diff --git a/internal/app/instance/common/container.go b/internal/app/instance/common/container.go
index 370997a..cb3eb59 100644
--- a/internal/app/instance/common/container.go
+++ b/internal/app/instance/common/container.go
@@ -6,7 +6,6 @@ import (
 "io/fs"
 "maps"
 "path"
- "slices"
 "syscall"

 "git.gensokyo.uk/security/fortify/dbus"
@@ -16,6 +15,10 @@ import (
 "git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )

+// in practice there should be less than 30 entries added by the runtime;
+// allocating slightly more as a margin for future expansion
+const preallocateOpsCount = 1 << 5
+
 // NewContainer initialises [sandbox.Params] via [fst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
 func NewContainer(s *fst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
@@ -25,19 +28,18 @@ func NewContainer(s *fst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox

 container := &sandbox.Params{
 Hostname: s.Hostname,
- Ops: new(sandbox.Ops),
 Seccomp: s.Seccomp,
 }

+ {
+ ops := make(sandbox.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+ container.Ops = &ops
+ }
+
 if s.Multiarch {
 container.Seccomp |= seccomp.FilterMultiarch
 }

- /* this is only 4 KiB of memory on a 64-bit system, permissive defaults on NixOS results in around 100 entries so this capacity should eliminate copies for most setups */
- *container.Ops = slices.Grow(*container.Ops, 1<<8)
-
 if s.Devel {
 container.Flags |= sandbox.FAllowDevel
 }
diff --git a/internal/app/internal/setuid/seal.go b/internal/app/internal/setuid/seal.go
index edf7c87..91a3926 100644
--- a/internal/app/internal/setuid/seal.go
+++ b/internal/app/internal/setuid/seal.go
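Review bot: The doc comment added above `const preallocateOpsCount = 1 << 5` does not start with the identifier and never says what the number is a capacity for, so `go doc` and gopls surface an orphan sentence while the meaning of "entries added by the runtime" stays implicit. It is also the only place that now explains the sizing, since the old 1<<8 rationale is deleted in the next hunk. Suggest `// preallocateOpsCount is the Ops capacity reserved for entries the runtime itself queues, on top of the per-entry capacity derived from the config; in practice fewer than 30, rounded up to 32 as a margin for future expansion.`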
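Review bot: The capacity expression `preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover)` on the new `make` line silently assumes each configured Filesystem, Link and Cover entry contributes at most one op; whether that holds cannot be seen from this hunk, and the assumption is not stated at the site. Getting it wrong is harmless for correctness (append still grows the slice) and only costs a copy, but the removed block comment documented the old figure and the new code documents only the constant, so a reader has to reconstruct the estimate. A one-line comment on the `make` would keep that knowledge local: `// one op per configured entry plus the runtime's own; under-estimating only costs a copy on append`. Since the lengths come from the caller-supplied config the allocation stays proportional to input the function must walk anyway, so there is no new amplification concern. NewContainer's body continues past the end of this hunk.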
@@ -529,8 +529,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 }
 slices.Sort(seal.container.Env)

- fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s",
- seal.user.uid, seal.user.username, config.Groups, seal.container.Args)
+ if fmsg.Load() {
+ fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s, ops: %d",
+ seal.user.uid, seal.user.username, config.Groups, seal.container.Args, len(*seal.container.Ops))
+ }

 return nil
 }
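Review bot: The new `len(*seal.container.Ops)` argument dereferences `Ops` without a nil check; the NewContainer change in this same commit always stores `&ops`, so that path is safe, but if any other code path can leave `seal.container.Ops` nil, turning on verbose output would make this setuid helper panic instead of log. A defensive `ops := 0; if seal.container.Ops != nil { ops = len(*seal.container.Ops) }` before the call, or an assertion where the seal's container is assigned, would pin that invariant. The surrounding `if fmsg.Load()` guard presumably tests the verbose flag so the dereference and argument boxing are skipped when quiet; that intent is not visible here and deserves a short comment, e.g. `// avoid evaluating log arguments unless verbose output is enabled`. Note that argv is logged verbatim and originates from the unprivileged caller's config, so treat the verbose log as attacker-influenced and potentially secret-bearing text; that is pre-existing behaviour, not introduced here. finalise begins outside this hunk.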