internal/pipewire: expose connection props

Unused in hakurei but could be useful when the package is moved out of internal. Signed-off-by: Ophestra <cat@gensokyo.uk>
internal/pipewire: include remaining size in recvmsg wrapper
2025-12-09 06:51:12 +09:00 · 2025-12-09 06:36:46 +09:00 · 2025-12-09 06:28:33 +09:00 · 2025-12-09 06:21:41 +09:00 · 2025-12-09 06:02:15 +09:00 · 2025-12-09 05:25:41 +09:00
211 changed files with 9755 additions and 1338 deletions
@@ -0,0 +1,2 @@
 ColumnLimit: 0
 IndentWidth: 4
@@ -2,7 +2,6 @@ name: Test
 on:
  - push
  - pull_request
 jobs:
  hakurei:
@@ -11,21 +11,25 @@ import (
 	"strconv"
 	"sync"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
 	"hakurei.app/internal/info"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
 )
 // optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
 // if it is not nil, or the original value if it is.
 //
 //go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
-func optionalErrorUnwrap(_ error) error
+func optionalErrorUnwrap(err error) error
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
@@ -88,7 +92,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagPrivateRuntime, flagPrivateTmpdir bool
-			flagWayland, flagX11, flagDBus, flagPulse bool
+			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
 		)
 		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
@@ -143,8 +147,8 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			if flagDBus {
 				et |= hst.EDBus
 			}
-			if flagPulse {
+			if flagPipeWire || flagPulse {
-				et |= hst.EPulse
+				et |= hst.EPipeWire
 			}
 			config := &hst.Config{
@@ -183,6 +187,14 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}})
 			}
 			// start pipewire-pulse: this most likely exists on host if PipeWire is available
 			if flagPulse {
 				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSDaemon{
 					Target: fhs.AbsRunUser.Append(strconv.Itoa(container.OverflowUid(msg)), "pulse/native"),
 					Exec:   shell, Args: []string{"-lc", "exec pipewire-pulse"},
 				}})
 			}
 			config.Container.Filesystem = append(config.Container.Filesystem,
 				// opportunistically bind kvm
 				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
@@ -294,8 +306,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Enable direct connection to X11").
 			Flag(&flagDBus, "dbus", command.BoolFlag(false),
 				"Enable proxied connection to D-Bus").
 			Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
 				"Enable connection to PipeWire via SecurityContext").
 			Flag(&flagPulse, "pulse", command.BoolFlag(false),
-				"Enable direct connection to PulseAudio")
+				"Enable PulseAudio compatibility daemon")
 	}
 	{
@@ -350,7 +364,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
 	}
-	c.Command("version", "Display version information", func(args []string) error { fmt.Println(internal.Version()); return errSuccess })
+	c.Command("version", "Display version information", func(args []string) error { fmt.Println(info.Version()); return errSuccess })
 	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
 	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
 	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })
@@ -36,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 Flags:
  -X	Enable direct connection to X11
@@ -58,12 +58,14 @@ Flags:
    	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
  -mpris
    	Allow owning MPRIS D-Bus path, has no effect if custom config is available
  -pipewire
    	Enable connection to PipeWire via SecurityContext
  -private-runtime
    	Do not share XDG_RUNTIME_DIR between containers under the same identity
  -private-tmpdir
    	Do not share TMPDIR between containers under the same identity
  -pulse
-    	Enable direct connection to PulseAudio
+    	Enable PulseAudio compatibility daemon
  -u string
    	Passwd user name within sandbox (default "chronos")
  -wayland
@@ -1,18 +1,13 @@
-package main_test
+package main
 import (
 	"io"
 	"reflect"
 	"strings"
 	"testing"
 	_ "unsafe"
 	"hakurei.app/container/stub"
 )
 //go:linkname decodeJSON hakurei.app/cmd/hakurei.decodeJSON
 func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any)
 func TestDecodeJSON(t *testing.T) {
 	t.Parallel()
@@ -62,9 +57,6 @@ func TestDecodeJSON(t *testing.T) {
 	}
 }
 //go:linkname encodeJSON hakurei.app/cmd/hakurei.encodeJSON
 func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any)
 func TestEncodeJSON(t *testing.T) {
 	t.Parallel()
@@ -74,7 +66,7 @@ func TestEncodeJSON(t *testing.T) {
 		want string
 	}{
 		{"marshaler", errorJSONMarshaler{},
-			`cannot encode json for main_test.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
+			`cannot encode json for main.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
 		{"default", func() {},
 			`cannot write json: json: unsupported type: func()`},
 	}
@@ -12,8 +12,6 @@ import (
 	"time"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/env"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
@@ -23,21 +21,19 @@ import (
 func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()
-
+	hi := outcome.Info()
 	info := &hst.Info{Version: internal.Version(), User: new(outcome.Hsu).MustID(nil)}
 	env.CopyPaths().Copy(&info.Paths, info.User)
 	if flagJSON {
-		encodeJSON(log.Fatal, output, short, info)
+		encodeJSON(log.Fatal, output, short, hi)
 		return
 	}
-	t.Printf("Version:\t%s\n", info.Version)
+	t.Printf("Version:\t%s (libwayland %s)\n", hi.Version, hi.WaylandVersion)
-	t.Printf("User:\t%d\n", info.User)
+	t.Printf("User:\t%d\n", hi.User)
-	t.Printf("TempDir:\t%s\n", info.TempDir)
+	t.Printf("TempDir:\t%s\n", hi.TempDir)
-	t.Printf("SharePath:\t%s\n", info.SharePath)
+	t.Printf("SharePath:\t%s\n", hi.SharePath)
-	t.Printf("RuntimePath:\t%s\n", info.RuntimePath)
+	t.Printf("RuntimePath:\t%s\n", hi.RuntimePath)
-	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
+	t.Printf("RunDirPath:\t%s\n", hi.RunDirPath)
 }
 // printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
@@ -90,12 +86,6 @@ func printShowInstance(
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
 	if config.Container != nil {
 		if config.Container.Home != nil {
 			t.Printf(" Home:\t%s\n", config.Container.Home)
 		}
 		if config.Container.Hostname != "" {
 			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
 		}
 		flags := config.Container.Flags.String()
 		// this is included in the upper hst.Config struct but is relevant here
@@ -110,6 +100,12 @@ func printShowInstance(
 		}
 		t.Printf(" Flags:\t%s\n", flags)
 		if config.Container.Home != nil {
 			t.Printf(" Home:\t%s\n", config.Container.Home)
 		}
 		if config.Container.Hostname != "" {
 			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
 		}
 		if config.Container.Path != nil {
 			t.Printf(" Path:\t%s\n", config.Container.Path)
 		}
@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
@@ -62,11 +62,11 @@ func TestPrintShowInstance(t *testing.T) {
 		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
 		{"config", nil, hst.Template(), false, false, `App
 Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pulseaudio
+ Enablements:    wayland, dbus, pipewire
 Groups:         video, dialout, plugdev
 Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
 Home:           /data/data/org.chromium.Chromium
 Hostname:       localhost
 Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
@@ -159,11 +159,11 @@ Session bus
 App
 Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pulseaudio
+ Enablements:    wayland, dbus, pipewire
 Groups:         video, dialout, plugdev
 Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
 Home:           /data/data/org.chromium.Chromium
 Hostname:       localhost
 Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
@@ -215,7 +215,7 @@ App
  "enablements": {
    "wayland": true,
    "dbus": true,
-    "pulse": true
+    "pipewire": true
  },
  "session_bus": {
    "see": null,
@@ -366,7 +366,7 @@ App
  "enablements": {
    "wayland": true,
    "dbus": true,
-    "pulse": true
+    "pipewire": true
  },
  "session_bus": {
    "see": null,
@@ -564,7 +564,7 @@ func TestPrintPs(t *testing.T) {
    "enablements": {
      "wayland": true,
      "dbus": true,
-      "pulse": true
+      "pipewire": true
    },
    "session_bus": {
      "see": null,
@@ -715,7 +715,7 @@ func TestPrintPs(t *testing.T) {
    "shim_pid": 51966,
    "enablements": {
      "wayland": true,
-      "pulse": true
+      "pipewire": true
    },
    "identity": 1,
    "groups": null,
@@ -45,7 +45,7 @@
  allow_wayland ? true,
  allow_x11 ? false,
  allow_dbus ? true,
-  allow_pulse ? true,
+  allow_audio ? true,
  gpu ? allow_wayland || allow_x11,
 }:
@@ -175,7 +175,7 @@ let
      wayland = allow_wayland;
      x11 = allow_x11;
      dbus = allow_dbus;
-      pulse = allow_pulse;
+      pipewire = allow_audio;
    };
    mesa = if gpu then mesaWrappers else null;
@@ -10,11 +10,11 @@ import (
 	"os/exec"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/info"
 	"hakurei.app/message"
 )
-var hakureiPathVal = internal.MustHakureiPath().String()
+var hakureiPathVal = info.MustHakureiPath().String()
 func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
 	var (
@@ -90,13 +90,13 @@ wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
+check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
@@ -107,4 +107,4 @@ print(machine.succeed("find /tmp/hakurei.0 "
    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
    + "-print"))
-print(machine.succeed("find /run/user/1000/hakurei"))
+print(machine.fail("ls /run/user/1000/hakurei"))
@@ -59,6 +59,7 @@ func (e *AutoEtcOp) apply(state *setupState, k syscallDispatcher) error {
 	return nil
 }
 func (e *AutoEtcOp) late(*setupState, syscallDispatcher) error { return nil }
 func (e *AutoEtcOp) hostPath() *check.Absolute { return fhs.AbsEtc.Append(e.hostRel()) }
 func (e *AutoEtcOp) hostRel() string           { return ".host/" + e.Prefix }
@@ -69,6 +69,7 @@ func (r *AutoRootOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return nil
 }
 func (r *AutoRootOp) late(*setupState, syscallDispatcher) error { return nil }
 func (r *AutoRootOp) Is(op Op) bool {
 	vr, ok := op.(*AutoRootOp)
@@ -56,7 +56,7 @@ func NewAbs(pathname string) (*Absolute, error) {
 // MustAbs calls [NewAbs] and panics on error.
 func MustAbs(pathname string) *Absolute {
 	if a, err := NewAbs(pathname); err != nil {
-		panic(err.Error())
+		panic(err)
 	} else {
 		return a
 	}
@@ -14,8 +14,10 @@ import (
 	. "hakurei.app/container/check"
 )
 // unsafeAbs returns check.Absolute on any string value.
 //
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
-func unsafeAbs(_ string) *Absolute
+func unsafeAbs(pathname string) *Absolute
 func TestAbsoluteError(t *testing.T) {
 	t.Parallel()
@@ -82,9 +84,9 @@ func TestNewAbs(t *testing.T) {
 		t.Parallel()
 		defer func() {
-			wantPanic := `path "etc" is not absolute`
+			wantPanic := &AbsoluteError{Pathname: "etc"}
-			if r := recover(); r != wantPanic {
+			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
 			}
 		}()
@@ -21,6 +21,7 @@ import (
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/container/vfs"
@@ -29,6 +30,45 @@ import (
 	"hakurei.app/message"
 )
 // Note: this package requires cgo, which is unavailable in the Go playground.
 func Example() {
 	// Must be called early if the current process starts containers.
 	container.TryArgv0(nil)
 	// Configure the container.
 	z := container.New(context.Background(), nil)
 	z.Hostname = "hakurei-example"
 	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
 	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 	// Bind / for demonstration.
 	z.Bind(fhs.AbsRoot, fhs.AbsRoot, 0)
 	if name, err := exec.LookPath("hostname"); err != nil {
 		panic(err)
 	} else {
 		z.Path = check.MustAbs(name)
 	}
 	// This completes the first stage of container setup and starts the container init process.
 	// The new process blocks until the Serve method is called.
 	if err := z.Start(); err != nil {
 		panic(err)
 	}
 	// This serves the setup payload to the container init process,
 	// starting the second stage of container setup.
 	if err := z.Serve(); err != nil {
 		panic(err)
 	}
 	// Must be called if the Start method succeeds.
 	if err := z.Wait(); err != nil {
 		panic(err)
 	}
 	// Output: hakurei-example
 }
 func TestStartError(t *testing.T) {
 	t.Parallel()
@@ -722,12 +762,14 @@ func TestMain(m *testing.M) {
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
 	executable := check.MustAbs(container.MustExecutable(msg))
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(check.MustAbs(os.Args[0]), absHelperInnerPath, 0)
+	c.Bind(executable, absHelperInnerPath, 0)
 	// in case test has cgo enabled
-	if entries, err := ldd.Exec(ctx, msg, os.Args[0]); err != nil {
+	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)
@@ -759,7 +759,8 @@ func (k *kstub) checkMsg(msg message.Msg) {
 }
 func (k *kstub) GetLogger() *log.Logger { panic("unreachable") }
-func (k *kstub) IsVerbose() bool        { panic("unreachable") }
+
 func (k *kstub) IsVerbose() bool { k.Helper(); return k.Expects("isVerbose").Ret.(bool) }
 func (k *kstub) SwapVerbose(verbose bool) bool {
 	k.Helper()
@@ -7,31 +7,36 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/vfs"
 	"hakurei.app/message"
 )
 // messageFromError returns a printable error message for a supported concrete type.
-func messageFromError(err error) (string, bool) {
+func messageFromError(err error) (m string, ok bool) {
-	if m, ok := messagePrefixP[MountError]("cannot ", err); ok {
+	if m, ok = messagePrefixP[MountError]("cannot ", err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefixP[os.PathError]("cannot ", err); ok {
+	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefixP[check.AbsoluteError]("", err); ok {
+	if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefix[OpRepeatError]("", err); ok {
+	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefix[OpStateError]("", err); ok {
+	if m, ok = messagePrefix[OpStateError](zeroString, err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
+	if m, ok = messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefix[TmpfsSizeError]("", err); ok {
+	if m, ok = messagePrefix[TmpfsSizeError](zeroString, err); ok {
-		return m, ok
+		return
 	}
 	if m, ok = message.GetMessage(err); ok {
 		return
 	}
 	return zeroString, false
@@ -8,8 +8,10 @@ import (
 /* constants in this file bypass abs check, be extremely careful when changing them! */
 // unsafeAbs returns check.Absolute on any string value.
 //
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
-func unsafeAbs(_ string) *check.Absolute
+func unsafeAbs(pathname string) *check.Absolute
 var (
 	// AbsRoot is [Root] as [check.Absolute].
@@ -34,6 +36,8 @@ var (
 	// AbsDev is [Dev] as [check.Absolute].
 	AbsDev = unsafeAbs(Dev)
 	// AbsDevShm is [DevShm] as [check.Absolute].
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
 	// AbsSys is [Sys] as [check.Absolute].
@@ -29,6 +29,8 @@ const (
 	// Dev points to the root directory for device nodes.
 	Dev = "/dev/"
 	// DevShm is the place for POSIX shared memory segments, as created via shm_open(3).
 	DevShm = "/dev/shm/"
 	// Proc points to a virtual kernel file system exposing the process list and other functionality.
 	Proc = "/proc/"
 	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
@@ -1,6 +1,7 @@
 package container
 import (
 	"context"
 	"errors"
 	"fmt"
 	"log"
@@ -9,6 +10,8 @@ import (
 	"path"
 	"slices"
 	"strconv"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"
@@ -18,24 +21,28 @@ import (
 )
 const (
-	/* intermediate tmpfs mount point
+	/* intermediateHostPath is the pathname of the intermediate tmpfs mount point.
-	this path might seem like a weird choice, however there are many good reasons to use it:
+	This path might seem like a weird choice, however there are many good reasons to use it:
-	- the contents of this path is never exposed to the container:
+	- The contents of this path is never exposed to the container:
-	  the tmpfs root established here effectively becomes anonymous after pivot_root
+	  The tmpfs root established here effectively becomes anonymous after pivot_root.
-	- it is safe to assume this path exists and is a directory:
+	- It is safe to assume this path exists and is a directory:
-	  this program will not work correctly without a proper /proc and neither will most others
+	  This program will not work correctly without a proper /proc and neither will most others.
-	- this path belongs to the container init:
+	- This path belongs to the container init:
-	  the container init is not any more privileged or trusted than the rest of the container
+	  The container init is not any more privileged or trusted than the rest of the container.
-	- this path is only accessible by init and root:
+	- This path is only accessible by init and root:
-	  the container init sets SUID_DUMP_DISABLE and terminates if that fails;
+	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.
-	it should be noted that none of this should become relevant at any point since the resulting
+	It should be noted that none of this should become relevant at any point since the resulting
-	intermediate root tmpfs should be effectively anonymous */
+	intermediate root tmpfs should be effectively anonymous. */
 	intermediateHostPath = fhs.Proc + "self/fd"
-	// setup params file descriptor
+	// setupEnv is the name of the environment variable holding the string representation of
 	// the read end file descriptor of the setup params pipe.
 	setupEnv = "HAKUREI_SETUP"
 	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
 	exitUnexpectedWait4 = 2
 )
 type (
@@ -49,6 +56,8 @@ type (
 		early(state *setupState, k syscallDispatcher) error
 		// apply is called in intermediate root.
 		apply(state *setupState, k syscallDispatcher) error
 		// late is called right before starting the initial process.
 		late(state *setupState, k syscallDispatcher) error
 		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
 		prefix() (string, bool)
@@ -61,11 +70,29 @@ type (
 	// setupState persists context between Ops.
 	setupState struct {
 		nonrepeatable uintptr
 		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
 		processConcluded bool
 		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
 		process map[int]WaitStatus
 		// Synchronises access to process.
 		processMu sync.RWMutex
 		*Params
 		context.Context
 		message.Msg
 	}
 )
 // terminated returns whether the specified pid has been reaped, and its
 // syscall.WaitStatus if it had. This is only usable by [Op].
 func (state *setupState) terminated(pid int) (wstatus WaitStatus, ok bool) {
 	state.processMu.RLock()
 	wstatus, ok = state.process[pid]
 	state.processMu.RUnlock()
 	return
 }
 // Grow grows the slice Ops points to using [slices.Grow].
 func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
@@ -180,7 +207,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
 	}
-	state := &setupState{Params: &params.Params, Msg: msg}
+	ctx, cancel := context.WithCancel(context.Background())
 	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
 	defer cancel()
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be difficult to obtain
@@ -330,22 +359,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 	k.umask(oldmask)
-	if err := closeSetup(); err != nil {
+	// winfo represents an exited process from wait4.
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
 	cmd := exec.Command(params.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
 	cmd.Env = params.Env
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = params.Dir.String()
 	msg.Verbosef("starting initial program %s", params.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
 	type winfo struct {
 		wpid    int
 		wstatus WaitStatus
@@ -355,9 +369,13 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	// when there are no longer any processes left to reap
 	info := make(chan winfo, 1)
 	// whether initial process has started
 	var initialProcessStarted atomic.Bool
 	k.new(func(k syscallDispatcher) {
 		k.lockOSThread()
 	wait4:
 		var (
 			err     error
 			wpid    = -2
@@ -371,7 +389,21 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 			}
 			if wpid != -2 {
-				info <- winfo{wpid, wstatus}
+				if !state.processConcluded {
 					state.processMu.Lock()
 					if state.process == nil {
 						// early reaping has already concluded at this point
 						state.processConcluded = true
 						info <- winfo{wpid, wstatus}
 					} else {
 						// initial process has not yet been created, and the
 						// info channel is not yet being received from
 						state.process[wpid] = wstatus
 					}
 					state.processMu.Unlock()
 				} else {
 					info <- winfo{wpid, wstatus}
 				}
 			}
 			err = EINTR
@@ -379,13 +411,55 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 				wpid, err = k.wait4(-1, &wstatus, 0, nil)
 			}
 		}
 		if !errors.Is(err, ECHILD) {
 			k.printf(msg, "unexpected wait4 response: %v", err)
 		} else if !initialProcessStarted.Load() {
 			// initial process has not yet been reached and all daemons
 			// terminated or none were started in the first place
 			time.Sleep(500 * time.Microsecond)
 			goto wait4
 		}
 		close(info)
 	})
 	// called right before startup of initial process, all state changes to the
 	// current process is prohibited during late
 	for i, op := range *params.Ops {
 		// ops already checked during early setup
 		if err := op.late(state, k); err != nil {
 			if m, ok := messageFromError(err); ok {
 				k.fatal(msg, m)
 			} else if errors.Is(err, context.DeadlineExceeded) {
 				k.fatalf(msg, "%s deadline exceeded", op.String())
 			} else {
 				k.fatalf(msg, "cannot complete op at index %d: %v", i, err)
 			}
 		}
 	}
 	// early reaping has concluded, this must happen before initial process is created
 	state.processMu.Lock()
 	state.process = nil
 	state.processMu.Unlock()
 	if err := closeSetup(); err != nil {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
 	cmd := exec.Command(params.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
 	cmd.Env = params.Env
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = params.Dir.String()
 	msg.Verbosef("starting initial process %s", params.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
 	initialProcessStarted.Store(true)
 	// handle signals to dump withheld messages
 	sig := make(chan os.Signal, 2)
 	k.notify(sig, CancelSignal,
@@ -394,7 +468,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
-	r := 2
+	r := exitUnexpectedWait4
 	for {
 		select {
 		case s := <-sig:
@@ -426,6 +500,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 			}
 			if w.wpid == cmd.Process.Pid {
 				// cancel Op context early
 				cancel()
 				// start timeout early
 				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
@@ -1983,11 +1983,20 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(13)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, nil, stub.UniqueError(12)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(12)}}, nil, nil),
 			},
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
 				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
 			}}},
 		}, nil},
 		{"lowlastcap signaled cancel forward error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
@@ -2062,10 +2071,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(10)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{"forwarding context cancellation"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
@@ -2162,10 +2171,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"got %s, forwarding to initial process", []any{"quit"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
@@ -2262,10 +2271,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"got %s", []any{"interrupt"}}, nil, nil),
 				call("beforeExit", stub.ExpectArgs{}, nil, nil),
@@ -2353,10 +2362,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(5)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2448,10 +2457,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(3)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2586,10 +2595,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(1)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2728,10 +2737,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(11), "extra file 1"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(12), "extra file 2"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(0)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/bin/zsh")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -90,6 +90,7 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.bindMount(state, source, target, flags)
 }
 func (b *BindMountOp) late(*setupState, syscallDispatcher) error { return nil }
 func (b *BindMountOp) Is(op Op) bool {
 	vb, ok := op.(*BindMountOp)
@@ -0,0 +1,134 @@
 package container
 import (
 	"context"
 	"encoding/gob"
 	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"slices"
 	"strconv"
 	"syscall"
 	"time"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 )
 func init() { gob.Register(new(DaemonOp)) }
 const (
 	// daemonTimeout is the duration a [DaemonOp] is allowed to block before the
 	// [DaemonOp.Target] marker becomes available.
 	daemonTimeout = 5 * time.Second
 )
 // Daemon appends an [Op] that starts a daemon in the container and blocks until
 // [DaemonOp.Target] appears.
 func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
 	*f = append(*f, &DaemonOp{target, path, args})
 	return f
 }
 // DaemonOp starts a daemon in the container and blocks until Target appears.
 type DaemonOp struct {
 	// Pathname indicating readiness of daemon.
 	Target *check.Absolute
 	// Absolute pathname passed to [exec.Cmd].
 	Path *check.Absolute
 	// Arguments (excl. first) passed to [exec.Cmd].
 	Args []string
 }
 // earlyTerminationError is returned by [DaemonOp] when a daemon terminates
 // before [DaemonOp.Target] appears.
 type earlyTerminationError struct {
 	// Returned by [DaemonOp.String].
 	op string
 	// Copied from wait4 loop.
 	wstatus syscall.WaitStatus
 }
 func (e *earlyTerminationError) Error() string {
 	res := ""
 	switch {
 	case e.wstatus.Exited():
 		res = "exit status " + strconv.Itoa(e.wstatus.ExitStatus())
 	case e.wstatus.Signaled():
 		res = "signal: " + e.wstatus.Signal().String()
 	case e.wstatus.Stopped():
 		res = "stop signal: " + e.wstatus.StopSignal().String()
 		if e.wstatus.StopSignal() == syscall.SIGTRAP && e.wstatus.TrapCause() != 0 {
 			res += " (trap " + strconv.Itoa(e.wstatus.TrapCause()) + ")"
 		}
 	case e.wstatus.Continued():
 		res = "continued"
 	}
 	if e.wstatus.CoreDump() {
 		res += " (core dumped)"
 	}
 	return res
 }
 func (e *earlyTerminationError) Message() string { return e.op + " " + e.Error() }
 func (d *DaemonOp) Valid() bool                                { return d != nil && d.Target != nil && d.Path != nil }
 func (d *DaemonOp) early(*setupState, syscallDispatcher) error { return nil }
 func (d *DaemonOp) apply(*setupState, syscallDispatcher) error { return nil }
 func (d *DaemonOp) late(state *setupState, k syscallDispatcher) error {
 	cmd := exec.CommandContext(state.Context, d.Path.String(), d.Args...)
 	cmd.Env = state.Env
 	cmd.Dir = fhs.Root
 	if state.IsVerbose() {
 		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
 	}
 	// WaitDelay: left unset because lifetime is bound by AdoptWaitDelay on cancellation
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
 	state.Verbosef("starting %s", d.String())
 	if err := k.start(cmd); err != nil {
 		return err
 	}
 	deadline := time.Now().Add(daemonTimeout)
 	var wstatusErr error
 	for {
 		if _, err := k.stat(d.Target.String()); err != nil {
 			if !errors.Is(err, os.ErrNotExist) {
 				_ = k.signal(cmd, os.Kill)
 				return err
 			}
 			if time.Now().After(deadline) {
 				_ = k.signal(cmd, os.Kill)
 				return context.DeadlineExceeded
 			}
 			if wstatusErr != nil {
 				return wstatusErr
 			}
 			if wstatus, ok := state.terminated(cmd.Process.Pid); ok {
 				// check once again: process could have satisfied Target between stat and the lookup
 				wstatusErr = &earlyTerminationError{d.String(), wstatus}
 				continue
 			}
 			time.Sleep(500 * time.Microsecond)
 			continue
 		}
 		state.Verbosef("daemon process %d ready", cmd.Process.Pid)
 		return nil
 	}
 }
 func (d *DaemonOp) Is(op Op) bool {
 	vd, ok := op.(*DaemonOp)
 	return ok && d.Valid() && vd.Valid() &&
 		d.Target.Is(vd.Target) && d.Path.Is(vd.Path) &&
 		slices.Equal(d.Args, vd.Args)
 }
 func (*DaemonOp) prefix() (string, bool) { return zeroString, false }
 func (d *DaemonOp) String() string       { return fmt.Sprintf("daemon providing %q", d.Target) }
@@ -0,0 +1,127 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 func TestEarlyTerminationError(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		err  error
 		want string
 		msg  string
 	}{
 		{"exited", &earlyTerminationError{
 			`daemon providing "/run/user/1971/pulse/native"`, 127 << 8,
 		}, "exit status 127", `daemon providing "/run/user/1971/pulse/native" exit status 127`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := tc.err.Error(); got != tc.want {
 				t.Errorf("Error: %q, want %q", got, tc.want)
 			}
 			if got := tc.err.(message.Error).Message(); got != tc.msg {
 				t.Errorf("Message: %s, want %s", got, tc.msg)
 			}
 		})
 	}
 }
 func TestDaemonOp(t *testing.T) {
 	t.Parallel()
 	checkSimple(t, "DaemonOp.late", []simpleTestCase{
 		{"success", func(k *kstub) error {
 			state := setupState{Params: &Params{Env: []string{"\x00"}}, Context: t.Context(), Msg: k}
 			return (&DaemonOp{
 				Target: check.MustAbs("/run/user/1971/pulse/native"),
 				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			}).late(&state, k)
 		}, stub.Expect{Calls: []stub.Call{
 			call("isVerbose", stub.ExpectArgs{}, true, nil),
 			call("verbosef", stub.ExpectArgs{"starting %s", []any{`daemon providing "/run/user/1971/pulse/native"`}}, nil, nil),
 			call("start", stub.ExpectArgs{"/run/current-system/sw/bin/pipewire-pulse", []string{"/run/current-system/sw/bin/pipewire-pulse", "-v"}, []string{"\x00"}, "/"}, &os.Process{Pid: 0xcafe}, nil),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), nil),
 			call("verbosef", stub.ExpectArgs{"daemon process %d ready", []any{0xcafe}}, nil, nil),
 		}}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*DaemonOp)(nil), false},
 		{"zero", new(DaemonOp), false},
 		{"valid", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 			Args:   []string{"-v"},
 		}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"pipewire-pulse", new(Ops).Daemon(
 			check.MustAbs("/run/user/1971/pulse/native"),
 			check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"), "-v",
 		), Ops{
 			&DaemonOp{
 				Target: check.MustAbs("/run/user/1971/pulse/native"),
 				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(DaemonOp), new(DaemonOp), false},
 		{"args differs", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 			Args:   []string{"-v"},
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, false},
 		{"path differs", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire"),
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, false},
 		{"target differs", &DaemonOp{
 			Target: check.MustAbs("/run/user/65534/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, false},
 		{"equals", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"pipewire-pulse", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 		}, zeroString, `daemon providing "/run/user/1971/pulse/native"`},
 	})
 }
@@ -126,6 +126,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
 }
 func (d *MountDevOp) late(*setupState, syscallDispatcher) error { return nil }
 func (d *MountDevOp) Is(op Op) bool {
 	vd, ok := op.(*MountDevOp)
@@ -27,6 +27,7 @@ func (m *MkdirOp) early(*setupState, syscallDispatcher) error { return nil }
 func (m *MkdirOp) apply(_ *setupState, k syscallDispatcher) error {
 	return k.mkdirAll(toSysroot(m.Path.String()), m.Perm)
 }
 func (m *MkdirOp) late(*setupState, syscallDispatcher) error { return nil }
 func (m *MkdirOp) Is(op Op) bool {
 	vm, ok := op.(*MkdirOp)
@@ -205,6 +205,8 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
 }
 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
 func (o *MountOverlayOp) Is(op Op) bool {
 	vo, ok := op.(*MountOverlayOp)
 	return ok && o.Valid() && vo.Valid() &&
@@ -57,6 +57,7 @@ func (t *TmpfileOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return nil
 }
 func (t *TmpfileOp) late(*setupState, syscallDispatcher) error { return nil }
 func (t *TmpfileOp) Is(op Op) bool {
 	vt, ok := op.(*TmpfileOp)
@@ -28,6 +28,7 @@ func (p *MountProcOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString)
 }
 func (p *MountProcOp) late(*setupState, syscallDispatcher) error { return nil }
 func (p *MountProcOp) Is(op Op) bool {
 	vp, ok := op.(*MountProcOp)
@@ -26,6 +26,7 @@ func (*RemountOp) early(*setupState, syscallDispatcher) error { return nil }
 func (r *RemountOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.remount(state, toSysroot(r.Target.String()), r.Flags)
 }
 func (r *RemountOp) late(*setupState, syscallDispatcher) error { return nil }
 func (r *RemountOp) Is(op Op) bool {
 	vr, ok := op.(*RemountOp)
@@ -50,6 +50,8 @@ func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.symlink(l.LinkName, target)
 }
 func (l *SymlinkOp) late(*setupState, syscallDispatcher) error { return nil }
 func (l *SymlinkOp) Is(op Op) bool {
 	vl, ok := op.(*SymlinkOp)
 	return ok && l.Valid() && vl.Valid() &&
@@ -48,6 +48,7 @@ func (t *MountTmpfsOp) apply(_ *setupState, k syscallDispatcher) error {
 	}
 	return k.mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
 }
 func (t *MountTmpfsOp) late(*setupState, syscallDispatcher) error { return nil }
 func (t *MountTmpfsOp) Is(op Op) bool {
 	vt, ok := op.(*MountTmpfsOp)
@@ -9,136 +9,130 @@
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
+int32_t hakurei_scmp_make_filter(
-                                 uint32_t arch, uint32_t multiarch,
+    int *ret_p, uintptr_t allocate_p,
-                                 struct hakurei_syscall_rule *rules,
+    uint32_t arch, uint32_t multiarch,
-                                 size_t rules_sz, hakurei_export_flag flags) {
+    struct hakurei_syscall_rule *rules,
-  int i;
+    size_t rules_sz, hakurei_export_flag flags) {
-  int last_allowed_family;
+    int i;
-  int disallowed;
+    int last_allowed_family;
-  struct hakurei_syscall_rule *rule;
+    int disallowed;
-  void *buf;
+    struct hakurei_syscall_rule *rule;
-  size_t len = 0;
+    void *buf;
    size_t len = 0;
-  int32_t res = 0; /* refer to resPrefix for message */
+    int32_t res = 0; /* refer to resPrefix for message */
-  /* Blocklist all but unix, inet, inet6 and netlink */
+    /* Blocklist all but unix, inet, inet6 and netlink */
-  struct {
+    struct {
-    int family;
+        int family;
-    hakurei_export_flag flags_mask;
+        hakurei_export_flag flags_mask;
-  } socket_family_allowlist[] = {
+    } socket_family_allowlist[] = {
-      /* NOTE: Keep in numerical order */
+        /* NOTE: Keep in numerical order */
-      {AF_UNSPEC, 0},
+        {AF_UNSPEC, 0},
-      {AF_LOCAL, 0},
+        {AF_LOCAL, 0},
-      {AF_INET, 0},
+        {AF_INET, 0},
-      {AF_INET6, 0},
+        {AF_INET6, 0},
-      {AF_NETLINK, 0},
+        {AF_NETLINK, 0},
-      {AF_CAN, HAKUREI_EXPORT_CAN},
+        {AF_CAN, HAKUREI_EXPORT_CAN},
-      {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
+        {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
-  };
+    };
-  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
-  if (ctx == NULL) {
+    if (ctx == NULL) {
-    res = 1;
+        res = 1;
    goto out;
  } else
    errno = 0;
  /* We only really need to handle arches on multiarch systems.
   * If only one arch is supported the default is fine */
  if (arch != 0) {
    /* This *adds* the target arch, instead of replacing the
     * native one. This is not ideal, because we'd like to only
     * allow the target arch, but we can't really disallow the
     * native arch at this point, because then bubblewrap
     * couldn't continue running. */
    *ret_p = seccomp_arch_add(ctx, arch);
    if (*ret_p < 0 && *ret_p != -EEXIST) {
      res = 2;
      goto out;
    }
    if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
      *ret_p = seccomp_arch_add(ctx, multiarch);
      if (*ret_p < 0 && *ret_p != -EEXIST) {
        res = 3;
        goto out;
-      }
+    } else
-    }
+        errno = 0;
  }
-  for (i = 0; i < rules_sz; i++) {
+    /* We only really need to handle arches on multiarch systems.
-    rule = &rules[i];
+     * If only one arch is supported the default is fine */
-    assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
+    if (arch != 0) {
        /* This *adds* the target arch, instead of replacing the
         * native one. This is not ideal, because we'd like to only
         * allow the target arch, but we can't really disallow the
         * native arch at this point, because then bubblewrap
         * couldn't continue running. */
        *ret_p = seccomp_arch_add(ctx, arch);
        if (*ret_p < 0 && *ret_p != -EEXIST) {
            res = 2;
            goto out;
        }
-    if (rule->arg)
+        if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
+            *ret_p = seccomp_arch_add(ctx, multiarch);
-                                rule->syscall, 1, *rule->arg);
+            if (*ret_p < 0 && *ret_p != -EEXIST) {
-    else
+                res = 3;
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
+                goto out;
-                                rule->syscall, 0);
+            }
-
+        }
    if (*ret_p == -EFAULT) {
      res = 4;
      goto out;
    } else if (*ret_p < 0) {
      res = 5;
      goto out;
    }
  }
  /* Socket filtering doesn't work on e.g. i386, so ignore failures here
   * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
   * something else: https://github.com/seccomp/libseccomp/issues/8 */
  last_allowed_family = -1;
  for (i = 0; i < LEN(socket_family_allowlist); i++) {
    if (socket_family_allowlist[i].flags_mask != 0 &&
        (socket_family_allowlist[i].flags_mask & flags) !=
            socket_family_allowlist[i].flags_mask)
      continue;
    for (disallowed = last_allowed_family + 1;
         disallowed < socket_family_allowlist[i].family; disallowed++) {
      /* Blocklist the in-between valid families */
      seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT),
                             SCMP_SYS(socket), 1,
                             SCMP_A0(SCMP_CMP_EQ, disallowed));
    }
    last_allowed_family = socket_family_allowlist[i].family;
  }
  /* Blocklist the rest */
  seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
                         SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
  if (allocate_p == 0) {
    *ret_p = seccomp_load(ctx);
    if (*ret_p != 0) {
      res = 7;
      goto out;
    }
  } else {
    *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
    if (*ret_p != 0) {
      res = 6;
      goto out;
    }
-    buf = hakurei_scmp_allocate(allocate_p, len);
+    for (i = 0; i < rules_sz; i++) {
-    if (buf == NULL) {
+        rule = &rules[i];
-      res = 4;
+        assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
-      goto out;
+
        if (rule->arg)
            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 1, *rule->arg);
        else
            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 0);
        if (*ret_p == -EFAULT) {
            res = 4;
            goto out;
        } else if (*ret_p < 0) {
            res = 5;
            goto out;
        }
    }
-    *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
+    /* Socket filtering doesn't work on e.g. i386, so ignore failures here
-    if (*ret_p != 0) {
+     * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
-      res = 6;
+     * something else: https://github.com/seccomp/libseccomp/issues/8 */
-      goto out;
+    last_allowed_family = -1;
    for (i = 0; i < LEN(socket_family_allowlist); i++) {
        if (socket_family_allowlist[i].flags_mask != 0 &&
            (socket_family_allowlist[i].flags_mask & flags) != socket_family_allowlist[i].flags_mask)
            continue;
        for (disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) {
            /* Blocklist the in-between valid families */
            seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed));
        }
        last_allowed_family = socket_family_allowlist[i].family;
    }
    /* Blocklist the rest */
    seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
    if (allocate_p == 0) {
        *ret_p = seccomp_load(ctx);
        if (*ret_p != 0) {
            res = 7;
            goto out;
        }
    } else {
        *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
        if (*ret_p != 0) {
            res = 6;
            goto out;
        }
        buf = hakurei_scmp_allocate(allocate_p, len);
        if (buf == NULL) {
            res = 4;
            goto out;
        }
        *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
        if (*ret_p != 0) {
            res = 6;
            goto out;
        }
    }
  }
 out:
-  if (ctx)
+    if (ctx)
-    seccomp_release(ctx);
+        seccomp_release(ctx);
-  return res;
+    return res;
 }
@@ -1,25 +1,26 @@
 #include <seccomp.h>
 #include <stdint.h>
-#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) ||     \
+#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \
    (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1)
 #error This package requires libseccomp >= v2.5.1
 #endif
 typedef enum {
-  HAKUREI_EXPORT_MULTIARCH = 1 << 0,
+    HAKUREI_EXPORT_MULTIARCH = 1 << 0,
-  HAKUREI_EXPORT_CAN = 1 << 1,
+    HAKUREI_EXPORT_CAN = 1 << 1,
-  HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
+    HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
 } hakurei_export_flag;
 struct hakurei_syscall_rule {
-  int syscall;
+    int syscall;
-  int m_errno;
+    int m_errno;
-  struct scmp_arg_cmp *arg;
+    struct scmp_arg_cmp *arg;
 };
 extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
+int32_t hakurei_scmp_make_filter(
-                                 uint32_t arch, uint32_t multiarch,
+    int *ret_p, uintptr_t allocate_p,
-                                 struct hakurei_syscall_rule *rules,
+    uint32_t arch, uint32_t multiarch,
-                                 size_t rules_sz, hakurei_export_flag flags);
+    struct hakurei_syscall_rule *rules,
    size_t rules_sz, hakurei_export_flag flags);
@@ -7,8 +7,10 @@ import (
 	"hakurei.app/container/stub"
 )
 // Made available here to check panic recovery behaviour.
 //
 //go:linkname handleExitNew hakurei.app/container/stub.handleExitNew
-func handleExitNew(_ testing.TB)
+func handleExitNew(t testing.TB)
 // overrideTFailNow overrides the Fail and FailNow method.
 type overrideTFailNow struct {
@@ -17,7 +17,8 @@ _hakurei_run() {
    '--wayland[Enable connection to Wayland via security-context-v1]' \
    '-X[Enable direct connection to X11]' \
    '--dbus[Enable proxied connection to D-Bus]' \
-    '--pulse[Enable direct connection to PulseAudio]' \
+    '--pipewire[Enable connection to PipeWire via SecurityContext]' \
    '--pulse[Enable PulseAudio compatibility daemon]' \
    '--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
    '--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
    '--mpris[Allow owning MPRIS D-Bus path]' \
@@ -10,9 +10,9 @@ cp -rv "dist/comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-  -X hakurei.app/internal.buildVersion=${VERSION}
+  -X hakurei.app/internal/info.buildVersion=${VERSION}
-  -X hakurei.app/internal.hakureiPath=/usr/bin/hakurei
+  -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
-  -X hakurei.app/internal.hsuPath=/usr/bin/hsu
+  -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
  -X main.hakureiPath=/usr/bin/hakurei" ./...
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
@@ -114,7 +114,7 @@
            inherit (pkgs)
              # passthru.buildInputs
              go
-              gcc
+              clang
              # nativeBuildInputs
              pkg-config
@@ -129,6 +129,10 @@
              zstd
              gnutar
              coreutils
              # for check
              util-linux
              nettools
              ;
          };
          hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };
@@ -144,7 +148,7 @@
                && chmod -R +w .
            export HAKUREI_VERSION="v${hakurei.version}"
-            ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
+            CC="clang -O3 -Werror" ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
          '';
        }
      );
@@ -0,0 +1,73 @@
 // Package helper exposes the internal/helper package.
 //
 // Deprecated: This package will be removed in 0.4.
 package helper
 import (
 	"context"
 	"io"
 	"os"
 	"os/exec"
 	"time"
 	_ "unsafe" // for go:linkname
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/internal/helper"
 	"hakurei.app/message"
 )
 //go:linkname WaitDelay hakurei.app/internal/helper.WaitDelay
 var WaitDelay time.Duration
 const (
 	// HakureiHelper is set to 1 when args fd is enabled and 0 otherwise.
 	HakureiHelper = helper.HakureiHelper
 	// HakureiStatus is set to 1 when stat fd is enabled and 0 otherwise.
 	HakureiStatus = helper.HakureiStatus
 )
 type Helper = helper.Helper
 // NewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
 //
 //go:linkname NewCheckedArgs hakurei.app/internal/helper.NewCheckedArgs
 func NewCheckedArgs(args ...string) (wt io.WriterTo, err error)
 // MustNewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
 // If s contains a NUL byte this function panics instead of returning an error.
 //
 //go:linkname MustNewCheckedArgs hakurei.app/internal/helper.MustNewCheckedArgs
 func MustNewCheckedArgs(args ...string) io.WriterTo
 // NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
 // Function argF returns an array of arguments passed directly to the child process.
 //
 //go:linkname NewDirect hakurei.app/internal/helper.NewDirect
 func NewDirect(
 	ctx context.Context,
 	name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
 	cmdF func(cmd *exec.Cmd),
 	extraFiles []*os.File,
 ) Helper
 // New initialises a Helper instance with wt as the null-terminated argument writer.
 //
 //go:linkname New hakurei.app/internal/helper.New
 func New(
 	ctx context.Context,
 	msg message.Msg,
 	pathname *check.Absolute, name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
 	cmdF func(z *container.Container),
 	extraFiles []*os.File,
 ) Helper
 // InternalHelperStub is an internal function but exported because it is cross-package;
 // it is part of the implementation of the helper stub.
 func InternalHelperStub() { helper.InternalHelperStub() }
@@ -0,0 +1,63 @@
 // Deprecated: This package will be removed in 0.4.
 package proc
 import (
 	"context"
 	"io"
 	"os"
 	"os/exec"
 	"time"
 	_ "unsafe" // for go:linkname
 	"hakurei.app/internal/helper/proc"
 )
 //go:linkname FulfillmentTimeout hakurei.app/internal/helper/proc.FulfillmentTimeout
 var FulfillmentTimeout time.Duration
 // A File is an extra file with deferred initialisation.
 type File = proc.File
 // ExtraFilesPre is a linked list storing addresses of [os.File].
 type ExtraFilesPre = proc.ExtraFilesPre
 // Fulfill calls the [File.Fulfill] method on all files, starts cmd and blocks until all fulfillment completes.
 //
 //go:linkname Fulfill hakurei.app/internal/helper/proc.Fulfill
 func Fulfill(ctx context.Context,
 	v *[]*os.File, start func() error,
 	files []File, extraFiles *ExtraFilesPre,
 ) (err error)
 // InitFile initialises f as part of the slice extraFiles points to,
 // and returns its final fd value.
 //
 //go:linkname InitFile hakurei.app/internal/helper/proc.InitFile
 func InitFile(f File, extraFiles *ExtraFilesPre) (fd uintptr)
 // BaseFile implements the Init method of the File interface and provides indirect access to extra file state.
 type BaseFile = proc.BaseFile
 //go:linkname ExtraFile hakurei.app/internal/helper/proc.ExtraFile
 func ExtraFile(cmd *exec.Cmd, f *os.File) (fd uintptr)
 //go:linkname ExtraFileSlice hakurei.app/internal/helper/proc.ExtraFileSlice
 func ExtraFileSlice(extraFiles *[]*os.File, f *os.File) (fd uintptr)
 // NewWriterTo returns a [File] that receives content from wt on fulfillment.
 //
 //go:linkname NewWriterTo hakurei.app/internal/helper/proc.NewWriterTo
 func NewWriterTo(wt io.WriterTo) File
 // NewStat returns a [File] implementing the behaviour
 // of the receiving end of xdg-dbus-proxy stat fd.
 //
 //go:linkname NewStat hakurei.app/internal/helper/proc.NewStat
 func NewStat(s *io.Closer) File
 var (
 	//go:linkname ErrStatFault hakurei.app/internal/helper/proc.ErrStatFault
 	ErrStatFault error
 	//go:linkname ErrStatRead hakurei.app/internal/helper/proc.ErrStatRead
 	ErrStatRead error
 )
@@ -23,9 +23,20 @@ type Config struct {
 	// System D-Bus proxy configuration.
 	// If set to nil, system bus proxy is disabled.
 	SystemBus *BusConfig `json:"system_bus,omitempty"`
 	// Direct access to wayland socket, no attempt is made to attach security-context-v1
 	// and the bare socket is made available to the container.
 	//
 	// This option is unsupported and most likely enables full control over the Wayland
 	// session. Do not set this to true unless you are sure you know what you are doing.
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// Direct access to PulseAudio socket, no attempt is made to establish pipewire-pulse
 	// server via a PipeWire socket with a SecurityContext attached and the bare socket
 	// is made available to the container.
 	//
 	// This option is unsupported and enables arbitrary code execution as the PulseAudio
 	// server. Do not set this to true, this is insecure under any configuration.
 	DirectPulse bool `json:"direct_pulse,omitempty"`
 	// Extra acl updates to perform before setuid.
 	ExtraPerms []ExtraPermConfig `json:"extra_perms,omitempty"`
@@ -49,6 +60,9 @@ var (
 	// ErrEnviron is returned by [Config.Validate] if an environment variable name contains '=' or NUL.
 	ErrEnviron = errors.New("invalid environment variable name")
 	// ErrInsecure is returned by [Config.Validate] if the configuration is considered insecure.
 	ErrInsecure = errors.New("configuration is insecure")
 )
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
@@ -95,6 +109,11 @@ func (config *Config) Validate() error {
 		}
 	}
 	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
 		return &AppError{Step: "validate configuration", Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 	return nil
 }
@@ -53,6 +53,12 @@ func TestConfigValidate(t *testing.T) {
 			Env:   map[string]string{"TERM\x00": ""},
 		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
 		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
@@ -17,6 +17,8 @@ const (
 	EX11
 	// EDBus enables the per-container xdg-dbus-proxy daemon.
 	EDBus
 	// EPipeWire exposes a pipewire pathname socket via SecurityContext.
 	EPipeWire
 	// EPulse copies the PulseAudio cookie to [hst.PrivateTmp] and exposes the PulseAudio socket.
 	EPulse
@@ -35,6 +37,8 @@ func (e Enablement) String() string {
 		return "x11"
 	case EDBus:
 		return "dbus"
 	case EPipeWire:
 		return "pipewire"
 	case EPulse:
 		return "pulseaudio"
 	default:
@@ -62,10 +66,11 @@ type Enablements Enablement
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
-	Wayland bool `json:"wayland,omitempty"`
+	Wayland  bool `json:"wayland,omitempty"`
-	X11     bool `json:"x11,omitempty"`
+	X11      bool `json:"x11,omitempty"`
-	DBus    bool `json:"dbus,omitempty"`
+	DBus     bool `json:"dbus,omitempty"`
-	Pulse   bool `json:"pulse,omitempty"`
+	PipeWire bool `json:"pipewire,omitempty"`
 	Pulse    bool `json:"pulse,omitempty"`
 }
 // Unwrap returns the underlying [Enablement].
@@ -81,10 +86,11 @@ func (e *Enablements) MarshalJSON() ([]byte, error) {
 		return nil, syscall.EINVAL
 	}
 	return json.Marshal(&enablementsJSON{
-		Wayland: Enablement(*e)&EWayland != 0,
+		Wayland:  Enablement(*e)&EWayland != 0,
-		X11:     Enablement(*e)&EX11 != 0,
+		X11:      Enablement(*e)&EX11 != 0,
-		DBus:    Enablement(*e)&EDBus != 0,
+		DBus:     Enablement(*e)&EDBus != 0,
-		Pulse:   Enablement(*e)&EPulse != 0,
+		PipeWire: Enablement(*e)&EPipeWire != 0,
 		Pulse:    Enablement(*e)&EPulse != 0,
 	})
 }
@@ -108,6 +114,9 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 	if v.DBus {
 		ve |= EDBus
 	}
 	if v.PipeWire {
 		ve |= EPipeWire
 	}
 	if v.Pulse {
 		ve |= EPulse
 	}
@@ -32,6 +32,7 @@ func TestEnablementString(t *testing.T) {
 		{hst.EWayland | hst.EDBus | hst.EPulse, "wayland, dbus, pulseaudio"},
 		{hst.EX11 | hst.EDBus | hst.EPulse, "x11, dbus, pulseaudio"},
 		{hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse, "wayland, x11, dbus, pulseaudio"},
 		{hst.EM - 1, "wayland, x11, dbus, pipewire, pulseaudio"},
 		{1 << 5, "e20"},
 		{1 << 6, "e40"},
@@ -62,8 +63,9 @@ func TestEnablements(t *testing.T) {
 		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
 		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
 		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
 		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
 		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse), `{"wayland":true,"x11":true,"dbus":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pulse":true},"magic":3236757504}`},
+		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 	for _, tc := range testCases {
@@ -45,6 +45,9 @@ type Ops interface {
 	Root(host *check.Absolute, flags int) Ops
 	// Etc appends an op that expands host /etc into a toplevel symlink mirror with /etc semantics.
 	Etc(host *check.Absolute, prefix string) Ops
 	// Daemon appends an op that starts a daemon in the container and blocks until target appears.
 	Daemon(target, path *check.Absolute, args ...string) Ops
 }
 // ApplyState holds the address of [Ops] and any relevant application state.
@@ -124,6 +127,12 @@ func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
 			*FSLink
 		}{fsType{FilesystemLink}, cv}
 	case *FSDaemon:
 		v = &struct {
 			fsType
 			*FSDaemon
 		}{fsType{FilesystemDaemon}, cv}
 	default:
 		return nil, FSImplError{f.FilesystemConfig}
 	}
@@ -152,6 +161,9 @@ func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
 	case FilesystemLink:
 		*f = FilesystemConfigJSON{new(FSLink)}
 	case FilesystemDaemon:
 		*f = FilesystemConfigJSON{new(FSDaemon)}
 	default:
 		return FSTypeError(t.Type)
 	}
@@ -84,6 +84,16 @@ func TestFilesystemConfigJSON(t *testing.T) {
 		}, nil,
 			`{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true}`,
 			`{"fs":{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true},"magic":3236757504}`},
 		{"daemon", hst.FilesystemConfigJSON{
 			FilesystemConfig: &hst.FSDaemon{
 				Target: m("/run/user/1971/pulse/native"),
 				Exec:   m("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			},
 		}, nil,
 			`{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]}`,
 			`{"fs":{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]},"magic":3236757504}`},
 	}
 	for _, tc := range testCases {
@@ -345,6 +355,10 @@ func (p opsAdapter) Etc(host *check.Absolute, prefix string) hst.Ops {
 	return opsAdapter{p.Ops.Etc(host, prefix)}
 }
 func (p opsAdapter) Daemon(target, path *check.Absolute, args ...string) hst.Ops {
 	return opsAdapter{p.Ops.Daemon(target, path, args...)}
 }
 func m(pathname string) *check.Absolute { return check.MustAbs(pathname) }
 func ms(pathnames ...string) []*check.Absolute {
 	as := make([]*check.Absolute, len(pathnames))
@@ -0,0 +1,48 @@
 package hst
 import (
 	"encoding/gob"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(FSDaemon)) }
 // FilesystemDaemon is the type string of a daemon.
 const FilesystemDaemon = "daemon"
 // FSDaemon represents a daemon to be started in the container.
 type FSDaemon struct {
 	// Pathname indicating readiness of daemon.
 	Target *check.Absolute `json:"dst"`
 	// Absolute pathname to daemon executable file.
 	Exec *check.Absolute `json:"path"`
 	// Arguments (excl. first) passed to daemon.
 	Args []string `json:"args"`
 }
 func (d *FSDaemon) Valid() bool { return d != nil && d.Target != nil && d.Exec != nil }
 func (d *FSDaemon) Path() *check.Absolute {
 	if !d.Valid() {
 		return nil
 	}
 	return d.Target
 }
 func (d *FSDaemon) Host() []*check.Absolute { return nil }
 func (d *FSDaemon) Apply(z *ApplyState) {
 	if !d.Valid() {
 		return
 	}
 	z.Daemon(d.Target, d.Exec, d.Args...)
 }
 func (d *FSDaemon) String() string {
 	if !d.Valid() {
 		return "<invalid>"
 	}
 	return "daemon:" + d.Target.String()
 }
@@ -0,0 +1,29 @@
 package hst_test
 import (
 	"testing"
 	"hakurei.app/container"
 	"hakurei.app/hst"
 )
 func TestFSDaemon(t *testing.T) {
 	t.Parallel()
 	checkFs(t, []fsTestCase{
 		{"nil", (*hst.FSDaemon)(nil), false, nil, nil, nil, "<invalid>"},
 		{"zero", new(hst.FSDaemon), false, nil, nil, nil, "<invalid>"},
 		{"pipewire-pulse", &hst.FSDaemon{
 			Target: m("/run/user/1971/pulse/native"),
 			Exec:   m("/run/current-system/sw/bin/pipewire-pulse"),
 			Args:   []string{"-v"},
 		}, true, container.Ops{
 			&container.DaemonOp{
 				Target: m("/run/user/1971/pulse/native"),
 				Path:   m("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			},
 		}, m("/run/user/1971/pulse/native"), nil, `daemon:/run/user/1971/pulse/native`},
 	})
 }
@@ -54,6 +54,9 @@ type Paths struct {
 // Info holds basic system information collected from the implementation.
 type Info struct {
 	// WaylandVersion is the libwayland value of WAYLAND_VERSION.
 	WaylandVersion string `json:"WAYLAND_VERSION"`
 	// Version is a hardcoded version string.
 	Version string `json:"version"`
 	// User is the userid according to hsu.
@@ -67,7 +70,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
-		Enablements: NewEnablements(EWayland | EDBus | EPulse),
+		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
 		SessionBus: &BusConfig{
 			See: nil,
@@ -89,7 +92,6 @@ func Template() *Config {
 			Log:       false,
 			Filter:    true,
 		},
 		DirectWayland: false,
 		ExtraPerms: []ExtraPermConfig{
 			{Path: fhs.AbsVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},
@@ -105,7 +105,7 @@ func TestTemplate(t *testing.T) {
 	"enablements": {
 		"wayland": true,
 		"dbus": true,
-		"pulse": true
+		"pipewire": true
 	},
 	"session_bus": {
 		"see": null,
@@ -6,11 +6,13 @@ import (
 	"reflect"
 	"testing"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 	"hakurei.app/hst"
 )
 // Made available here to check time encoding behaviour of [hst.ID].
 //
 //go:linkname newInstanceID hakurei.app/hst.newInstanceID
 func newInstanceID(id *hst.ID, p uint64) error
@@ -13,7 +13,7 @@ import (
 	"strconv"
 	"testing"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 const testFileName = "acl.test"
@@ -0,0 +1,90 @@
 #include "libacl-helper.h"
 #include <acl/libacl.h>
 #include <stdbool.h>
 #include <stdlib.h>
 #include <sys/acl.h>
 int hakurei_acl_update_file_by_uid(const char *path_p, uid_t uid,
                                   acl_perm_t *perms, size_t plen) {
    int ret;
    bool v;
    int i;
    acl_t acl;
    acl_entry_t entry;
    acl_tag_t tag_type;
    void *qualifier_p;
    acl_permset_t permset;
    ret = -1; /* acl_get_file */
    acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
    if (acl == NULL)
        goto out;
    /* prune entries by uid */
    for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1;
         i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
        ret = -2; /* acl_get_tag_type */
        if (acl_get_tag_type(entry, &tag_type) != 0)
            goto out;
        if (tag_type != ACL_USER)
            continue;
        ret = -3; /* acl_get_qualifier */
        qualifier_p = acl_get_qualifier(entry);
        if (qualifier_p == NULL)
            goto out;
        v = *(uid_t *)qualifier_p == uid;
        acl_free(qualifier_p);
        if (!v)
            continue;
        ret = -4; /* acl_delete_entry */
        if (acl_delete_entry(acl, entry) != 0)
            goto out;
    }
    if (plen == 0)
        goto set;
    ret = -5; /* acl_create_entry */
    if (acl_create_entry(&acl, &entry) != 0)
        goto out;
    ret = -6; /* acl_get_permset */
    if (acl_get_permset(entry, &permset) != 0)
        goto out;
    ret = -7; /* acl_add_perm */
    for (i = 0; i < plen; i++) {
        if (acl_add_perm(permset, perms[i]) != 0)
            goto out;
    }
    ret = -8; /* acl_set_tag_type */
    if (acl_set_tag_type(entry, ACL_USER) != 0)
        goto out;
    ret = -9; /* acl_set_qualifier */
    if (acl_set_qualifier(entry, (void *)&uid) != 0)
        goto out;
 set:
    ret = -10; /* acl_calc_mask */
    if (acl_calc_mask(&acl) != 0)
        goto out;
    ret = -11; /* acl_valid */
    if (acl_valid(acl) != 0)
        goto out;
    ret = -12; /* acl_set_file */
    if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
        ret = 0;
 out:
    free((void *)path_p);
    if (acl != NULL)
        acl_free((void *)acl);
    return ret;
 }
@@ -3,7 +3,7 @@ package acl_test
 import (
 	"testing"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 func TestPerms(t *testing.T) {
@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 func TestParse(t *testing.T) {
@@ -7,7 +7,7 @@ import (
 	"testing"
 	"hakurei.app/hst"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 func TestConfigArgs(t *testing.T) {
@@ -11,9 +11,9 @@ import (
 	"testing"
 	"time"
-	"hakurei.app/helper"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/helper"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
 )
 func TestFinalise(t *testing.T) {
@@ -12,7 +12,7 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 	"hakurei.app/ldd"
 )
@@ -54,7 +54,7 @@ func (p *Proxy) Start() error {
 		}
 		var libPaths []*check.Absolute
-		if entries, err := ldd.Exec(ctx, p.msg, toolPath.String()); err != nil {
+		if entries, err := ldd.Resolve(ctx, p.msg, toolPath); err != nil {
 			return err
 		} else {
 			libPaths = ldd.Path(entries)
@@ -5,7 +5,7 @@ import (
 	"testing"
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 func TestMain(m *testing.M) { container.TryArgv0(nil); helper.InternalHelperStub(); os.Exit(m.Run()) }
@@ -6,8 +6,8 @@ import (
 	"sync"
 	"syscall"
 	"hakurei.app/helper"
 	"hakurei.app/hst"
 	"hakurei.app/internal/helper"
 	"hakurei.app/message"
 )
@@ -7,7 +7,7 @@ import (
 	"syscall"
 	"testing"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 func TestArgsString(t *testing.T) {
@@ -10,7 +10,7 @@ import (
 	"sync"
 	"syscall"
-	"hakurei.app/helper/proc"
+	"hakurei.app/internal/helper/proc"
 )
 // NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
@@ -9,7 +9,7 @@ import (
 	"testing"
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 func TestCmd(t *testing.T) {
@@ -11,7 +11,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
-	"hakurei.app/helper/proc"
+	"hakurei.app/internal/helper/proc"
 	"hakurei.app/message"
 )
@@ -9,7 +9,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 func TestContainer(t *testing.T) {
@@ -8,7 +8,7 @@ import (
 	"os"
 	"time"
-	"hakurei.app/helper/proc"
+	"hakurei.app/internal/helper/proc"
 )
 var WaitDelay = 2 * time.Second
@@ -13,7 +13,7 @@ import (
 	"testing"
 	"time"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 var (
@@ -5,7 +5,7 @@ import (
 	"testing"
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 func TestMain(m *testing.M) { container.TryArgv0(nil); helper.InternalHelperStub(); os.Exit(m.Run()) }
@@ -1,4 +1,4 @@
-package internal
+package info
 import (
 	"log"
@@ -1,4 +1,4 @@
-package internal
+package info
 import (
 	"reflect"
@@ -1,4 +1,4 @@
-package internal
+package info
 // FallbackVersion is returned when a version string was not set by the linker.
 const FallbackVersion = "dirty"
@@ -14,9 +14,9 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/internal"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/info"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
 )
 // osFile represents [os.File].
@@ -156,7 +156,7 @@ func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) erro
 	return seccomp.Load(rules, flags)
 }
-func (direct) mustHsuPath() *check.Absolute { return internal.MustHsuPath() }
+func (direct) mustHsuPath() *check.Absolute { return info.MustHsuPath() }
 func (direct) dbusAddress() (session, system string) { return dbus.Address() }
@@ -24,8 +24,8 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
 	"hakurei.app/internal/system"
 	"hakurei.app/message"
 	"hakurei.app/system"
 )
 // call initialises a [stub.Call].
@@ -8,8 +8,8 @@ import (
 	"os/user"
 	"hakurei.app/hst"
 	"hakurei.app/internal/system"
 	"hakurei.app/message"
 	"hakurei.app/system"
 )
 func newWithMessage(msg string) error { return newWithMessageError(msg, os.ErrInvalid) }
@@ -9,12 +9,24 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/acl"
 	"hakurei.app/internal/env"
 	"hakurei.app/internal/info"
 	"hakurei.app/internal/system"
 	"hakurei.app/internal/wayland"
 	"hakurei.app/message"
 	"hakurei.app/system"
 	"hakurei.app/system/acl"
 )
 // Info returns the address to a populated [hst.Info].
 //
 // This must not be called from within package outcome.
 func Info() *hst.Info {
 	hi := hst.Info{WaylandVersion: wayland.Version,
 		Version: info.Version(), User: new(Hsu).MustID(nil)}
 	env.CopyPaths().Copy(&hi.Paths, hi.User)
 	return &hi
 }
 // envAllocSize is the initial size of the env map pre-allocated when the configured env map is nil.
 // It should be large enough to fit all insertions by outcomeOp.toContainer.
 const envAllocSize = 1 << 6
@@ -160,6 +172,8 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool
 	// Copied from [hst.Config]. Safe for read by spPulseOp.toSystem only.
 	directPulse bool
 	// Copied header from [hst.Config]. Safe for read by spFilesystemOp.toSystem only.
 	extraPerms []hst.ExtraPermConfig
 	// Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
@@ -173,7 +187,8 @@ type outcomeStateSys struct {
 func (s *outcomeState) newSys(config *hst.Config, sys *system.I) *outcomeStateSys {
 	return &outcomeStateSys{
 		appId: config.ID, et: config.Enablements.Unwrap(),
-		directWayland: config.DirectWayland, extraPerms: config.ExtraPerms,
+		directWayland: config.DirectWayland, directPulse: config.DirectPulse,
 		extraPerms: config.ExtraPerms,
 		sessionBus: config.SessionBus, systemBus: config.SystemBus,
 		sys: sys, outcomeState: s,
 	}
@@ -280,6 +295,7 @@ func (state *outcomeStateSys) toSystem() error {
 		// optional via enablements
 		&spWaylandOp{},
 		&spX11Op{},
 		spPipeWireOp{},
 		&spPulseOp{},
 		&spDBusOp{},
@@ -16,10 +16,10 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/store"
 	"hakurei.app/internal/system"
 	"hakurei.app/message"
 	"hakurei.app/system"
 )
 const (
@@ -39,7 +39,7 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 	}
 	// read comp value early for early failure
-	hsuPath := internal.MustHsuPath()
+	hsuPath := info.MustHsuPath()
 	const (
 		// transitions to processCommit, or processFinal on failure
@@ -12,6 +12,8 @@ import (
 // IsPollDescriptor reports whether fd is the descriptor being used by the poller.
 //
 // Made available here to determine and reject impossible fd.
 //
 //go:linkname IsPollDescriptor internal/poll.IsPollDescriptor
 func IsPollDescriptor(fd uintptr) bool
@@ -21,13 +21,13 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
 	"hakurei.app/internal/acl"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/system"
 	"hakurei.app/message"
 	"hakurei.app/system"
 	"hakurei.app/system/acl"
 	"hakurei.app/system/dbus"
 )
-func TestOutcomeMain(t *testing.T) {
+func TestOutcomeRun(t *testing.T) {
 	t.Parallel()
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
@@ -67,18 +67,8 @@ func TestOutcomeMain(t *testing.T) {
 				"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 			).
-			// ensureRuntimeDir
+			// spPipeWireOp
-			Ensure(m("/run/user/1971"), 0700).
+			PipeWire(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire")).
 			UpdatePermType(system.User, m("/run/user/1971"), acl.Execute).
 			Ensure(m("/run/user/1971/hakurei"), 0700).
 			UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			// runtime
 			Ephemeral(system.Process, m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), 0700).
 			UpdatePerm(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), acl.Execute).
 			// spPulseOp
 			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse")).
 			// spDBusOp
 			MustProxyDBus(
@@ -106,8 +96,7 @@ func TestOutcomeMain(t *testing.T) {
 				"GOOGLE_DEFAULT_CLIENT_ID=77185425430.apps.googleusercontent.com",
 				"GOOGLE_DEFAULT_CLIENT_SECRET=OTJgUOQcT7lO7GsGZq2G4IlT",
 				"HOME=/data/data/org.chromium.Chromium",
-				"PULSE_COOKIE=/.hakurei/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
@@ -141,10 +130,10 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(fhs.AbsProc).
 				Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 				Bind(fhs.AbsDev, fhs.AbsDev, std.BindWritable|std.BindDevice).
-				Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777).
+				Tmpfs(fhs.AbsDevShm, 0, 01777).
 				// spRuntimeOp
-				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+				Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/1971"), std.BindWritable).
 				// spTmpdirOp
@@ -157,9 +146,8 @@ func TestOutcomeMain(t *testing.T) {
 				// spWaylandOp
 				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/wayland"), m("/run/user/1971/wayland-0"), 0).
-				// spPulseOp
+				// spPipeWireOp
-				Bind(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire"), m("/run/user/1971/pipewire-0"), 0).
 				Place(m("/.hakurei/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				// spDBusOp
 				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bus"), m("/run/user/1971/bus"), 0).
@@ -243,8 +231,8 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
-				Tmpfs(m("/dev/shm"), 0, 01777).
+				Tmpfs(m("/dev/shm/"), 0, 01777).
-				Tmpfs(m("/run/user/"), 4096, 0755).
+				Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), std.BindWritable).
 				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
@@ -298,7 +286,7 @@ func TestOutcomeMain(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -347,10 +335,7 @@ func TestOutcomeMain(t *testing.T) {
 			Ensure(m("/tmp/hakurei.0/tmpdir/9"), 01700).UpdatePermType(system.User, m("/tmp/hakurei.0/tmpdir/9"), acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c"), 0711).
 			Wayland(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
-			Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			PipeWire(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire")).
 			Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			Ephemeral(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), acl.Execute).
 			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse")).
 			MustProxyDBus(&hst.BusConfig{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@@ -397,8 +382,7 @@ func TestOutcomeMain(t *testing.T) {
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
 				"HOME=/home/chronos",
-				"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0",
 				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
@@ -412,15 +396,14 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
-				Tmpfs(m("/dev/shm"), 0, 01777).
+				Tmpfs(m("/dev/shm/"), 0, 01777).
-				Tmpfs(m("/run/user/"), 4096, 0755).
+				Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), std.BindWritable).
 				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
-				Bind(m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse"), m("/run/user/65534/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire"), m("/run/user/65534/pipewire-0"), 0).
 				Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
 				Bind(m("/dev/dri"), m("/dev/dri"), std.BindWritable|std.BindDevice|std.BindOptional).
@@ -440,7 +423,7 @@ func TestOutcomeMain(t *testing.T) {
 		{"nixos chromium direct wayland", new(stubNixOS), &hst.Config{
 			ID:          "org.chromium.Chromium",
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -502,9 +485,8 @@ func TestOutcomeMain(t *testing.T) {
 			Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			UpdatePermType(hst.EWayland, m("/run/user/1971/wayland-0"), acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), acl.Execute).
 			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse")).
 			Ephemeral(system.Process, m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1"), 0711).
 			PipeWire(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire")).
 			MustProxyDBus(&hst.BusConfig{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@@ -544,8 +526,7 @@ func TestOutcomeMain(t *testing.T) {
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
 				"HOME=/var/lib/persist/module/hakurei/0/1",
-				"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=u0_a1",
@@ -558,15 +539,14 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
-				Tmpfs(m("/dev/shm"), 0, 01777).
+				Tmpfs(m("/dev/shm/"), 0, 01777).
-				Tmpfs(m("/run/user/"), 4096, 0755).
+				Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), std.BindWritable).
 				Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
 				Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
-				Bind(m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire"), m("/run/user/1971/pipewire-0"), 0).
 				Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
 				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
 				Bind(m("/bin"), m("/bin"), 0).
@@ -10,53 +10,53 @@ static int hakurei_shim_fd = -1;
 /* see shim.go for handling of the message */
 static inline ssize_t hakurei_shim_write(hakurei_shim_msg msg) {
-  int savedErrno = errno;
+    int savedErrno = errno;
-  unsigned char buf = (unsigned char)msg;
+    unsigned char buf = (unsigned char)msg;
-  ssize_t ret = write(hakurei_shim_fd, &buf, 1);
+    ssize_t ret = write(hakurei_shim_fd, &buf, 1);
-  if (ret == -1 && errno != EAGAIN)
+    if (ret == -1 && errno != EAGAIN)
-    exit(EXIT_FAILURE);
+        exit(EXIT_FAILURE);
-  errno = savedErrno;
+    errno = savedErrno;
-  return ret;
+    return ret;
 }
 static void hakurei_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
-  if (sig != SIGCONT || si == NULL) {
+    if (sig != SIGCONT || si == NULL) {
-    hakurei_shim_write(HAKUREI_SHIM_INVALID);
+        hakurei_shim_write(HAKUREI_SHIM_INVALID);
-    return;
+        return;
-  }
+    }
-  if (si->si_pid == hakurei_shim_param_ppid) {
+    if (si->si_pid == hakurei_shim_param_ppid) {
-    hakurei_shim_write(HAKUREI_SHIM_EXIT_REQUESTED);
+        hakurei_shim_write(HAKUREI_SHIM_EXIT_REQUESTED);
-    return;
+        return;
-  }
+    }
-  hakurei_shim_write(HAKUREI_SHIM_BAD_PID);
+    hakurei_shim_write(HAKUREI_SHIM_BAD_PID);
-  if (getppid() != hakurei_shim_param_ppid)
+    if (getppid() != hakurei_shim_param_ppid)
-    hakurei_shim_write(HAKUREI_SHIM_ORPHAN);
+        hakurei_shim_write(HAKUREI_SHIM_ORPHAN);
 }
 void hakurei_shim_setup_cont_signal(pid_t ppid, int fd) {
-  if (hakurei_shim_param_ppid != -1 || hakurei_shim_fd != -1)
+    if (hakurei_shim_param_ppid != -1 || hakurei_shim_fd != -1)
-    *(int *)NULL = 0; /* unreachable */
+        *(volatile int *)NULL = 0; /* unreachable */
-  struct sigaction new_action = {0}, old_action = {0};
+    struct sigaction new_action = {0}, old_action = {0};
-  if (sigaction(SIGCONT, NULL, &old_action) != 0)
+    if (sigaction(SIGCONT, NULL, &old_action) != 0)
-    return;
+        return;
-  if (old_action.sa_handler != SIG_DFL) {
+    if (old_action.sa_handler != SIG_DFL) {
-    errno = ENOTRECOVERABLE;
+        errno = ENOTRECOVERABLE;
-    return;
+        return;
-  }
+    }
-  new_action.sa_sigaction = hakurei_shim_sigaction;
+    new_action.sa_sigaction = hakurei_shim_sigaction;
-  if (sigemptyset(&new_action.sa_mask) != 0)
+    if (sigemptyset(&new_action.sa_mask) != 0)
-    return;
+        return;
-  new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
+    new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
-  if (sigaction(SIGCONT, &new_action, NULL) != 0)
+    if (sigaction(SIGCONT, &new_action, NULL) != 0)
-    return;
+        return;
-  errno = 0;
+    errno = 0;
-  hakurei_shim_param_ppid = ppid;
+    hakurei_shim_param_ppid = ppid;
-  hakurei_shim_fd = fd;
+    hakurei_shim_fd = fd;
 }
@@ -2,10 +2,10 @@
 /* see shim.go for documentation */
 typedef enum {
-  HAKUREI_SHIM_EXIT_REQUESTED,
+    HAKUREI_SHIM_EXIT_REQUESTED,
-  HAKUREI_SHIM_ORPHAN,
+    HAKUREI_SHIM_ORPHAN,
-  HAKUREI_SHIM_INVALID,
+    HAKUREI_SHIM_INVALID,
-  HAKUREI_SHIM_BAD_PID,
+    HAKUREI_SHIM_BAD_PID,
 } hakurei_shim_msg;
 void hakurei_shim_setup_cont_signal(pid_t ppid, int fd);
@@ -66,10 +66,10 @@ func TestShimEntrypoint(t *testing.T) {
 			Proc(fhs.AbsProc).
 			Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 			Bind(fhs.AbsDev, fhs.AbsDev, std.BindWritable|std.BindDevice).
-			Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777).
+			Tmpfs(fhs.AbsDevShm, 0, 01777).
 			// spRuntimeOp
-			Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+			Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 			Bind(m("/tmp/hakurei.10/runtime/9999"), m("/run/user/1000"), std.BindWritable).
 			// spTmpdirOp
--- a/Show More
+++ b/Show More