devpath)
-	}
-
 	// after top level has been set up
 	mustSyscall("remount root", Mount(
 		"",
@@ -259,6 +113,19 @@ func main() {
 		[]byte("/system/lib/firmware"),
 		0,
 	))
-	go dispatchModprobe(ctx, s)
 
 }
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}

cmd/earlyinit/modprobe.go

@@ -1,73 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"log"
-	"os/exec"
-	"strings"
-
-	"hakurei.app/internal/kobject"
-	"hakurei.app/internal/report"
-	"hakurei.app/internal/uevent"
-)
-
-// ModprobeError describes an unsuccessful modprobe invocation.
-type ModprobeError struct {
-	ModAlias string `json:"modalias"`
-	Stdout   string `json:"stdout"`
-	Stderr   string `json:"stderr"`
-	ExitCode int    `json:"exit_code"`
-}
-
-var _ report.RepresentableError = ModprobeError{}
-
-func (ModprobeError) Representable() {}
-func (e ModprobeError) Error() string {
-	return fmt.Sprintf(
-		"modprobe exit status %d: %s",
-		e.ExitCode, strings.TrimSpace(e.Stderr),
-	)
-}
-
-// dispatchModprobe invokes modprobe for [uevent.KOBJ_ADD] events raising new
-// MODALIAS strings.
-func dispatchModprobe(
-	ctx context.Context,
-	s *kobject.State,
-) {
-	aliases := make(chan string, 1<<8)
-	go func() {
-		defer close(aliases)
-		s.Range(ctx, func(o *kobject.Object, act uevent.KobjectAction) bool {
-			if act == uevent.KOBJ_ADD && o.Driver == "" && o.ModAlias != "" {
-				aliases <- o.ModAlias
-			}
-			return true
-		})
-	}()
-
-	for alias := range aliases {
-		stdout, err := exec.Command("/system/sbin/modprobe", alias).Output()
-		if err == nil {
-			if len(stdout) > 0 {
-				log.Println(string(stdout))
-			}
-			continue
-		}
-
-		exitError, ok := errors.AsType[*exec.ExitError](err)
-		if !ok || exitError == nil {
-			r.Dispatch(report.Degraded, "invoke modprobe", err)
-			continue
-		}
-
-		r.Dispatch(report.Trivial, "load device driver", ModprobeError{
-			ModAlias: alias,
-			Stdout:   string(stdout),
-			Stderr:   string(exitError.Stderr),
-			ExitCode: exitError.ExitCode(),
-		})
-	}
-}

cmd/earlyinit/mount.go

@@ -1,71 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"os"
-	"path/filepath"
-	"strconv"
-	"syscall"
-	"time"
-
-	"hakurei.app/check"
-	"hakurei.app/fhs"
-	"hakurei.app/internal/kobject"
-	"hakurei.app/internal/uevent"
-)
-
-// mustMountSystem waits for and mounts a system device matching pattern.
-func mustMountSystem(
-	ctx context.Context,
-	s *kobject.State,
-	pattern string,
-) {
-	c, stop := context.WithTimeout(ctx, 30*time.Second)
-	defer stop()
-
-	for {
-		var matchErr error
-		var systemPath *check.Absolute
-		s.Range(c, func(o *kobject.Object, act uevent.KobjectAction) bool {
-			if (act != uevent.KOBJ_ADD && act != uevent.KOBJ_CHANGE) ||
-				o.Subsystem != "block" ||
-				o.Env["DEVTYPE"] != "disk" {
-				return true
-			}
-
-			if ok, err := filepath.Match(pattern, o.DevPath); err != nil {
-				matchErr = err
-				return false
-			} else if !ok {
-				return true
-			}
-
-			name, ok := o.Env["DEVNAME"]
-			if !ok {
-				return true
-			}
-			systemPath = fhs.AbsDev.Append(name)
-			return false
-		})
-		if c.Err() != nil {
-			fatal("devpath", strconv.Quote(pattern), "never appeared")
-		}
-		if matchErr != nil {
-			fatal("cannot match system devpath:", matchErr)
-		}
-		err := syscall.Mount(
-			systemPath.String(),
-			"/system/",
-			"squashfs",
-			0,
-			"threads=multi",
-		)
-		if err == nil {
-			break
-		}
-		if !errors.Is(err, os.ErrNotExist) {
-			fatal("cannot mount system:", err)
-		}
-	}
-}

cmd/earlyinit/uevent.go

@@ -1,104 +0,0 @@
-package main
-
-import (
-	"context"
-	"time"
-
-	"hakurei.app/fhs"
-	"hakurei.app/internal/report"
-	"hakurei.app/internal/uevent"
-	"hakurei.app/message"
-)
-
-// newRejectColdboot returns a function to be called on every subsequent pending
-// coldboot, and returns whether coldboot should proceed. Rejection is sticky.
-func newRejectColdboot() func() bool {
-	// one coldboot per five minutes, two consecutive coldboot
-	const (
-		coldbootInterval = 5 * time.Minute
-		coldbootBurst    = 2
-	)
-
-	done := make(chan struct{})
-	s := make(chan struct{}, coldbootBurst)
-	s <- struct{}{} // for early fault before reporting is ready
-	go func() {
-		t := time.NewTicker(coldbootInterval)
-		for {
-			select {
-			case <-done:
-				return
-
-			case <-t.C:
-				select {
-				case s <- struct{}{}:
-				default:
-				}
-			}
-		}
-	}()
-
-	return func() bool {
-		select {
-		case <-s:
-			return true
-
-		case <-done:
-			return false
-
-		default:
-			close(done)
-			return false
-		}
-	}
-}
-
-// consume continuously consumes events from conn with retries.
-func consume(
-	ctx context.Context,
-	msg message.Msg,
-	r *report.Reporter,
-	conn *uevent.Conn,
-	uuid uevent.UUID,
-	events chan<- *uevent.Message,
-) {
-	defer close(events)
-
-	nextColdboot := newRejectColdboot()
-	coldboot := true
-retry:
-	if dispatchErr := conn.Consume(ctx, fhs.Sys, &uuid, events, coldboot, func(path string) {
-		msg.Verbose("coldboot visited", path)
-	}, func(err error) bool {
-		if _, ok := err.(uevent.NeedsColdboot); ok && !nextColdboot() {
-			r.Dispatch(
-				report.Degraded,
-				"rejecting coldboot loop",
-				err,
-			)
-			return false
-		}
-		r.Dispatch(
-			report.Inconsistent,
-			"consumed invalid message",
-			err,
-		)
-		return true
-	}, nil); dispatchErr != nil {
-		if _, ok := dispatchErr.(uevent.Recoverable); !ok {
-			r.Dispatch(
-				report.Fatal,
-				"discontinuing uevent processing due to nonrecoverable error",
-				dispatchErr,
-			)
-			return
-		}
-
-		if _, ok := dispatchErr.(uevent.NeedsColdboot); ok {
-			// coldboot loop rejected by handler
-			coldboot = false
-		}
-
-		goto retry
-	}
-}

cmd/earlyinit/uevent_test.go

@@ -1,35 +0,0 @@
-package main
-
-import (
-	"testing"
-	"testing/synctest"
-	"time"
-)
-
-func TestRejectColdboot(t *testing.T) {
-	t.Parallel()
-
-	synctest.Test(t, func(t *testing.T) {
-		nextColdboot := newRejectColdboot()
-		want := func(want bool) {
-			if got := nextColdboot(); got != want {
-				t.Fatalf("nextColdboot: %v, want %v", got, want)
-			}
-		}
-
-		synctest.Wait()
-		want(true)
-		time.Sleep(time.Hour)
-		synctest.Wait()
-		want(true)
-		want(true)
-		time.Sleep(5 * time.Minute)
-		synctest.Wait()
-		want(true)
-		want(false)
-		time.Sleep(time.Hour)
-		synctest.Wait()
-		want(false)
-		want(false)
-	})
-}

cmd/hakurei/command.go

@@ -38,9 +38,8 @@ var errSuccess = errors.New("success")
 
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose  bool
+		flagVerbose bool
-		flagInsecure bool
+		flagJSON    bool
-		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -58,7 +57,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
-		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
 
 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -77,12 +75,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}
 
-			var flags int
+			outcome.Main(ctx, msg, config, flagIdentifierFile)
-			if flagInsecure {
-				flags |= hst.VAllowInsecure
-			}
-
-			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -152,7 +145,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			var et hst.Enablements
+			var et hst.Enablement
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -170,7 +163,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: &et,
+				Enablements: hst.NewEnablements(et),
 
 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -289,7 +282,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			outcome.Main(ctx, msg, &config, 0, -1)
+			outcome.Main(ctx, msg, &config, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),

cmd/hakurei/command_test.go

@@ -20,7 +20,7 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
 
 Commands:
     run         Load and start container from configuration file

cmd/hakurei/json.go

@@ -7,8 +7,7 @@ import (
 	"strconv"
 )
 
-// decodeJSON decodes json from r and stores it in v. A non-nil error results in
+// decodeJSON decodes json from r and stores it in v. A non-nil error results in a call to fatal.
-// a call to fatal.
 func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any) {
 	err := json.NewDecoder(r).Decode(v)
 	if err == nil {
@@ -48,14 +47,14 @@ func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any) {
 	}
 
 	if err := encoder.Encode(v); err != nil {
-		if e, ok := errors.AsType[*json.MarshalerError](err); ok && e != nil {
+		var marshalerError *json.MarshalerError
+		if errors.As(err, &marshalerError) && marshalerError != nil {
 			// this likely indicates an implementation error in hst
-			fatal("cannot encode json for " + e.Type.String() + ": " + e.Err.Error())
+			fatal("cannot encode json for " + marshalerError.Type.String() + ": " + marshalerError.Err.Error())
 			return
 		}
 
-		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does
+		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does not need to be handled
-		// not need to be handled
 		fatal("cannot write json: " + err.Error())
 	}
 }

cmd/hakurei/print.go

@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	if err := config.Validate(hst.VAllowInsecure); err != nil {
+	if err := config.Validate(); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")

cmd/hakurei/print_test.go

@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: new(hst.EWayland | hst.EPipeWire),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
@@ -64,7 +64,7 @@ func TestPrintShowInstance(t *testing.T) {
  Identity:       9 (org.chromium.Chromium)
  Enablements:    wayland, dbus, pipewire
  Groups:         video, dialout, plugdev
- Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, cover_run, runtime, tmpdir
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
  Path:           /run/current-system/sw/bin/chromium
@@ -161,7 +161,7 @@ App
  Identity:       9 (org.chromium.Chromium)
  Enablements:    wayland, dbus, pipewire
  Groups:         video, dialout, plugdev
- Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, cover_run, runtime, tmpdir
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
  Path:           /run/current-system/sw/bin/chromium
@@ -355,7 +355,6 @@ App
     "multiarch": true,
     "map_real_uid": true,
     "device": true,
-    "cover_run": true,
     "share_runtime": true,
     "share_tmpdir": true
   },
@@ -507,7 +506,6 @@ App
     "multiarch": true,
     "map_real_uid": true,
     "device": true,
-    "cover_run": true,
     "share_runtime": true,
     "share_tmpdir": true
   }
@@ -706,7 +704,6 @@ func TestPrintPs(t *testing.T) {
       "multiarch": true,
       "map_real_uid": true,
       "device": true,
-      "cover_run": true,
       "share_runtime": true,
       "share_tmpdir": true
     },

cmd/hsu/main.go

@@ -21,6 +21,15 @@
 // following paragraphs are considered an internal detail and not covered by the
 // compatibility promise.
 //
+// After checking credentials, hsu checks via /proc/ the absolute pathname of
+// its parent process, and fails if it does not match the hakurei pathname set
+// at link time. This is not a security feature: the priv-side is considered
+// trusted, and this feature makes no attempt to address the racy nature of
+// querying /proc/, or debuggers attached to the parent process. Instead, this
+// aims to discourage misuse and reduce confusion if the user accidentally
+// stumbles upon this program. It also prevents accidental use of the incorrect
+// installation of hsu in some environments.
+//
 // Since target container environment variables are set up in shim via the
 // [container] infrastructure, the environment is used for parameters from the
 // parent process.
@@ -53,6 +62,7 @@ import (
 	"runtime"
 	"slices"
 	"strconv"
+	"strings"
 	"syscall"
 )
 
@@ -97,6 +107,18 @@ func main() {
 		return
 	}
 
+	var toolPath string
+	pexe := filepath.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+	if p, err := os.Readlink(pexe); err != nil {
+		log.Fatalf("cannot read parent executable path: %v", err)
+	} else if strings.HasSuffix(p, " (deleted)") {
+		log.Fatal("hakurei executable has been deleted")
+	} else if p != hakureiPath {
+		log.Fatal("this program must be started by hakurei")
+	} else {
+		toolPath = p
+	}
+
 	// refuse to run if hsurc is not protected correctly
 	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
@@ -183,7 +205,7 @@ func main() {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
 
-	if err := syscall.Exec(hakureiPath, []string{
+	if err := syscall.Exec(toolPath, []string{
 		"hakurei",
 		"shim",
 	}, []string{

cmd/irdump/main.go

@@ -0,0 +1,76 @@
+package main
+
+import (
+	"errors"
+	"log"
+	"os"
+
+	"hakurei.app/command"
+	"hakurei.app/internal/pkg"
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("irdump: ")
+
+	var (
+		flagOutput string
+		flagReal   bool
+		flagHeader bool
+		flagForce  bool
+		flagRaw    bool
+	)
+	c := command.New(os.Stderr, log.Printf, "irdump", func(args []string) (err error) {
+		var input *os.File
+		if len(args) != 1 {
+			return errors.New("irdump requires 1 argument")
+		}
+		if input, err = os.Open(args[0]); err != nil {
+			return
+		}
+		defer input.Close()
+
+		var output *os.File
+		if flagOutput == "" {
+			output = os.Stdout
+		} else {
+			defer output.Close()
+			if output, err = os.Create(flagOutput); err != nil {
+				return
+			}
+		}
+
+		var out string
+		if out, err = pkg.Disassemble(input, flagReal, flagHeader, flagForce, flagRaw); err != nil {
+			return
+		}
+		if _, err = output.WriteString(out); err != nil {
+			return
+		}
+		return
+	}).Flag(
+		&flagOutput,
+		"o", command.StringFlag(""),
+		"Output file for asm (leave empty for stdout)",
+	).Flag(
+		&flagReal,
+		"r", command.BoolFlag(false),
+		"skip label generation; idents print real value",
+	).Flag(
+		&flagHeader,
+		"H", command.BoolFlag(false),
+		"display artifact headers",
+	).Flag(
+		&flagForce,
+		"f", command.BoolFlag(false),
+		"force display (skip validations)",
+	).Flag(
+		&flagRaw,
+		"R", command.BoolFlag(false),
+		"don't format output",
+	)
+
+	c.MustParse(os.Args[1:], func(err error) {
+		log.Fatal(err)
+	})
+}

cmd/mbf/cache.go

@@ -1,136 +0,0 @@
-package main
-
-import (
-	"context"
-	"net/http"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"hakurei.app/check"
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-	"hakurei.app/message"
-)
-
-// cache refers to an instance of [pkg.Cache] that might be open.
-type cache struct {
-	ctx context.Context
-	msg message.Msg
-
-	// Should generally not be used directly.
-	c *pkg.Cache
-
-	cures, jobs int
-	// Primarily to work around missing landlock LSM.
-	hostAbstract bool
-	// Set SCHED_IDLE.
-	idle bool
-	// Unset [pkg.CSuppressInit].
-	verboseInit bool
-	// Loaded artifact of [rosa.QEMU].
-	qemu pkg.Artifact
-
-	base, mirror string
-}
-
-// open opens the underlying [pkg.Cache].
-func (cache *cache) open() (err error) {
-	if cache.c != nil {
-		return os.ErrInvalid
-	}
-
-	var base *check.Absolute
-	if cache.base, err = filepath.Abs(cache.base); err != nil {
-		return
-	} else if base, err = check.NewAbs(cache.base); err != nil {
-		return
-	}
-
-	var flags int
-	if cache.idle {
-		flags |= pkg.CSchedIdle
-	}
-	if cache.hostAbstract {
-		flags |= pkg.CHostAbstract
-	}
-	if !cache.verboseInit {
-		flags |= pkg.CSuppressInit
-	}
-
-	done := make(chan struct{})
-	defer close(done)
-	go func() {
-		select {
-		case <-cache.ctx.Done():
-			if testing.Testing() {
-				return
-			}
-			os.Exit(2)
-
-		case <-done:
-			return
-		}
-	}()
-
-	cache.msg.Verbosef("opening cache at %s", base)
-	cache.c, err = pkg.Open(
-		cache.ctx,
-		cache.msg,
-		flags,
-		cache.cures,
-		cache.jobs,
-		base,
-	)
-	if err != nil {
-		return
-	}
-	done <- struct{}{}
-
-	if cache.mirror != "" {
-		var pub []byte
-		pub, err = os.ReadFile(base.Append("ed25519.pub").String())
-		if err != nil {
-			cache.c.Close()
-			return
-		}
-		var r rosa.Remote
-		if r, err = rosa.NewRemote(cache.mirror, pub, http.DefaultClient); err != nil {
-			cache.c.Close()
-			return err
-		}
-		cache.c.SetExternal(r)
-	}
-
-	if cache.qemu != nil {
-		var pathname *check.Absolute
-		pathname, _, err = cache.c.Cure(cache.qemu)
-		if err != nil {
-			cache.c.Close()
-			return
-		}
-
-		for arch, entry := range rosa.Arches(pathname) {
-			pkg.RegisterArch(arch, entry)
-		}
-	}
-
-	return
-}
-
-// Close closes the underlying [pkg.Cache] if it is open.
-func (cache *cache) Close() {
-	if cache.c != nil {
-		cache.c.Close()
-	}
-}
-
-// Do calls f on the underlying cache and returns its error value.
-func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
-	if cache.c == nil {
-		if err := cache.open(); err != nil {
-			return err
-		}
-	}
-	return f(cache.c)
-}

cmd/mbf/cache_test.go

@@ -1,37 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-	"testing"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/message"
-)
-
-func TestCache(t *testing.T) {
-	t.Parallel()
-
-	cm := cache{
-		ctx:  t.Context(),
-		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
-		base: t.TempDir(),
-
-		hostAbstract: true, idle: true,
-	}
-	defer cm.Close()
-	cm.Close()
-
-	if err := cm.open(); err != nil {
-		t.Fatalf("open: error = %v", err)
-	}
-	if err := cm.open(); err != os.ErrInvalid {
-		t.Errorf("(duplicate) open: error = %v", err)
-	}
-
-	if err := cm.Do(func(cache *pkg.Cache) error {
-		return cache.Scrub(0)
-	}); err != nil {
-		t.Errorf("Scrub: error = %v", err)
-	}
-}

cmd/mbf/daemon.go

@@ -1,354 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/binary"
-	"errors"
-	"io"
-	"log"
-	"math"
-	"net"
-	"os"
-	"sync"
-	"syscall"
-	"testing"
-	"time"
-	"unique"
-
-	"hakurei.app/check"
-	"hakurei.app/internal/pkg"
-)
-
-// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
-const daemonTimeout = 30 * time.Second
-
-// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
-// zero value when running in a test.
-func daemonDeadline() time.Time {
-	if testing.Testing() {
-		return time.Time{}
-	}
-	return time.Now().Add(daemonTimeout)
-}
-
-const (
-	// remoteNoReply notifies that the client will not receive a cure reply.
-	remoteNoReply = 1 << iota
-)
-
-// cureFromIR services an IR curing request.
-func cureFromIR(
-	cache *pkg.Cache,
-	conn net.Conn,
-	flags uint64,
-) (pkg.Artifact, error) {
-	a, decodeErr := cache.NewDecoder(conn).Decode()
-	if decodeErr != nil {
-		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
-		return nil, errors.Join(decodeErr, err, conn.Close())
-	}
-
-	pathname, _, cureErr := cache.Cure(a)
-	if flags&remoteNoReply != 0 {
-		return a, errors.Join(cureErr, conn.Close())
-	}
-	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
-		return a, errors.Join(cureErr, err, conn.Close())
-	}
-	if cureErr != nil {
-		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
-		return a, errors.Join(cureErr, err, conn.Close())
-	}
-	_, err := conn.Write([]byte(pathname.String()))
-	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
-		return a, nil
-	}
-	return a, errors.Join(err, conn.Close())
-}
-
-const (
-	// specialCancel is a message consisting of a single identifier referring
-	// to a curing artifact to be cancelled.
-	specialCancel = iota
-	// specialAbort requests for all pending cures to be aborted. It has no
-	// message body.
-	specialAbort
-
-	// remoteSpecial denotes a special message with custom layout.
-	remoteSpecial = math.MaxUint64
-)
-
-// writeSpecialHeader writes the header of a remoteSpecial message.
-func writeSpecialHeader(conn net.Conn, kind uint64) error {
-	var sh [16]byte
-	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
-	binary.LittleEndian.PutUint64(sh[8:], kind)
-	if n, err := conn.Write(sh[:]); err != nil {
-		return err
-	} else if n != len(sh) {
-		return io.ErrShortWrite
-	}
-	return nil
-}
-
-// cancelIdent reads an identifier from conn and cancels the corresponding cure.
-func cancelIdent(
-	cache *pkg.Cache,
-	conn net.Conn,
-) (*pkg.ID, bool, error) {
-	var ident pkg.ID
-	if _, err := io.ReadFull(conn, ident[:]); err != nil {
-		return nil, false, errors.Join(err, conn.Close())
-	}
-	ok := cache.Cancel(unique.Make(ident))
-	return &ident, ok, conn.Close()
-}
-
-// serve services connections from a [net.UnixListener].
-func serve(
-	ctx context.Context,
-	log *log.Logger,
-	cm *cache,
-	ul *net.UnixListener,
-) error {
-	ul.SetUnlinkOnClose(true)
-	if cm.c == nil {
-		if err := cm.open(); err != nil {
-			return errors.Join(err, ul.Close())
-		}
-	}
-
-	var wg sync.WaitGroup
-	defer wg.Wait()
-
-	wg.Go(func() {
-		for {
-			if ctx.Err() != nil {
-				break
-			}
-
-			conn, err := ul.AcceptUnix()
-			if err != nil {
-				if !errors.Is(err, os.ErrDeadlineExceeded) {
-					log.Println(err)
-				}
-				continue
-			}
-			wg.Go(func() {
-				done := make(chan struct{})
-				defer close(done)
-				go func() {
-					select {
-					case <-ctx.Done():
-						_ = conn.SetDeadline(time.Now())
-
-					case <-done:
-						return
-					}
-				}()
-
-				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
-					log.Println(_err)
-					if _err = conn.Close(); _err != nil {
-						log.Println(_err)
-					}
-					return
-				}
-
-				var word [8]byte
-				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
-					log.Println(_err)
-					if _err = conn.Close(); _err != nil {
-						log.Println(_err)
-					}
-					return
-				}
-				flags := binary.LittleEndian.Uint64(word[:])
-
-				if flags == remoteSpecial {
-					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
-						log.Println(_err)
-						if _err = conn.Close(); _err != nil {
-							log.Println(_err)
-						}
-						return
-					}
-					switch special := binary.LittleEndian.Uint64(word[:]); special {
-					default:
-						log.Printf("invalid special %d", special)
-
-					case specialCancel:
-						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
-							log.Println(_err)
-						} else if !ok {
-							log.Println(
-								"attempting to cancel invalid artifact",
-								pkg.Encode(*id),
-							)
-						} else {
-							log.Println(
-								"cancelled artifact",
-								pkg.Encode(*id),
-							)
-						}
-
-					case specialAbort:
-						log.Println("aborting all pending cures")
-						cm.c.Abort()
-						if _err := conn.Close(); _err != nil {
-							log.Println(_err)
-						}
-					}
-
-					return
-				}
-
-				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
-					log.Println(_err)
-				} else {
-					log.Printf(
-						"fulfilled artifact %s",
-						pkg.Encode(cm.c.Ident(a).Value()),
-					)
-				}
-			})
-		}
-	})
-
-	<-ctx.Done()
-	if err := ul.SetDeadline(time.Now()); err != nil {
-		return errors.Join(err, ul.Close())
-	}
-	wg.Wait()
-	return ul.Close()
-}
-
-// dial wraps [net.DialUnix] with a context.
-func dial(ctx context.Context, addr *net.UnixAddr) (
-	done chan<- struct{},
-	conn *net.UnixConn,
-	err error,
-) {
-	conn, err = net.DialUnix("unix", nil, addr)
-	if err != nil {
-		return
-	}
-
-	d := make(chan struct{})
-	done = d
-	go func() {
-		select {
-		case <-ctx.Done():
-			_ = conn.SetDeadline(time.Now())
-
-		case <-d:
-			return
-		}
-	}()
-	return
-}
-
-// cureRemote cures a [pkg.Artifact] on a daemon.
-func cureRemote(
-	ctx context.Context,
-	addr *net.UnixAddr,
-	a pkg.Artifact,
-	flags uint64,
-) (*check.Absolute, error) {
-	if flags == remoteSpecial {
-		return nil, syscall.EINVAL
-	}
-
-	done, conn, err := dial(ctx, addr)
-	if err != nil {
-		return nil, err
-	}
-	defer close(done)
-
-	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
-		return nil, errors.Join(flagErr, conn.Close())
-	} else if n != 8 {
-		return nil, errors.Join(io.ErrShortWrite, conn.Close())
-	}
-
-	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
-		return nil, errors.Join(err, conn.Close())
-	} else if err = conn.CloseWrite(); err != nil {
-		return nil, errors.Join(err, conn.Close())
-	}
-
-	if flags&remoteNoReply != 0 {
-		return nil, conn.Close()
-	}
-
-	payload, recvErr := io.ReadAll(conn)
-	if err = errors.Join(recvErr, conn.Close()); err != nil {
-		if errors.Is(err, os.ErrDeadlineExceeded) {
-			if cancelErr := ctx.Err(); cancelErr != nil {
-				err = cancelErr
-			}
-		}
-		return nil, err
-	}
-
-	if len(payload) > 0 && payload[0] == 0 {
-		return nil, errors.New(string(payload[1:]))
-	}
-
-	var p *check.Absolute
-	p, err = check.NewAbs(string(payload))
-	return p, err
-}
-
-// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
-func cancelRemote(
-	ctx context.Context,
-	addr *net.UnixAddr,
-	a pkg.Artifact,
-	wait bool,
-) error {
-	done, conn, err := dial(ctx, addr)
-	if err != nil {
-		return err
-	}
-	defer close(done)
-
-	if err = writeSpecialHeader(conn, specialCancel); err != nil {
-		return errors.Join(err, conn.Close())
-	}
-
-	var n int
-	id := pkg.NewIR().Ident(a).Value()
-	if n, err = conn.Write(id[:]); err != nil {
-		return errors.Join(err, conn.Close())
-	} else if n != len(id) {
-		return errors.Join(io.ErrShortWrite, conn.Close())
-	}
-	if wait {
-		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
-			err = nil
-		}
-	}
-	return errors.Join(err, conn.Close())
-}
-
-// abortRemote aborts all [pkg.Artifact] curing on a daemon.
-func abortRemote(
-	ctx context.Context,
-	addr *net.UnixAddr,
-	wait bool,
-) error {
-	done, conn, err := dial(ctx, addr)
-	if err != nil {
-		return err
-	}
-	defer close(done)
-
-	err = writeSpecialHeader(conn, specialAbort)
-	if wait && err == nil {
-		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
-			err = nil
-		}
-	}
-	return errors.Join(err, conn.Close())
-}

cmd/mbf/daemon_test.go

@@ -1,146 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"io"
-	"log"
-	"net"
-	"os"
-	"path/filepath"
-	"slices"
-	"strings"
-	"testing"
-	"time"
-
-	"hakurei.app/check"
-	"hakurei.app/internal/pkg"
-	"hakurei.app/message"
-)
-
-func TestNoReply(t *testing.T) {
-	t.Parallel()
-	if !daemonDeadline().IsZero() {
-		t.Fatal("daemonDeadline did not return the zero value")
-	}
-
-	c, err := pkg.Open(
-		t.Context(),
-		message.New(log.New(os.Stderr, "cir: ", 0)),
-		0, 0, 0,
-		check.MustAbs(t.TempDir()),
-	)
-	if err != nil {
-		t.Fatalf("Open: error = %v", err)
-	}
-	defer c.Close()
-
-	client, server := net.Pipe()
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		go func() {
-			<-t.Context().Done()
-			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
-				panic(_err)
-			}
-		}()
-
-		if _err := c.EncodeAll(
-			client,
-			pkg.NewFile("check", []byte{0}),
-		); _err != nil {
-			panic(_err)
-		} else if _err = client.Close(); _err != nil {
-			panic(_err)
-		}
-	}()
-
-	a, cureErr := cureFromIR(c, server, remoteNoReply)
-	if cureErr != nil {
-		t.Fatalf("cureFromIR: error = %v", cureErr)
-	}
-
-	<-done
-	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
-	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
-		t.Errorf(
-			"cureFromIR: %s, want %s",
-			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
-		)
-	}
-}
-
-func TestDaemon(t *testing.T) {
-	t.Parallel()
-
-	var buf bytes.Buffer
-	logger := log.New(&buf, "daemon: ", 0)
-
-	addr := net.UnixAddr{
-		Name: filepath.Join(t.TempDir(), "daemon"),
-		Net:  "unix",
-	}
-
-	ctx, cancel := context.WithCancel(t.Context())
-	defer cancel()
-
-	cm := cache{
-		ctx:  ctx,
-		msg:  message.New(logger),
-		base: t.TempDir(),
-	}
-	defer cm.Close()
-
-	ul, err := net.ListenUnix("unix", &addr)
-	if err != nil {
-		t.Fatalf("ListenUnix: error = %v", err)
-	}
-
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		if _err := serve(ctx, logger, &cm, ul); _err != nil {
-			panic(_err)
-		}
-	}()
-
-	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
-		t.Fatalf("cancelRemote: error = %v", err)
-	}
-
-	if err = abortRemote(ctx, &addr, true); err != nil {
-		t.Fatalf("abortRemote: error = %v", err)
-	}
-
-	// keep this last for synchronisation
-	var p *check.Absolute
-	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
-	if err != nil {
-		t.Fatalf("cureRemote: error = %v", err)
-	}
-
-	cancel()
-	<-done
-
-	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
-	if got := filepath.Base(p.String()); got != want {
-		t.Errorf("cureRemote: %s, want %s", got, want)
-	}
-
-	wantLog := []string{
-		"",
-		"daemon: aborting all pending cures",
-		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
-		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
-	}
-	gotLog := strings.Split(buf.String(), "\n")
-	slices.Sort(gotLog)
-	if !slices.Equal(gotLog, wantLog) {
-		t.Errorf(
-			"serve: logged\n%s\nwant\n%s",
-			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
-		)
-	}
-}

cmd/mbf/info.go

@@ -1,118 +0,0 @@
-package main
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-	"unique"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-)
-
-// commandInfo implements the info subcommand.
-func commandInfo(
-	cm *cache,
-	args []string,
-	w io.Writer,
-	writeStatus bool,
-	r *rosa.Report,
-) (err error) {
-	if len(args) == 0 {
-		return errors.New("info requires at least 1 argument")
-	}
-
-	// recovered by HandleAccess
-	mustPrintln := func(a ...any) {
-		if _, _err := fmt.Fprintln(w, a...); _err != nil {
-			panic(_err)
-		}
-	}
-	mustPrint := func(a ...any) {
-		if _, _err := fmt.Fprint(w, a...); _err != nil {
-			panic(_err)
-		}
-	}
-
-	t := rosa.Native().Std()
-	for i, name := range args {
-		handle := rosa.ArtifactH(unique.Make(name))
-		if meta, a := t.Load(handle); meta == nil {
-			return fmt.Errorf("unknown artifact %q", name)
-		} else {
-			var suffix string
-
-			if meta.Version != rosa.Unversioned {
-				suffix += "-" + meta.Version
-			}
-			mustPrintln("name        : " + name + suffix)
-
-			mustPrintln("description : " + meta.Description)
-			if meta.Website != "" {
-				mustPrintln("website     : " +
-					strings.TrimSuffix(meta.Website, "/"))
-			}
-			if len(meta.Dependencies) > 0 {
-				mustPrint("depends on  :")
-				for _, d := range meta.Dependencies {
-					_meta, _ := rosa.Native().Std().MustLoad(d)
-					s := _meta.Name
-					if _meta.Version != rosa.Unversioned {
-						s += "-" + _meta.Version
-					}
-					mustPrint(" " + s)
-				}
-				mustPrintln()
-			}
-
-			const statusPrefix = "status      : "
-			if writeStatus {
-				if r == nil {
-					var f io.ReadSeekCloser
-					err = cm.Do(func(cache *pkg.Cache) (err error) {
-						f, err = cache.OpenStatus(a)
-						return
-					})
-					if err != nil {
-						if errors.Is(err, os.ErrNotExist) {
-							mustPrintln(
-								statusPrefix + "not yet cured",
-							)
-						} else {
-							return
-						}
-					} else {
-						mustPrint(statusPrefix)
-						_, err = io.Copy(w, f)
-						if err = errors.Join(err, f.Close()); err != nil {
-							return
-						}
-					}
-				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					status, n := r.ArtifactOf(cache.Ident(a))
-					if status == nil {
-						mustPrintln(
-							statusPrefix + "not in report",
-						)
-					} else {
-						mustPrintln("size        :", n)
-						mustPrint(statusPrefix)
-						if _, err = w.Write(status); err != nil {
-							return
-						}
-					}
-					return
-				}); err != nil {
-					return
-				}
-			}
-
-			if i != len(args)-1 {
-				mustPrintln()
-			}
-		}
-	}
-	return nil
-}

cmd/mbf/info_test.go

@@ -1,190 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
-	"syscall"
-	"testing"
-	"unique"
-	"unsafe"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-	"hakurei.app/message"
-)
-
-func TestInfo(t *testing.T) {
-	t.Parallel()
-
-	_t := rosa.Native().Std()
-	qemuMeta, _ := _t.Load(rosa.H("qemu"))
-	glibMeta, _ := _t.Load(rosa.H("glib"))
-	zlibMeta, zlib := _t.Load(rosa.H("zlib"))
-	zstdMeta, _ := _t.Load(rosa.H("zstd"))
-	hakureiMeta, _ := _t.Load(rosa.H("hakurei"))
-	hakureiDistMeta, _ := _t.Load(rosa.H("hakurei-dist"))
-
-	testCases := []struct {
-		name    string
-		args    []string
-		status  map[string]string
-		report  string
-		want    string
-		wantErr any
-	}{
-		{"qemu", []string{"qemu"}, nil, "", `
-name        : qemu-` + qemuMeta.Version + `
-description : a generic and open source machine emulator and virtualizer
-website     : https://www.qemu.org
-depends on  : glib-` + glibMeta.Version + ` zstd-` + zstdMeta.Version + `
-`, nil},
-
-		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
-name        : hakurei-` + hakureiMeta.Version + `
-description : low-level userspace tooling for Rosa OS
-website     : https://hakurei.app
-
-name        : hakurei-dist-` + hakureiDistMeta.Version + `
-description : low-level userspace tooling for Rosa OS (distribution tarball)
-website     : https://hakurei.app
-`, nil},
-
-		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
-name        : zlib-` + zlibMeta.Version + `
-description : lossless data-compression library
-website     : https://zlib.net
-
-`, fmt.Errorf("unknown artifact %q", "\x00")},
-
-		{"status cache", []string{"zlib", "zstd"}, map[string]string{
-			"zstd":    "internal/pkg (amd64) on satori\n",
-			"hakurei": "internal/pkg (amd64) on satori\n\n",
-		}, "", `
-name        : zlib-` + zlibMeta.Version + `
-description : lossless data-compression library
-website     : https://zlib.net
-status      : not yet cured
-
-name        : zstd-` + zstdMeta.Version + `
-description : a fast compression algorithm
-website     : https://facebook.github.io/zstd
-status      : internal/pkg (amd64) on satori
-`, nil},
-
-		{"status cache perm", []string{"zlib"}, map[string]string{
-			"zlib": "\x00",
-		}, "", `
-name        : zlib-` + zlibMeta.Version + `
-description : lossless data-compression library
-website     : https://zlib.net
-`, func(cm *cache) error {
-			return &os.PathError{
-				Op:   "open",
-				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(zlib).Value())),
-				Err:  syscall.EACCES,
-			}
-		}},
-
-		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
-name        : zlib-` + zlibMeta.Version + `
-description : lossless data-compression library
-website     : https://zlib.net
-status      : not in report
-`, nil},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			var (
-				cm  *cache
-				buf strings.Builder
-				r   *rosa.Report
-			)
-
-			if tc.status != nil || tc.report != "" {
-				cm = &cache{
-					ctx:  context.Background(),
-					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
-					base: t.TempDir(),
-				}
-				defer cm.Close()
-			}
-
-			if tc.report != "" {
-				pathname := filepath.Join(t.TempDir(), "report")
-				err := os.WriteFile(
-					pathname,
-					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
-					0400,
-				)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				r, err = rosa.OpenReport(pathname)
-				if err != nil {
-					t.Fatal(err)
-				}
-				defer func() {
-					if err = r.Close(); err != nil {
-						t.Fatal(err)
-					}
-				}()
-			}
-
-			if tc.status != nil {
-				for name, status := range tc.status {
-					_, a := _t.Load(rosa.ArtifactH(unique.Make(name)))
-					if a == nil {
-						t.Fatalf("invalid name %q", name)
-					}
-					perm := os.FileMode(0400)
-					if status == "\x00" {
-						perm = 0
-					}
-					if err := cm.Do(func(cache *pkg.Cache) error {
-						return os.WriteFile(filepath.Join(
-							cm.base,
-							"status",
-							pkg.Encode(cache.Ident(a).Value()),
-						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
-					}); err != nil {
-						t.Fatalf("Do: error = %v", err)
-					}
-				}
-			}
-
-			var wantErr error
-			switch c := tc.wantErr.(type) {
-			case error:
-				wantErr = c
-			case func(cm *cache) error:
-				wantErr = c(cm)
-			default:
-				if tc.wantErr != nil {
-					t.Fatalf("invalid wantErr %#v", tc.wantErr)
-				}
-			}
-
-			if err := commandInfo(
-				cm,
-				tc.args,
-				&buf,
-				cm != nil,
-				r,
-			); !reflect.DeepEqual(err, wantErr) {
-				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
-			}
-
-			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
-				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
-			}
-		})
-	}
-}

cmd/mbf/internal/pkgserver/api.go

@@ -1,202 +0,0 @@
-// Package pkgserver implements the package metadata service backend.
-package pkgserver
-
-import (
-	"context"
-	"encoding/json"
-	"log"
-	"net/http"
-	"net/url"
-	"path"
-	"strconv"
-	"sync"
-	"time"
-
-	"hakurei.app/internal/info"
-	"hakurei.app/internal/rosa"
-)
-
-// for lazy initialisation of serveInfo
-var (
-	infoPayload struct {
-		// Current package count.
-		Count int `json:"count"`
-		// Hakurei version, set at link time.
-		HakureiVersion string `json:"hakurei_version"`
-	}
-	infoPayloadOnce sync.Once
-)
-
-// handleInfo writes constant system information.
-func handleInfo(w http.ResponseWriter, _ *http.Request) {
-	infoPayloadOnce.Do(func() {
-		infoPayload.Count = len(rosa.Native().Collect())
-		infoPayload.HakureiVersion = info.Version()
-	})
-	// TODO(mae): cache entire response if no additional fields are planned
-	writeAPIPayload(w, infoPayload)
-}
-
-// newStatusHandler returns a [http.HandlerFunc] that offers status files for
-// viewing or download, if available.
-func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		m, ok := index.names[path.Base(r.URL.Path)]
-		if !ok || !m.HasReport {
-			http.NotFound(w, r)
-			return
-		}
-
-		contentType := "text/plain; charset=utf-8"
-		if disposition {
-			contentType = "application/octet-stream"
-
-			// quoting like this is unsound, but okay, because metadata is hardcoded
-			contentDisposition := `attachment; filename="`
-			contentDisposition += m.Name + "-"
-			if m.Version != "" {
-				contentDisposition += m.Version + "-"
-			}
-			contentDisposition += m.ids + `.log"`
-			w.Header().Set("Content-Disposition", contentDisposition)
-		}
-		w.Header().Set("Content-Type", contentType)
-		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-		if err := func() (err error) {
-			defer index.handleAccess(&err)()
-			_, err = w.Write(m.status)
-			return
-		}(); err != nil {
-			log.Println(err)
-			http.Error(
-				w, "cannot deliver status, contact maintainers",
-				http.StatusInternalServerError,
-			)
-		}
-	}
-}
-
-// handleGet writes a slice of metadata with specified order.
-func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
-	q := r.URL.Query()
-	limit, err := strconv.Atoi(q.Get("limit"))
-	if err != nil || limit > 100 || limit < 1 {
-		http.Error(
-			w, "limit must be an integer between 1 and 100",
-			http.StatusBadRequest,
-		)
-		return
-	}
-	i, err := strconv.Atoi(q.Get("index"))
-	if err != nil || i >= len(index.sorts[0]) || i < 0 {
-		http.Error(
-			w, "index must be an integer between 0 and "+
-				strconv.Itoa(len(index.sorts[0])-1),
-			http.StatusBadRequest,
-		)
-		return
-	}
-	sort, err := strconv.Atoi(q.Get("sort"))
-	if err != nil || sort >= len(index.sorts) || sort < 0 {
-		http.Error(
-			w, "sort must be an integer between 0 and "+
-				strconv.Itoa(sortOrderEnd),
-			http.StatusBadRequest,
-		)
-		return
-	}
-	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
-	writeAPIPayload(w, &struct {
-		Values []*metadata `json:"values"`
-	}{values})
-}
-
-func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
-	q := r.URL.Query()
-	limit, err := strconv.Atoi(q.Get("limit"))
-	if err != nil || limit > 100 || limit < 1 {
-		http.Error(
-			w, "limit must be an integer between 1 and 100",
-			http.StatusBadRequest,
-		)
-		return
-	}
-	i, err := strconv.Atoi(q.Get("index"))
-	if err != nil || i >= len(index.sorts[0]) || i < 0 {
-		http.Error(
-			w, "index must be an integer between 0 and "+
-				strconv.Itoa(len(index.sorts[0])-1),
-			http.StatusBadRequest,
-		)
-		return
-	}
-	search, err := url.QueryUnescape(q.Get("search"))
-	if len(search) > 100 || err != nil {
-		http.Error(
-			w, "search must be a string between 0 and 100 characters long",
-			http.StatusBadRequest,
-		)
-		return
-	}
-	desc := q.Get("desc") == "true"
-	n, res, err := index.performSearchQuery(limit, i, search, desc)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-	}
-	writeAPIPayload(w, &struct {
-		Count  int            `json:"count"`
-		Values []searchResult `json:"values"`
-	}{n, res})
-}
-
-// apiVersion is the name of the current API revision, as part of the pattern.
-const apiVersion = "v1"
-
-// registerAPI registers API handler functions.
-func (index *packageIndex) registerAPI(mux *http.ServeMux) {
-	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
-	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
-	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
-	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
-	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
-}
-
-// Register arranges for mux to service API requests.
-func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
-	var index packageIndex
-	index.search = make(searchCache)
-	if err := index.populate(report); err != nil {
-		return err
-	}
-	ticker := time.NewTicker(1 * time.Minute)
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				ticker.Stop()
-				return
-			case <-ticker.C:
-				index.search.clean()
-			}
-		}
-	}()
-	index.registerAPI(mux)
-	return nil
-}
-
-// writeAPIPayload sets headers common to API responses and encodes payload as
-// JSON for the response body.
-func writeAPIPayload(w http.ResponseWriter, payload any) {
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-	w.Header().Set("Pragma", "no-cache")
-	w.Header().Set("Expires", "0")
-
-	if err := json.NewEncoder(w).Encode(payload); err != nil {
-		log.Println(err)
-		http.Error(
-			w, "cannot encode payload, contact maintainers",
-			http.StatusInternalServerError,
-		)
-	}
-}

cmd/mbf/internal/pkgserver/api_test.go

@@ -1,111 +0,0 @@
-package pkgserver
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"strconv"
-	"testing"
-
-	"hakurei.app/internal/info"
-	"hakurei.app/internal/rosa"
-)
-
-// prefix is prepended to every API path.
-const prefix = "/api/" + apiVersion + "/"
-
-func TestAPIInfo(t *testing.T) {
-	t.Parallel()
-
-	w := httptest.NewRecorder()
-	handleInfo(w, httptest.NewRequestWithContext(
-		t.Context(),
-		http.MethodGet,
-		prefix+"info",
-		nil,
-	))
-
-	resp := w.Result()
-	checkStatus(t, resp, http.StatusOK)
-	checkAPIHeader(t, w.Header())
-
-	checkPayload(t, resp, struct {
-		Count          int    `json:"count"`
-		HakureiVersion string `json:"hakurei_version"`
-	}{len(rosa.Native().Collect()), info.Version()})
-}
-
-func TestAPIGet(t *testing.T) {
-	t.Parallel()
-	const target = prefix + "get"
-
-	index := newIndex(t)
-	newRequest := func(suffix string) *httptest.ResponseRecorder {
-		w := httptest.NewRecorder()
-		index.handleGet(w, httptest.NewRequestWithContext(
-			t.Context(),
-			http.MethodGet,
-			target+suffix,
-			nil,
-		))
-		return w
-	}
-
-	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
-		t.Run("invalid", func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest("?" + suffix + "=invalid")
-			resp := w.Result()
-			checkError(t, resp, wantErr, http.StatusBadRequest)
-		})
-
-		t.Run("min", func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
-			resp := w.Result()
-			checkError(t, resp, wantErr, http.StatusBadRequest)
-
-			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
-			resp = w.Result()
-			checkStatus(t, resp, http.StatusOK)
-		})
-
-		t.Run("max", func(t *testing.T) {
-			t.Parallel()
-
-			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
-			resp := w.Result()
-			checkError(t, resp, wantErr, http.StatusBadRequest)
-
-			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
-			resp = w.Result()
-			checkStatus(t, resp, http.StatusOK)
-		})
-	}
-
-	t.Run("limit", func(t *testing.T) {
-		t.Parallel()
-		checkValidate(
-			t, "index=0&sort=0&limit", 1, 100,
-			"limit must be an integer between 1 and 100",
-		)
-	})
-
-	count := len(rosa.Native().Collect())
-	t.Run("index", func(t *testing.T) {
-		t.Parallel()
-		checkValidate(
-			t, "limit=1&sort=0&index", 0, count-1,
-			"index must be an integer between 0 and "+strconv.Itoa(count-1),
-		)
-	})
-
-	t.Run("sort", func(t *testing.T) {
-		t.Parallel()
-		checkValidate(
-			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
-			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
-		)
-	})
-}

cmd/mbf/internal/pkgserver/index.go

@@ -1,108 +0,0 @@
-package pkgserver
-
-import (
-	"cmp"
-	"errors"
-	"slices"
-	"strings"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-)
-
-const (
-	declarationAscending = iota
-	declarationDescending
-	nameAscending
-	nameDescending
-	sizeAscending
-	sizeDescending
-
-	sortOrderEnd = iota - 1
-)
-
-// packageIndex refers to metadata by name and various sort orders.
-type packageIndex struct {
-	sorts  [sortOrderEnd + 1][]*metadata
-	names  map[string]*metadata
-	search searchCache
-	// Taken from [rosa.Report] if available.
-	handleAccess func(*error) func()
-}
-
-// metadata holds [rosa.Metadata] extended with additional information.
-type metadata struct {
-	handle rosa.ArtifactH
-	*rosa.Metadata
-
-	// Copied from [rosa.Metadata], [rosa.Unversioned] is equivalent to the zero
-	// value. Otherwise, the zero value is invalid.
-	Version string `json:"version,omitempty"`
-	// Output data size, available if present in report.
-	Size int64 `json:"size,omitempty"`
-	// Whether the underlying [pkg.Artifact] is present in the report.
-	HasReport bool `json:"report"`
-
-	// Ident string encoded ahead of time.
-	ids string
-	// Backed by [rosa.Report], access must be prepared by HandleAccess.
-	status []byte
-}
-
-// populate deterministically populates packageIndex, optionally with a report.
-func (index *packageIndex) populate(report *rosa.Report) (err error) {
-	if report != nil {
-		defer report.HandleAccess(&err)()
-		index.handleAccess = report.HandleAccess
-	}
-
-	handles := rosa.Native().Collect()
-	work := make([]*metadata, len(handles))
-	index.names = make(map[string]*metadata)
-	ir := pkg.NewIR()
-	for i, handle := range handles {
-		meta, a := rosa.Native().Std().MustLoad(handle)
-		m := metadata{
-			handle: handle,
-
-			Metadata: meta,
-			Version:  meta.Version,
-		}
-		if m.Version == "" {
-			return errors.New("invalid version from " + m.Name)
-		}
-		if m.Version == rosa.Unversioned {
-			m.Version = ""
-		}
-
-		if report != nil {
-			id := ir.Ident(a)
-			m.ids = pkg.Encode(id.Value())
-			m.status, m.Size = report.ArtifactOf(id)
-			m.HasReport = m.Size >= 0
-		}
-
-		work[i] = &m
-		index.names[m.Name] = &m
-	}
-
-	index.sorts[declarationAscending] = work
-	index.sorts[declarationDescending] = slices.Clone(work)
-	slices.Reverse(index.sorts[declarationDescending][:])
-
-	index.sorts[nameAscending] = slices.Clone(work)
-	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
-		return strings.Compare(a.Name, b.Name)
-	})
-	index.sorts[nameDescending] = slices.Clone(index.sorts[nameAscending])
-	slices.Reverse(index.sorts[nameDescending][:])
-
-	index.sorts[sizeAscending] = slices.Clone(work)
-	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
-		return cmp.Compare(a.Size, b.Size)
-	})
-	index.sorts[sizeDescending] = slices.Clone(index.sorts[sizeAscending])
-	slices.Reverse(index.sorts[sizeDescending][:])
-
-	return
-}

cmd/mbf/internal/pkgserver/index_test.go

@@ -1,96 +0,0 @@
-package pkgserver
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"reflect"
-	"testing"
-)
-
-// newIndex returns the address of a newly populated packageIndex.
-func newIndex(t *testing.T) *packageIndex {
-	t.Helper()
-
-	var index packageIndex
-	if err := index.populate(nil); err != nil {
-		t.Fatalf("populate: error = %v", err)
-	}
-	return &index
-}
-
-// checkStatus checks response status code.
-func checkStatus(t *testing.T, resp *http.Response, want int) {
-	t.Helper()
-
-	if resp.StatusCode != want {
-		t.Errorf(
-			"StatusCode: %s, want %s",
-			http.StatusText(resp.StatusCode),
-			http.StatusText(want),
-		)
-	}
-}
-
-// checkHeader checks the value of a header entry.
-func checkHeader(t *testing.T, h http.Header, key, want string) {
-	t.Helper()
-
-	if got := h.Get(key); got != want {
-		t.Errorf("%s: %q, want %q", key, got, want)
-	}
-}
-
-// checkAPIHeader checks common entries set for API endpoints.
-func checkAPIHeader(t *testing.T, h http.Header) {
-	t.Helper()
-
-	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
-	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
-	checkHeader(t, h, "Pragma", "no-cache")
-	checkHeader(t, h, "Expires", "0")
-}
-
-// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
-func checkPayloadFunc[T any](
-	t *testing.T,
-	resp *http.Response,
-	f func(got *T) bool,
-) {
-	t.Helper()
-
-	var got T
-	r := io.Reader(resp.Body)
-	if testing.Verbose() {
-		var buf bytes.Buffer
-		r = io.TeeReader(r, &buf)
-		defer func() { t.Helper(); t.Log(buf.String()) }()
-	}
-	if err := json.NewDecoder(r).Decode(&got); err != nil {
-		t.Fatalf("Decode: error = %v", err)
-	}
-
-	if !f(&got) {
-		t.Errorf("Body: %#v", got)
-	}
-}
-
-// checkPayload checks the JSON response of an API endpoint.
-func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
-	t.Helper()
-
-	checkPayloadFunc(t, resp, func(got *T) bool {
-		return reflect.DeepEqual(got, &want)
-	})
-}
-
-func checkError(t *testing.T, resp *http.Response, error string, code int) {
-	t.Helper()
-
-	checkStatus(t, resp, code)
-	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
-		t.Errorf("Body: %q, want %q", string(got), error)
-	}
-}

cmd/mbf/internal/pkgserver/search.go

@@ -1,81 +0,0 @@
-package pkgserver
-
-import (
-	"cmp"
-	"maps"
-	"regexp"
-	"slices"
-	"time"
-)
-
-type searchCache map[string]searchCacheEntry
-type searchResult struct {
-	NameIndices [][]int `json:"name_matches"`
-	DescIndices [][]int `json:"desc_matches,omitempty"`
-	Score       float64 `json:"score"`
-	*metadata
-}
-type searchCacheEntry struct {
-	query   string
-	results []searchResult
-	expiry  time.Time
-}
-
-func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
-	query := search
-	if desc {
-		query += ";withDesc"
-	}
-	entry, ok := index.search[query]
-	if ok && len(entry.results) > 0 {
-		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
-	}
-
-	regex, err := regexp.Compile(search)
-	if err != nil {
-		return 0, make([]searchResult, 0), err
-	}
-	res := make([]searchResult, 0)
-	for p := range maps.Values(index.names) {
-		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
-		var descIndices [][]int = nil
-		if desc {
-			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
-		}
-		if nameIndices == nil && descIndices == nil {
-			continue
-		}
-		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
-		if desc {
-			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
-		}
-		res = append(res, searchResult{
-			NameIndices: nameIndices,
-			DescIndices: descIndices,
-			Score:       score,
-			metadata:    p,
-		})
-	}
-	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
-	expiry := time.Now().Add(1 * time.Minute)
-	entry = searchCacheEntry{
-		query:   search,
-		results: res,
-		expiry:  expiry,
-	}
-	index.search[query] = entry
-
-	return len(res), res[i:min(i+limit, len(entry.results))], nil
-}
-func (s *searchCache) clean() {
-	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
-		return v.expiry.Before(time.Now())
-	})
-}
-func indexsum(in [][]int) int {
-	sum := 0
-	for i := range in {
-		sum += in[i][1] - in[i][0]
-	}
-	return sum
-}

cmd/mbf/internal/pkgserver/ui/index.html

@@ -1,58 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="stylesheet" href="style.css">
-    <link rel="icon" href="https://hakurei.app/favicon.ico"/>
-    <title>Rosa OS Packages</title>
-    <script src="index.js"></script>
-</head>
-<body>
-<h1>Rosa OS Packages</h1>
-<div class="top-controls" id="top-controls-regular">
-    <p>Showing entries <span id="entry-counter"></span>.</p>
-    <span id="search-bar">
-        <label for="search">Search: </label>
-        <input type="text" name="search" id="search"/>
-        <button onclick="doSearch()">Find</button>
-        <label for="include-desc">Include descriptions: </label>
-        <input type="checkbox" name="include-desc" id="include-desc" checked/>
-    </span>
-    <div><label for="count">Entries per page: </label><select name="count" id="count">
-        <option value="10">10</option>
-        <option value="20">20</option>
-        <option value="30">30</option>
-        <option value="50">50</option>
-    </select></div>
-    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
-        <option value="0">Definition (ascending)</option>
-        <option value="1">Definition (descending)</option>
-        <option value="2">Name (ascending)</option>
-        <option value="3">Name (descending)</option>
-        <option value="4">Size (ascending)</option>
-        <option value="5">Size (descending)</option>
-    </select></div>
-</div>
-<div class="top-controls" id="search-top-controls" hidden>
-    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
-    <button onclick="exitSearch()">Back</button>
-    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
-        <option value="10">10</option>
-        <option value="20">20</option>
-        <option value="30">30</option>
-        <option value="50">50</option>
-    </select></div>
-    <p>Sorted by best match</p>
-</div>
-<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
-<table id="pkg-list">
-    <tr><td>Loading...</td></tr>
-</table>
-<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
-<footer>
-    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
-</footer>
-<script>main();</script>
-</body>
-</html>

cmd/mbf/internal/pkgserver/ui/index.ts

@@ -1,331 +0,0 @@
-interface PackageIndexEntry {
-    name: string
-    size?: number
-    description?: string
-    website?: string
-    version?: string
-    report?: boolean
-}
-
-function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
-    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
-    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
-    let n: string
-    let d: string
-    if ('name_matches' in entry) {
-        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
-    } else {
-        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
-    }
-    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
-        d = descMatches(entry as SearchResult)
-    } else {
-        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
-    }
-    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
-    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
-    let row = <HTMLTableRowElement>(document.createElement('tr'))
-    row.innerHTML = `<td>
-            ${n}
-            ${d}
-            ${s}
-            ${w}
-            ${r}
-        </td>`
-    return row
-}
-
-function nameMatches(sr: SearchResult): string {
-    return markMatches(sr.name, sr.name_matches)
-}
-
-function descMatches(sr: SearchResult): string {
-    return markMatches(sr.description!, sr.desc_matches)
-}
-
-function markMatches(str: string, indices: [number, number][]): string {
-    if (indices == null) {
-        return str
-    }
-    let out: string = ""
-    let j = 0
-    for (let i = 0; i < str.length; i++) {
-        if (j < indices.length) {
-            if (i === indices[j][0]) {
-                out += `<mark>${escapeHtmlChar(str[i])}`
-                continue
-            }
-            if (i === indices[j][1]) {
-                out += `</mark>${escapeHtmlChar(str[i])}`
-                j++
-                continue
-            }
-        }
-        out += escapeHtmlChar(str[i])
-    }
-    if (indices[j] !== undefined) {
-        out += "</mark>"
-    }
-    return out
-}
-
-function toByteSizeString(bytes: number): string {
-    if (bytes == null) return `unspecified`
-    if (bytes < 1024) return `${bytes}B`
-    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
-    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
-    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
-    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
-    return "not only is it big, it's large"
-}
-
-const API_VERSION = 1
-const ENDPOINT = `/api/v${API_VERSION}`
-
-interface InfoPayload {
-    count?: number
-    hakurei_version?: string
-}
-
-async function infoRequest(): Promise<InfoPayload> {
-    const res = await fetch(`${ENDPOINT}/info`)
-    const payload = await res.json()
-    return payload as InfoPayload
-}
-
-interface GetPayload {
-    values?: PackageIndexEntry[]
-}
-
-enum SortOrders {
-    DeclarationAscending,
-    DeclarationDescending,
-    NameAscending,
-    NameDescending
-}
-
-async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
-    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
-    const payload = await res.json()
-    return payload as GetPayload
-}
-
-interface SearchResult extends PackageIndexEntry {
-    name_matches: [number, number][]
-    desc_matches: [number, number][]
-    score: number
-}
-
-interface SearchPayload {
-    count?: number
-    values?: SearchResult[]
-}
-
-async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
-    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
-    if (!res.ok) {
-        exitSearch()
-        alert("invalid search query!")
-        return Promise.reject(res.statusText)
-    }
-    const payload = await res.json()
-    return payload as SearchPayload
-}
-
-class State {
-    entriesPerPage: number = 10
-    entryIndex: number = 0
-    maxTotal: number = 0
-    maxEntries: number = 0
-    sort: SortOrders = SortOrders.DeclarationAscending
-    search: boolean = false
-
-    getEntriesPerPage(): number {
-        return this.entriesPerPage
-    }
-
-    setEntriesPerPage(entriesPerPage: number) {
-        this.entriesPerPage = entriesPerPage
-        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
-    }
-
-    getEntryIndex(): number {
-        return this.entryIndex
-    }
-
-    setEntryIndex(entryIndex: number) {
-        this.entryIndex = entryIndex
-        this.updatePage()
-        this.updateRange()
-        this.updateListings()
-    }
-
-    getMaxTotal(): number {
-        return this.maxTotal
-    }
-
-    setMaxTotal(max: number) {
-        this.maxTotal = max
-    }
-
-    getSortOrder(): SortOrders {
-        return this.sort
-    }
-
-    setSortOrder(sortOrder: SortOrders) {
-        this.sort = sortOrder
-        this.setEntryIndex(0)
-    }
-
-    updatePage() {
-        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
-        for (let e of document.getElementsByClassName("page-number")) {
-            (e as HTMLInputElement).value = String(page)
-        }
-    }
-
-    updateRange() {
-        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
-        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
-        if (this.search) {
-            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
-            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
-        }
-    }
-
-    getSearchQuery(): string {
-        let queryString = document.getElementById("search")!;
-        return (queryString as HTMLInputElement).value
-    }
-
-    getIncludeDescriptions(): boolean {
-        let includeDesc = document.getElementById("include-desc")!;
-        return (includeDesc as HTMLInputElement).checked
-    }
-
-    updateListings() {
-        if (this.search) {
-            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
-                .then(res => {
-                    let table = document.getElementById("pkg-list")!
-                    table.innerHTML = ''
-                    for (let row of res.values!) {
-                        table.appendChild(entryToHTML(row))
-                    }
-                    STATE.maxTotal = res.count!
-                    STATE.updateRange()
-                    if(res.count! < 1) {
-                        exitSearch()
-                        alert("no results found!")
-                    }
-                })
-        } else {
-            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
-                .then(res => {
-                    let table = document.getElementById("pkg-list")!
-                    table.innerHTML = ''
-                    for (let row of res.values!) {
-                        table.appendChild(entryToHTML(row))
-                    }
-                })
-        }
-    }
-}
-
-let STATE: State
-
-
-function lastPageIndex(): number {
-    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
-}
-
-function setPage(page: number) {
-    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
-}
-
-
-function escapeHtml(str?: string): string {
-    let out: string = ''
-    if (str == undefined) return ""
-    for (let i = 0; i < str.length; i++) {
-        out += escapeHtmlChar(str[i])
-    }
-    return out
-}
-
-function escapeHtmlChar(char: string): string {
-    if (char.length != 1) return char
-    switch (char[0]) {
-        case '&':
-            return "&amp;"
-        case '<':
-            return "&lt;"
-        case '>':
-            return "&gt;"
-        case '"':
-            return "&quot;"
-        case "'":
-            return "&apos;"
-        default:
-            return char
-    }
-}
-
-function firstPage() {
-    STATE.setEntryIndex(0)
-}
-
-function prevPage() {
-    let index = STATE.getEntryIndex()
-    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
-}
-
-function lastPage() {
-    STATE.setEntryIndex(lastPageIndex())
-}
-
-function nextPage() {
-    let index = STATE.getEntryIndex()
-    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
-}
-
-function doSearch() {
-    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
-    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
-    STATE.search = true;
-    STATE.setEntryIndex(0);
-}
-
-function exitSearch() {
-    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
-    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
-    STATE.search = false;
-    STATE.setMaxTotal(STATE.maxEntries)
-    STATE.setEntryIndex(0)
-}
-
-function main() {
-    STATE = new State()
-    infoRequest()
-        .then(res => {
-            STATE.maxEntries = res.count!
-            STATE.setMaxTotal(STATE.maxEntries)
-            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
-            STATE.updateRange()
-            STATE.updateListings()
-        })
-    for (let e of document.getElementsByClassName("page-number")) {
-        e.addEventListener("change", (_) => {
-            setPage(parseInt((e as HTMLInputElement).value))
-        })
-    }
-    document.getElementById("count")?.addEventListener("change", (event) => {
-        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
-    })
-    document.getElementById("sort")?.addEventListener("change", (event) => {
-        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
-    })
-    document.getElementById("search")?.addEventListener("keyup", (event) => {
-        if (event.key === 'Enter') doSearch()
-    })
-}

cmd/mbf/internal/pkgserver/ui/style.css

@@ -1,21 +0,0 @@
-.page-number {
-  width: 2em;
-  text-align: center;
-}
-.page-number {
-  width: 2em;
-  text-align: center;
-}
-
-@media (prefers-color-scheme: dark) {
-  html {
-    background-color: #2c2c2c;
-    color: ghostwhite;
-  }
-}
-@media (prefers-color-scheme: light) {
-  html {
-    background-color: #d3d3d3;
-    color: black;
-  }
-}

cmd/mbf/internal/pkgserver/ui/tsconfig.json

@@ -1,8 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2024",
-    "strict": true,
-    "alwaysStrict": true,
-    "outDir": "static"
-  }
-}

cmd/mbf/internal/pkgserver/ui/ui.go

@@ -1,9 +0,0 @@
-// Package ui holds the static web UI.
-package ui
-
-import "net/http"
-
-// Register arranges for mux to serve the embedded frontend.
-func Register(mux *http.ServeMux) {
-	mux.Handle("GET /", http.FileServer(http.FS(static)))
-}

cmd/mbf/internal/pkgserver/ui/ui_full.go

@@ -1,21 +0,0 @@
-//go:build frontend
-
-package ui
-
-import (
-	"embed"
-	"io/fs"
-)
-
-//go:generate tsc
-//go:generate cp index.html style.css static
-//go:embed static
-var _static embed.FS
-
-var static = func() fs.FS {
-	if f, err := fs.Sub(_static, "static"); err != nil {
-		panic(err)
-	} else {
-		return f
-	}
-}()

cmd/mbf/internal/pkgserver/ui/ui_stub.go

@@ -1,7 +0,0 @@
-//go:build !frontend
-
-package ui
-
-import "testing/fstest"
-
-var static fstest.MapFS

cmd/mbf/main_test.go

@@ -1,47 +0,0 @@
-package main
-
-import (
-	"net"
-	"os"
-	"testing"
-
-	"hakurei.app/internal/rosa"
-)
-
-func TestMain(m *testing.M) {
-	rosa.Native().DropCaches("", rosa.OptLLVMNoLTO)
-	os.Exit(m.Run())
-}
-
-func TestCureAll(t *testing.T) {
-	t.Parallel()
-	const env = "ROSA_TEST_DAEMON"
-
-	if !testing.Verbose() {
-		t.Skip("verbose flag not set")
-	}
-
-	pathname, ok := os.LookupEnv(env)
-	if !ok {
-		t.Skip(env + " not set")
-	}
-
-	addr := net.UnixAddr{Net: "unix", Name: pathname}
-	t.Cleanup(func() {
-		if t.Failed() {
-			if err := abortRemote(t.Context(), &addr, false); err != nil {
-				t.Fatal(err)
-			}
-		}
-	})
-
-	for _, handle := range rosa.Native().Collect() {
-		_, a := rosa.Native().Std().MustLoad(handle)
-		t.Run(handle.String(), func(t *testing.T) {
-			_, err := cureRemote(t.Context(), &addr, a, 0)
-			if err != nil {
-				t.Error(err)
-			}
-		})
-	}
-}

cmd/sharefs/fuse.go

@@ -508,8 +508,8 @@ func _main(s ...string) (exitCode int) {
 
 		if !z.AllowOrphan {
 			if err := z.Wait(); err != nil {
-				exitError, ok := errors.AsType[*exec.ExitError](err)
+				var exitError *exec.ExitError
-				if !ok || exitError == nil {
+				if !errors.As(err, &exitError) || exitError == nil {
 					log.Println(err)
 					return 5
 				}

cmd/sharefs/test/configuration.nix

@@ -20,14 +20,11 @@
   };
 
   virtualisation = {
-    # Hopefully reduces spurious test failures:
-    memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
-
     diskSize = 6 * 1024;
 
     qemu.options = [
       # Increase test performance:
-      "-smp 16"
+      "-smp 8"
     ];
   };
 

cmd/sharefs/test/default.nix

@@ -28,7 +28,7 @@ testers.nixosTest {
         # For go tests:
         (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
           cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
-          ${fhs}/bin/hakurei-fhs -c 'ROSA_SKIP_BINFMT=1 CC="clang -O3 -Werror" go test ./...'
+          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
         '')
       ];
 

command/parse.go

@@ -91,8 +91,8 @@ func (n *node) MustParse(arguments []string, handleError func(error)) {
 	case ErrEmptyTree:
 		os.Exit(1)
 	default:
-		flagError, ok := errors.AsType[FlagError](err)
+		var flagError FlagError
-		if !ok { // returned by HandlerFunc
+		if !errors.As(err, &flagError) { // returned by HandlerFunc
 			handleError(err)
 			os.Exit(1)
 		}

container/binfmt.go

@@ -1,46 +0,0 @@
-package container
-
-import (
-	"strings"
-	"unsafe"
-
-	"hakurei.app/check"
-)
-
-// escapeBinfmt escapes magic/mask sequences in a [BinfmtEntry].
-func escapeBinfmt(buf *strings.Builder, s string) string {
-	const lowerhex = "0123456789abcdef"
-
-	buf.Reset()
-	for _, c := range unsafe.Slice(unsafe.StringData(s), len(s)) {
-		switch c {
-		case 0, '\\', ':':
-			buf.WriteString(`\x`)
-			buf.WriteByte(lowerhex[c>>4])
-			buf.WriteByte(lowerhex[c&0xf])
-
-		default:
-			buf.WriteByte(c)
-		}
-	}
-	return buf.String()
-}
-
-// BinfmtEntry is an entry to be registered by the init process.
-type BinfmtEntry struct {
-	// The offset of the magic/mask in the file, counted in bytes.
-	Offset byte
-	// The byte sequence binfmt_misc is matching for.
-	Magic string
-	// An (optional, defaults to all 0xff) mask.
-	Mask string
-	// The program that should be invoked with the binary as first argument.
-	Interpreter *check.Absolute
-}
-
-// Valid returns whether e can be registered into the kernel.
-func (e *BinfmtEntry) Valid() bool {
-	return e != nil &&
-		int(e.Offset)+max(len(e.Magic), len(e.Mask)) < 128 &&
-		e.Interpreter != nil && len(e.Interpreter.String()) < 128
-}

container/binfmt_test.go

@@ -1,62 +0,0 @@
-package container
-
-import (
-	"strings"
-	"testing"
-
-	"hakurei.app/fhs"
-)
-
-func TestEscapeBinfmt(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name  string
-		magic string
-		want  string
-	}{
-		{"packed DOS applications", "\x0eDEX", "\x0eDEX"},
-
-		{"riscv64 magic",
-			"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
-			"\x7fELF\x02\x01\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\x02\\x00\xf3\\x00"},
-		{"riscv64 mask",
-			"\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
-			"\xff\xff\xff\xff\xff\xff\xff\\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			got := escapeBinfmt(new(strings.Builder), tc.magic)
-			if got != tc.want {
-				t.Errorf("escapeBinfmt: %q, want %q", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestBinfmtEntry(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name  string
-		e     BinfmtEntry
-		valid bool
-	}{
-		{"zero", BinfmtEntry{}, false},
-		{"large offset", BinfmtEntry{Offset: 128}, false},
-		{"long magic", BinfmtEntry{Magic: strings.Repeat("\x00", 128)}, false},
-		{"long mask", BinfmtEntry{Mask: strings.Repeat("\x00", 128)}, false},
-		{"valid", BinfmtEntry{Interpreter: fhs.AbsRoot}, true},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			if tc.e.Valid() != tc.valid {
-				t.Errorf("Valid: %v", !tc.valid)
-			}
-		})
-	}
-}

container/capability.go

@@ -18,7 +18,6 @@ const (
 	CAP_SETPCAP      = 0x8
 	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
-	CAP_SETFCAP      = 0x1f
 )
 
 type (

container/container.go

@@ -21,7 +21,6 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
-	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )
 
@@ -67,9 +66,6 @@ type (
 		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration
 
-		// Suppress verbose output of init.
-		Quiet bool
-
 		cmd *exec.Cmd
 		ctx context.Context
 		msg message.Msg
@@ -91,20 +87,12 @@ type (
 		// Time to wait for processes lingering after the initial process terminates.
 		AdoptWaitDelay time.Duration
 
-		// Map uid/gid 0 in the init process. Requires [FstypeProc] attached to
-		// [fhs.Proc] in the container filesystem.
-		InitAsRoot bool
 		// Mapped Uid in user namespace.
 		Uid int
 		// Mapped Gid in user namespace.
 		Gid int
 		// Hostname value in UTS namespace.
 		Hostname string
-		// Register binfmt_misc entries.
-		Binfmt []BinfmtEntry
-		// Alternative pathname to attach binfmt_misc filesystem. The zero value
-		// requires [FstypeProc] to be made available at [fhs.Proc].
-		BinfmtPath *check.Absolute
 		// Sequential container setup ops.
 		*Ops
 
@@ -154,8 +142,11 @@ func (e *StartError) Error() string {
 		return e.Step
 	}
 
-	if se, ok := errors.AsType[*os.SyscallError](e.Err); ok && se != nil {
+	{
-		return e.Step + " " + se.Error()
+		var syscallError *os.SyscallError
+		if errors.As(e.Err, &syscallError) && syscallError != nil {
+			return e.Step + " " + syscallError.Error()
+		}
 	}
 
 	return e.Step + ": " + e.Err.Error()
@@ -221,9 +212,6 @@ func (p *Container) Start() error {
 	if p.cmd.Process != nil {
 		return errors.New("container: already started")
 	}
-	if !p.InitAsRoot && len(p.Binfmt) > 0 {
-		return errors.New("container: init as root required, but not enabled")
-	}
 
 	if err := ensureCloseOnExec(); err != nil {
 		return err
@@ -294,18 +282,6 @@ func (p *Container) Start() error {
 	if !p.HostNet {
 		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
 	}
-	if p.InitAsRoot {
-		p.cmd.SysProcAttr.AmbientCaps = append(p.cmd.SysProcAttr.AmbientCaps,
-			// mappings during init as root
-			CAP_SETFCAP,
-		)
-
-		if !p.SeccompDisable &&
-			len(p.SeccompRules) == 0 &&
-			p.SeccompPresets&std.PresetDenyNS != 0 {
-			return errors.New("container: as root requires late namespace creation")
-		}
-	}
 
 	// place setup pipe before user supplied extra files, this is later restored by init
 	if r, w, err := os.Pipe(); err != nil {
@@ -331,7 +307,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := setNoNewPrivs(); err != nil {
+			if err := SetNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -341,14 +317,12 @@ func (p *Container) Start() error {
 
 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &landlock.RulesetAttr{
+				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
-					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
-				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}
 
-				if abi, err := landlock.GetABI(); err != nil {
+				if abi, err := LandlockGetABI(); err != nil {
 					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
 						// to resources already covered by namespaces (pid, net)
@@ -365,6 +339,8 @@ func (p *Container) Start() error {
 						Err:    ENOSYS,
 						Origin: true,
 					}
+				} else {
+					p.msg.Verbosef("landlock abi version %d", abi)
 				}
 
 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
@@ -374,7 +350,8 @@ func (p *Container) Start() error {
 						Err:   err,
 					}
 				} else {
-					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
+					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
+					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,
@@ -430,6 +407,7 @@ func (p *Container) Start() error {
 				}
 			}
 
+			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return &StartError{
 					Step:        "start container init",
@@ -500,6 +478,7 @@ func (p *Container) Serve() (err error) {
 			}
 
 		case <-done:
+			p.msg.Verbose("setup payload took", time.Since(t))
 			return
 		}
 	}(p.setup[1])
@@ -509,7 +488,7 @@ func (p *Container) Serve() (err error) {
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
-		p.msg.IsVerbose() && !p.Quiet,
+		p.msg.IsVerbose(),
 	})
 }
 

container/container_test.go

@@ -16,8 +16,6 @@ import (
 	"strings"
 	"syscall"
 	"testing"
-	"time"
-	"unsafe"
 
 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -28,7 +26,6 @@ import (
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/info"
-	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
@@ -235,9 +232,6 @@ func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*v
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }
 
-//go:linkname toHost hakurei.app/container.toHost
-func toHost(name string) string
-
 var containerTestCases = []struct {
 	name    string
 	filter  bool
@@ -337,15 +331,13 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"rw"+
+					"rw,lowerdir="+
-						",lowerdir+="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
-						",lowerdir+="+
-						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
-						toHost(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
-						toHost(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
@@ -395,11 +387,9 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"ro"+
+					"ro,lowerdir="+
-						",lowerdir+="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
-						",lowerdir+="+
-						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
@@ -409,11 +399,39 @@ var containerTestCases = []struct {
 func TestContainer(t *testing.T) {
 	t.Parallel()
 
-	var suffix string
+	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
-runTests:
+		wantErr := context.Canceled
+		wantExitCode := 0
+		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
+		}
+		if ps := c.ProcessState(); ps == nil {
+			t.Errorf("ProcessState unexpectedly returned nil")
+		} else if code := ps.ExitCode(); code != wantExitCode {
+			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
+		}
+	}))
+
+	t.Run("forward", testContainerCancel(func(c *container.Container) {
+		c.ForwardCancel = true
+	}, func(t *testing.T, c *container.Container) {
+		var exitError *exec.ExitError
+		if err := c.Wait(); !errors.As(err, &exitError) {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %v", err)
+		}
+		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
+			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
+		}
+	}))
+
 	for i, tc := range containerTestCases {
-		_suffix := suffix
+		t.Run(tc.name, func(t *testing.T) {
-		t.Run(tc.name+_suffix, func(t *testing.T) {
 			t.Parallel()
 
 			wantOps, wantOpsCtx := tc.ops(t)
@@ -437,10 +455,8 @@ runTests:
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
-			c.InitAsRoot = _suffix != ""
-			c.Env = append(c.Env, "HAKUREI_TEST_SUFFIX="+_suffix)
 			if info.CanDegrade {
-				if _, err := landlock.GetABI(); err != nil {
+				if _, err := container.LandlockGetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
 					}
@@ -448,9 +464,6 @@ runTests:
 					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
 				}
 			}
-			if c.InitAsRoot {
-				c.SeccompPresets &= ^std.PresetDenyNS
-			}
 
 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -519,11 +532,6 @@ runTests:
 			}
 		})
 	}
-
-	if suffix == "" {
-		suffix = " as root"
-		goto runTests
-	}
 }
 
 func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
@@ -546,118 +554,49 @@ func hostnameFromTestCase(name string) string {
 }
 
 func testContainerCancel(
-	t *testing.T,
 	containerExtra func(c *container.Container),
-	waitCheck func(ps *os.ProcessState, waitErr error),
+	waitCheck func(t *testing.T, c *container.Container),
-) {
+) func(t *testing.T) {
-	ctx, cancel := context.WithCancel(t.Context())
+	return func(t *testing.T) {
-
-	c := helperNewContainer(ctx, "block")
-	c.Stdout, c.Stderr = os.Stdout, os.Stderr
-	if containerExtra != nil {
-		containerExtra(c)
-	}
-
-	ready := make(chan struct{})
-	var waitErr error
-	r, w, err := os.Pipe()
-	if err != nil {
-		t.Fatalf("cannot pipe: %v", err)
-	}
-
-	c.ExtraFiles = append(c.ExtraFiles, w)
-	go func() {
-		defer close(ready)
-		if _, _err := r.Read(make([]byte, 1)); _err != nil {
-			panic(_err)
-		}
-	}()
-
-	if err = c.Start(); err != nil {
-		if m, ok := container.InternalMessageFromError(err); ok {
-			t.Fatal(m)
-		} else {
-			t.Fatalf("cannot start container: %v", err)
-		}
-	}
-
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		waitErr = c.Wait()
-		_ = r.SetReadDeadline(time.Now())
-	}()
-
-	if err = c.Serve(); err != nil {
-		if m, ok := container.InternalMessageFromError(err); ok {
-			t.Error(m)
-		} else {
-			t.Errorf("cannot serve setup params: %v", err)
-		}
-	}
-	<-ready
-	cancel()
-	<-done
-	waitCheck(c.ProcessState(), waitErr)
-}
-
-func TestForward(t *testing.T) {
-	t.Parallel()
-
-	f := func(ps *os.ProcessState, waitErr error) {
-		var exitError *exec.ExitError
-		if !errors.As(waitErr, &exitError) {
-			if m, ok := container.InternalMessageFromError(waitErr); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %v", waitErr)
-		}
-		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
-			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
-		}
-	}
-	t.Run("direct", func(t *testing.T) {
 		t.Parallel()
-		testContainerCancel(t, func(c *container.Container) {
+		ctx, cancel := context.WithCancel(t.Context())
-			c.ForwardCancel = true
-		}, f)
-	})
-	t.Run("as root", func(t *testing.T) {
-		testContainerCancel(t, func(c *container.Container) {
-			c.ForwardCancel = true
-			c.InitAsRoot = true
-			c.Proc(fhs.AbsProc)
-		}, f)
-	})
-}
 
-func TestCancel(t *testing.T) {
+		c := helperNewContainer(ctx, "block")
-	t.Parallel()
+		c.Stdout, c.Stderr = os.Stdout, os.Stderr
+		if containerExtra != nil {
+			containerExtra(c)
+		}
 
-	f := func(ps *os.ProcessState, waitErr error) {
+		ready := make(chan struct{})
-		wantErr := context.Canceled
+		if r, w, err := os.Pipe(); err != nil {
-		if !reflect.DeepEqual(waitErr, wantErr) {
+			t.Fatalf("cannot pipe: %v", err)
-			if m, ok := container.InternalMessageFromError(waitErr); ok {
+		} else {
+			c.ExtraFiles = append(c.ExtraFiles, w)
+			go func() {
+				defer close(ready)
+				if _, err = r.Read(make([]byte, 1)); err != nil {
+					panic(err.Error())
+				}
+			}()
+		}
+
+		if err := c.Start(); err != nil {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Fatal(m)
+			} else {
+				t.Fatalf("cannot start container: %v", err)
+			}
+		} else if err = c.Serve(); err != nil {
+			if m, ok := container.InternalMessageFromError(err); ok {
 				t.Error(m)
+			} else {
+				t.Errorf("cannot serve setup params: %v", err)
 			}
-			t.Errorf("Wait: error = %#v, want %#v", waitErr, wantErr)
-		}
-		if ps == nil {
-			t.Errorf("ProcessState unexpectedly returned nil")
-		} else if code := ps.ExitCode(); code != 0 {
-			t.Errorf("ExitCode: %d, want %d", code, 0)
 		}
+		<-ready
+		cancel()
+		waitCheck(t, c)
 	}
-	t.Run("direct", func(t *testing.T) {
-		t.Parallel()
-		testContainerCancel(t, nil, f)
-	})
-	t.Run("as root", func(t *testing.T) {
-		testContainerCancel(t, func(c *container.Container) {
-			c.InitAsRoot = true
-			c.Proc(fhs.AbsProc)
-		}, f)
-	})
 }
 
 func TestContainerString(t *testing.T) {
@@ -693,8 +632,6 @@ func init() {
 		})
 
 		c.Command("container", command.UsageInternal, func(args []string) error {
-			asRoot := os.Getenv("HAKUREI_TEST_SUFFIX") == " as root"
-
 			if len(args) != 1 {
 				return syscall.EINVAL
 			}
@@ -712,66 +649,6 @@ func init() {
 				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
 			}
 
-			// no attack surface increase during as root due to no_new_privs
-			var wantBounding uintptr = 1
-			asRootNot := " not"
-			if !asRoot {
-				wantBounding = 0
-				asRootNot = ""
-			}
-
-			const (
-				PR_CAP_AMBIENT        = 0x2f
-				PR_CAP_AMBIENT_IS_SET = 0x1
-			)
-			for i := range container.LastCap(nil) + 1 {
-				r, _, errno := syscall.Syscall(
-					syscall.SYS_PRCTL,
-					PR_CAP_AMBIENT,
-					PR_CAP_AMBIENT_IS_SET,
-					i,
-				)
-				if errno != 0 {
-					return os.NewSyscallError("prctl", errno)
-				}
-				if r != 0 {
-					return fmt.Errorf("capability %d in ambient set", i)
-				}
-
-				r, _, errno = syscall.Syscall(
-					syscall.SYS_PRCTL,
-					syscall.PR_CAPBSET_READ,
-					i,
-					0,
-				)
-				if errno != 0 {
-					return os.NewSyscallError("prctl", errno)
-				}
-				if r != wantBounding {
-					return fmt.Errorf("capability %d%s in bounding set", i, asRootNot)
-				}
-			}
-
-			const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
-			var capData struct {
-				effective   uint32
-				permitted   uint32
-				inheritable uint32
-			}
-			if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&struct {
-				version uint32
-				pid     int32
-			}{_LINUX_CAPABILITY_VERSION_3, 0})), uintptr(unsafe.Pointer(&capData)), 0); errno != 0 {
-				return os.NewSyscallError("capget", errno)
-			}
-
-			if max(capData.effective, capData.permitted, capData.inheritable) != 0 {
-				return fmt.Errorf(
-					"effective = %d, permitted = %d, inheritable = %d",
-					capData.effective, capData.permitted, capData.inheritable,
-				)
-			}
-
 			wantHost := hostnameFromTestCase(tc.name)
 			if host, err := os.Hostname(); err != nil {
 				return fmt.Errorf("cannot get hostname: %v", err)
@@ -889,7 +766,7 @@ func TestMain(m *testing.M) {
 		}
 		c.MustParse(os.Args[1:], func(err error) {
 			if err != nil {
-				log.Fatal(err)
+				log.Fatal(err.Error())
 			}
 		})
 		return

container/dispatcher.go

@@ -65,8 +65,6 @@ type syscallDispatcher interface {
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
-	// mountOverlay provides mountOverlay.
-	mountOverlay(target string, options [][2]string) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
@@ -150,7 +148,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }
 
 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
 
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
@@ -171,9 +169,6 @@ func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
-func (k direct) mountOverlay(target string, options [][2]string) error {
-	return mountOverlay(target, options)
-}
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }

container/dispatcher_test.go

@@ -235,6 +235,8 @@ func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
 	})
 }
 
+func sliceAddr[S any](s []S) *[]S { return &s }
+
 func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
 	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
 	// check happens in Close, and cleanup is not guaranteed to run, so relying
@@ -466,14 +468,6 @@ func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }
 
-func (k *kstub) mountOverlay(target string, options [][2]string) error {
-	k.Helper()
-	return k.Expects("mountOverlay").Error(
-		stub.CheckArg(k.Stub, "target", target, 0),
-		stub.CheckArgReflect(k.Stub, "options", options, 1),
-	)
-}
-
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(

container/errors.go

@@ -46,8 +46,9 @@ func messageFromError(err error) (m string, ok bool) {
 // While this is usable for pointer errors, such use should be avoided as nil
 // check is omitted.
 func messagePrefix[T error](prefix string, err error) (string, bool) {
-	if e, ok := errors.AsType[T](err); ok {
+	var targetError T
-		return prefix + e.Error(), true
+	if errors.As(err, &targetError) {
+		return prefix + targetError.Error(), true
 	}
 	return zeroString, false
 }
@@ -57,8 +58,9 @@ func messagePrefixP[V any, T interface {
 	*V
 	error
 }](prefix string, err error) (string, bool) {
-	if e, ok := errors.AsType[T](err); ok && e != nil {
+	var targetError T
-		return prefix + e.Error(), true
+	if errors.As(err, &targetError) && targetError != nil {
+		return prefix + targetError.Error(), true
 	}
 	return zeroString, false
 }
@@ -107,8 +109,8 @@ func optionalErrorUnwrap(err error) error {
 
 // errnoFallback returns the concrete errno from an error, or a [os.PathError] fallback.
 func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
-	errno, ok := errors.AsType[syscall.Errno](err)
+	var errno syscall.Errno
-	if !ok {
+	if !errors.As(err, &errno) {
 		return 0, &os.PathError{Op: op, Path: path, Err: err}
 	}
 	return errno, nil
@@ -116,10 +118,6 @@ func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
 
 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
-	if max(len(source), len(target), len(data))+1 > os.Getpagesize() {
-		return &MountError{source, target, fstype, flags, data, syscall.ENOMEM}
-	}
-
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil

container/init.go

@@ -11,13 +11,11 @@ import (
 	"path/filepath"
 	"slices"
 	"strconv"
-	"strings"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"
 
-	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
@@ -184,33 +182,23 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		cancel()
 	}
 
-	uid, gid := param.Uid, param.Gid
-	if param.InitAsRoot {
-		uid, gid = 0, 0
-	}
-
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
-	if err := k.writeFile(
+	if err := k.writeFile(fhs.Proc+"self/uid_map",
-		fhs.Proc+"self/uid_map",
+		append([]byte{}, strconv.Itoa(param.Uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"...),
-		[]byte(strconv.Itoa(uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"),
+		0); err != nil {
-		0,
-	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.writeFile(
+	if err := k.writeFile(fhs.Proc+"self/setgroups",
-		fhs.Proc+"self/setgroups",
 		[]byte("deny\n"),
-		0,
+		0); err != nil && !os.IsNotExist(err) {
-	); err != nil && !os.IsNotExist(err) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		[]byte(strconv.Itoa(gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"),
+		append([]byte{}, strconv.Itoa(param.Gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"...),
-		0,
+		0); err != nil {
-	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
@@ -235,23 +223,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()
 
-	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
-	}
-	if err := k.chdir(intermediateHostPath); err != nil {
-		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
-	}
-
-	if len(param.Binfmt) > 0 {
-		for i, e := range param.Binfmt {
-			if pathname, err := k.evalSymlinks(e.Interpreter.String()); err != nil {
-				k.fatal(msg, err)
-			} else if param.Binfmt[i].Interpreter, err = check.NewAbs(pathname); err != nil {
-				k.fatal(msg, err)
-			}
-		}
-	}
-
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be
 	difficult to obtain via library functions after pivot_root, and
@@ -271,6 +242,13 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}
 
+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.chdir(intermediateHostPath); err != nil {
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
+	}
+
 	if err := k.mkdir(sysrootDir, 0755); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -307,48 +285,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}
 
-	if len(param.Binfmt) > 0 {
-		const interpreter = "/interpreter"
-
-		if param.BinfmtPath == nil {
-			param.BinfmtPath = fhs.AbsProcSys.Append("fs/binfmt_misc")
-		}
-		binfmt := sysrootPath + param.BinfmtPath.String()
-		if err := k.mkdirAll(binfmt, 0); err != nil {
-			k.fatal(msg, err)
-		}
-		if err := k.mount(
-			SourceBinfmtMisc,
-			binfmt,
-			FstypeBinfmtMisc,
-			MS_NOSUID|MS_NOEXEC|MS_NODEV,
-			zeroString,
-		); err != nil {
-			k.fatal(msg, err)
-		}
-
-		var buf strings.Builder
-		buf.Grow(1920)
-
-		register := binfmt + "/register"
-		for i, e := range param.Binfmt {
-			if err := k.symlink(hostPath+e.Interpreter.String(), interpreter); err != nil {
-				k.fatal(msg, err)
-			} else if err = k.writeFile(register, []byte(":"+
-				strconv.Itoa(i)+":"+
-				"M:"+
-				strconv.Itoa(int(e.Offset))+":"+
-				escapeBinfmt(&buf, e.Magic)+":"+
-				escapeBinfmt(&buf, e.Mask)+":"+
-				interpreter+":"+
-				"F"), 0); err != nil {
-				k.fatal(msg, err)
-			} else if err = k.remove(interpreter); err != nil {
-				k.fatal(msg, err)
-			}
-		}
-	}
-
 	// setup requiring host root complete at this point
 	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
@@ -387,19 +323,11 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}
 
-	var keepCaps []uintptr
-	if param.Privileged {
-		keepCaps = append(keepCaps, CAP_SYS_ADMIN, CAP_SETPCAP)
-	}
-	if param.InitAsRoot {
-		keepCaps = append(keepCaps, CAP_SETFCAP)
-	}
-
 	if err := k.capAmbientClearAll(); err != nil {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
-	for i := range lastcap + 1 {
+	for i := uintptr(0); i <= lastcap; i++ {
-		if slices.Contains(keepCaps, i) {
+		if param.Privileged && i == CAP_SYS_ADMIN {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -408,23 +336,20 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	var keep [2]uint32
-	for _, c := range keepCaps {
+	if param.Privileged {
-		keep[capToIndex(c)] |= capToMask(c)
+		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
-	}
 
+		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
+			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
+		}
+	}
 	if err := k.capset(
 		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
-		&[2]capData{{keep[0], keep[0], keep[0]}, {keep[1], keep[1], keep[1]}},
+		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
 	); err != nil {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}
 
-	for _, c := range keepCaps {
-		if err := k.capAmbientRaise(c); err != nil {
-			k.fatalf(msg, "cannot raise %#x: %v", c, err)
-		}
-	}
-
 	if !param.SeccompDisable {
 		rules := param.SeccompRules
 		if len(rules) == 0 { // non-empty rules slice always overrides presets
@@ -549,14 +474,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = param.Dir.String()
 
-	if param.InitAsRoot {
-		cmd.SysProcAttr = &SysProcAttr{
-			Cloneflags:  CLONE_NEWUSER,
-			UidMappings: []SysProcIDMap{{ContainerID: param.Uid, HostID: 0, Size: 1}},
-			GidMappings: []SysProcIDMap{{ContainerID: param.Gid, HostID: 0, Size: 1}},
-		}
-	}
-
 	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)

container/init_test.go

@@ -95,7 +95,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -123,7 +123,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -152,7 +152,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -182,7 +182,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -213,7 +213,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -245,7 +245,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -279,7 +279,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -315,7 +315,7 @@ func TestInitEntrypoint(t *testing.T) {
 					Uid:            1 << 16,
 					Gid:            1 << 15,
 					Hostname:       "hakurei-check",
-					Ops:            new(make(Ops, 1)),
+					Ops:            (*Ops)(sliceAddr(make(Ops, 1))),
 					SeccompRules:   make([]std.NativeRule, 0),
 					SeccompPresets: std.PresetStrict,
 					RetainSession:  true,
@@ -332,8 +332,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -372,8 +370,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -412,8 +408,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", stub.UniqueError(61)),
 				call("fatalf", stub.ExpectArgs{"cannot prepare op at index %d: %v", []any{0, stub.UniqueError(61)}}, nil, nil),
@@ -453,8 +447,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", &os.PathError{Op: "readlink", Path: "/", Err: stub.UniqueError(60)}),
 				call("fatal", stub.ExpectArgs{[]any{"cannot readlink /: unique error 60 injected by the test suite"}}, nil, nil),
@@ -494,6 +486,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				/* begin early */
+				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
+				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, stub.UniqueError(58)),
 				call("fatalf", stub.ExpectArgs{"cannot mount intermediate root: %v", []any{stub.UniqueError(58)}}, nil, nil),
 			},
@@ -531,6 +526,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				/* begin early */
+				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
+				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
 				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, stub.UniqueError(56)),
 				call("fatalf", stub.ExpectArgs{"cannot enter intermediate host path: %v", []any{stub.UniqueError(56)}}, nil, nil),
@@ -569,11 +567,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, stub.UniqueError(54)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(54)}}, nil, nil),
 			},
@@ -611,11 +609,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, stub.UniqueError(52)),
 				call("fatalf", stub.ExpectArgs{"cannot bind sysroot: %v", []any{stub.UniqueError(52)}}, nil, nil),
@@ -654,11 +652,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, stub.UniqueError(50)),
@@ -698,11 +696,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -743,11 +741,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -789,11 +787,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -844,11 +842,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -899,11 +897,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -955,11 +953,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1012,11 +1010,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1071,11 +1069,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1131,11 +1129,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1192,11 +1190,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1254,11 +1252,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1317,11 +1315,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1381,11 +1379,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1446,11 +1444,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1512,11 +1510,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1586,11 +1584,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1624,6 +1622,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1655,9 +1654,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, stub.UniqueError(19)),
-				call("fatalf", stub.ExpectArgs{"cannot raise %#x: %v", []any{uintptr(0x15), stub.UniqueError(19)}}, nil, nil),
+				call("fatalf", stub.ExpectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{stub.UniqueError(19)}}, nil, nil),
 			},
 		}, nil},
 
@@ -1693,11 +1691,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1731,6 +1729,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1762,7 +1761,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
 				call("fatalf", stub.ExpectArgs{"cannot capset: %v", []any{stub.UniqueError(17)}}, nil, nil),
 			},
 		}, nil},
@@ -1799,11 +1799,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1837,6 +1837,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1868,9 +1869,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
 				call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
@@ -1908,11 +1908,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2032,11 +2032,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2132,11 +2132,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2232,11 +2232,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2323,11 +2323,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2418,11 +2418,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2520,11 +2520,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2659,11 +2659,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2697,6 +2697,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -2728,9 +2729,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),

container/initoverlay.go

@@ -4,9 +4,9 @@ import (
 	"encoding/gob"
 	"fmt"
 	"slices"
+	"strings"
 
 	"hakurei.app/check"
-	"hakurei.app/ext"
 	"hakurei.app/fhs"
 )
 
@@ -150,7 +150,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
-				o.upper = toHost(v)
+				o.upper = check.EscapeOverlayDataSegment(toHost(v))
 			}
 		}
 
@@ -158,7 +158,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
-				o.work = toHost(v)
+				o.work = check.EscapeOverlayDataSegment(toHost(v))
 			}
 		}
 	}
@@ -168,39 +168,12 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
-			o.lower[i] = toHost(v)
+			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
 		}
 	}
 	return nil
 }
 
-// mountOverlay sets up an overlay mount via [ext.FS].
-func mountOverlay(target string, options [][2]string) error {
-	fs, err := ext.OpenFS(SourceOverlay, 0)
-	if err != nil {
-		return err
-	}
-	if err = fs.SetString("source", SourceOverlay); err != nil {
-		_ = fs.Close()
-		return err
-	}
-	for _, option := range options {
-		if err = fs.SetString(option[0], option[1]); err != nil {
-			_ = fs.Close()
-			return err
-		}
-	}
-	if err = fs.SetFlag(OptionOverlayUserxattr); err != nil {
-		_ = fs.Close()
-		return err
-	}
-	if err = fs.Mount(target, 0); err != nil {
-		_ = fs.Close()
-		return err
-	}
-	return fs.Close()
-}
-
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
@@ -221,7 +194,7 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}
 
-	options := make([][2]string, 0, 2+len(o.lower))
+	options := make([]string, 0, 4)
 
 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
@@ -232,16 +205,15 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
-		options = append(options, [][2]string{
+		options = append(options,
-			{OptionOverlayUpperdir, o.upper},
+			OptionOverlayUpperdir+"="+o.upper,
-			{OptionOverlayWorkdir, o.work},
+			OptionOverlayWorkdir+"="+o.work)
-		}...)
-	}
-	for _, lower := range o.lower {
-		options = append(options, [2]string{OptionOverlayLowerdir + "+", lower})
 	}
+	options = append(options,
+		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
+		OptionOverlayUserxattr)
 
-	return k.mountOverlay(target, options)
+	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
 }
 
 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }

container/initoverlay_test.go

@@ -97,12 +97,13 @@ func TestMountOverlayOp(t *testing.T) {
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot", [][2]string{
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
-				{"upperdir", "overlay.upper.32768"},
+				"upperdir=overlay.upper.32768," +
-				{"workdir", "overlay.work.32768"},
+				"workdir=overlay.work.32768," +
-				{"lowerdir+", `/host/var/lib/planterette/base/debian:f92c9052`},
+				"lowerdir=" +
-				{"lowerdir+", `/host/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052`},
+				`/host/var/lib/planterette/base/debian\:f92c9052:` +
-			}}, nil, nil),
+				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
+				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -128,10 +129,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/nix/store", [][2]string{
+			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				"lowerdir=" +
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+				"/host/mnt-root/nix/.ro-store:" +
-			}}, nil, nil),
+				"/host/mnt-root/nix/.ro-store0," +
+				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -145,10 +147,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				"lowerdir=" +
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+				"/host/mnt-root/nix/.ro-store:" +
-			}}, nil, nil),
+				"/host/mnt-root/nix/.ro-store0," +
+				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -216,11 +219,7 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
-				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
-				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
-			}}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 
 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -234,11 +233,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+				"lowerdir=/host/mnt-root/nix/ro-store," +
-			}}, nil, nil),
+				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -262,15 +261,16 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+				"lowerdir=" +
-				{"lowerdir+", "/host/mnt-root/nix/ro-store0"},
+				"/host/mnt-root/nix/ro-store:" +
-				{"lowerdir+", "/host/mnt-root/nix/ro-store1"},
+				"/host/mnt-root/nix/ro-store0:" +
-				{"lowerdir+", "/host/mnt-root/nix/ro-store2"},
+				"/host/mnt-root/nix/ro-store1:" +
-				{"lowerdir+", "/host/mnt-root/nix/ro-store3"},
+				"/host/mnt-root/nix/ro-store2:" +
-			}}, nil, nil),
+				"/host/mnt-root/nix/ro-store3," +
+				"userxattr"}, nil, nil),
 		}, nil},
 	})
 

container/landlock.go

@@ -1,4 +1,4 @@
-package landlock
+package container
 
 import (
 	"strings"
@@ -14,11 +14,11 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )
 
-// AccessFS is bitmask of handled filesystem actions.
+// LandlockAccessFS is bitmask of handled filesystem actions.
-type AccessFS uint64
+type LandlockAccessFS uint64
 
 const (
-	LANDLOCK_ACCESS_FS_EXECUTE AccessFS = 1 << iota
+	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
 	LANDLOCK_ACCESS_FS_WRITE_FILE
 	LANDLOCK_ACCESS_FS_READ_FILE
 	LANDLOCK_ACCESS_FS_READ_DIR
@@ -38,8 +38,8 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )
 
-// String returns a space-separated string of [AccessFS] flags.
+// String returns a space-separated string of [LandlockAccessFS] flags.
-func (f AccessFS) String() string {
+func (f LandlockAccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
 		return "execute"
@@ -90,8 +90,8 @@ func (f AccessFS) String() string {
 		return "fs_ioctl_dev"
 
 	default:
-		var c []AccessFS
+		var c []LandlockAccessFS
-		for i := AccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
+		for i := LandlockAccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -107,18 +107,18 @@ func (f AccessFS) String() string {
 	}
 }
 
-// AccessNet is bitmask of handled network actions.
+// LandlockAccessNet is bitmask of handled network actions.
-type AccessNet uint64
+type LandlockAccessNet uint64
 
 const (
-	LANDLOCK_ACCESS_NET_BIND_TCP AccessNet = 1 << iota
+	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
 	LANDLOCK_ACCESS_NET_CONNECT_TCP
 
 	_LANDLOCK_ACCESS_NET_DELIM
 )
 
-// String returns a space-separated string of [AccessNet] flags.
+// String returns a space-separated string of [LandlockAccessNet] flags.
-func (f AccessNet) String() string {
+func (f LandlockAccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
 		return "bind_tcp"
@@ -127,8 +127,8 @@ func (f AccessNet) String() string {
 		return "connect_tcp"
 
 	default:
-		var c []AccessNet
+		var c []LandlockAccessNet
-		for i := AccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
+		for i := LandlockAccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -144,18 +144,18 @@ func (f AccessNet) String() string {
 	}
 }
 
-// Scope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
-type Scope uint64
+type LandlockScope uint64
 
 const (
-	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET Scope = 1 << iota
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
 	LANDLOCK_SCOPE_SIGNAL
 
 	_LANDLOCK_SCOPE_DELIM
 )
 
-// String returns a space-separated string of [Scope] flags.
+// String returns a space-separated string of [LandlockScope] flags.
-func (f Scope) String() string {
+func (f LandlockScope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
 		return "abstract_unix_socket"
@@ -164,8 +164,8 @@ func (f Scope) String() string {
 		return "signal"
 
 	default:
-		var c []Scope
+		var c []LandlockScope
-		for i := Scope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
+		for i := LandlockScope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -184,12 +184,12 @@ func (f Scope) String() string {
 // RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
-	HandledAccessFS AccessFS
+	HandledAccessFS LandlockAccessFS
 	// Bitmask of handled network actions.
-	HandledAccessNet AccessNet
+	HandledAccessNet LandlockAccessNet
 	// Bitmask of scopes restricting a Landlock domain from accessing outside
 	// resources (e.g. IPCs).
-	Scoped Scope
+	Scoped LandlockScope
 }
 
 // String returns a user-facing description of [RulesetAttr].
@@ -239,13 +239,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }
 
-// GetABI returns the ABI version supported by the kernel.
+// LandlockGetABI returns the ABI version supported by the kernel.
-func GetABI() (int, error) {
+func LandlockGetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }
 
-// RestrictSelf applies a loaded ruleset to the calling thread.
+// LandlockRestrictSelf applies a loaded ruleset to the calling thread.
-func RestrictSelf(rulesetFd int, flags uintptr) error {
+func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
 		ext.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),

container/landlock_test.go

@@ -0,0 +1,65 @@
+package container_test
+
+import (
+	"testing"
+	"unsafe"
+
+	"hakurei.app/container"
+)
+
+func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		rulesetAttr *container.RulesetAttr
+		want        string
+	}{
+		{"nil", nil, "NULL"},
+		{"zero", new(container.RulesetAttr), "0"},
+		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
+		{"set", &container.RulesetAttr{
+			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
+			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
+			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
+		{"all", &container.RulesetAttr{
+			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
+				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
+				container.LANDLOCK_ACCESS_FS_READ_FILE |
+				container.LANDLOCK_ACCESS_FS_READ_DIR |
+				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
+				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
+				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
+				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
+				container.LANDLOCK_ACCESS_FS_MAKE_REG |
+				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
+				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
+				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
+				container.LANDLOCK_ACCESS_FS_REFER |
+				container.LANDLOCK_ACCESS_FS_TRUNCATE |
+				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
+			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
+				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
+			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+				container.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := tc.rulesetAttr.String(); got != tc.want {
+				t.Errorf("String: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
+	want := 24
+	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
+		t.Errorf("Sizeof: %d, want %d", got, want)
+	}
+}

container/mount.go

@@ -40,9 +40,6 @@ const (
 	// SourceMqueue is used when mounting mqueue.
 	// Note that any source value is allowed when fstype is [FstypeMqueue].
 	SourceMqueue = "mqueue"
-	// SourceBinfmtMisc is used when mounting binfmt_misc.
-	// Note that any source value is allowed when fstype is [SourceBinfmtMisc].
-	SourceBinfmtMisc = "binfmt_misc"
 	// SourceOverlay is used when mounting overlay.
 	// Note that any source value is allowed when fstype is [FstypeOverlay].
 	SourceOverlay = "overlay"
@@ -73,9 +70,6 @@ const (
 	// FstypeMqueue represents the mqueue pseudo-filesystem.
 	// This filesystem type is usually mounted on /dev/mqueue.
 	FstypeMqueue = "mqueue"
-	// FstypeBinfmtMisc represents the binfmt_misc pseudo-filesystem.
-	// This filesystem type is usually mounted on /proc/sys/fs/binfmt_misc.
-	FstypeBinfmtMisc = "binfmt_misc"
 	// FstypeOverlay represents the overlay pseudo-filesystem.
 	// This filesystem type can be mounted anywhere in the container filesystem.
 	FstypeOverlay = "overlay"

container/path_test.go

@@ -10,6 +10,7 @@ import (
 	"testing"
 	"unsafe"
 
+	"hakurei.app/check"
 	"hakurei.app/vfs"
 )
 
@@ -49,6 +50,9 @@ func TestToHost(t *testing.T) {
 	}
 }
 
+// InternalToHostOvlEscape exports toHost passed to [check.EscapeOverlayDataSegment].
+func InternalToHostOvlEscape(s string) string { return check.EscapeOverlayDataSegment(toHost(s)) }
+
 func TestCreateFile(t *testing.T) {
 	t.Run("nonexistent", func(t *testing.T) {
 		t.Run("mkdir", func(t *testing.T) {

container/syscall.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )
 
-// setNoNewPrivs sets the calling thread's no_new_privs attribute.
+// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func setNoNewPrivs() error {
+func SetNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }
 

ext/ext_test.go

@@ -39,7 +39,7 @@ func TestSyscall(t *testing.T) {
 					t.Errorf("Unmarshal: %v, want %v", got, tc.want)
 				}
 			})
-			if _, ok := errors.AsType[ext.SyscallNameError](tc.err); ok {
+			if errors.As(tc.err, new(ext.SyscallNameError)) {
 				return
 			}
 

ext/fs.go

@@ -1,267 +0,0 @@
-package ext
-
-import (
-	"os"
-	"runtime"
-	"syscall"
-	"unsafe"
-)
-
-// include/uapi/linux/mount.h
-
-/*
- * move_mount() flags.
- */
-const (
-	MOVE_MOUNT_F_SYMLINKS   = 1 << iota /* Follow symlinks on from path */
-	MOVE_MOUNT_F_AUTOMOUNTS             /* Follow automounts on from path */
-	MOVE_MOUNT_F_EMPTY_PATH             /* Empty from path permitted */
-	_
-	MOVE_MOUNT_T_SYMLINKS   /* Follow symlinks on to path */
-	MOVE_MOUNT_T_AUTOMOUNTS /* Follow automounts on to path */
-	MOVE_MOUNT_T_EMPTY_PATH /* Empty to path permitted */
-	_
-	MOVE_MOUNT_SET_GROUP /* Set sharing group instead */
-	MOVE_MOUNT_BENEATH   /* Mount beneath top mount */
-)
-
-/*
- * fsopen() flags.
- */
-const (
-	FSOPEN_CLOEXEC = 1 << iota
-)
-
-/*
- * fspick() flags.
- */
-const (
-	FSPICK_CLOEXEC = 1 << iota
-	FSPICK_SYMLINK_NOFOLLOW
-	FSPICK_NO_AUTOMOUNT
-	FSPICK_EMPTY_PATH
-)
-
-/*
- * The type of fsconfig() call made.
- */
-const (
-	FSCONFIG_SET_FLAG        = iota /* Set parameter, supplying no value */
-	FSCONFIG_SET_STRING             /* Set parameter, supplying a string value */
-	FSCONFIG_SET_BINARY             /* Set parameter, supplying a binary blob value */
-	FSCONFIG_SET_PATH               /* Set parameter, supplying an object by path */
-	FSCONFIG_SET_PATH_EMPTY         /* Set parameter, supplying an object by (empty) path */
-	FSCONFIG_SET_FD                 /* Set parameter, supplying an object by fd */
-	FSCONFIG_CMD_CREATE             /* Create new or reuse existing superblock */
-	FSCONFIG_CMD_RECONFIGURE        /* Invoke superblock reconfiguration */
-	FSCONFIG_CMD_CREATE_EXCL        /* Create new superblock, fail if reusing existing superblock */
-)
-
-/*
- * fsmount() flags.
- */
-const (
-	FSMOUNT_CLOEXEC = 1 << iota
-)
-
-/*
- * Mount attributes.
- */
-const (
-	MOUNT_ATTR_RDONLY      = 0x00000001 /* Mount read-only */
-	MOUNT_ATTR_NOSUID      = 0x00000002 /* Ignore suid and sgid bits */
-	MOUNT_ATTR_NODEV       = 0x00000004 /* Disallow access to device special files */
-	MOUNT_ATTR_NOEXEC      = 0x00000008 /* Disallow program execution */
-	MOUNT_ATTR__ATIME      = 0x00000070 /* Setting on how atime should be updated */
-	MOUNT_ATTR_RELATIME    = 0x00000000 /* - Update atime relative to mtime/ctime. */
-	MOUNT_ATTR_NOATIME     = 0x00000010 /* - Do not update access times. */
-	MOUNT_ATTR_STRICTATIME = 0x00000020 /* - Always perform atime updates */
-	MOUNT_ATTR_NODIRATIME  = 0x00000080 /* Do not update directory access times */
-	MOUNT_ATTR_IDMAP       = 0x00100000 /* Idmap mount to @userns_fd in struct mount_attr. */
-	MOUNT_ATTR_NOSYMFOLLOW = 0x00200000 /* Do not follow symlinks */
-)
-
-// FS provides low-level wrappers around the suite of file-descriptor-based
-// mount facilities in Linux.
-type FS struct {
-	fd uintptr
-	c  runtime.Cleanup
-}
-
-// newFS allocates a new [FS] for the specified fd.
-func newFS(fd uintptr) *FS {
-	fs := FS{fd: fd}
-	fs.c = runtime.AddCleanup(&fs, func(fd uintptr) {
-		_ = syscall.Close(int(fd))
-	}, fd)
-	return &fs
-}
-
-// Close closes the underlying filesystem context.
-func (fs *FS) Close() error {
-	if fs == nil {
-		return syscall.EINVAL
-	}
-	err := syscall.Close(int(fs.fd))
-	fs.c.Stop()
-	return err
-}
-
-// OpenFS creates a new filesystem context.
-func OpenFS(fsname string, flags int) (fs *FS, err error) {
-	var s *byte
-	s, err = syscall.BytePtrFromString(fsname)
-	if err != nil {
-		return
-	}
-	fd, _, errno := syscall.Syscall(
-		SYS_FSOPEN,
-		uintptr(unsafe.Pointer(s)),
-		uintptr(flags|FSOPEN_CLOEXEC),
-		0,
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("fsopen", errno)
-	} else {
-		fs = newFS(fd)
-	}
-	return
-}
-
-// PickFS selects filesystem for reconfiguration.
-func PickFS(dirfd int, pathname string, flags int) (fs *FS, err error) {
-	var s *byte
-	s, err = syscall.BytePtrFromString(pathname)
-	if err != nil {
-		return
-	}
-	fd, _, errno := syscall.Syscall(
-		SYS_FSPICK,
-		uintptr(dirfd),
-		uintptr(unsafe.Pointer(s)),
-		uintptr(flags|FSPICK_CLOEXEC),
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("fspick", errno)
-	} else {
-		fs = newFS(fd)
-	}
-	return
-}
-
-// config configures new or existing filesystem context.
-func (fs *FS) config(cmd uint, key *byte, value unsafe.Pointer, aux int) (err error) {
-	_, _, errno := syscall.Syscall6(
-		SYS_FSCONFIG,
-		fs.fd,
-		uintptr(cmd),
-		uintptr(unsafe.Pointer(key)),
-		uintptr(value),
-		uintptr(aux),
-		0,
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("fsconfig", errno)
-	}
-	return
-}
-
-// SetFlag sets the flag parameter named by key. ([FSCONFIG_SET_FLAG])
-func (fs *FS) SetFlag(key string) (err error) {
-	var s *byte
-	s, err = syscall.BytePtrFromString(key)
-	if err != nil {
-		return
-	}
-
-	return fs.config(FSCONFIG_SET_FLAG, s, nil, 0)
-}
-
-// SetString sets the string parameter named by key to the value specified by
-// value. ([FSCONFIG_SET_STRING])
-func (fs *FS) SetString(key, value string) (err error) {
-	var s0 *byte
-	s0, err = syscall.BytePtrFromString(key)
-	if err != nil {
-		return
-	}
-
-	var s1 *byte
-	s1, err = syscall.BytePtrFromString(value)
-	if err != nil {
-		return
-	}
-
-	return fs.config(FSCONFIG_SET_STRING, s0, unsafe.Pointer(s1), 0)
-}
-
-// mount instantiates mount object from filesystem context.
-func (fs *FS) mount(flags, attrFlags int) (fsfd int, err error) {
-	r, _, errno := syscall.Syscall(
-		SYS_FSMOUNT,
-		fs.fd,
-		uintptr(flags|FSMOUNT_CLOEXEC),
-		uintptr(attrFlags),
-	)
-	fsfd = int(r)
-	if errno != 0 {
-		err = os.NewSyscallError("fsmount", errno)
-	}
-	return
-}
-
-// MoveMount moves or attaches mount object to filesystem.
-func MoveMount(
-	fromDirfd int,
-	fromPathname string,
-	toDirfd int,
-	toPathname string,
-	flags int,
-) (err error) {
-	var s0 *byte
-	s0, err = syscall.BytePtrFromString(fromPathname)
-	if err != nil {
-		return
-	}
-
-	var s1 *byte
-	s1, err = syscall.BytePtrFromString(toPathname)
-	if err != nil {
-		return
-	}
-
-	_, _, errno := syscall.Syscall6(
-		SYS_MOVE_MOUNT,
-		uintptr(fromDirfd),
-		uintptr(unsafe.Pointer(s0)),
-		uintptr(toDirfd),
-		uintptr(unsafe.Pointer(s1)),
-		uintptr(flags),
-		0,
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("move_mount", errno)
-	}
-	return
-}
-
-// Mount attaches the underlying filesystem context to the specified pathname.
-func (fs *FS) Mount(pathname string, attrFlags int) error {
-	if err := fs.config(FSCONFIG_CMD_CREATE_EXCL, nil, nil, 0); err != nil {
-		return err
-	}
-	fd, err := fs.mount(0, attrFlags)
-	if err != nil {
-		return err
-	}
-	err = MoveMount(
-		fd, "",
-		-1, pathname,
-		MOVE_MOUNT_F_EMPTY_PATH,
-	)
-	closeErr := syscall.Close(fd)
-	if err == nil {
-		err = closeErr
-	}
-	return err
-}

fhs/abs.go

@@ -42,8 +42,6 @@ var (
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
-	// AbsProcSys is [ProcSys] as [check.Absolute].
-	AbsProcSys = unsafeAbs(ProcSys)
 	// AbsProcSelfExe is [ProcSelfExe] as [check.Absolute].
 	AbsProcSelfExe = unsafeAbs(ProcSelfExe)
 	// AbsSys is [Sys] as [check.Absolute].

flake.lock

@@ -7,32 +7,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1780361225,
+        "lastModified": 1772985280,
-        "narHash": "sha256-wnV9ttf4fPWNonBIQmvlrSlNpQYgx5HgWWd007mwIFA=",
+        "narHash": "sha256-FdrNykOoY9VStevU4zjSUdvsL9SzJTcXt4omdEDZDLk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e28654b71096e08c019d4861ca26acb646f583d8",
+        "rev": "8f736f007139d7f70752657dff6a401a585d6cbc",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-26.05",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1780453794,
+        "lastModified": 1772822230,
-        "narHash": "sha256-bXMRa9VTsHSPXL4Cw8R6JJLQeY3Y/IP4+YJCYVmQ7FY=",
+        "narHash": "sha256-yf3iYLGbGVlIthlQIk5/4/EQDZNNEmuqKZkQssMljuw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6b316287bae2ee04c9b93c8c858d930fd07d7338",
+        "rev": "71caefce12ba78d84fe618cf61644dce01cf3a96",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-26.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,10 +2,10 @@
   description = "hakurei container tool and nixos module";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-26.05";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -37,7 +37,7 @@
           inherit (pkgs)
             runCommandLocal
             callPackage
-            nixfmt
+            nixfmt-rfc-style
             deadnix
             statix
             ;
@@ -57,7 +57,7 @@
 
           sharefs = callPackage ./cmd/sharefs/test { inherit system self; };
 
-          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt ]; } ''
+          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
             cd ${./.}
 
             echo "running nixfmt..."
@@ -139,6 +139,7 @@
                 GOCACHE="$(mktemp -d)" \
                 PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
                 DESTDIR="$out" \
+                HAKUREI_VERSION="v${hakurei.version}" \
                   ./all.sh
               '';
         }

hst/config.go

@@ -140,29 +140,21 @@ var (
 	ErrInsecure = errors.New("configuration is insecure")
 )
 
-const (
-	// VAllowInsecure allows use of compatibility options considered insecure
-	// under any configuration, to work around ecosystem-wide flaws.
-	VAllowInsecure = 1 << iota
-)
-
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
-func (config *Config) Validate(flags int) error {
+func (config *Config) Validate() error {
-	const step = "validate configuration"
-
 	if config == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "invalid configuration"}
 	}
 
 	// this is checked again in hsu
 	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
-		return &AppError{Step: step, Err: ErrIdentityBounds,
+		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}
 
 	if config.SchedPolicy < 0 || config.SchedPolicy > ext.SCHED_LAST {
-		return &AppError{Step: step, Err: ErrSchedPolicyBounds,
+		return &AppError{Step: "validate configuration", Err: ErrSchedPolicyBounds,
 			Msg: "scheduling policy " +
 				strconv.Itoa(int(config.SchedPolicy)) +
 				" out of range"}
@@ -176,51 +168,34 @@ func (config *Config) Validate(flags int) error {
 	}
 
 	if config.Container == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "configuration missing container state"}
 	}
 	if config.Container.Home == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}
 	}
 	if config.Container.Shell == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "container configuration missing path to shell"}
 	}
 	if config.Container.Path == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}
 	}
 
 	for key := range config.Container.Env {
 		if strings.IndexByte(key, '=') != -1 || strings.IndexByte(key, 0) != -1 {
-			return &AppError{Step: step, Err: ErrEnviron,
+			return &AppError{Step: "validate configuration", Err: ErrEnviron,
 				Msg: "invalid environment variable " + strconv.Quote(key)}
 		}
 	}
 
-	et := config.Enablements.Unwrap()
+	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
-	if !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: "validate configuration", Err: ErrInsecure,
-		return &AppError{Step: step, Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 
-	if flags&VAllowInsecure == 0 {
-		switch {
-		case et&EWayland != 0 && config.DirectWayland:
-			return &AppError{Step: step, Err: ErrInsecure,
-				Msg: "direct_wayland is insecure and no longer supported"}
-
-		case et&EPipeWire != 0 && config.DirectPipeWire:
-			return &AppError{Step: step, Err: ErrInsecure,
-				Msg: "direct_pipewire is insecure and no longer supported"}
-
-		case et&EPulse != 0 && config.DirectPulse:
-			return &AppError{Step: step, Err: ErrInsecure,
-				Msg: "direct_pulse is insecure and no longer supported"}
-		}
-	}
-
 	return nil
 }
 

hst/config_test.go

@@ -14,109 +14,65 @@ func TestConfigValidate(t *testing.T) {
 	testCases := []struct {
 		name    string
 		config  *hst.Config
-		flags   int
 		wantErr error
 	}{
-		{"nil", nil, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"nil", nil, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
-
+		{"identity lower", &hst.Config{Identity: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
-		{"identity lower", &hst.Config{Identity: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity -1 out of range"}},
-		{"identity upper", &hst.Config{Identity: 10000}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity upper", &hst.Config{Identity: 10000}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity 10000 out of range"}},
-
+		{"sched lower", &hst.Config{SchedPolicy: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
-		{"sched lower", &hst.Config{SchedPolicy: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy -1 out of range"}},
-		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy 51966 out of range"}},
-
+		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}},
-		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "session"}},
-		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}}, 0,
+		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}},
 			&hst.BadInterfaceError{Interface: "", Segment: "system"}},
-
+		{"container", &hst.Config{}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
-		{"container", &hst.Config{}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "configuration missing container state"}},
-		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}},
 		{"shell", &hst.Config{Container: &hst.ContainerConfig{
 			Home: fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to shell"}},
 		{"path", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}},
-
 		{"env equals", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM=": ""},
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM="`}},
 		{"env NUL", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM\x00": ""},
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
-
+		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
-		{"insecure pulse", &hst.Config{Enablements: new(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
-
-		{"direct wayland", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "direct_wayland is insecure and no longer supported"}},
-		{"direct wayland allow", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, hst.VAllowInsecure, nil},
-
-		{"direct pipewire", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "direct_pipewire is insecure and no longer supported"}},
-		{"direct pipewire allow", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, hst.VAllowInsecure, nil},
-
-		{"direct pulse", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "direct_pulse is insecure and no longer supported"}},
-		{"direct pulse allow", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, hst.VAllowInsecure, nil},
-
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, 0, nil},
+		}}, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if err := tc.config.Validate(tc.flags); !reflect.DeepEqual(err, tc.wantErr) {
+			if err := tc.config.Validate(); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("Validate: error = %#v, want %#v", err, tc.wantErr)
 			}
 		})

hst/container.go

@@ -2,7 +2,6 @@ package hst
 
 import (
 	"encoding/json"
-	"fmt"
 	"strings"
 	"syscall"
 	"time"
@@ -69,8 +68,6 @@ const (
 	// FDevice mount /dev/ from the init mount namespace as is in the container
 	// mount namespace.
 	FDevice
-	// FCoverRun covers /run/ in the container mount namespace early.
-	FCoverRun
 
 	// FShareRuntime shares XDG_RUNTIME_DIR between containers under the same identity.
 	FShareRuntime
@@ -103,8 +100,6 @@ func (flags Flags) String() string {
 		return "mapuid"
 	case FDevice:
 		return "device"
-	case FCoverRun:
-		return "cover_run"
 	case FShareRuntime:
 		return "runtime"
 	case FShareTmpdir:
@@ -166,10 +161,6 @@ type ContainerConfig struct {
 	Flags Flags `json:"-"`
 }
 
-func (c *ContainerConfig) GoString() string {
-	return fmt.Sprintf("&%#v", *c)
-}
-
 // ContainerConfigF is [ContainerConfig] stripped of its methods.
 //
 // The [ContainerConfig.Flags] field does not survive a [json] round trip.
@@ -200,8 +191,6 @@ type containerConfigJSON = struct {
 
 	// Corresponds to [FDevice].
 	Device bool `json:"device,omitempty"`
-	// Corresponds to [FCoverRun].
-	CoverRun bool `json:"cover_run,omitempty"`
 
 	// Corresponds to [FShareRuntime].
 	ShareRuntime bool `json:"share_runtime,omitempty"`
@@ -225,7 +214,6 @@ func (c *ContainerConfig) MarshalJSON() ([]byte, error) {
 		Multiarch:     c.Flags&FMultiarch != 0,
 		MapRealUID:    c.Flags&FMapRealUID != 0,
 		Device:        c.Flags&FDevice != 0,
-		CoverRun:      c.Flags&FCoverRun != 0,
 		ShareRuntime:  c.Flags&FShareRuntime != 0,
 		ShareTmpdir:   c.Flags&FShareTmpdir != 0,
 	})
@@ -269,9 +257,6 @@ func (c *ContainerConfig) UnmarshalJSON(data []byte) error {
 	if v.Device {
 		c.Flags |= FDevice
 	}
-	if v.CoverRun {
-		c.Flags |= FCoverRun
-	}
 	if v.ShareRuntime {
 		c.Flags |= FShareRuntime
 	}

hst/container_test.go

@@ -21,8 +21,8 @@ func TestFlagsString(t *testing.T) {
 	}{
 		{"none", 0, "none"},
 		{"none high", hst.FAll + 1, "none"},
-		{"all", hst.FAll, "multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, cover_run, runtime, tmpdir"},
+		{"all", hst.FAll, "multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir"},
-		{"all high", math.MaxUint, "multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, cover_run, runtime, tmpdir"},
+		{"all high", math.MaxUint, "multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir"},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -53,7 +53,7 @@ func TestContainerConfig(t *testing.T) {
 		{"hostnet hostabstract mapuid", &hst.ContainerConfig{Flags: hst.FHostNet | hst.FHostAbstract | hst.FMapRealUID},
 			`{"env":null,"filesystem":null,"shell":null,"home":null,"args":null,"host_net":true,"host_abstract":true,"map_real_uid":true}`},
 		{"all", &hst.ContainerConfig{Flags: hst.FAll},
-			`{"env":null,"filesystem":null,"shell":null,"home":null,"args":null,"seccomp_compat":true,"devel":true,"userns":true,"host_net":true,"host_abstract":true,"tty":true,"multiarch":true,"map_real_uid":true,"device":true,"cover_run":true,"share_runtime":true,"share_tmpdir":true}`},
+			`{"env":null,"filesystem":null,"shell":null,"home":null,"args":null,"seccomp_compat":true,"devel":true,"userns":true,"host_net":true,"host_abstract":true,"tty":true,"multiarch":true,"map_real_uid":true,"device":true,"share_runtime":true,"share_tmpdir":true}`},
 	}
 
 	for _, tc := range testCases {

hst/dbus.go

@@ -1,7 +1,6 @@
 package hst
 
 import (
-	"fmt"
 	"strconv"
 	"strings"
 )
@@ -62,10 +61,6 @@ type BusConfig struct {
 	Filter bool `json:"filter"`
 }
 
-func (c *BusConfig) GoString() string {
-	return fmt.Sprintf("&%#v", *c)
-}
-
 // Interfaces iterates over all interface strings specified in [BusConfig].
 func (c *BusConfig) Interfaces(yield func(string) bool) {
 	if c == nil {

hst/enablement.go

@@ -7,12 +7,12 @@ import (
 	"syscall"
 )
 
-// Enablements denotes optional host service to export to the target user.
+// Enablement represents an optional host service to export to the target user.
-type Enablements byte
+type Enablement byte
 
 const (
 	// EWayland exposes a Wayland pathname socket via security-context-v1.
-	EWayland Enablements = 1 << iota
+	EWayland Enablement = 1 << iota
 	// EX11 adds the target user via X11 ChangeHosts and exposes the X11
 	// pathname socket.
 	EX11
@@ -28,8 +28,8 @@ const (
 	EM
 )
 
-// String returns a string representation of the flags set on [Enablements].
+// String returns a string representation of the flags set on [Enablement].
-func (e Enablements) String() string {
+func (e Enablement) String() string {
 	switch e {
 	case 0:
 		return "(no enablements)"
@@ -47,7 +47,7 @@ func (e Enablements) String() string {
 		buf := new(strings.Builder)
 		buf.Grow(32)
 
-		for i := Enablements(1); i < EM; i <<= 1 {
+		for i := Enablement(1); i < EM; i <<= 1 {
 			if e&i != 0 {
 				buf.WriteString(", " + i.String())
 			}
@@ -60,6 +60,12 @@ func (e Enablements) String() string {
 	}
 }
 
+// NewEnablements returns the address of [Enablement] as [Enablements].
+func NewEnablements(e Enablement) *Enablements { return (*Enablements)(&e) }
+
+// Enablements is the [json] adapter for [Enablement].
+type Enablements Enablement
+
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
 	Wayland  bool `json:"wayland,omitempty"`
@@ -69,21 +75,24 @@ type enablementsJSON = struct {
 	Pulse    bool `json:"pulse,omitempty"`
 }
 
-// Unwrap returns the value pointed to by e.
+// Unwrap returns the underlying [Enablement].
-func (e *Enablements) Unwrap() Enablements {
+func (e *Enablements) Unwrap() Enablement {
 	if e == nil {
 		return 0
 	}
-	return *e
+	return Enablement(*e)
 }
 
-func (e Enablements) MarshalJSON() ([]byte, error) {
+func (e *Enablements) MarshalJSON() ([]byte, error) {
+	if e == nil {
+		return nil, syscall.EINVAL
+	}
 	return json.Marshal(&enablementsJSON{
-		Wayland:  e&EWayland != 0,
+		Wayland:  Enablement(*e)&EWayland != 0,
-		X11:      e&EX11 != 0,
+		X11:      Enablement(*e)&EX11 != 0,
-		DBus:     e&EDBus != 0,
+		DBus:     Enablement(*e)&EDBus != 0,
-		PipeWire: e&EPipeWire != 0,
+		PipeWire: Enablement(*e)&EPipeWire != 0,
-		Pulse:    e&EPulse != 0,
+		Pulse:    Enablement(*e)&EPulse != 0,
 	})
 }
 
@@ -97,21 +106,22 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	*e = 0
+	var ve Enablement
 	if v.Wayland {
-		*e |= EWayland
+		ve |= EWayland
 	}
 	if v.X11 {
-		*e |= EX11
+		ve |= EX11
 	}
 	if v.DBus {
-		*e |= EDBus
+		ve |= EDBus
 	}
 	if v.PipeWire {
-		*e |= EPipeWire
+		ve |= EPipeWire
 	}
 	if v.Pulse {
-		*e |= EPulse
+		ve |= EPulse
 	}
+	*e = Enablements(ve)
 	return nil
 }

hst/enablement_test.go

@@ -13,7 +13,7 @@ func TestEnablementString(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
-		flags hst.Enablements
+		flags hst.Enablement
 		want  string
 	}{
 		{0, "(no enablements)"},
@@ -59,13 +59,13 @@ func TestEnablements(t *testing.T) {
 		sData string
 	}{
 		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
-		{"zero", new(hst.Enablements(0)), `{}`, `{"value":{},"magic":3236757504}`},
+		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
-		{"wayland", new(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
-		{"x11", new(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
-		{"dbus", new(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
-		{"pipewire", new(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
+		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
-		{"pulse", new(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", new(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
+		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
@@ -137,7 +137,7 @@ func TestEnablements(t *testing.T) {
 		})
 
 		t.Run("val", func(t *testing.T) {
-			if got := new(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
+			if got := hst.NewEnablements(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
 				t.Errorf("Unwrap: %v", got)
 			}
 		})
@@ -146,6 +146,9 @@ func TestEnablements(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()
 
+		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
+			t.Errorf("MarshalJSON: error = %v", err)
+		}
 		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("UnmarshalJSON: error = %v", err)
 		}

hst/fs.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 	"reflect"
-	"strings"
 
 	"hakurei.app/check"
 )
@@ -37,8 +36,6 @@ type Ops interface {
 	Bind(source, target *check.Absolute, flags int) Ops
 	// Overlay appends an op that mounts the overlay pseudo filesystem.
 	Overlay(target, state, work *check.Absolute, layers ...*check.Absolute) Ops
-	// OverlayEphemeral appends a MountOverlayOp with an ephemeral upperdir and workdir.
-	OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) Ops
 	// OverlayReadonly appends an op that mounts the overlay pseudo filesystem readonly.
 	OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) Ops
 
@@ -81,17 +78,17 @@ type FSImplError struct{ Value FilesystemConfig }
 
 func (f FSImplError) Error() string {
 	implType := reflect.TypeOf(f.Value)
-	var buf strings.Builder
+	var name string
-	for implType != nil && implType.Kind() == reflect.Pointer {
+	for implType != nil && implType.Kind() == reflect.Ptr {
-		buf.WriteByte('*')
+		name += "*"
 		implType = implType.Elem()
 	}
 	if implType != nil {
-		buf.WriteString(implType.Name())
+		name += implType.Name()
 	} else {
-		buf.WriteString("nil")
+		name += "nil"
 	}
-	return "implementation " + buf.String() + " not supported"
+	return fmt.Sprintf("implementation %s not supported", name)
 }
 
 // FilesystemConfigJSON is the [json] adapter for [FilesystemConfig].

hst/fs_test.go

@@ -3,7 +3,6 @@ package hst_test
 import (
 	"encoding/json"
 	"errors"
-	"fmt"
 	"os"
 	"reflect"
 	"strings"
@@ -104,7 +103,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
 			t.Run("marshal", func(t *testing.T) {
 				t.Parallel()
 				wantErr := tc.wantErr
-				if _, ok := errors.AsType[hst.FSTypeError](wantErr); ok {
+				if errors.As(wantErr, new(hst.FSTypeError)) {
 					// for unsupported implementation tc
 					wantErr = hst.FSImplError{Value: stubFS{"cat"}}
 				}
@@ -140,7 +139,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
 			t.Run("unmarshal", func(t *testing.T) {
 				t.Parallel()
 				if tc.data == "\x00" && tc.sData == "\x00" {
-					if _, ok := errors.AsType[hst.FSImplError](tc.wantErr); ok {
+					if errors.As(tc.wantErr, new(hst.FSImplError)) {
 						// this error is only returned on marshal
 						return
 					}
@@ -284,11 +283,11 @@ func checkFs(t *testing.T, testCases []fsTestCase) {
 				if !reflect.DeepEqual(ops, &tc.ops) {
 					gotString := new(strings.Builder)
 					for _, op := range *ops {
-						gotString.WriteString("\n" + fmt.Sprintf("%#v", op))
+						gotString.WriteString("\n" + op.String())
 					}
 					wantString := new(strings.Builder)
 					for _, op := range tc.ops {
-						wantString.WriteString("\n" + fmt.Sprintf("%#v", op))
+						wantString.WriteString("\n" + op.String())
 					}
 					t.Errorf("Apply: %s, want %s", gotString, wantString)
 				}
@@ -340,10 +339,6 @@ func (p opsAdapter) Overlay(target, state, work *check.Absolute, layers ...*chec
 	return opsAdapter{p.Ops.Overlay(target, state, work, layers...)}
 }
 
-func (p opsAdapter) OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) hst.Ops {
-	return opsAdapter{p.Ops.OverlayEphemeral(target, layers...)}
-}
-
 func (p opsAdapter) OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) hst.Ops {
 	return opsAdapter{p.Ops.OverlayReadonly(target, layers...)}
 }

hst/fsephemeral.go

@@ -43,13 +43,18 @@ func (e *FSEphemeral) Apply(z *ApplyState) {
 		return
 	}
 
+	size := e.Size
+	if size < 0 {
+		size = 0
+	}
+
 	perm := e.Perm
 	if perm == 0 {
 		perm = fsEphemeralDefaultPerm
 	}
 
 	if e.Write {
-		z.Tmpfs(e.Target, max(e.Size, 0), perm)
+		z.Tmpfs(e.Target, size, perm)
 	} else {
 		z.Readonly(e.Target, perm)
 	}

hst/fsoverlay.go

@@ -2,7 +2,6 @@ package hst
 
 import (
 	"encoding/gob"
-	"slices"
 	"strings"
 
 	"hakurei.app/check"
@@ -41,7 +40,7 @@ func (o *FSOverlay) Valid() bool {
 	}
 
 	if o.Upper != nil { // rw
-		return o.Work != nil || len(o.Lower) > 0
+		return o.Work != nil && len(o.Lower) > 0
 	} else { // ro
 		return len(o.Lower) >= 2
 	}
@@ -59,11 +58,8 @@ func (o *FSOverlay) Host() []*check.Absolute {
 		return nil
 	}
 	p := make([]*check.Absolute, 0, 2+len(o.Lower))
-	if o.Upper != nil {
+	if o.Upper != nil && o.Work != nil {
-		p = append(p, o.Upper)
+		p = append(p, o.Upper, o.Work)
-		if o.Work != nil {
-			p = append(p, o.Work)
-		}
 	}
 	p = append(p, o.Lower...)
 	return p
@@ -74,18 +70,11 @@ func (o *FSOverlay) Apply(z *ApplyState) {
 		return
 	}
 
-	if o.Upper != nil {
+	if o.Upper != nil && o.Work != nil {
+		z.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
 		if o.Target.Is(fhs.AbsRoot) {
 			z.NoRemountRoot = true
 		}
-		if o.Work != nil {
-			z.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
-		} else {
-			z.OverlayEphemeral(o.Target, slices.Concat(
-				o.Lower,
-				[]*check.Absolute{o.Upper})...,
-			)
-		}
 	} else {
 		z.OverlayReadonly(o.Target, o.Lower...)
 	}
@@ -101,19 +90,12 @@ func (o *FSOverlay) String() string {
 		lower[i] = check.EscapeOverlayDataSegment(a.String())
 	}
 
-	if o.Upper != nil {
+	if o.Upper != nil && o.Work != nil {
-		if o.Work != nil {
+		return "w*" + strings.Join(append([]string{
-			return "w*" + strings.Join(append([]string{
-				check.EscapeOverlayDataSegment(o.Target.String()),
-				check.EscapeOverlayDataSegment(o.Upper.String()),
-				check.EscapeOverlayDataSegment(o.Work.String())},
-				lower...), check.SpecialOverlayPath)
-		}
-		return "e*" + strings.Join(append([]string{
 			check.EscapeOverlayDataSegment(o.Target.String()),
-			check.EscapeOverlayDataSegment(o.Upper.String())},
+			check.EscapeOverlayDataSegment(o.Upper.String()),
+			check.EscapeOverlayDataSegment(o.Work.String())},
 			lower...), check.SpecialOverlayPath)
-
 	} else {
 		return "*" + strings.Join(append([]string{
 			check.EscapeOverlayDataSegment(o.Target.String())},

hst/fsoverlay_test.go

@@ -5,7 +5,6 @@ import (
 
 	"hakurei.app/check"
 	"hakurei.app/container"
-	"hakurei.app/fhs"
 	"hakurei.app/hst"
 )
 
@@ -15,7 +14,7 @@ func TestFSOverlay(t *testing.T) {
 	checkFs(t, []fsTestCase{
 		{"nil", (*hst.FSOverlay)(nil), false, nil, nil, nil, "<invalid>"},
 		{"nil lower", &hst.FSOverlay{Target: m("/etc"), Lower: []*check.Absolute{nil}}, false, nil, nil, nil, "<invalid>"},
-		{"zero lower", &hst.FSOverlay{Target: m("/etc"), Work: m("/")}, false, nil, nil, nil, "<invalid>"},
+		{"zero lower", &hst.FSOverlay{Target: m("/etc"), Upper: m("/"), Work: m("/")}, false, nil, nil, nil, "<invalid>"},
 		{"zero lower ro", &hst.FSOverlay{Target: m("/etc")}, false, nil, nil, nil, "<invalid>"},
 		{"short lower", &hst.FSOverlay{Target: m("/etc"), Lower: ms("/etc")}, false, nil, nil, nil, "<invalid>"},
 
@@ -63,16 +62,5 @@ func TestFSOverlay(t *testing.T) {
 			Work:   m("/tmp/work"),
 		}}, m("/"), ms("/tmp/upper", "/tmp/work", "/tmp/.src0", "/tmp/.src1"),
 			"w*/:/tmp/upper:/tmp/work:/tmp/.src0:/tmp/.src1"},
-
-		{"ephemeral", &hst.FSOverlay{
-			Target: m("/"),
-			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
-			Upper:  m("/tmp/upper"),
-		}, true, container.Ops{&container.MountOverlayOp{
-			Target: m("/"),
-			Lower:  ms("/tmp/.src0", "/tmp/.src1", "/tmp/upper"),
-			Upper:  fhs.AbsRoot,
-		}}, m("/"), ms("/tmp/upper", "/tmp/.src0", "/tmp/.src1"),
-			"e*/:/tmp/upper:/tmp/.src0:/tmp/.src1"},
 	})
 }

hst/hst.go

@@ -72,7 +72,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: new(EWayland | EDBus | EPipeWire),
+		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,

hst/hst_test.go

@@ -245,7 +245,6 @@ func TestTemplate(t *testing.T) {
 		"multiarch": true,
 		"map_real_uid": true,
 		"device": true,
-		"cover_run": true,
 		"share_runtime": true,
 		"share_tmpdir": true
 	}

internal/dbus/address.go

@@ -80,7 +80,7 @@ func unescapeValue(v []byte) (val []byte, errno ParseError) {
 			continue
 		}
 
-		if found := bytes.Contains([]byte("-_/.\\*"), []byte{b}); found { // - // _/.\*
+		if ib := bytes.IndexByte([]byte("-_/.\\*"), b); ib != -1 { // - // _/.\*
 			goto opt
 		} else if b >= '0' && b <= '9' { // 0-9
 			goto opt
@@ -101,7 +101,7 @@ func unescapeValue(v []byte) (val []byte, errno ParseError) {
 			break
 		}
 		if c, err := hex.Decode(val[i:i+1], v[iu+1:iu+3]); err != nil {
-			if _, ok := errors.AsType[hex.InvalidByteError](err); ok {
+			if errors.As(err, new(hex.InvalidByteError)) {
 				errno = ErrBadValHexByte
 				break
 			}

internal/kobject/event.go

@@ -2,7 +2,6 @@ package kobject
 
 import (
 	"errors"
-	"maps"
 	"strconv"
 	"strings"
 	"unsafe"
@@ -29,22 +28,6 @@ type Event struct {
 	Subsystem string `json:"subsystem"`
 }
 
-// Clone returns a copy of e.
-func (e *Event) Clone() Event {
-	v := *e
-	v.Env = maps.Clone(e.Env)
-	return v
-}
-
-// makeColdboot allocates a new [Object] from e in [StateColdboot].
-func (e *Event) makeColdboot() *Object {
-	return &Object{
-		State:     StateColdboot,
-		DevPath:   e.DevPath,
-		Subsystem: e.Subsystem,
-	}
-}
-
 // Populate populates e with the contents of a [uevent.Message].
 //
 // The ACTION and DEVPATH environment variables are ignored and assumed to be

internal/kobject/kobject.go

@@ -1,491 +0,0 @@
-// Package kobject interprets uevent messages from a NETLINK_KOBJECT_UEVENT socket.
-package kobject
-
-import (
-	"context"
-	"fmt"
-	"maps"
-	"slices"
-	"strconv"
-	"sync"
-
-	"hakurei.app/internal/report"
-	"hakurei.app/internal/uevent"
-)
-
-const (
-	// StateColdboot denotes an [Object] populated by a coldboot event. It is
-	// eligible for all event actions.
-	StateColdboot = iota
-	// StateNew denotes an [Object] previously populated by a [uevent.KOBJ_ADD]
-	// event, but has not yet been targeted by a [uevent.KOBJ_BIND] event, or
-	// has been targeted by a [uevent.KOBJ_UNBIND] event.
-	StateNew
-	// StateBound denotes an [Object] that has been targeted by a
-	// [uevent.KOBJ_BIND] and has not been targeted by a [uevent.KOBJ_UNBIND]
-	// after that.
-	StateBound
-)
-
-// Object represents a kernel object.
-type Object struct {
-	// Origin of the object.
-	State int `json:"state,omitempty"`
-	// Set by [uevent.KOBJ_OFFLINE] and [uevent.KOBJ_ONLINE].
-	Offline bool `json:"offline,omitempty"`
-
-	// alloc_uevent_skb: devpath
-	DevPath string `json:"devpath"`
-	// registered per-driver (optional)
-	ModAlias string `json:"modalias,omitempty"`
-	// dev_driver_uevent: drv->name (optional)
-	Driver string `json:"driver,omitempty"`
-
-	// SUBSYSTEM value set by the kernel.
-	Subsystem string `json:"subsystem"`
-
-	// Uninterpreted environment variable pairs. An entry missing a separator
-	// gains the value "\x00".
-	Env map[string]string `json:"env"`
-}
-
-// Clone returns the address of a copy of o.
-func (o *Object) Clone() *Object {
-	v := *o
-	v.Env = maps.Clone(o.Env)
-	return &v
-}
-
-// GoString returns compound literal for the underlying value.
-func (o *Object) GoString() string {
-	return fmt.Sprintf("&%#v", *o)
-}
-
-// merge merges uninterpreted environment variable pairs from an [Event].
-func (o *Object) merge(env map[string]string) {
-	for k, v := range env {
-		if v == "\x00" {
-			continue
-		}
-
-		switch k {
-		case "MODALIAS":
-			o.ModAlias = v
-			continue
-
-		case "DRIVER":
-			o.Driver = v
-			continue
-
-		default:
-			if o.Env == nil {
-				o.Env = make(map[string]string)
-			}
-			o.Env[k] = v
-		}
-	}
-}
-
-// update updates o with pairs from env, optionally stripping visited pairs.
-func (o *Object) update(env map[string]string, strip bool) {
-	for k := range o.Env {
-		if v, ok := env[k]; ok {
-			if strip {
-				delete(env, k)
-			}
-			o.Env[k] = v
-		}
-	}
-}
-
-// A pendingIterator is a callback currently iterating through objects targeted
-// by ongoing events.
-type pendingIterator struct {
-	f    func(o *Object, act uevent.KobjectAction) bool
-	done chan<- struct{}
-}
-
-// State processes a stream of [Event] populated from [uevent.Message] received
-// from a NETLINK_KOBJECT_UEVENT socket and presents an efficient representation
-// of kernel state.
-type State struct {
-	// Next expected SEQNUM.
-	seq uint64
-	// DevPath to environment variables.
-	uevent map[string]*Object
-	// Synchronises access to uevent and its objects.
-	ueventMu sync.RWMutex
-	// Alive iterators.
-	iter []*pendingIterator
-	// Synchronises access to iter.
-	iterMu sync.Mutex
-	// UUID for synthetic [uevent.Coldboot] events.
-	coldboot uevent.UUID
-	// Called on [uevent.KOBJ_CHANGE] with stripped environment variables.
-	handleChange func(o *Object, env map[string]string)
-	// Reports errors populating [Event] from [uevent.Message]. A user-supplied
-	// nil value is replaced with a noop.
-	reportErr func(error)
-}
-
-// New returns the address of a new [State].
-func New(
-	coldboot uevent.UUID,
-	handleChange func(o *Object, env map[string]string),
-	reportErr func(error),
-) *State {
-	return &State{
-		uevent:       make(map[string]*Object),
-		coldboot:     coldboot,
-		handleChange: handleChange,
-		reportErr:    reportErr,
-	}
-}
-
-// deleteIter removes an iterator from s. Must be called after acquiring iterMu.
-func (s *State) deleteIter(p *pendingIterator) {
-	s.iter = slices.DeleteFunc(s.iter, func(v *pendingIterator) bool {
-		return p == v
-	})
-}
-
-// dispatchIter broadcasts an [Object] to all alive iterators.
-func (s *State) dispatchIter(o *Object, act uevent.KobjectAction) {
-	s.iterMu.Lock()
-	defer s.iterMu.Unlock()
-
-	for _, p := range s.iter {
-		if !p.f(o, act) {
-			s.deleteIter(p)
-			close(p.done)
-		}
-	}
-}
-
-// Range calls f on all current and upcoming [Object] values tracked by s until
-// f returns false or the context is cancelled. f must not retain o or modify
-// the value it points to.
-func (s *State) Range(
-	ctx context.Context,
-	f func(o *Object, act uevent.KobjectAction) bool,
-) {
-	done := make(chan struct{})
-	p := pendingIterator{f, done}
-
-	s.iterMu.Lock()
-	s.ueventMu.RLock()
-	for _, o := range s.uevent {
-		if !f(o, uevent.KOBJ_ADD) {
-			s.ueventMu.RUnlock()
-			s.iterMu.Unlock()
-			return
-		}
-	}
-	s.ueventMu.RUnlock()
-	s.iter = append(s.iter, &p)
-	s.iterMu.Unlock()
-
-	select {
-	case <-ctx.Done():
-		s.iterMu.Lock()
-		s.deleteIter(&p)
-		s.iterMu.Unlock()
-		return
-
-	case <-done:
-		// deregistered by dispatchIter
-		return
-	}
-}
-
-// An EventError describes a malformed or inconsistent [Event].
-type EventError struct {
-	Kind int     `json:"fault"`
-	E    Event   `json:"event"`
-	O    *Object `json:"object,omitempty"`
-}
-
-var _ report.RepresentableError = EventError{}
-
-func (EventError) Representable() {}
-
-const (
-	// EUnexpectedColdboot is reported for a coldboot event with action other
-	// than the expected [uevent.KOBJ_ADD].
-	EUnexpectedColdboot = iota
-	// EDuplicateAdd is reported for a [uevent.KOBJ_ADD] event on a
-	// still-existing entry that was not the result of a coldboot.
-	EDuplicateAdd
-	// EBadTarget is reported for an event on a nonexistent [Object]. This is
-	// generally only possible before coldboot completes.
-	EBadTarget
-	// ERemoveState is reported for a [uevent.KOBJ_REMOVE] event targeting an
-	// entry in a state other than [StateColdboot] and [StateNew].
-	ERemoveState
-	// EUnexpectedOffline is reported for a [uevent.KOBJ_OFFLINE] or
-	// [uevent.KOBJ_ONLINE] event targeting an already offline or online object.
-	EUnexpectedOffline
-	// EBindState is reported for a [uevent.KOBJ_BIND] event targeting an entry
-	// in a state other than [StateColdboot] and [StateNew].
-	EBindState
-	// EUnbindState is reported for a [uevent.KOBJ_UNBIND] event targeting an
-	// entry in a state other than [StateBound].
-	EUnbindState
-	// EMalformedMove is reported for a [uevent.KOBJ_MOVE] event missing the
-	// DEVPATH_OLD environment variable.
-	EMalformedMove
-)
-
-func (e EventError) Error() string {
-	switch e.Kind {
-	case EUnexpectedColdboot:
-		return "unexpected " + e.E.Action.String() + " coldboot event"
-	case EDuplicateAdd:
-		return "duplicate add event on devpath " + strconv.Quote(e.E.DevPath)
-	case EBadTarget:
-		return "unexpected " + e.E.Action.String() + " event on devpath " +
-			strconv.Quote(e.E.DevPath)
-	case ERemoveState:
-		if e.O == nil {
-			return "invalid remove event error"
-		}
-		return "remove event targeting devpath " + strconv.Quote(e.E.DevPath) +
-			" in state " + strconv.Itoa(e.O.State)
-	case EUnexpectedOffline:
-		if e.O == nil {
-			return "invalid unexpected offline error"
-		}
-		if e.O.Offline {
-			return "offline event targeting devpath " + strconv.Quote(e.E.DevPath)
-		}
-		return "online event targeting devpath " + strconv.Quote(e.E.DevPath)
-	case EBindState:
-		if e.O == nil {
-			return "invalid bind state error"
-		}
-		return "bind event targeting devpath " + strconv.Quote(e.E.DevPath) +
-			" in state " + strconv.Itoa(e.O.State)
-	case EUnbindState:
-		if e.O == nil {
-			return "invalid unbind state error"
-		}
-		return "unbind event targeting devpath " + strconv.Quote(e.E.DevPath) +
-			" in state " + strconv.Itoa(e.O.State)
-	case EMalformedMove:
-		return "move event targeting devpath " + strconv.Quote(e.E.DevPath) +
-			" missing DEVPATH_OLD"
-
-	default:
-		return "invalid event error kind " + strconv.Itoa(e.Kind)
-	}
-}
-
-// NewError returns a new [EventError] for e and o.
-func (e *Event) NewError(kind int, o *Object) error {
-	if o != nil {
-		o = o.Clone()
-	}
-	return EventError{kind, e.Clone(), o}
-}
-
-// processEvent merges an event into s.
-func (s *State) processEvent(e *Event) {
-	s.ueventMu.Lock()
-	defer s.ueventMu.Unlock()
-
-	coldboot := e.Synth != nil
-	if e.Action != uevent.KOBJ_ADD && coldboot {
-		s.reportErr(e.NewError(EUnexpectedColdboot, nil))
-		return
-	}
-
-	switch act := e.Action; act {
-	case uevent.KOBJ_ADD:
-		if e.Synth == nil {
-			if o, ok := s.uevent[e.DevPath]; ok {
-				s.reportErr(e.NewError(EDuplicateAdd, o))
-				o.merge(e.Env)
-				s.dispatchIter(o, act)
-				return
-			}
-		}
-		o := e.makeColdboot()
-		if !coldboot {
-			o.State = StateNew
-		}
-		o.merge(e.Env)
-		s.uevent[e.DevPath] = o
-		s.dispatchIter(o, act)
-		return
-
-	case uevent.KOBJ_REMOVE:
-		if o, ok := s.uevent[e.DevPath]; !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			return
-		} else if o.State != StateColdboot && o.State != StateNew {
-			s.reportErr(e.NewError(ERemoveState, o))
-		}
-		delete(s.uevent, e.DevPath)
-		return
-
-	case uevent.KOBJ_CHANGE:
-		o, ok := s.uevent[e.DevPath]
-		if !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			// this suffers from the coldboot race window similar to KOBJ_MOVE,
-			// however this action combines driver-specific and change-specific
-			// environment variables and combines them with environment
-			// variables meant to convey state of the kobject, and it is not
-			// possible to reliably separate them, so this fallback avoids the
-			// race at the cost of including some garbage in tracked state
-			o = e.makeColdboot()
-			o.merge(e.Env)
-			s.uevent[e.DevPath] = o
-			s.dispatchIter(o, act)
-			return
-		}
-		o.update(e.Env, true)
-		if s.handleChange != nil {
-			s.handleChange(o, e.Env)
-		}
-		s.dispatchIter(o, act)
-		return
-
-	case uevent.KOBJ_MOVE:
-		var o *Object
-		if old, ok := e.Env["DEVPATH_OLD"]; !ok {
-			s.reportErr(e.NewError(EMalformedMove, nil))
-			// not reached
-			o = e.makeColdboot()
-		} else if o, ok = s.uevent[old]; !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			// this generally happens during coldboot, dropping the event here
-			// may cause inconsistent state if the coldboot event for this
-			// object was generated before the bind event
-			delete(e.Env, "DEVPATH_OLD")
-			o = e.makeColdboot()
-		} else {
-			delete(s.uevent, old)
-			delete(e.Env, "DEVPATH_OLD")
-		}
-		o.merge(e.Env)
-		s.uevent[e.DevPath] = o
-		o.DevPath = e.DevPath
-		s.dispatchIter(o, act)
-		return
-
-	case uevent.KOBJ_ONLINE:
-		o, ok := s.uevent[e.DevPath]
-		if !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			// coldboot race window similar to an unexpected KOBJ_MOVE
-			o = e.makeColdboot()
-			s.uevent[e.DevPath] = o
-			o.merge(e.Env)
-		}
-		if !o.Offline {
-			s.reportErr(e.NewError(EUnexpectedOffline, o))
-		}
-		o.Offline = false
-		s.dispatchIter(o, act)
-		return
-
-	case uevent.KOBJ_OFFLINE:
-		o, ok := s.uevent[e.DevPath]
-		if !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			// coldboot race window similar to an unexpected KOBJ_MOVE
-			o = e.makeColdboot()
-			s.uevent[e.DevPath] = o
-			o.merge(e.Env)
-		}
-		if o.Offline {
-			s.reportErr(e.NewError(EUnexpectedOffline, o))
-		}
-		o.Offline = true
-		s.dispatchIter(o, act)
-		return
-
-	case uevent.KOBJ_BIND:
-		o, ok := s.uevent[e.DevPath]
-		if !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			// coldboot race window similar to an unexpected KOBJ_MOVE
-			o = e.makeColdboot()
-			s.uevent[e.DevPath] = o
-		}
-		if o.State != StateColdboot && o.State != StateNew {
-			s.reportErr(e.NewError(EBindState, o))
-		}
-		o.State = StateBound
-		o.merge(e.Env)
-		s.dispatchIter(o, act)
-		return
-
-	case uevent.KOBJ_UNBIND:
-		o, ok := s.uevent[e.DevPath]
-		if !ok {
-			s.reportErr(e.NewError(EBadTarget, nil))
-			// coldboot race window similar to an unexpected KOBJ_MOVE, but does
-			// not result in inconsistent state if dropped
-			return
-		}
-		if o.State != StateBound {
-			s.reportErr(e.NewError(EUnbindState, o))
-		}
-		o.State = StateNew
-		o.Driver = ""
-		s.dispatchIter(o, act)
-		return
-
-	default: // not reached
-		s.reportErr(fmt.Errorf("invalid action %d", e.Action))
-		return
-	}
-}
-
-// BadSequenceError is reported for an unexpected SEQNUM.
-type BadSequenceError struct{ Got, Want uint64 }
-
-func (e BadSequenceError) Error() string {
-	return "SEQNUM=" + strconv.FormatUint(e.Got, 10) +
-		", want " + strconv.FormatUint(e.Want, 10)
-}
-
-// Consume receives uevent messages and updates s to reflect state of kernel.
-func (s *State) Consume(ctx context.Context, events <-chan *uevent.Message) {
-	if s.uevent == nil {
-		s.uevent = make(map[string]*Object)
-	}
-	if s.reportErr == nil {
-		s.reportErr = func(error) {}
-	}
-
-	var e Event
-	for {
-		select {
-		case <-ctx.Done():
-			return
-
-		case m, ok := <-events:
-			if !ok {
-				return
-			}
-			e.Populate(s.reportErr, m)
-
-			// skip external synthetic event
-			if e.Synth != nil && *e.Synth != s.coldboot {
-				continue
-			}
-
-			if s.seq == 0 {
-				s.seq = e.Sequence
-			}
-			if s.seq != e.Sequence {
-				s.reportErr(BadSequenceError{e.Sequence, s.seq})
-			}
-			s.seq++
-			s.processEvent(&e)
-		}
-	}
-}

internal/kobject/testdata/00-coldboot

@@ -1,266 +0,0 @@
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXPWRBN:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXPWRBN:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:LNXPWRBN:","SEQNUM=777"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXPWRBN:00/wakeup/wakeup7","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXPWRBN:00/wakeup/wakeup7","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=778"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0010:00/LNXCPU:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0010:00/LNXCPU:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:LNXCPU:","SEQNUM=779"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0010:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0010:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:ACPI0010:PNP0A05:","SEQNUM=780"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0103:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0103:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0103:","SEQNUM=781"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0A06:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0A06:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0A06:","SEQNUM=782"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0A06:01","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0A06:01","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0A06:","SEQNUM=783"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0A06:02","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0A06:02","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0A06:","SEQNUM=784"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/QEMU0002:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/QEMU0002:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:QEMU0002:","SEQNUM=785"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=786"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:00/wakeup/wakeup0","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:00/wakeup/wakeup0","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=787"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0303:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0303:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0303:","SEQNUM=788"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0400:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0400:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0400:","SEQNUM=789"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0501:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0501:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0501:","SEQNUM=790"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0700:00/device:02","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0700:00/device:02","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=791"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0700:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0700:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0700:","SEQNUM=792"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0B00:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0B00:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0B00:","SEQNUM=793"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0F13:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0F13:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0F13:","SEQNUM=794"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=795"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/wakeup/wakeup1","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/wakeup/wakeup1","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=796"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:03","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:03","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=797"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:03/wakeup/wakeup2","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:03/wakeup/wakeup2","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=798"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:04","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:04","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=799"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:04/wakeup/wakeup3","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:04/wakeup/wakeup3","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=800"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:05","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:05","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=801"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:05/wakeup/wakeup4","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:05/wakeup/wakeup4","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=802"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:06","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:06","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=803"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:06/wakeup/wakeup5","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:06/wakeup/wakeup5","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=804"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=805"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=806"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:09","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:09","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=807"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0a","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0a","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=808"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0b","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0b","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=809"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0c","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0c","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=810"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0d","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0d","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=811"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0e","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0e","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=812"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0f","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0f","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=813"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:10","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:10","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=814"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:11","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:11","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=815"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:12","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:12","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=816"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:13","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:13","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=817"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:14","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:14","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=818"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:15","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:15","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=819"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:16","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:16","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=820"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:17","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:17","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=821"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:18","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:18","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=822"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:19","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:19","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=823"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1a","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1a","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=824"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1b","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1b","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=825"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1c","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1c","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=826"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1d","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1d","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=827"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1e","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1e","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=828"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1f","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1f","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=829"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:20","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:20","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=830"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:21","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:21","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=831"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:22","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:22","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=832"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0A03:","SEQNUM=833"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/wakeup/wakeup6","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/wakeup/wakeup6","SUBSYSTEM=wakeup","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=834"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0C0F:","SEQNUM=835"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:01","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:01","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0C0F:","SEQNUM=836"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:02","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:02","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0C0F:","SEQNUM=837"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:03","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:03","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0C0F:","SEQNUM=838"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:04","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:04","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0C0F:","SEQNUM=839"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:LNXSYBUS:","SEQNUM=840"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:01","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:01","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:LNXSYBUS:","SEQNUM=841"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00","SUBSYSTEM=acpi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:LNXSYSTM:","SEQNUM=842"]}
-{"action":"add","devpath":"/devices/breakpoint","env":["ACTION=add","DEVPATH=/devices/breakpoint","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=843"]}
-{"action":"add","devpath":"/devices/cpu","env":["ACTION=add","DEVPATH=/devices/cpu","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=844"]}
-{"action":"add","devpath":"/devices/kprobe","env":["ACTION=add","DEVPATH=/devices/kprobe","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=845"]}
-{"action":"add","devpath":"/devices/msr","env":["ACTION=add","DEVPATH=/devices/msr","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=846"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:00.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:00.0","SUBSYSTEM=pci","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","PCI_CLASS=60000","PCI_ID=8086:1237","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:00.0","MODALIAS=pci:v00008086d00001237sv00001AF4sd00001100bc06sc00i00","SEQNUM=847"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.0","SUBSYSTEM=pci","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","PCI_CLASS=60100","PCI_ID=8086:7000","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:01.0","MODALIAS=pci:v00008086d00007000sv00001AF4sd00001100bc06sc01i00","SEQNUM=848"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata1/ata_port/ata1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata1/ata_port/ata1","SUBSYSTEM=ata_port","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=849"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata1/host0/scsi_host/host0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata1/host0/scsi_host/host0","SUBSYSTEM=scsi_host","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=850"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata1/host0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata1/host0","SUBSYSTEM=scsi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=scsi_host","SEQNUM=851"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata1/link1/ata_link/link1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata1/link1/ata_link/link1","SUBSYSTEM=ata_link","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=852"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata1/link1/dev1.0/ata_device/dev1.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata1/link1/dev1.0/ata_device/dev1.0","SUBSYSTEM=ata_device","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=853"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata1/link1/dev1.1/ata_device/dev1.1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata1/link1/dev1.1/ata_device/dev1.1","SUBSYSTEM=ata_device","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=854"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/ata_port/ata2","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/ata_port/ata2","SUBSYSTEM=ata_port","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=855"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/host1/scsi_host/host1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/host1/scsi_host/host1","SUBSYSTEM=scsi_host","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=856"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0/bsg/1:0:0:0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0/bsg/1:0:0:0","SUBSYSTEM=bsg","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=251","MINOR=0","DEVNAME=bsg/1:0:0:0","SEQNUM=857"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0/scsi_device/1:0:0:0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0/scsi_device/1:0:0:0","SUBSYSTEM=scsi_device","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=858"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0/1:0:0:0","SUBSYSTEM=scsi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=scsi_device","MODALIAS=scsi:t-0x05","SEQNUM=859"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/host1/target1:0:0","SUBSYSTEM=scsi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=scsi_target","SEQNUM=860"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/host1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/host1","SUBSYSTEM=scsi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=scsi_host","SEQNUM=861"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/link2/ata_link/link2","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/link2/ata_link/link2","SUBSYSTEM=ata_link","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=862"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/link2/dev2.0/ata_device/dev2.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/link2/dev2.0/ata_device/dev2.0","SUBSYSTEM=ata_device","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=863"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1/ata2/link2/dev2.1/ata_device/dev2.1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1/ata2/link2/dev2.1/ata_device/dev2.1","SUBSYSTEM=ata_device","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=864"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.1","SUBSYSTEM=pci","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=ata_piix","PCI_CLASS=10180","PCI_ID=8086:7010","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:01.1","MODALIAS=pci:v00008086d00007010sv00001AF4sd00001100bc01sc01i80","SEQNUM=865"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:01.3","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:01.3","SUBSYSTEM=pci","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","PCI_CLASS=68000","PCI_ID=8086:7113","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:01.3","MODALIAS=pci:v00008086d00007113sv00001AF4sd00001100bc06sc80i00","SEQNUM=866"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:02.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:02.0","SUBSYSTEM=pci","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","PCI_CLASS=20000","PCI_ID=8086:100E","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:02.0","MODALIAS=pci:v00008086d0000100Esv00001AF4sd00001100bc02sc00i00","SEQNUM=867"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:03.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:03.0","SUBSYSTEM=pci","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=virtio-pci","PCI_CLASS=10000","PCI_ID=1AF4:1001","PCI_SUBSYS_ID=1AF4:0002","PCI_SLOT_NAME=0000:00:03.0","MODALIAS=pci:v00001AF4d00001001sv00001AF4sd00000002bc01sc00i00","SEQNUM=868"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:03.0/virtio0/block/vda","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:03.0/virtio0/block/vda","SUBSYSTEM=block","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=254","MINOR=0","DEVNAME=vda","DEVTYPE=disk","DISKSEQ=1","SEQNUM=869"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:03.0/virtio0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:03.0/virtio0","SUBSYSTEM=virtio","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=virtio_blk","MODALIAS=virtio:d00000002v00001AF4","SEQNUM=870"]}
-{"action":"add","devpath":"/devices/pci0000:00/QEMU0002:00","env":["ACTION=add","DEVPATH=/devices/pci0000:00/QEMU0002:00","SUBSYSTEM=platform","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:QEMU0002:","SEQNUM=871"]}
-{"action":"add","devpath":"/devices/pci0000:00/pci_bus/0000:00","env":["ACTION=add","DEVPATH=/devices/pci0000:00/pci_bus/0000:00","SUBSYSTEM=pci_bus","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=872"]}
-{"action":"add","devpath":"/devices/platform/PNP0103:00","env":["ACTION=add","DEVPATH=/devices/platform/PNP0103:00","SUBSYSTEM=platform","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=acpi:PNP0103:","SEQNUM=873"]}
-{"action":"add","devpath":"/devices/platform/pcspkr","env":["ACTION=add","DEVPATH=/devices/platform/pcspkr","SUBSYSTEM=platform","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=platform:pcspkr","SEQNUM=874"]}
-{"action":"add","devpath":"/devices/platform/reg-dummy/regulator/regulator.0","env":["ACTION=add","DEVPATH=/devices/platform/reg-dummy/regulator/regulator.0","SUBSYSTEM=regulator","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=875"]}
-{"action":"add","devpath":"/devices/platform/reg-dummy","env":["ACTION=add","DEVPATH=/devices/platform/reg-dummy","SUBSYSTEM=platform","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=reg-dummy","MODALIAS=platform:reg-dummy","SEQNUM=876"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0/serial8250:0.1/tty/ttyS1","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0/serial8250:0.1/tty/ttyS1","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=65","DEVNAME=ttyS1","SEQNUM=877"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0/serial8250:0.1","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0/serial8250:0.1","SUBSYSTEM=serial-base","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=port","DRIVER=port","SEQNUM=878"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0/serial8250:0.2/tty/ttyS2","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0/serial8250:0.2/tty/ttyS2","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=66","DEVNAME=ttyS2","SEQNUM=879"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0/serial8250:0.2","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0/serial8250:0.2","SUBSYSTEM=serial-base","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=port","DRIVER=port","SEQNUM=880"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0/serial8250:0.3/tty/ttyS3","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0/serial8250:0.3/tty/ttyS3","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=67","DEVNAME=ttyS3","SEQNUM=881"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0/serial8250:0.3","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0/serial8250:0.3","SUBSYSTEM=serial-base","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=port","DRIVER=port","SEQNUM=882"]}
-{"action":"add","devpath":"/devices/platform/serial8250/serial8250:0","env":["ACTION=add","DEVPATH=/devices/platform/serial8250/serial8250:0","SUBSYSTEM=serial-base","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=ctrl","DRIVER=ctrl","SEQNUM=883"]}
-{"action":"add","devpath":"/devices/platform/serial8250","env":["ACTION=add","DEVPATH=/devices/platform/serial8250","SUBSYSTEM=platform","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=serial8250","MODALIAS=platform:serial8250","SEQNUM=884"]}
-{"action":"add","devpath":"/devices/pnp0/00:00","env":["ACTION=add","DEVPATH=/devices/pnp0/00:00","SUBSYSTEM=pnp","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=885"]}
-{"action":"add","devpath":"/devices/pnp0/00:01","env":["ACTION=add","DEVPATH=/devices/pnp0/00:01","SUBSYSTEM=pnp","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=886"]}
-{"action":"add","devpath":"/devices/pnp0/00:02","env":["ACTION=add","DEVPATH=/devices/pnp0/00:02","SUBSYSTEM=pnp","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=887"]}
-{"action":"add","devpath":"/devices/pnp0/00:03","env":["ACTION=add","DEVPATH=/devices/pnp0/00:03","SUBSYSTEM=pnp","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=888"]}
-{"action":"add","devpath":"/devices/pnp0/00:04/00:04:0/00:04:0.0/tty/ttyS0","env":["ACTION=add","DEVPATH=/devices/pnp0/00:04/00:04:0/00:04:0.0/tty/ttyS0","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=64","DEVNAME=ttyS0","SEQNUM=889"]}
-{"action":"add","devpath":"/devices/pnp0/00:04/00:04:0/00:04:0.0","env":["ACTION=add","DEVPATH=/devices/pnp0/00:04/00:04:0/00:04:0.0","SUBSYSTEM=serial-base","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=port","DRIVER=port","SEQNUM=890"]}
-{"action":"add","devpath":"/devices/pnp0/00:04/00:04:0","env":["ACTION=add","DEVPATH=/devices/pnp0/00:04/00:04:0","SUBSYSTEM=serial-base","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DEVTYPE=ctrl","DRIVER=ctrl","SEQNUM=891"]}
-{"action":"add","devpath":"/devices/pnp0/00:04","env":["ACTION=add","DEVPATH=/devices/pnp0/00:04","SUBSYSTEM=pnp","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=serial","SEQNUM=892"]}
-{"action":"add","devpath":"/devices/pnp0/00:05","env":["ACTION=add","DEVPATH=/devices/pnp0/00:05","SUBSYSTEM=pnp","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=893"]}
-{"action":"add","devpath":"/devices/software","env":["ACTION=add","DEVPATH=/devices/software","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=894"]}
-{"action":"add","devpath":"/devices/system/clockevents/broadcast","env":["ACTION=add","DEVPATH=/devices/system/clockevents/broadcast","SUBSYSTEM=clockevents","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=895"]}
-{"action":"add","devpath":"/devices/system/clockevents/clockevent0","env":["ACTION=add","DEVPATH=/devices/system/clockevents/clockevent0","SUBSYSTEM=clockevents","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=896"]}
-{"action":"add","devpath":"/devices/system/clocksource/clocksource0","env":["ACTION=add","DEVPATH=/devices/system/clocksource/clocksource0","SUBSYSTEM=clocksource","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=897"]}
-{"action":"add","devpath":"/devices/system/container/PNP0A06:00","env":["ACTION=add","DEVPATH=/devices/system/container/PNP0A06:00","SUBSYSTEM=container","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=898"]}
-{"action":"add","devpath":"/devices/system/container/PNP0A06:01","env":["ACTION=add","DEVPATH=/devices/system/container/PNP0A06:01","SUBSYSTEM=container","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=899"]}
-{"action":"add","devpath":"/devices/system/container/PNP0A06:02","env":["ACTION=add","DEVPATH=/devices/system/container/PNP0A06:02","SUBSYSTEM=container","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=900"]}
-{"action":"add","devpath":"/devices/system/cpu/cpu0","env":["ACTION=add","DEVPATH=/devices/system/cpu/cpu0","SUBSYSTEM=cpu","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","DRIVER=processor","MODALIAS=cpu:type:x86,ven0002fam000Fmod006B:feature:,0000,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,0020,0022,0023,0024,0025,0026,0027,0028,0029,002B,002C,002D,002E,002F,0030,0031,0034,0037,0038,003D,0064,006E,0070,0074,0075,0076,0079,007A,007F,0080,008D,0095,009F,00C0,00C8,00ED,00F3,010F,0115,0165,016C,0282\n","SEQNUM=901"]}
-{"action":"add","devpath":"/devices/system/machinecheck/machinecheck0","env":["ACTION=add","DEVPATH=/devices/system/machinecheck/machinecheck0","SUBSYSTEM=machinecheck","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=902"]}
-{"action":"add","devpath":"/devices/system/memory/memory0","env":["ACTION=add","DEVPATH=/devices/system/memory/memory0","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=903"]}
-{"action":"add","devpath":"/devices/system/memory/memory1","env":["ACTION=add","DEVPATH=/devices/system/memory/memory1","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=904"]}
-{"action":"add","devpath":"/devices/system/memory/memory2","env":["ACTION=add","DEVPATH=/devices/system/memory/memory2","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=905"]}
-{"action":"add","devpath":"/devices/system/memory/memory3","env":["ACTION=add","DEVPATH=/devices/system/memory/memory3","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=906"]}
-{"action":"add","devpath":"/devices/system/memory/memory4","env":["ACTION=add","DEVPATH=/devices/system/memory/memory4","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=907"]}
-{"action":"add","devpath":"/devices/system/memory/memory5","env":["ACTION=add","DEVPATH=/devices/system/memory/memory5","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=908"]}
-{"action":"add","devpath":"/devices/system/memory/memory6","env":["ACTION=add","DEVPATH=/devices/system/memory/memory6","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=909"]}
-{"action":"add","devpath":"/devices/system/memory/memory7","env":["ACTION=add","DEVPATH=/devices/system/memory/memory7","SUBSYSTEM=memory","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=910"]}
-{"action":"add","devpath":"/devices/system/node/node0","env":["ACTION=add","DEVPATH=/devices/system/node/node0","SUBSYSTEM=node","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=911"]}
-{"action":"add","devpath":"/devices/tracepoint","env":["ACTION=add","DEVPATH=/devices/tracepoint","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=912"]}
-{"action":"add","devpath":"/devices/uprobe","env":["ACTION=add","DEVPATH=/devices/uprobe","SUBSYSTEM=event_source","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=913"]}
-{"action":"add","devpath":"/devices/virtual/bdi/254:0","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/254:0","SUBSYSTEM=bdi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=914"]}
-{"action":"add","devpath":"/devices/virtual/devlink/:ata2--scsi:1:0:0:0","env":["ACTION=add","DEVPATH=/devices/virtual/devlink/:ata2--scsi:1:0:0:0","SUBSYSTEM=devlink","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=915"]}
-{"action":"add","devpath":"/devices/virtual/dmi/id","env":["ACTION=add","DEVPATH=/devices/virtual/dmi/id","SUBSYSTEM=dmi","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MODALIAS=dmi:bvnSeaBIOS:bvrrel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org:bd04/01/2014:br0.0:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-10.1:cvnQEMU:ct1:cvrpc-i440fx-10.1:sku:","SEQNUM=916"]}
-{"action":"add","devpath":"/devices/virtual/mem/full","env":["ACTION=add","DEVPATH=/devices/virtual/mem/full","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=7","DEVNAME=full","DEVMODE=0666","SEQNUM=917"]}
-{"action":"add","devpath":"/devices/virtual/mem/kmsg","env":["ACTION=add","DEVPATH=/devices/virtual/mem/kmsg","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=11","DEVNAME=kmsg","DEVMODE=0644","SEQNUM=918"]}
-{"action":"add","devpath":"/devices/virtual/mem/mem","env":["ACTION=add","DEVPATH=/devices/virtual/mem/mem","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=1","DEVNAME=mem","SEQNUM=919"]}
-{"action":"add","devpath":"/devices/virtual/mem/null","env":["ACTION=add","DEVPATH=/devices/virtual/mem/null","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=3","DEVNAME=null","DEVMODE=0666","SEQNUM=920"]}
-{"action":"add","devpath":"/devices/virtual/mem/port","env":["ACTION=add","DEVPATH=/devices/virtual/mem/port","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=4","DEVNAME=port","SEQNUM=921"]}
-{"action":"add","devpath":"/devices/virtual/mem/random","env":["ACTION=add","DEVPATH=/devices/virtual/mem/random","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=8","DEVNAME=random","DEVMODE=0666","SEQNUM=922"]}
-{"action":"add","devpath":"/devices/virtual/mem/urandom","env":["ACTION=add","DEVPATH=/devices/virtual/mem/urandom","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=9","DEVNAME=urandom","DEVMODE=0666","SEQNUM=923"]}
-{"action":"add","devpath":"/devices/virtual/mem/zero","env":["ACTION=add","DEVPATH=/devices/virtual/mem/zero","SUBSYSTEM=mem","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=1","MINOR=5","DEVNAME=zero","DEVMODE=0666","SEQNUM=924"]}
-{"action":"add","devpath":"/devices/virtual/memory_tiering/memory_tier4","env":["ACTION=add","DEVPATH=/devices/virtual/memory_tiering/memory_tier4","SUBSYSTEM=memory_tiering","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=925"]}
-{"action":"add","devpath":"/devices/virtual/misc/cpu_dma_latency","env":["ACTION=add","DEVPATH=/devices/virtual/misc/cpu_dma_latency","SUBSYSTEM=misc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=10","MINOR=259","DEVNAME=cpu_dma_latency","SEQNUM=926"]}
-{"action":"add","devpath":"/devices/virtual/misc/hpet","env":["ACTION=add","DEVPATH=/devices/virtual/misc/hpet","SUBSYSTEM=misc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=10","MINOR=228","DEVNAME=hpet","SEQNUM=927"]}
-{"action":"add","devpath":"/devices/virtual/misc/snapshot","env":["ACTION=add","DEVPATH=/devices/virtual/misc/snapshot","SUBSYSTEM=misc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=10","MINOR=231","DEVNAME=snapshot","SEQNUM=928"]}
-{"action":"add","devpath":"/devices/virtual/misc/udmabuf","env":["ACTION=add","DEVPATH=/devices/virtual/misc/udmabuf","SUBSYSTEM=misc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=10","MINOR=258","DEVNAME=udmabuf","SEQNUM=929"]}
-{"action":"add","devpath":"/devices/virtual/misc/userfaultfd","env":["ACTION=add","DEVPATH=/devices/virtual/misc/userfaultfd","SUBSYSTEM=misc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=10","MINOR=257","DEVNAME=userfaultfd","SEQNUM=930"]}
-{"action":"add","devpath":"/devices/virtual/misc/vga_arbiter","env":["ACTION=add","DEVPATH=/devices/virtual/misc/vga_arbiter","SUBSYSTEM=misc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=10","MINOR=256","DEVNAME=vga_arbiter","SEQNUM=931"]}
-{"action":"add","devpath":"/devices/virtual/net/lo","env":["ACTION=add","DEVPATH=/devices/virtual/net/lo","SUBSYSTEM=net","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","INTERFACE=lo","IFINDEX=1","SEQNUM=932"]}
-{"action":"add","devpath":"/devices/virtual/thermal/cooling_device0","env":["ACTION=add","DEVPATH=/devices/virtual/thermal/cooling_device0","SUBSYSTEM=thermal","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=933"]}
-{"action":"add","devpath":"/devices/virtual/tty/console","env":["ACTION=add","DEVPATH=/devices/virtual/tty/console","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=5","MINOR=1","DEVNAME=console","SEQNUM=934"]}
-{"action":"add","devpath":"/devices/virtual/tty/ptmx","env":["ACTION=add","DEVPATH=/devices/virtual/tty/ptmx","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=5","MINOR=2","DEVNAME=ptmx","DEVMODE=0666","SEQNUM=935"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=5","MINOR=0","DEVNAME=tty","DEVMODE=0666","SEQNUM=936"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty0","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty0","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=0","DEVNAME=tty0","SEQNUM=937"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty1","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty1","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=1","DEVNAME=tty1","SEQNUM=938"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty10","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty10","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=10","DEVNAME=tty10","SEQNUM=939"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty11","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty11","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=11","DEVNAME=tty11","SEQNUM=940"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty12","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty12","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=12","DEVNAME=tty12","SEQNUM=941"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty13","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty13","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=13","DEVNAME=tty13","SEQNUM=942"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty14","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty14","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=14","DEVNAME=tty14","SEQNUM=943"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty15","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty15","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=15","DEVNAME=tty15","SEQNUM=944"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty16","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty16","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=16","DEVNAME=tty16","SEQNUM=945"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty17","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty17","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=17","DEVNAME=tty17","SEQNUM=946"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty18","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty18","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=18","DEVNAME=tty18","SEQNUM=947"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty19","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty19","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=19","DEVNAME=tty19","SEQNUM=948"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty2","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty2","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=2","DEVNAME=tty2","SEQNUM=949"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty20","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty20","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=20","DEVNAME=tty20","SEQNUM=950"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty21","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty21","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=21","DEVNAME=tty21","SEQNUM=951"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty22","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty22","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=22","DEVNAME=tty22","SEQNUM=952"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty23","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty23","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=23","DEVNAME=tty23","SEQNUM=953"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty24","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty24","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=24","DEVNAME=tty24","SEQNUM=954"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty25","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty25","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=25","DEVNAME=tty25","SEQNUM=955"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty26","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty26","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=26","DEVNAME=tty26","SEQNUM=956"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty27","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty27","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=27","DEVNAME=tty27","SEQNUM=957"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty28","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty28","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=28","DEVNAME=tty28","SEQNUM=958"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty29","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty29","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=29","DEVNAME=tty29","SEQNUM=959"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty3","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty3","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=3","DEVNAME=tty3","SEQNUM=960"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty30","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty30","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=30","DEVNAME=tty30","SEQNUM=961"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty31","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty31","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=31","DEVNAME=tty31","SEQNUM=962"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty32","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty32","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=32","DEVNAME=tty32","SEQNUM=963"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty33","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty33","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=33","DEVNAME=tty33","SEQNUM=964"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty34","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty34","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=34","DEVNAME=tty34","SEQNUM=965"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty35","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty35","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=35","DEVNAME=tty35","SEQNUM=966"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty36","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty36","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=36","DEVNAME=tty36","SEQNUM=967"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty37","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty37","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=37","DEVNAME=tty37","SEQNUM=968"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty38","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty38","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=38","DEVNAME=tty38","SEQNUM=969"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty39","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty39","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=39","DEVNAME=tty39","SEQNUM=970"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty4","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty4","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=4","DEVNAME=tty4","SEQNUM=971"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty40","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty40","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=40","DEVNAME=tty40","SEQNUM=972"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty41","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty41","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=41","DEVNAME=tty41","SEQNUM=973"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty42","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty42","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=42","DEVNAME=tty42","SEQNUM=974"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty43","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty43","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=43","DEVNAME=tty43","SEQNUM=975"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty44","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty44","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=44","DEVNAME=tty44","SEQNUM=976"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty45","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty45","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=45","DEVNAME=tty45","SEQNUM=977"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty46","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty46","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=46","DEVNAME=tty46","SEQNUM=978"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty47","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty47","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=47","DEVNAME=tty47","SEQNUM=979"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty48","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty48","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=48","DEVNAME=tty48","SEQNUM=980"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty49","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty49","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=49","DEVNAME=tty49","SEQNUM=981"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty5","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty5","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=5","DEVNAME=tty5","SEQNUM=982"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty50","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty50","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=50","DEVNAME=tty50","SEQNUM=983"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty51","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty51","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=51","DEVNAME=tty51","SEQNUM=984"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty52","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty52","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=52","DEVNAME=tty52","SEQNUM=985"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty53","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty53","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=53","DEVNAME=tty53","SEQNUM=986"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty54","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty54","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=54","DEVNAME=tty54","SEQNUM=987"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty55","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty55","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=55","DEVNAME=tty55","SEQNUM=988"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty56","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty56","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=56","DEVNAME=tty56","SEQNUM=989"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty57","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty57","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=57","DEVNAME=tty57","SEQNUM=990"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty58","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty58","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=58","DEVNAME=tty58","SEQNUM=991"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty59","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty59","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=59","DEVNAME=tty59","SEQNUM=992"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty6","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty6","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=6","DEVNAME=tty6","SEQNUM=993"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty60","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty60","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=60","DEVNAME=tty60","SEQNUM=994"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty61","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty61","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=61","DEVNAME=tty61","SEQNUM=995"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty62","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty62","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=62","DEVNAME=tty62","SEQNUM=996"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty63","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty63","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=63","DEVNAME=tty63","SEQNUM=997"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty7","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty7","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=7","DEVNAME=tty7","SEQNUM=998"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty8","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty8","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=8","DEVNAME=tty8","SEQNUM=999"]}
-{"action":"add","devpath":"/devices/virtual/tty/tty9","env":["ACTION=add","DEVPATH=/devices/virtual/tty/tty9","SUBSYSTEM=tty","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=4","MINOR=9","DEVNAME=tty9","SEQNUM=1000"]}
-{"action":"add","devpath":"/devices/virtual/vc/vcs","env":["ACTION=add","DEVPATH=/devices/virtual/vc/vcs","SUBSYSTEM=vc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=7","MINOR=0","DEVNAME=vcs","SEQNUM=1001"]}
-{"action":"add","devpath":"/devices/virtual/vc/vcs1","env":["ACTION=add","DEVPATH=/devices/virtual/vc/vcs1","SUBSYSTEM=vc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=7","MINOR=1","DEVNAME=vcs1","SEQNUM=1002"]}
-{"action":"add","devpath":"/devices/virtual/vc/vcsa","env":["ACTION=add","DEVPATH=/devices/virtual/vc/vcsa","SUBSYSTEM=vc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=7","MINOR=128","DEVNAME=vcsa","SEQNUM=1003"]}
-{"action":"add","devpath":"/devices/virtual/vc/vcsa1","env":["ACTION=add","DEVPATH=/devices/virtual/vc/vcsa1","SUBSYSTEM=vc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=7","MINOR=129","DEVNAME=vcsa1","SEQNUM=1004"]}
-{"action":"add","devpath":"/devices/virtual/vc/vcsu","env":["ACTION=add","DEVPATH=/devices/virtual/vc/vcsu","SUBSYSTEM=vc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=7","MINOR=64","DEVNAME=vcsu","SEQNUM=1005"]}
-{"action":"add","devpath":"/devices/virtual/vc/vcsu1","env":["ACTION=add","DEVPATH=/devices/virtual/vc/vcsu1","SUBSYSTEM=vc","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","MAJOR=7","MINOR=65","DEVNAME=vcsu1","SEQNUM=1006"]}
-{"action":"add","devpath":"/devices/virtual/vtconsole/vtcon0","env":["ACTION=add","DEVPATH=/devices/virtual/vtconsole/vtcon0","SUBSYSTEM=vtconsole","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1007"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/nvme-auth-wq","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/nvme-auth-wq","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1008"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/nvme-delete-wq","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/nvme-delete-wq","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1009"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/nvme-reset-wq","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/nvme-reset-wq","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1010"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/nvme-wq","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/nvme-wq","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1011"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/scsi_tmf_0","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/scsi_tmf_0","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1012"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/scsi_tmf_1","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/scsi_tmf_1","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1013"]}
-{"action":"add","devpath":"/devices/virtual/workqueue/writeback","env":["ACTION=add","DEVPATH=/devices/virtual/workqueue/writeback","SUBSYSTEM=workqueue","SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed","SEQNUM=1014"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/wakeup/wakeup8","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/wakeup/wakeup8","SUBSYSTEM=wakeup","SEQNUM=1015"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:04.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:04.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:04.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1016"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:04.0/virtio1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:04.0/virtio1","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1017"]}
-{"action":"bind","devpath":"/devices/pci0000:00/0000:00:04.0","env":["ACTION=bind","DEVPATH=/devices/pci0000:00/0000:00:04.0","SUBSYSTEM=pci","DRIVER=virtio-pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:04.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1018"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","SUBSYSTEM=wakeup","SEQNUM=1019"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1020"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:05.0/virtio2","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:05.0/virtio2","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1021"]}
-{"action":"bind","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=bind","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","DRIVER=virtio-pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1022"]}
-{"action":"remove","devpath":"/devices/pci0000:00/0000:00:04.0/virtio1","env":["ACTION=remove","DEVPATH=/devices/pci0000:00/0000:00:04.0/virtio1","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1023"]}
-{"action":"unbind","devpath":"/devices/pci0000:00/0000:00:04.0","env":["ACTION=unbind","DEVPATH=/devices/pci0000:00/0000:00:04.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:04.0","SEQNUM=1024"]}
-{"action":"remove","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/wakeup/wakeup8","env":["ACTION=remove","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/wakeup/wakeup8","SUBSYSTEM=wakeup","SEQNUM=1025"]}
-{"action":"remove","devpath":"/devices/pci0000:00/0000:00:04.0","env":["ACTION=remove","DEVPATH=/devices/pci0000:00/0000:00:04.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:04.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1026"]}
-{"action":"remove","devpath":"/devices/pci0000:00/0000:00:05.0/virtio2","env":["ACTION=remove","DEVPATH=/devices/pci0000:00/0000:00:05.0/virtio2","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1027"]}
-{"action":"unbind","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=unbind","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","SEQNUM=1028"]}
-{"action":"remove","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","env":["ACTION=remove","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","SUBSYSTEM=wakeup","SEQNUM=1029"]}
-{"action":"remove","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=remove","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1030"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/wakeup/wakeup8","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/wakeup/wakeup8","SUBSYSTEM=wakeup","SEQNUM=1031"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:04.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:04.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:04.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1032"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:04.0/virtio1","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:04.0/virtio1","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1033"]}
-{"action":"bind","devpath":"/devices/pci0000:00/0000:00:04.0","env":["ACTION=bind","DEVPATH=/devices/pci0000:00/0000:00:04.0","SUBSYSTEM=pci","DRIVER=virtio-pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:04.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1034"]}
-{"action":"add","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","env":["ACTION=add","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","SUBSYSTEM=wakeup","SEQNUM=1035"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1036"]}
-{"action":"add","devpath":"/devices/pci0000:00/0000:00:05.0/virtio2","env":["ACTION=add","DEVPATH=/devices/pci0000:00/0000:00:05.0/virtio2","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1037"]}
-{"action":"bind","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=bind","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","DRIVER=virtio-pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1038"]}
-{"action":"remove","devpath":"/devices/pci0000:00/0000:00:05.0/virtio2","env":["ACTION=remove","DEVPATH=/devices/pci0000:00/0000:00:05.0/virtio2","SUBSYSTEM=virtio","MODALIAS=virtio:d00000019v00001AF4","SEQNUM=1039"]}
-{"action":"unbind","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=unbind","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","SEQNUM=1040"]}
-{"action":"remove","devpath":"/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","env":["ACTION=remove","DEVPATH=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:08/wakeup/wakeup9","SUBSYSTEM=wakeup","SEQNUM=1041"]}
-{"action":"remove","devpath":"/devices/pci0000:00/0000:00:05.0","env":["ACTION=remove","DEVPATH=/devices/pci0000:00/0000:00:05.0","SUBSYSTEM=pci","PCI_CLASS=40100","PCI_ID=1AF4:1059","PCI_SUBSYS_ID=1AF4:1100","PCI_SLOT_NAME=0000:00:05.0","MODALIAS=pci:v00001AF4d00001059sv00001AF4sd00001100bc04sc01i00","SEQNUM=1042"]}

internal/kobject/testdata/01-move

@@ -1 +0,0 @@
-{"action":"move","devpath":"/devices/virtual/net/_lo","env":["ACTION=move","DEVPATH=/devices/virtual/net/_lo","SUBSYSTEM=net","DEVPATH_OLD=/devices/virtual/net/lo","INTERFACE=_lo","IFINDEX=1","SEQNUM=1043"]}

internal/kobject/testdata/02-cpu

@@ -1,8 +0,0 @@
-{"action":"remove","devpath":"/devices/system/machinecheck/machinecheck0","env":["ACTION=remove","DEVPATH=/devices/system/machinecheck/machinecheck0","SUBSYSTEM=machinecheck","SEQNUM=1044"]}
-{"action":"offline","devpath":"/devices/system/cpu/cpu0","env":["ACTION=offline","DEVPATH=/devices/system/cpu/cpu0","SUBSYSTEM=cpu","DRIVER=processor","MODALIAS=cpu:type:x86,ven0002fam000Fmod006B:feature:,0000,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,0020,0022,0023,0024,0025,0026,0027,0028,0029,002B,002C,002D,002E,002F,0030,0031,0034,0037,0038,003D,0064,006E,0070,0074,0075,0076,0079,007A,007F,0080,008D,0095,009F,00C0,00C1,00C8,00ED,00F3,010F,0115,0165,016C,0282\n","SEQNUM=1045"]}
-{"action":"add","devpath":"/devices/system/machinecheck/machinecheck0","env":["ACTION=add","DEVPATH=/devices/system/machinecheck/machinecheck0","SUBSYSTEM=machinecheck","SEQNUM=1046"]}
-{"action":"online","devpath":"/devices/system/cpu/cpu0","env":["ACTION=online","DEVPATH=/devices/system/cpu/cpu0","SUBSYSTEM=cpu","DRIVER=processor","MODALIAS=cpu:type:x86,ven0002fam000Fmod006B:feature:,0000,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,0020,0022,0023,0024,0025,0026,0027,0028,0029,002B,002C,002D,002E,002F,0030,0031,0034,0037,0038,003D,0064,006E,0070,0074,0075,0076,0079,007A,007F,0080,008D,0095,009F,00C0,00C1,00C8,00ED,00F3,010F,0115,0165,016C,0282\n","SEQNUM=1047"]}
-{"action":"remove","devpath":"/devices/system/machinecheck/machinecheck0","env":["ACTION=remove","DEVPATH=/devices/system/machinecheck/machinecheck0","SUBSYSTEM=machinecheck","SEQNUM=1048"]}
-{"action":"offline","devpath":"/devices/system/cpu/cpu0","env":["ACTION=offline","DEVPATH=/devices/system/cpu/cpu0","SUBSYSTEM=cpu","DRIVER=processor","MODALIAS=cpu:type:x86,ven0002fam000Fmod006B:feature:,0000,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,0020,0022,0023,0024,0025,0026,0027,0028,0029,002B,002C,002D,002E,002F,0030,0031,0034,0037,0038,003D,0064,006E,0070,0074,0075,0076,0079,007A,007F,0080,008D,0095,009F,00C0,00C1,00C8,00ED,00F3,010F,0115,0165,016C,0282\n","SEQNUM=1049"]}
-{"action":"add","devpath":"/devices/system/machinecheck/machinecheck0","env":["ACTION=add","DEVPATH=/devices/system/machinecheck/machinecheck0","SUBSYSTEM=machinecheck","SEQNUM=1050"]}
-{"action":"online","devpath":"/devices/system/cpu/cpu0","env":["ACTION=online","DEVPATH=/devices/system/cpu/cpu0","SUBSYSTEM=cpu","DRIVER=processor","MODALIAS=cpu:type:x86,ven0002fam000Fmod006B:feature:,0000,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,0020,0022,0023,0024,0025,0026,0027,0028,0029,002B,002C,002D,002E,002F,0030,0031,0034,0037,0038,003D,0064,006E,0070,0074,0075,0076,0079,007A,007F,0080,008D,0095,009F,00C0,00C1,00C8,00ED,00F3,010F,0115,0165,016C,0282\n","SEQNUM=1051"]}

internal/kobject/testdata/03-loop

@@ -1,19 +0,0 @@
-{"action":"add","devpath":"/devices/virtual/misc/loop-control","env":["ACTION=add","DEVPATH=/devices/virtual/misc/loop-control","SUBSYSTEM=misc","MAJOR=10","MINOR=237","DEVNAME=loop-control","SEQNUM=1052"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:0","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:0","SUBSYSTEM=bdi","SEQNUM=1053"]}
-{"action":"add","devpath":"/devices/virtual/block/loop0","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop0","SUBSYSTEM=block","MAJOR=7","MINOR=0","DEVNAME=loop0","DEVTYPE=disk","DISKSEQ=2","SEQNUM=1054"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:1","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:1","SUBSYSTEM=bdi","SEQNUM=1055"]}
-{"action":"add","devpath":"/devices/virtual/block/loop1","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop1","SUBSYSTEM=block","MAJOR=7","MINOR=1","DEVNAME=loop1","DEVTYPE=disk","DISKSEQ=3","SEQNUM=1056"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:2","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:2","SUBSYSTEM=bdi","SEQNUM=1057"]}
-{"action":"add","devpath":"/devices/virtual/block/loop2","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop2","SUBSYSTEM=block","MAJOR=7","MINOR=2","DEVNAME=loop2","DEVTYPE=disk","DISKSEQ=4","SEQNUM=1058"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:3","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:3","SUBSYSTEM=bdi","SEQNUM=1059"]}
-{"action":"add","devpath":"/devices/virtual/block/loop3","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop3","SUBSYSTEM=block","MAJOR=7","MINOR=3","DEVNAME=loop3","DEVTYPE=disk","DISKSEQ=5","SEQNUM=1060"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:4","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:4","SUBSYSTEM=bdi","SEQNUM=1061"]}
-{"action":"add","devpath":"/devices/virtual/block/loop4","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop4","SUBSYSTEM=block","MAJOR=7","MINOR=4","DEVNAME=loop4","DEVTYPE=disk","DISKSEQ=6","SEQNUM=1062"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:5","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:5","SUBSYSTEM=bdi","SEQNUM=1063"]}
-{"action":"add","devpath":"/devices/virtual/block/loop5","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop5","SUBSYSTEM=block","MAJOR=7","MINOR=5","DEVNAME=loop5","DEVTYPE=disk","DISKSEQ=7","SEQNUM=1064"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:6","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:6","SUBSYSTEM=bdi","SEQNUM=1065"]}
-{"action":"add","devpath":"/devices/virtual/block/loop6","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop6","SUBSYSTEM=block","MAJOR=7","MINOR=6","DEVNAME=loop6","DEVTYPE=disk","DISKSEQ=8","SEQNUM=1066"]}
-{"action":"add","devpath":"/devices/virtual/bdi/7:7","env":["ACTION=add","DEVPATH=/devices/virtual/bdi/7:7","SUBSYSTEM=bdi","SEQNUM=1067"]}
-{"action":"add","devpath":"/devices/virtual/block/loop7","env":["ACTION=add","DEVPATH=/devices/virtual/block/loop7","SUBSYSTEM=block","MAJOR=7","MINOR=7","DEVNAME=loop7","DEVTYPE=disk","DISKSEQ=9","SEQNUM=1068"]}
-{"action":"add","devpath":"/module/loop","env":["ACTION=add","DEVPATH=/module/loop","SUBSYSTEM=module","SEQNUM=1069"]}
-{"action":"change","devpath":"/devices/virtual/block/loop0","env":["ACTION=change","DEVPATH=/devices/virtual/block/loop0","SUBSYSTEM=block","MAJOR=7","MINOR=0","DEVNAME=loop0","DEVTYPE=disk","DISKSEQ=10","SEQNUM=1070"]}

internal/kobject/testdata/04-loop-detach

@@ -1,2 +0,0 @@
-{"action":"change","devpath":"/devices/virtual/block/loop0","env":["ACTION=change","DEVPATH=/devices/virtual/block/loop0","SUBSYSTEM=block","MAJOR=7","MINOR=0","DEVNAME=loop0","DEVTYPE=disk","DISKSEQ=10","SEQNUM=1071"]}
-{"action":"change","devpath":"/devices/virtual/block/loop0","env":["ACTION=change","DEVPATH=/devices/virtual/block/loop0","SUBSYSTEM=block","DISK_MEDIA_CHANGE=1","MAJOR=7","MINOR=0","DEVNAME=loop0","DEVTYPE=disk","DISKSEQ=10","SEQNUM=1072"]}

internal/kobject/testdata/05-loop-remove

@@ -1,18 +0,0 @@
-{"action":"remove","devpath":"/devices/virtual/misc/loop-control","env":["ACTION=remove","DEVPATH=/devices/virtual/misc/loop-control","SUBSYSTEM=misc","MAJOR=10","MINOR=237","DEVNAME=loop-control","SEQNUM=1073"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:0","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:0","SUBSYSTEM=bdi","SEQNUM=1074"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop0","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop0","SUBSYSTEM=block","MAJOR=7","MINOR=0","DEVNAME=loop0","DEVTYPE=disk","DISKSEQ=11","SEQNUM=1075"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:1","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:1","SUBSYSTEM=bdi","SEQNUM=1076"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop1","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop1","SUBSYSTEM=block","MAJOR=7","MINOR=1","DEVNAME=loop1","DEVTYPE=disk","DISKSEQ=3","SEQNUM=1077"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:2","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:2","SUBSYSTEM=bdi","SEQNUM=1078"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop2","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop2","SUBSYSTEM=block","MAJOR=7","MINOR=2","DEVNAME=loop2","DEVTYPE=disk","DISKSEQ=4","SEQNUM=1079"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:3","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:3","SUBSYSTEM=bdi","SEQNUM=1080"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop3","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop3","SUBSYSTEM=block","MAJOR=7","MINOR=3","DEVNAME=loop3","DEVTYPE=disk","DISKSEQ=5","SEQNUM=1081"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:4","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:4","SUBSYSTEM=bdi","SEQNUM=1082"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop4","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop4","SUBSYSTEM=block","MAJOR=7","MINOR=4","DEVNAME=loop4","DEVTYPE=disk","DISKSEQ=6","SEQNUM=1083"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:5","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:5","SUBSYSTEM=bdi","SEQNUM=1084"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop5","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop5","SUBSYSTEM=block","MAJOR=7","MINOR=5","DEVNAME=loop5","DEVTYPE=disk","DISKSEQ=7","SEQNUM=1085"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:6","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:6","SUBSYSTEM=bdi","SEQNUM=1086"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop6","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop6","SUBSYSTEM=block","MAJOR=7","MINOR=6","DEVNAME=loop6","DEVTYPE=disk","DISKSEQ=8","SEQNUM=1087"]}
-{"action":"remove","devpath":"/devices/virtual/bdi/7:7","env":["ACTION=remove","DEVPATH=/devices/virtual/bdi/7:7","SUBSYSTEM=bdi","SEQNUM=1088"]}
-{"action":"remove","devpath":"/devices/virtual/block/loop7","env":["ACTION=remove","DEVPATH=/devices/virtual/block/loop7","SUBSYSTEM=block","MAJOR=7","MINOR=7","DEVNAME=loop7","DEVTYPE=disk","DISKSEQ=9","SEQNUM=1089"]}
-{"action":"remove","devpath":"/module/loop","env":["ACTION=remove","DEVPATH=/module/loop","SUBSYSTEM=module","SEQNUM=1090"]}

internal/landlock/landlock_test.go

@@ -1,65 +0,0 @@
-package landlock_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/internal/landlock"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *landlock.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(landlock.RulesetAttr), "0"},
-		{"some", &landlock.RulesetAttr{Scoped: landlock.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &landlock.RulesetAttr{
-			HandledAccessFS:  landlock.LANDLOCK_ACCESS_FS_MAKE_SYM | landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV | landlock.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | landlock.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &landlock.RulesetAttr{
-			HandledAccessFS: landlock.LANDLOCK_ACCESS_FS_EXECUTE |
-				landlock.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				landlock.LANDLOCK_ACCESS_FS_READ_FILE |
-				landlock.LANDLOCK_ACCESS_FS_READ_DIR |
-				landlock.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				landlock.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_REG |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				landlock.LANDLOCK_ACCESS_FS_REFER |
-				landlock.LANDLOCK_ACCESS_FS_TRUNCATE |
-				landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP |
-				landlock.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				landlock.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(landlock.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}

internal/lockedfile/transform_test.go

@@ -40,7 +40,7 @@ func TestTransform(t *testing.T) {
 
 	const maxChunkWords = 8 << 10
 	buf := make([]byte, 2*maxChunkWords*8)
-	for i := range uint64(2 * maxChunkWords) {
+	for i := uint64(0); i < 2*maxChunkWords; i++ {
 		binary.LittleEndian.PutUint64(buf[i*8:], i)
 	}
 	if err := lockedfile.Write(path, bytes.NewReader(buf[:8]), 0666); err != nil {

internal/outcome/finalise.go

@@ -32,14 +32,7 @@ type outcome struct {
 	syscallDispatcher
 }
 
-// finalise prepares an outcome for main.
+func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, config *hst.Config) error {
-func (k *outcome) finalise(
-	ctx context.Context,
-	msg message.Msg,
-	id *hst.ID,
-	config *hst.Config,
-	flags int,
-) error {
 	if ctx == nil || id == nil {
 		// unreachable
 		panic("invalid call to finalise")
@@ -50,7 +43,7 @@ func (k *outcome) finalise(
 	}
 	k.ctx = ctx
 
-	if err := config.Validate(flags); err != nil {
+	if err := config.Validate(); err != nil {
 		return err
 	}
 
@@ -58,7 +51,8 @@ func (k *outcome) finalise(
 	supp := make([]string, len(config.Groups))
 	for i, name := range config.Groups {
 		if gid, err := k.lookupGroupId(name); err != nil {
-			if unknownGroupError, ok := errors.AsType[user.UnknownGroupError](err); ok {
+			var unknownGroupError user.UnknownGroupError
+			if errors.As(err, &unknownGroupError) {
 				return newWithMessageError(fmt.Sprintf("unknown group %q", name), unknownGroupError)
 			} else {
 				return &hst.AppError{Step: "look up group by name", Err: err, Msg: err.Error()}

internal/outcome/hsu.go

@@ -51,16 +51,18 @@ func (h *Hsu) ID() (int, error) {
 		cmd.Stderr = os.Stderr // pass through fatal messages
 		cmd.Env = make([]string, 0)
 		cmd.Dir = fhs.Root
-		var p []byte
+		var (
+			p         []byte
+			exitError *exec.ExitError
+		)
+
 		const step = "obtain uid from hsu"
 		if p, h.idErr = h.k.cmdOutput(cmd); h.idErr == nil {
 			h.id, h.idErr = strconv.Atoi(string(p))
 			if h.idErr != nil {
 				h.idErr = &hst.AppError{Step: step, Err: h.idErr, Msg: "invalid uid string from hsu"}
 			}
-		} else if exitError, ok := errors.AsType[*exec.ExitError](h.idErr); ok &&
+		} else if errors.As(h.idErr, &exitError) && exitError != nil && exitError.ExitCode() == 1 {
-			exitError != nil &&
-			exitError.ExitCode() == 1 {
 			// hsu prints an error message in this case
 			h.idErr = &hst.AppError{Step: step, Err: ErrHsuAccess}
 		} else if errors.Is(h.idErr, os.ErrNotExist) {

internal/outcome/outcome.go

@@ -194,7 +194,7 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
 	appId string
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
-	et hst.Enablements
+	et hst.Enablement
 
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool

internal/outcome/process.go

@@ -297,12 +297,12 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 					// accumulate enablements of remaining instances
 					var (
 						// alive enablement bits
-						rt hst.Enablements
+						rt hst.Enablement
 						// alive instance count
 						n int
 					)
 					for eh := range entries {
-						var et hst.Enablements
+						var et hst.Enablement
 						if et, err = eh.Load(nil); err != nil {
 							perror(err, "read state header of instance "+eh.ID.String())
 						} else {
@@ -328,11 +328,11 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 				}
 
 				if err := k.sys.Revert((*system.Criteria)(&ec)); err != nil {
-					joinError, ok := errors.AsType[interface {
+					var joinError interface {
 						Unwrap() []error
 						error
-					}](err)
+					}
-					if !ok || joinError == nil {
+					if !errors.As(err, &joinError) || joinError == nil {
 						perror(err, "revert system setup")
 					} else {
 						for _, v := range joinError.Unwrap() {