release: 0.4.2

Signed-off-by: Ophestra <cat@gensokyo.uk>
cmd/dist: optionally skip tests
2026-05-10 16:16:59 +09:00 · 2026-05-10 04:15:07 +09:00 · 2026-05-10 04:01:06 +09:00 · 2026-05-09 10:51:19 +09:00 · 2026-05-09 00:33:27 +09:00 · 2026-05-09 00:16:06 +09:00
420 changed files with 62383 additions and 11217 deletions
@@ -89,23 +89,6 @@ jobs:
          path: result/*
          retention-days: 1

-  hpkg:
-    name: Hpkg
-    runs-on: nix
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hpkg
-
-      - name: Upload test output
-        uses: actions/upload-artifact@v3
-        with:
-          name: "hpkg-vm-output"
-          path: result/*
-          retention-days: 1
-
  check:
    name: Flake checks
    needs:
@@ -114,7 +97,6 @@ jobs:
      - sandbox
      - sandbox-race
      - sharefs
-      - hpkg
    runs-on: nix
    steps:
      - name: Checkout
@@ -1,5 +0,0 @@
-DO NOT ADD NEW ACTIONS HERE
-
-This port is solely for releasing to the github mirror and serves no purpose during development.
-All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
-request for an account on git.gensokyo.uk.
@@ -1,46 +0,0 @@
-name: Release
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  release:
-    name: Create release
-    runs-on: ubuntu-latest
-
-    permissions:
-      packages: write
-      contents: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v32
-        with:
-          nix_conf: |
-            keep-env-derivations = true
-            keep-outputs = true
-
-      - name: Restore and cache Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: build-${{ runner.os }}-
-          gc-max-store-size-linux: 1G
-          purge: true
-          purge-prefixes: build-${{ runner.os }}-
-          purge-created: 60
-          purge-primary-key: never
-
-      - name: Build for release
-        run: nix build --print-out-paths --print-build-logs .#dist
-
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |-
-            result/hakurei-**
@@ -1,48 +0,0 @@
-name: Test
-
-on:
-  - push
-
-jobs:
-  dist:
-    name: Create distribution
-    runs-on: ubuntu-latest
-    permissions:
-      actions: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v32
-        with:
-          nix_conf: |
-            keep-env-derivations = true
-            keep-outputs = true
-
-      - name: Restore and cache Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: build-${{ runner.os }}-
-          gc-max-store-size-linux: 1G
-          purge: true
-          purge-prefixes: build-${{ runner.os }}-
-          purge-created: 60
-          purge-primary-key: never
-
-      - name: Build for test
-        id: build-test
-        run: >-
-          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
-          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
-          nix build --print-out-paths --print-build-logs .#dist &&
-          mv package.nix.old package.nix &&
-          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
-
-      - name: Upload test build
-        uses: actions/upload-artifact@v4
-        with:
-          name: "hakurei-${{ steps.build-test.outputs.rev }}"
-          path: result/*
-          retention-days: 1
@@ -1,36 +1,15 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-*.pkg
-/hakurei
-
-# Test binary, built with `go test -c`
+# produced by tools and text editors
+*.qcow2
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
 .idea
 .vscode

 # go generate
 /cmd/hakurei/LICENSE
-/internal/pkg/testdata/testtool
+/cmd/mbf/internal/pkgserver/ui/static
+/internal/pkg/internal/testtool/testtool
+/internal/rosa/hakurei_current.tar.gz

-# release
-/dist/hakurei-*
-
-# interactive nixos vm
-nixos.qcow2
+# cmd/dist default destination
+/dist
@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/security/hakurei">
+  <a href="https://git.gensokyo.uk/rosa/hakurei">
    <picture>
      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
    </picture>
@@ -8,171 +8,58 @@

 <p align="center">
  <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
  <br/>
-  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
  <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>

-Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
-It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
-a self-contained Android-like package manager with modern security features.
+Hakurei is a tool for running sandboxed desktop applications as dedicated
+subordinate users on the Linux kernel. It implements the application container
+of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
+self-contained Android-like package manager with modern security features.

-## NixOS Module usage
+Interaction with hakurei happens entirely through structures described by
+package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
+due to internal details of uid isolation.

-The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
+## Notable Packages

-To use the module, import it into your configuration with
+Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
+container tooling. It is used by the hakurei shim process running as the target
+subordinate user to set up the application container. It has a single dependency,
+[libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
+for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).

-```nix
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
+infrastructure for hermetic builds. This replaces the legacy nix-based testing
+framework and serves as the build system of Rosa OS, currently developed under
+package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).

-    hakurei = {
-      url = "git+https://git.gensokyo.uk/security/hakurei";
+## Dependencies

-      # Optional but recommended to limit the size of your system closure.
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-  };
+`container` depends on:

-  outputs = { self, nixpkgs, hakurei, ... }:
-  {
-    nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        hakurei.nixosModules.hakurei
-      ];
-    };
-  };
-}
-```
+- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.

-This adds the `environment.hakurei` option:
+`cmd/hakurei` depends on:

-```nix
-{ pkgs, ... }:
+- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
+  subordinate users.
+- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
+  [security-context-v1](https://wayland.app/protocols/security-context-v1).
+- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
+  access to the X server.

-{
-  environment.hakurei = {
-    enable = true;
-    stateDir = "/var/lib/hakurei";
-    users = {
-      alice = 0;
-      nixos = 10;
-    };
+`cmd/sharefs` depends on:

-    commonPaths = [
-      {
-        src = "/sdcard";
-        write = true;
-      }
-    ];
+- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.

-    extraHomeConfig = {
-      home.stateVersion = "23.05";
-    };
+New dependencies will generally not be added. Patches adding new dependencies
+are very likely to be rejected.

-    apps = {
-      "org.chromium.Chromium" = {
-        name = "chromium";
-        identity = 1;
-        packages = [ pkgs.chromium ];
-        userns = true;
-        mapRealUid = true;
-        dbus = {
-          system = {
-            filter = true;
-            talk = [
-              "org.bluez"
-              "org.freedesktop.Avahi"
-              "org.freedesktop.UPower"
-            ];
-          };
-          session =
-            f:
-            f {
-              talk = [
-                "org.freedesktop.FileManager1"
-                "org.freedesktop.Notifications"
-                "org.freedesktop.ScreenSaver"
-                "org.freedesktop.secrets"
-                "org.kde.kwalletd5"
-                "org.kde.kwalletd6"
-              ];
-              own = [
-                "org.chromium.Chromium.*"
-                "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
-                "org.mpris.MediaPlayer2.chromium.*"
-              ];
-              call = { };
-              broadcast = { };
-            };
-        };
-      };
+## NixOS Module (deprecated)

-      "org.claws_mail.Claws-Mail" = {
-        name = "claws-mail";
-        identity = 2;
-        packages = [ pkgs.claws-mail ];
-        gpu = false;
-        capability.pulse = false;
-      };
-
-      "org.weechat" = {
-        name = "weechat";
-        identity = 3;
-        shareUid = true;
-        packages = [ pkgs.weechat ];
-        capability = {
-          wayland = false;
-          x11 = false;
-          dbus = true;
-          pulse = false;
-        };
-      };
-
-      "dev.vencord.Vesktop" = {
-        name = "discord";
-        identity = 3;
-        shareUid = true;
-        packages = [ pkgs.vesktop ];
-        share = pkgs.vesktop;
-        command = "vesktop --ozone-platform-hint=wayland";
-        userns = true;
-        mapRealUid = true;
-        capability.x11 = true;
-        dbus = {
-          session =
-            f:
-            f {
-              talk = [ "org.kde.StatusNotifierWatcher" ];
-              own = [ ];
-              call = { };
-              broadcast = { };
-            };
-          system.filter = true;
-        };
-      };
-
-      "io.looking-glass" = {
-        name = "looking-glass-client";
-        identity = 4;
-        useCommonPaths = false;
-        groups = [ "plugdev" ];
-        extraPaths = [
-          {
-            src = "/dev/shm/looking-glass";
-            write = true;
-          }
-        ];
-        extraConfig = {
-          programs.looking-glass-client.enable = true;
-        };
-      };
-    };
-  };
-}
-```
+The NixOS module is in maintenance mode and will be removed once planterette is
+feature-complete. Full module documentation can be found [here](options.md).
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+HAKUREI_DIST_MAKE='' exec "$(dirname -- "$0")/cmd/dist/dist.sh"
@@ -2,10 +2,10 @@
 package check

 import (
-	"encoding/json"
+	"encoding"
 	"errors"
 	"fmt"
-	"path"
+	"path/filepath"
 	"slices"
 	"strings"
 	"syscall"
@@ -30,6 +30,16 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }

+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }

@@ -61,7 +71,7 @@ func (a *Absolute) Is(v *Absolute) bool {

 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
-	if !path.IsAbs(pathname) {
+	if !filepath.IsAbs(pathname) {
 		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
@@ -76,46 +86,35 @@ func MustAbs(pathname string) *Absolute {
 	}
 }

-// Append calls [path.Join] with [Absolute] as the first element.
+// Append calls [filepath.Join] with [Absolute] as the first element.
 func (a *Absolute) Append(elem ...string) *Absolute {
-	return unsafeAbs(path.Join(append([]string{a.String()}, elem...)...))
+	return unsafeAbs(filepath.Join(append([]string{a.String()}, elem...)...))
 }

-// Dir calls [path.Dir] with [Absolute] as its argument.
-func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
+// Dir calls [filepath.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }

-// GobEncode returns the checked pathname.
-func (a *Absolute) GobEncode() ([]byte, error) {
-	return []byte(a.String()), nil
+// AppendText appends the checked pathname.
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+	return append(data, a.String()...), nil
 }

-// GobDecode stores data if it represents an absolute pathname.
-func (a *Absolute) GobDecode(data []byte) error {
+// MarshalText returns the checked pathname.
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
-	if !path.IsAbs(pathname) {
+	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
 	}
 	a.pathname = unique.Make(pathname)
 	return nil
 }

-// MarshalJSON returns a JSON representation of the checked pathname.
-func (a *Absolute) MarshalJSON() ([]byte, error) {
-	return json.Marshal(a.String())
-}
-
-// UnmarshalJSON stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalJSON(data []byte) error {
-	var pathname string
-	if err := json.Unmarshal(data, &pathname); err != nil {
-		return err
-	}
-	if !path.IsAbs(pathname) {
-		return AbsoluteError(pathname)
-	}
-	a.pathname = unique.Make(pathname)
-	return nil
-}
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }

 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
@@ -11,12 +11,12 @@ import (
 	"testing"
 	_ "unsafe" // for go:linkname

-	. "hakurei.app/container/check"
+	. "hakurei.app/check"
 )

 // unsafeAbs returns check.Absolute on any string value.
 //
-//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
+//go:linkname unsafeAbs hakurei.app/check.unsafeAbs
 func unsafeAbs(pathname string) *Absolute

 func TestAbsoluteError(t *testing.T) {
@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {

 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",

 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",

 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}

@@ -347,15 +347,6 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
-
-	t.Run("json passthrough", func(t *testing.T) {
-		t.Parallel()
-
-		wantErr := "invalid character ':' looking for beginning of value"
-		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
-			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
-		}
-	})
 }

 func TestAbsoluteWrap(t *testing.T) {
@@ -4,14 +4,23 @@ import "strings"

 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayPath = ":"
 )

-// EscapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
+// EscapeOverlayDataSegment escapes a string for formatting into the data
+// argument of an overlay mount system call.
+//
+// Deprecated: This is no longer used and will be removed in 0.5.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""
@@ -3,7 +3,7 @@ package check_test
 import (
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func TestEscapeOverlayDataSegment(t *testing.T) {
@@ -1,11 +1,11 @@
 #compdef hakurei

-_hakurei_app() {
+_hakurei_run() {
  __hakurei_files
  return $?
 }

-_hakurei_run() {
+_hakurei_exec() {
  _arguments \
    '--id[Reverse-DNS style Application identifier, leave empty to inherit instance identifier]:id' \
    '-a[Application identity]: :_numbers' \
@@ -57,9 +57,9 @@ __hakurei_instances() {
 {
  local -a _hakurei_cmds
  _hakurei_cmds=(
-    "app:Load and start container from configuration file"
-    "run:Configure and start a permissive container"
-    "show:Show live or local app configuration"
+    "run:Load and start container from configuration file"
+    "exec:Configure and start a permissive container"
+    "show:Show live or local instance configuration"
    "ps:List active instances"
    "version:Display version information"
    "license:Show full license text"
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/../.."
+echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
+FLAGS=''
+if test -n "$VERBOSE"; then
+    FLAGS="$FLAGS -v"
+fi
+go run $FLAGS --tags=dist ./cmd/dist
@@ -0,0 +1,249 @@
+//go:build dist
+
+package main
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha512"
+	_ "embed"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+)
+
+// getenv looks up an environment variable, and returns fallback if it is unset.
+func getenv(key, fallback string) string {
+	if v, ok := os.LookupEnv(key); ok {
+		return v
+	}
+	return fallback
+}
+
+// mustRun runs a command with the current process's environment and panics
+// on error or non-zero exit code.
+func mustRun(ctx context.Context, name string, arg ...string) {
+	cmd := exec.CommandContext(ctx, name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		panic(err)
+	}
+}
+
+//go:embed comp/_hakurei
+var comp []byte
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("")
+
+	verbose := os.Getenv("VERBOSE") != ""
+	runTests := os.Getenv("HAKUREI_DIST_MAKE") == ""
+	version := getenv("HAKUREI_VERSION", "untagged")
+	prefix := getenv("PREFIX", "/usr")
+	destdir := getenv("DESTDIR", "dist")
+
+	if verbose {
+		log.Println()
+	}
+
+	if err := os.MkdirAll(destdir, 0755); err != nil {
+		log.Fatal(err)
+	}
+	s, err := os.MkdirTemp(destdir, ".dist.*")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		var code int
+
+		if err = os.RemoveAll(s); err != nil {
+			code = 1
+			log.Println(err)
+		}
+
+		if r := recover(); r != nil {
+			code = 1
+			log.Println(r)
+		}
+
+		os.Exit(code)
+	}()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	verboseFlag := "-v"
+	if !verbose {
+		verboseFlag = "-buildvcs=false"
+	}
+
+	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
+	mustRun(ctx, "go", "generate", "./...")
+	mustRun(
+		ctx, "go", "build",
+		"-trimpath",
+		verboseFlag, "-o", s,
+		"-ldflags=-s -w "+
+			"-buildid= -linkmode external -extldflags=-static "+
+			"-X hakurei.app/internal/info.buildVersion="+version+" "+
+			"-X hakurei.app/internal/info.hakureiPath="+prefix+"/bin/hakurei "+
+			"-X hakurei.app/internal/info.hsuPath="+prefix+"/bin/hsu "+
+			"-X main.hakureiPath="+prefix+"/bin/hakurei",
+		"./...",
+	)
+	log.Println()
+
+	if runTests {
+		log.Println("##### Testing Hakurei.")
+		mustRun(
+			ctx, "go", "test",
+			"-ldflags=-buildid= -linkmode external -extldflags=-static",
+			"./...",
+		)
+		log.Println()
+	}
+
+	log.Println("##### Creating distribution.")
+	const suffix = ".tar.gz"
+	distName := "hakurei-" + version + "-" + runtime.GOARCH
+	var f *os.File
+	if f, err = os.OpenFile(
+		filepath.Join(s, distName+suffix),
+		os.O_CREATE|os.O_EXCL|os.O_WRONLY,
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	defer func() {
+		if f == nil {
+			return
+		}
+		if err = f.Close(); err != nil {
+			log.Println(err)
+		}
+	}()
+
+	h := sha512.New()
+	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
+	tw := tar.NewWriter(gw)
+
+	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
+		header := tar.Header{
+			Name:  filepath.Join(distName, name),
+			Size:  size,
+			Mode:  int64(mode),
+			Uname: "root",
+			Gname: "root",
+		}
+
+		if mode&os.ModeDir != 0 {
+			header.Typeflag = tar.TypeDir
+			fmt.Printf("%s %s\n", mode, name)
+		} else {
+			header.Typeflag = tar.TypeReg
+			fmt.Printf("%s %s (%d bytes)\n", mode, name, size)
+		}
+
+		if err = tw.WriteHeader(&header); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile := func(name string, data []byte, mode os.FileMode) {
+		mustWriteHeader(name, int64(len(data)), mode)
+		if mode&os.ModeDir != 0 {
+			return
+		}
+		if _, err = tw.Write(data); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFromPath := func(dst, src string, mode os.FileMode) {
+		var r *os.File
+		if r, err = os.Open(src); err != nil {
+			panic(err)
+		}
+
+		var fi os.FileInfo
+		if fi, err = r.Stat(); err != nil {
+			_ = r.Close()
+			panic(err)
+		}
+
+		if mode == 0 {
+			mode = fi.Mode()
+		}
+
+		mustWriteHeader(dst, fi.Size(), mode)
+		if _, err = io.Copy(tw, r); err != nil {
+			_ = r.Close()
+			panic(err)
+		} else if err = r.Close(); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile(".", nil, fs.ModeDir|0755)
+	mustWriteFile("comp/", nil, os.ModeDir|0755)
+	mustWriteFile("comp/_hakurei", comp, 0644)
+	mustWriteFile("install.sh", []byte(`#!/bin/sh -e
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/hakurei" "${DESTDIR}`+prefix+`/bin/hakurei"
+install -vDm0755 "bin/sharefs" "${DESTDIR}`+prefix+`/bin/sharefs"
+
+install -vDm4511 "bin/hsu" "${DESTDIR}`+prefix+`/bin/hsu"
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
+fi
+
+install -vDm0644 "comp/_hakurei" "${DESTDIR}`+prefix+`/share/zsh/site-functions/_hakurei"
+`), 0755)
+
+	mustWriteFromPath("README.md", "README.md", 0)
+	mustWriteFile("hsurc.default", []byte("1000 0"), 0400)
+	mustWriteFromPath("bin/hsu", filepath.Join(s, "hsu"), 04511)
+	for _, name := range []string{
+		"hakurei",
+		"sharefs",
+	} {
+		mustWriteFromPath(
+			filepath.Join("bin", name),
+			filepath.Join(s, name),
+			0,
+		)
+	}
+
+	if err = tw.Close(); err != nil {
+		panic(err)
+	} else if err = gw.Close(); err != nil {
+		panic(err)
+	} else if err = f.Close(); err != nil {
+		panic(err)
+	}
+	f = nil
+
+	if err = os.WriteFile(
+		filepath.Join(destdir, distName+suffix+".sha512"),
+		append(hex.AppendEncode(nil, h.Sum(nil)), "  "+distName+suffix+"\n"...),
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	if err = os.Rename(
+		filepath.Join(s, distName+suffix),
+		filepath.Join(destdir, distName+suffix),
+	); err != nil {
+		panic(err)
+	}
+}
@@ -0,0 +1,131 @@
+// The earlyinit is part of the Rosa OS initramfs and serves as the system init.
+//
+// This program is an internal detail of Rosa OS and is not usable on its own.
+// It is not covered by the compatibility promise.
+package main
+
+import (
+	"log"
+	"os"
+	"runtime"
+	"strings"
+	. "syscall"
+)
+
+func main() {
+	runtime.LockOSThread()
+	log.SetFlags(0)
+	log.SetPrefix("earlyinit: ")
+
+	var (
+		option map[string]string
+		flags  []string
+	)
+	if len(os.Args) > 1 {
+		option = make(map[string]string)
+		for _, s := range os.Args[1:] {
+			key, value, ok := strings.Cut(s, "=")
+			if !ok {
+				flags = append(flags, s)
+				continue
+			}
+			option[key] = value
+		}
+	}
+
+	if err := Mount(
+		"devtmpfs",
+		"/dev/",
+		"devtmpfs",
+		MS_NOSUID|MS_NOEXEC,
+		"",
+	); err != nil {
+		log.Fatalf("cannot mount devtmpfs: %v", err)
+	}
+
+	// The kernel might be unable to set up the console. When that happens,
+	// printk is called with "Warning: unable to open an initial console."
+	// and the init runs with no files. The checkfds runtime function
+	// populates 0-2 by opening /dev/null for them.
+	//
+	// This check replaces 1 and 2 with /dev/kmsg to improve the chance
+	// of output being visible to the user.
+	if fi, err := os.Stdout.Stat(); err == nil {
+		if stat, ok := fi.Sys().(*Stat_t); ok {
+			if stat.Rdev == 0x103 {
+				var fd int
+				if fd, err = Open(
+					"/dev/kmsg",
+					O_WRONLY|O_CLOEXEC,
+					0,
+				); err != nil {
+					log.Fatalf("cannot open kmsg: %v", err)
+				}
+
+				if err = Dup3(fd, Stdout, 0); err != nil {
+					log.Fatalf("cannot open stdout: %v", err)
+				}
+				if err = Dup3(fd, Stderr, 0); err != nil {
+					log.Fatalf("cannot open stderr: %v", err)
+				}
+
+				if err = Close(fd); err != nil {
+					log.Printf("cannot close kmsg: %v", err)
+				}
+			}
+		}
+	}
+
+	// staying in rootfs, these are no longer used
+	must(os.Remove("/root"))
+	must(os.Remove("/init"))
+
+	must(os.Mkdir("/proc", 0))
+	mustSyscall("mount proc", Mount(
+		"proc",
+		"/proc",
+		"proc",
+		MS_NOSUID|MS_NOEXEC|MS_NODEV,
+		"hidepid=1",
+	))
+
+	must(os.Mkdir("/sys", 0))
+	mustSyscall("mount sysfs", Mount(
+		"sysfs",
+		"/sys",
+		"sysfs",
+		0,
+		"",
+	))
+
+	// after top level has been set up
+	mustSyscall("remount root", Mount(
+		"",
+		"/",
+		"",
+		MS_REMOUNT|MS_BIND|
+			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
+		"",
+	))
+
+	must(os.WriteFile(
+		"/sys/module/firmware_class/parameters/path",
+		[]byte("/system/lib/firmware"),
+		0,
+	))
+
+}
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -11,11 +12,11 @@ import (
 	"strconv"
 	"sync"
 	"time"
-	_ "unsafe" // for go:linkname

+	"hakurei.app/check"
 	"hakurei.app/command"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
@@ -26,14 +27,20 @@ import (

 // optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
 // if it is not nil, or the original value if it is.
-//
-//go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
-func optionalErrorUnwrap(err error) error
+func optionalErrorUnwrap(err error) error {
+	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
+		return underlyingErr
+	}
+	return err
+}
+
+var errSuccess = errors.New("success")

 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
@@ -51,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")

 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -59,9 +67,9 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		var (
 			flagIdentifierFile int
 		)
-		c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
+		c.NewCommand("run", "Load and start container from configuration file", func(args []string) error {
 			if len(args) < 1 {
-				log.Fatal("app requires at least 1 argument")
+				log.Fatal("run requires at least 1 argument")
 			}

 			config := tryPath(msg, args[0])
@@ -69,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}

-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -89,12 +102,15 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagHomeDir  string
 			flagUserName string

+			flagSchedPolicy   string
+			flagSchedPriority int
+
 			flagPrivateRuntime, flagPrivateTmpdir bool

 			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
 		)

-		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
+		c.NewCommand("exec", "Configure and start a permissive container", func(args []string) error {
 			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
 				log.Fatalf("identity %d out of range", flagIdentity)
 			}
@@ -131,12 +147,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					log.Fatal(optionalErrorUnwrap(err))
 					return err
 				} else if progPath, err = check.NewAbs(p); err != nil {
-					log.Fatal(err.Error())
+					log.Fatal(err)
 					return err
 				}
 			}

-			var et hst.Enablement
+			var et hst.Enablements
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -150,11 +166,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				et |= hst.EPipeWire
 			}

-			config := &hst.Config{
+			config := hst.Config{
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: hst.NewEnablements(et),
+				Enablements: &et,

 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -177,6 +193,13 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				},
 			}

+			if err := config.SchedPolicy.UnmarshalText(
+				[]byte(flagSchedPolicy),
+			); err != nil {
+				log.Fatal(err)
+			}
+			config.SchedPriority = ext.Int(flagSchedPriority)
+
 			// bind GPU stuff
 			if et&(hst.EX11|hst.EWayland) != 0 {
 				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
@@ -214,7 +237,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					homeDir = passwd.HomeDir
 				}
 				if a, err := check.NewAbs(homeDir); err != nil {
-					log.Fatal(err.Error())
+					log.Fatal(err)
 					return err
 				} else {
 					config.Container.Home = a
@@ -234,11 +257,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 					config.SessionBus = dbus.NewConfig(flagID, true, flagDBusMpris)
 				} else {
 					if f, err := os.Open(flagDBusConfigSession); err != nil {
-						log.Fatal(err.Error())
+						log.Fatal(err)
 					} else {
 						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
 						if err = f.Close(); err != nil {
-							log.Fatal(err.Error())
+							log.Fatal(err)
 						}
 					}
 				}
@@ -246,11 +269,11 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				// system bus proxy is optional
 				if flagDBusConfigSystem != "nil" {
 					if f, err := os.Open(flagDBusConfigSystem); err != nil {
-						log.Fatal(err.Error())
+						log.Fatal(err)
 					} else {
 						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
 						if err = f.Close(); err != nil {
-							log.Fatal(err.Error())
+							log.Fatal(err)
 						}
 					}
 				}
@@ -266,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}

-			outcome.Main(ctx, msg, config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
@@ -287,6 +310,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Container home directory").
 			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
+			Flag(&flagSchedPolicy, "policy", command.StringFlag(""),
+				"Scheduling policy to set for the container").
+			Flag(&flagSchedPriority, "priority", command.IntFlag(0),
+				"Scheduling priority to set for the container").
 			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
 				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
 			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
@@ -308,7 +335,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagShort   bool
 			flagNoStore bool
 		)
-		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
+		c.NewCommand("show", "Show live or local instance configuration", func(args []string) error {
 			switch len(args) {
 			case 0: // system
 				printShowSystem(os.Stdout, flagShort, flagJSON)
@@ -20,12 +20,12 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]

 Commands:
-    app         Load and start container from configuration file
-    run         Configure and start a permissive container
-    show        Show live or local app configuration
+    run         Load and start container from configuration file
+    exec        Configure and start a permissive container
+    show        Show live or local instance configuration
    ps          List active instances
    version     Display version information
    license     Show full license text
@@ -35,8 +35,8 @@ Commands:
 `,
 		},
 		{
-			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
+			"exec", []string{"exec", "-h"}, `
+Usage:	hakurei exec [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]

 Flags:
  -X	Enable direct connection to X11
@@ -60,6 +60,10 @@ Flags:
    	Allow owning MPRIS D-Bus path, has no effect if custom config is available
  -pipewire
    	Enable connection to PipeWire via SecurityContext
+  -policy string
+    	Scheduling policy to set for the container
+  -priority int
+    	Scheduling priority to set for the container
  -private-runtime
    	Do not share XDG_RUNTIME_DIR between containers under the same identity
  -private-tmpdir
@@ -5,7 +5,7 @@ import (
 	"strings"
 	"testing"

-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestDecodeJSON(t *testing.T) {
@@ -1,8 +1,42 @@
+// Hakurei runs user-specified containers as subordinate users.
+//
+// This program is generally invoked by another, higher level program, which
+// creates container configuration via package [hst] or an implementation of it.
+//
+// The parent may leave files open and specify their file descriptor for various
+// uses. In these cases, standard streams and netpoll files are treated as
+// invalid file descriptors and rejected. All string representations must be in
+// decimal.
+//
+// When specifying a [hst.Config] JSON stream or file to the run subcommand, the
+// argument "-" is equivalent to stdin. Otherwise, file descriptor rules
+// described above applies. Invalid file descriptors are treated as file names
+// in their string representation, with the exception that if a netpoll file
+// descriptor is attempted, the program fails.
+//
+// The flag --identifier-fd can be optionally specified to the run subcommand to
+// receive the identifier of the newly started instance. File descriptor rules
+// described above applies, and the file must be writable. This is sent after
+// its state is made available, so the client must not attempt to poll for it.
+// This uses the internal binary format of [hst.ID].
+//
+// For the show and ps subcommands, the flag --json can be applied to the main
+// hakurei command to serialise output in JSON when applicable. Additionally,
+// the flag --short targeting each subcommand is used to omit some information
+// in both JSON and user-facing output. Only JSON-encoded output is covered
+// under the compatibility promise.
+//
+// A template for [hst.Config] demonstrating all available configuration fields
+// is returned by [hst.Template]. The JSON-encoded equivalent of this can be
+// obtained via the template subcommand. Fields left unpopulated in the template
+// (the direct_* family of fields, which are insecure under any configuration if
+// enabled) are unsupported.
+//
+// For simple (but insecure) testing scenarios, the exec subcommand can be used
+// to generate a simple, permissive configuration in-memory. See its help
+// message for all available options.
 package main

-// this works around go:embed '..' limitation
-//go:generate cp ../../LICENSE .
-
 import (
 	"context"
 	_ "embed"
@@ -13,15 +47,13 @@ import (
 	"syscall"

 	"hakurei.app/container"
+	"hakurei.app/ext"
 	"hakurei.app/message"
 )

-var (
-	errSuccess = errors.New("success")
-
-	//go:embed LICENSE
-	license string
-)
+//go:generate cp ../../LICENSE .
+//go:embed LICENSE
+var license string

 // earlyHardeningErrs are errors collected while setting up early hardening feature.
 type earlyHardeningErrs struct{ yamaLSM, dumpable error }
@@ -30,13 +62,13 @@ func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
 	container.TryArgv0(nil)

-	log.SetPrefix("hakurei: ")
 	log.SetFlags(0)
+	log.SetPrefix("hakurei: ")
 	msg := message.New(log.Default())

 	early := earlyHardeningErrs{
-		yamaLSM:  container.SetPtracer(0),
-		dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE),
+		yamaLSM:  ext.SetPtracer(0),
+		dumpable: ext.SetDumpable(ext.SUID_DUMP_DISABLE),
 	}

 	if os.Geteuid() == 0 {
@@ -17,8 +17,9 @@ import (
 )

 // tryPath attempts to read [hst.Config] from multiple sources.
-// tryPath reads from [os.Stdin] if name has value "-".
-// Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
+//
+// tryPath reads from [os.Stdin] if name has value "-". Otherwise, name is
+// passed to tryFd, and if that returns nil, name is passed to [os.Open].
 func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	var r io.ReadCloser
 	config = new(hst.Config)
@@ -46,7 +47,8 @@ func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	return
 }

-// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding
+// to a valid file descriptor.
 func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
@@ -60,7 +62,12 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {

 		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
-		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_FCNTL,
+			fd,
+			syscall.F_GETFD,
+			0,
+		); errno != 0 {
 			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
@@ -75,10 +82,12 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {
 	}
 }

-// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
+// shortLengthMin is the minimum length a short form identifier can have and
+// still be interpreted as an identifier.
 const shortLengthMin = 1 << 3

-// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
+// shortIdentifier returns an eight character short representation of [hst.ID]
+// from its random bytes.
 func shortIdentifier(id *hst.ID) string {
 	return shortIdentifierString(id.String())
 }
@@ -88,7 +97,8 @@ func shortIdentifierString(s string) string {
 	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
 }

-// tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of
+// [hst.ID] or a prefix of its lower half.
 func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	const (
 		likeShort = 1 << iota
@@ -96,7 +106,8 @@ func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	)

 	var likely uintptr
-	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
+	// half the hex representation
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) {
 		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {
@@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()

-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")
@@ -7,7 +7,7 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Enablements: new(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
@@ -1,7 +0,0 @@
-This program is a proof of concept and is now deprecated. It is only kept
-around for API demonstration purposes and to make the most out of the test
-suite.
-
-This program is replaced by planterette, which can be found at
-https://git.gensokyo.uk/security/planterette. Development effort should be
-focused there instead.
@@ -1,173 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"os"
-
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-)
-
-type appInfo struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-
-	// passed through to [hst.Config]
-	ID string `json:"id"`
-	// passed through to [hst.Config]
-	Identity int `json:"identity"`
-	// passed through to [hst.Config]
-	Groups []string `json:"groups,omitempty"`
-	// passed through to [hst.Config]
-	Devel bool `json:"devel,omitempty"`
-	// passed through to [hst.Config]
-	Userns bool `json:"userns,omitempty"`
-	// passed through to [hst.Config]
-	HostNet bool `json:"net,omitempty"`
-	// passed through to [hst.Config]
-	HostAbstract bool `json:"abstract,omitempty"`
-	// passed through to [hst.Config]
-	Device bool `json:"dev,omitempty"`
-	// passed through to [hst.Config]
-	Tty bool `json:"tty,omitempty"`
-	// passed through to [hst.Config]
-	MapRealUID bool `json:"map_real_uid,omitempty"`
-	// passed through to [hst.Config]
-	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// passed through to [hst.Config]
-	SystemBus *hst.BusConfig `json:"system_bus,omitempty"`
-	// passed through to [hst.Config]
-	SessionBus *hst.BusConfig `json:"session_bus,omitempty"`
-	// passed through to [hst.Config]
-	Enablements *hst.Enablements `json:"enablements,omitempty"`
-
-	// passed through to [hst.Config]
-	Multiarch bool `json:"multiarch,omitempty"`
-	// passed through to [hst.Config]
-	Bluetooth bool `json:"bluetooth,omitempty"`
-
-	// allow gpu access within sandbox
-	GPU bool `json:"gpu"`
-	// store path to nixGL mesa wrappers
-	Mesa string `json:"mesa,omitempty"`
-	// store path to nixGL source
-	NixGL string `json:"nix_gl,omitempty"`
-	// store path to activate-and-exec script
-	Launcher *check.Absolute `json:"launcher"`
-	// store path to /run/current-system
-	CurrentSystem *check.Absolute `json:"current_system"`
-	// store path to home-manager activation package
-	ActivationPackage string `json:"activation_package"`
-}
-
-func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []string, flagDropShell bool) *hst.Config {
-	config := &hst.Config{
-		ID: app.ID,
-
-		Enablements: app.Enablements,
-
-		SystemBus:     app.SystemBus,
-		SessionBus:    app.SessionBus,
-		DirectWayland: app.DirectWayland,
-
-		Identity: app.Identity,
-		Groups:   app.Groups,
-
-		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name),
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
-				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsPrivateTmp.Append("app")}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
-				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
-			},
-
-			Username: "hakurei",
-			Shell:    pathShell,
-			Home:     pathDataData.Append(app.ID),
-
-			Path: pathname,
-			Args: argv,
-		},
-		ExtraPerms: []hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-		},
-	}
-
-	if app.Devel {
-		config.Container.Flags |= hst.FDevel
-	}
-	if app.Userns {
-		config.Container.Flags |= hst.FUserns
-	}
-	if app.HostNet {
-		config.Container.Flags |= hst.FHostNet
-	}
-	if app.HostAbstract {
-		config.Container.Flags |= hst.FHostAbstract
-	}
-	if app.Device {
-		config.Container.Flags |= hst.FDevice
-	}
-	if app.Tty || flagDropShell {
-		config.Container.Flags |= hst.FTty
-	}
-	if app.MapRealUID {
-		config.Container.Flags |= hst.FMapRealUID
-	}
-	if app.Multiarch {
-		config.Container.Flags |= hst.FMultiarch
-	}
-	config.Container.Flags |= hst.FShareRuntime | hst.FShareTmpdir
-	return config
-}
-
-func loadAppInfo(name string, beforeFail func()) *appInfo {
-	bundle := new(appInfo)
-	if f, err := os.Open(name); err != nil {
-		beforeFail()
-		log.Fatalf("cannot open bundle: %v", err)
-	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
-		beforeFail()
-		log.Fatalf("cannot parse bundle metadata: %v", err)
-	} else if err = f.Close(); err != nil {
-		log.Printf("cannot close bundle metadata: %v", err)
-		// not fatal
-	}
-
-	if bundle.ID == "" {
-		beforeFail()
-		log.Fatal("application identifier must not be empty")
-	}
-	if bundle.Launcher == nil {
-		beforeFail()
-		log.Fatal("launcher must not be empty")
-	}
-	if bundle.CurrentSystem == nil {
-		beforeFail()
-		log.Fatal("current-system must not be empty")
-	}
-
-	return bundle
-}
-
-func formatHostname(name string) string {
-	if h, err := os.Hostname(); err != nil {
-		log.Printf("cannot get hostname: %v", err)
-		return "hakurei-" + name
-	} else {
-		return h + "-" + name
-	}
-}
@@ -1,256 +0,0 @@
-{
-  nixpkgsFor,
-  system,
-  nixpkgs,
-  home-manager,
-}:
-
-{
-  lib,
-  stdenv,
-  closureInfo,
-  writeScript,
-  runtimeShell,
-  writeText,
-  symlinkJoin,
-  vmTools,
-  runCommand,
-  fetchFromGitHub,
-
-  zstd,
-  nix,
-  sqlite,
-
-  name ? throw "name is required",
-  version ? throw "version is required",
-  pname ? "${name}-${version}",
-  modules ? [ ],
-  nixosModules ? [ ],
-  script ? ''
-    exec "$SHELL" "$@"
-  '',
-
-  id ? name,
-  identity ? throw "identity is required",
-  groups ? [ ],
-  userns ? false,
-  net ? true,
-  dev ? false,
-  no_new_session ? false,
-  map_real_uid ? false,
-  direct_wayland ? false,
-  system_bus ? null,
-  session_bus ? null,
-
-  allow_wayland ? true,
-  allow_x11 ? false,
-  allow_dbus ? true,
-  allow_audio ? true,
-  gpu ? allow_wayland || allow_x11,
-}:
-
-let
-  inherit (lib) optionals;
-
-  homeManagerConfiguration = home-manager.lib.homeManagerConfiguration {
-    pkgs = nixpkgsFor.${system};
-    modules = modules ++ [
-      {
-        home = {
-          username = "hakurei";
-          homeDirectory = "/data/data/${id}";
-          stateVersion = "22.11";
-        };
-      }
-    ];
-  };
-
-  launcher = writeScript "hakurei-${pname}" ''
-    #!${runtimeShell} -el
-    ${script}
-  '';
-
-  extraNixOSConfig =
-    { pkgs, ... }:
-    {
-      environment = {
-        etc.nixpkgs.source = nixpkgs.outPath;
-        systemPackages = [ pkgs.nix ];
-      };
-
-      imports = nixosModules;
-    };
-  nixos = nixpkgs.lib.nixosSystem {
-    inherit system;
-    modules = [
-      extraNixOSConfig
-      { nix.settings.experimental-features = [ "flakes" ]; }
-      { nix.settings.experimental-features = [ "nix-command" ]; }
-      { boot.isContainer = true; }
-      { system.stateVersion = "22.11"; }
-    ];
-  };
-
-  etc = vmTools.runInLinuxVM (
-    runCommand "etc" { } ''
-      mkdir -p /etc
-      ${nixos.config.system.build.etcActivationCommands}
-
-      # remove unused files
-      rm -rf /etc/sudoers
-
-      mkdir -p $out
-      tar -C /etc -cf "$out/etc.tar" .
-    ''
-  );
-
-  extendSessionDefault = id: ext: {
-    filter = true;
-
-    talk = [ "org.freedesktop.Notifications" ] ++ ext.talk;
-    own =
-      (optionals (id != null) [
-        "${id}.*"
-        "org.mpris.MediaPlayer2.${id}.*"
-      ])
-      ++ ext.own;
-
-    inherit (ext) call broadcast;
-  };
-
-  nixGL = fetchFromGitHub {
-    owner = "nix-community";
-    repo = "nixGL";
-    rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a";
-    hash = "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=";
-  };
-
-  mesaWrappers =
-    let
-      isIntelX86Platform = system == "x86_64-linux";
-      nixGLPackages = import (nixGL + "/default.nix") {
-        pkgs = nixpkgs.legacyPackages.${system};
-        enable32bits = isIntelX86Platform;
-        enableIntelX86Extensions = isIntelX86Platform;
-      };
-    in
-    symlinkJoin {
-      name = "nixGL-mesa";
-      paths = with nixGLPackages; [
-        nixGLIntel
-        nixVulkanIntel
-      ];
-    };
-
-  info = builtins.toJSON {
-    inherit
-      name
-      version
-      id
-      identity
-      launcher
-      groups
-      userns
-      net
-      dev
-      no_new_session
-      map_real_uid
-      direct_wayland
-      system_bus
-      gpu
-      ;
-
-    session_bus =
-      if session_bus != null then
-        (session_bus (extendSessionDefault id))
-      else
-        (extendSessionDefault id {
-          talk = [ ];
-          own = [ ];
-          call = { };
-          broadcast = { };
-        });
-
-    enablements = {
-      wayland = allow_wayland;
-      x11 = allow_x11;
-      dbus = allow_dbus;
-      pipewire = allow_audio;
-    };
-
-    mesa = if gpu then mesaWrappers else null;
-    nix_gl = if gpu then nixGL else null;
-    current_system = nixos.config.system.build.toplevel;
-    activation_package = homeManagerConfiguration.activationPackage;
-  };
-in
-
-stdenv.mkDerivation {
-  name = "${pname}.pkg";
-  inherit version;
-  __structuredAttrs = true;
-
-  nativeBuildInputs = [
-    zstd
-    nix
-    sqlite
-  ];
-
-  buildCommand = ''
-    NIX_ROOT="$(mktemp -d)"
-    export USER="nobody"
-
-    # create bootstrap store
-    bootstrapClosureInfo="${
-      closureInfo {
-        rootPaths = [
-          nix
-          nixos.config.system.build.toplevel
-        ];
-      }
-    }"
-    echo "copying bootstrap store paths..."
-    mkdir -p "$NIX_ROOT/nix/store"
-    xargs -n 1 -a "$bootstrapClosureInfo/store-paths" cp -at "$NIX_ROOT/nix/store/"
-    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --load-db < "$bootstrapClosureInfo/registration"
-    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --optimise
-    sqlite3 "$NIX_ROOT/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
-    chmod -R +r "$NIX_ROOT/nix/var"
-
-    # create binary cache
-    closureInfo="${
-      closureInfo {
-        rootPaths = [
-          homeManagerConfiguration.activationPackage
-          launcher
-        ]
-        ++ optionals gpu [
-          mesaWrappers
-          nixGL
-        ];
-      }
-    }"
-    echo "copying application paths..."
-    TMP_STORE="$(mktemp -d)"
-    mkdir -p "$TMP_STORE/nix/store"
-    xargs -n 1 -a "$closureInfo/store-paths" cp -at "$TMP_STORE/nix/store/"
-    NIX_REMOTE="local?root=$TMP_STORE" nix-store --load-db < "$closureInfo/registration"
-    sqlite3 "$TMP_STORE/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
-    NIX_REMOTE="local?root=$TMP_STORE" nix --offline --extra-experimental-features nix-command \
-        --verbose --log-format raw-with-logs \
-        copy --all --no-check-sigs --to \
-        "file://$NIX_ROOT/res?compression=zstd&compression-level=19&parallel-compression=true"
-
-    # package /etc
-    mkdir -p "$NIX_ROOT/etc"
-    tar -C "$NIX_ROOT/etc" -xf "${etc}/etc.tar"
-
-    # write metadata
-    cp "${writeText "bundle.json" info}" "$NIX_ROOT/bundle.json"
-
-    # create an intermediate file to improve zstd performance
-    INTER="$(mktemp)"
-    tar -C "$NIX_ROOT" -cf "$INTER" .
-    zstd -T0 -19 -fo "$out" "$INTER"
-  '';
-}
@@ -1,335 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"log"
-	"os"
-	"os/signal"
-	"path"
-	"syscall"
-
-	"hakurei.app/command"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-var (
-	errSuccess = errors.New("success")
-)
-
-func main() {
-	log.SetPrefix("hpkg: ")
-	log.SetFlags(0)
-	msg := message.New(log.Default())
-
-	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
-		log.Fatalf("cannot set $SHELL: %v", err)
-	}
-
-	if os.Geteuid() == 0 {
-		log.Fatal("this program must not run as root")
-	}
-
-	ctx, stop := signal.NotifyContext(context.Background(),
-		syscall.SIGINT, syscall.SIGTERM)
-	defer stop() // unreachable
-
-	var (
-		flagVerbose   bool
-		flagDropShell bool
-	)
-	c := command.New(os.Stderr, log.Printf, "hpkg", func([]string) error { msg.SwapVerbose(flagVerbose); return nil }).
-		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
-		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
-
-	{
-		var (
-			flagDropShellActivate bool
-		)
-		c.NewCommand("install", "Install an application from its package", func(args []string) error {
-			if len(args) != 1 {
-				log.Println("invalid argument")
-				return syscall.EINVAL
-			}
-			pkgPath := args[0]
-			if !path.IsAbs(pkgPath) {
-				if dir, err := os.Getwd(); err != nil {
-					log.Printf("cannot get current directory: %v", err)
-					return err
-				} else {
-					pkgPath = path.Join(dir, pkgPath)
-				}
-			}
-
-			/*
-				Look up paths to programs started by hpkg.
-				This is done here to ease error handling as cleanup is not yet required.
-			*/
-
-			var (
-				_     = lookPath("zstd")
-				tar   = lookPath("tar")
-				chmod = lookPath("chmod")
-				rm    = lookPath("rm")
-			)
-
-			/*
-				Extract package and set up for cleanup.
-			*/
-
-			var workDir *check.Absolute
-			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
-				log.Printf("cannot create temporary directory: %v", err)
-				return err
-			} else if workDir, err = check.NewAbs(p); err != nil {
-				log.Printf("invalid temporary directory: %v", err)
-				return err
-			}
-			cleanup := func() {
-				// should be faster than a native implementation
-				mustRun(msg, chmod, "-R", "+w", workDir.String())
-				mustRun(msg, rm, "-rf", workDir.String())
-			}
-			beforeRunFail.Store(&cleanup)
-
-			mustRun(msg, tar, "-C", workDir.String(), "-xf", pkgPath)
-
-			/*
-				Parse bundle and app metadata, do pre-install checks.
-			*/
-
-			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
-			pathSet := pathSetByApp(bundle.ID)
-
-			a := bundle
-			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
-				if !os.IsNotExist(err) {
-					cleanup()
-					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
-					return err
-				}
-				// did not modify app, clean installation condition met later
-			} else if s.IsDir() {
-				cleanup()
-				log.Printf("metadata path %q is not a file", pathSet.metaPath)
-				return syscall.EBADMSG
-			} else {
-				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
-				if a.ID != bundle.ID {
-					cleanup()
-					log.Printf("app %q claims to have identifier %q",
-						bundle.ID, a.ID)
-					return syscall.EBADE
-				}
-				// sec: should verify credentials
-			}
-
-			if a != bundle {
-				// do not try to re-install
-				if a.NixGL == bundle.NixGL &&
-					a.CurrentSystem == bundle.CurrentSystem &&
-					a.Launcher == bundle.Launcher &&
-					a.ActivationPackage == bundle.ActivationPackage {
-					cleanup()
-					log.Printf("package %q is identical to local application %q",
-						pkgPath, a.ID)
-					return errSuccess
-				}
-
-				// identity determines uid
-				if a.Identity != bundle.Identity {
-					cleanup()
-					log.Printf("package %q identity %d differs from installed %d",
-						pkgPath, bundle.Identity, a.Identity)
-					return syscall.EBADE
-				}
-
-				// sec: should compare version string
-				msg.Verbosef("installing application %q version %q over local %q",
-					bundle.ID, bundle.Version, a.Version)
-			} else {
-				msg.Verbosef("application %q clean installation", bundle.ID)
-				// sec: should install credentials
-			}
-
-			/*
-				Setup steps for files owned by the target user.
-			*/
-
-			withCacheDir(ctx, msg, "install", []string{
-				// export inner bundle path in the environment
-				"export BUNDLE=" + hst.PrivateTmp + "/bundle",
-				// replace inner /etc
-				"mkdir -p etc",
-				"chmod -R +w etc",
-				"rm -rf etc",
-				"cp -dRf $BUNDLE/etc etc",
-				// replace inner /nix
-				"mkdir -p nix",
-				"chmod -R +w nix",
-				"rm -rf nix",
-				"cp -dRf /nix nix",
-				// copy from binary cache
-				"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
-				// deduplicate nix store
-				"nix store --offline --store $PWD optimise",
-				// make cache directory world-readable for autoetc
-				"chmod 0755 .",
-			}, workDir, bundle, pathSet, flagDropShell, cleanup)
-
-			if bundle.GPU {
-				withCacheDir(ctx, msg, "mesa-wrappers", []string{
-					// link nixGL mesa wrappers
-					"mkdir -p nix/.nixGL",
-					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
-					"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
-				}, workDir, bundle, pathSet, false, cleanup)
-			}
-
-			/*
-				Activate home-manager generation.
-			*/
-
-			withNixDaemon(ctx, msg, "activate", []string{
-				// clean up broken links
-				"mkdir -p .local/state/{nix,home-manager}",
-				"chmod -R +w .local/state/{nix,home-manager}",
-				"rm -rf .local/state/{nix,home-manager}",
-				// run activation script
-				bundle.ActivationPackage + "/activate",
-			}, false, func(config *hst.Config) *hst.Config { return config },
-				bundle, pathSet, flagDropShellActivate, cleanup)
-
-			/*
-				Installation complete. Write metadata to block re-installs or downgrades.
-			*/
-
-			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
-				cleanup()
-				log.Printf("cannot create metadata file: %v", err)
-				return err
-			} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
-				cleanup()
-				log.Printf("cannot write metadata: %v", err)
-				return err
-			} else if err = f.Close(); err != nil {
-				log.Printf("cannot close metadata file: %v", err)
-				// not fatal
-			}
-
-			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
-				cleanup()
-				log.Printf("cannot rename metadata file: %v", err)
-				return err
-			}
-
-			cleanup()
-			return errSuccess
-		}).
-			Flag(&flagDropShellActivate, "s", command.BoolFlag(false), "Drop to a shell on activation")
-	}
-
-	{
-		var (
-			flagDropShellNixGL bool
-			flagAutoDrivers    bool
-		)
-		c.NewCommand("start", "Start an application", func(args []string) error {
-			if len(args) < 1 {
-				log.Println("invalid argument")
-				return syscall.EINVAL
-			}
-
-			/*
-				Parse app metadata.
-			*/
-
-			id := args[0]
-			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath.String(), func() {})
-			if a.ID != id {
-				log.Printf("app %q claims to have identifier %q", id, a.ID)
-				return syscall.EBADE
-			}
-
-			/*
-				Prepare nixGL.
-			*/
-
-			if a.GPU && flagAutoDrivers {
-				withNixDaemon(ctx, msg, "nix-gl", []string{
-					"mkdir -p /nix/.nixGL/auto",
-					"rm -rf /nix/.nixGL/auto",
-					"export NIXPKGS_ALLOW_UNFREE=1",
-					"nix build --impure " +
-						"--out-link /nix/.nixGL/auto/opengl " +
-						"--override-input nixpkgs path:/etc/nixpkgs " +
-						"path:" + a.NixGL,
-					"nix build --impure " +
-						"--out-link /nix/.nixGL/auto/vulkan " +
-						"--override-input nixpkgs path:/etc/nixpkgs " +
-						"path:" + a.NixGL + "#nixVulkanNvidia",
-				}, true, func(config *hst.Config) *hst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
-						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
-					}...)
-					appendGPUFilesystem(config)
-					return config
-				}, a, pathSet, flagDropShellNixGL, func() {})
-			}
-
-			/*
-				Create app configuration.
-			*/
-
-			pathname := a.Launcher
-			argv := make([]string, 1, len(args))
-			if flagDropShell {
-				pathname = pathShell
-				argv[0] = bash
-			} else {
-				argv[0] = a.Launcher.String()
-			}
-			argv = append(argv, args[1:]...)
-			config := a.toHst(pathSet, pathname, argv, flagDropShell)
-
-			/*
-				Expose GPU devices.
-			*/
-
-			if a.GPU {
-				config.Container.Filesystem = append(config.Container.Filesystem,
-					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsPrivateTmp.Append("nixGL")}})
-				appendGPUFilesystem(config)
-			}
-
-			/*
-				Spawn app.
-			*/
-
-			mustRunApp(ctx, msg, config, func() {})
-			return errSuccess
-		}).
-			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
-			Flag(&flagAutoDrivers, "auto-drivers", command.BoolFlag(false), "Attempt automatic opengl driver detection")
-	}
-
-	c.MustParse(os.Args[1:], func(err error) {
-		msg.Verbosef("command returned %v", err)
-		if errors.Is(err, errSuccess) {
-			msg.BeforeExit()
-			os.Exit(0)
-		}
-	})
-	log.Fatal("unreachable")
-}
@@ -1,117 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-	"os/exec"
-	"strconv"
-	"sync/atomic"
-
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-const bash = "bash"
-
-var (
-	dataHome *check.Absolute
-)
-
-func init() {
-	// dataHome
-	if a, err := check.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
-		dataHome = a
-	} else {
-		dataHome = fhs.AbsVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
-	}
-}
-
-var (
-	pathBin = fhs.AbsRoot.Append("bin")
-
-	pathNix           = check.MustAbs("/nix/")
-	pathNixStore      = pathNix.Append("store/")
-	pathCurrentSystem = fhs.AbsRun.Append("current-system")
-	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
-	pathShell         = pathSwBin.Append(bash)
-
-	pathData     = check.MustAbs("/data")
-	pathDataData = pathData.Append("data")
-)
-
-func lookPath(file string) string {
-	if p, err := exec.LookPath(file); err != nil {
-		log.Fatalf("%s: command not found", file)
-		return ""
-	} else {
-		return p
-	}
-}
-
-var beforeRunFail = new(atomic.Pointer[func()])
-
-func mustRun(msg message.Msg, name string, arg ...string) {
-	msg.Verbosef("spawning process: %q %q", name, arg)
-	cmd := exec.Command(name, arg...)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	if err := cmd.Run(); err != nil {
-		if f := beforeRunFail.Swap(nil); f != nil {
-			(*f)()
-		}
-		log.Fatalf("%s: %v", name, err)
-	}
-}
-
-type appPathSet struct {
-	// ${dataHome}/${id}
-	baseDir *check.Absolute
-	// ${baseDir}/app
-	metaPath *check.Absolute
-	// ${baseDir}/files
-	homeDir *check.Absolute
-	// ${baseDir}/cache
-	cacheDir *check.Absolute
-	// ${baseDir}/cache/nix
-	nixPath *check.Absolute
-}
-
-func pathSetByApp(id string) *appPathSet {
-	pathSet := new(appPathSet)
-	pathSet.baseDir = dataHome.Append(id)
-	pathSet.metaPath = pathSet.baseDir.Append("app")
-	pathSet.homeDir = pathSet.baseDir.Append("files")
-	pathSet.cacheDir = pathSet.baseDir.Append("cache")
-	pathSet.nixPath = pathSet.cacheDir.Append("nix")
-	return pathSet
-}
-
-func appendGPUFilesystem(config *hst.Config) {
-	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
-		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("dri"), Device: true, Optional: true}},
-		// mali
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali0"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("umplock"), Device: true, Optional: true}},
-		// nvidia
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidiactl"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-modeset"), Device: true, Optional: true}},
-		// nvidia OpenCL/CUDA
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
-
-		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia1"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia3"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia5"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia7"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia9"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia11"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia13"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia15"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia17"), Device: true, Optional: true}},
-		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia19"), Device: true, Optional: true}},
-	}...)
-}
@@ -1,61 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"io"
-	"log"
-	"os"
-	"os/exec"
-
-	"hakurei.app/hst"
-	"hakurei.app/internal/info"
-	"hakurei.app/message"
-)
-
-var hakureiPathVal = info.MustHakureiPath().String()
-
-func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
-	var (
-		cmd *exec.Cmd
-		st  io.WriteCloser
-	)
-
-	if r, w, err := os.Pipe(); err != nil {
-		beforeFail()
-		log.Fatalf("cannot pipe: %v", err)
-	} else {
-		if msg.IsVerbose() {
-			cmd = exec.CommandContext(ctx, hakureiPathVal, "-v", "app", "3")
-		} else {
-			cmd = exec.CommandContext(ctx, hakureiPathVal, "app", "3")
-		}
-		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-		cmd.ExtraFiles = []*os.File{r}
-		st = w
-	}
-
-	go func() {
-		if err := json.NewEncoder(st).Encode(config); err != nil {
-			beforeFail()
-			log.Fatalf("cannot send configuration: %v", err)
-		}
-	}()
-
-	if err := cmd.Start(); err != nil {
-		beforeFail()
-		log.Fatalf("cannot start hakurei: %v", err)
-	}
-	if err := cmd.Wait(); err != nil {
-		var exitError *exec.ExitError
-		if errors.As(err, &exitError) {
-			beforeFail()
-			msg.BeforeExit()
-			os.Exit(exitError.ExitCode())
-		} else {
-			beforeFail()
-			log.Fatalf("cannot wait: %v", err)
-		}
-	}
-}
@@ -1,62 +0,0 @@
-{ pkgs, ... }:
-{
-  users.users = {
-    alice = {
-      isNormalUser = true;
-      description = "Alice Foobar";
-      password = "foobar";
-      uid = 1000;
-    };
-  };
-
-  home-manager.users.alice.home.stateVersion = "24.11";
-
-  # Automatically login on tty1 as a normal user:
-  services.getty.autologinUser = "alice";
-
-  environment = {
-    variables = {
-      SWAYSOCK = "/tmp/sway-ipc.sock";
-      WLR_RENDERER = "pixman";
-    };
-  };
-
-  # Automatically configure and start Sway when logging in on tty1:
-  programs.bash.loginShellInit = ''
-    if [ "$(tty)" = "/dev/tty1" ]; then
-      set -e
-
-      mkdir -p ~/.config/sway
-      (sed s/Mod4/Mod1/ /etc/sway/config &&
-      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
-      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
-
-      sway --validate
-      systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
-    fi
-  '';
-
-  programs.sway.enable = true;
-
-  virtualisation = {
-    diskSize = 6 * 1024;
-
-    qemu.options = [
-      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
-      "-vga none -device virtio-gpu-pci"
-
-      # Increase zstd performance:
-      "-smp 8"
-    ];
-  };
-
-  environment.hakurei = {
-    enable = true;
-    stateDir = "/var/lib/hakurei";
-    users.alice = 0;
-
-    extraHomeConfig = {
-      home.stateVersion = "23.05";
-    };
-  };
-}
@@ -1,34 +0,0 @@
-{
-  testers,
-  callPackage,
-
-  system,
-  self,
-}:
-let
-  buildPackage = self.buildPackage.${system};
-in
-testers.nixosTest {
-  name = "hpkg";
-  nodes.machine = {
-    environment.etc = {
-      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
-    };
-
-    imports = [
-      ./configuration.nix
-
-      self.nixosModules.hakurei
-      self.inputs.home-manager.nixosModules.home-manager
-    ];
-  };
-
-  # adapted from nixos sway integration tests
-
-  # testScriptWithTypes:49: error: Cannot call function of unknown type
-  #           (machine.succeed if succeed else machine.execute)(
-  #           ^
-  # Found 1 error in 1 file (checked 1 source file)
-  skipTypeCheck = true;
-  testScript = builtins.readFile ./test.py;
-}
@@ -1,48 +0,0 @@
-{
-  lib,
-  buildPackage,
-  foot,
-  wayland-utils,
-  inconsolata,
-}:
-
-buildPackage {
-  name = "foot";
-  inherit (foot) version;
-
-  identity = 2;
-  id = "org.codeberg.dnkl.foot";
-
-  modules = [
-    {
-      home.packages = [
-        foot
-
-        # For wayland-info:
-        wayland-utils
-      ];
-    }
-  ];
-
-  nixosModules = [
-    {
-      # To help with OCR:
-      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
-        main = {
-          font = "inconsolata:size=14";
-        };
-        colors = rec {
-          foreground = "000000";
-          background = "ffffff";
-          regular2 = foreground;
-        };
-      };
-
-      fonts.packages = [ inconsolata ];
-    }
-  ];
-
-  script = ''
-    exec foot "$@"
-  '';
-}
@@ -1,110 +0,0 @@
-import json
-import shlex
-
-q = shlex.quote
-NODE_GROUPS = ["nodes", "floating_nodes"]
-
-
-def swaymsg(command: str = "", succeed=True, type="command"):
-    assert command != "" or type != "command", "Must specify command or type"
-    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
-    with machine.nested(
-            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
-    ):
-        ret = (machine.succeed if succeed else machine.execute)(
-            f"su - alice -c {shell}"
-        )
-
-    # execute also returns a status code, but disregard.
-    if not succeed:
-        _, ret = ret
-
-    if not succeed and not ret:
-        return None
-
-    parsed = json.loads(ret)
-    return parsed
-
-
-def walk(tree):
-    yield tree
-    for group in NODE_GROUPS:
-        for node in tree.get(group, []):
-            yield from walk(node)
-
-
-def wait_for_window(pattern):
-    def func(last_chance):
-        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
-
-        if last_chance:
-            nodes = list(nodes)
-            machine.log(f"Last call! Current list of windows: {nodes}")
-
-        return any(pattern in name for name in nodes)
-
-    retry(func)
-
-
-def collect_state_ui(name):
-    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
-    machine.copy_from_vm(f"/tmp/{name}.ps", "")
-    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
-    machine.copy_from_vm(f"/tmp/{name}.json", "")
-    machine.screenshot(name)
-
-
-def check_state(name, enablements):
-    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
-    if len(instances) != 1:
-        raise Exception(f"unexpected state length {len(instances)}")
-    instance = instances[0]
-
-    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
-        raise Exception(f"unexpected args {instance['container']['args']}")
-
-    if instance['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {instance['enablements']}")
-
-
-start_all()
-machine.wait_for_unit("multi-user.target")
-
-# To check hakurei's version:
-print(machine.succeed("sudo -u alice -i hakurei version"))
-
-# Wait for Sway to complete startup:
-machine.wait_for_file("/run/user/1000/wayland-1")
-machine.wait_for_file("/tmp/sway-ipc.sock")
-
-# Prepare hpkg directory:
-machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
-
-# Install hpkg app:
-swaymsg("exec hpkg -v install /etc/foot.pkg && touch /tmp/hpkg-install-ok")
-machine.wait_for_file("/tmp/hpkg-install-ok")
-
-# Start app (foot) with Wayland enablement:
-swaymsg("exec hpkg -v start org.codeberg.dnkl.foot")
-wait_for_window("hakurei@machine-foot")
-machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
-collect_state_ui("app_wayland")
-check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
-# Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
-machine.send_chars("exit\n")
-machine.wait_until_fails("pgrep foot")
-# Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
-
-# Exit Sway and verify process exit status 0:
-swaymsg("exit", succeed=False)
-machine.wait_for_file("/tmp/sway-exit-ok")
-
-# Print hakurei share and rundir contents:
-print(machine.succeed("find /tmp/hakurei.0 "
-    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
-    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
-    + "-print"))
-print(machine.fail("ls /run/user/1000/hakurei"))
@@ -1,130 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"strings"
-
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-func withNixDaemon(
-	ctx context.Context,
-	msg message.Msg,
-	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	flags := hst.FMultiarch | hst.FUserns // nix sandbox requires userns
-	if net {
-		flags |= hst.FHostNet
-	}
-	if dropShell {
-		flags |= hst.FTty
-	}
-
-	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
-		ID: app.ID,
-
-		ExtraPerms: []hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-		},
-
-		Identity: app.Identity,
-
-		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name) + "-" + action,
-
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
-				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
-				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
-			},
-
-			Username: "hakurei",
-			Shell:    pathShell,
-			Home:     pathDataData.Append(app.ID),
-
-			Path: pathShell,
-			Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
-				// start nix-daemon
-				"nix-daemon --store / & " +
-				// wait for socket to appear
-				"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
-				// create directory so nix stops complaining
-				"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
-				strings.Join(command, " && ") +
-				// terminate nix-daemon
-				" && pkill nix-daemon",
-			},
-
-			Flags: flags,
-		},
-	}), dropShell, beforeFail)
-}
-
-func withCacheDir(
-	ctx context.Context,
-	msg message.Msg,
-	action string, command []string, workDir *check.Absolute,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	flags := hst.FMultiarch
-	if dropShell {
-		flags |= hst.FTty
-	}
-
-	mustRunAppDropShell(ctx, msg, &hst.Config{
-		ID: app.ID,
-
-		ExtraPerms: []hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			{Path: workDir, Execute: true},
-		},
-
-		Identity: app.Identity,
-
-		Container: &hst.ContainerConfig{
-			Hostname: formatHostname(app.Name) + "-" + action,
-
-			Filesystem: []hst.FilesystemConfigJSON{
-				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: workDir.Append(fhs.Etc), Special: true}},
-				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
-				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
-				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsPrivateTmp.Append("bundle")}},
-				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}},
-			},
-
-			Username: "nixos",
-			Shell:    pathShell,
-			Home:     pathDataData.Append(app.ID, "cache"),
-
-			Path: pathShell,
-			Args: []string{bash, "-lc", strings.Join(command, " && ")},
-
-			Flags: flags,
-		},
-	}, dropShell, beforeFail)
-}
-
-func mustRunAppDropShell(ctx context.Context, msg message.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
-	if dropShell {
-		if config.Container != nil {
-			config.Container.Args = []string{bash, "-l"}
-		}
-		mustRunApp(ctx, msg, config, beforeFail)
-		beforeFail()
-		msg.BeforeExit()
-		os.Exit(0)
-	}
-	mustRunApp(ctx, msg, config, beforeFail)
-}
@@ -0,0 +1,7 @@
+//go:build !rosa
+
+package main
+
+// hsuConfPath is an absolute pathname to the hsu configuration file. Its
+// contents are interpreted by parseConfig.
+const hsuConfPath = "/etc/hsurc"
@@ -0,0 +1,7 @@
+//go:build rosa
+
+package main
+
+// hsuConfPath is the pathname to the hsu configuration file, specific to
+// Rosa OS. Its contents are interpreted by parseConfig.
+const hsuConfPath = "/system/etc/hsurc"
@@ -1,6 +1,6 @@
 package main

-/* copied from hst and must never be changed */
+/* keep in sync with hst */

 const (
 	userOffset = 100000
@@ -1,13 +1,64 @@
+// hsu starts the hakurei shim as the target subordinate user.
+//
+// The hsu program must be installed with the setuid and setgid bit set, and
+// owned by root. A configuration file must be installed at /etc/hsurc with
+// permission bits 0400, and owned by root. Each line of the file specifies a
+// hakurei userid to kernel uid mapping. A line consists of the decimal string
+// representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the decimal string representation of its
+// userid. Duplicate uid entries are ignored, with the first occurrence taking
+// effect.
+//
+// For example, to map the kernel uid 1000 to the hakurei user id 0:
+//
+//	1000 0
+//
+// # Internals
+//
+// Hakurei and hsu holds pathnames pointing to each other set at link time. For
+// this reason, a distribution of hakurei has fixed installation prefix. Since
+// this program is never invoked by the user, behaviour described in the
+// following paragraphs are considered an internal detail and not covered by the
+// compatibility promise.
+//
+// After checking credentials, hsu checks via /proc/ the absolute pathname of
+// its parent process, and fails if it does not match the hakurei pathname set
+// at link time. This is not a security feature: the priv-side is considered
+// trusted, and this feature makes no attempt to address the racy nature of
+// querying /proc/, or debuggers attached to the parent process. Instead, this
+// aims to discourage misuse and reduce confusion if the user accidentally
+// stumbles upon this program. It also prevents accidental use of the incorrect
+// installation of hsu in some environments.
+//
+// Since target container environment variables are set up in shim via the
+// [container] infrastructure, the environment is used for parameters from the
+// parent process.
+//
+// HAKUREI_SHIM specifies a single byte between '3' and '9' representing the
+// setup pipe file descriptor. It is passed as is to the shim process and is the
+// only value in the environment of the shim process. Since hsurc is not
+// accessible to the parent process, leaving this unset causes hsu to print the
+// corresponding hakurei user id of the parent and terminate.
+//
+// HAKUREI_IDENTITY specifies the identity of the instance being started and is
+// used to produce the kernel uid alongside hakurei user id looked up from hsurc.
+//
+// HAKUREI_GROUPS specifies supplementary groups to inherit from the credentials
+// of the parent process in a ' ' separated list of decimal string
+// representations of gid. This has the unfortunate consequence of allowing
+// users mapped via hsurc to effectively drop group membership, so special care
+// must be taken to ensure this does not lead to an increase in access. This is
+// not applicable to Rosa OS since unsigned code execution is not permitted
+// outside hakurei containers, and is generally nonapplicable to the security
+// model of hakurei, where all untrusted code runs within containers.
 package main

-// minimise imports to avoid inadvertently calling init or global variable functions
-
 import (
 	"bytes"
 	"fmt"
 	"log"
 	"os"
-	"path"
+	"path/filepath"
 	"runtime"
 	"slices"
 	"strconv"
@@ -16,10 +67,13 @@ import (
 )

 const (
-	// envIdentity is the name of the environment variable holding a
-	// single byte representing the shim setup pipe file descriptor.
+	// envShim is the name of the environment variable holding a single byte
+	// representing the shim setup pipe file descriptor.
 	envShim = "HAKUREI_SHIM"
-	// envGroups holds a ' ' separated list of string representations of
+	// envIdentity is the name of the environment variable holding a decimal
+	// string representation of the current application identity.
+	envIdentity = "HAKUREI_IDENTITY"
+	// envGroups holds a ' ' separated list of decimal string representations of
 	// supplementary group gid. Membership requirements are enforced.
 	envGroups = "HAKUREI_GROUPS"
 )
@@ -35,7 +89,6 @@ func main() {

 	log.SetFlags(0)
 	log.SetPrefix("hsu: ")
-	log.SetOutput(os.Stderr)

 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
@@ -49,13 +102,13 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}

-	if !path.IsAbs(hakureiPath) {
+	if !filepath.IsAbs(hakureiPath) {
 		log.Fatal("this program is compiled incorrectly")
 		return
 	}

 	var toolPath string
-	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+	pexe := filepath.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
@@ -99,8 +152,6 @@ func main() {
 		// last possible uid outcome
 		uidEnd = 999919999
 	)
-
-	// cast to int for use with library functions
 	uid := int(toUser(userid, identity))

 	// final bounds check to catch any bugs
@@ -136,7 +187,6 @@ func main() {
 	}

 	// careful! users in the allowlist is effectively allowed to drop groups via hsu
-
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
 	}
@@ -146,10 +196,21 @@ func main() {
 	if err := syscall.Setresuid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set uid: %v", err)
 	}
-	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+
+	if _, _, errno := syscall.AllThreadsSyscall(
+		syscall.SYS_PRCTL,
+		PR_SET_NO_NEW_PRIVS, 1,
+		0,
+	); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+
+	if err := syscall.Exec(toolPath, []string{
+		"hakurei",
+		"shim",
+	}, []string{
+		envShim + "=" + shimSetupFd,
+	}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

@@ -18,8 +18,9 @@ const (
 	useridEnd = useridStart + rangeSize - 1
 )

-// parseUint32Fast parses a string representation of an unsigned 32-bit integer value
-// using the fast path only. This limits the range of values it is defined in.
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer
+// value using the fast path only. This limits the range of values it is defined
+// in but is perfectly adequate for this use case.
 func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
@@ -40,12 +41,14 @@ func parseUint32Fast(s string) (uint32, error) {
 	return n, nil
 }

-// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
+// parseConfig reads a list of allowed users from r until it encounters puid or
+// [io.EOF].
 //
-// Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
-// of the string representation of the uid of the user wishing to start hakurei containers,
-// followed by a space, followed by the string representation of its userid. Duplicate uid
-// entries are ignored, with the first occurrence taking effect.
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A
+// line consists of the string representation of the uid of the user wishing to
+// start hakurei containers, followed by a space, followed by the string
+// representation of its userid. Duplicate uid entries are ignored, with the
+// first occurrence taking effect.
 //
 // All string representations are parsed by calling parseUint32Fast.
 func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
@@ -81,10 +84,6 @@ func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	return useridEnd + 1, false, s.Err()
 }

-// hsuConfPath is an absolute pathname to the hsu configuration file.
-// Its contents are interpreted by parseConfig.
-const hsuConfPath = "/etc/hsurc"
-
 // mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
 // terminating the program if an error is encountered, the syntax is incorrect,
 // or the current user is not authorised to use hsu because its uid is missing.
@@ -112,10 +111,6 @@ func mustParseConfig(puid int) (userid uint32) {
 	return
 }

-// envIdentity is the name of the environment variable holding a
-// string representation of the current application identity.
-var envIdentity = "HAKUREI_IDENTITY"
-
 // mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
 // terminating the program if the value is not set, malformed, or out of bounds.
 func mustReadIdentity() uint32 {
@@ -0,0 +1,135 @@
+package main
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"hakurei.app/check"
+	"hakurei.app/container"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+// cache refers to an instance of [pkg.Cache] that might be open.
+type cache struct {
+	ctx context.Context
+	msg message.Msg
+
+	// Should generally not be used directly.
+	c *pkg.Cache
+
+	cures, jobs int
+	// Primarily to work around missing landlock LSM.
+	hostAbstract bool
+	// Set SCHED_IDLE.
+	idle bool
+	// Unset [pkg.CSuppressInit].
+	verboseInit bool
+	// Loaded artifact of [rosa.QEMU].
+	qemu pkg.Artifact
+
+	base string
+}
+
+// open opens the underlying [pkg.Cache].
+func (cache *cache) open() (err error) {
+	if cache.c != nil {
+		return os.ErrInvalid
+	}
+
+	var base *check.Absolute
+	if cache.base, err = filepath.Abs(cache.base); err != nil {
+		return
+	} else if base, err = check.NewAbs(cache.base); err != nil {
+		return
+	}
+
+	var flags int
+	if cache.idle {
+		flags |= pkg.CSchedIdle
+	}
+	if cache.hostAbstract {
+		flags |= pkg.CHostAbstract
+	}
+	if !cache.verboseInit {
+		flags |= pkg.CSuppressInit
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-cache.ctx.Done():
+			if testing.Testing() {
+				return
+			}
+			os.Exit(2)
+
+		case <-done:
+			return
+		}
+	}()
+
+	cache.msg.Verbosef("opening cache at %s", base)
+	cache.c, err = pkg.Open(
+		cache.ctx,
+		cache.msg,
+		flags,
+		cache.cures,
+		cache.jobs,
+		base,
+	)
+	if err != nil {
+		return
+	}
+	done <- struct{}{}
+
+	if cache.qemu != nil {
+		var pathname *check.Absolute
+		pathname, _, err = cache.c.Cure(cache.qemu)
+		if err != nil {
+			cache.c.Close()
+			return
+		}
+
+		pkg.RegisterArch("riscv64", container.BinfmtEntry{
+			Offset: 0,
+			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
+			Mask:   "\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			Interpreter: pathname.Append(
+				"system/bin",
+				"qemu-riscv64",
+			),
+		})
+		pkg.RegisterArch("arm64", container.BinfmtEntry{
+			Offset: 0,
+			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00",
+			Mask:   "\xff\xff\xff\xff\xff\xff\xff\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			Interpreter: pathname.Append(
+				"system/bin",
+				"qemu-aarch64",
+			),
+		})
+	}
+
+	return
+}
+
+// Close closes the underlying [pkg.Cache] if it is open.
+func (cache *cache) Close() {
+	if cache.c != nil {
+		cache.c.Close()
+	}
+}
+
+// Do calls f on the underlying cache and returns its error value.
+func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
+	if cache.c == nil {
+		if err := cache.open(); err != nil {
+			return err
+		}
+	}
+	return f(cache.c)
+}
@@ -0,0 +1,37 @@
+package main
+
+import (
+	"log"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestCache(t *testing.T) {
+	t.Parallel()
+
+	cm := cache{
+		ctx:  t.Context(),
+		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
+		base: t.TempDir(),
+
+		hostAbstract: true, idle: true,
+	}
+	defer cm.Close()
+	cm.Close()
+
+	if err := cm.open(); err != nil {
+		t.Fatalf("open: error = %v", err)
+	}
+	if err := cm.open(); err != os.ErrInvalid {
+		t.Errorf("(duplicate) open: error = %v", err)
+	}
+
+	if err := cm.Do(func(cache *pkg.Cache) error {
+		return cache.Scrub(0)
+	}); err != nil {
+		t.Errorf("Scrub: error = %v", err)
+	}
+}
@@ -0,0 +1,354 @@
+package main
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"io"
+	"log"
+	"math"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+	"unique"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+)
+
+// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
+const daemonTimeout = 30 * time.Second
+
+// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
+// zero value when running in a test.
+func daemonDeadline() time.Time {
+	if testing.Testing() {
+		return time.Time{}
+	}
+	return time.Now().Add(daemonTimeout)
+}
+
+const (
+	// remoteNoReply notifies that the client will not receive a cure reply.
+	remoteNoReply = 1 << iota
+)
+
+// cureFromIR services an IR curing request.
+func cureFromIR(
+	cache *pkg.Cache,
+	conn net.Conn,
+	flags uint64,
+) (pkg.Artifact, error) {
+	a, decodeErr := cache.NewDecoder(conn).Decode()
+	if decodeErr != nil {
+		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
+		return nil, errors.Join(decodeErr, err, conn.Close())
+	}
+
+	pathname, _, cureErr := cache.Cure(a)
+	if flags&remoteNoReply != 0 {
+		return a, errors.Join(cureErr, conn.Close())
+	}
+	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	if cureErr != nil {
+		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	_, err := conn.Write([]byte(pathname.String()))
+	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
+		return a, nil
+	}
+	return a, errors.Join(err, conn.Close())
+}
+
+const (
+	// specialCancel is a message consisting of a single identifier referring
+	// to a curing artifact to be cancelled.
+	specialCancel = iota
+	// specialAbort requests for all pending cures to be aborted. It has no
+	// message body.
+	specialAbort
+
+	// remoteSpecial denotes a special message with custom layout.
+	remoteSpecial = math.MaxUint64
+)
+
+// writeSpecialHeader writes the header of a remoteSpecial message.
+func writeSpecialHeader(conn net.Conn, kind uint64) error {
+	var sh [16]byte
+	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
+	binary.LittleEndian.PutUint64(sh[8:], kind)
+	if n, err := conn.Write(sh[:]); err != nil {
+		return err
+	} else if n != len(sh) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+// cancelIdent reads an identifier from conn and cancels the corresponding cure.
+func cancelIdent(
+	cache *pkg.Cache,
+	conn net.Conn,
+) (*pkg.ID, bool, error) {
+	var ident pkg.ID
+	if _, err := io.ReadFull(conn, ident[:]); err != nil {
+		return nil, false, errors.Join(err, conn.Close())
+	}
+	ok := cache.Cancel(unique.Make(ident))
+	return &ident, ok, conn.Close()
+}
+
+// serve services connections from a [net.UnixListener].
+func serve(
+	ctx context.Context,
+	log *log.Logger,
+	cm *cache,
+	ul *net.UnixListener,
+) error {
+	ul.SetUnlinkOnClose(true)
+	if cm.c == nil {
+		if err := cm.open(); err != nil {
+			return errors.Join(err, ul.Close())
+		}
+	}
+
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
+	wg.Go(func() {
+		for {
+			if ctx.Err() != nil {
+				break
+			}
+
+			conn, err := ul.AcceptUnix()
+			if err != nil {
+				if !errors.Is(err, os.ErrDeadlineExceeded) {
+					log.Println(err)
+				}
+				continue
+			}
+			wg.Go(func() {
+				done := make(chan struct{})
+				defer close(done)
+				go func() {
+					select {
+					case <-ctx.Done():
+						_ = conn.SetDeadline(time.Now())
+
+					case <-done:
+						return
+					}
+				}()
+
+				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+
+				var word [8]byte
+				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+				flags := binary.LittleEndian.Uint64(word[:])
+
+				if flags == remoteSpecial {
+					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+						log.Println(_err)
+						if _err = conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+						return
+					}
+					switch special := binary.LittleEndian.Uint64(word[:]); special {
+					default:
+						log.Printf("invalid special %d", special)
+
+					case specialCancel:
+						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
+							log.Println(_err)
+						} else if !ok {
+							log.Println(
+								"attempting to cancel invalid artifact",
+								pkg.Encode(*id),
+							)
+						} else {
+							log.Println(
+								"cancelled artifact",
+								pkg.Encode(*id),
+							)
+						}
+
+					case specialAbort:
+						log.Println("aborting all pending cures")
+						cm.c.Abort()
+						if _err := conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+					}
+
+					return
+				}
+
+				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
+					log.Println(_err)
+				} else {
+					log.Printf(
+						"fulfilled artifact %s",
+						pkg.Encode(cm.c.Ident(a).Value()),
+					)
+				}
+			})
+		}
+	})
+
+	<-ctx.Done()
+	if err := ul.SetDeadline(time.Now()); err != nil {
+		return errors.Join(err, ul.Close())
+	}
+	wg.Wait()
+	return ul.Close()
+}
+
+// dial wraps [net.DialUnix] with a context.
+func dial(ctx context.Context, addr *net.UnixAddr) (
+	done chan<- struct{},
+	conn *net.UnixConn,
+	err error,
+) {
+	conn, err = net.DialUnix("unix", nil, addr)
+	if err != nil {
+		return
+	}
+
+	d := make(chan struct{})
+	done = d
+	go func() {
+		select {
+		case <-ctx.Done():
+			_ = conn.SetDeadline(time.Now())
+
+		case <-d:
+			return
+		}
+	}()
+	return
+}
+
+// cureRemote cures a [pkg.Artifact] on a daemon.
+func cureRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	flags uint64,
+) (*check.Absolute, error) {
+	if flags == remoteSpecial {
+		return nil, syscall.EINVAL
+	}
+
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	defer close(done)
+
+	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
+		return nil, errors.Join(flagErr, conn.Close())
+	} else if n != 8 {
+		return nil, errors.Join(io.ErrShortWrite, conn.Close())
+	}
+
+	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	} else if err = conn.CloseWrite(); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	}
+
+	if flags&remoteNoReply != 0 {
+		return nil, conn.Close()
+	}
+
+	payload, recvErr := io.ReadAll(conn)
+	if err = errors.Join(recvErr, conn.Close()); err != nil {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
+			if cancelErr := ctx.Err(); cancelErr != nil {
+				err = cancelErr
+			}
+		}
+		return nil, err
+	}
+
+	if len(payload) > 0 && payload[0] == 0 {
+		return nil, errors.New(string(payload[1:]))
+	}
+
+	var p *check.Absolute
+	p, err = check.NewAbs(string(payload))
+	return p, err
+}
+
+// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
+func cancelRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	if err = writeSpecialHeader(conn, specialCancel); err != nil {
+		return errors.Join(err, conn.Close())
+	}
+
+	var n int
+	id := pkg.NewIR().Ident(a).Value()
+	if n, err = conn.Write(id[:]); err != nil {
+		return errors.Join(err, conn.Close())
+	} else if n != len(id) {
+		return errors.Join(io.ErrShortWrite, conn.Close())
+	}
+	if wait {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}
+
+// abortRemote aborts all [pkg.Artifact] curing on a daemon.
+func abortRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	err = writeSpecialHeader(conn, specialAbort)
+	if wait && err == nil {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}
@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"log"
+	"net"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestNoReply(t *testing.T) {
+	t.Parallel()
+	if !daemonDeadline().IsZero() {
+		t.Fatal("daemonDeadline did not return the zero value")
+	}
+
+	c, err := pkg.Open(
+		t.Context(),
+		message.New(log.New(os.Stderr, "cir: ", 0)),
+		0, 0, 0,
+		check.MustAbs(t.TempDir()),
+	)
+	if err != nil {
+		t.Fatalf("Open: error = %v", err)
+	}
+	defer c.Close()
+
+	client, server := net.Pipe()
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		go func() {
+			<-t.Context().Done()
+			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
+				panic(_err)
+			}
+		}()
+
+		if _err := c.EncodeAll(
+			client,
+			pkg.NewFile("check", []byte{0}),
+		); _err != nil {
+			panic(_err)
+		} else if _err = client.Close(); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	a, cureErr := cureFromIR(c, server, remoteNoReply)
+	if cureErr != nil {
+		t.Fatalf("cureFromIR: error = %v", cureErr)
+	}
+
+	<-done
+	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
+	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
+		t.Errorf(
+			"cureFromIR: %s, want %s",
+			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
+		)
+	}
+}
+
+func TestDaemon(t *testing.T) {
+	t.Parallel()
+
+	var buf bytes.Buffer
+	logger := log.New(&buf, "daemon: ", 0)
+
+	addr := net.UnixAddr{
+		Name: filepath.Join(t.TempDir(), "daemon"),
+		Net:  "unix",
+	}
+
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	cm := cache{
+		ctx:  ctx,
+		msg:  message.New(logger),
+		base: t.TempDir(),
+	}
+	defer cm.Close()
+
+	ul, err := net.ListenUnix("unix", &addr)
+	if err != nil {
+		t.Fatalf("ListenUnix: error = %v", err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		if _err := serve(ctx, logger, &cm, ul); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
+		t.Fatalf("cancelRemote: error = %v", err)
+	}
+
+	if err = abortRemote(ctx, &addr, true); err != nil {
+		t.Fatalf("abortRemote: error = %v", err)
+	}
+
+	// keep this last for synchronisation
+	var p *check.Absolute
+	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
+	if err != nil {
+		t.Fatalf("cureRemote: error = %v", err)
+	}
+
+	cancel()
+	<-done
+
+	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
+	if got := filepath.Base(p.String()); got != want {
+		t.Errorf("cureRemote: %s, want %s", got, want)
+	}
+
+	wantLog := []string{
+		"",
+		"daemon: aborting all pending cures",
+		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
+		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
+	}
+	gotLog := strings.Split(buf.String(), "\n")
+	slices.Sort(gotLog)
+	if !slices.Equal(gotLog, wantLog) {
+		t.Errorf(
+			"serve: logged\n%s\nwant\n%s",
+			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
+		)
+	}
+}
@@ -0,0 +1,114 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+// commandInfo implements the info subcommand.
+func commandInfo(
+	cm *cache,
+	args []string,
+	w io.Writer,
+	writeStatus bool,
+	r *rosa.Report,
+) (err error) {
+	if len(args) == 0 {
+		return errors.New("info requires at least 1 argument")
+	}
+
+	// recovered by HandleAccess
+	mustPrintln := func(a ...any) {
+		if _, _err := fmt.Fprintln(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+	mustPrint := func(a ...any) {
+		if _, _err := fmt.Fprint(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+
+	for i, name := range args {
+		if p, ok := rosa.ResolveName(name); !ok {
+			return fmt.Errorf("unknown artifact %q", name)
+		} else {
+			var suffix string
+			if version := rosa.Std.Version(p); version != rosa.Unversioned {
+				suffix += "-" + version
+			}
+			mustPrintln("name        : " + name + suffix)
+
+			meta := rosa.GetMetadata(p)
+			mustPrintln("description : " + meta.Description)
+			if meta.Website != "" {
+				mustPrintln("website     : " +
+					strings.TrimSuffix(meta.Website, "/"))
+			}
+			if len(meta.Dependencies) > 0 {
+				mustPrint("depends on  :")
+				for _, d := range meta.Dependencies {
+					s := rosa.GetMetadata(d).Name
+					if version := rosa.Std.Version(d); version != rosa.Unversioned {
+						s += "-" + version
+					}
+					mustPrint(" " + s)
+				}
+				mustPrintln()
+			}
+
+			const statusPrefix = "status      : "
+			if writeStatus {
+				if r == nil {
+					var f io.ReadSeekCloser
+					err = cm.Do(func(cache *pkg.Cache) (err error) {
+						f, err = cache.OpenStatus(rosa.Std.Load(p))
+						return
+					})
+					if err != nil {
+						if errors.Is(err, os.ErrNotExist) {
+							mustPrintln(
+								statusPrefix + "not yet cured",
+							)
+						} else {
+							return
+						}
+					} else {
+						mustPrint(statusPrefix)
+						_, err = io.Copy(w, f)
+						if err = errors.Join(err, f.Close()); err != nil {
+							return
+						}
+					}
+				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
+					if status == nil {
+						mustPrintln(
+							statusPrefix + "not in report",
+						)
+					} else {
+						mustPrintln("size        :", n)
+						mustPrint(statusPrefix)
+						if _, err = w.Write(status); err != nil {
+							return
+						}
+					}
+					return
+				}); err != nil {
+					return
+				}
+			}
+
+			if i != len(args)-1 {
+				mustPrintln()
+			}
+		}
+	}
+	return nil
+}
@@ -0,0 +1,181 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	"unsafe"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func TestInfo(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		args    []string
+		status  map[string]string
+		report  string
+		want    string
+		wantErr any
+	}{
+		{"qemu", []string{"qemu"}, nil, "", `
+name        : qemu-` + rosa.Std.Version(rosa.QEMU) + `
+description : a generic and open source machine emulator and virtualizer
+website     : https://www.qemu.org
+depends on  : glib-` + rosa.Std.Version(rosa.GLib) + ` zstd-` + rosa.Std.Version(rosa.Zstd) + `
+`, nil},
+
+		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
+name        : hakurei-` + rosa.Std.Version(rosa.Hakurei) + `
+description : low-level userspace tooling for Rosa OS
+website     : https://hakurei.app
+
+name        : hakurei-dist-` + rosa.Std.Version(rosa.HakureiDist) + `
+description : low-level userspace tooling for Rosa OS (distribution tarball)
+website     : https://hakurei.app
+`, nil},
+
+		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+
+`, fmt.Errorf("unknown artifact %q", "\x00")},
+
+		{"status cache", []string{"zlib", "zstd"}, map[string]string{
+			"zstd":    "internal/pkg (amd64) on satori\n",
+			"hakurei": "internal/pkg (amd64) on satori\n\n",
+		}, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not yet cured
+
+name        : zstd-` + rosa.Std.Version(rosa.Zstd) + `
+description : a fast compression algorithm
+website     : https://facebook.github.io/zstd
+status      : internal/pkg (amd64) on satori
+`, nil},
+
+		{"status cache perm", []string{"zlib"}, map[string]string{
+			"zlib": "\x00",
+		}, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+`, func(cm *cache) error {
+			return &os.PathError{
+				Op:   "open",
+				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(rosa.Std.Load(rosa.Zlib)).Value())),
+				Err:  syscall.EACCES,
+			}
+		}},
+
+		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not in report
+`, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				cm  *cache
+				buf strings.Builder
+				r   *rosa.Report
+			)
+
+			if tc.status != nil || tc.report != "" {
+				cm = &cache{
+					ctx:  context.Background(),
+					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
+					base: t.TempDir(),
+				}
+				defer cm.Close()
+			}
+
+			if tc.report != "" {
+				pathname := filepath.Join(t.TempDir(), "report")
+				err := os.WriteFile(
+					pathname,
+					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
+					0400,
+				)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				r, err = rosa.OpenReport(pathname)
+				if err != nil {
+					t.Fatal(err)
+				}
+				defer func() {
+					if err = r.Close(); err != nil {
+						t.Fatal(err)
+					}
+				}()
+			}
+
+			if tc.status != nil {
+				for name, status := range tc.status {
+					p, ok := rosa.ResolveName(name)
+					if !ok {
+						t.Fatalf("invalid name %q", name)
+					}
+					perm := os.FileMode(0400)
+					if status == "\x00" {
+						perm = 0
+					}
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						return os.WriteFile(filepath.Join(
+							cm.base,
+							"status",
+							pkg.Encode(cache.Ident(rosa.Std.Load(p)).Value()),
+						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
+					}); err != nil {
+						t.Fatalf("Do: error = %v", err)
+					}
+				}
+			}
+
+			var wantErr error
+			switch c := tc.wantErr.(type) {
+			case error:
+				wantErr = c
+			case func(cm *cache) error:
+				wantErr = c(cm)
+			default:
+				if tc.wantErr != nil {
+					t.Fatalf("invalid wantErr %#v", tc.wantErr)
+				}
+			}
+
+			if err := commandInfo(
+				cm,
+				tc.args,
+				&buf,
+				cm != nil,
+				r,
+			); !reflect.DeepEqual(err, wantErr) {
+				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
+			}
+
+			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
+				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
+			}
+		})
+	}
+}
@@ -0,0 +1,202 @@
+// Package pkgserver implements the package metadata service backend.
+package pkgserver
+
+import (
+	"context"
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"sync"
+	"time"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// for lazy initialisation of serveInfo
+var (
+	infoPayload struct {
+		// Current package count.
+		Count int `json:"count"`
+		// Hakurei version, set at link time.
+		HakureiVersion string `json:"hakurei_version"`
+	}
+	infoPayloadOnce sync.Once
+)
+
+// handleInfo writes constant system information.
+func handleInfo(w http.ResponseWriter, _ *http.Request) {
+	infoPayloadOnce.Do(func() {
+		infoPayload.Count = int(rosa.PresetUnexportedStart)
+		infoPayload.HakureiVersion = info.Version()
+	})
+	// TODO(mae): cache entire response if no additional fields are planned
+	writeAPIPayload(w, infoPayload)
+}
+
+// newStatusHandler returns a [http.HandlerFunc] that offers status files for
+// viewing or download, if available.
+func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		m, ok := index.names[path.Base(r.URL.Path)]
+		if !ok || !m.HasReport {
+			http.NotFound(w, r)
+			return
+		}
+
+		contentType := "text/plain; charset=utf-8"
+		if disposition {
+			contentType = "application/octet-stream"
+
+			// quoting like this is unsound, but okay, because metadata is hardcoded
+			contentDisposition := `attachment; filename="`
+			contentDisposition += m.Name + "-"
+			if m.Version != "" {
+				contentDisposition += m.Version + "-"
+			}
+			contentDisposition += m.ids + `.log"`
+			w.Header().Set("Content-Disposition", contentDisposition)
+		}
+		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		if err := func() (err error) {
+			defer index.handleAccess(&err)()
+			_, err = w.Write(m.status)
+			return
+		}(); err != nil {
+			log.Println(err)
+			http.Error(
+				w, "cannot deliver status, contact maintainers",
+				http.StatusInternalServerError,
+			)
+		}
+	}
+}
+
+// handleGet writes a slice of metadata with specified order.
+func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	sort, err := strconv.Atoi(q.Get("sort"))
+	if err != nil || sort >= len(index.sorts) || sort < 0 {
+		http.Error(
+			w, "sort must be an integer between 0 and "+
+				strconv.Itoa(sortOrderEnd),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
+	writeAPIPayload(w, &struct {
+		Values []*metadata `json:"values"`
+	}{values})
+}
+
+func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	search, err := url.QueryUnescape(q.Get("search"))
+	if len(search) > 100 || err != nil {
+		http.Error(
+			w, "search must be a string between 0 and 100 characters long",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	desc := q.Get("desc") == "true"
+	n, res, err := index.performSearchQuery(limit, i, search, desc)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+	writeAPIPayload(w, &struct {
+		Count  int            `json:"count"`
+		Values []searchResult `json:"values"`
+	}{n, res})
+}
+
+// apiVersion is the name of the current API revision, as part of the pattern.
+const apiVersion = "v1"
+
+// registerAPI registers API handler functions.
+func (index *packageIndex) registerAPI(mux *http.ServeMux) {
+	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
+	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
+	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
+	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
+	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
+}
+
+// Register arranges for mux to service API requests.
+func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
+	var index packageIndex
+	index.search = make(searchCache)
+	if err := index.populate(report); err != nil {
+		return err
+	}
+	ticker := time.NewTicker(1 * time.Minute)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				index.search.clean()
+			}
+		}
+	}()
+	index.registerAPI(mux)
+	return nil
+}
+
+// writeAPIPayload sets headers common to API responses and encodes payload as
+// JSON for the response body.
+func writeAPIPayload(w http.ResponseWriter, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+
+	if err := json.NewEncoder(w).Encode(payload); err != nil {
+		log.Println(err)
+		http.Error(
+			w, "cannot encode payload, contact maintainers",
+			http.StatusInternalServerError,
+		)
+	}
+}
@@ -0,0 +1,181 @@
+package pkgserver
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"slices"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// prefix is prepended to every API path.
+const prefix = "/api/" + apiVersion + "/"
+
+func TestAPIInfo(t *testing.T) {
+	t.Parallel()
+
+	w := httptest.NewRecorder()
+	handleInfo(w, httptest.NewRequestWithContext(
+		t.Context(),
+		http.MethodGet,
+		prefix+"info",
+		nil,
+	))
+
+	resp := w.Result()
+	checkStatus(t, resp, http.StatusOK)
+	checkAPIHeader(t, w.Header())
+
+	checkPayload(t, resp, struct {
+		Count          int    `json:"count"`
+		HakureiVersion string `json:"hakurei_version"`
+	}{int(rosa.PresetUnexportedStart), info.Version()})
+}
+
+func TestAPIGet(t *testing.T) {
+	t.Parallel()
+	const target = prefix + "get"
+
+	index := newIndex(t)
+	newRequest := func(suffix string) *httptest.ResponseRecorder {
+		w := httptest.NewRecorder()
+		index.handleGet(w, httptest.NewRequestWithContext(
+			t.Context(),
+			http.MethodGet,
+			target+suffix,
+			nil,
+		))
+		return w
+	}
+
+	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
+		t.Run("invalid", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=invalid")
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+		})
+
+		t.Run("min", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+
+		t.Run("max", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+	}
+
+	t.Run("limit", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&sort=0&limit", 1, 100,
+			"limit must be an integer between 1 and 100",
+		)
+	})
+
+	t.Run("index", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "limit=1&sort=0&index", 0, int(rosa.PresetUnexportedStart-1),
+			"index must be an integer between 0 and "+strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+		)
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
+			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
+		)
+	})
+
+	checkWithSuffix := func(name, suffix string, want []*metadata) {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest(suffix)
+			resp := w.Result()
+			checkStatus(t, resp, http.StatusOK)
+			checkAPIHeader(t, w.Header())
+			checkPayloadFunc(t, resp, func(got *struct {
+				Values []*metadata `json:"values"`
+			}) bool {
+				return slices.EqualFunc(got.Values, want, func(a, b *metadata) bool {
+					return (a.Version == b.Version ||
+						a.Version == rosa.Unversioned ||
+						b.Version == rosa.Unversioned) &&
+						a.HasReport == b.HasReport &&
+						a.Name == b.Name &&
+						a.Description == b.Description &&
+						a.Website == b.Website
+				})
+			})
+
+		})
+	}
+
+	checkWithSuffix("declarationAscending", "?limit=2&index=1&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(1),
+			Version:  rosa.Std.Version(1),
+		},
+		{
+			Metadata: rosa.GetMetadata(2),
+			Version:  rosa.Std.Version(2),
+		},
+	})
+	checkWithSuffix("declarationAscending offset", "?limit=3&index=5&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(5),
+			Version:  rosa.Std.Version(5),
+		},
+		{
+			Metadata: rosa.GetMetadata(6),
+			Version:  rosa.Std.Version(6),
+		},
+		{
+			Metadata: rosa.GetMetadata(7),
+			Version:  rosa.Std.Version(7),
+		},
+	})
+	checkWithSuffix("declarationDescending", "?limit=3&index=0&sort=1", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 1),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 1),
+		},
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 2),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 2),
+		},
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 3),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 3),
+		},
+	})
+	checkWithSuffix("declarationDescending offset", "?limit=1&index=37&sort=1", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 38),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 38),
+		},
+	})
+}
@@ -0,0 +1,106 @@
+package pkgserver
+
+import (
+	"cmp"
+	"errors"
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+const (
+	declarationAscending = iota
+	declarationDescending
+	nameAscending
+	nameDescending
+	sizeAscending
+	sizeDescending
+
+	sortOrderEnd = iota - 1
+)
+
+// packageIndex refers to metadata by name and various sort orders.
+type packageIndex struct {
+	sorts  [sortOrderEnd + 1][rosa.PresetUnexportedStart]*metadata
+	names  map[string]*metadata
+	search searchCache
+	// Taken from [rosa.Report] if available.
+	handleAccess func(*error) func()
+}
+
+// metadata holds [rosa.Metadata] extended with additional information.
+type metadata struct {
+	p rosa.PArtifact
+	*rosa.Metadata
+
+	// Populated via [rosa.Toolchain.Version], [rosa.Unversioned] is equivalent
+	// to the zero value. Otherwise, the zero value is invalid.
+	Version string `json:"version,omitempty"`
+	// Output data size, available if present in report.
+	Size int64 `json:"size,omitempty"`
+	// Whether the underlying [pkg.Artifact] is present in the report.
+	HasReport bool `json:"report"`
+
+	// Ident string encoded ahead of time.
+	ids string
+	// Backed by [rosa.Report], access must be prepared by HandleAccess.
+	status []byte
+}
+
+// populate deterministically populates packageIndex, optionally with a report.
+func (index *packageIndex) populate(report *rosa.Report) (err error) {
+	if report != nil {
+		defer report.HandleAccess(&err)()
+		index.handleAccess = report.HandleAccess
+	}
+
+	var work [rosa.PresetUnexportedStart]*metadata
+	index.names = make(map[string]*metadata)
+	ir := pkg.NewIR()
+	for p := range rosa.PresetUnexportedStart {
+		m := metadata{
+			p: p,
+
+			Metadata: rosa.GetMetadata(p),
+			Version:  rosa.Std.Version(p),
+		}
+		if m.Version == "" {
+			return errors.New("invalid version from " + m.Name)
+		}
+		if m.Version == rosa.Unversioned {
+			m.Version = ""
+		}
+
+		if report != nil {
+			id := ir.Ident(rosa.Std.Load(p))
+			m.ids = pkg.Encode(id.Value())
+			m.status, m.Size = report.ArtifactOf(id)
+			m.HasReport = m.Size >= 0
+		}
+
+		work[p] = &m
+		index.names[m.Name] = &m
+	}
+
+	index.sorts[declarationAscending] = work
+	index.sorts[declarationDescending] = work
+	slices.Reverse(index.sorts[declarationDescending][:])
+
+	index.sorts[nameAscending] = work
+	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	index.sorts[nameDescending] = index.sorts[nameAscending]
+	slices.Reverse(index.sorts[nameDescending][:])
+
+	index.sorts[sizeAscending] = work
+	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
+		return cmp.Compare(a.Size, b.Size)
+	})
+	index.sorts[sizeDescending] = index.sorts[sizeAscending]
+	slices.Reverse(index.sorts[sizeDescending][:])
+
+	return
+}
@@ -0,0 +1,96 @@
+package pkgserver
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+// newIndex returns the address of a newly populated packageIndex.
+func newIndex(t *testing.T) *packageIndex {
+	t.Helper()
+
+	var index packageIndex
+	if err := index.populate(nil); err != nil {
+		t.Fatalf("populate: error = %v", err)
+	}
+	return &index
+}
+
+// checkStatus checks response status code.
+func checkStatus(t *testing.T, resp *http.Response, want int) {
+	t.Helper()
+
+	if resp.StatusCode != want {
+		t.Errorf(
+			"StatusCode: %s, want %s",
+			http.StatusText(resp.StatusCode),
+			http.StatusText(want),
+		)
+	}
+}
+
+// checkHeader checks the value of a header entry.
+func checkHeader(t *testing.T, h http.Header, key, want string) {
+	t.Helper()
+
+	if got := h.Get(key); got != want {
+		t.Errorf("%s: %q, want %q", key, got, want)
+	}
+}
+
+// checkAPIHeader checks common entries set for API endpoints.
+func checkAPIHeader(t *testing.T, h http.Header) {
+	t.Helper()
+
+	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
+	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
+	checkHeader(t, h, "Pragma", "no-cache")
+	checkHeader(t, h, "Expires", "0")
+}
+
+// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
+func checkPayloadFunc[T any](
+	t *testing.T,
+	resp *http.Response,
+	f func(got *T) bool,
+) {
+	t.Helper()
+
+	var got T
+	r := io.Reader(resp.Body)
+	if testing.Verbose() {
+		var buf bytes.Buffer
+		r = io.TeeReader(r, &buf)
+		defer func() { t.Helper(); t.Log(buf.String()) }()
+	}
+	if err := json.NewDecoder(r).Decode(&got); err != nil {
+		t.Fatalf("Decode: error = %v", err)
+	}
+
+	if !f(&got) {
+		t.Errorf("Body: %#v", got)
+	}
+}
+
+// checkPayload checks the JSON response of an API endpoint.
+func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
+	t.Helper()
+
+	checkPayloadFunc(t, resp, func(got *T) bool {
+		return reflect.DeepEqual(got, &want)
+	})
+}
+
+func checkError(t *testing.T, resp *http.Response, error string, code int) {
+	t.Helper()
+
+	checkStatus(t, resp, code)
+	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
+		t.Errorf("Body: %q, want %q", string(got), error)
+	}
+}
@@ -0,0 +1,81 @@
+package pkgserver
+
+import (
+	"cmp"
+	"maps"
+	"regexp"
+	"slices"
+	"time"
+)
+
+type searchCache map[string]searchCacheEntry
+type searchResult struct {
+	NameIndices [][]int `json:"name_matches"`
+	DescIndices [][]int `json:"desc_matches,omitempty"`
+	Score       float64 `json:"score"`
+	*metadata
+}
+type searchCacheEntry struct {
+	query   string
+	results []searchResult
+	expiry  time.Time
+}
+
+func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
+	query := search
+	if desc {
+		query += ";withDesc"
+	}
+	entry, ok := index.search[query]
+	if ok && len(entry.results) > 0 {
+		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
+	}
+
+	regex, err := regexp.Compile(search)
+	if err != nil {
+		return 0, make([]searchResult, 0), err
+	}
+	res := make([]searchResult, 0)
+	for p := range maps.Values(index.names) {
+		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
+		var descIndices [][]int = nil
+		if desc {
+			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
+		}
+		if nameIndices == nil && descIndices == nil {
+			continue
+		}
+		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
+		if desc {
+			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
+		}
+		res = append(res, searchResult{
+			NameIndices: nameIndices,
+			DescIndices: descIndices,
+			Score:       score,
+			metadata:    p,
+		})
+	}
+	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
+	expiry := time.Now().Add(1 * time.Minute)
+	entry = searchCacheEntry{
+		query:   search,
+		results: res,
+		expiry:  expiry,
+	}
+	index.search[query] = entry
+
+	return len(res), res[i:min(i+limit, len(entry.results))], nil
+}
+func (s *searchCache) clean() {
+	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
+		return v.expiry.Before(time.Now())
+	})
+}
+func indexsum(in [][]int) int {
+	sum := 0
+	for i := 0; i < len(in); i++ {
+		sum += in[i][1] - in[i][0]
+	}
+	return sum
+}
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="style.css">
+    <title>Hakurei PkgServer</title>
+    <script src="index.js"></script>
+</head>
+<body>
+<h1>Hakurei PkgServer</h1>
+<div class="top-controls" id="top-controls-regular">
+    <p>Showing entries <span id="entry-counter"></span>.</p>
+    <span id="search-bar">
+        <label for="search">Search: </label>
+        <input type="text" name="search" id="search"/>
+        <button onclick="doSearch()">Find</button>
+        <label for="include-desc">Include descriptions: </label>
+        <input type="checkbox" name="include-desc" id="include-desc" checked/>
+    </span>
+    <div><label for="count">Entries per page: </label><select name="count" id="count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
+        <option value="0">Definition (ascending)</option>
+        <option value="1">Definition (descending)</option>
+        <option value="2">Name (ascending)</option>
+        <option value="3">Name (descending)</option>
+        <option value="4">Size (ascending)</option>
+        <option value="5">Size (descending)</option>
+    </select></div>
+</div>
+<div class="top-controls" id="search-top-controls" hidden>
+    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
+    <button onclick="exitSearch()">Back</button>
+    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <p>Sorted by best match</p>
+</div>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+<script>main();</script>
+</body>
+</html>
@@ -0,0 +1,331 @@
+interface PackageIndexEntry {
+    name: string
+    size?: number
+    description?: string
+    website?: string
+    version?: string
+    report?: boolean
+}
+
+function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let n: string
+    let d: string
+    if ('name_matches' in entry) {
+        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
+    } else {
+        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
+    }
+    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
+        d = descMatches(entry as SearchResult)
+    } else {
+        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
+    }
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            ${n}
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function nameMatches(sr: SearchResult): string {
+    return markMatches(sr.name, sr.name_matches)
+}
+
+function descMatches(sr: SearchResult): string {
+    return markMatches(sr.description!, sr.desc_matches)
+}
+
+function markMatches(str: string, indices: [number, number][]): string {
+    if (indices == null) {
+        return str
+    }
+    let out: string = ""
+    let j = 0
+    for (let i = 0; i < str.length; i++) {
+        if (j < indices.length) {
+            if (i === indices[j][0]) {
+                out += `<mark>${escapeHtmlChar(str[i])}`
+                continue
+            }
+            if (i === indices[j][1]) {
+                out += `</mark>${escapeHtmlChar(str[i])}`
+                j++
+                continue
+            }
+        }
+        out += escapeHtmlChar(str[i])
+    }
+    if (indices[j] !== undefined) {
+        out += "</mark>"
+    }
+    return out
+}
+
+function toByteSizeString(bytes: number): string {
+    if (bytes == null) return `unspecified`
+    if (bytes < 1024) return `${bytes}B`
+    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
+    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
+    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
+    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+
+interface InfoPayload {
+    count?: number
+    hakurei_version?: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload as InfoPayload
+}
+
+interface GetPayload {
+    values?: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload as GetPayload
+}
+
+interface SearchResult extends PackageIndexEntry {
+    name_matches: [number, number][]
+    desc_matches: [number, number][]
+    score: number
+}
+
+interface SearchPayload {
+    count?: number
+    values?: SearchResult[]
+}
+
+async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
+    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
+    if (!res.ok) {
+        exitSearch()
+        alert("invalid search query!")
+        return Promise.reject(res.statusText)
+    }
+    const payload = await res.json()
+    return payload as SearchPayload
+}
+
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxTotal: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+    search: boolean = false
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+
+    getMaxTotal(): number {
+        return this.maxTotal
+    }
+
+    setMaxTotal(max: number) {
+        this.maxTotal = max
+    }
+
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        for (let e of document.getElementsByClassName("page-number")) {
+            (e as HTMLInputElement).value = String(page)
+        }
+    }
+
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
+        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
+        if (this.search) {
+            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
+            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
+        }
+    }
+
+    getSearchQuery(): string {
+        let queryString = document.getElementById("search")!;
+        return (queryString as HTMLInputElement).value
+    }
+
+    getIncludeDescriptions(): boolean {
+        let includeDesc = document.getElementById("include-desc")!;
+        return (includeDesc as HTMLInputElement).checked
+    }
+
+    updateListings() {
+        if (this.search) {
+            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                    STATE.maxTotal = res.count!
+                    STATE.updateRange()
+                    if(res.count! < 1) {
+                        exitSearch()
+                        alert("no results found!")
+                    }
+                })
+        } else {
+            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                })
+        }
+    }
+}
+
+let STATE: State
+
+
+function lastPageIndex(): number {
+    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
+}
+
+function setPage(page: number) {
+    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
+}
+
+
+function escapeHtml(str?: string): string {
+    let out: string = ''
+    if (str == undefined) return ""
+    for (let i = 0; i < str.length; i++) {
+        out += escapeHtmlChar(str[i])
+    }
+    return out
+}
+
+function escapeHtmlChar(char: string): string {
+    if (char.length != 1) return char
+    switch (char[0]) {
+        case '&':
+            return "&amp;"
+        case '<':
+            return "&lt;"
+        case '>':
+            return "&gt;"
+        case '"':
+            return "&quot;"
+        case "'":
+            return "&apos;"
+        default:
+            return char
+    }
+}
+
+function firstPage() {
+    STATE.setEntryIndex(0)
+}
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+
+function lastPage() {
+    STATE.setEntryIndex(lastPageIndex())
+}
+
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
+}
+
+function doSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = true;
+    STATE.setEntryIndex(0);
+}
+
+function exitSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = false;
+    STATE.setMaxTotal(STATE.maxEntries)
+    STATE.setEntryIndex(0)
+}
+
+function main() {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.maxEntries = res.count!
+            STATE.setMaxTotal(STATE.maxEntries)
+            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+    for (let e of document.getElementsByClassName("page-number")) {
+        e.addEventListener("change", (_) => {
+            setPage(parseInt((e as HTMLInputElement).value))
+        })
+    }
+    document.getElementById("count")?.addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("sort")?.addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("search")?.addEventListener("keyup", (event) => {
+        if (event.key === 'Enter') doSearch()
+    })
+}
@@ -0,0 +1,21 @@
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+
+@media (prefers-color-scheme: dark) {
+  html {
+    background-color: #2c2c2c;
+    color: ghostwhite;
+  }
+}
+@media (prefers-color-scheme: light) {
+  html {
+    background-color: #d3d3d3;
+    color: black;
+  }
+}
@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "target": "ES2024",
+    "strict": true,
+    "alwaysStrict": true,
+    "outDir": "static"
+  }
+}
@@ -0,0 +1,9 @@
+// Package ui holds the static web UI.
+package ui
+
+import "net/http"
+
+// Register arranges for mux to serve the embedded frontend.
+func Register(mux *http.ServeMux) {
+	mux.Handle("GET /", http.FileServer(http.FS(static)))
+}
@@ -0,0 +1,21 @@
+//go:build frontend
+
+package ui
+
+import (
+	"embed"
+	"io/fs"
+)
+
+//go:generate tsc
+//go:generate cp index.html style.css static
+//go:embed static
+var _static embed.FS
+
+var static = func() fs.FS {
+	if f, err := fs.Sub(_static, "static"); err != nil {
+		panic(err)
+	} else {
+		return f
+	}
+}()
@@ -0,0 +1,7 @@
+//go:build !frontend
+
+package ui
+
+import "testing/fstest"
+
+var static fstest.MapFS
@@ -1,23 +1,50 @@
+// The mbf program is a frontend for [hakurei.app/internal/rosa].
+//
+// This program is not covered by the compatibility promise. The command line
+// interface, available packages and their behaviour, and even the on-disk
+// format, may change at any time.
+//
+// # Name
+//
+// The name mbf stands for maiden's best friend, as a tribute to the DOOM source
+// port of [the same name]. This name is a placeholder and is subject to change.
+//
+// [the same name]: https://www.doomwiki.org/wiki/MBF
 package main

 import (
 	"context"
+	"crypto/sha512"
 	"errors"
 	"fmt"
+	"io"
 	"log"
+	"net"
+	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"strconv"
+	"sync"
+	"sync/atomic"
 	"syscall"
+	"time"
 	"unique"

+	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
+
+	"hakurei.app/cmd/mbf/internal/pkgserver"
+	"hakurei.app/cmd/mbf/internal/pkgserver/ui"
 )

 func main() {
@@ -31,62 +58,141 @@ func main() {
 		log.Fatal("this program must not run as root")
 	}

-	var cache *pkg.Cache
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
 	defer stop()
-	defer func() {
-		if cache != nil {
-			cache.Close()
-		}

-		if r := recover(); r != nil {
-			fmt.Println(r)
-			log.Fatal("consider scrubbing the on-disk cache")
-		}
-	}()
+	var cm cache
+	defer func() { cm.Close() }()

 	var (
-		flagQuiet  bool
-		flagCures  int
-		flagBase   string
-		flagTShift int
-	)
-	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
-		msg.SwapVerbose(!flagQuiet)
+		flagQuiet bool
+		flagQEMU  bool
+		flagArch  string
+		flagCheck bool
+		flagLTO   bool

-		var base *check.Absolute
-		if flagBase, err = filepath.Abs(flagBase); err != nil {
-			return
-		} else if base, err = check.NewAbs(flagBase); err != nil {
-			return
+		flagCrossOverride int
+
+		addr net.UnixAddr
+	)
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) error {
+		msg.SwapVerbose(!flagQuiet)
+		cm.ctx, cm.msg = ctx, msg
+		cm.base = os.ExpandEnv(cm.base)
+		if cm.base == "" {
+			cm.base = "cache"
 		}
-		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
-			if flagTShift < 0 {
-				cache.SetThreshold(0)
-			} else if flagTShift > 31 {
-				cache.SetThreshold(1 << 31)
-			} else {
-				cache.SetThreshold(1 << flagTShift)
+
+		addr.Net = "unix"
+		addr.Name = os.ExpandEnv(addr.Name)
+		if addr.Name == "" {
+			addr.Name = filepath.Join(cm.base, "daemon")
+		}
+
+		var flags int
+		if !flagCheck {
+			flags |= rosa.OptSkipCheck
+		}
+		if !flagLTO {
+			flags |= rosa.OptLLVMNoLTO
+		}
+		rosa.DropCaches("", flags)
+		cross := flagArch != "" && flagArch != runtime.GOARCH
+		if flagQEMU || cross {
+			cm.qemu = rosa.Std.Load(rosa.QEMU)
+		}
+
+		if cross {
+			if flagCrossOverride != -1 {
+				flags = flagCrossOverride
+			}
+
+			rosa.DropCaches(flagArch, flags)
+			if !rosa.HasStage0() {
+				return pkg.UnsupportedArchError(flagArch)
 			}
 		}
-		return
+
+		return nil
 	}).Flag(
 		&flagQuiet,
 		"q", command.BoolFlag(false),
 		"Do not print cure messages",
 	).Flag(
-		&flagCures,
+		&flagQEMU,
+		"register", command.BoolFlag(false),
+		"Enable additional target architectures",
+	).Flag(
+		&flagArch,
+		"arch", command.StringFlag(runtime.GOARCH),
+		"Target architecture",
+	).Flag(
+		&flagLTO,
+		"lto", command.BoolFlag(false),
+		"Enable LTO in stage2 and stage3 LLVM toolchains",
+	).Flag(
+		&flagCheck,
+		"check", command.BoolFlag(true),
+		"Run test suites",
+	).Flag(
+		&flagCrossOverride,
+		"cross-flags", command.IntFlag(-1),
+		"Override non-native target preset flags",
+	).Flag(
+		&cm.verboseInit,
+		"v", command.BoolFlag(false),
+		"Do not suppress verbose output from init",
+	).Flag(
+		&cm.cures,
 		"cures", command.IntFlag(0),
 		"Maximum number of dependencies to cure at any given time",
 	).Flag(
-		&flagBase,
-		"d", command.StringFlag("cache"),
+		&cm.jobs,
+		"jobs", command.IntFlag(0),
+		"Preferred number of jobs to run, when applicable",
+	).Flag(
+		&cm.base,
+		"d", command.StringFlag("$MBF_CACHE_DIR"),
 		"Directory to store cured artifacts",
 	).Flag(
-		&flagTShift,
-		"tshift", command.IntFlag(-1),
-		"Dependency graph size exponent, to the power of 2",
+		&cm.idle,
+		"sched-idle", command.BoolFlag(false),
+		"Set SCHED_IDLE scheduling policy",
+	).Flag(
+		&cm.hostAbstract,
+		"host-abstract", command.BoolFlag(
+			os.Getenv("MBF_HOST_ABSTRACT") != "",
+		),
+		"Do not restrict networked cure containers from connecting to host "+
+			"abstract UNIX sockets",
+	).Flag(
+		&addr.Name,
+		"socket", command.StringFlag("$MBF_DAEMON_SOCKET"),
+		"Pathname of socket to bind to",
+	)
+
+	c.NewCommand(
+		"checksum", "Compute checksum of data read from standard input",
+		func([]string) error {
+			done := make(chan struct{})
+			defer close(done)
+			go func() {
+				select {
+				case <-ctx.Done():
+					os.Exit(1)
+				case <-done:
+					return
+				}
+			}()
+
+			h := sha512.New384()
+			if _, err := io.Copy(h, os.Stdin); err != nil {
+				return err
+			}
+			log.Println(pkg.Encode(pkg.Checksum(h.Sum(nil))))
+			return nil
+		},
 	)

 	{
@@ -100,7 +206,9 @@ func main() {
 				if flagShifts < 0 || flagShifts > 31 {
 					flagShifts = 12
 				}
-				return cache.Scrub(runtime.NumCPU() << flagShifts)
+				return cm.Do(func(cache *pkg.Cache) error {
+					return cache.Scrub(runtime.NumCPU() << flagShifts)
+				})
 			},
 		).Flag(
 			&flagShifts,
@@ -109,50 +217,298 @@ func main() {
 		)
 	}

+	{
+		var (
+			flagBind   string
+			flagStatus bool
+			flagReport string
+		)
+		c.NewCommand(
+			"info",
+			"Display out-of-band metadata of an artifact",
+			func(args []string) (err error) {
+				const shutdownTimeout = 15 * time.Second
+
+				var r *rosa.Report
+				if flagReport != "" {
+					if r, err = rosa.OpenReport(flagReport); err != nil {
+						return err
+					}
+					defer func() {
+						if closeErr := r.Close(); err == nil {
+							err = closeErr
+						}
+					}()
+					defer r.HandleAccess(&err)()
+				}
+
+				if flagBind == "" {
+					return commandInfo(&cm, args, os.Stdout, flagStatus, r)
+				}
+
+				var mux http.ServeMux
+				ui.Register(&mux)
+				if err = pkgserver.Register(ctx, &mux, r); err != nil {
+					return
+				}
+
+				server := http.Server{Addr: flagBind, Handler: &mux}
+				go func() {
+					<-ctx.Done()
+					cc, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+					defer cancel()
+					if _err := server.Shutdown(cc); _err != nil {
+						log.Fatal(_err)
+					}
+				}()
+
+				msg.Verbosef("listening on %q", flagBind)
+				err = server.ListenAndServe()
+				if errors.Is(err, http.ErrServerClosed) {
+					err = nil
+				}
+				return
+			},
+		).Flag(
+			&flagBind,
+			"bind", command.StringFlag(""),
+			"TCP address for the server to listen on",
+		).Flag(
+			&flagStatus,
+			"status", command.BoolFlag(false),
+			"Display cure status if available",
+		).Flag(
+			&flagReport,
+			"report", command.StringFlag(""),
+			"Load cure status from this report file instead of cache",
+		)
+	}
+
 	c.NewCommand(
-		"stage3",
-		"Check for toolchain 3-stage non-determinism",
+		"report",
+		"Generate an artifact cure report for the current cache",
 		func(args []string) (err error) {
-			_, _, _, stage1 := (rosa.Std - 2).NewLLVM()
-			_, _, _, stage2 := (rosa.Std - 1).NewLLVM()
-			_, _, _, stage3 := rosa.Std.NewLLVM()
+			var w *os.File
+			switch len(args) {
+			case 0:
+				w = os.Stdout
+
+			case 1:
+				if w, err = os.OpenFile(
+					args[0],
+					os.O_CREATE|os.O_EXCL|syscall.O_WRONLY,
+					0400,
+				); err != nil {
+					return
+				}
+				defer func() {
+					closeErr := w.Close()
+					if err == nil {
+						err = closeErr
+					}
+				}()
+
+			default:
+				return errors.New("report requires 1 argument")
+			}
+
+			if ext.Isatty(int(w.Fd())) {
+				return errors.New("output appears to be a terminal")
+			}
+			return cm.Do(func(cache *pkg.Cache) error {
+				return rosa.WriteReport(msg, w, cache)
+			})
+		},
+	)
+
+	{
+		var flagJobs int
+		c.NewCommand("updates", command.UsageInternal, func([]string) error {
 			var (
-				pathname *check.Absolute
-				checksum [2]unique.Handle[pkg.Checksum]
+				errsMu sync.Mutex
+				errs   []error
+
+				n atomic.Uint64
 			)

-			if pathname, _, err = cache.Cure(stage1); err != nil {
-				return err
-			}
-			log.Println("stage1:", pathname)
+			w := make(chan rosa.PArtifact)
+			var wg sync.WaitGroup
+			for range max(flagJobs, 1) {
+				wg.Go(func() {
+					for p := range w {
+						meta := rosa.GetMetadata(p)
+						if meta.ID == 0 {
+							continue
+						}

-			if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
-				return err
-			}
-			log.Println("stage2:", pathname)
-			if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
-				return err
-			}
-			log.Println("stage3:", pathname)
+						v, err := meta.GetVersions(ctx)
+						if err != nil {
+							errsMu.Lock()
+							errs = append(errs, err)
+							errsMu.Unlock()
+							continue
+						}

-			if checksum[0] != checksum[1] {
-				err = &pkg.ChecksumMismatchError{
-					Got:  checksum[0].Value(),
-					Want: checksum[1].Value(),
+						if current, latest :=
+							rosa.Std.Version(p),
+							meta.GetLatest(v); current != latest {
+
+							n.Add(1)
+							log.Printf("%s %s < %s", meta.Name, current, latest)
+							continue
+						}
+
+						msg.Verbosef("%s is up to date", meta.Name)
+					}
+				})
+			}
+
+		done:
+			for i := range rosa.PresetEnd {
+				select {
+				case w <- rosa.PArtifact(i):
+					break
+				case <-ctx.Done():
+					break done
 				}
-			} else {
-				log.Println(
-					"stage2 is identical to stage3",
-					"("+pkg.Encode(checksum[0].Value())+")",
-				)
 			}
-			return
+			close(w)
+			wg.Wait()
+
+			if v := n.Load(); v > 0 {
+				errs = append(errs, errors.New(strconv.Itoa(int(v))+
+					" package(s) are out of date"))
+			}
+			return errors.Join(errs...)
+		}).Flag(
+			&flagJobs,
+			"j", command.IntFlag(32),
+			"Maximum number of simultaneous connections",
+		)
+	}
+
+	c.NewCommand(
+		"daemon",
+		"Service artifact IR with Rosa OS extensions",
+		func(args []string) error {
+			ul, err := net.ListenUnix("unix", &addr)
+			if err != nil {
+				return err
+			}
+			log.Printf("listening on pathname socket at %s", addr.Name)
+			return serve(ctx, log.Default(), &cm, ul)
 		},
 	)

 	{
 		var (
-			flagDump string
+			flagGentoo   string
+			flagChecksum string
+
+			flagStage0 bool
+		)
+		c.NewCommand(
+			"stage3",
+			"Check for toolchain 3-stage non-determinism",
+			func(args []string) (err error) {
+				t := rosa.Std
+				if flagGentoo != "" {
+					t -= 3 // magic number to discourage misuse
+
+					var checksum pkg.Checksum
+					if len(flagChecksum) != 0 {
+						if err = pkg.Decode(&checksum, flagChecksum); err != nil {
+							return
+						}
+					}
+					rosa.SetGentooStage3(flagGentoo, checksum)
+				}
+
+				var (
+					pathname *check.Absolute
+					checksum [2]unique.Handle[pkg.Checksum]
+				)
+
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					pathname, _, err = cache.Cure(
+						(t - 2).Load(rosa.LLVM),
+					)
+					return
+				}); err != nil {
+					return
+				}
+				log.Println("stage1:", pathname)
+
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					pathname, checksum[0], err = cache.Cure(
+						(t - 1).Load(rosa.LLVM),
+					)
+					return
+				}); err != nil {
+					return
+				}
+				log.Println("stage2:", pathname)
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					pathname, checksum[1], err = cache.Cure(
+						t.Load(rosa.LLVM),
+					)
+					return
+				}); err != nil {
+					return
+				}
+				log.Println("stage3:", pathname)
+
+				if checksum[0] != checksum[1] {
+					err = &pkg.ChecksumMismatchError{
+						Got:  checksum[0].Value(),
+						Want: checksum[1].Value(),
+					}
+				} else {
+					log.Println(
+						"stage2 is identical to stage3",
+						"("+pkg.Encode(checksum[0].Value())+")",
+					)
+				}
+
+				if flagStage0 {
+					if err = cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(
+							t.Load(rosa.Stage0),
+						)
+						return
+					}); err != nil {
+						return
+					}
+					log.Println(pathname)
+				}
+
+				return
+			},
+		).Flag(
+			&flagGentoo,
+			"gentoo", command.StringFlag(""),
+			"Bootstrap from a Gentoo stage3 tarball",
+		).Flag(
+			&flagChecksum,
+			"checksum", command.StringFlag(""),
+			"Checksum of Gentoo stage3 tarball",
+		).Flag(
+			&flagStage0,
+			"stage0", command.BoolFlag(false),
+			"Create bootstrap stage0 tarball",
+		)
+	}
+
+	{
+		var (
+			flagDump    string
+			flagEnter   bool
+			flagExport  string
+			flagRemote  bool
+			flagNoReply bool
+
+			flagBoot bool
+			flagStd  bool
 		)
 		c.NewCommand(
 			"cure",
@@ -161,15 +517,55 @@ func main() {
 				if len(args) != 1 {
 					return errors.New("cure requires 1 argument")
 				}
-				if p, ok := rosa.ResolveName(args[0]); !ok {
-					return fmt.Errorf("unsupported artifact %q", args[0])
-				} else if flagDump == "" {
-					pathname, _, err := cache.Cure(rosa.Std.Load(p))
-					if err == nil {
-						log.Println(pathname)
+				p, ok := rosa.ResolveName(args[0])
+				if !ok {
+					return fmt.Errorf("unknown artifact %q", args[0])
+				}
+
+				t := rosa.Std
+				if flagBoot {
+					t -= 2
+				} else if flagStd {
+					t -= 1
+				}
+
+				switch {
+				default:
+					var pathname *check.Absolute
+					err := cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(t.Load(p))
+						return
+					})
+					if err != nil {
+						return err
 					}
-					return err
-				} else {
+					log.Println(pathname)
+
+					if flagExport != "" {
+						msg.Verbosef("exporting %s to %s...", args[0], flagExport)
+
+						var f *os.File
+						if f, err = os.OpenFile(
+							flagExport,
+							os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+							0400,
+						); err != nil {
+							return err
+						} else if _, err = pkg.Flatten(
+							os.DirFS(pathname.String()),
+							".",
+							f,
+						); err != nil {
+							_ = f.Close()
+							return err
+						} else if err = f.Close(); err != nil {
+							return err
+						}
+					}
+
+					return nil
+
+				case flagDump != "":
 					f, err := os.OpenFile(
 						flagDump,
 						os.O_WRONLY|os.O_CREATE|os.O_EXCL,
@@ -179,26 +575,256 @@ func main() {
 						return err
 					}

-					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
+					if err = pkg.NewIR().EncodeAll(f, rosa.Std.Load(p)); err != nil {
 						_ = f.Close()
 						return err
 					}

 					return f.Close()
+
+				case flagEnter:
+					return cm.Do(func(cache *pkg.Cache) error {
+						return cache.EnterExec(
+							ctx,
+							t.Load(p),
+							true, os.Stdin, os.Stdout, os.Stderr,
+							rosa.AbsSystem.Append("bin", "mksh"),
+							"sh",
+						)
+					})
+
+				case flagRemote:
+					var flags uint64
+					if flagNoReply {
+						flags |= remoteNoReply
+					}
+					a := t.Load(p)
+					pathname, err := cureRemote(ctx, &addr, a, flags)
+					if !flagNoReply && err == nil {
+						log.Println(pathname)
+					}
+
+					if errors.Is(err, context.Canceled) {
+						cc, cancel := context.WithDeadline(context.Background(), daemonDeadline())
+						defer cancel()
+
+						if _err := cancelRemote(cc, &addr, a, false); _err != nil {
+							log.Println(err)
+						}
+					}
+
+					return err
 				}
 			},
-		).
-			Flag(
-				&flagDump,
-				"dump", command.StringFlag(""),
-				"Write IR to specified pathname and terminate",
-			)
+		).Flag(
+			&flagDump,
+			"dump", command.StringFlag(""),
+			"Write IR to specified pathname and terminate",
+		).Flag(
+			&flagExport,
+			"export", command.StringFlag(""),
+			"Export cured artifact to specified pathname",
+		).Flag(
+			&flagEnter,
+			"enter", command.BoolFlag(false),
+			"Enter cure container with an interactive shell",
+		).Flag(
+			&flagRemote,
+			"daemon", command.BoolFlag(false),
+			"Cure artifact on the daemon",
+		).Flag(
+			&flagNoReply,
+			"no-reply", command.BoolFlag(false),
+			"Do not receive a reply from the daemon",
+		).Flag(
+			&flagBoot,
+			"boot", command.BoolFlag(false),
+			"Build on the stage0 toolchain",
+		).Flag(
+			&flagStd,
+			"std", command.BoolFlag(false),
+			"Build on the intermediate toolchain",
+		)
 	}

+	c.NewCommand(
+		"abort",
+		"Abort all pending cures on the daemon",
+		func([]string) error { return abortRemote(ctx, &addr, false) },
+	)
+
+	{
+		var (
+			flagNet     bool
+			flagSession bool
+
+			flagWithToolchain bool
+		)
+		c.NewCommand(
+			"shell",
+			"Interactive shell in the specified Rosa OS environment",
+			func(args []string) error {
+				presets := make([]rosa.PArtifact, len(args)+3)
+				for i, arg := range args {
+					p, ok := rosa.ResolveName(arg)
+					if !ok {
+						return fmt.Errorf("unknown artifact %q", arg)
+					}
+					presets[i] = p
+				}
+
+				base := rosa.LLVM
+				if !flagWithToolchain {
+					base = rosa.Musl
+				}
+				presets = append(presets,
+					base,
+					rosa.Mksh,
+					rosa.Toybox,
+				)
+
+				root := make(pkg.Collect, 0, 6+len(args))
+				root = rosa.Std.AppendPresets(root, presets...)
+
+				if err := cm.Do(func(cache *pkg.Cache) error {
+					_, _, err := cache.Cure(&root)
+					return err
+				}); err == nil {
+					return errors.New("unreachable")
+				} else if !pkg.IsCollected(err) {
+					return err
+				}
+
+				type cureRes struct {
+					pathname *check.Absolute
+					checksum unique.Handle[pkg.Checksum]
+				}
+				cured := make(map[pkg.Artifact]cureRes)
+				for _, a := range root {
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						pathname, checksum, err := cache.Cure(a)
+						if err == nil {
+							cured[a] = cureRes{pathname, checksum}
+						}
+						return err
+					}); err != nil {
+						return err
+					}
+				}
+
+				// explicitly open for direct error-free use from this point
+				if cm.c == nil {
+					if err := cm.open(); err != nil {
+						return err
+					}
+				}
+
+				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
+					*check.Absolute,
+					unique.Handle[pkg.Checksum],
+				) {
+					res := cured[a]
+					return res.pathname, res.checksum
+				}, func(i int, d pkg.Artifact) {
+					r := pkg.Encode(cm.c.Ident(d).Value())
+					if s, ok := d.(fmt.Stringer); ok {
+						if name := s.String(); name != "" {
+							r += "-" + name
+						}
+					}
+					msg.Verbosef("promoted layer %d as %s", i, r)
+				})
+
+				z := container.New(ctx, msg)
+				z.WaitDelay = 3 * time.Second
+				z.SeccompPresets = pkg.SeccompPresets
+				z.SeccompFlags |= seccomp.AllowMultiarch
+				z.ParentPerm = 0700
+				z.HostNet = flagNet
+				z.RetainSession = flagSession
+				z.Hostname = "localhost"
+				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
+				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+				z.Quiet = !cm.verboseInit
+				if s, ok := os.LookupEnv("TERM"); ok {
+					z.Env = append(z.Env, "TERM="+s)
+				}
+
+				var tempdir *check.Absolute
+				if s, err := filepath.Abs(os.TempDir()); err != nil {
+					return err
+				} else if tempdir, err = check.NewAbs(s); err != nil {
+					return err
+				}
+
+				z.Dir = fhs.AbsRoot
+				z.Env = []string{
+					"SHELL=/system/bin/mksh",
+					"PATH=/system/bin",
+					"HOME=/",
+				}
+				z.Path = rosa.AbsSystem.Append("bin", "mksh")
+				z.Args = []string{"mksh"}
+				z.
+					OverlayEphemeral(fhs.AbsRoot, layers...).
+					Place(
+						fhs.AbsEtc.Append("hosts"),
+						[]byte("127.0.0.1 localhost\n"),
+					).
+					Place(
+						fhs.AbsEtc.Append("passwd"),
+						[]byte("media_rw:x:1023:1023::/:/system/bin/sh\n"+
+							"nobody:x:65534:65534::/proc/nonexistent:/system/bin/false\n"),
+					).
+					Place(
+						fhs.AbsEtc.Append("group"),
+						[]byte("media_rw:x:1023:\nnobody:x:65534:\n"),
+					).
+					Bind(tempdir, fhs.AbsTmp, std.BindWritable).
+					Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+
+				if err := z.Start(); err != nil {
+					return err
+				}
+				if err := z.Serve(); err != nil {
+					return err
+				}
+				return z.Wait()
+			},
+		).Flag(
+			&flagNet,
+			"net", command.BoolFlag(false),
+			"Share host net namespace",
+		).Flag(
+			&flagSession,
+			"session", command.BoolFlag(true),
+			"Retain session",
+		).Flag(
+			&flagWithToolchain,
+			"with-toolchain", command.BoolFlag(false),
+			"Include the stage2 LLVM toolchain",
+		)
+
+	}
+
+	c.Command(
+		"help",
+		"Show this help message",
+		func([]string) error { c.PrintHelp(); return nil },
+	)
+
 	c.MustParse(os.Args[1:], func(err error) {
-		if cache != nil {
-			cache.Close()
+		cm.Close()
+		if w, ok := err.(interface{ Unwrap() []error }); !ok {
+			log.Fatal(err)
+		} else {
+			errs := w.Unwrap()
+			for i, e := range errs {
+				if i == len(errs)-1 {
+					log.Fatal(e)
+				}
+				log.Println(e)
+			}
 		}
-		log.Fatal(err)
 	})
 }
@@ -0,0 +1,47 @@
+package main
+
+import (
+	"net"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/rosa"
+)
+
+func TestMain(m *testing.M) {
+	rosa.DropCaches("", rosa.OptLLVMNoLTO)
+	os.Exit(m.Run())
+}
+
+func TestCureAll(t *testing.T) {
+	t.Parallel()
+	const env = "ROSA_TEST_DAEMON"
+
+	if !testing.Verbose() {
+		t.Skip("verbose flag not set")
+	}
+
+	pathname, ok := os.LookupEnv(env)
+	if !ok {
+		t.Skip(env + " not set")
+	}
+
+	addr := net.UnixAddr{Net: "unix", Name: pathname}
+	t.Cleanup(func() {
+		if t.Failed() {
+			if err := abortRemote(t.Context(), &addr, false); err != nil {
+				t.Fatal(err)
+			}
+		}
+	})
+
+	for i := range rosa.PresetEnd {
+		p := rosa.PArtifact(i)
+		t.Run(rosa.GetMetadata(p).Name, func(t *testing.T) {
+			_, err := cureRemote(t.Context(), &addr, rosa.Std.Load(p), 0)
+			if err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
@@ -7,8 +7,8 @@
 #endif

 #define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
-#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
-#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
 #define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */

 /* sharefs_private is populated by sharefs_init and contains process-wide context */
@@ -19,21 +19,21 @@ import (
 	"encoding/gob"
 	"errors"
 	"fmt"
-	"io"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
+	"path/filepath"
 	"runtime"
 	"runtime/cgo"
 	"strconv"
 	"syscall"
 	"unsafe"

+	"hakurei.app/check"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
 	"hakurei.app/container/std"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/helper/proc"
 	"hakurei.app/internal/info"
@@ -84,7 +84,10 @@ func destroySetup(private_data unsafe.Pointer) (ok bool) {
 }

 //export sharefs_init
-func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.Pointer {
+func sharefs_init(
+	_ *C.struct_fuse_conn_info,
+	cfg *C.struct_fuse_config,
+) unsafe.Pointer {
 	ctx := C.fuse_get_context()
 	priv := (*C.struct_sharefs_private)(ctx.private_data)
 	setup := cgo.Handle(priv.setup).Value().(*setupState)
@@ -102,7 +105,11 @@ func sharefs_init(_ *C.struct_fuse_conn_info, cfg *C.struct_fuse_config) unsafe.
 	cfg.negative_timeout = 0

 	// all future filesystem operations happen through this dirfd
-	if fd, err := syscall.Open(setup.Source.String(), syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC, 0); err != nil {
+	if fd, err := syscall.Open(
+		setup.Source.String(),
+		syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC,
+		0,
+	); err != nil {
 		log.Printf("cannot open %q: %v", setup.Source, err)
 		goto fail
 	} else if err = syscall.Fchdir(fd); err != nil {
@@ -137,9 +144,9 @@ func sharefs_destroy(private_data unsafe.Pointer) {
 func showHelp(args *fuseArgs) {
 	executableName := sharefsName
 	if args.argc > 0 {
-		executableName = path.Base(C.GoString(*args.argv))
+		executableName = filepath.Base(C.GoString(*args.argv))
 	} else if name, err := os.Executable(); err == nil {
-		executableName = path.Base(name)
+		executableName = filepath.Base(name)
 	}

 	fmt.Printf("usage: %s [options] <mountpoint>\n\n", executableName)
@@ -168,8 +175,11 @@ func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
 		// Decimal string representation of gid to set when running as root.
 		setgid *C.char

-		// Decimal string representation of open file descriptor to read setupState from.
-		// This is an internal detail for containerisation and must not be specified directly.
+		// Decimal string representation of open file descriptor to read
+		// setupState from.
+		//
+		// This is an internal detail for containerisation and must not be
+		// specified directly.
 		setup *C.char
 	}

@@ -252,7 +262,8 @@ func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
 	return true
 }

-// copyArgs returns a heap allocated copy of an argument slice in fuse_args representation.
+// copyArgs returns a heap allocated copy of an argument slice in fuse_args
+// representation.
 func copyArgs(s ...string) fuseArgs {
 	if len(s) == 0 {
 		return fuseArgs{argc: 0, argv: nil, allocated: 0}
@@ -268,6 +279,7 @@ func copyArgs(s ...string) fuseArgs {
 func freeArgs(args *fuseArgs) { C.fuse_opt_free_args(args) }

 // unsafeAddArgument adds an argument to fuseArgs via fuse_opt_add_arg.
+//
 // The last byte of arg must be 0.
 func unsafeAddArgument(args *fuseArgs, arg string) {
 	C.fuse_opt_add_arg(args, (*C.char)(unsafe.Pointer(unsafe.StringData(arg))))
@@ -287,8 +299,8 @@ func _main(s ...string) (exitCode int) {
 	args := copyArgs(s...)
 	defer freeArgs(&args)

-	// this causes the kernel to enforce access control based on
-	// struct stat populated by sharefs_getattr
+	// this causes the kernel to enforce access control based on struct stat
+	// populated by sharefs_getattr
 	unsafeAddArgument(&args, "-odefault_permissions\x00")

 	var priv C.struct_sharefs_private
@@ -441,12 +453,7 @@ func _main(s ...string) (exitCode int) {
 		// keep fuse_parse_cmdline happy in the container
 		z.Tmpfs(check.MustAbs(container.Nonexistent), 1<<10, 0755)

-		if a, err := check.NewAbs(container.MustExecutable(msg)); err != nil {
-			log.Println(err)
-			return 5
-		} else {
-			z.Path = a
-		}
+		z.Path = fhs.AbsProcSelfExe
 		z.Args = s
 		z.ForwardCancel = true
 		z.SeccompPresets |= std.PresetStrict
@@ -457,15 +464,19 @@ func _main(s ...string) (exitCode int) {
 			z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 		}
 		z.Bind(z.Path, z.Path, 0)
-		setup.Fuse = int(proc.ExtraFileSlice(&z.ExtraFiles, os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse")))
+		setup.Fuse = int(proc.ExtraFileSlice(
+			&z.ExtraFiles,
+			os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse"),
+		))

-		var setupWriter io.WriteCloser
-		if fd, w, err := container.Setup(&z.ExtraFiles); err != nil {
+		var setupPipe [2]*os.File
+		if r, w, err := os.Pipe(); err != nil {
 			log.Println(err)
 			return 5
 		} else {
-			z.Args = append(z.Args, "-osetup="+strconv.Itoa(fd))
-			setupWriter = w
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(3+len(z.ExtraFiles)))
+			z.ExtraFiles = append(z.ExtraFiles, r)
+			setupPipe[0], setupPipe[1] = r, w
 		}

 		if err := z.Start(); err != nil {
@@ -476,6 +487,9 @@ func _main(s ...string) (exitCode int) {
 			}
 			return 5
 		}
+		if err := setupPipe[0].Close(); err != nil {
+			log.Println(err)
+		}
 		if err := z.Serve(); err != nil {
 			if m, ok := message.GetMessage(err); ok {
 				log.Println(m)
@@ -485,10 +499,10 @@ func _main(s ...string) (exitCode int) {
 			return 5
 		}

-		if err := gob.NewEncoder(setupWriter).Encode(&setup); err != nil {
+		if err := gob.NewEncoder(setupPipe[1]).Encode(&setup); err != nil {
 			log.Println(err)
 			return 5
-		} else if err = setupWriter.Close(); err != nil {
+		} else if err = setupPipe[1].Close(); err != nil {
 			log.Println(err)
 		}

@@ -6,7 +6,7 @@ import (
 	"reflect"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func TestParseOpts(t *testing.T) {
@@ -1,3 +1,10 @@
+// The sharefs FUSE filesystem is a permissionless shared filesystem.
+//
+// This filesystem is the primary means of file sharing between hakurei
+// application containers. It serves the same purpose in Rosa OS as /sdcard
+// does in AOSP.
+//
+// See help message for all available options.
 package main

 import (
@@ -20,11 +20,14 @@
  };

  virtualisation = {
+    # Hopefully reduces spurious test failures:
+    memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
+
    diskSize = 6 * 1024;

    qemu.options = [
      # Increase test performance:
-      "-smp 8"
+      "-smp 16"
    ];
  };

@@ -28,7 +28,7 @@ testers.nixosTest {
        # For go tests:
        (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
          cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
-          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
+          ${fhs}/bin/hakurei-fhs -c 'ROSA_SKIP_BINFMT=1 CC="clang -O3 -Werror" go test ./...'
        '')
      ];

@@ -0,0 +1,122 @@
+//go:build raceattr
+
+// The raceattr program reproduces vfs inode file attribute race.
+//
+// Even though libfuse high-level API presents the address of a struct stat
+// alongside struct fuse_context, file attributes are actually inherent to the
+// inode, instead of the specific call from userspace. The kernel implementation
+// in fs/fuse/xattr.c appears to make stale data in the inode (set by a previous
+// call) impossible or very unlikely to reach userspace via the stat family of
+// syscalls. However, when using default_permissions to have the VFS check
+// permissions, this race still happens, despite the resulting struct stat being
+// correct when overriding the check via capabilities otherwise.
+//
+// This program reproduces the failure, but because of its continuous nature, it
+// is provided independent of the vm integration test suite.
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"syscall"
+)
+
+func newStatAs(
+	ctx context.Context, cancel context.CancelFunc,
+	n *atomic.Uint64, ok *atomic.Bool,
+	uid uint32, pathname string,
+	continuous bool,
+) func() {
+	return func() {
+		runtime.LockOSThread()
+		defer cancel()
+
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_SETUID, uintptr(uid),
+			0, 0,
+		); errno != 0 {
+			cancel()
+			log.Printf("cannot set uid to %d: %s", uid, errno)
+		}
+
+		var stat syscall.Stat_t
+		for {
+			if ctx.Err() != nil {
+				return
+			}
+
+			if err := syscall.Lstat(pathname, &stat); err != nil {
+				// SHAREFS_PERM_DIR not world executable, or
+				// SHAREFS_PERM_REG not world readable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("uid %d: %v", uid, err)
+			} else if stat.Uid != uid {
+				// appears to be unreachable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("got uid %d instead of %d", stat.Uid, uid)
+			}
+			n.Add(1)
+		}
+	}
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("raceattr: ")
+
+	p := flag.String("target", "/sdcard/raceattr", "pathname of test file")
+	u0 := flag.Int("uid0", 1<<10-1, "first uid")
+	u1 := flag.Int("uid1", 1<<10-2, "second uid")
+	count := flag.Int("count", 1, "threads per uid")
+	continuous := flag.Bool("continuous", false, "keep running even after reproduce")
+	flag.Parse()
+
+	if os.Geteuid() != 0 {
+		log.Fatal("this program must run as root")
+	}
+
+	ctx, cancel := signal.NotifyContext(
+		context.Background(),
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGHUP,
+	)
+
+	if err := os.WriteFile(*p, nil, 0); err != nil {
+		log.Fatal(err)
+	}
+
+	var (
+		wg sync.WaitGroup
+
+		n  atomic.Uint64
+		ok atomic.Bool
+	)
+
+	if *count < 1 {
+		*count = 1
+	}
+	for range *count {
+		wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u0), *p, *continuous))
+		if *u1 >= 0 {
+			wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u1), *p, *continuous))
+		}
+	}
+
+	wg.Wait()
+	if !*continuous && ok.Load() {
+		log.Printf("reproduced after %d calls", n.Load())
+	}
+}
@@ -4,14 +4,13 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(AutoEtcOp)) }

-// Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
-// This is not a generic setup op. It is implemented here to reduce ipc overhead.
+// Etc is a helper for appending [AutoEtcOp] to [Ops].
 func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	e := &AutoEtcOp{prefix}
 	f.Mkdir(fhs.AbsEtc, 0755)
@@ -20,6 +19,9 @@ func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	return f
 }

+// AutoEtcOp expands host /etc into a toplevel symlink mirror with /etc semantics.
+//
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
 type AutoEtcOp struct{ Prefix string }

 func (e *AutoEtcOp) Valid() bool                                { return e != nil }
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestAutoEtcOp(t *testing.T) {
@@ -4,20 +4,22 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 	"hakurei.app/message"
 )

 func init() { gob.Register(new(AutoRootOp)) }

-// Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
-// This is not a generic setup op. It is implemented here to reduce ipc overhead.
+// Root is a helper for appending [AutoRootOp] to [Ops].
 func (f *Ops) Root(host *check.Absolute, flags int) *Ops {
 	*f = append(*f, &AutoRootOp{host, flags, nil})
 	return f
 }

+// AutoRootOp expands a directory into a toplevel bind mount mirror on container root.
+//
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
 type AutoRootOp struct {
 	Host *check.Absolute
 	// passed through to bindMount
@@ -5,9 +5,9 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

@@ -0,0 +1,46 @@
+package container
+
+import (
+	"strings"
+	"unsafe"
+
+	"hakurei.app/check"
+)
+
+// escapeBinfmt escapes magic/mask sequences in a [BinfmtEntry].
+func escapeBinfmt(buf *strings.Builder, s string) string {
+	const lowerhex = "0123456789abcdef"
+
+	buf.Reset()
+	for _, c := range unsafe.Slice(unsafe.StringData(s), len(s)) {
+		switch c {
+		case 0, '\\', ':':
+			buf.WriteString(`\x`)
+			buf.WriteByte(lowerhex[c>>4])
+			buf.WriteByte(lowerhex[c&0xf])
+
+		default:
+			buf.WriteByte(c)
+		}
+	}
+	return buf.String()
+}
+
+// BinfmtEntry is an entry to be registered by the init process.
+type BinfmtEntry struct {
+	// The offset of the magic/mask in the file, counted in bytes.
+	Offset byte
+	// The byte sequence binfmt_misc is matching for.
+	Magic string
+	// An (optional, defaults to all 0xff) mask.
+	Mask string
+	// The program that should be invoked with the binary as first argument.
+	Interpreter *check.Absolute
+}
+
+// Valid returns whether e can be registered into the kernel.
+func (e *BinfmtEntry) Valid() bool {
+	return e != nil &&
+		int(e.Offset)+max(len(e.Magic), len(e.Mask)) < 128 &&
+		e.Interpreter != nil && len(e.Interpreter.String()) < 128
+}
@@ -0,0 +1,62 @@
+package container
+
+import (
+	"strings"
+	"testing"
+
+	"hakurei.app/fhs"
+)
+
+func TestEscapeBinfmt(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		magic string
+		want  string
+	}{
+		{"packed DOS applications", "\x0eDEX", "\x0eDEX"},
+
+		{"riscv64 magic",
+			"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
+			"\x7fELF\x02\x01\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\x02\\x00\xf3\\x00"},
+		{"riscv64 mask",
+			"\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			"\xff\xff\xff\xff\xff\xff\xff\\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := escapeBinfmt(new(strings.Builder), tc.magic)
+			if got != tc.want {
+				t.Errorf("escapeBinfmt: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestBinfmtEntry(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		e     BinfmtEntry
+		valid bool
+	}{
+		{"zero", BinfmtEntry{}, false},
+		{"large offset", BinfmtEntry{Offset: 128}, false},
+		{"long magic", BinfmtEntry{Magic: strings.Repeat("\x00", 128)}, false},
+		{"long mask", BinfmtEntry{Mask: strings.Repeat("\x00", 128)}, false},
+		{"valid", BinfmtEntry{Interpreter: fhs.AbsRoot}, true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if tc.e.Valid() != tc.valid {
+				t.Errorf("Valid: %v", !tc.valid)
+			}
+		})
+	}
+}
@@ -3,6 +3,8 @@ package container
 import (
 	"syscall"
 	"unsafe"
+
+	"hakurei.app/ext"
 )

 const (
@@ -16,6 +18,7 @@ const (
 	CAP_SETPCAP      = 0x8
 	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
+	CAP_SETFCAP      = 0x1f
 )

 type (
@@ -50,10 +53,16 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 }

 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
-func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
+func capBoundingSetDrop(cap uintptr) error {
+	return ext.Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
+}

 // capAmbientClearAll clears the ambient capability set of the calling thread.
-func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
+func capAmbientClearAll() error {
+	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
+}

 // capAmbientRaise adds to the ambient capability set of the calling thread.
-func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
+func capAmbientRaise(cap uintptr) error {
+	return ext.Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
+}
@@ -1,4 +1,5 @@
-// Package container implements unprivileged Linux containers with built-in support for syscall filtering.
+// Package container implements unprivileged Linux containers with built-in
+// support for syscall filtering.
 package container

 import (
@@ -15,10 +16,12 @@ import (
 	. "syscall"
 	"time"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )

@@ -26,9 +29,6 @@ const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGUSR2
-
-	// Timeout for writing initParams to Container.setup.
-	initSetupTimeout = 5 * time.Second
 )

 type (
@@ -37,26 +37,39 @@ type (
 	Container struct {
 		// Whether the container init should stay alive after its parent terminates.
 		AllowOrphan bool
+		// Whether to set SchedPolicy and SchedPriority via sched_setscheduler(2).
+		SetScheduler bool
+		// Scheduling policy to set via sched_setscheduler(2).
+		SchedPolicy ext.SchedPolicy
+		// Scheduling priority to set via sched_setscheduler(2). The zero value
+		// implies the minimum value supported by the current SchedPolicy.
+		SchedPriority ext.Int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
-		// ExtraFiles passed through to initial process in the container,
-		// with behaviour identical to its [exec.Cmd] counterpart.
+		// ExtraFiles passed through to initial process in the container, with
+		// behaviour identical to its [exec.Cmd] counterpart.
 		ExtraFiles []*os.File

-		// param pipe for shim and init
-		setup *os.File
-		// cancels cmd
+		// Write end of a pipe connected to the init to deliver [Params].
+		setup [2]*os.File
+		// Cancels the context passed to the underlying cmd.
 		cancel context.CancelFunc
-		// closed after Wait returns
+		// Closed after Wait returns. Keeps the spawning thread alive.
 		wait chan struct{}

 		Stdin  io.Reader
 		Stdout io.Writer
 		Stderr io.Writer

-		Cancel    func(cmd *exec.Cmd) error
+		// Custom cancellation behaviour for the underlying [exec.Cmd]. Must
+		// deliver [CancelSignal] before returning.
+		Cancel func(cmd *exec.Cmd) error
+		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration

+		// Suppress verbose output of init.
+		Quiet bool
+
 		cmd *exec.Cmd
 		ctx context.Context
 		msg message.Msg
@@ -78,12 +91,20 @@ type (
 		// Time to wait for processes lingering after the initial process terminates.
 		AdoptWaitDelay time.Duration

+		// Map uid/gid 0 in the init process. Requires [FstypeProc] attached to
+		// [fhs.Proc] in the container filesystem.
+		InitAsRoot bool
 		// Mapped Uid in user namespace.
 		Uid int
 		// Mapped Gid in user namespace.
 		Gid int
 		// Hostname value in UTS namespace.
 		Hostname string
+		// Register binfmt_misc entries.
+		Binfmt []BinfmtEntry
+		// Alternative pathname to attach binfmt_misc filesystem. The zero value
+		// requires [FstypeProc] to be made available at [fhs.Proc].
+		BinfmtPath *check.Absolute
 		// Sequential container setup ops.
 		*Ops

@@ -174,31 +195,24 @@ var (
 	closeOnExecErr  error
 )

-// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
-// This is only ran once as it is intended to handle files left open by the parent, and any file opened
-// on this side should already have syscall.FD_CLOEXEC set.
+// ensureCloseOnExec ensures all currently open file descriptors have the
+// syscall.FD_CLOEXEC flag set.
+//
+// This is only ran once as it is intended to handle files left open by the
+// parent, and any file opened on this side should already have
+// syscall.FD_CLOEXEC set.
 func ensureCloseOnExec() error {
-	closeOnExecOnce.Do(func() {
-		const fdPrefixPath = "/proc/self/fd/"
-
-		var entries []os.DirEntry
-		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
-			return
-		}
-
-		var fd int
-		for _, ent := range entries {
-			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
-				break // not reached
-			}
-			CloseOnExec(fd)
-		}
-	})
+	closeOnExecOnce.Do(func() { closeOnExecErr = doCloseOnExec() })

 	if closeOnExecErr == nil {
 		return nil
 	}
-	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
+	return &StartError{
+		Fatal:       true,
+		Step:        "set FD_CLOEXEC on all open files",
+		Err:         closeOnExecErr,
+		Passthrough: true,
+	}
 }

 // Start starts the container init. The init process blocks until Serve is called.
@@ -210,6 +224,9 @@ func (p *Container) Start() error {
 	if p.cmd.Process != nil {
 		return errors.New("container: already started")
 	}
+	if !p.InitAsRoot && len(p.Binfmt) > 0 {
+		return errors.New("container: init as root required, but not enabled")
+	}

 	if err := ensureCloseOnExec(); err != nil {
 		return err
@@ -280,12 +297,30 @@ func (p *Container) Start() error {
 	if !p.HostNet {
 		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
 	}
+	if p.InitAsRoot {
+		p.cmd.SysProcAttr.AmbientCaps = append(p.cmd.SysProcAttr.AmbientCaps,
+			// mappings during init as root
+			CAP_SETFCAP,
+		)
+
+		if !p.SeccompDisable &&
+			len(p.SeccompRules) == 0 &&
+			p.SeccompPresets&std.PresetDenyNS != 0 {
+			return errors.New("container: as root requires late namespace creation")
+		}
+	}

 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
-		return &StartError{true, "set up params stream", err, false, false}
+	if r, w, err := os.Pipe(); err != nil {
+		return &StartError{
+			Fatal: true,
+			Step:  "set up params stream",
+			Err:   err,
+		}
 	} else {
-		p.setup = f
+		fd := 3 + len(p.cmd.ExtraFiles)
+		p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, r)
+		p.setup[0], p.setup[1] = r, w
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
@@ -295,43 +330,60 @@ func (p *Container) Start() error {
 		runtime.LockOSThread()
 		p.wait = make(chan struct{})

-		done <- func() error { // setup depending on per-thread state must happen here
-			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
-			if err := SetNoNewPrivs(); err != nil {
-				return &StartError{true, "prctl(PR_SET_NO_NEW_PRIVS)", err, false, false}
+		// setup depending on per-thread state must happen here
+		done <- func() error {
+			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
+			// created from the calling thread
+			if err := setNoNewPrivs(); err != nil {
+				return &StartError{
+					Fatal: true,
+					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
+					Err:   err,
+				}
 			}

 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				rulesetAttr := &landlock.RulesetAttr{
+					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
+				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}

-				if abi, err := LandlockGetABI(); err != nil {
-					if p.HostAbstract {
-						// landlock can be skipped here as it restricts access to resources
-						// already covered by namespaces (pid)
+				if abi, err := landlock.GetABI(); err != nil {
+					if p.HostAbstract || !p.HostNet {
+						// landlock can be skipped here as it restricts access
+						// to resources already covered by namespaces (pid, net)
 						goto landlockOut
 					}
-					return &StartError{false, "get landlock ABI", err, false, false}
+					return &StartError{Step: "get landlock ABI", Err: err}
 				} else if abi < 6 {
 					if p.HostAbstract {
 						// see above comment
 						goto landlockOut
 					}
-					return &StartError{false, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET", ENOSYS, true, false}
-				} else {
-					p.msg.Verbosef("landlock abi version %d", abi)
+					return &StartError{
+						Step:   "kernel too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
+						Err:    ENOSYS,
+						Origin: true,
+					}
 				}

 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
-					return &StartError{true, "create landlock ruleset", err, false, false}
+					return &StartError{
+						Fatal: true,
+						Step:  "create landlock ruleset",
+						Err:   err,
+					}
 				} else {
-					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
-					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
-						return &StartError{true, "enforce landlock ruleset", err, false, false}
+						return &StartError{
+							Fatal: true,
+							Step:  "enforce landlock ruleset",
+							Err:   err,
+						}
 					}
 					if err = Close(rulesetFd); err != nil {
 						p.msg.Verbosef("cannot close landlock ruleset: %v", err)
@@ -342,9 +394,51 @@ func (p *Container) Start() error {
 			landlockOut:
 			}

-			p.msg.Verbose("starting container init")
+			// sched_setscheduler: thread-directed but acts on all processes
+			// created from the calling thread
+			if p.SetScheduler {
+				if p.SchedPolicy < 0 || p.SchedPolicy > ext.SCHED_LAST {
+					return &StartError{
+						Fatal: false,
+						Step:  "set scheduling policy",
+						Err:   EINVAL,
+					}
+				}
+
+				var param schedParam
+				if priority, err := p.SchedPolicy.GetPriorityMin(); err != nil {
+					return &StartError{
+						Fatal: true,
+						Step:  "get minimum priority",
+						Err:   err,
+					}
+				} else {
+					param.priority = max(priority, p.SchedPriority)
+				}
+
+				p.msg.Verbosef(
+					"setting scheduling policy %s priority %d",
+					p.SchedPolicy, param.priority,
+				)
+				if err := schedSetscheduler(
+					0, // calling thread
+					p.SchedPolicy,
+					&param,
+				); err != nil {
+					return &StartError{
+						Fatal: true,
+						Step:  "set scheduling policy",
+						Err:   err,
+					}
+				}
+			}
+
 			if err := p.cmd.Start(); err != nil {
-				return &StartError{false, "start container init", err, false, true}
+				return &StartError{
+					Step:        "start container init",
+					Err:         err,
+					Passthrough: true,
+				}
 			}
 			return nil
 		}()
@@ -356,21 +450,40 @@ func (p *Container) Start() error {
 }

 // Serve serves [Container.Params] to the container init.
+//
 // Serve must only be called once.
-func (p *Container) Serve() error {
-	if p.setup == nil {
+func (p *Container) Serve() (err error) {
+	if p.setup[0] == nil || p.setup[1] == nil {
 		panic("invalid serve")
 	}

-	setup := p.setup
-	p.setup = nil
-	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
-		return &StartError{true, "set init pipe deadline", err, false, true}
+	done := make(chan struct{})
+	defer func() {
+		if closeErr := p.setup[1].Close(); err == nil {
+			err = closeErr
+		}
+
+		if err != nil {
+			p.cancel()
+		}
+		close(done)
+		p.setup[0], p.setup[1] = nil, nil
+	}()
+	if err = p.setup[0].Close(); err != nil {
+		return &StartError{
+			Fatal:       true,
+			Step:        "close read end of init pipe",
+			Err:         err,
+			Passthrough: true,
+		}
 	}

 	if p.Path == nil {
-		p.cancel()
-		return &StartError{false, "invalid executable pathname", EINVAL, true, false}
+		return &StartError{
+			Step:   "invalid executable pathname",
+			Err:    EINVAL,
+			Origin: true,
+		}
 	}

 	// do not transmit nil
@@ -381,21 +494,30 @@ func (p *Container) Serve() error {
 		p.SeccompRules = make([]std.NativeRule, 0)
 	}

-	err := gob.NewEncoder(setup).Encode(&initParams{
+	t := time.Now().UTC()
+	go func(f *os.File) {
+		select {
+		case <-p.ctx.Done():
+			if cancelErr := f.SetWriteDeadline(t); cancelErr != nil {
+				p.msg.Verbose(err)
+			}
+
+		case <-done:
+			return
+		}
+	}(p.setup[1])
+
+	return gob.NewEncoder(p.setup[1]).Encode(&initParams{
 		p.Params,
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
-		p.msg.IsVerbose(),
+		p.msg.IsVerbose() && !p.Quiet,
 	})
-	_ = setup.Close()
-	if err != nil {
-		p.cancel()
-	}
-	return err
 }

-// Wait waits for the container init process to exit and releases any resources associated with the [Container].
+// Wait blocks until the container init process to exit and releases any
+// resources associated with the [Container].
 func (p *Container) Wait() error {
 	if p.cmd == nil || p.cmd.Process == nil {
 		return EINVAL
@@ -440,11 +562,13 @@ func (p *Container) StderrPipe() (r io.ReadCloser, err error) {
 }

 func (p *Container) String() string {
-	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
-		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets))
+	return fmt.Sprintf(
+		"argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
+		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets),
+	)
 }

-// ProcessState returns the address to os.ProcessState held by the underlying [exec.Cmd].
+// ProcessState returns the address of os.ProcessState held by the underlying [exec.Cmd].
 func (p *Container) ProcessState() *os.ProcessState {
 	if p.cmd == nil {
 		return nil
@@ -452,7 +576,8 @@ func (p *Container) ProcessState() *os.ProcessState {
 	return p.cmd.ProcessState
 }

-// New returns the address to a new instance of [Container] that requires further initialisation before use.
+// New returns the address to a new instance of [Container]. This value requires
+// further initialisation before use.
 func New(ctx context.Context, msg message.Msg) *Container {
 	if msg == nil {
 		msg = message.New(nil)
@@ -461,12 +586,18 @@ func New(ctx context.Context, msg message.Msg) *Container {
 	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
 	c, cancel := context.WithCancel(ctx)
 	p.cancel = cancel
-	p.cmd = exec.CommandContext(c, MustExecutable(msg))
+	p.cmd = exec.CommandContext(c, fhs.ProcSelfExe)
 	return p
 }

 // NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
-func NewCommand(ctx context.Context, msg message.Msg, pathname *check.Absolute, name string, args ...string) *Container {
+func NewCommand(
+	ctx context.Context,
+	msg message.Msg,
+	pathname *check.Absolute,
+	name string,
+	args ...string,
+) *Container {
 	z := New(ctx, msg)
 	z.Path = pathname
 	z.Args = append([]string{name}, args...)
@@ -17,17 +17,22 @@ import (
 	"syscall"
 	"testing"
 	"time"
+	"unsafe"

+	"hakurei.app/check"
 	"hakurei.app/command"
 	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/vfs"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
+	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 // Note: this package requires cgo, which is unavailable in the Go playground.
@@ -83,9 +88,9 @@ func TestStartError(t *testing.T) {
 		{"params env", &container.StartError{
 			Fatal: true,
 			Step:  "set up params stream",
-			Err:   container.ErrReceiveEnv,
+			Err:   params.ErrReceiveEnv,
 		}, "set up params stream: environment variable not set",
-			container.ErrReceiveEnv, syscall.EBADF,
+			params.ErrReceiveEnv, syscall.EBADF,
 			"cannot set up params stream: environment variable not set"},

 		{"params", &container.StartError{
@@ -230,6 +235,9 @@ func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*v
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }

+//go:linkname toHost hakurei.app/container.toHost
+func toHost(name string) string
+
 var containerTestCases = []struct {
 	name    string
 	filter  bool
@@ -258,7 +266,7 @@ var containerTestCases = []struct {
 		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: ext.SyscallNum(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},

 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
@@ -329,13 +337,15 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"rw,lowerdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"rw"+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
@@ -385,9 +395,11 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"ro,lowerdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"ro"+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
@@ -397,49 +409,18 @@ var containerTestCases = []struct {
 func TestContainer(t *testing.T) {
 	t.Parallel()

-	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
-		wantErr := context.Canceled
-		wantExitCode := 0
-		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
-		}
-		if ps := c.ProcessState(); ps == nil {
-			t.Errorf("ProcessState unexpectedly returned nil")
-		} else if code := ps.ExitCode(); code != wantExitCode {
-			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
-		}
-	}))
-
-	t.Run("forward", testContainerCancel(func(c *container.Container) {
-		c.ForwardCancel = true
-	}, func(t *testing.T, c *container.Container) {
-		var exitError *exec.ExitError
-		if err := c.Wait(); !errors.As(err, &exitError) {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %v", err)
-		}
-		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
-			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
-		}
-	}))
-
+	var suffix string
+runTests:
 	for i, tc := range containerTestCases {
-		t.Run(tc.name, func(t *testing.T) {
+		_suffix := suffix
+		t.Run(tc.name+_suffix, func(t *testing.T) {
 			t.Parallel()

 			wantOps, wantOpsCtx := tc.ops(t)
 			wantMnt := tc.mnt(t, wantOpsCtx)

-			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
-			defer cancel()
-
 			var libPaths []*check.Absolute
-			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
+			c := helperNewContainerLibPaths(t.Context(), &libPaths, "container", strconv.Itoa(i))
 			c.Uid = tc.uid
 			c.Gid = tc.gid
 			c.Hostname = hostnameFromTestCase(tc.name)
@@ -449,7 +430,6 @@ func TestContainer(t *testing.T) {
 			} else {
 				c.Stdout, c.Stderr = os.Stdout, os.Stderr
 			}
-			c.WaitDelay = helperDefaultTimeout
 			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
@@ -457,6 +437,20 @@ func TestContainer(t *testing.T) {
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
+			c.InitAsRoot = _suffix != ""
+			c.Env = append(c.Env, "HAKUREI_TEST_SUFFIX="+_suffix)
+			if info.CanDegrade {
+				if _, err := landlock.GetABI(); err != nil {
+					if !errors.Is(err, syscall.ENOSYS) {
+						t.Fatalf("LandlockGetABI: error = %v", err)
+					}
+					c.HostAbstract = true
+					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
+				}
+			}
+			if c.InitAsRoot {
+				c.SeccompPresets &= ^std.PresetDenyNS
+			}

 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -525,6 +519,11 @@ func TestContainer(t *testing.T) {
 			}
 		})
 	}
+
+	if suffix == "" {
+		suffix = " as root"
+		goto runTests
+	}
 }

 func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
@@ -547,50 +546,118 @@ func hostnameFromTestCase(name string) string {
 }

 func testContainerCancel(
+	t *testing.T,
 	containerExtra func(c *container.Container),
-	waitCheck func(t *testing.T, c *container.Container),
-) func(t *testing.T) {
-	return func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
+	waitCheck func(ps *os.ProcessState, waitErr error),
+) {
+	ctx, cancel := context.WithCancel(t.Context())

-		c := helperNewContainer(ctx, "block")
-		c.Stdout, c.Stderr = os.Stdout, os.Stderr
-		c.WaitDelay = helperDefaultTimeout
-		if containerExtra != nil {
-			containerExtra(c)
-		}
-
-		ready := make(chan struct{})
-		if r, w, err := os.Pipe(); err != nil {
-			t.Fatalf("cannot pipe: %v", err)
-		} else {
-			c.ExtraFiles = append(c.ExtraFiles, w)
-			go func() {
-				defer close(ready)
-				if _, err = r.Read(make([]byte, 1)); err != nil {
-					panic(err.Error())
-				}
-			}()
-		}
-
-		if err := c.Start(); err != nil {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Fatal(m)
-			} else {
-				t.Fatalf("cannot start container: %v", err)
-			}
-		} else if err = c.Serve(); err != nil {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			} else {
-				t.Errorf("cannot serve setup params: %v", err)
-			}
-		}
-		<-ready
-		cancel()
-		waitCheck(t, c)
+	c := helperNewContainer(ctx, "block")
+	c.Stdout, c.Stderr = os.Stdout, os.Stderr
+	if containerExtra != nil {
+		containerExtra(c)
 	}
+
+	ready := make(chan struct{})
+	var waitErr error
+	r, w, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("cannot pipe: %v", err)
+	}
+
+	c.ExtraFiles = append(c.ExtraFiles, w)
+	go func() {
+		defer close(ready)
+		if _, _err := r.Read(make([]byte, 1)); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = c.Start(); err != nil {
+		if m, ok := container.InternalMessageFromError(err); ok {
+			t.Fatal(m)
+		} else {
+			t.Fatalf("cannot start container: %v", err)
+		}
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		waitErr = c.Wait()
+		_ = r.SetReadDeadline(time.Now())
+	}()
+
+	if err = c.Serve(); err != nil {
+		if m, ok := container.InternalMessageFromError(err); ok {
+			t.Error(m)
+		} else {
+			t.Errorf("cannot serve setup params: %v", err)
+		}
+	}
+	<-ready
+	cancel()
+	<-done
+	waitCheck(c.ProcessState(), waitErr)
+}
+
+func TestForward(t *testing.T) {
+	t.Parallel()
+
+	f := func(ps *os.ProcessState, waitErr error) {
+		var exitError *exec.ExitError
+		if !errors.As(waitErr, &exitError) {
+			if m, ok := container.InternalMessageFromError(waitErr); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %v", waitErr)
+		}
+		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
+			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
+		}
+	}
+	t.Run("direct", func(t *testing.T) {
+		t.Parallel()
+		testContainerCancel(t, func(c *container.Container) {
+			c.ForwardCancel = true
+		}, f)
+	})
+	t.Run("as root", func(t *testing.T) {
+		testContainerCancel(t, func(c *container.Container) {
+			c.ForwardCancel = true
+			c.InitAsRoot = true
+			c.Proc(fhs.AbsProc)
+		}, f)
+	})
+}
+
+func TestCancel(t *testing.T) {
+	t.Parallel()
+
+	f := func(ps *os.ProcessState, waitErr error) {
+		wantErr := context.Canceled
+		if !reflect.DeepEqual(waitErr, wantErr) {
+			if m, ok := container.InternalMessageFromError(waitErr); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %#v, want %#v", waitErr, wantErr)
+		}
+		if ps == nil {
+			t.Errorf("ProcessState unexpectedly returned nil")
+		} else if code := ps.ExitCode(); code != 0 {
+			t.Errorf("ExitCode: %d, want %d", code, 0)
+		}
+	}
+	t.Run("direct", func(t *testing.T) {
+		t.Parallel()
+		testContainerCancel(t, nil, f)
+	})
+	t.Run("as root", func(t *testing.T) {
+		testContainerCancel(t, func(c *container.Container) {
+			c.InitAsRoot = true
+			c.Proc(fhs.AbsProc)
+		}, f)
+	})
 }

 func TestContainerString(t *testing.T) {
@@ -626,6 +693,8 @@ func init() {
 		})

 		c.Command("container", command.UsageInternal, func(args []string) error {
+			asRoot := os.Getenv("HAKUREI_TEST_SUFFIX") == " as root"
+
 			if len(args) != 1 {
 				return syscall.EINVAL
 			}
@@ -643,6 +712,66 @@ func init() {
 				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
 			}

+			// no attack surface increase during as root due to no_new_privs
+			var wantBounding uintptr = 1
+			asRootNot := " not"
+			if !asRoot {
+				wantBounding = 0
+				asRootNot = ""
+			}
+
+			const (
+				PR_CAP_AMBIENT        = 0x2f
+				PR_CAP_AMBIENT_IS_SET = 0x1
+			)
+			for i := range container.LastCap(nil) + 1 {
+				r, _, errno := syscall.Syscall(
+					syscall.SYS_PRCTL,
+					PR_CAP_AMBIENT,
+					PR_CAP_AMBIENT_IS_SET,
+					i,
+				)
+				if errno != 0 {
+					return os.NewSyscallError("prctl", errno)
+				}
+				if r != 0 {
+					return fmt.Errorf("capability %d in ambient set", i)
+				}
+
+				r, _, errno = syscall.Syscall(
+					syscall.SYS_PRCTL,
+					syscall.PR_CAPBSET_READ,
+					i,
+					0,
+				)
+				if errno != 0 {
+					return os.NewSyscallError("prctl", errno)
+				}
+				if r != wantBounding {
+					return fmt.Errorf("capability %d%s in bounding set", i, asRootNot)
+				}
+			}
+
+			const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
+			var capData struct {
+				effective   uint32
+				permitted   uint32
+				inheritable uint32
+			}
+			if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&struct {
+				version uint32
+				pid     int32
+			}{_LINUX_CAPABILITY_VERSION_3, 0})), uintptr(unsafe.Pointer(&capData)), 0); errno != 0 {
+				return os.NewSyscallError("capget", errno)
+			}
+
+			if max(capData.effective, capData.permitted, capData.inheritable) != 0 {
+				return fmt.Errorf(
+					"effective = %d, permitted = %d, inheritable = %d",
+					capData.effective, capData.permitted, capData.inheritable,
+				)
+			}
+
 			wantHost := hostnameFromTestCase(tc.name)
 			if host, err := os.Hostname(); err != nil {
 				return fmt.Errorf("cannot get hostname: %v", err)
@@ -737,8 +866,7 @@ func init() {
 const (
 	envDoCheck = "HAKUREI_TEST_DO_CHECK"

-	helperDefaultTimeout = 5 * time.Second
-	helperInnerPath      = "/usr/bin/helper"
+	helperInnerPath = "/usr/bin/helper"
 )

 var (
@@ -761,7 +889,7 @@ func TestMain(m *testing.M) {
 		}
 		c.MustParse(os.Args[1:], func(err error) {
 			if err != nil {
-				log.Fatal(err.Error())
+				log.Fatal(err)
 			}
 		})
 		return
@@ -773,14 +901,13 @@ func TestMain(m *testing.M) {
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
-	executable := check.MustAbs(container.MustExecutable(msg))

 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(executable, absHelperInnerPath, 0)
+	c.Bind(fhs.AbsProcSelfExe, absHelperInnerPath, 0)

 	// in case test has cgo enabled
-	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
+	if entries, err := ldd.Resolve(ctx, msg, nil); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)
@@ -1,8 +1,10 @@
 package container

 import (
+	"context"
 	"io"
 	"io/fs"
+	"net"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -12,6 +14,9 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/internal/netlink"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )

@@ -21,7 +26,8 @@ type osFile interface {
 	fs.File
 }

-// syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
+// syscallDispatcher provides methods that make state-dependent system calls as
+// part of their behaviour.
 type syscallDispatcher interface {
 	// new starts a goroutine with a new instance of syscallDispatcher.
 	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
@@ -51,7 +57,7 @@ type syscallDispatcher interface {
 	// isatty provides [Isatty].
 	isatty(fd int) bool
 	// receive provides [Receive].
-	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
+	receive(key string, e any, fdp *int) (closeFunc func() error, err error)

 	// bindMount provides procPaths.bindMount.
 	bindMount(msg message.Msg, source, target string, flags uintptr) error
@@ -59,10 +65,12 @@ type syscallDispatcher interface {
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
+	// mountOverlay provides mountOverlay.
+	mountOverlay(target string, options [][2]string) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
-	mustLoopback(msg message.Msg)
+	mustLoopback(ctx context.Context, msg message.Msg)

 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -140,18 +148,18 @@ func (k direct) new(f func(k syscallDispatcher)) { go f(k) }

 func (direct) lockOSThread() { runtime.LockOSThread() }

-func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
-func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
+func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }

 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
 func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
-func (direct) isatty(fd int) bool                              { return Isatty(fd) }
-func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
-	return Receive(key, e, fdp)
+func (direct) isatty(fd int) bool                              { return ext.Isatty(fd) }
+func (direct) receive(key string, e any, fdp *int) (func() error, error) {
+	return params.Receive(key, e, fdp)
 }

 func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {
@@ -163,10 +171,56 @@ func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
+func (k direct) mountOverlay(target string, options [][2]string) error {
+	return mountOverlay(target, options)
+}
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
-func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
+func (direct) mustLoopback(ctx context.Context, msg message.Msg) {
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		msg.GetLogger().Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	c, err := netlink.DialRoute(0)
+	if err != nil {
+		msg.GetLogger().Fatalln(err)
+	}
+
+	must := func(err error) {
+		if err == nil {
+			return
+		}
+		if closeErr := c.Close(); closeErr != nil {
+			msg.Verbosef("cannot close RTNETLINK: %v", closeErr)
+		}
+
+		switch err.(type) {
+		case *os.SyscallError:
+			msg.GetLogger().Fatalf("cannot %v", err)
+
+		case syscall.Errno:
+			msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+		default:
+			if err == context.DeadlineExceeded || err == context.Canceled {
+				msg.GetLogger().Fatalf("interrupted RTNETLINK operation")
+			}
+			msg.GetLogger().Fatal("RTNETLINK answers with malformed message")
+		}
+	}
+	must(c.SendNewaddrLo(ctx, uint32(lo)))
+	must(c.SendIfInfomsg(ctx, syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
+		Family: syscall.AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  syscall.IFF_UP,
+		Change: syscall.IFF_UP,
+	}))
+	must(c.Close())
+}

 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
@@ -2,6 +2,7 @@ package container

 import (
 	"bytes"
+	"context"
 	"fmt"
 	"io"
 	"io/fs"
@@ -18,7 +19,7 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

@@ -238,8 +239,11 @@ func sliceAddr[S any](s []S) *[]S { return &s }

 func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
 	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
-	// check happens in Close, and cleanup is not guaranteed to run, so relying on it for sloppy implementations will cause sporadic test results
-	f.cleanup = runtime.AddCleanup(f, func(name string) { f.t.Fatalf("checkedOsFile %s became unreachable without a call to Close", name) }, f.name)
+	// check happens in Close, and cleanup is not guaranteed to run, so relying
+	// on it for sloppy implementations will cause sporadic test results
+	f.cleanup = runtime.AddCleanup(f, func(name string) {
+		panic("checkedOsFile " + name + " became unreachable without a call to Close")
+	}, name)
 	return f
 }

@@ -386,7 +390,7 @@ func (k *kstub) isatty(fd int) bool {
 	return expect.Ret.(bool)
 }

-func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
+func (k *kstub) receive(key string, e any, fdp *int) (closeFunc func() error, err error) {
 	k.Helper()
 	expect := k.Expects("receive")

@@ -404,10 +408,17 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 		}
 		return nil
 	}
+
+	// avoid changing test cases
+	var fdpComp *uintptr
+	if fdp != nil {
+		fdpComp = new(uintptr(*fdp))
+	}
+
 	err = expect.Error(
 		stub.CheckArg(k.Stub, "key", key, 0),
 		stub.CheckArgReflect(k.Stub, "e", e, 1),
-		stub.CheckArgReflect(k.Stub, "fdp", fdp, 2))
+		stub.CheckArgReflect(k.Stub, "fdp", fdpComp, 2))

 	// 3 is unused so stores params
 	if expect.Args[3] != nil {
@@ -422,7 +433,7 @@ func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error
 	if expect.Args[4] != nil {
 		if v, ok := expect.Args[4].(uintptr); ok && v >= 3 {
 			if fdp != nil {
-				*fdp = v
+				*fdp = int(v)
 			}
 		}
 	}
@@ -457,6 +468,14 @@ func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }

+func (k *kstub) mountOverlay(target string, options [][2]string) error {
+	k.Helper()
+	return k.Expects("mountOverlay").Error(
+		stub.CheckArg(k.Stub, "target", target, 0),
+		stub.CheckArgReflect(k.Stub, "options", options, 1),
+	)
+}
+
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(
@@ -465,7 +484,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }

-func (*kstub) mustLoopback(message.Msg) { /* noop */ }
+func (*kstub) mustLoopback(context.Context, message.Msg) { /* noop */ }

 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
@@ -5,9 +5,9 @@ import (
 	"os"
 	"syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
 	"hakurei.app/message"
+	"hakurei.app/vfs"
 )

 // messageFromError returns a printable error message for a supported concrete type.
@@ -43,7 +43,8 @@ func messageFromError(err error) (m string, ok bool) {
 }

 // messagePrefix checks and prefixes the error message of a non-pointer error.
-// While this is usable for pointer errors, such use should be avoided as nil check is omitted.
+// While this is usable for pointer errors, such use should be avoided as nil
+// check is omitted.
 func messagePrefix[T error](prefix string, err error) (string, bool) {
 	var targetError T
 	if errors.As(err, &targetError) {
@@ -117,6 +118,10 @@ func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {

 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
+	if max(len(source), len(target), len(data))+1 > os.Getpagesize() {
+		return &MountError{source, target, fstype, flags, data, syscall.ENOMEM}
+	}
+
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil
@@ -8,9 +8,9 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
-	"hakurei.app/container/vfs"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
+	"hakurei.app/vfs"
 )

 func TestMessageFromError(t *testing.T) {
@@ -1,34 +0,0 @@
-package container
-
-import (
-	"fmt"
-	"log"
-	"os"
-	"sync"
-
-	"hakurei.app/message"
-)
-
-var (
-	executable     string
-	executableOnce sync.Once
-)
-
-func copyExecutable(msg message.Msg) {
-	if name, err := os.Executable(); err != nil {
-		m := fmt.Sprintf("cannot read executable path: %v", err)
-		if msg != nil {
-			msg.BeforeExit()
-			msg.GetLogger().Fatal(m)
-		} else {
-			log.Fatal(m)
-		}
-	} else {
-		executable = name
-	}
-}
-
-func MustExecutable(msg message.Msg) string {
-	executableOnce.Do(func() { copyExecutable(msg) })
-	return executable
-}
@@ -1,18 +0,0 @@
-package container_test
-
-import (
-	"os"
-	"testing"
-
-	"hakurei.app/container"
-	"hakurei.app/message"
-)
-
-func TestExecutable(t *testing.T) {
-	t.Parallel()
-	for i := 0; i < 16; i++ {
-		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
-			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
-		}
-	}
-}
@@ -7,16 +7,21 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path"
+	"os/signal"
+	"path/filepath"
 	"slices"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"

-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
+	"hakurei.app/internal/params"
 	"hakurei.app/message"
 )

@@ -33,12 +38,12 @@ const (
 	- This path is only accessible by init and root:
 	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.

-	It should be noted that none of this should become relevant at any point since the resulting
-	intermediate root tmpfs should be effectively anonymous. */
+	It should be noted that none of this should become relevant at any point
+	since the resulting intermediate root tmpfs should be effectively anonymous. */
 	intermediateHostPath = fhs.Proc + "self/fd"

-	// setupEnv is the name of the environment variable holding the string representation of
-	// the read end file descriptor of the setup params pipe.
+	// setupEnv is the name of the environment variable holding the string
+	// representation of the read end file descriptor of the setup params pipe.
 	setupEnv = "HAKUREI_SETUP"

 	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
@@ -59,7 +64,8 @@ type (
 		// late is called right before starting the initial process.
 		late(state *setupState, k syscallDispatcher) error

-		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
+		// prefix returns a log message prefix, and whether this Op prints no
+		// identifying message on its own.
 		prefix() (string, bool)

 		Is(op Op) bool
@@ -71,9 +77,11 @@ type (
 	setupState struct {
 		nonrepeatable uintptr

-		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
+		// Whether early reaping has concluded. Must only be accessed in the
+		// wait4 loop.
 		processConcluded bool
-		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
+		// Process to syscall.WaitStatus populated in the wait4 loop. Freed
+		// after early reaping concludes.
 		process map[int]WaitStatus
 		// Synchronises access to process.
 		processMu sync.RWMutex
@@ -142,64 +150,76 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	var (
-		params      initParams
-		closeSetup  func() error
-		setupFd     uintptr
-		offsetSetup int
+		param      initParams
+		closeSetup func() error
+		setupFd    int
 	)
-	if f, err := k.receive(setupEnv, &params, &setupFd); err != nil {
+	if f, err := k.receive(setupEnv, &param, &setupFd); err != nil {
 		if errors.Is(err, EBADF) {
 			k.fatal(msg, "invalid setup descriptor")
 		}
-		if errors.Is(err, ErrReceiveEnv) {
+		if errors.Is(err, params.ErrReceiveEnv) {
 			k.fatal(msg, setupEnv+" not set")
 		}

 		k.fatalf(msg, "cannot decode init setup payload: %v", err)
 	} else {
-		if params.Ops == nil {
+		if param.Ops == nil {
 			k.fatal(msg, "invalid setup parameters")
 		}
-		if params.ParentPerm == 0 {
-			params.ParentPerm = 0755
+		if param.ParentPerm == 0 {
+			param.ParentPerm = 0755
 		}

-		msg.SwapVerbose(params.Verbose)
+		msg.SwapVerbose(param.Verbose)
 		msg.Verbose("received setup parameters")
 		closeSetup = f
-		offsetSetup = int(setupFd + 1)
 	}

-	if !params.HostNet {
-		k.mustLoopback(msg)
+	if !param.HostNet {
+		ctx, cancel := signal.NotifyContext(context.Background(), CancelSignal,
+			os.Interrupt, SIGTERM, SIGQUIT)
+		defer cancel() // for panics
+		k.mustLoopback(ctx, msg)
+		cancel()
+	}
+
+	uid, gid := param.Uid, param.Gid
+	if param.InitAsRoot {
+		uid, gid = 0, 0
 	}

 	// write uid/gid map here so parent does not need to set dumpable
-	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
+	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
-	if err := k.writeFile(fhs.Proc+"self/uid_map",
-		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
-		0); err != nil {
+	if err := k.writeFile(
+		fhs.Proc+"self/uid_map",
+		[]byte(strconv.Itoa(uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"),
+		0,
+	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.writeFile(fhs.Proc+"self/setgroups",
+	if err := k.writeFile(
+		fhs.Proc+"self/setgroups",
 		[]byte("deny\n"),
-		0); err != nil && !os.IsNotExist(err) {
+		0,
+	); err != nil && !os.IsNotExist(err) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
-		0); err != nil {
+		[]byte(strconv.Itoa(gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"),
+		0,
+	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
+	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err)
 	}

 	oldmask := k.umask(0)
-	if params.Hostname != "" {
-		if err := k.sethostname([]byte(params.Hostname)); err != nil {
+	if param.Hostname != "" {
+		if err := k.sethostname([]byte(param.Hostname)); err != nil {
 			k.fatalf(msg, "cannot set hostname: %v", err)
 		}
 	}
@@ -212,14 +232,32 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	ctx, cancel := context.WithCancel(context.Background())
-	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
+	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()

+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.chdir(intermediateHostPath); err != nil {
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
+	}
+
+	if len(param.Binfmt) > 0 {
+		for i, e := range param.Binfmt {
+			if pathname, err := k.evalSymlinks(e.Interpreter.String()); err != nil {
+				k.fatal(msg, err)
+			} else if param.Binfmt[i].Interpreter, err = check.NewAbs(pathname); err != nil {
+				k.fatal(msg, err)
+			}
+		}
+	}
+
 	/* early is called right before pivot_root into intermediate root;
-	this step is mostly for gathering information that would otherwise be difficult to obtain
-	via library functions after pivot_root, and implementations are expected to avoid changing
-	the state of the mount namespace */
-	for i, op := range *params.Ops {
+	this step is mostly for gathering information that would otherwise be
+	difficult to obtain via library functions after pivot_root, and
+	implementations are expected to avoid changing the state of the mount
+	namespace */
+	for i, op := range *param.Ops {
 		if op == nil || !op.Valid() {
 			k.fatalf(msg, "invalid op at index %d", i)
 		}
@@ -233,13 +271,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

-	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
-	}
-	if err := k.chdir(intermediateHostPath); err != nil {
-		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
-	}
-
 	if err := k.mkdir(sysrootDir, 0755); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -258,11 +289,11 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot enter intermediate root: %v", err)
 	}

-	/* apply is called right after pivot_root and entering the new root;
-	this step sets up the container filesystem, and implementations are expected to keep the host root
-	and sysroot mount points intact but otherwise can do whatever they need to;
-	chdir is allowed but discouraged */
-	for i, op := range *params.Ops {
+	/* apply is called right after pivot_root and entering the new root. This
+	step sets up the container filesystem, and implementations are expected to
+	keep the host root and sysroot mount points intact but otherwise can do
+	whatever they need to. Calling chdir is allowed but discouraged. */
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if prefix, ok := op.prefix(); ok {
 			msg.Verbosef("%s %s", prefix, op)
@@ -276,6 +307,48 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

+	if len(param.Binfmt) > 0 {
+		const interpreter = "/interpreter"
+
+		if param.BinfmtPath == nil {
+			param.BinfmtPath = fhs.AbsProcSys.Append("fs/binfmt_misc")
+		}
+		binfmt := sysrootPath + param.BinfmtPath.String()
+		if err := k.mkdirAll(binfmt, 0); err != nil {
+			k.fatal(msg, err)
+		}
+		if err := k.mount(
+			SourceBinfmtMisc,
+			binfmt,
+			FstypeBinfmtMisc,
+			MS_NOSUID|MS_NOEXEC|MS_NODEV,
+			zeroString,
+		); err != nil {
+			k.fatal(msg, err)
+		}
+
+		var buf strings.Builder
+		buf.Grow(1920)
+
+		register := binfmt + "/register"
+		for i, e := range param.Binfmt {
+			if err := k.symlink(hostPath+e.Interpreter.String(), interpreter); err != nil {
+				k.fatal(msg, err)
+			} else if err = k.writeFile(register, []byte(":"+
+				strconv.Itoa(i)+":"+
+				"M:"+
+				strconv.Itoa(int(e.Offset))+":"+
+				escapeBinfmt(&buf, e.Magic)+":"+
+				escapeBinfmt(&buf, e.Mask)+":"+
+				interpreter+":"+
+				"F"), 0); err != nil {
+				k.fatal(msg, err)
+			} else if err = k.remove(interpreter); err != nil {
+				k.fatal(msg, err)
+			}
+		}
+	}
+
 	// setup requiring host root complete at this point
 	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
@@ -286,7 +359,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {

 	{
 		var fd int
-		if err := IgnoringEINTR(func() (err error) {
+		if err := ext.IgnoringEINTR(func() (err error) {
 			fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {
@@ -314,11 +387,19 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

+	var keepCaps []uintptr
+	if param.Privileged {
+		keepCaps = append(keepCaps, CAP_SYS_ADMIN, CAP_SETPCAP)
+	}
+	if param.InitAsRoot {
+		keepCaps = append(keepCaps, CAP_SETFCAP)
+	}
+
 	if err := k.capAmbientClearAll(); err != nil {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
-	for i := uintptr(0); i <= lastcap; i++ {
-		if params.Privileged && i == CAP_SYS_ADMIN {
+	for i := range lastcap + 1 {
+		if slices.Contains(keepCaps, i) {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -327,27 +408,30 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	var keep [2]uint32
-	if params.Privileged {
-		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
-
-		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
-			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
-		}
+	for _, c := range keepCaps {
+		keep[capToIndex(c)] |= capToMask(c)
 	}
+
 	if err := k.capset(
 		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
-		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
+		&[2]capData{{keep[0], keep[0], keep[0]}, {keep[1], keep[1], keep[1]}},
 	); err != nil {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}

-	if !params.SeccompDisable {
-		rules := params.SeccompRules
-		if len(rules) == 0 { // non-empty rules slice always overrides presets
-			msg.Verbosef("resolving presets %#x", params.SeccompPresets)
-			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
+	for _, c := range keepCaps {
+		if err := k.capAmbientRaise(c); err != nil {
+			k.fatalf(msg, "cannot raise %#x: %v", c, err)
 		}
-		if err := k.seccompLoad(rules, params.SeccompFlags); err != nil {
+	}
+
+	if !param.SeccompDisable {
+		rules := param.SeccompRules
+		if len(rules) == 0 { // non-empty rules slice always overrides presets
+			msg.Verbosef("resolving presets %#x", param.SeccompPresets)
+			rules = seccomp.Preset(param.SeccompPresets, param.SeccompFlags)
+		}
+		if err := k.seccompLoad(rules, param.SeccompFlags); err != nil {
 			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			k.fatalf(msg, "cannot load syscall filter: %v", err)
 		}
@@ -356,10 +440,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		msg.Verbose("syscall filter not configured")
 	}

-	extraFiles := make([]*os.File, params.Count)
+	extraFiles := make([]*os.File, param.Count)
 	for i := range extraFiles {
 		// setup fd is placed before all extra files
-		extraFiles[i] = k.newFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
+		extraFiles[i] = k.newFile(uintptr(setupFd+1+i), "extra file "+strconv.Itoa(i))
 	}
 	k.umask(oldmask)

@@ -437,7 +521,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {

 	// called right before startup of initial process, all state changes to the
 	// current process is prohibited during late
-	for i, op := range *params.Ops {
+	for i, op := range *param.Ops {
 		// ops already checked during early setup
 		if err := op.late(state, k); err != nil {
 			if m, ok := messageFromError(err); ok {
@@ -458,14 +542,22 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}

-	cmd := exec.Command(params.Path.String())
+	cmd := exec.Command(param.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Args = params.Args
-	cmd.Env = params.Env
+	cmd.Args = param.Args
+	cmd.Env = param.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir.String()
+	cmd.Dir = param.Dir.String()

-	msg.Verbosef("starting initial process %s", params.Path)
+	if param.InitAsRoot {
+		cmd.SysProcAttr = &SysProcAttr{
+			Cloneflags:  CLONE_NEWUSER,
+			UidMappings: []SysProcIDMap{{ContainerID: param.Uid, HostID: 0, Size: 1}},
+			GidMappings: []SysProcIDMap{{ContainerID: param.Gid, HostID: 0, Size: 1}},
+		}
+	}
+
+	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -483,9 +575,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	for {
 		select {
 		case s := <-sig:
-			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
+			if s == CancelSignal && param.ForwardCancel && cmd.Process != nil {
 				msg.Verbose("forwarding context cancellation")
-				if err := k.signal(cmd, os.Interrupt); err != nil {
+				if err := k.signal(cmd, os.Interrupt); err != nil && !errors.Is(err, os.ErrProcessDone) {
 					k.printf(msg, "cannot forward cancellation: %v", err)
 				}
 				continue
@@ -515,7 +607,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 				cancel()

 				// start timeout early
-				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
+				go func() { time.Sleep(param.AdoptWaitDelay); close(timeout) }()

 				// close initial process files; this also keeps them alive
 				for _, f := range extraFiles {
@@ -559,7 +651,7 @@ func TryArgv0(msg message.Msg) {
 		msg = message.New(log.Default())
 	}

-	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {
+	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == initName {
 		Init(msg)
 		msg.BeforeExit()
 		os.Exit(0)
@@ -7,10 +7,11 @@ import (
 	"testing"
 	"time"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/params"
+	"hakurei.app/internal/stub"
 )

 func TestInitEntrypoint(t *testing.T) {
@@ -40,7 +41,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
 				call("getpid", stub.ExpectArgs{}, 1, nil),
 				call("setPtracer", stub.ExpectArgs{uintptr(0)}, nil, nil),
-				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, ErrReceiveEnv),
+				call("receive", stub.ExpectArgs{"HAKUREI_SETUP", new(initParams), new(uintptr)}, nil, params.ErrReceiveEnv),
 				call("fatal", stub.ExpectArgs{[]any{"HAKUREI_SETUP not set"}}, nil, nil),
 			},
 		}, nil},
@@ -331,6 +332,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -369,6 +372,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -407,6 +412,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", stub.UniqueError(61)),
 				call("fatalf", stub.ExpectArgs{"cannot prepare op at index %d: %v", []any{0, stub.UniqueError(61)}}, nil, nil),
@@ -446,6 +453,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", &os.PathError{Op: "readlink", Path: "/", Err: stub.UniqueError(60)}),
 				call("fatal", stub.ExpectArgs{[]any{"cannot readlink /: unique error 60 injected by the test suite"}}, nil, nil),
@@ -485,9 +494,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				/* begin early */
-				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
-				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, stub.UniqueError(58)),
 				call("fatalf", stub.ExpectArgs{"cannot mount intermediate root: %v", []any{stub.UniqueError(58)}}, nil, nil),
 			},
@@ -525,9 +531,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				/* begin early */
-				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
-				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
 				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, stub.UniqueError(56)),
 				call("fatalf", stub.ExpectArgs{"cannot enter intermediate host path: %v", []any{stub.UniqueError(56)}}, nil, nil),
@@ -566,11 +569,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, stub.UniqueError(54)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(54)}}, nil, nil),
 			},
@@ -608,11 +611,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, stub.UniqueError(52)),
 				call("fatalf", stub.ExpectArgs{"cannot bind sysroot: %v", []any{stub.UniqueError(52)}}, nil, nil),
@@ -651,11 +654,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, stub.UniqueError(50)),
@@ -695,11 +698,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -740,11 +743,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -786,11 +789,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -841,11 +844,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -896,11 +899,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -952,11 +955,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1009,11 +1012,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1068,11 +1071,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1128,11 +1131,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1189,11 +1192,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1251,11 +1254,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1314,11 +1317,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1378,11 +1381,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1443,11 +1446,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1509,11 +1512,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1583,11 +1586,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1621,7 +1624,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1653,8 +1655,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, stub.UniqueError(19)),
-				call("fatalf", stub.ExpectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{stub.UniqueError(19)}}, nil, nil),
+				call("fatalf", stub.ExpectArgs{"cannot raise %#x: %v", []any{uintptr(0x15), stub.UniqueError(19)}}, nil, nil),
 			},
 		}, nil},

@@ -1690,11 +1693,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1728,7 +1731,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1760,8 +1762,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
 				call("fatalf", stub.ExpectArgs{"cannot capset: %v", []any{stub.UniqueError(17)}}, nil, nil),
 			},
 		}, nil},
@@ -1798,11 +1799,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1836,7 +1837,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1868,8 +1868,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
 				call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
@@ -1907,11 +1908,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2031,11 +2032,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2131,11 +2132,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2231,11 +2232,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2322,11 +2323,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2417,11 +2418,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2519,11 +2520,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2658,11 +2659,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2696,7 +2697,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -2728,8 +2728,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),
@@ -6,20 +6,22 @@ import (
 	"os"
 	"syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
 )

 func init() { gob.Register(new(BindMountOp)) }

-// Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
+// Bind is a helper for appending [BindMountOp] to [Ops].
 func (f *Ops) Bind(source, target *check.Absolute, flags int) *Ops {
 	*f = append(*f, &BindMountOp{nil, source, target, flags})
 	return f
 }

-// BindMountOp bind mounts host path Source on container path Target.
-// Note that Flags uses bits declared in this package and should not be set with constants in [syscall].
+// BindMountOp creates a bind mount from host path Source to container path Target.
+//
+// Note that Flags uses bits declared in the [std] package and should not be set
+// with constants in [syscall].
 type BindMountOp struct {
 	sourceFinal, Source, Target *check.Absolute

@@ -6,9 +6,9 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 	"hakurei.app/container/std"
-	"hakurei.app/container/stub"
+	"hakurei.app/internal/stub"
 )

 func TestBindMountOp(t *testing.T) {
@@ -12,8 +12,8 @@ import (
 	"syscall"
 	"time"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(DaemonOp)) }
@@ -24,8 +24,7 @@ const (
 	daemonTimeout = 5 * time.Second
 )

-// Daemon appends an [Op] that starts a daemon in the container and blocks until
-// [DaemonOp.Target] appears.
+// Daemon is a helper for appending [DaemonOp] to [Ops].
 func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
 	*f = append(*f, &DaemonOp{target, path, args})
 	return f
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 	"hakurei.app/message"
 )

@@ -3,11 +3,11 @@ package container
 import (
 	"encoding/gob"
 	"fmt"
-	"path"
+	"path/filepath"
 	. "syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 func init() { gob.Register(new(MountDevOp)) }
@@ -19,7 +19,9 @@ func (f *Ops) Dev(target *check.Absolute, mqueue bool) *Ops {
 }

 // DevWritable appends an [Op] that mounts a writable subset of host /dev.
-// There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
+//
+// There is usually no good reason to write to /dev, so this should always be
+// followed by a [RemountOp].
 func (f *Ops) DevWritable(target *check.Absolute, mqueue bool) *Ops {
 	*f = append(*f, &MountDevOp{target, mqueue, true})
 	return f
@@ -44,7 +46,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}

 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
-		targetPath := path.Join(target, name)
+		targetPath := filepath.Join(target, name)
 		if err := k.ensureFile(targetPath, 0444, state.ParentPerm); err != nil {
 			return err
 		}
@@ -60,7 +62,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	for i, name := range []string{"stdin", "stdout", "stderr"} {
 		if err := k.symlink(
 			fhs.Proc+"self/fd/"+string(rune(i+'0')),
-			path.Join(target, name),
+			filepath.Join(target, name),
 		); err != nil {
 			return err
 		}
@@ -70,13 +72,13 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 		{fhs.Proc + "kcore", "core"},
 		{"pts/ptmx", "ptmx"},
 	} {
-		if err := k.symlink(pair[0], path.Join(target, pair[1])); err != nil {
+		if err := k.symlink(pair[0], filepath.Join(target, pair[1])); err != nil {
 			return err
 		}
 	}

-	devShmPath := path.Join(target, "shm")
-	devPtsPath := path.Join(target, "pts")
+	devShmPath := filepath.Join(target, "shm")
+	devPtsPath := filepath.Join(target, "pts")
 	for _, name := range []string{devShmPath, devPtsPath} {
 		if err := k.mkdir(name, state.ParentPerm); err != nil {
 			return err
@@ -90,7 +92,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {

 	if state.RetainSession {
 		if k.isatty(Stdout) {
-			consolePath := path.Join(target, "console")
+			consolePath := filepath.Join(target, "console")
 			if err := k.ensureFile(consolePath, 0444, state.ParentPerm); err != nil {
 				return err
 			}
@@ -108,7 +110,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}

 	if d.Mqueue {
-		mqueueTarget := path.Join(target, "mqueue")
+		mqueueTarget := filepath.Join(target, "mqueue")
 		if err := k.mkdir(mqueueTarget, state.ParentPerm); err != nil {
 			return err
 		}
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountDevOp(t *testing.T) {
@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"os"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MkdirOp)) }

-// Mkdir appends an [Op] that creates a directory in the container filesystem.
+// Mkdir is a helper for appending [MkdirOp] to [Ops].
 func (f *Ops) Mkdir(name *check.Absolute, perm os.FileMode) *Ops {
 	*f = append(*f, &MkdirOp{name, perm})
 	return f
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMkdirOp(t *testing.T) {
@@ -4,10 +4,10 @@ import (
 	"encoding/gob"
 	"fmt"
 	"slices"
-	"strings"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 )

 const (
@@ -54,8 +54,11 @@ func (e *OverlayArgumentError) Error() string {
 	}
 }

-// Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
-func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Absolute) *Ops {
+// Overlay is a helper for appending [MountOverlayOp] to [Ops].
+func (f *Ops) Overlay(
+	target, state, work *check.Absolute,
+	layers ...*check.Absolute,
+) *Ops {
 	*f = append(*f, &MountOverlayOp{
 		Target: target,
 		Lower:  layers,
@@ -65,13 +68,12 @@ func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Abso
 	return f
 }

-// OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
-// with an ephemeral upperdir and workdir.
+// OverlayEphemeral appends a [MountOverlayOp] with an ephemeral upperdir and workdir.
 func (f *Ops) OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, fhs.AbsRoot, nil, layers...)
 }

-// OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
+// OverlayReadonly appends a readonly [MountOverlayOp].
 func (f *Ops) OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, nil, nil, layers...)
 }
@@ -82,25 +84,34 @@ type MountOverlayOp struct {

 	// Any filesystem, does not need to be on a writable filesystem.
 	Lower []*check.Absolute
-	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayLowerdir].
+	//
+	// Resolved, prefixed and escaped during early.
 	lower []string
+
 	// The upperdir is normally on a writable filesystem.
 	//
-	// If Work is nil and Upper holds the special value [fhs.AbsRoot],
-	// an ephemeral upperdir and workdir will be set up.
+	// If Work is nil and Upper holds the special value [fhs.AbsRoot], an
+	// ephemeral upperdir and workdir will be set up.
 	//
-	// If both Work and Upper are nil, upperdir and workdir is omitted and the overlay is mounted readonly.
+	// If both Work and Upper are nil, upperdir and workdir is omitted and the
+	// overlay is mounted readonly.
 	Upper *check.Absolute
-	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayUpperdir].
+	//
+	// Resolved, prefixed and escaped during early.
 	upper string
+
 	// The workdir needs to be an empty directory on the same filesystem as upperdir.
 	Work *check.Absolute
-	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayWorkdir].
+	//
+	// Resolved, prefixed and escaped during early.
 	work string

 	ephemeral bool

-	// used internally for mounting to the intermediate root
+	// Used internally for mounting to the intermediate root.
 	noPrefix bool
 }

@@ -139,7 +150,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
-				o.upper = check.EscapeOverlayDataSegment(toHost(v))
+				o.upper = toHost(v)
 			}
 		}

@@ -147,7 +158,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
-				o.work = check.EscapeOverlayDataSegment(toHost(v))
+				o.work = toHost(v)
 			}
 		}
 	}
@@ -157,12 +168,39 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
-			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
+			o.lower[i] = toHost(v)
 		}
 	}
 	return nil
 }

+// mountOverlay sets up an overlay mount via [ext.FS].
+func mountOverlay(target string, options [][2]string) error {
+	fs, err := ext.OpenFS(SourceOverlay, 0)
+	if err != nil {
+		return err
+	}
+	if err = fs.SetString("source", SourceOverlay); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	for _, option := range options {
+		if err = fs.SetString(option[0], option[1]); err != nil {
+			_ = fs.Close()
+			return err
+		}
+	}
+	if err = fs.SetFlag(OptionOverlayUserxattr); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	if err = fs.Mount(target, 0); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	return fs.Close()
+}
+
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
@@ -183,7 +221,7 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}

-	options := make([]string, 0, 4)
+	options := make([][2]string, 0, 2+len(o.lower))

 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
@@ -194,15 +232,16 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
-		options = append(options,
-			OptionOverlayUpperdir+"="+o.upper,
-			OptionOverlayWorkdir+"="+o.work)
+		options = append(options, [][2]string{
+			{OptionOverlayUpperdir, o.upper},
+			{OptionOverlayWorkdir, o.work},
+		}...)
+	}
+	for _, lower := range o.lower {
+		options = append(options, [2]string{OptionOverlayLowerdir + "+", lower})
 	}
-	options = append(options,
-		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
-		OptionOverlayUserxattr)

-	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
+	return k.mountOverlay(target, options)
 }

 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountOverlayOp(t *testing.T) {
@@ -97,13 +97,12 @@ func TestMountOverlayOp(t *testing.T) {
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
-				"upperdir=overlay.upper.32768," +
-				"workdir=overlay.work.32768," +
-				"lowerdir=" +
-				`/host/var/lib/planterette/base/debian\:f92c9052:` +
-				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot", [][2]string{
+				{"upperdir", "overlay.upper.32768"},
+				{"workdir", "overlay.work.32768"},
+				{"lowerdir+", `/host/var/lib/planterette/base/debian:f92c9052`},
+				{"lowerdir+", `/host/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052`},
+			}}, nil, nil),
 		}, nil},

 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -129,11 +128,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
-				"lowerdir=" +
-				"/host/mnt-root/nix/.ro-store:" +
-				"/host/mnt-root/nix/.ro-store0," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/nix/store", [][2]string{
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+			}}, nil, nil),
 		}, nil},

 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -147,11 +145,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"lowerdir=" +
-				"/host/mnt-root/nix/.ro-store:" +
-				"/host/mnt-root/nix/.ro-store0," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+			}}, nil, nil),
 		}, nil},

 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -219,7 +216,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},

 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -233,11 +234,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				"lowerdir=/host/mnt-root/nix/ro-store," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, nil),
 		}, nil},

 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -261,16 +262,15 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				"lowerdir=" +
-				"/host/mnt-root/nix/ro-store:" +
-				"/host/mnt-root/nix/ro-store0:" +
-				"/host/mnt-root/nix/ro-store1:" +
-				"/host/mnt-root/nix/ro-store2:" +
-				"/host/mnt-root/nix/ro-store3," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store0"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store1"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store2"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store3"},
+			}}, nil, nil),
 		}, nil},
 	})

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"syscall"

-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
+	"hakurei.app/check"
+	"hakurei.app/fhs"
 )

 const (
@@ -16,7 +16,7 @@ const (

 func init() { gob.Register(new(TmpfileOp)) }

-// Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
+// Place is a helper for appending [TmpfileOp] to [Ops].
 func (f *Ops) Place(name *check.Absolute, data []byte) *Ops {
 	*f = append(*f, &TmpfileOp{name, data})
 	return f
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestTmpfileOp(t *testing.T) {
@@ -21,7 +21,7 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), stub.UniqueError(5)),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, (*checkedOsFile)(nil), stub.UniqueError(5)),
 		}, stub.UniqueError(5)},

 		{"Write", &Params{ParentPerm: 0700}, &TmpfileOp{
@@ -35,14 +35,14 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, stub.UniqueError(3)), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.Close", sampleDataString, stub.UniqueError(3)), nil),
 		}, stub.UniqueError(3)},

 		{"ensureFile", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.ensureFile", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(2)),
 		}, stub.UniqueError(2)},

@@ -50,29 +50,29 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.bindMount", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
+			call("bindMount", stub.ExpectArgs{"tmp.bindMount", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},

 		{"remove", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.remove", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
-			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, stub.UniqueError(0)),
+			call("bindMount", stub.ExpectArgs{"tmp.remove", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("remove", stub.ExpectArgs{"tmp.remove"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},

 		{"success", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.success", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
-			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.success", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("remove", stub.ExpectArgs{"tmp.success"}, nil, nil),
 		}, nil},
 	})

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	. "syscall"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(MountProcOp)) }

-// Proc appends an [Op] that mounts a private instance of proc.
+// Proc is a helper for appending [MountProcOp] to [Ops].
 func (f *Ops) Proc(target *check.Absolute) *Ops {
 	*f = append(*f, &MountProcOp{target})
 	return f
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestMountProcOp(t *testing.T) {
@@ -4,12 +4,12 @@ import (
 	"encoding/gob"
 	"fmt"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(RemountOp)) }

-// Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
+// Remount is a helper for appending [RemountOp] to [Ops].
 func (f *Ops) Remount(target *check.Absolute, flags uintptr) *Ops {
 	*f = append(*f, &RemountOp{target, flags})
 	return f
@@ -4,8 +4,8 @@ import (
 	"syscall"
 	"testing"

-	"hakurei.app/container/check"
-	"hakurei.app/container/stub"
+	"hakurei.app/check"
+	"hakurei.app/internal/stub"
 )

 func TestRemountOp(t *testing.T) {
@@ -3,9 +3,9 @@ package container
 import (
 	"encoding/gob"
 	"fmt"
-	"path"
+	"path/filepath"

-	"hakurei.app/container/check"
+	"hakurei.app/check"
 )

 func init() { gob.Register(new(SymlinkOp)) }
@@ -30,7 +30,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN

 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
-		if !path.IsAbs(l.LinkName) {
+		if !filepath.IsAbs(l.LinkName) {
 			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
@@ -44,7 +44,7 @@ func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {

 func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	target := toSysroot(l.Target.String())
-	if err := k.mkdirAll(path.Dir(target), state.ParentPerm); err != nil {
+	if err := k.mkdirAll(filepath.Dir(target), state.ParentPerm); err != nil {
 		return err
 	}
 	return k.symlink(l.LinkName, target)
--- a/Show More
+++ b/Show More