release: 0.4.0

Signed-off-by: Ophestra <cat@gensokyo.uk>

.gitignore

@@ -1,27 +1,7 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-*.pkg
-/hakurei
-
-# Test binary, built with `go test -c`
+# produced by tools and text editors
+*.qcow2
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
 .idea
 .vscode
 
@@ -30,8 +10,5 @@ go.work.sum
 /internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz
 
-# release
-/dist/hakurei-*
-
-# interactive nixos vm
-nixos.qcow2
+# cmd/dist default destination
+/dist

all.sh

@@ -0,0 +1,6 @@
+#!/bin/sh -e
+
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/"
+echo "# Building cmd/dist using ${TOOLCHAIN_VERSION}."
+go run -v --tags=dist ./cmd/dist

check/absolute.go

@@ -2,7 +2,7 @@
 package check
 
 import (
-	"encoding/json"
+	"encoding"
 	"errors"
 	"fmt"
 	"path/filepath"
@@ -30,6 +30,16 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }
 
+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
@@ -84,13 +94,16 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [filepath.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }
 
-// GobEncode returns the checked pathname.
-func (a *Absolute) GobEncode() ([]byte, error) {
-	return []byte(a.String()), nil
+// AppendText appends the checked pathname.
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+	return append(data, a.String()...), nil
 }
 
-// GobDecode stores data if it represents an absolute pathname.
-func (a *Absolute) GobDecode(data []byte) error {
+// MarshalText returns the checked pathname.
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
 	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
@@ -99,23 +112,9 @@ func (a *Absolute) GobDecode(data []byte) error {
 	return nil
 }
 
-// MarshalJSON returns a JSON representation of the checked pathname.
-func (a *Absolute) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.String())
-}
-
-// UnmarshalJSON stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalJSON(data []byte) error {
-	var pathname string
-	if err := json.Unmarshal(data, &pathname); err != nil {
-		return err
-	}
-	if !filepath.IsAbs(pathname) {
-		return AbsoluteError(pathname)
-	}
-	a.pathname = unique.Make(pathname)
-	return nil
-}
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {

check/absolute_test.go

@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {
 
 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 
@@ -347,15 +347,6 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
-
-	t.Run("json passthrough", func(t *testing.T) {
-		t.Parallel()
-
-		wantErr := "invalid character ':' looking for beginning of value"
-		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
-			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
-		}
-	})
 }
 
 func TestAbsoluteWrap(t *testing.T) {

cmd/dist/main.go

@@ -0,0 +1,237 @@
+//go:build dist
+
+package main
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha512"
+	_ "embed"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+)
+
+// getenv looks up an environment variable, and returns fallback if it is unset.
+func getenv(key, fallback string) string {
+	if v, ok := os.LookupEnv(key); ok {
+		return v
+	}
+	return fallback
+}
+
+// mustRun runs a command with the current process's environment and panics
+// on error or non-zero exit code.
+func mustRun(ctx context.Context, name string, arg ...string) {
+	cmd := exec.CommandContext(ctx, name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		panic(err)
+	}
+}
+
+//go:embed comp/_hakurei
+var comp []byte
+
+func main() {
+	fmt.Println()
+	log.SetFlags(0)
+	log.SetPrefix("# ")
+
+	version := getenv("HAKUREI_VERSION", "untagged")
+	prefix := getenv("PREFIX", "/usr")
+	destdir := getenv("DESTDIR", "dist")
+
+	if err := os.MkdirAll(destdir, 0755); err != nil {
+		log.Fatal(err)
+	}
+	s, err := os.MkdirTemp(destdir, ".dist.*")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		var code int
+
+		if err = os.RemoveAll(s); err != nil {
+			code = 1
+			log.Println(err)
+		}
+
+		if r := recover(); r != nil {
+			code = 1
+			log.Println(r)
+		}
+
+		os.Exit(code)
+	}()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	log.Println("Building hakurei.")
+	mustRun(ctx, "go", "generate", "./...")
+	mustRun(
+		ctx, "go", "build",
+		"-trimpath",
+		"-v", "-o", s,
+		"-ldflags=-s -w "+
+			"-buildid= -linkmode external -extldflags=-static "+
+			"-X hakurei.app/internal/info.buildVersion="+version+" "+
+			"-X hakurei.app/internal/info.hakureiPath="+prefix+"/bin/hakurei "+
+			"-X hakurei.app/internal/info.hsuPath="+prefix+"/bin/hsu "+
+			"-X main.hakureiPath="+prefix+"/bin/hakurei",
+		"./...",
+	)
+	fmt.Println()
+
+	log.Println("Testing Hakurei.")
+	mustRun(
+		ctx, "go", "test",
+		"-ldflags=-buildid= -linkmode external -extldflags=-static",
+		"./...",
+	)
+	fmt.Println()
+
+	log.Println("Creating distribution.")
+	const suffix = ".tar.gz"
+	distName := "hakurei-" + version + "-" + runtime.GOARCH
+	var f *os.File
+	if f, err = os.OpenFile(
+		filepath.Join(s, distName+suffix),
+		os.O_CREATE|os.O_EXCL|os.O_WRONLY,
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	defer func() {
+		if f == nil {
+			return
+		}
+		if err = f.Close(); err != nil {
+			log.Println(err)
+		}
+	}()
+
+	h := sha512.New()
+	gw := gzip.NewWriter(io.MultiWriter(f, h))
+	tw := tar.NewWriter(gw)
+
+	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
+		header := tar.Header{
+			Name:  filepath.Join(distName, name),
+			Size:  size,
+			Mode:  int64(mode),
+			Uname: "root",
+			Gname: "root",
+		}
+
+		if mode&os.ModeDir != 0 {
+			header.Typeflag = tar.TypeDir
+			fmt.Printf("%s %s\n", mode, name)
+		} else {
+			header.Typeflag = tar.TypeReg
+			fmt.Printf("%s %s (%d bytes)\n", mode, name, size)
+		}
+
+		if err = tw.WriteHeader(&header); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile := func(name string, data []byte, mode os.FileMode) {
+		mustWriteHeader(name, int64(len(data)), mode)
+		if mode&os.ModeDir != 0 {
+			return
+		}
+		if _, err = tw.Write(data); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFromPath := func(dst, src string, mode os.FileMode) {
+		var r *os.File
+		if r, err = os.Open(src); err != nil {
+			panic(err)
+		}
+
+		var fi os.FileInfo
+		if fi, err = r.Stat(); err != nil {
+			_ = r.Close()
+			panic(err)
+		}
+
+		if mode == 0 {
+			mode = fi.Mode()
+		}
+
+		mustWriteHeader(dst, fi.Size(), mode)
+		if _, err = io.Copy(tw, r); err != nil {
+			_ = r.Close()
+			panic(err)
+		} else if err = r.Close(); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile(".", nil, fs.ModeDir|0755)
+	mustWriteFile("comp/", nil, os.ModeDir|0755)
+	mustWriteFile("comp/_hakurei", comp, 0644)
+	mustWriteFile("install.sh", []byte(`#!/bin/sh -e
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/hakurei" "${DESTDIR}`+prefix+`/bin/hakurei"
+install -vDm0755 "bin/sharefs" "${DESTDIR}`+prefix+`/bin/sharefs"
+
+install -vDm4511 "bin/hsu" "${DESTDIR}`+prefix+`/bin/hsu"
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
+fi
+
+install -vDm0644 "comp/_hakurei" "${DESTDIR}`+prefix+`/share/zsh/site-functions/_hakurei"
+`), 0755)
+
+	mustWriteFromPath("README.md", "README.md", 0)
+	mustWriteFile("hsurc.default", []byte("1000 0"), 0400)
+	mustWriteFromPath("bin/hsu", filepath.Join(s, "hsu"), 04511)
+	for _, name := range []string{
+		"hakurei",
+		"sharefs",
+	} {
+		mustWriteFromPath(
+			filepath.Join("bin", name),
+			filepath.Join(s, name),
+			0,
+		)
+	}
+
+	if err = tw.Close(); err != nil {
+		panic(err)
+	} else if err = gw.Close(); err != nil {
+		panic(err)
+	} else if err = f.Close(); err != nil {
+		panic(err)
+	}
+	f = nil
+
+	if err = os.WriteFile(
+		filepath.Join(destdir, distName+suffix+".sha512"),
+		append(hex.AppendEncode(nil, h.Sum(nil)), "  "+distName+suffix+"\n"...),
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	if err = os.Rename(
+		filepath.Join(s, distName+suffix),
+		filepath.Join(destdir, distName+suffix),
+	); err != nil {
+		panic(err)
+	}
+}

cmd/hakurei/command.go

@@ -38,8 +38,9 @@ var errSuccess = errors.New("success")
 
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -57,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
 
 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -75,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}
 
-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -145,7 +152,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			var et hst.Enablement
+			var et hst.Enablements
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -163,7 +170,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: hst.NewEnablements(et),
+				Enablements: &et,
 
 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -282,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			outcome.Main(ctx, msg, &config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),

cmd/hakurei/command_test.go

@@ -20,7 +20,7 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
 
 Commands:
     run         Load and start container from configuration file

cmd/hakurei/print.go

@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")

cmd/hakurei/print_test.go

@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Enablements: new(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),

cmd/mbf/main.go

@@ -69,11 +69,12 @@ func main() {
 	}()
 
 	var (
-		flagQuiet  bool
-		flagCures  int
-		flagBase   string
-		flagTShift int
-		flagIdle   bool
+		flagQuiet bool
+		flagCures int
+		flagBase  string
+		flagIdle  bool
+
+		flagHostAbstract bool
 	)
 	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
 		msg.SwapVerbose(!flagQuiet)
@@ -89,19 +90,15 @@ func main() {
 		} else if base, err = check.NewAbs(flagBase); err != nil {
 			return
 		}
-		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
-			if flagTShift < 0 {
-				cache.SetThreshold(0)
-			} else if flagTShift > 31 {
-				cache.SetThreshold(1 << 31)
-			} else {
-				cache.SetThreshold(1 << flagTShift)
-			}
-		}
 
+		var flags int
 		if flagIdle {
-			pkg.SetSchedIdle = true
+			flags |= pkg.CSchedIdle
 		}
+		if flagHostAbstract {
+			flags |= pkg.CHostAbstract
+		}
+		cache, err = pkg.Open(ctx, msg, flags, flagCures, base)
 
 		return
 	}).Flag(
@@ -116,14 +113,17 @@ func main() {
 		&flagBase,
 		"d", command.StringFlag("$MBF_CACHE_DIR"),
 		"Directory to store cured artifacts",
-	).Flag(
-		&flagTShift,
-		"tshift", command.IntFlag(-1),
-		"Dependency graph size exponent, to the power of 2",
 	).Flag(
 		&flagIdle,
 		"sched-idle", command.BoolFlag(false),
 		"Set SCHED_IDLE scheduling policy",
+	).Flag(
+		&flagHostAbstract,
+		"host-abstract", command.BoolFlag(
+			os.Getenv("MBF_HOST_ABSTRACT") != "",
+		),
+		"Do not restrict networked cure containers from connecting to host "+
+			"abstract UNIX sockets",
 	)
 
 	{

cmd/sharefs/fuse-operations.h

@@ -7,8 +7,8 @@
 #endif
 
 #define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
-#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
-#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
 #define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
 
 /* sharefs_private is populated by sharefs_init and contains process-wide context */

cmd/sharefs/fuse.go

@@ -19,7 +19,6 @@ import (
 	"encoding/gob"
 	"errors"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"os/exec"
@@ -470,13 +469,14 @@ func _main(s ...string) (exitCode int) {
 			os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse"),
 		))
 
-		var setupWriter io.WriteCloser
-		if fd, w, err := container.Setup(&z.ExtraFiles); err != nil {
+		var setupPipe [2]*os.File
+		if r, w, err := os.Pipe(); err != nil {
 			log.Println(err)
 			return 5
 		} else {
-			z.Args = append(z.Args, "-osetup="+strconv.Itoa(fd))
-			setupWriter = w
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(3+len(z.ExtraFiles)))
+			z.ExtraFiles = append(z.ExtraFiles, r)
+			setupPipe[0], setupPipe[1] = r, w
 		}
 
 		if err := z.Start(); err != nil {
@@ -487,6 +487,9 @@ func _main(s ...string) (exitCode int) {
 			}
 			return 5
 		}
+		if err := setupPipe[0].Close(); err != nil {
+			log.Println(err)
+		}
 		if err := z.Serve(); err != nil {
 			if m, ok := message.GetMessage(err); ok {
 				log.Println(m)
@@ -496,10 +499,10 @@ func _main(s ...string) (exitCode int) {
 			return 5
 		}
 
-		if err := gob.NewEncoder(setupWriter).Encode(&setup); err != nil {
+		if err := gob.NewEncoder(setupPipe[1]).Encode(&setup); err != nil {
 			log.Println(err)
 			return 5
-		} else if err = setupWriter.Close(); err != nil {
+		} else if err = setupPipe[1].Close(); err != nil {
 			log.Println(err)
 		}
 

cmd/sharefs/test/raceattr.go

@@ -0,0 +1,122 @@
+//go:build raceattr
+
+// The raceattr program reproduces vfs inode file attribute race.
+//
+// Even though libfuse high-level API presents the address of a struct stat
+// alongside struct fuse_context, file attributes are actually inherent to the
+// inode, instead of the specific call from userspace. The kernel implementation
+// in fs/fuse/xattr.c appears to make stale data in the inode (set by a previous
+// call) impossible or very unlikely to reach userspace via the stat family of
+// syscalls. However, when using default_permissions to have the VFS check
+// permissions, this race still happens, despite the resulting struct stat being
+// correct when overriding the check via capabilities otherwise.
+//
+// This program reproduces the failure, but because of its continuous nature, it
+// is provided independent of the vm integration test suite.
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"syscall"
+)
+
+func newStatAs(
+	ctx context.Context, cancel context.CancelFunc,
+	n *atomic.Uint64, ok *atomic.Bool,
+	uid uint32, pathname string,
+	continuous bool,
+) func() {
+	return func() {
+		runtime.LockOSThread()
+		defer cancel()
+
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_SETUID, uintptr(uid),
+			0, 0,
+		); errno != 0 {
+			cancel()
+			log.Printf("cannot set uid to %d: %s", uid, errno)
+		}
+
+		var stat syscall.Stat_t
+		for {
+			if ctx.Err() != nil {
+				return
+			}
+
+			if err := syscall.Lstat(pathname, &stat); err != nil {
+				// SHAREFS_PERM_DIR not world executable, or
+				// SHAREFS_PERM_REG not world readable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("uid %d: %v", uid, err)
+			} else if stat.Uid != uid {
+				// appears to be unreachable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("got uid %d instead of %d", stat.Uid, uid)
+			}
+			n.Add(1)
+		}
+	}
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("raceattr: ")
+
+	p := flag.String("target", "/sdcard/raceattr", "pathname of test file")
+	u0 := flag.Int("uid0", 1<<10-1, "first uid")
+	u1 := flag.Int("uid1", 1<<10-2, "second uid")
+	count := flag.Int("count", 1, "threads per uid")
+	continuous := flag.Bool("continuous", false, "keep running even after reproduce")
+	flag.Parse()
+
+	if os.Geteuid() != 0 {
+		log.Fatal("this program must run as root")
+	}
+
+	ctx, cancel := signal.NotifyContext(
+		context.Background(),
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGHUP,
+	)
+
+	if err := os.WriteFile(*p, nil, 0); err != nil {
+		log.Fatal(err)
+	}
+
+	var (
+		wg sync.WaitGroup
+
+		n  atomic.Uint64
+		ok atomic.Bool
+	)
+
+	if *count < 1 {
+		*count = 1
+	}
+	for range *count {
+		wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u0), *p, *continuous))
+		if *u1 >= 0 {
+			wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u1), *p, *continuous))
+		}
+	}
+
+	wg.Wait()
+	if !*continuous && ok.Load() {
+		log.Printf("reproduced after %d calls", n.Load())
+	}
+}

container/container.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )
 
@@ -28,9 +29,6 @@ const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGUSR2
-
-	// Timeout for writing initParams to Container.setup.
-	initSetupTimeout = 5 * time.Second
 )
 
 type (
@@ -53,7 +51,7 @@ type (
 		ExtraFiles []*os.File
 
 		// Write end of a pipe connected to the init to deliver [Params].
-		setup *os.File
+		setup [2]*os.File
 		// Cancels the context passed to the underlying cmd.
 		cancel context.CancelFunc
 		// Closed after Wait returns. Keeps the spawning thread alive.
@@ -287,14 +285,16 @@ func (p *Container) Start() error {
 	}
 
 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
+	if r, w, err := os.Pipe(); err != nil {
 		return &StartError{
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   err,
 		}
 	} else {
-		p.setup = f
+		fd := 3 + len(p.cmd.ExtraFiles)
+		p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, r)
+		p.setup[0], p.setup[1] = r, w
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
@@ -308,7 +308,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := SetNoNewPrivs(); err != nil {
+			if err := setNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -318,15 +318,17 @@ func (p *Container) Start() error {
 
 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				rulesetAttr := &landlock.RulesetAttr{
+					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
+				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}
 
-				if abi, err := LandlockGetABI(); err != nil {
-					if p.HostAbstract {
+				if abi, err := landlock.GetABI(); err != nil {
+					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
-						// to resources already covered by namespaces (pid)
+						// to resources already covered by namespaces (pid, net)
 						goto landlockOut
 					}
 					return &StartError{Step: "get landlock ABI", Err: err}
@@ -352,7 +354,7 @@ func (p *Container) Start() error {
 					}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
-					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,
@@ -428,24 +430,33 @@ func (p *Container) Start() error {
 // Serve serves [Container.Params] to the container init.
 //
 // Serve must only be called once.
-func (p *Container) Serve() error {
-	if p.setup == nil {
+func (p *Container) Serve() (err error) {
+	if p.setup[0] == nil || p.setup[1] == nil {
 		panic("invalid serve")
 	}
 
-	setup := p.setup
-	p.setup = nil
-	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
+	done := make(chan struct{})
+	defer func() {
+		if closeErr := p.setup[1].Close(); err == nil {
+			err = closeErr
+		}
+
+		if err != nil {
+			p.cancel()
+		}
+		close(done)
+		p.setup[0], p.setup[1] = nil, nil
+	}()
+	if err = p.setup[0].Close(); err != nil {
 		return &StartError{
 			Fatal:       true,
-			Step:        "set init pipe deadline",
+			Step:        "close read end of init pipe",
 			Err:         err,
 			Passthrough: true,
 		}
 	}
 
 	if p.Path == nil {
-		p.cancel()
 		return &StartError{
 			Step:   "invalid executable pathname",
 			Err:    EINVAL,
@@ -461,18 +472,27 @@ func (p *Container) Serve() error {
 		p.SeccompRules = make([]std.NativeRule, 0)
 	}
 
-	err := gob.NewEncoder(setup).Encode(&initParams{
+	t := time.Now().UTC()
+	go func(f *os.File) {
+		select {
+		case <-p.ctx.Done():
+			if cancelErr := f.SetWriteDeadline(t); cancelErr != nil {
+				p.msg.Verbose(err)
+			}
+
+		case <-done:
+			p.msg.Verbose("setup payload took", time.Since(t))
+			return
+		}
+	}(p.setup[1])
+
+	return gob.NewEncoder(p.setup[1]).Encode(&initParams{
 		p.Params,
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
 		p.msg.IsVerbose(),
 	})
-	_ = setup.Close()
-	if err != nil {
-		p.cancel()
-	}
-	return err
 }
 
 // Wait blocks until the container init process to exit and releases any

container/container_test.go

@@ -16,7 +16,6 @@ import (
 	"strings"
 	"syscall"
 	"testing"
-	"time"
 
 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -26,6 +25,9 @@ import (
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
+	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
 	"hakurei.app/vfs"
@@ -84,9 +86,9 @@ func TestStartError(t *testing.T) {
 		{"params env", &container.StartError{
 			Fatal: true,
 			Step:  "set up params stream",
-			Err:   container.ErrReceiveEnv,
+			Err:   params.ErrReceiveEnv,
 		}, "set up params stream: environment variable not set",
-			container.ErrReceiveEnv, syscall.EBADF,
+			params.ErrReceiveEnv, syscall.EBADF,
 			"cannot set up params stream: environment variable not set"},
 
 		{"params", &container.StartError{
@@ -436,11 +438,8 @@ func TestContainer(t *testing.T) {
 			wantOps, wantOpsCtx := tc.ops(t)
 			wantMnt := tc.mnt(t, wantOpsCtx)
 
-			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
-			defer cancel()
-
 			var libPaths []*check.Absolute
-			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
+			c := helperNewContainerLibPaths(t.Context(), &libPaths, "container", strconv.Itoa(i))
 			c.Uid = tc.uid
 			c.Gid = tc.gid
 			c.Hostname = hostnameFromTestCase(tc.name)
@@ -450,7 +449,6 @@ func TestContainer(t *testing.T) {
 			} else {
 				c.Stdout, c.Stderr = os.Stdout, os.Stderr
 			}
-			c.WaitDelay = helperDefaultTimeout
 			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
@@ -458,6 +456,15 @@ func TestContainer(t *testing.T) {
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
+			if info.CanDegrade {
+				if _, err := landlock.GetABI(); err != nil {
+					if !errors.Is(err, syscall.ENOSYS) {
+						t.Fatalf("LandlockGetABI: error = %v", err)
+					}
+					c.HostAbstract = true
+					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
+				}
+			}
 
 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -553,11 +560,10 @@ func testContainerCancel(
 ) func(t *testing.T) {
 	return func(t *testing.T) {
 		t.Parallel()
-		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
+		ctx, cancel := context.WithCancel(t.Context())
 
 		c := helperNewContainer(ctx, "block")
 		c.Stdout, c.Stderr = os.Stdout, os.Stderr
-		c.WaitDelay = helperDefaultTimeout
 		if containerExtra != nil {
 			containerExtra(c)
 		}
@@ -738,8 +744,7 @@ func init() {
 const (
 	envDoCheck = "HAKUREI_TEST_DO_CHECK"
 
-	helperDefaultTimeout = 5 * time.Second
-	helperInnerPath      = "/usr/bin/helper"
+	helperInnerPath = "/usr/bin/helper"
 )
 
 var (

container/dispatcher.go

@@ -16,6 +16,7 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/internal/netlink"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )
 
@@ -56,7 +57,7 @@ type syscallDispatcher interface {
 	// isatty provides [Isatty].
 	isatty(fd int) bool
 	// receive provides [Receive].
-	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
+	receive(key string, e any, fdp *int) (closeFunc func() error, err error)
 
 	// bindMount provides procPaths.bindMount.
 	bindMount(msg message.Msg, source, target string, flags uintptr) error
@@ -147,7 +148,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }
 
 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }
 
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
@@ -155,8 +156,8 @@ func (direct) capBoundingSetDrop(cap uintptr) error            { return capBound
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
 func (direct) isatty(fd int) bool                              { return ext.Isatty(fd) }
-func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
-	return Receive(key, e, fdp)
+func (direct) receive(key string, e any, fdp *int) (func() error, error) {
+	return params.Receive(key, e, fdp)
 }
 
 func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {

container/dispatcher_test.go

@@ -390,7 +390,7 @@ func (k *kstub) isatty(fd int) bool {
 	return expect.Ret.(bool)
 }
 
-func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
+func (k *kstub) receive(key string, e any, fdp *int) (closeFunc func() error, err error) {
 	k.Helper()
 	expect := k.Expects("receive")
 
@@ -408,10 +408,17 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 		}
 		return nil
 	}
+
+	// avoid changing test cases
+	var fdpComp *uintptr
+	if fdp != nil {
+		fdpComp = new(uintptr(*fdp))
+	}
+
 	err = expect.Error(
 		stub.CheckArg(k.Stub, "key", key, 0),
 		stub.CheckArgReflect(k.Stub, "e", e, 1),
-		stub.CheckArgReflect(k.Stub, "fdp", fdp, 2))
+		stub.CheckArgReflect(k.Stub, "fdp", fdpComp, 2))
 
 	// 3 is unused so stores params
 	if expect.Args[3] != nil {
@@ -426,7 +433,7 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 	if expect.Args[4] != nil {
 		if v, ok := expect.Args[4].(uintptr); ok && v >= 3 {
 			if fdp != nil {
-				*fdp = v
+				*fdp = int(v)
 			}
 		}
 	}

container/init.go

@@ -19,6 +19,7 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )
 
@@ -147,35 +148,33 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	var (
-		params      initParams
-		closeSetup  func() error
-		setupFd     uintptr
-		offsetSetup int
+		param      initParams
+		closeSetup func() error
+		setupFd    int
 	)
-	if f, err := k.receive(setupEnv, &params, &setupFd); err != nil {
+	if f, err := k.receive(setupEnv, &param, &setupFd); err != nil {
 		if errors.Is(err, EBADF) {
 			k.fatal(msg, "invalid setup descriptor")
 		}
-		if errors.Is(err, ErrReceiveEnv) {
+		if errors.Is(err, params.ErrReceiveEnv) {
 			k.fatal(msg, setupEnv+" not set")
 		}
 
 		k.fatalf(msg, "cannot decode init setup payload: %v", err)
 	} else {
-		if params.Ops == nil {
+		if param.Ops == nil {
 			k.fatal(msg, "invalid setup parameters")
 		}
-		if params.ParentPerm == 0 {
-			params.ParentPerm = 0755
+		if param.ParentPerm == 0 {
+			param.ParentPerm = 0755
 		}
 
-		msg.SwapVerbose(params.Verbose)
+		msg.SwapVerbose(param.Verbose)
 		msg.Verbose("received setup parameters")
 		closeSetup = f
-		offsetSetup = int(setupFd + 1)
 	}
 
-	if !params.HostNet {
+	if !param.HostNet {
 		ctx, cancel := signal.NotifyContext(context.Background(), CancelSignal,
 			os.Interrupt, SIGTERM, SIGQUIT)
 		defer cancel() // for panics
@@ -188,7 +187,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/uid_map",
-		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
+		append([]byte{}, strconv.Itoa(param.Uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"...),
 		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -198,7 +197,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
+		append([]byte{}, strconv.Itoa(param.Gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"...),
 		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -207,8 +206,8 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	oldmask := k.umask(0)
-	if params.Hostname != "" {
-		if err := k.sethostname([]byte(params.Hostname)); err != nil {
+	if param.Hostname != "" {
+		if err := k.sethostname([]byte(param.Hostname)); err != nil {
 			k.fatalf(msg, "cannot set hostname: %v", err)
 		}
 	}
@@ -221,7 +220,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
-	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
+	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()
 
 	/* early is called right before pivot_root into intermediate root;
@@ -229,7 +228,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	difficult to obtain via library functions after pivot_root, and
 	implementations are expected to avoid changing the state of the mount
 	namespace */
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		if op == nil || !op.Valid() {
 			k.fatalf(msg, "invalid op at index %d", i)
 		}
@@ -272,7 +271,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	step sets up the container filesystem, and implementations are expected to
 	keep the host root and sysroot mount points intact but otherwise can do
 	whatever they need to. Calling chdir is allowed but discouraged. */
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if prefix, ok := op.prefix(); ok {
 			msg.Verbosef("%s %s", prefix, op)
@@ -328,7 +327,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
 	for i := uintptr(0); i <= lastcap; i++ {
-		if params.Privileged && i == CAP_SYS_ADMIN {
+		if param.Privileged && i == CAP_SYS_ADMIN {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -337,7 +336,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 
 	var keep [2]uint32
-	if params.Privileged {
+	if param.Privileged {
 		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
 
 		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
@@ -351,13 +350,13 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}
 
-	if !params.SeccompDisable {
-		rules := params.SeccompRules
+	if !param.SeccompDisable {
+		rules := param.SeccompRules
 		if len(rules) == 0 { // non-empty rules slice always overrides presets
-			msg.Verbosef("resolving presets %#x", params.SeccompPresets)
-			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
+			msg.Verbosef("resolving presets %#x", param.SeccompPresets)
+			rules = seccomp.Preset(param.SeccompPresets, param.SeccompFlags)
 		}
-		if err := k.seccompLoad(rules, params.SeccompFlags); err != nil {
+		if err := k.seccompLoad(rules, param.SeccompFlags); err != nil {
 			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			k.fatalf(msg, "cannot load syscall filter: %v", err)
 		}
@@ -366,10 +365,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		msg.Verbose("syscall filter not configured")
 	}
 
-	extraFiles := make([]*os.File, params.Count)
+	extraFiles := make([]*os.File, param.Count)
 	for i := range extraFiles {
 		// setup fd is placed before all extra files
-		extraFiles[i] = k.newFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
+		extraFiles[i] = k.newFile(uintptr(setupFd+1+i), "extra file "+strconv.Itoa(i))
 	}
 	k.umask(oldmask)
 
@@ -447,7 +446,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 
 	// called right before startup of initial process, all state changes to the
 	// current process is prohibited during late
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if err := op.late(state, k); err != nil {
 			if m, ok := messageFromError(err); ok {
@@ -468,14 +467,14 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
 
-	cmd := exec.Command(params.Path.String())
+	cmd := exec.Command(param.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Args = params.Args
-	cmd.Env = params.Env
+	cmd.Args = param.Args
+	cmd.Env = param.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir.String()
+	cmd.Dir = param.Dir.String()
 
-	msg.Verbosef("starting initial process %s", params.Path)
+	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -493,9 +492,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	for {
 		select {
 		case s := <-sig:
-			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
+			if s == CancelSignal && param.ForwardCancel && cmd.Process != nil {
 				msg.Verbose("forwarding context cancellation")
-				if err := k.signal(cmd, os.Interrupt); err != nil {
+				if err := k.signal(cmd, os.Interrupt); err != nil && !errors.Is(err, os.ErrProcessDone) {
 					k.printf(msg, "cannot forward cancellation: %v", err)
 				}
 				continue
@@ -525,7 +524,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 				cancel()
 
 				// start timeout early
-				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
+				go func() { time.Sleep(param.AdoptWaitDelay); close(timeout) }()
 
 				// close initial process files; this also keeps them alive
 				for _, f := range extraFiles {

container/init_test.go

@@ -10,6 +10,7 @@ import (
 	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/internal/params"
 	"hakurei.app/internal/stub"
 )
 
@@ -40,7 +41,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
 				call("getpid", stub.ExpectArgs{}, 1, nil),
 				call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
-				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, ErrReceiveEnv),
+				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, params.ErrReceiveEnv),
 				call("fatal", stub.ExpectArgs{[]any{"HAKUREI_SETUP not set"}}, nil, nil),
 			},
 		}, nil},

container/landlock_test.go

@@ -1,65 +0,0 @@
-package container_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/container"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *container.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(container.RulesetAttr), "0"},
-		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &container.RulesetAttr{
-			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &container.RulesetAttr{
-			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
-				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				container.LANDLOCK_ACCESS_FS_MAKE_REG |
-				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				container.LANDLOCK_ACCESS_FS_REFER |
-				container.LANDLOCK_ACCESS_FS_TRUNCATE |
-				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
-				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}

container/params.go

@@ -1,47 +0,0 @@
-package container
-
-import (
-	"encoding/gob"
-	"errors"
-	"os"
-	"strconv"
-	"syscall"
-)
-
-// Setup appends the read end of a pipe for setup params transmission and returns its fd.
-func Setup(extraFiles *[]*os.File) (int, *os.File, error) {
-	if r, w, err := os.Pipe(); err != nil {
-		return -1, nil, err
-	} else {
-		fd := 3 + len(*extraFiles)
-		*extraFiles = append(*extraFiles, r)
-		return fd, w, nil
-	}
-}
-
-var (
-	ErrReceiveEnv = errors.New("environment variable not set")
-)
-
-// Receive retrieves setup fd from the environment and receives params.
-func Receive(key string, e any, fdp *uintptr) (func() error, error) {
-	var setup *os.File
-
-	if s, ok := os.LookupEnv(key); !ok {
-		return nil, ErrReceiveEnv
-	} else {
-		if fd, err := strconv.Atoi(s); err != nil {
-			return nil, optionalErrorUnwrap(err)
-		} else {
-			setup = os.NewFile(uintptr(fd), "setup")
-			if setup == nil {
-				return nil, syscall.EDOM
-			}
-			if fdp != nil {
-				*fdp = setup.Fd()
-			}
-		}
-	}
-
-	return setup.Close, gob.NewDecoder(setup).Decode(e)
-}

container/syscall.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )
 
-// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
+// setNoNewPrivs sets the calling thread's no_new_privs attribute.
+func setNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }
 

dist/hsurc.default

@@ -1 +0,0 @@
-1000 0

dist/install.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-cd "$(dirname -- "$0")" || exit 1
-
-install -vDm0755 "bin/hakurei" "${DESTDIR}/usr/bin/hakurei"
-install -vDm0755 "bin/sharefs" "${DESTDIR}/usr/bin/sharefs"
-
-install -vDm4511 "bin/hsu" "${DESTDIR}/usr/bin/hsu"
-if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
-    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
-fi
-
-install -vDm0644 "comp/_hakurei" "${DESTDIR}/usr/share/zsh/site-functions/_hakurei"

dist/release.sh

@@ -1,31 +0,0 @@
-#!/bin/sh -e
-cd "$(dirname -- "$0")/.."
-VERSION="${HAKUREI_VERSION:-untagged}"
-pname="hakurei-${VERSION}-$(go env GOARCH)"
-out="${DESTDIR:-dist}/${pname}"
-
-echo '# Preparing distribution files.'
-mkdir -p "${out}"
-cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
-cp -rv "dist/comp" "${out}"
-echo
-
-echo '# Building hakurei.'
-go generate ./...
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
-  -buildid= -linkmode external -extldflags=-static
-  -X hakurei.app/internal/info.buildVersion=${VERSION}
-  -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
-  -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
-  -X main.hakureiPath=/usr/bin/hakurei" ./...
-echo
-
-echo '# Testing hakurei.'
-go test -ldflags='-buildid= -linkmode external -extldflags=-static' ./...
-echo
-
-echo '# Creating distribution.'
-rm -f "${out}.tar.gz" && tar -C "${out}/.." -vczf "${out}.tar.gz" "${pname}"
-rm -rf "${out}"
-(cd "${out}/.." && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
-echo

flake.nix

@@ -137,11 +137,10 @@
 
                 CC="musl-clang -O3 -Werror -Qunused-arguments" \
                 GOCACHE="$(mktemp -d)" \
-                HAKUREI_TEST_SKIP_ACL=1 \
                 PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
                 DESTDIR="$out" \
                 HAKUREI_VERSION="v${hakurei.version}" \
-                  ./dist/release.sh
+                  ./all.sh
               '';
         }
       );
@@ -196,6 +195,7 @@
                   ./test/interactive/vm.nix
                   ./test/interactive/hakurei.nix
                   ./test/interactive/trace.nix
+                  ./test/interactive/raceattr.nix
 
                   self.nixosModules.hakurei
                   home-manager.nixosModules.home-manager

hst/config.go

@@ -140,21 +140,29 @@ var (
 	ErrInsecure = errors.New("configuration is insecure")
 )
 
+const (
+	// VAllowInsecure allows use of compatibility options considered insecure
+	// under any configuration, to work around ecosystem-wide flaws.
+	VAllowInsecure = 1 << iota
+)
+
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
-func (config *Config) Validate() error {
+func (config *Config) Validate(flags int) error {
+	const step = "validate configuration"
+
 	if config == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "invalid configuration"}
 	}
 
 	// this is checked again in hsu
 	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
-		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
+		return &AppError{Step: step, Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}
 
 	if config.SchedPolicy < 0 || config.SchedPolicy > ext.SCHED_LAST {
-		return &AppError{Step: "validate configuration", Err: ErrSchedPolicyBounds,
+		return &AppError{Step: step, Err: ErrSchedPolicyBounds,
 			Msg: "scheduling policy " +
 				strconv.Itoa(int(config.SchedPolicy)) +
 				" out of range"}
@@ -168,34 +176,51 @@ func (config *Config) Validate() error {
 	}
 
 	if config.Container == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "configuration missing container state"}
 	}
 	if config.Container.Home == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}
 	}
 	if config.Container.Shell == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to shell"}
 	}
 	if config.Container.Path == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}
 	}
 
 	for key := range config.Container.Env {
 		if strings.IndexByte(key, '=') != -1 || strings.IndexByte(key, 0) != -1 {
-			return &AppError{Step: "validate configuration", Err: ErrEnviron,
+			return &AppError{Step: step, Err: ErrEnviron,
 				Msg: "invalid environment variable " + strconv.Quote(key)}
 		}
 	}
 
-	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
-		return &AppError{Step: "validate configuration", Err: ErrInsecure,
+	et := config.Enablements.Unwrap()
+	if !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: step, Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 
+	if flags&VAllowInsecure == 0 {
+		switch {
+		case et&EWayland != 0 && config.DirectWayland:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_wayland is insecure and no longer supported"}
+
+		case et&EPipeWire != 0 && config.DirectPipeWire:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pipewire is insecure and no longer supported"}
+
+		case et&EPulse != 0 && config.DirectPulse:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pulse is insecure and no longer supported"}
+		}
+	}
+
 	return nil
 }
 

hst/config_test.go

@@ -14,65 +14,109 @@ func TestConfigValidate(t *testing.T) {
 	testCases := []struct {
 		name    string
 		config  *hst.Config
+		flags   int
 		wantErr error
 	}{
-		{"nil", nil, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"nil", nil, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
-		{"identity lower", &hst.Config{Identity: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+
+		{"identity lower", &hst.Config{Identity: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity -1 out of range"}},
-		{"identity upper", &hst.Config{Identity: 10000}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity upper", &hst.Config{Identity: 10000}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity 10000 out of range"}},
-		{"sched lower", &hst.Config{SchedPolicy: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+
+		{"sched lower", &hst.Config{SchedPolicy: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy -1 out of range"}},
-		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy 51966 out of range"}},
-		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}},
+
+		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "session"}},
-		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}},
+		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "system"}},
-		{"container", &hst.Config{}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+
+		{"container", &hst.Config{}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "configuration missing container state"}},
-		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}},
 		{"shell", &hst.Config{Container: &hst.ContainerConfig{
 			Home: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to shell"}},
 		{"path", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}},
+
 		{"env equals", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM=": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM="`}},
 		{"env NUL", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM\x00": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
-		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
+
+		{"insecure pulse", &hst.Config{Enablements: new(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
+
+		{"direct wayland", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_wayland is insecure and no longer supported"}},
+		{"direct wayland allow", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pipewire", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pipewire is insecure and no longer supported"}},
+		{"direct pipewire allow", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pulse", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pulse is insecure and no longer supported"}},
+		{"direct pulse allow", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, nil},
+		}}, 0, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if err := tc.config.Validate(); !reflect.DeepEqual(err, tc.wantErr) {
+			if err := tc.config.Validate(tc.flags); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("Validate: error = %#v, want %#v", err, tc.wantErr)
 			}
 		})

hst/enablement.go

@@ -7,12 +7,12 @@ import (
 	"syscall"
 )
 
-// Enablement represents an optional host service to export to the target user.
-type Enablement byte
+// Enablements denotes optional host service to export to the target user.
+type Enablements byte
 
 const (
 	// EWayland exposes a Wayland pathname socket via security-context-v1.
-	EWayland Enablement = 1 << iota
+	EWayland Enablements = 1 << iota
 	// EX11 adds the target user via X11 ChangeHosts and exposes the X11
 	// pathname socket.
 	EX11
@@ -28,8 +28,8 @@ const (
 	EM
 )
 
-// String returns a string representation of the flags set on [Enablement].
-func (e Enablement) String() string {
+// String returns a string representation of the flags set on [Enablements].
+func (e Enablements) String() string {
 	switch e {
 	case 0:
 		return "(no enablements)"
@@ -47,7 +47,7 @@ func (e Enablement) String() string {
 		buf := new(strings.Builder)
 		buf.Grow(32)
 
-		for i := Enablement(1); i < EM; i <<= 1 {
+		for i := Enablements(1); i < EM; i <<= 1 {
 			if e&i != 0 {
 				buf.WriteString(", " + i.String())
 			}
@@ -60,12 +60,6 @@ func (e Enablement) String() string {
 	}
 }
 
-// NewEnablements returns the address of [Enablement] as [Enablements].
-func NewEnablements(e Enablement) *Enablements { return (*Enablements)(&e) }
-
-// Enablements is the [json] adapter for [Enablement].
-type Enablements Enablement
-
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
 	Wayland  bool `json:"wayland,omitempty"`
@@ -75,24 +69,21 @@ type enablementsJSON = struct {
 	Pulse    bool `json:"pulse,omitempty"`
 }
 
-// Unwrap returns the underlying [Enablement].
-func (e *Enablements) Unwrap() Enablement {
+// Unwrap returns the value pointed to by e.
+func (e *Enablements) Unwrap() Enablements {
 	if e == nil {
 		return 0
 	}
-	return Enablement(*e)
+	return *e
 }
 
-func (e *Enablements) MarshalJSON() ([]byte, error) {
-	if e == nil {
-		return nil, syscall.EINVAL
-	}
+func (e Enablements) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&enablementsJSON{
-		Wayland:  Enablement(*e)&EWayland != 0,
-		X11:      Enablement(*e)&EX11 != 0,
-		DBus:     Enablement(*e)&EDBus != 0,
-		PipeWire: Enablement(*e)&EPipeWire != 0,
-		Pulse:    Enablement(*e)&EPulse != 0,
+		Wayland:  e&EWayland != 0,
+		X11:      e&EX11 != 0,
+		DBus:     e&EDBus != 0,
+		PipeWire: e&EPipeWire != 0,
+		Pulse:    e&EPulse != 0,
 	})
 }
 
@@ -106,22 +97,21 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	var ve Enablement
+	*e = 0
 	if v.Wayland {
-		ve |= EWayland
+		*e |= EWayland
 	}
 	if v.X11 {
-		ve |= EX11
+		*e |= EX11
 	}
 	if v.DBus {
-		ve |= EDBus
+		*e |= EDBus
 	}
 	if v.PipeWire {
-		ve |= EPipeWire
+		*e |= EPipeWire
 	}
 	if v.Pulse {
-		ve |= EPulse
+		*e |= EPulse
 	}
-	*e = Enablements(ve)
 	return nil
 }

hst/enablement_test.go

@@ -13,7 +13,7 @@ func TestEnablementString(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
-		flags hst.Enablement
+		flags hst.Enablements
 		want  string
 	}{
 		{0, "(no enablements)"},
@@ -59,13 +59,13 @@ func TestEnablements(t *testing.T) {
 		sData string
 	}{
 		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
-		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
-		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
-		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
-		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
-		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
-		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
+		{"zero", new(hst.Enablements(0)), `{}`, `{"value":{},"magic":3236757504}`},
+		{"wayland", new(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"x11", new(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"dbus", new(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"pipewire", new(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
+		{"pulse", new(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"all", new(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
@@ -137,7 +137,7 @@ func TestEnablements(t *testing.T) {
 		})
 
 		t.Run("val", func(t *testing.T) {
-			if got := hst.NewEnablements(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
+			if got := new(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
 				t.Errorf("Unwrap: %v", got)
 			}
 		})
@@ -146,9 +146,6 @@ func TestEnablements(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()
 
-		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
-			t.Errorf("MarshalJSON: error = %v", err)
-		}
 		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("UnmarshalJSON: error = %v", err)
 		}

hst/fs.go

@@ -56,8 +56,10 @@ type Ops interface {
 
 // ApplyState holds the address of [Ops] and any relevant application state.
 type ApplyState struct {
-	// AutoEtcPrefix is the prefix for [FSBind] in autoetc [FSBind.Special] condition.
+	// Prefix for [FSBind] in autoetc [FSBind.Special] condition.
 	AutoEtcPrefix string
+	// Whether to skip remounting root.
+	NoRemountRoot bool
 
 	Ops
 }

hst/fsoverlay.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"hakurei.app/check"
+	"hakurei.app/fhs"
 )
 
 func init() { gob.Register(new(FSOverlay)) }
@@ -69,9 +70,12 @@ func (o *FSOverlay) Apply(z *ApplyState) {
 		return
 	}
 
-	if o.Upper != nil && o.Work != nil { // rw
+	if o.Upper != nil && o.Work != nil {
 		z.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
-	} else { // ro
+		if o.Target.Is(fhs.AbsRoot) {
+			z.NoRemountRoot = true
+		}
+	} else {
 		z.OverlayReadonly(o.Target, o.Lower...)
 	}
 }

hst/fsoverlay_test.go

@@ -49,5 +49,18 @@ func TestFSOverlay(t *testing.T) {
 			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
 		}}, m("/mnt/src"), ms("/tmp/.src0", "/tmp/.src1"),
 			"*/mnt/src:/tmp/.src0:/tmp/.src1"},
+
+		{"no remount root", &hst.FSOverlay{
+			Target: m("/"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+			Upper:  m("/tmp/upper"),
+			Work:   m("/tmp/work"),
+		}, true, container.Ops{&container.MountOverlayOp{
+			Target: m("/"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+			Upper:  m("/tmp/upper"),
+			Work:   m("/tmp/work"),
+		}}, m("/"), ms("/tmp/upper", "/tmp/work", "/tmp/.src0", "/tmp/.src1"),
+			"w*/:/tmp/upper:/tmp/work:/tmp/.src0:/tmp/.src1"},
 	})
 }

hst/hst.go

@@ -72,7 +72,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
+		Enablements: new(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,

internal/acl/acl_test.go

@@ -11,9 +11,11 @@ import (
 	"path/filepath"
 	"reflect"
 	"strconv"
+	"syscall"
 	"testing"
 
 	"hakurei.app/internal/acl"
+	"hakurei.app/internal/info"
 )
 
 const testFileName = "acl.test"
@@ -24,8 +26,14 @@ var (
 )
 
 func TestUpdate(t *testing.T) {
-	if os.Getenv("HAKUREI_TEST_SKIP_ACL") == "1" {
-		t.Skip("acl test skipped")
+	if info.CanDegrade {
+		name := filepath.Join(t.TempDir(), "check-degrade")
+		if err := os.WriteFile(name, nil, 0); err != nil {
+			t.Fatal(err)
+		}
+		if err := acl.Update(name, os.Geteuid()); errors.Is(err, syscall.ENOTSUP) {
+			t.Skip(err)
+		}
 	}
 
 	testFilePath := filepath.Join(t.TempDir(), testFileName)

internal/info/optional_skip.go

@@ -0,0 +1,7 @@
+//go:build !noskip
+
+package info
+
+// CanDegrade is whether tests are allowed to transparently degrade or skip due
+// to required system features being denied or unavailable.
+const CanDegrade = true

internal/info/optional_strict.go

@@ -0,0 +1,5 @@
+//go:build noskip
+
+package info
+
+const CanDegrade = false

internal/kobject/event.go

@@ -0,0 +1,90 @@
+package kobject
+
+import (
+	"errors"
+	"strconv"
+	"strings"
+	"unsafe"
+
+	"hakurei.app/internal/uevent"
+)
+
+// Event is a [uevent.Message] with known environment variables processed.
+type Event struct {
+	// alloc_uevent_skb: action_string
+	Action uevent.KobjectAction `json:"action"`
+	// alloc_uevent_skb: devpath
+	DevPath string `json:"devpath"`
+
+	// Uninterpreted environment variable pairs. An entry missing a separator
+	// gains the value "\x00".
+	Env map[string]string `json:"env"`
+
+	// SEQNUM value set by the kernel.
+	Sequence uint64 `json:"seqnum"`
+	// SYNTH_UUID value set on trigger, nil denotes a non-synthetic event.
+	Synth *uevent.UUID `json:"synth_uuid,omitempty"`
+	// SUBSYSTEM value set by the kernel.
+	Subsystem string `json:"subsystem"`
+}
+
+// Populate populates e with the contents of a [uevent.Message].
+//
+// The ACTION and DEVPATH environment variables are ignored and assumed to be
+// consistent with the header.
+func (e *Event) Populate(reportErr func(error), m *uevent.Message) {
+	if reportErr == nil {
+		reportErr = func(error) {}
+	}
+
+	*e = Event{
+		Action:  m.Action,
+		DevPath: m.DevPath,
+		Env:     make(map[string]string),
+	}
+
+	for _, s := range m.Env {
+		k, v, ok := strings.Cut(s, "=")
+		if !ok {
+			if _, ok = e.Env[s]; !ok {
+				e.Env[s] = "\x00"
+			}
+			continue
+		}
+
+		switch k {
+		case "ACTION", "DEVPATH":
+			continue
+
+		case "SEQNUM":
+			seq, err := strconv.ParseUint(v, 10, 64)
+			if err != nil {
+				if _e := errors.Unwrap(err); _e != nil {
+					err = _e
+				}
+				reportErr(err)
+
+				e.Env[k] = v
+				continue
+			}
+			e.Sequence = seq
+
+		case "SYNTH_UUID":
+			var uuid uevent.UUID
+			err := uuid.UnmarshalText(unsafe.Slice(unsafe.StringData(v), len(v)))
+			if err != nil {
+				reportErr(err)
+
+				e.Env[k] = v
+				continue
+			}
+			e.Synth = &uuid
+
+		case "SUBSYSTEM":
+			e.Subsystem = v
+
+		default:
+			e.Env[k] = v
+		}
+	}
+}

internal/kobject/event_test.go

@@ -0,0 +1,92 @@
+package kobject_test
+
+import (
+	"reflect"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/kobject"
+	"hakurei.app/internal/uevent"
+)
+
+func TestEvent(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  uevent.Message
+		want kobject.Event
+		errs []error
+	}{
+		{"sample coldboot qemu", uevent.Message{
+			Action:  uevent.KOBJ_ADD,
+			DevPath: "/devices/LNXSYSTM:00/LNXPWRBN:00",
+			Env: []string{
+				"ACTION=add",
+				"DEVPATH=/devices/LNXSYSTM:00/LNXPWRBN:00",
+				"SUBSYSTEM=acpi",
+				"SYNTH_UUID=fe4d7c9d-b8c6-4a70-9ef1-3d8a58d18eed",
+				"MODALIAS=acpi:LNXPWRBN:",
+				"SEQNUM=777",
+			}}, kobject.Event{
+			Action:  uevent.KOBJ_ADD,
+			DevPath: "/devices/LNXSYSTM:00/LNXPWRBN:00",
+			Env: map[string]string{
+				"MODALIAS": "acpi:LNXPWRBN:",
+			},
+			Sequence: 777,
+			Synth: &uevent.UUID{
+				0xfe, 0x4d, 0x7c, 0x9d,
+				0xb8, 0xc6,
+				0x4a, 0x70,
+				0x9e, 0xf1,
+				0x3d, 0x8a, 0x58, 0xd1, 0x8e, 0xed,
+			},
+			Subsystem: "acpi",
+		}, []error{}},
+
+		{"nil reportErr", uevent.Message{Env: []string{
+			"SEQNUM=\x00",
+		}}, kobject.Event{Env: map[string]string{
+			"SEQNUM": "\x00",
+		}}, nil},
+
+		{"bad SEQNUM SYNTH_UUID", uevent.Message{Env: []string{
+			"SEQNUM=\x00",
+			"SYNTH_UUID=\x00",
+			"SUBSYSTEM=\x00",
+		}}, kobject.Event{Subsystem: "\x00", Env: map[string]string{
+			"SEQNUM":     "\x00",
+			"SYNTH_UUID": "\x00",
+		}}, []error{strconv.ErrSyntax, uevent.UUIDSizeError(1)}},
+
+		{"bad sep", uevent.Message{Env: []string{
+			"SYNTH_UUID",
+		}}, kobject.Event{Env: map[string]string{
+			"SYNTH_UUID": "\x00",
+		}}, []error{}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var f func(error)
+			gotErrs := make([]error, 0)
+			if tc.errs != nil {
+				f = func(err error) {
+					gotErrs = append(gotErrs, err)
+				}
+			}
+
+			var got kobject.Event
+			got.Populate(f, &tc.msg)
+
+			if !reflect.DeepEqual(&got, &tc.want) {
+				t.Errorf("Populate: %#v, want %#v", got, tc.want)
+			}
+			if tc.errs != nil && !reflect.DeepEqual(gotErrs, tc.errs) {
+				t.Errorf("Populate: errs = %v, want %v", gotErrs, tc.errs)
+			}
+		})
+	}
+}

internal/landlock/landlock.go

@@ -1,4 +1,4 @@
-package container
+package landlock
 
 import (
 	"strings"
@@ -14,11 +14,11 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )
 
-// LandlockAccessFS is bitmask of handled filesystem actions.
-type LandlockAccessFS uint64
+// AccessFS is bitmask of handled filesystem actions.
+type AccessFS uint64
 
 const (
-	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
+	LANDLOCK_ACCESS_FS_EXECUTE AccessFS = 1 << iota
 	LANDLOCK_ACCESS_FS_WRITE_FILE
 	LANDLOCK_ACCESS_FS_READ_FILE
 	LANDLOCK_ACCESS_FS_READ_DIR
@@ -38,8 +38,8 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )
 
-// String returns a space-separated string of [LandlockAccessFS] flags.
-func (f LandlockAccessFS) String() string {
+// String returns a space-separated string of [AccessFS] flags.
+func (f AccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
 		return "execute"
@@ -90,8 +90,8 @@ func (f LandlockAccessFS) String() string {
 		return "fs_ioctl_dev"
 
 	default:
-		var c []LandlockAccessFS
-		for i := LandlockAccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
+		var c []AccessFS
+		for i := AccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -107,18 +107,18 @@ func (f LandlockAccessFS) String() string {
 	}
 }
 
-// LandlockAccessNet is bitmask of handled network actions.
-type LandlockAccessNet uint64
+// AccessNet is bitmask of handled network actions.
+type AccessNet uint64
 
 const (
-	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
+	LANDLOCK_ACCESS_NET_BIND_TCP AccessNet = 1 << iota
 	LANDLOCK_ACCESS_NET_CONNECT_TCP
 
 	_LANDLOCK_ACCESS_NET_DELIM
 )
 
-// String returns a space-separated string of [LandlockAccessNet] flags.
-func (f LandlockAccessNet) String() string {
+// String returns a space-separated string of [AccessNet] flags.
+func (f AccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
 		return "bind_tcp"
@@ -127,8 +127,8 @@ func (f LandlockAccessNet) String() string {
 		return "connect_tcp"
 
 	default:
-		var c []LandlockAccessNet
-		for i := LandlockAccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
+		var c []AccessNet
+		for i := AccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -144,18 +144,18 @@ func (f LandlockAccessNet) String() string {
 	}
 }
 
-// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
-type LandlockScope uint64
+// Scope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+type Scope uint64
 
 const (
-	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET Scope = 1 << iota
 	LANDLOCK_SCOPE_SIGNAL
 
 	_LANDLOCK_SCOPE_DELIM
 )
 
-// String returns a space-separated string of [LandlockScope] flags.
-func (f LandlockScope) String() string {
+// String returns a space-separated string of [Scope] flags.
+func (f Scope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
 		return "abstract_unix_socket"
@@ -164,8 +164,8 @@ func (f LandlockScope) String() string {
 		return "signal"
 
 	default:
-		var c []LandlockScope
-		for i := LandlockScope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
+		var c []Scope
+		for i := Scope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -184,12 +184,12 @@ func (f LandlockScope) String() string {
 // RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
-	HandledAccessFS LandlockAccessFS
+	HandledAccessFS AccessFS
 	// Bitmask of handled network actions.
-	HandledAccessNet LandlockAccessNet
+	HandledAccessNet AccessNet
 	// Bitmask of scopes restricting a Landlock domain from accessing outside
 	// resources (e.g. IPCs).
-	Scoped LandlockScope
+	Scoped Scope
 }
 
 // String returns a user-facing description of [RulesetAttr].
@@ -239,13 +239,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }
 
-// LandlockGetABI returns the ABI version supported by the kernel.
-func LandlockGetABI() (int, error) {
+// GetABI returns the ABI version supported by the kernel.
+func GetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }
 
-// LandlockRestrictSelf applies a loaded ruleset to the calling thread.
-func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
+// RestrictSelf applies a loaded ruleset to the calling thread.
+func RestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
 		ext.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),

internal/landlock/landlock_test.go

@@ -0,0 +1,65 @@
+package landlock_test
+
+import (
+	"testing"
+	"unsafe"
+
+	"hakurei.app/internal/landlock"
+)
+
+func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		rulesetAttr *landlock.RulesetAttr
+		want        string
+	}{
+		{"nil", nil, "NULL"},
+		{"zero", new(landlock.RulesetAttr), "0"},
+		{"some", &landlock.RulesetAttr{Scoped: landlock.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
+		{"set", &landlock.RulesetAttr{
+			HandledAccessFS:  landlock.LANDLOCK_ACCESS_FS_MAKE_SYM | landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV | landlock.LANDLOCK_ACCESS_FS_WRITE_FILE,
+			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP,
+			Scoped:           landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | landlock.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
+		{"all", &landlock.RulesetAttr{
+			HandledAccessFS: landlock.LANDLOCK_ACCESS_FS_EXECUTE |
+				landlock.LANDLOCK_ACCESS_FS_WRITE_FILE |
+				landlock.LANDLOCK_ACCESS_FS_READ_FILE |
+				landlock.LANDLOCK_ACCESS_FS_READ_DIR |
+				landlock.LANDLOCK_ACCESS_FS_REMOVE_DIR |
+				landlock.LANDLOCK_ACCESS_FS_REMOVE_FILE |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_CHAR |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_DIR |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_REG |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_SOCK |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_FIFO |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_SYM |
+				landlock.LANDLOCK_ACCESS_FS_REFER |
+				landlock.LANDLOCK_ACCESS_FS_TRUNCATE |
+				landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV,
+			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP |
+				landlock.LANDLOCK_ACCESS_NET_CONNECT_TCP,
+			Scoped: landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+				landlock.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := tc.rulesetAttr.String(); got != tc.want {
+				t.Errorf("String: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
+	want := 24
+	if got := unsafe.Sizeof(landlock.RulesetAttr{}); got != uintptr(want) {
+		t.Errorf("Sizeof: %d, want %d", got, want)
+	}
+}

internal/outcome/dispatcher.go

@@ -17,6 +17,7 @@ import (
 	"hakurei.app/ext"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/info"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )
 
@@ -84,7 +85,7 @@ type syscallDispatcher interface {
 	// setDumpable provides [container.SetDumpable].
 	setDumpable(dumpable uintptr) error
 	// receive provides [container.Receive].
-	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
+	receive(key string, e any, fdp *int) (closeFunc func() error, err error)
 
 	// containerStart provides the Start method of [container.Container].
 	containerStart(z *container.Container) error
@@ -154,8 +155,8 @@ func (direct) prctl(op, arg2, arg3 uintptr) error { return ext.Prctl(op, arg2, a
 func (direct) overflowUid(msg message.Msg) int    { return container.OverflowUid(msg) }
 func (direct) overflowGid(msg message.Msg) int    { return container.OverflowGid(msg) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
-	return container.Receive(key, e, fdp)
+func (direct) receive(key string, e any, fdp *int) (func() error, error) {
+	return params.Receive(key, e, fdp)
 }
 
 func (direct) containerStart(z *container.Container) error { return z.Start() }

internal/outcome/dispatcher_test.go

@@ -401,12 +401,12 @@ func (k *kstub) setDumpable(dumpable uintptr) error {
 		stub.CheckArg(k.Stub, "dumpable", dumpable, 0))
 }
 
-func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
+func (k *kstub) receive(key string, e any, fdp *int) (closeFunc func() error, err error) {
 	k.Helper()
 	expect := k.Expects("receive")
 	reflect.ValueOf(e).Elem().Set(reflect.ValueOf(expect.Args[1]))
 	if expect.Args[2] != nil {
-		*fdp = expect.Args[2].(uintptr)
+		*fdp = int(expect.Args[2].(uintptr))
 	}
 	return func() error { return k.Expects("closeReceive").Err }, expect.Error(
 		stub.CheckArg(k.Stub, "key", key, 0))
@@ -690,38 +690,38 @@ func (panicMsgContext) Value(any) any               { panic("unreachable") }
 // This type is meant to be embedded in partial syscallDispatcher implementations.
 type panicDispatcher struct{}
 
-func (panicDispatcher) new(func(k syscallDispatcher, msg message.Msg))      { panic("unreachable") }
-func (panicDispatcher) getppid() int                                        { panic("unreachable") }
-func (panicDispatcher) getpid() int                                         { panic("unreachable") }
-func (panicDispatcher) getuid() int                                         { panic("unreachable") }
-func (panicDispatcher) getgid() int                                         { panic("unreachable") }
-func (panicDispatcher) lookupEnv(string) (string, bool)                     { panic("unreachable") }
-func (panicDispatcher) pipe() (*os.File, *os.File, error)                   { panic("unreachable") }
-func (panicDispatcher) stat(string) (os.FileInfo, error)                    { panic("unreachable") }
-func (panicDispatcher) open(string) (osFile, error)                         { panic("unreachable") }
-func (panicDispatcher) readdir(string) ([]os.DirEntry, error)               { panic("unreachable") }
-func (panicDispatcher) tempdir() string                                     { panic("unreachable") }
-func (panicDispatcher) mkdir(string, os.FileMode) error                     { panic("unreachable") }
-func (panicDispatcher) removeAll(string) error                              { panic("unreachable") }
-func (panicDispatcher) exit(int)                                            { panic("unreachable") }
-func (panicDispatcher) evalSymlinks(string) (string, error)                 { panic("unreachable") }
-func (panicDispatcher) prctl(uintptr, uintptr, uintptr) error               { panic("unreachable") }
-func (panicDispatcher) lookupGroupId(string) (string, error)                { panic("unreachable") }
-func (panicDispatcher) lookPath(string) (string, error)                     { panic("unreachable") }
-func (panicDispatcher) cmdOutput(*exec.Cmd) ([]byte, error)                 { panic("unreachable") }
-func (panicDispatcher) overflowUid(message.Msg) int                         { panic("unreachable") }
-func (panicDispatcher) overflowGid(message.Msg) int                         { panic("unreachable") }
-func (panicDispatcher) setDumpable(uintptr) error                           { panic("unreachable") }
-func (panicDispatcher) receive(string, any, *uintptr) (func() error, error) { panic("unreachable") }
-func (panicDispatcher) containerStart(*container.Container) error           { panic("unreachable") }
-func (panicDispatcher) containerServe(*container.Container) error           { panic("unreachable") }
-func (panicDispatcher) containerWait(*container.Container) error            { panic("unreachable") }
-func (panicDispatcher) mustHsuPath() *check.Absolute                        { panic("unreachable") }
-func (panicDispatcher) dbusAddress() (string, string)                       { panic("unreachable") }
-func (panicDispatcher) setupContSignal(int) (io.ReadCloser, func(), error)  { panic("unreachable") }
-func (panicDispatcher) getMsg() message.Msg                                 { panic("unreachable") }
-func (panicDispatcher) fatal(...any)                                        { panic("unreachable") }
-func (panicDispatcher) fatalf(string, ...any)                               { panic("unreachable") }
+func (panicDispatcher) new(func(k syscallDispatcher, msg message.Msg))     { panic("unreachable") }
+func (panicDispatcher) getppid() int                                       { panic("unreachable") }
+func (panicDispatcher) getpid() int                                        { panic("unreachable") }
+func (panicDispatcher) getuid() int                                        { panic("unreachable") }
+func (panicDispatcher) getgid() int                                        { panic("unreachable") }
+func (panicDispatcher) lookupEnv(string) (string, bool)                    { panic("unreachable") }
+func (panicDispatcher) pipe() (*os.File, *os.File, error)                  { panic("unreachable") }
+func (panicDispatcher) stat(string) (os.FileInfo, error)                   { panic("unreachable") }
+func (panicDispatcher) open(string) (osFile, error)                        { panic("unreachable") }
+func (panicDispatcher) readdir(string) ([]os.DirEntry, error)              { panic("unreachable") }
+func (panicDispatcher) tempdir() string                                    { panic("unreachable") }
+func (panicDispatcher) mkdir(string, os.FileMode) error                    { panic("unreachable") }
+func (panicDispatcher) removeAll(string) error                             { panic("unreachable") }
+func (panicDispatcher) exit(int)                                           { panic("unreachable") }
+func (panicDispatcher) evalSymlinks(string) (string, error)                { panic("unreachable") }
+func (panicDispatcher) prctl(uintptr, uintptr, uintptr) error              { panic("unreachable") }
+func (panicDispatcher) lookupGroupId(string) (string, error)               { panic("unreachable") }
+func (panicDispatcher) lookPath(string) (string, error)                    { panic("unreachable") }
+func (panicDispatcher) cmdOutput(*exec.Cmd) ([]byte, error)                { panic("unreachable") }
+func (panicDispatcher) overflowUid(message.Msg) int                        { panic("unreachable") }
+func (panicDispatcher) overflowGid(message.Msg) int                        { panic("unreachable") }
+func (panicDispatcher) setDumpable(uintptr) error                          { panic("unreachable") }
+func (panicDispatcher) receive(string, any, *int) (func() error, error)    { panic("unreachable") }
+func (panicDispatcher) containerStart(*container.Container) error          { panic("unreachable") }
+func (panicDispatcher) containerServe(*container.Container) error          { panic("unreachable") }
+func (panicDispatcher) containerWait(*container.Container) error           { panic("unreachable") }
+func (panicDispatcher) mustHsuPath() *check.Absolute                       { panic("unreachable") }
+func (panicDispatcher) dbusAddress() (string, string)                      { panic("unreachable") }
+func (panicDispatcher) setupContSignal(int) (io.ReadCloser, func(), error) { panic("unreachable") }
+func (panicDispatcher) getMsg() message.Msg                                { panic("unreachable") }
+func (panicDispatcher) fatal(...any)                                       { panic("unreachable") }
+func (panicDispatcher) fatalf(string, ...any)                              { panic("unreachable") }
 
 func (panicDispatcher) notifyContext(context.Context, ...os.Signal) (context.Context, context.CancelFunc) {
 	panic("unreachable")

internal/outcome/finalise.go

@@ -32,7 +32,14 @@ type outcome struct {
 	syscallDispatcher
 }
 
-func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, config *hst.Config) error {
+// finalise prepares an outcome for main.
+func (k *outcome) finalise(
+	ctx context.Context,
+	msg message.Msg,
+	id *hst.ID,
+	config *hst.Config,
+	flags int,
+) error {
 	if ctx == nil || id == nil {
 		// unreachable
 		panic("invalid call to finalise")
@@ -43,7 +50,7 @@ func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, con
 	}
 	k.ctx = ctx
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(flags); err != nil {
 		return err
 	}
 

internal/outcome/outcome.go

@@ -194,7 +194,7 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
 	appId string
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
-	et hst.Enablement
+	et hst.Enablements
 
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool

internal/outcome/process.go

@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"hakurei.app/check"
-	"hakurei.app/container"
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/info"
@@ -298,12 +297,12 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 					// accumulate enablements of remaining instances
 					var (
 						// alive enablement bits
-						rt hst.Enablement
+						rt hst.Enablements
 						// alive instance count
 						n int
 					)
 					for eh := range entries {
-						var et hst.Enablement
+						var et hst.Enablements
 						if et, err = eh.Load(nil); err != nil {
 							perror(err, "read state header of instance "+eh.ID.String())
 						} else {
@@ -372,17 +371,18 @@ func (k *outcome) start(ctx context.Context, msg message.Msg,
 	// shim runs in the same session as monitor; see shim.go for behaviour
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
 
-	var shimPipe *os.File
-	if fd, w, err := container.Setup(&cmd.ExtraFiles); err != nil {
+	var shimPipe [2]*os.File
+	if r, w, err := os.Pipe(); err != nil {
 		return cmd, nil, &hst.AppError{Step: "create shim setup pipe", Err: err}
 	} else {
-		shimPipe = w
 		cmd.Env = []string{
 			// passed through to shim by hsu
-			shimEnv + "=" + strconv.Itoa(fd),
+			shimEnv + "=" + strconv.Itoa(3+len(cmd.ExtraFiles)),
 			// interpreted by hsu
 			"HAKUREI_IDENTITY=" + k.state.identity.String(),
 		}
+		cmd.ExtraFiles = append(cmd.ExtraFiles, r)
+		shimPipe[0], shimPipe[1] = r, w
 	}
 
 	if len(k.supp) > 0 {
@@ -393,12 +393,16 @@ func (k *outcome) start(ctx context.Context, msg message.Msg,
 
 	msg.Verbosef("setuid helper at %s", hsuPath)
 	if err := cmd.Start(); err != nil {
+		_, _ = shimPipe[0].Close(), shimPipe[1].Close()
 		msg.Resume()
-		return cmd, shimPipe, &hst.AppError{Step: "start setuid wrapper", Err: err}
+		return cmd, nil, &hst.AppError{Step: "start setuid wrapper", Err: err}
+	}
+	if err := shimPipe[0].Close(); err != nil {
+		msg.Verbose(err)
 	}
 
 	*startTime = time.Now().UTC()
-	return cmd, shimPipe, nil
+	return cmd, shimPipe[1], nil
 }
 
 // serveShim serves outcomeState through the shim setup pipe.
@@ -411,11 +415,11 @@ func serveShim(msg message.Msg, shimPipe *os.File, state *outcomeState) error {
 		msg.Verbose(err.Error())
 	}
 	if err := gob.NewEncoder(shimPipe).Encode(state); err != nil {
+		_ = shimPipe.Close()
 		msg.Resume()
 		return &hst.AppError{Step: "transmit shim config", Err: err}
 	}
-	_ = shimPipe.Close()
-	return nil
+	return shimPipe.Close()
 }
 
 // printMessageError prints the error message according to [message.GetMessage],

internal/outcome/run.go

@@ -18,7 +18,13 @@ import (
 func IsPollDescriptor(fd uintptr) bool
 
 // Main runs an app according to [hst.Config] and terminates. Main does not return.
-func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
+func Main(
+	ctx context.Context,
+	msg message.Msg,
+	config *hst.Config,
+	flags int,
+	fd int,
+) {
 	// avoids runtime internals or standard streams
 	if fd >= 0 {
 		if IsPollDescriptor(uintptr(fd)) || fd < 3 {
@@ -34,7 +40,7 @@ func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
 	k := outcome{syscallDispatcher: direct{msg}}
 
 	finaliseTime := time.Now()
-	if err := k.finalise(ctx, msg, &id, config); err != nil {
+	if err := k.finalise(ctx, msg, &id, config, flags); err != nil {
 		printMessageError(msg.GetLogger().Fatalln, "cannot seal app:", err)
 		panic("unreachable")
 	}

internal/outcome/run_test.go

@@ -288,7 +288,7 @@ func TestOutcomeRun(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 
 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -427,7 +427,7 @@ func TestOutcomeRun(t *testing.T) {
 			DirectPipeWire: true,
 
 			ID:          "org.chromium.Chromium",
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{

internal/outcome/shim.go

@@ -20,6 +20,7 @@ import (
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/params"
 	"hakurei.app/internal/pipewire"
 	"hakurei.app/message"
 )
@@ -197,7 +198,7 @@ func shimEntrypoint(k syscallDispatcher) {
 		if errors.Is(err, syscall.EBADF) {
 			k.fatal("invalid config descriptor")
 		}
-		if errors.Is(err, container.ErrReceiveEnv) {
+		if errors.Is(err, params.ErrReceiveEnv) {
 			k.fatal(shimEnv + " not set")
 		}
 

internal/outcome/shim_test.go

@@ -16,6 +16,7 @@ import (
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/env"
+	"hakurei.app/internal/params"
 	"hakurei.app/internal/stub"
 )
 
@@ -172,7 +173,7 @@ func TestShimEntrypoint(t *testing.T) {
 			call("setDumpable", stub.ExpectArgs{uintptr(ext.SUID_DUMP_DISABLE)}, nil, nil),
 			call("getppid", stub.ExpectArgs{}, 0xbad, nil),
 			call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil),
-			call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{}, nil}, nil, container.ErrReceiveEnv),
+			call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{}, nil}, nil, params.ErrReceiveEnv),
 			call("fatal", stub.ExpectArgs{[]any{"HAKUREI_SHIM not set"}}, nil, nil),
 
 			// deferred

internal/outcome/spcontainer.go

@@ -290,7 +290,9 @@ func (s *spFilesystemOp) toContainer(state *outcomeStateParams) error {
 	if state.Container.Flags&hst.FDevice == 0 {
 		state.params.Remount(fhs.AbsDev, syscall.MS_RDONLY)
 	}
-	state.params.Remount(fhs.AbsRoot, syscall.MS_RDONLY)
+	if !state.as.NoRemountRoot {
+		state.params.Remount(fhs.AbsRoot, syscall.MS_RDONLY)
+	}
 
 	state.params.Env = make([]string, 0, len(state.env))
 	for key, value := range state.env {

internal/outcome/sppulse_test.go

@@ -21,7 +21,7 @@ func TestSpPulseOp(t *testing.T) {
 	newConfig := func() *hst.Config {
 		config := hst.Template()
 		config.DirectPulse = true
-		config.Enablements = hst.NewEnablements(hst.EPulse)
+		config.Enablements = new(hst.EPulse)
 		return config
 	}
 

internal/params/params.go

@@ -0,0 +1,42 @@
+// Package params provides helpers for receiving setup payload from parent.
+package params
+
+import (
+	"encoding/gob"
+	"errors"
+	"os"
+	"strconv"
+	"syscall"
+)
+
+// ErrReceiveEnv is returned by [Receive] if setup fd is not present in environment.
+var ErrReceiveEnv = errors.New("environment variable not set")
+
+// Receive retrieves setup fd from the environment and receives params.
+//
+// The file descriptor written to the value pointed to by fdp must not be passed
+// to any system calls. It is made available for ordering file descriptor only.
+func Receive(key string, v any, fdp *int) (func() error, error) {
+	var setup *os.File
+
+	if s, ok := os.LookupEnv(key); !ok {
+		return nil, ErrReceiveEnv
+	} else {
+		if fd, err := strconv.Atoi(s); err != nil {
+			if _err := errors.Unwrap(err); _err != nil {
+				err = _err
+			}
+			return nil, err
+		} else {
+			setup = os.NewFile(uintptr(fd), "setup")
+			if setup == nil {
+				return nil, syscall.EDOM
+			}
+			if fdp != nil {
+				*fdp = fd
+			}
+		}
+	}
+
+	return setup.Close, gob.NewDecoder(setup).Decode(v)
+}

internal/params/params_test.go

@@ -1,4 +1,4 @@
-package container_test
+package params_test
 
 import (
 	"encoding/gob"
@@ -9,7 +9,7 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/container"
+	"hakurei.app/internal/params"
 )
 
 func TestSetupReceive(t *testing.T) {
@@ -30,8 +30,8 @@ func TestSetupReceive(t *testing.T) {
 			})
 		}
 
-		if _, err := container.Receive(key, nil, nil); !errors.Is(err, container.ErrReceiveEnv) {
-			t.Errorf("Receive: error = %v, want %v", err, container.ErrReceiveEnv)
+		if _, err := params.Receive(key, nil, nil); !errors.Is(err, params.ErrReceiveEnv) {
+			t.Errorf("Receive: error = %v, want %v", err, params.ErrReceiveEnv)
 		}
 	})
 
@@ -39,7 +39,7 @@ func TestSetupReceive(t *testing.T) {
 		const key = "TEST_ENV_FORMAT"
 		t.Setenv(key, "")
 
-		if _, err := container.Receive(key, nil, nil); !errors.Is(err, strconv.ErrSyntax) {
+		if _, err := params.Receive(key, nil, nil); !errors.Is(err, strconv.ErrSyntax) {
 			t.Errorf("Receive: error = %v, want %v", err, strconv.ErrSyntax)
 		}
 	})
@@ -48,7 +48,7 @@ func TestSetupReceive(t *testing.T) {
 		const key = "TEST_ENV_RANGE"
 		t.Setenv(key, "-1")
 
-		if _, err := container.Receive(key, nil, nil); !errors.Is(err, syscall.EDOM) {
+		if _, err := params.Receive(key, nil, nil); !errors.Is(err, syscall.EDOM) {
 			t.Errorf("Receive: error = %v, want %v", err, syscall.EDOM)
 		}
 	})
@@ -60,16 +60,22 @@ func TestSetupReceive(t *testing.T) {
 
 			encoderDone := make(chan error, 1)
 			extraFiles := make([]*os.File, 0, 1)
-			deadline, _ := t.Deadline()
-			if fd, f, err := container.Setup(&extraFiles); err != nil {
+			if r, w, err := os.Pipe(); err != nil {
 				t.Fatalf("Setup: error = %v", err)
-			} else if fd != 3 {
-				t.Fatalf("Setup: fd = %d, want 3", fd)
 			} else {
-				if err = f.SetDeadline(deadline); err != nil {
-					t.Fatal(err.Error())
+				t.Cleanup(func() {
+					if err = errors.Join(r.Close(), w.Close()); err != nil {
+						t.Fatal(err)
+					}
+				})
+
+				extraFiles = append(extraFiles, r)
+				if deadline, ok := t.Deadline(); ok {
+					if err = w.SetDeadline(deadline); err != nil {
+						t.Fatal(err)
+					}
 				}
-				go func() { encoderDone <- gob.NewEncoder(f).Encode(payload) }()
+				go func() { encoderDone <- gob.NewEncoder(w).Encode(payload) }()
 			}
 
 			if len(extraFiles) != 1 {
@@ -87,13 +93,13 @@ func TestSetupReceive(t *testing.T) {
 
 			var (
 				gotPayload []uint64
-				fdp        *uintptr
+				fdp        *int
 			)
 			if !useNilFdp {
-				fdp = new(uintptr)
+				fdp = new(int)
 			}
 			var closeFile func() error
-			if f, err := container.Receive(key, &gotPayload, fdp); err != nil {
+			if f, err := params.Receive(key, &gotPayload, fdp); err != nil {
 				t.Fatalf("Receive: error = %v", err)
 			} else {
 				closeFile = f
@@ -103,7 +109,7 @@ func TestSetupReceive(t *testing.T) {
 				}
 			}
 			if !useNilFdp {
-				if int(*fdp) != dupFd {
+				if *fdp != dupFd {
 					t.Errorf("Fd: %d, want %d", *fdp, dupFd)
 				}
 			}

internal/pkg/dir_test.go

@@ -184,6 +184,32 @@ func TestFlatten(t *testing.T) {
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("WVpvsVqVKg9Nsh744x57h51AuWUoUR2nnh8Md-EYBQpk6ziyTuUn6PLtF2e0Eu_d"), nil},
 
+		{"sample no assume checksum", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M":       {Mode: fs.ModeDir | 0500},
+			"checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M/check": {Mode: 0400, Data: []byte{}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+			"identifier/_wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M"},
+			{Mode: 0400, Path: "checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M/check", Data: []byte{}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("OC290t23aimNo2Rp2pPwan5GI2KRLRdOwYxXQMD9jw0QROgHnNXWodoWdV0hwu2w"), nil},
+
 		{"sample tar step unpack", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 

internal/pkg/exec.go

@@ -40,9 +40,6 @@ type ExecPath struct {
 	W bool
 }
 
-// SetSchedIdle is whether to set [ext.SCHED_IDLE] scheduling priority.
-var SetSchedIdle bool
-
 // GetArtifactFunc is the function signature of [FContext.GetArtifact].
 type GetArtifactFunc func(Artifact) (*check.Absolute, unique.Handle[Checksum])
 
@@ -400,6 +397,7 @@ const SeccompPresets = std.PresetStrict &
 func (a *execArtifact) makeContainer(
 	ctx context.Context,
 	msg message.Msg,
+	flags int,
 	hostNet bool,
 	temp, work *check.Absolute,
 	getArtifact GetArtifactFunc,
@@ -426,8 +424,9 @@ func (a *execArtifact) makeContainer(
 	z.SeccompFlags |= seccomp.AllowMultiarch
 	z.ParentPerm = 0700
 	z.HostNet = hostNet
+	z.HostAbstract = flags&CHostAbstract != 0
 	z.Hostname = "cure"
-	z.SetScheduler = SetSchedIdle
+	z.SetScheduler = flags&CSchedIdle != 0
 	z.SchedPolicy = ext.SCHED_IDLE
 	if z.HostNet {
 		z.Hostname = "cure-net"
@@ -563,6 +562,7 @@ func (c *Cache) EnterExec(
 	var z *container.Container
 	z, err = e.makeContainer(
 		ctx, c.msg,
+		c.flags,
 		hostNet,
 		temp, work,
 		func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) {
@@ -602,7 +602,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 	msg := f.GetMessage()
 	var z *container.Container
 	if z, err = a.makeContainer(
-		ctx, msg, hostNet,
+		ctx, msg, f.cache.flags, hostNet,
 		f.GetTempDir(), f.GetWorkDir(),
 		f.GetArtifact,
 		f.cache.Ident,

internal/pkg/exec_test.go

@@ -33,8 +33,7 @@ func TestExec(t *testing.T) {
 	)
 
 	checkWithCache(t, []cacheTestCase{
-		{"offline", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
+		{"offline", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()
 
 			cureMany(t, c, []cureStep{
@@ -111,8 +110,7 @@ func TestExec(t *testing.T) {
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx")},
 
-		{"net", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
+		{"net", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()
 
 			wantChecksum := pkg.MustDecode(
@@ -146,8 +144,7 @@ func TestExec(t *testing.T) {
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z")},
 
-		{"overlay root", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
+		{"overlay root", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()
 
 			cureMany(t, c, []cureStep{
@@ -172,8 +169,7 @@ func TestExec(t *testing.T) {
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl")},
 
-		{"overlay work", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
+		{"overlay work", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()
 
 			cureMany(t, c, []cureStep{
@@ -203,8 +199,7 @@ func TestExec(t *testing.T) {
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs")},
 
-		{"multiple layers", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
+		{"multiple layers", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()
 
 			cureMany(t, c, []cureStep{
@@ -256,8 +251,7 @@ func TestExec(t *testing.T) {
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ")},
 
-		{"overlay layer promotion", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
+		{"overlay layer promotion", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()
 
 			cureMany(t, c, []cureStep{

internal/pkg/file_test.go

@@ -11,9 +11,7 @@ func TestFile(t *testing.T) {
 	t.Parallel()
 
 	checkWithCache(t, []cacheTestCase{
-		{"file", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
-
+		{"file", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			cureMany(t, c, []cureStep{
 				{"short", pkg.NewFile("null", []byte{0}), base.Append(
 					"identifier",

internal/pkg/ir_test.go

@@ -85,7 +85,7 @@ func TestIRRoundtrip(t *testing.T) {
 	testCasesCache := make([]cacheTestCase, len(testCases))
 	for i, tc := range testCases {
 		want := tc.a
-		testCasesCache[i] = cacheTestCase{tc.name, nil,
+		testCasesCache[i] = cacheTestCase{tc.name, 0, nil,
 			func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 				r, w := io.Pipe()
 

internal/pkg/net_test.go

@@ -32,7 +32,7 @@ func TestHTTPGet(t *testing.T) {
 	}))
 
 	checkWithCache(t, []cacheTestCase{
-		{"direct", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"direct", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			var r pkg.RContext
 			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
 			reflect.NewAt(
@@ -94,7 +94,7 @@ func TestHTTPGet(t *testing.T) {
 			}
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
 
-		{"cure", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"cure", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			var r pkg.RContext
 			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
 			reflect.NewAt(

internal/pkg/pkg.go

@@ -13,7 +13,6 @@ import (
 	"hash"
 	"io"
 	"io/fs"
-	"iter"
 	"maps"
 	"os"
 	"path/filepath"
@@ -331,23 +330,6 @@ type FloodArtifact interface {
 	Artifact
 }
 
-// Flood returns an iterator over the dependency tree of an [Artifact].
-func Flood(a Artifact) iter.Seq[Artifact] {
-	return func(yield func(Artifact) bool) {
-		for _, d := range a.Dependencies() {
-			if !yield(d) {
-				return
-			}
-
-			for d0 := range Flood(d) {
-				if !yield(d0) {
-					return
-				}
-			}
-		}
-	}
-}
-
 // TrivialArtifact refers to an [Artifact] that cures without requiring that
 // any other [Artifact] is cured before it. Its dependency tree is ignored after
 // computing its identifier.
@@ -506,6 +488,49 @@ type pendingArtifactDep struct {
 	*sync.WaitGroup
 }
 
+const (
+	// CValidateKnown arranges for [KnownChecksum] outcomes to be validated to
+	// match its intended checksum.
+	//
+	// A correct implementation of [KnownChecksum] does not successfully cure
+	// with output not matching its intended checksum. When an implementation
+	// fails to perform this validation correctly, the on-disk format enters
+	// an inconsistent state (correctable by [Cache.Scrub]).
+	//
+	// This flag causes [Cache.Cure] to always compute the checksum, and reject
+	// a cure if it does not match the intended checksum.
+	//
+	// This behaviour significantly reduces performance and is not recommended
+	// outside of testing a custom [Artifact] implementation.
+	CValidateKnown = 1 << iota
+
+	// CSchedIdle arranges for the [ext.SCHED_IDLE] scheduling priority to be
+	// set for [KindExec] and [KindExecNet] containers.
+	CSchedIdle
+
+	// CAssumeChecksum enables the use of [KnownChecksum] for duplicate function
+	// call suppression via the on-disk cache.
+	//
+	// This may cause incorrect cure outcome if an impossible checksum is
+	// specified that matches an output already present in the on-disk cache.
+	// This may be avoided by purposefully specifying a statistically
+	// unattainable checksum, like the zero value.
+	//
+	// While this optimisation might seem appealing, it is almost never
+	// applicable in real world use. Almost every time this path was taken, it
+	// was caused by an incorrect checksum accidentally left behind while
+	// bumping a package. Only enable this if you are really sure you need it.
+	CAssumeChecksum
+
+	// CHostAbstract disables restriction of sandboxed processes from connecting
+	// to an abstract UNIX socket created by a host process.
+	//
+	// This is considered less secure in some systems, but does not introduce
+	// impurity due to [KindExecNet] being [KnownChecksum]. This flag exists
+	// to support kernels without Landlock LSM enabled.
+	CHostAbstract
+)
+
 // Cache is a support layer that implementations of [Artifact] can use to store
 // cured [Artifact] data in a content addressed fashion.
 type Cache struct {
@@ -525,12 +550,8 @@ type Cache struct {
 
 	// Directory where all [Cache] related files are placed.
 	base *check.Absolute
-
-	// Whether to validate [FileArtifact.Cure] for a [KnownChecksum] file. This
-	// significantly reduces performance.
-	strict bool
-	// Maximum size of a dependency graph.
-	threshold uintptr
+	// Immutable cure options set by [Open].
+	flags int
 
 	// Artifact to [unique.Handle] of identifier cache.
 	artifact sync.Map
@@ -563,22 +584,6 @@ type Cache struct {
 	inExec atomic.Bool
 }
 
-// IsStrict returns whether the [Cache] strictly verifies checksums.
-func (c *Cache) IsStrict() bool { return c.strict }
-
-// SetStrict sets whether the [Cache] strictly verifies checksums, even when
-// the implementation promises to validate them internally. This significantly
-// reduces performance and is not recommended outside of testing.
-//
-// This method is not safe for concurrent use with any other method.
-func (c *Cache) SetStrict(strict bool) { c.strict = strict }
-
-// SetThreshold imposes a maximum size on the dependency graph, checked on every
-// call to Cure. The zero value disables this check entirely.
-//
-// This method is not safe for concurrent use with any other method.
-func (c *Cache) SetThreshold(threshold uintptr) { c.threshold = threshold }
-
 // extIdent is a [Kind] concatenated with [ID].
 type extIdent [wordSize + len(ID{})]byte
 
@@ -1058,7 +1063,7 @@ func (c *Cache) finaliseIdent(
 // [FileArtifact] to the filesystem. If err is nil, the caller is responsible
 // for closing the resulting [io.ReadCloser].
 func (c *Cache) openFile(f FileArtifact) (r io.ReadCloser, err error) {
-	if kc, ok := f.(KnownChecksum); ok {
+	if kc, ok := f.(KnownChecksum); c.flags&CAssumeChecksum != 0 && ok {
 		c.checksumMu.RLock()
 		r, err = os.Open(c.base.Append(
 			dirChecksum,
@@ -1229,14 +1234,6 @@ func (e InvalidArtifactError) Error() string {
 	return "artifact " + Encode(e) + " cannot be cured"
 }
 
-// DependencyError refers to an artifact with a dependency tree larger than the
-// threshold specified by a previous call to [Cache.SetThreshold].
-type DependencyError struct{ A Artifact }
-
-func (e DependencyError) Error() string {
-	return "artifact has too many dependencies"
-}
-
 // Cure cures the [Artifact] and returns its pathname and [Checksum]. Direct
 // calls to Cure are not subject to the cures limit.
 func (c *Cache) Cure(a Artifact) (
@@ -1252,18 +1249,6 @@ func (c *Cache) Cure(a Artifact) (
 	default:
 	}
 
-	if c.threshold > 0 {
-		var n uintptr
-		for range Flood(a) {
-			if n == c.threshold {
-				err = DependencyError{a}
-				return
-			}
-			n++
-		}
-		c.msg.Verbosef("visited %d artifacts", n)
-	}
-
 	return c.cure(a, true)
 }
 
@@ -1521,16 +1506,18 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 			checksums,
 		)
 
-		c.checksumMu.RLock()
-		checksumFi, err = os.Stat(checksumPathname.String())
-		c.checksumMu.RUnlock()
+		if c.flags&CAssumeChecksum != 0 {
+			c.checksumMu.RLock()
+			checksumFi, err = os.Stat(checksumPathname.String())
+			c.checksumMu.RUnlock()
 
-		if err != nil {
-			if !errors.Is(err, os.ErrNotExist) {
-				return
+			if err != nil {
+				if !errors.Is(err, os.ErrNotExist) {
+					return
+				}
+
+				checksumFi, err = nil, nil
 			}
-
-			checksumFi, err = nil, nil
 		}
 	}
 
@@ -1586,7 +1573,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		}
 		r, err = f.Cure(&RContext{common{c}})
 		if err == nil {
-			if checksumPathname == nil || c.IsStrict() {
+			if checksumPathname == nil || c.flags&CValidateKnown != 0 {
 				h := sha512.New384()
 				hbw := c.getWriter(h)
 				_, err = io.Copy(w, io.TeeReader(r, hbw))
@@ -1603,7 +1590,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 					if checksumPathname == nil {
 						checksum = unique.Make(Checksum(buf[:]))
 						checksums = Encode(Checksum(buf[:]))
-					} else if c.IsStrict() {
+					} else if c.flags&CValidateKnown != 0 {
 						if got := Checksum(buf[:]); got != checksum.Value() {
 							err = &ChecksumMismatchError{
 								Got:  got,
@@ -1841,10 +1828,10 @@ func (c *Cache) Close() {
 func Open(
 	ctx context.Context,
 	msg message.Msg,
-	cures int,
+	flags, cures int,
 	base *check.Absolute,
 ) (*Cache, error) {
-	return open(ctx, msg, cures, base, true)
+	return open(ctx, msg, flags, cures, base, true)
 }
 
 // open implements Open but allows omitting the [lockedfile] lock when called
@@ -1852,7 +1839,7 @@ func Open(
 func open(
 	ctx context.Context,
 	msg message.Msg,
-	cures int,
+	flags, cures int,
 	base *check.Absolute,
 	lock bool,
 ) (*Cache, error) {
@@ -1874,6 +1861,7 @@ func open(
 
 	c := Cache{
 		cures: make(chan struct{}, cures),
+		flags: flags,
 
 		msg:  msg,
 		base: base,

internal/pkg/pkg_test.go

@@ -24,6 +24,8 @@ import (
 	"hakurei.app/check"
 	"hakurei.app/container"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/stub"
 	"hakurei.app/message"
@@ -33,7 +35,7 @@ import (
 func unsafeOpen(
 	ctx context.Context,
 	msg message.Msg,
-	cures int,
+	flags, cures int,
 	base *check.Absolute,
 	lock bool,
 ) (*pkg.Cache, error)
@@ -228,7 +230,7 @@ func TestIdent(t *testing.T) {
 	var cache *pkg.Cache
 	if a, err := check.NewAbs(t.TempDir()); err != nil {
 		t.Fatal(err)
-	} else if cache, err = pkg.Open(t.Context(), msg, 0, a); err != nil {
+	} else if cache, err = pkg.Open(t.Context(), msg, 0, 0, a); err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(cache.Close)
@@ -252,6 +254,7 @@ func TestIdent(t *testing.T) {
 // on test completion.
 type cacheTestCase struct {
 	name  string
+	flags int
 	early func(t *testing.T, base *check.Absolute)
 	f     func(t *testing.T, base *check.Absolute, c *pkg.Cache)
 	want  pkg.Checksum
@@ -288,8 +291,20 @@ func checkWithCache(t *testing.T, testCases []cacheTestCase) {
 			msg := message.New(log.New(os.Stderr, "cache: ", 0))
 			msg.SwapVerbose(testing.Verbose())
 
+			flags := tc.flags
+
+			if info.CanDegrade {
+				if _, err := landlock.GetABI(); err != nil {
+					if !errors.Is(err, syscall.ENOSYS) {
+						t.Fatalf("LandlockGetABI: error = %v", err)
+					}
+					flags |= pkg.CHostAbstract
+					t.Log("Landlock LSM is unavailable, setting CHostAbstract")
+				}
+			}
+
 			var scrubFunc func() error // scrub after hashing
-			if c, err := pkg.Open(t.Context(), msg, 1<<4, base); err != nil {
+			if c, err := pkg.Open(t.Context(), msg, flags, 1<<4, base); err != nil {
 				t.Fatalf("Open: error = %v", err)
 			} else {
 				t.Cleanup(c.Close)
@@ -468,9 +483,7 @@ func TestCache(t *testing.T) {
 	}()
 
 	testCases := []cacheTestCase{
-		{"file", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
-
+		{"file", pkg.CValidateKnown | pkg.CAssumeChecksum, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			identifier := (pkg.ID)(bytes.Repeat([]byte{
 				0x75, 0xe6, 0x9d, 0x6d, 0xe7, 0x9f,
 			}, 8))
@@ -593,7 +606,7 @@ func TestCache(t *testing.T) {
 			if c0, err := unsafeOpen(
 				t.Context(),
 				message.New(nil),
-				0, base, false,
+				0, 0, base, false,
 			); err != nil {
 				t.Fatalf("open: error = %v", err)
 			} else {
@@ -627,7 +640,7 @@ func TestCache(t *testing.T) {
 			}
 		}, pkg.MustDecode("St9rlE-mGZ5gXwiv_hzQ_B8bZP-UUvSNmf4nHUZzCMOumb6hKnheZSe0dmnuc4Q2")},
 
-		{"directory", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"directory", pkg.CAssumeChecksum, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			id := pkg.MustDecode(
 				"HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY",
 			)
@@ -804,9 +817,7 @@ func TestCache(t *testing.T) {
 			})
 		}, pkg.MustDecode("WVpvsVqVKg9Nsh744x57h51AuWUoUR2nnh8Md-EYBQpk6ziyTuUn6PLtF2e0Eu_d")},
 
-		{"pending", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			c.SetStrict(true)
-
+		{"pending", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			wantErr := stub.UniqueError(0xcafe)
 			n, ready := make(chan struct{}), make(chan struct{})
 			go func() {
@@ -876,7 +887,54 @@ func TestCache(t *testing.T) {
 			<-wCureDone
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
 
-		{"scrub", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"no assume checksum", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			makeGarbage := func(work *check.Absolute, wantErr error) error {
+				if err := os.Mkdir(work.String(), 0700); err != nil {
+					return err
+				}
+
+				if err := os.WriteFile(work.Append(
+					"check",
+				).String(), nil, 0400); err != nil {
+					return err
+				}
+
+				return wantErr
+			}
+
+			wantChecksum := pkg.MustDecode("Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")
+
+			cureMany(t, c, []cureStep{
+				{"create", overrideChecksum{wantChecksum, overrideIdent{pkg.ID{0xff, 0}, &stubArtifact{
+					kind: pkg.KindTar,
+					cure: func(t *pkg.TContext) error {
+						return makeGarbage(t.GetWorkDir(), nil)
+					},
+				}}}, base.Append(
+					"identifier",
+					pkg.Encode(pkg.ID{0xff, 0}),
+				), wantChecksum, nil},
+
+				{"reject", overrideChecksum{wantChecksum, overrideIdent{pkg.ID{0xfe, 1}, &stubArtifact{
+					kind: pkg.KindTar,
+					cure: func(t *pkg.TContext) error {
+						return makeGarbage(t.GetWorkDir(), stub.UniqueError(0xbad))
+					},
+				}}}, nil, pkg.Checksum{}, stub.UniqueError(0xbad)},
+
+				{"match", overrideChecksum{wantChecksum, overrideIdent{pkg.ID{0xff, 1}, &stubArtifact{
+					kind: pkg.KindTar,
+					cure: func(t *pkg.TContext) error {
+						return makeGarbage(t.GetWorkDir(), nil)
+					},
+				}}}, base.Append(
+					"identifier",
+					pkg.Encode(pkg.ID{0xff, 1}),
+				), wantChecksum, nil},
+			})
+		}, pkg.MustDecode("OC290t23aimNo2Rp2pPwan5GI2KRLRdOwYxXQMD9jw0QROgHnNXWodoWdV0hwu2w")},
+
+		{"scrub", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			cureMany(t, c, []cureStep{
 				{"bad measured file", newStubFile(
 					pkg.KindHTTPGet,
@@ -1182,7 +1240,7 @@ func (a earlyFailureF) Cure(*pkg.FContext) error {
 
 func TestDependencyCureErrorEarly(t *testing.T) {
 	checkWithCache(t, []cacheTestCase{
-		{"early", nil, func(t *testing.T, _ *check.Absolute, c *pkg.Cache) {
+		{"early", 0, nil, func(t *testing.T, _ *check.Absolute, c *pkg.Cache) {
 			_, _, err := c.Cure(earlyFailureF(8))
 			if !errors.Is(err, stub.UniqueError(0xcafe)) {
 				t.Fatalf("Cure: error = %v", err)
@@ -1205,7 +1263,7 @@ func TestNew(t *testing.T) {
 		if _, err := pkg.Open(
 			t.Context(),
 			message.New(nil),
-			0, check.MustAbs(container.Nonexistent),
+			0, 0, check.MustAbs(container.Nonexistent),
 		); !reflect.DeepEqual(err, wantErr) {
 			t.Errorf("Open: error = %#v, want %#v", err, wantErr)
 		}
@@ -1233,7 +1291,7 @@ func TestNew(t *testing.T) {
 		if _, err := pkg.Open(
 			t.Context(),
 			message.New(nil),
-			0, tempDir.Append("cache"),
+			0, 0, tempDir.Append("cache"),
 		); !reflect.DeepEqual(err, wantErr) {
 			t.Errorf("Open: error = %#v, want %#v", err, wantErr)
 		}

internal/pkg/tar_test.go

@@ -21,7 +21,7 @@ func TestTar(t *testing.T) {
 	t.Parallel()
 
 	checkWithCache(t, []cacheTestCase{
-		{"http", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"http", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			checkTarHTTP(t, base, c, fstest.MapFS{
 				".": {Mode: fs.ModeDir | 0700},
 
@@ -42,7 +42,7 @@ func TestTar(t *testing.T) {
 			))
 		}, pkg.MustDecode("NQTlc466JmSVLIyWklm_u8_g95jEEb98PxJU-kjwxLpfdjwMWJq0G8ze9R4Vo1Vu")},
 
-		{"http expand", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"http expand", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			checkTarHTTP(t, base, c, fstest.MapFS{
 				".": {Mode: fs.ModeDir | 0700},
 

internal/rosa/all.go

@@ -47,6 +47,7 @@ const (
 	Bison
 	Bzip2
 	CMake
+	Connman
 	Coreutils
 	Curl
 	DBus
@@ -63,6 +64,7 @@ const (
 	GenInitCPIO
 	Gettext
 	Git
+	GnuTLS
 	Go
 	Gperf
 	Grep
@@ -129,6 +131,7 @@ const (
 	PythonPygments
 	QEMU
 	Rdfind
+	Readline
 	Rsync
 	Sed
 	Setuptools
@@ -304,6 +307,17 @@ var (
 	artifactsOnce [_toolchainEnd][len(artifactsM)]sync.Once
 )
 
+// zero zeros the value pointed to by p.
+func zero[T any](p *T) { var v T; *p = v }
+
+// DropCaches arranges for all cached [pkg.Artifact] to be freed some time after
+// it returns. Must not be used concurrently with any other function from this
+// package.
+func DropCaches() {
+	zero(&artifacts)
+	zero(&artifactsOnce)
+}
+
 // GetMetadata returns [Metadata] of a [PArtifact].
 func GetMetadata(p PArtifact) *Metadata { return &artifactsM[p] }
 

internal/rosa/all_test.go

@@ -19,6 +19,18 @@ func TestLoad(t *testing.T) {
 	}
 }
 
+func BenchmarkAll(b *testing.B) {
+	for b.Loop() {
+		for i := range rosa.PresetEnd {
+			rosa.Std.Load(rosa.PArtifact(i))
+		}
+
+		b.StopTimer()
+		rosa.DropCaches()
+		b.StartTimer()
+	}
+}
+
 func TestResolveName(t *testing.T) {
 	t.Parallel()
 

internal/rosa/cmake.go

@@ -10,8 +10,8 @@ import (
 
 func (t Toolchain) newCMake() (pkg.Artifact, string) {
 	const (
-		version  = "4.3.0"
-		checksum = "amBtnY2eGsEdlrB-cTRuOESBTsIqtyaxWlEKNlnp2EWLwAKWINjssilo4KXE6El9"
+		version  = "4.3.1"
+		checksum = "RHpzZiM1kJ5bwLjo9CpXSeHJJg3hTtV9QxBYpQoYwKFtRh5YhGWpShrqZCSOzQN6"
 	)
 	return t.NewPackage("cmake", version, pkg.NewHTTPGetTar(
 		nil, "https://github.com/Kitware/CMake/releases/download/"+

internal/rosa/connman.go

@@ -0,0 +1,109 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+func (t Toolchain) newConnman() (pkg.Artifact, string) {
+	const (
+		version  = "2.0"
+		checksum = "MhVTdJOhndnZn2SWd8URKo_Pj7Zvc14tntEbrVOf9L3yVWJvpb3v3Q6104tWJgtW"
+	)
+	return t.NewPackage("connman", version, pkg.NewHTTPGetTar(
+		nil, "https://git.kernel.org/pub/scm/network/connman/connman.git/"+
+			"snapshot/connman-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	), &PackageAttr{
+		Patches: []KV{
+			{"alpine-musl-res", `musl does not implement res_ninit
+
+--- a/gweb/gresolv.c
++++ b/gweb/gresolv.c
+@@ -877,8 +877,6 @@
+ 	resolv->index = index;
+ 	resolv->nameserver_list = NULL;
+ 
+-	res_ninit(&resolv->res);
+-
+ 	return resolv;
+ }
+ 
+@@ -918,8 +916,6 @@
+ 
+ 	flush_nameservers(resolv);
+ 
+-	res_nclose(&resolv->res);
+-
+ 	g_free(resolv);
+ }
+ 
+@@ -1022,24 +1018,19 @@
+ 	debug(resolv, "hostname %s", hostname);
+ 
+ 	if (!resolv->nameserver_list) {
+-		int i;
+-
+-		for (i = 0; i < resolv->res.nscount; i++) {
+-			char buf[100];
+-			int family = resolv->res.nsaddr_list[i].sin_family;
+-			void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;
+-
+-			if (family != AF_INET &&
+-					resolv->res._u._ext.nsaddrs[i]) {
+-				family = AF_INET6;
+-				sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
++		FILE *f = fopen("/etc/resolv.conf", "r");
++		if (f) {
++			char line[256], *s;
++			int i;
++			while (fgets(line, sizeof(line), f)) {
++				if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
++					continue;
++				for (s = &line[11]; isspace(s[0]); s++);
++				for (i = 0; s[i] && !isspace(s[i]); i++);
++				s[i] = 0;
++				g_resolv_add_nameserver(resolv, s, 53, 0);
+ 			}
+-
+-			if (family != AF_INET && family != AF_INET6)
+-				continue;
+-
+-			if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
+-				g_resolv_add_nameserver(resolv, buf, 53, 0);
++			fclose(f);
+ 		}
+ 
+ 		if (!resolv->nameserver_list)
+`},
+		},
+	}, &MakeHelper{
+		Generate: "./bootstrap",
+	},
+		Automake,
+		Libtool,
+		PkgConfig,
+
+		DBus,
+		IPTables,
+		GnuTLS,
+		Readline,
+		KernelHeaders,
+	), version
+}
+func init() {
+	artifactsM[Connman] = Metadata{
+		f: Toolchain.newConnman,
+
+		Name:        "connman",
+		Description: "a daemon for managing Internet connections",
+		Website:     "https://git.kernel.org/pub/scm/network/connman/connman.git/",
+
+		Dependencies: P{
+			DBus,
+			IPTables,
+			GnuTLS,
+			Readline,
+		},
+
+		ID: 337,
+	}
+}

internal/rosa/git.go

@@ -105,7 +105,9 @@ func (t Toolchain) NewViaGit(
 git \
 	-c advice.detachedHead=false \
 	clone \
+	--depth=1 \
 	--revision=`+rev+` \
+	--shallow-submodules \
 	--recurse-submodules \
 	`+url+` \
 	/work

internal/rosa/gnu.go

@@ -1,6 +1,10 @@
 package rosa
 
-import "hakurei.app/internal/pkg"
+import (
+	"runtime"
+
+	"hakurei.app/internal/pkg"
+)
 
 func (t Toolchain) newM4() (pkg.Artifact, string) {
 	const (
@@ -754,8 +758,8 @@ func init() {
 
 func (t Toolchain) newParallel() (pkg.Artifact, string) {
 	const (
-		version  = "20260222"
-		checksum = "4wxjMi3G2zMxr9hvLcIn6D7_12A3e5UNObeTPhzn7mDAYwsZApmmkxfGPyllQQ7E"
+		version  = "20260322"
+		checksum = "gHoPmFkOO62ev4xW59HqyMlodhjp8LvTsBOwsVKHUUdfrt7KwB8koXmSVqQ4VOrB"
 	)
 	return t.NewPackage("parallel", version, pkg.NewHTTPGetTar(
 		nil, "https://ftpmirror.gnu.org/gnu/parallel/parallel-"+version+".tar.bz2",
@@ -837,6 +841,222 @@ func init() {
 	}
 }
 
+func (t Toolchain) newReadline() (pkg.Artifact, string) {
+	const (
+		version  = "8.3"
+		checksum = "r-lcGRJq_MvvBpOq47Z2Y1OI2iqrmtcqhTLVXR0xWo37ZpC2uT_md7gKq5o_qTMV"
+	)
+	return t.NewPackage("readline", version, pkg.NewHTTPGetTar(
+		nil, "https://ftp.gnu.org/gnu/readline/readline-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	), nil, &MakeHelper{
+		Configure: []KV{
+			{"with-curses"},
+			{"with-shared-termcap-library"},
+		},
+	},
+		Ncurses,
+	), version
+}
+func init() {
+	artifactsM[Readline] = Metadata{
+		f: Toolchain.newReadline,
+
+		Name:        "readline",
+		Description: "provides a set of functions for use by applications that allow users to edit command lines as they are typed in",
+		Website:     "https://tiswww.cwru.edu/php/chet/readline/rltop.html",
+
+		Dependencies: P{
+			Ncurses,
+		},
+
+		ID: 4173,
+	}
+}
+
+func (t Toolchain) newGnuTLS() (pkg.Artifact, string) {
+	const (
+		version  = "3.8.12"
+		checksum = "VPdP-nRydQQRJcnma-YA7CJYA_kzTJ2rb3QFeP6D27emSyInJ8sQ-Wzn518I38dl"
+	)
+
+	var configureExtra []KV
+	switch runtime.GOARCH {
+	case "arm64":
+		configureExtra = []KV{
+			{"disable-hardware-acceleration"},
+		}
+	}
+
+	return t.NewPackage("gnutls", version, t.NewViaGit(
+		"https://gitlab.com/gnutls/gnutls.git",
+		"refs/tags/"+version,
+		mustDecode(checksum),
+	), &PackageAttr{
+		Patches: []KV{
+			{"bootstrap-remove-gtk-doc", `diff --git a/bootstrap.conf b/bootstrap.conf
+index 1c3cc61e6..32bae9387 100644
+--- a/bootstrap.conf
++++ b/bootstrap.conf
+@@ -50,7 +50,6 @@ bison      2.4
+ gettext    0.17
+ git        1.4.4
+ gperf      -
+-gtkdocize  -
+ perl       5.5
+ wget       -
+ "
+diff --git a/configure.ac b/configure.ac
+index 5057536e5..731558a15 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -403,11 +403,6 @@ if test "$enable_fuzzer_target" != "no";then
+ 	AC_DEFINE([FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], 1, [Enable fuzzer target -not for production])
+ fi
+ 
+-dnl
+-dnl check for gtk-doc
+-dnl
+-GTK_DOC_CHECK([1.14],[--flavour no-tmpl])
+-
+ AM_GNU_GETTEXT([external])
+ AM_GNU_GETTEXT_VERSION([0.19])
+ m4_ifdef([AM_GNU_GET][TEXT_REQUIRE_VERSION],[
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index fb1390d70..52f0ad9af 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -33,9 +33,6 @@ IMAGES = \
+ 	pkcs11-vision.png
+ 
+ SUBDIRS = examples scripts credentials latex
+-if ENABLE_GTK_DOC
+-SUBDIRS += reference
+-endif
+ 
+ -include $(top_srcdir)/doc/doc.mk
+ 
+diff --git a/doc/reference/Makefile.am b/doc/reference/Makefile.am
+index f10c8ed3c..b711b58ec 100644
+--- a/doc/reference/Makefile.am
++++ b/doc/reference/Makefile.am
+@@ -82,13 +82,4 @@ include $(top_srcdir)/gtk-doc.make
+ # e.g. EXTRA_DIST += version.xml.in
+ EXTRA_DIST += version.xml.in
+ 
+-# Comment this out if you want 'make check' to test you doc status
+-# and run some sanity checks
+-if ENABLE_GTK_DOC
+-TESTS_ENVIRONMENT = \
+-  DOC_MODULE=$(DOC_MODULE) DOC_MAIN_SGML_FILE=$(DOC_MAIN_SGML_FILE) \
+-  SRCDIR=$(abs_srcdir) BUILDDIR=$(abs_builddir)
+-#TESTS = $(GTKDOC_CHECK)
+-endif
+-
+ -include $(top_srcdir)/git.mk
+`},
+
+			{"alpine-tests-certtool", `I think this tests is simply wrong.
+When a PIN is given, the program should run in batch mode.
+So the question for "Enter password" should _not_ be present.
+
+DO NOT REMOVE UNLESS VERIFIED IT'S NOT ACTUALLY NECESSARY ANYMORE.
+
+--- a/tests/cert-tests/certtool.sh	2019-02-07 07:33:45.960887338 +0000
++++ b/tests/cert-tests/certtool.sh	2019-02-07 07:36:14.550955051 +0000
+@@ -49,7 +49,7 @@
+ 
+ 	#check whether password is being honoured
+ 	#some CI runners need GNUTLS_PIN (GNUTLS_PIN=${PASS})
+-	${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF
++	GNUTLS_PIN=${PASS} ${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF
+ $PASS
+ EOF
+ 	if test $? != 0;then
+@@ -59,7 +59,7 @@
+ 	fi
+ 
+ 	grep "Enter password" ${TMPFILE2} >/dev/null 2>&1
+-	if test $? != 0;then
++	if test $? != 1; then
+ 		cat ${TMPFILE2}
+ 		echo "No password was asked"
+ 		exit 1
+`},
+
+			{"test-kernel-version-ksh", `diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
+index 1b78b8cf1..350156a86 100644
+--- a/tests/scripts/common.sh
++++ b/tests/scripts/common.sh
+@@ -279,10 +279,6 @@ kernel_version_check() {
+ 	kernel_major=$(echo $kernel_version | cut -d. -f1 2>/dev/null)
+ 	kernel_minor=$(echo $kernel_version | cut -d. -f2 2>/dev/null)
+ 
+-	if ! [[ "$kernel_major" =~ ^[0-9]+$ ]] || ! [[ "$kernel_minor" =~ ^[0-9]+$ ]]; then
+-		return 1
+-	fi
+-
+ 	if [ "$kernel_major" -lt "$required_major" ]; then
+ 		return 1
+ 	fi
+`},
+		},
+	}, &MakeHelper{
+		Generate: "./bootstrap --skip-po --no-git --gnulib-srcdir=gnulib",
+
+		Configure: append([]KV{
+			{"disable-doc"},
+			{"disable-openssl-compatibility"},
+
+			{"with-default-trust-store-file", "/system/etc/ssl/certs/ca-bundle.crt"},
+			{"with-default-trust-store-pkcs11", "pkcs11:"},
+
+			{"with-zlib", "link"},
+			{"with-zstd", "link"},
+		}, configureExtra...),
+	},
+		Gzip,
+		Automake,
+		Libtool,
+		Bison,
+		Gettext,
+		Gperf,
+		PkgConfig,
+
+		Python,
+		Texinfo,
+		Diffutils,
+		NSSCACert,
+
+		Libev,
+		Zlib,
+		Zstd,
+		P11Kit,
+		nettle3,
+		Libunistring,
+	), version
+}
+func init() {
+	artifactsM[GnuTLS] = Metadata{
+		f: Toolchain.newGnuTLS,
+
+		Name:        "gnutls",
+		Description: "a secure communications library implementing the SSL, TLS and DTLS protocols",
+		Website:     "https://gnutls.org",
+
+		Dependencies: P{
+			Zlib,
+			Zstd,
+			P11Kit,
+			nettle3,
+			Libunistring,
+		},
+
+		ID: 1221,
+	}
+}
+
 func (t Toolchain) newBinutils() (pkg.Artifact, string) {
 	const (
 		version  = "2.46.0"
@@ -921,15 +1141,22 @@ func init() {
 func (t Toolchain) newMPC() (pkg.Artifact, string) {
 	const (
 		version  = "1.4.0"
-		checksum = "75Sgr2hcDTltHYgFaHsRGsFgW74i2jqAUS0oXaBdJYKjMj_CvEeJ1zwGbNYjEl1H"
+		checksum = "TbrxLiE3ipQrHz_F3Xzz4zqBAnkMWyjhNwIK6wh9360RZ39xMt8rxfW3LxA9SnvU"
 	)
-	return t.NewPackage("mpc", version, pkg.NewHTTPGet(
-		nil, "https://ftpmirror.gnu.org/gnu/mpc/mpc-"+version+".tar.xz",
+	return t.NewPackage("mpc", version, t.NewViaGit(
+		"https://gitlab.inria.fr/mpc/mpc.git",
+		"refs/tags/"+version,
 		mustDecode(checksum),
 	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-	}, (*MakeHelper)(nil),
-		XZ,
+		// does not find mpc-impl.h otherwise
+		EnterSource: true,
+	}, &MakeHelper{
+		InPlace:  true,
+		Generate: "autoreconf -vfi",
+	},
+		Automake,
+		Libtool,
+		Texinfo,
 
 		MPFR,
 	), version

internal/rosa/go.go

@@ -73,7 +73,7 @@ func (t Toolchain) newGoLatest() (pkg.Artifact, string) {
 	case "amd64":
 		bootstrapExtra = append(bootstrapExtra, t.newGoBootstrap())
 
-	case "arm64":
+	case "arm64", "riscv64":
 		bootstrapEnv = append(bootstrapEnv, "GOROOT_BOOTSTRAP=/system")
 		bootstrapExtra = t.AppendPresets(bootstrapExtra, gcc)
 		finalEnv = append(finalEnv, "CGO_ENABLED=0")
@@ -141,8 +141,8 @@ rm \
 	)
 
 	const (
-		version  = "1.26.1"
-		checksum = "DdC5Ea-aCYPUHNObQh_09uWU0vn4e-8Ben850Vq-5OoamDRrXhuYI4YQ_BOFgaT0"
+		version  = "1.26.2"
+		checksum = "v-6BE89_1g3xYf-9oIYpJKFXlo3xKHYJj2_VGkaUq8ZVkIVQmLwrto-xGG03OISH"
 	)
 	return t.newGo(
 		version,

internal/rosa/gtk.go

@@ -1,8 +1,6 @@
 package rosa
 
 import (
-	"strings"
-
 	"hakurei.app/fhs"
 	"hakurei.app/internal/pkg"
 )
@@ -10,16 +8,13 @@ import (
 func (t Toolchain) newGLib() (pkg.Artifact, string) {
 	const (
 		version  = "2.88.0"
-		checksum = "bCLkAmp1o_Po4cXDbC06AyjLyxkBxyNJnflwBpSdf4W8K6dc9xKj6Pm3JYbHPdDf"
+		checksum = "T79Cg4z6j-sDZ2yIwvbY4ccRv2-fbwbqgcw59F5NQ6qJT6z4v261vbYp3dHO6Ma3"
 	)
-	return t.NewPackage("glib", version, pkg.NewHTTPGet(
-		nil, "https://download.gnome.org/sources/glib/"+
-			strings.Join(strings.SplitN(version, ".", 3)[:2], ".")+
-			"/glib-"+version+".tar.xz",
+	return t.NewPackage("glib", version, t.NewViaGit(
+		"https://gitlab.gnome.org/GNOME/glib.git",
+		"refs/tags/"+version,
 		mustDecode(checksum),
 	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-
 		Paths: []pkg.ExecPath{
 			pkg.Path(fhs.AbsEtc.Append(
 				"machine-id",
@@ -39,7 +34,6 @@ func (t Toolchain) newGLib() (pkg.Artifact, string) {
 			{"Ddefault_library", "both"},
 		},
 	},
-		XZ,
 		PythonPackaging,
 		Bash,
 

internal/rosa/kernel.go

@@ -2,12 +2,12 @@ package rosa
 
 import "hakurei.app/internal/pkg"
 
-const kernelVersion = "6.12.78"
+const kernelVersion = "6.12.80"
 
 var kernelSource = pkg.NewHTTPGetTar(
 	nil, "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"+
 		"snapshot/linux-"+kernelVersion+".tar.gz",
-	mustDecode("iUlZA-nv04TUOL0TmgDGBjaOe0sIaXTqLvuR4owYgHMZM8vecusnMMqbeuuZP4_G"),
+	mustDecode("_iJEAYoQISJxefuWZYfv0RPWUmHHIjHQw33Fapix-irXrEIREP5ruK37UJW4uMZO"),
 	pkg.TarGzip,
 )
 

internal/rosa/kernel_amd64.config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.12.78 Kernel Configuration
+# Linux/x86 6.12.80 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="clang version 22.1.2"
 CONFIG_GCC_VERSION=0

internal/rosa/kernel_arm64.config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.12.78 Kernel Configuration
+# Linux/arm64 6.12.80 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="clang version 21.1.8"
 CONFIG_GCC_VERSION=0

internal/rosa/kernel_riscv64.go

@@ -0,0 +1,8 @@
+package rosa
+
+import _ "embed"
+
+//go:embed kernel_riscv64.config
+var kernelConfig []byte
+
+const kernelName = "bzImage"

internal/rosa/libbsd.go

@@ -5,15 +5,20 @@ import "hakurei.app/internal/pkg"
 func (t Toolchain) newLibmd() (pkg.Artifact, string) {
 	const (
 		version  = "1.1.0"
-		checksum = "72w7Na04b9ji6nOe2h-Tz5JeQ6iStDZN3FOG1JNZ9M_jMO8K2FceG6DZv7lYThZJ"
+		checksum = "9apYqPPZm0j5HQT8sCsVIhnVIqRD7XgN7kPIaTwTqnTuUq5waUAMq4M7ev8CODJ1"
 	)
-	return t.NewPackage("libmd", version, pkg.NewHTTPGet(
-		nil, "https://libbsd.freedesktop.org/releases/libmd-"+version+".tar.xz",
+	return t.NewPackage("libmd", version, t.NewViaGit(
+		"https://git.hadrons.org/git/libmd.git",
+		"refs/tags/"+version,
 		mustDecode(checksum),
-	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-	}, (*MakeHelper)(nil),
-		XZ,
+	), nil, &MakeHelper{
+		Generate: "echo '" + version + "' > .dist-version && ./autogen",
+		ScriptMakeEarly: `
+install -D /usr/src/libmd/src/helper.c src/helper.c
+`,
+	},
+		Automake,
+		Libtool,
 	), version
 }
 func init() {
@@ -31,15 +36,17 @@ func init() {
 func (t Toolchain) newLibbsd() (pkg.Artifact, string) {
 	const (
 		version  = "0.12.2"
-		checksum = "MEJ9MuLai32-gSJUrfmlDgGl7rszjdSxgb3ph9AcI5jv70VwlwwXJy1kxdAixm5Y"
+		checksum = "NVS0xFLTwSP8JiElEftsZ-e1_C-IgJhHrHE77RwKt5178M7r087waO-zYx2_dfGX"
 	)
-	return t.NewPackage("libbsd", version, pkg.NewHTTPGet(
-		nil, "https://libbsd.freedesktop.org/releases/libbsd-"+version+".tar.xz",
+	return t.NewPackage("libbsd", version, t.NewViaGit(
+		"https://gitlab.freedesktop.org/libbsd/libbsd.git",
+		"refs/tags/"+version,
 		mustDecode(checksum),
-	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-	}, (*MakeHelper)(nil),
-		XZ,
+	), nil, &MakeHelper{
+		Generate: "echo '" + version + "' > .dist-version && ./autogen",
+	},
+		Automake,
+		Libtool,
 
 		Libmd,
 	), version

internal/rosa/libcap.go

@@ -4,8 +4,8 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newLibcap() (pkg.Artifact, string) {
 	const (
-		version  = "2.77"
-		checksum = "2GOTFU4cl2QoS7Dv5wh0c9-hxsQwIzMB9Y_gfAo5xKHqcM13fiHt1RbPkfemzjmB"
+		version  = "2.78"
+		checksum = "wFdUkBhFMD9InPnrBZyegWrlPSAg_9JiTBC-eSFyWWlmbzL2qjh2mKxr9Kx2a8ut"
 	)
 	return t.NewPackage("libcap", version, pkg.NewHTTPGetTar(
 		nil, "https://git.kernel.org/pub/scm/libs/libcap/libcap.git/"+

internal/rosa/libxml2.go

@@ -1,26 +1,22 @@
 package rosa
 
-import (
-	"strings"
-
-	"hakurei.app/internal/pkg"
-)
+import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newLibxml2() (pkg.Artifact, string) {
 	const (
 		version  = "2.15.2"
-		checksum = "xba8VCofMsbWmQypA2__M9_RXNq9HDEuccjib6-tOni6OPngplRoAsYdY3NdYf8o"
+		checksum = "zwQvCIBnjzUFY-inX5ckfNT3mIezsCRV55C_Iztde5OnRTB3u33lfO5h03g7DK_8"
 	)
-	return t.NewPackage("libxml2", version, pkg.NewHTTPGet(
-		nil, "https://download.gnome.org/sources/libxml2/"+
-			strings.Join(strings.Split(version, ".")[:2], ".")+
-			"/libxml2-"+version+".tar.xz",
+	return t.NewPackage("libxml2", version, t.NewViaGit(
+		"https://gitlab.gnome.org/GNOME/libxml2.git",
+		"refs/tags/v"+version,
 		mustDecode(checksum),
 	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-	}, (*MakeHelper)(nil),
+		// can't create shell.out: Read-only file system
+		Writable: true,
+	}, (*MesonHelper)(nil),
+		Git,
 		Diffutils,
-		XZ,
 	), version
 }
 func init() {

internal/rosa/libxslt.go

@@ -1,28 +1,24 @@
 package rosa
 
-import (
-	"strings"
-
-	"hakurei.app/internal/pkg"
-)
+import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newLibxslt() (pkg.Artifact, string) {
 	const (
 		version  = "1.1.45"
-		checksum = "vw72UbREQnA3YDYuZ9-93hDr9BYCaKV6oh_U4Kt4n1Js_na4E-nFj-ksZnZ0kvEK"
+		checksum = "MZc_dyUWpHChkWDKa5iycrECxBsRd4ZMbYfL4VojTbung593mlH2tHGmxYB6NFYT"
 	)
-	return t.NewPackage("libxslt", version, pkg.NewHTTPGet(
-		nil, "https://download.gnome.org/sources/libxslt/"+
-			strings.Join(strings.Split(version, ".")[:2], ".")+
-			"/libxslt-"+version+".tar.xz",
+	return t.NewPackage("libxslt", version, t.NewViaGit(
+		"https://gitlab.gnome.org/GNOME/libxslt.git",
+		"refs/tags/v"+version,
 		mustDecode(checksum),
-	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-	}, &MakeHelper{
+	), nil, &MakeHelper{
+		Generate: "NOCONFIGURE=1 ./autogen.sh",
+
 		// python libxml2 cyclic dependency
 		SkipCheck: true,
 	},
-		XZ,
+		Automake,
+		Libtool,
 		Python,
 		PkgConfig,
 

internal/rosa/llvm.go

@@ -13,8 +13,8 @@ import (
 // llvmAttr holds the attributes that will be applied to a new [pkg.Artifact]
 // containing a LLVM variant.
 type llvmAttr struct {
-	// Passed through to PackageAttr.Flag.
-	flags int
+	// Enabled projects and runtimes.
+	pr int
 
 	// Concatenated with default environment for PackageAttr.Env.
 	env []string
@@ -24,8 +24,6 @@ type llvmAttr struct {
 	append []string
 	// Passed through to PackageAttr.NonStage0.
 	nonStage0 []pkg.Artifact
-	// Passed through to PackageAttr.Paths.
-	paths []pkg.ExecPath
 	// Concatenated with default fixup for CMakeHelper.Script.
 	script string
 
@@ -75,19 +73,18 @@ func llvmFlagName(flag int) string {
 
 // newLLVMVariant returns a [pkg.Artifact] containing a LLVM variant.
 func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
-
 	if attr == nil {
 		panic("LLVM attr must be non-nil")
 	}
 
 	var projects, runtimes []string
 	for i := 1; i < llvmProjectAll; i <<= 1 {
-		if attr.flags&i != 0 {
+		if attr.pr&i != 0 {
 			projects = append(projects, llvmFlagName(i))
 		}
 	}
 	for i := (llvmProjectAll + 1) << 1; i < llvmRuntimeAll; i <<= 1 {
-		if attr.flags&i != 0 {
+		if attr.pr&i != 0 {
 			runtimes = append(runtimes, llvmFlagName(i))
 		}
 	}
@@ -126,7 +123,7 @@ func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
 		}...)
 	}
 
-	if attr.flags&llvmProjectClang != 0 {
+	if attr.pr&llvmProjectClang != 0 {
 		cache = append(cache, []KV{
 			{"CLANG_DEFAULT_LINKER", "lld"},
 			{"CLANG_DEFAULT_CXX_STDLIB", "libc++"},
@@ -134,30 +131,30 @@ func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
 			{"CLANG_DEFAULT_UNWINDLIB", "libunwind"},
 		}...)
 	}
-	if attr.flags&llvmProjectLld != 0 {
+	if attr.pr&llvmProjectLld != 0 {
 		script += `
 ln -s ld.lld /work/system/bin/ld
 `
 	}
-	if attr.flags&llvmRuntimeCompilerRT != 0 {
+	if attr.pr&llvmRuntimeCompilerRT != 0 {
 		if attr.append == nil {
 			cache = append(cache, []KV{
 				{"COMPILER_RT_USE_LLVM_UNWINDER", "ON"},
 			}...)
 		}
 	}
-	if attr.flags&llvmRuntimeLibunwind != 0 {
+	if attr.pr&llvmRuntimeLibunwind != 0 {
 		cache = append(cache, []KV{
 			{"LIBUNWIND_USE_COMPILER_RT", "ON"},
 		}...)
 	}
-	if attr.flags&llvmRuntimeLibcxx != 0 {
+	if attr.pr&llvmRuntimeLibcxx != 0 {
 		cache = append(cache, []KV{
 			{"LIBCXX_HAS_MUSL_LIBC", "ON"},
 			{"LIBCXX_USE_COMPILER_RT", "ON"},
 		}...)
 	}
-	if attr.flags&llvmRuntimeLibcxxABI != 0 {
+	if attr.pr&llvmRuntimeLibcxxABI != 0 {
 		cache = append(cache, []KV{
 			{"LIBCXXABI_USE_COMPILER_RT", "ON"},
 			{"LIBCXXABI_USE_LLVM_UNWINDER", "ON"},
@@ -170,7 +167,22 @@ ln -s ld.lld /work/system/bin/ld
 		mustDecode(llvmChecksum),
 		pkg.TarGzip,
 	), &PackageAttr{
-		Patches:   attr.patches,
+		Patches: slices.Concat(attr.patches, []KV{
+			{"increase-stack-size-unconditional", `diff --git a/llvm/lib/Support/Threading.cpp b/llvm/lib/Support/Threading.cpp
+index 9da357a7ebb9..b2931510c1ae 100644
+--- a/llvm/lib/Support/Threading.cpp
++++ b/llvm/lib/Support/Threading.cpp
+@@ -80,7 +80,7 @@ unsigned llvm::ThreadPoolStrategy::compute_thread_count() const {
+ // keyword.
+ #include "llvm/Support/thread.h"
+ 
+-#if defined(__APPLE__)
++#if defined(__APPLE__) || 1
+   // Darwin's default stack size for threads except the main one is only 512KB,
+   // which is not enough for some/many normal LLVM compilations. This implements
+   // the same interface as std::thread but requests the same stack size as the
+`},
+		}),
 		NonStage0: attr.nonStage0,
 
 		Env: slices.Concat([]string{
@@ -178,8 +190,7 @@ ln -s ld.lld /work/system/bin/ld
 			"ROSA_LLVM_RUNTIMES=" + strings.Join(runtimes, ";"),
 		}, attr.env),
 
-		Paths: attr.paths,
-		Flag:  TExclusive,
+		Flag: TExclusive,
 	}, &CMakeHelper{
 		Variant: variant,
 
@@ -201,15 +212,19 @@ ln -s ld.lld /work/system/bin/ld
 
 // newLLVM returns LLVM toolchain across multiple [pkg.Artifact].
 func (t Toolchain) newLLVM() (musl, compilerRT, runtimes, clang pkg.Artifact) {
-	var target string
-	switch runtime.GOARCH {
-	case "386", "amd64":
-		target = "X86"
-	case "arm64":
-		target = "AArch64"
+	target := "'AArch64;RISCV;X86'"
+	if t.isStage0() {
+		switch runtime.GOARCH {
+		case "386", "amd64":
+			target = "X86"
+		case "arm64":
+			target = "AArch64"
+		case "riscv64":
+			target = "RISCV"
 
-	default:
-		panic("unsupported target " + runtime.GOARCH)
+		default:
+			panic("unsupported target " + runtime.GOARCH)
+		}
 	}
 
 	minimalDeps := []KV{
@@ -231,7 +246,7 @@ func (t Toolchain) newLLVM() (musl, compilerRT, runtimes, clang pkg.Artifact) {
 			{"CMAKE_CXX_COMPILER_TARGET", ""},
 
 			{"COMPILER_RT_BUILD_BUILTINS", "ON"},
-			{"COMPILER_RT_DEFAULT_TARGET_ONLY", "ON"},
+			{"COMPILER_RT_DEFAULT_TARGET_ONLY", "OFF"},
 			{"COMPILER_RT_SANITIZERS_TO_BUILD", "asan"},
 			{"LLVM_ENABLE_PER_TARGET_RUNTIME_DIR", "ON"},
 
@@ -275,7 +290,7 @@ ln -s \
 		env: stage0ExclConcat(t, []string{},
 			"LDFLAGS="+earlyLDFLAGS(false),
 		),
-		flags: llvmRuntimeLibunwind | llvmRuntimeLibcxx | llvmRuntimeLibcxxABI,
+		pr: llvmRuntimeLibunwind | llvmRuntimeLibcxx | llvmRuntimeLibcxxABI,
 		cmake: slices.Concat([]KV{
 			// libc++ not yet available
 			{"CMAKE_CXX_COMPILER_WORKS", "ON"},
@@ -291,7 +306,7 @@ ln -s \
 	})
 
 	clang = t.newLLVMVariant("clang", &llvmAttr{
-		flags: llvmProjectClang | llvmProjectLld,
+		pr: llvmProjectClang | llvmProjectLld,
 		env: stage0ExclConcat(t, []string{},
 			"CFLAGS="+earlyCFLAGS,
 			"CXXFLAGS="+earlyCXXFLAGS(),
@@ -314,7 +329,7 @@ ln -s clang++ /work/system/bin/c++
 ninja check-all
 `,
 
-		patches: slices.Concat([]KV{
+		patches: []KV{
 			{"add-rosa-vendor", `diff --git a/llvm/include/llvm/TargetParser/Triple.h b/llvm/include/llvm/TargetParser/Triple.h
 index 9c83abeeb3b1..5acfe5836a23 100644
 --- a/llvm/include/llvm/TargetParser/Triple.h
@@ -486,7 +501,7 @@ index 64324a3f8b01..15ce70b68217 100644
                                     "/System/Library/Frameworks"};
  
 `},
-		}, clangPatches),
+		},
 	})
 
 	return

internal/rosa/llvm_amd64.go

@@ -1,4 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches []KV

internal/rosa/llvm_arm64.go

@@ -1,12 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches []KV
-
-// one version behind, latest fails 5 tests with 2 flaky on arm64
-const (
-	llvmVersionMajor = "21"
-	llvmVersion      = llvmVersionMajor + ".1.8"
-
-	llvmChecksum = "8SUpqDkcgwOPsqHVtmf9kXfFeVmjVxl4LMn-qSE1AI_Xoeju-9HaoPNGtidyxyka"
-)

internal/rosa/llvm_latest.go

@@ -1,11 +1,9 @@
-//go:build !arm64
-
 package rosa
 
 // latest version of LLVM, conditional to temporarily avoid broken new releases
 const (
 	llvmVersionMajor = "22"
-	llvmVersion      = llvmVersionMajor + ".1.2"
+	llvmVersion      = llvmVersionMajor + ".1.3"
 
-	llvmChecksum = "FwsmurWDVyYYQlOowowFjekwIGSB5__aKTpW_VGP3eWoZGXvBny-bOn1DuQ1U5xE"
+	llvmChecksum = "CUwnpzua_y28HZ9oI0NmcKL2wClsSjFpgY9do5-7cCZJHI5KNF64vfwGvY0TYyR3"
 )

internal/rosa/ncurses.go

@@ -18,6 +18,8 @@ func (t Toolchain) newNcurses() (pkg.Artifact, string) {
 		Configure: []KV{
 			{"with-pkg-config"},
 			{"enable-pc-files"},
+			{"with-shared"},
+			{"with-cxx-shared"},
 		},
 	},
 		PkgConfig,

internal/rosa/netfilter.go

@@ -53,24 +53,24 @@ func init() {
 func (t Toolchain) newLibnftnl() (pkg.Artifact, string) {
 	const (
 		version  = "1.3.1"
-		checksum = "A6EFNv2TbOcjcsXX2hQ-pKsF5FvlSh-BNEf9LrgnVH4nDjcv6NbtyHkTriz9kIEu"
+		checksum = "91ou66K-I17iX6DB6hiQkhhC_v4DFW5iDGzwjVRNbJNEmKqowLZBlh3FY-ZDO0r9"
 	)
-	return t.NewPackage("libnftnl", version, pkg.NewHTTPGet(
-		nil, "https://www.netfilter.org/projects/libnftnl/files/"+
-			"libnftnl-"+version+".tar.xz",
+	return t.NewPackage("libnftnl", version, t.NewViaGit(
+		"https://git.netfilter.org/libnftnl",
+		"refs/tags/libnftnl-"+version,
 		mustDecode(checksum),
 	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-
 		Env: []string{
 			"CFLAGS=-D_GNU_SOURCE",
 		},
 	}, &MakeHelper{
+		Generate: "./autogen.sh",
 		Configure: []KV{
 			{"enable-static"},
 		},
 	},
-		XZ,
+		Automake,
+		Libtool,
 		PkgConfig,
 
 		Libmnl,
@@ -96,15 +96,13 @@ func init() {
 func (t Toolchain) newIPTables() (pkg.Artifact, string) {
 	const (
 		version  = "1.8.13"
-		checksum = "JsNI7dyZHnHLtDkKWAxzAIMZ5t-ff3LkSPqNJsn5VM5Eq2m1bA5NKI-XfMRpQsg6"
+		checksum = "TUA-cFIAsiMvtRR-XzQvXzoIhJUOc9J2gQDJCbBRjmgmVfGfPTCf58wL7e-cUKVQ"
 	)
-	return t.NewPackage("iptables", version, pkg.NewHTTPGet(
-		nil, "https://www.netfilter.org/projects/iptables/files/"+
-			"iptables-"+version+".tar.xz",
+	return t.NewPackage("iptables", version, t.NewViaGit(
+		"https://git.netfilter.org/iptables",
+		"refs/tags/v"+version,
 		mustDecode(checksum),
 	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
-
 		ScriptEarly: `
 rm \
 	extensions/libxt_connlabel.txlate \
@@ -115,6 +113,7 @@ sed -i \
 	extensions/libebt_snat.txlate
 `,
 	}, &MakeHelper{
+		Generate: "./autogen.sh",
 		Configure: []KV{
 			{"enable-static"},
 		},
@@ -123,7 +122,8 @@ ln -s ../system/bin/bash /bin/
 chmod +w /etc/ && ln -s ../usr/src/iptables/etc/ethertypes /etc/
 		`,
 	},
-		XZ,
+		Automake,
+		Libtool,
 		PkgConfig,
 		Bash,
 		Python,

internal/rosa/openssl.go

@@ -4,8 +4,8 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newOpenSSL() (pkg.Artifact, string) {
 	const (
-		version  = "3.6.1"
-		checksum = "boMAj2SIVIFXHswZva3qHJuFEpc32rxCCu07wjMPsVe9nn_976BGMmW_5P1zthgg"
+		version  = "3.6.2"
+		checksum = "jH004dXTiE01Hp0kyShkWXwrSHEksZi4i_3v47D9H9Uz9LQ1aMwF7mrl2Tb4t_XA"
 	)
 	return t.NewPackage("openssl", version, pkg.NewHTTPGetTar(
 		nil, "https://github.com/openssl/openssl/releases/download/"+

internal/rosa/perl.go

@@ -8,8 +8,8 @@ import (
 
 func (t Toolchain) newPerl() (pkg.Artifact, string) {
 	const (
-		version  = "5.42.1"
-		checksum = "FsJVq5CZFA7nZklfUl1eC6z2ECEu02XaB1pqfHSKtRLZWpnaBjlB55QOhjKpjkQ2"
+		version  = "5.42.2"
+		checksum = "Me_xFfgkRnVyG0sE6a74TktK2OUq9Z1LVJNEu_9RdZG3S2fbjfzNiuk2SJqHAgbm"
 	)
 	return t.NewPackage("perl", version, pkg.NewHTTPGetTar(
 		nil, "https://www.cpan.org/src/5.0/perl-"+version+".tar.gz",

internal/rosa/python.go

@@ -9,8 +9,8 @@ import (
 
 func (t Toolchain) newPython() (pkg.Artifact, string) {
 	const (
-		version  = "3.14.3"
-		checksum = "ajEC32WPmn9Jvll0n4gGvlTvhMPUHb2H_j5_h9jf_esHmkZBRfAumDcKY7nTTsCH"
+		version  = "3.14.4"
+		checksum = "X0VRAAGOlCVldh4J9tRAE-YrJtDvqfQTJaqxKPXNX6YTPlwpR9GwA5WRIZDO-63s"
 	)
 	return t.NewPackage("python", version, pkg.NewHTTPGetTar(
 		nil, "https://www.python.org/ftp/python/"+version+

internal/rosa/rosa.go

@@ -56,6 +56,8 @@ func linuxArch() string {
 		return "x86_64"
 	case "arm64":
 		return "aarch64"
+	case "riscv64":
+		return "riscv64"
 
 	default:
 		panic("unsupported target " + runtime.GOARCH)

internal/rosa/rosa_test.go

@@ -60,7 +60,7 @@ func getCache(t *testing.T) *pkg.Cache {
 			msg := message.New(log.New(os.Stderr, "rosa: ", 0))
 			msg.SwapVerbose(true)
 
-			if buildTestCache, err = pkg.Open(ctx, msg, 0, a); err != nil {
+			if buildTestCache, err = pkg.Open(ctx, msg, 0, 0, a); err != nil {
 				t.Fatal(err)
 			}
 		}
@@ -91,3 +91,13 @@ func TestCureAll(t *testing.T) {
 		})
 	}
 }
+
+func BenchmarkStage3(b *testing.B) {
+	for b.Loop() {
+		rosa.Std.Load(rosa.LLVMClang)
+
+		b.StopTimer()
+		rosa.DropCaches()
+		b.StartTimer()
+	}
+}

internal/rosa/stage0.go

@@ -67,6 +67,8 @@ func NewStage0() pkg.Artifact {
 			seed = "tqM1Li15BJ-uFG8zU-XjgFxoN_kuzh1VxrSDVUVa0vGmo-NeWapSftH739sY8EAg"
 		case "arm64":
 			seed = "CJj3ZSnRyLmFHlWIQtTPQD9oikOZY4cD_mI3v_-LIYc2hhg-cq_CZFBLzQBAkFIn"
+		case "riscv64":
+			seed = "FcszJjcVWdKAnn-bt8qmUn5GUUTjv_xQjXOWkUpOplRkG3Ckob3StUoAi5KQ5-QF"
 
 		default:
 			panic("unsupported target " + runtime.GOARCH)

internal/rosa/tamago.go

@@ -8,8 +8,8 @@ import (
 
 func (t Toolchain) newTamaGo() (pkg.Artifact, string) {
 	const (
-		version  = "1.26.1"
-		checksum = "fimZnklQcYWGsTQU8KepLn-yCYaTfNdMI9DCg6NJVQv-3gOJnUEO9mqRCMAHnEXZ"
+		version  = "1.26.2"
+		checksum = "5xlhWq2NGhYCjt0y73QkydJ386lxg6-HkiO84ne6ByQSJBDat7-HSVzNA6jy7Laz"
 	)
 	return t.New("tamago-go"+version, 0, t.AppendPresets(nil,
 		Bash,

internal/rosa/util-linux.go

@@ -8,8 +8,8 @@ import (
 
 func (t Toolchain) newUtilLinux() (pkg.Artifact, string) {
 	const (
-		version  = "2.41.3"
-		checksum = "gPTd5JJ2ho_Rd0qainuogcLiiWwKSXEZPXN3yCCRl0m0KBgMaqwFuMjYgu9z8zCH"
+		version  = "2.42"
+		checksum = "Uy8Nxg9DsW5YwDoeaZeZTyQJ2YmnaaL_fSsQXsLUiFFUd7wnZeD_3SEaVO7ClJlk"
 	)
 	return t.NewPackage("util-linux", version, pkg.NewHTTPGetTar(
 		nil, "https://www.kernel.org/pub/linux/utils/util-linux/"+

internal/rosa/wayland.go

@@ -54,8 +54,8 @@ func init() {
 
 func (t Toolchain) newWaylandProtocols() (pkg.Artifact, string) {
 	const (
-		version  = "1.47"
-		checksum = "B_NodZ7AQfCstcx7kgbaVjpkYOzbAQq0a4NOk-SA8bQixAE20FY3p1-6gsbPgHn9"
+		version  = "1.48"
+		checksum = "xvfHCBIzXGwOqOu9b8dfhGw_U29Pd-g4JBwpYIaxee8SwEbxi6NaVU-Y1Q7wY4jK"
 	)
 	return t.NewPackage("wayland-protocols", version, pkg.NewHTTPGetTar(
 		nil, "https://gitlab.freedesktop.org/wayland/wayland-protocols/"+

internal/rosa/xz.go

@@ -4,8 +4,8 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newXZ() (pkg.Artifact, string) {
 	const (
-		version  = "5.8.2"
-		checksum = "rXT-XCp9R2q6cXqJ5qenp0cmGPfiENQiU3BWtUVeVgArfRmSsISeUJgvCR3zI0a0"
+		version  = "5.8.3"
+		checksum = "nCdayphPGdIdVoAZ2hR4vYlhDG9LeVKho_i7ealTud4Vxy5o5dWe0VwFlN7utuUL"
 	)
 	return t.NewPackage("xz", version, pkg.NewHTTPGetTar(
 		nil, "https://github.com/tukaani-project/xz/releases/download/"+

internal/store/data.go

@@ -24,7 +24,7 @@ func entryEncode(w io.Writer, s *hst.State) error {
 }
 
 // entryDecodeHeader calls entryReadHeader, returning [hst.AppError] for a non-nil error.
-func entryDecodeHeader(r io.Reader) (hst.Enablement, error) {
+func entryDecodeHeader(r io.Reader) (hst.Enablements, error) {
 	if et, err := entryReadHeader(r); err != nil {
 		return 0, &hst.AppError{Step: "decode state header", Err: err}
 	} else {
@@ -32,20 +32,23 @@ func entryDecodeHeader(r io.Reader) (hst.Enablement, error) {
 	}
 }
 
-// entryDecode decodes [hst.State] from [io.Reader] and stores the result in the value pointed to by p.
-// entryDecode validates the embedded [hst.Config] value.
+// entryDecode decodes [hst.State] from [io.Reader] and stores the result in the
+// value pointed to by p. entryDecode validates the embedded [hst.Config] value.
 //
 // A non-nil error returned by entryDecode is of type [hst.AppError].
-func entryDecode(r io.Reader, p *hst.State) (hst.Enablement, error) {
+func entryDecode(r io.Reader, p *hst.State) (hst.Enablements, error) {
 	if et, err := entryDecodeHeader(r); err != nil {
 		return et, err
 	} else if err = gob.NewDecoder(r).Decode(&p); err != nil {
 		return et, &hst.AppError{Step: "decode state body", Err: err}
-	} else if err = p.Config.Validate(); err != nil {
+	} else if err = p.Config.Validate(hst.VAllowInsecure); err != nil {
 		return et, err
 	} else if p.Enablements.Unwrap() != et {
 		return et, &hst.AppError{Step: "validate state enablement", Err: os.ErrInvalid,
-			Msg: fmt.Sprintf("state entry %s has unexpected enablement byte %#x, %#x", p.ID.String(), byte(p.Enablements.Unwrap()), byte(et))}
+			Msg: fmt.Sprintf(
+				"state entry %s has unexpected enablement byte %#x, %#x",
+				p.ID.String(), byte(p.Enablements.Unwrap()), byte(et),
+			)}
 	} else {
 		return et, nil
 	}

internal/store/header.go

@@ -14,22 +14,25 @@ import (
 const (
 	// entryHeaderMagic are magic bytes at the beginning of the state entry file.
 	entryHeaderMagic = "\x00\xff\xca\xfe"
-	// entryHeaderRevision follows entryHeaderMagic and is incremented for revisions of the format.
+	// entryHeaderRevision follows entryHeaderMagic and is incremented for
+	// revisions of the format.
 	entryHeaderRevision = "\x00\x00"
-	// entryHeaderSize is the fixed size of the header in bytes, including the enablement byte and its complement.
+	// entryHeaderSize is the fixed size of the header in bytes, including the
+	// enablement byte and its complement.
 	entryHeaderSize = len(entryHeaderMagic+entryHeaderRevision) + 2
 )
 
-// entryHeaderEncode encodes a state entry header for a [hst.Enablement] byte.
-func entryHeaderEncode(et hst.Enablement) *[entryHeaderSize]byte {
+// entryHeaderEncode encodes a state entry header for a [hst.Enablements] byte.
+func entryHeaderEncode(et hst.Enablements) *[entryHeaderSize]byte {
 	data := [entryHeaderSize]byte([]byte(
-		entryHeaderMagic + entryHeaderRevision + string([]hst.Enablement{et, ^et}),
+		entryHeaderMagic + entryHeaderRevision + string([]hst.Enablements{et, ^et}),
 	))
 	return &data
 }
 
-// entryHeaderDecode validates a state entry header and returns the [hst.Enablement] byte.
-func entryHeaderDecode(data *[entryHeaderSize]byte) (hst.Enablement, error) {
+// entryHeaderDecode validates a state entry header and returns the
+// [hst.Enablements] byte.
+func entryHeaderDecode(data *[entryHeaderSize]byte) (hst.Enablements, error) {
 	if magic := data[:len(entryHeaderMagic)]; string(magic) != entryHeaderMagic {
 		return 0, errors.New("invalid header " + hex.EncodeToString(magic))
 	}
@@ -41,7 +44,7 @@ func entryHeaderDecode(data *[entryHeaderSize]byte) (hst.Enablement, error) {
 	if et != ^data[len(entryHeaderMagic+entryHeaderRevision)+1] {
 		return 0, errors.New("header enablement value is inconsistent")
 	}
-	return hst.Enablement(et), nil
+	return hst.Enablements(et), nil
 }
 
 // EntrySizeError is returned for a file too small to hold a state entry header.
@@ -68,8 +71,8 @@ func entryCheckFile(fi os.FileInfo) error {
 	return nil
 }
 
-// entryReadHeader reads [hst.Enablement] from an [io.Reader].
-func entryReadHeader(r io.Reader) (hst.Enablement, error) {
+// entryReadHeader reads [hst.Enablements] from an [io.Reader].
+func entryReadHeader(r io.Reader) (hst.Enablements, error) {
 	var data [entryHeaderSize]byte
 	if n, err := r.Read(data[:]); err != nil {
 		return 0, err
@@ -79,8 +82,8 @@ func entryReadHeader(r io.Reader) (hst.Enablement, error) {
 	return entryHeaderDecode(&data)
 }
 
-// entryWriteHeader writes [hst.Enablement] header to an [io.Writer].
-func entryWriteHeader(w io.Writer, et hst.Enablement) error {
+// entryWriteHeader writes [hst.Enablements] header to an [io.Writer].
+func entryWriteHeader(w io.Writer, et hst.Enablements) error {
 	_, err := w.Write(entryHeaderEncode(et)[:])
 	return err
 }

internal/store/header_test.go

@@ -20,7 +20,7 @@ func TestEntryHeader(t *testing.T) {
 	testCases := []struct {
 		name string
 		data [entryHeaderSize]byte
-		et   hst.Enablement
+		et   hst.Enablements
 		err  error
 	}{
 		{"complement mismatch", [entryHeaderSize]byte{0x00, 0xff, 0xca, 0xfe, 0x00, 0x00,