diff --git a/sandbox/container_test.go b/sandbox/container_test.go
index 70b8560..41fd849 100644
--- a/sandbox/container_test.go
+++ b/sandbox/container_test.go
@@ -67,7 +67,7 @@ func TestContainer(t *testing.T) {
 			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 			defer cancel()
 
-			container := sandbox.New(ctx, "/tmp/sandbox.test", "-test.v",
+			container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v",
 				"-test.run=TestHelperCheckContainer", "--", "check", tc.host)
 			container.Uid = 1000
 			container.Gid = 100
@@ -87,7 +87,8 @@ func TestContainer(t *testing.T) {
 			container.
 				Tmpfs("/tmp", 0, 0755).
 				Bind(os.Args[0], os.Args[0], 0).
-				Link(os.Args[0], "/tmp/sandbox.test")
+				Mkdir("/usr/bin").
+				Link(os.Args[0], "/usr/bin/sandbox.test")
 			// in case test has cgo enabled
 			var libPaths []string
 			if entries, err := ldd.ExecFilter(ctx,
diff --git a/sandbox/sequential.go b/sandbox/sequential.go
index 1ffe4e7..f9c2e29 100644
--- a/sandbox/sequential.go
+++ b/sandbox/sequential.go
@@ -234,3 +234,31 @@ func (f *Ops) Link(target, linkName string) *Ops {
 	*f = append(*f, &Symlink{target, linkName})
 	return f
 }
+
+func init() { gob.Register(new(Mkdir)) }
+
+// Mkdir creates a directory in the container filesystem.
+type Mkdir string
+
+func (m Mkdir) apply(*Params) error {
+	v := string(m)
+
+	if !path.IsAbs(v) {
+		return msg.WrapErr(syscall.EBADE,
+			fmt.Sprintf("path %q is not absolute", v))
+	}
+
+	target := toSysroot(v)
+	if err := os.MkdirAll(target, 0755); err != nil {
+		return msg.WrapErr(err, err.Error())
+	}
+	return nil
+}
+
+func (m Mkdir) Is(op Op) bool  { vm, ok := op.(Mkdir); return ok && m == vm }
+func (Mkdir) prefix() string   { return "creating" }
+func (m Mkdir) String() string { return fmt.Sprintf("directory %q", string(m)) }
+func (f *Ops) Mkdir(dest string) *Ops {
+	*f = append(*f, Mkdir(dest))
+	return f
+}