30 changed files with 394 additions and 510 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@ -1,12 +1,12 @@
-name: Build
+name: Nix

 on:
  - push
  - pull_request

 jobs:
-  dist:
-    name: Create distribution
+  tests:
+    name: NixOS tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@ -30,21 +30,17 @@ jobs:
      - name: Restore Nix store
        uses: nix-community/cache-nix-action@v5
        with:
-          primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-small-${{ runner.os }}-
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-

-      - name: Build for test
-        id: build-test
-        run: >-
-          export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
-          sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
-          nix build --print-out-paths --print-build-logs .#dist &&
-          mv package.nix.old package.nix &&
-          echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
+      - name: Run tests
+        run: |
+          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
+          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests

-      - name: Upload test build
+      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          name: "result"
          path: result/*
          retention-days: 1
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@ -1,52 +1,53 @@
-name: Release
+name: Create distribution

 on:
  push:
    tags:
-      - 'v*'
+      - '*'

 jobs:
  release:
-    name: Create release
+    name: Release
    runs-on: ubuntu-latest
+    container:
+      image: node:16-bookworm-slim
    steps:
+      - name: Get dependencies
+        run: >-
+          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
+          apt-get update &&
+          apt-get install -y
+          acl
+          git
+          gcc
+          pkg-config
+          libwayland-dev
+          wayland-protocols/bookworm-backports
+          libxcb1-dev
+          libacl1-dev
+        if: ${{ runner.os == 'Linux' }}
+
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0

      - name: Setup go
        uses: https://github.com/actions/setup-go@v5
        with:
          go-version: '>=1.23.0'

-      - name: Install Nix
-        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        with:
-          # explicitly enable sandbox
-          install_options: --daemon
-          extra_nix_config: |
-            sandbox = true
-            system-features = nixos-test benchmark big-parallel kvm
-          enable_kvm: true
-
-      - name: Ensure environment
+      - name: Go generate
        run: >-
-          apt-get update && apt-get install -y sqlite3
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Restore Nix store
-        uses: nix-community/cache-nix-action@v5
-        with:
-          primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-small-${{ runner.os }}-
+          go generate ./...

      - name: Build for release
-        id: build-test
-        run: nix build --print-out-paths --print-build-logs .#dist
+        run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh

      - name: Release
        id: use-go-action
        uses: https://gitea.com/actions/release-action@main
        with:
          files: |-
-            result/fortify-**
+            dist/fortify-**
          api_key: '${{secrets.RELEASE_TOKEN}}'
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -1,46 +1,62 @@
-name: Test
+name: Tests

 on:
  - push
  - pull_request

 jobs:
-  tests:
-    name: Run NixOS test
+  test:
+    name: Go tests
    runs-on: ubuntu-latest
+    container:
+      image: node:16-bookworm-slim
    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        with:
-          # explicitly enable sandbox
-          install_options: --daemon
-          extra_nix_config: |
-            sandbox = true
-            system-features = nixos-test benchmark big-parallel kvm
-          enable_kvm: true
+      - name: Enable backports
+        run: >-
+          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
+        if: ${{ runner.os == 'Linux' }}

      - name: Ensure environment
        run: >-
-          apt-get update && apt-get install -y sqlite3
+          apt-get update && apt-get install -y curl wget sudo libxml2
        if: ${{ runner.os == 'Linux' }}

-      - name: Restore Nix store
-        uses: nix-community/cache-nix-action@v5
+      - name: Get dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
        with:
-          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-${{ runner.os }}-
+          packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
+          version: 1.0
+          #execute_install_scripts: true
+        if: ${{ runner.os == 'Linux' }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup go
+        uses: https://github.com/actions/setup-go@v5
+        with:
+          go-version: '>=1.23.0'
+
+      - name: Go generate
+        run: >-
+          go generate ./...

      - name: Run tests
-        run: |
-          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
-          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
+        run: >-
+          go test ./...

-      - name: Upload test output
+      - name: Build for test
+        id: build-test
+        run: >-
+          FORTIFY_VERSION="$(git rev-parse --short HEAD)"
+          bash -c './dist/release.sh &&
+          echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
+
+      - name: Upload test build
        uses: actions/upload-artifact@v3
        with:
-          name: "result"
-          path: result/*
+          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          path: dist/fortify-*
          retention-days: 1
--- a/acl/c.go
+++ b/acl/c.go
@ -9,7 +9,7 @@ import (
 )

 /*
-#cgo linux pkg-config: --static libacl
+#cgo linux pkg-config: libacl

 #include <stdlib.h>
 #include <sys/acl.h>
--- a/internal/proc/priv/init/payload.go
+++ b/internal/proc/priv/init/payload.go
--- a/internal/proc/priv/init/main.go
+++ b/internal/proc/priv/init/main.go
@ -1,13 +1,15 @@
-package init0
+package main

 import (
 	"errors"
 	"os"
 	"os/exec"
 	"os/signal"
+	"path"
 	"syscall"
 	"time"

+	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
@ -21,7 +23,7 @@ const (
 // everything beyond this point runs within pid namespace
 // proceed with caution!

-func Main() {
+func main() {
 	// sharing stdout with shim
 	// USE WITH CAUTION
 	fmsg.SetPrefix("init")
@ -37,12 +39,20 @@ func Main() {
 		panic("unreachable")
 	}

+	// re-exec
+	if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
+		if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
+			fmsg.Println("cannot re-exec self:", err)
+			// continue anyway
+		}
+	}
+
 	// receive setup payload
 	var (
-		payload    Payload
+		payload    init0.Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(Env, &payload); err != nil {
+	if f, err := proc.Receive(init0.Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}
@ -57,8 +67,8 @@ func Main() {
 		closeSetup = f

 		// child does not need to see this
-		if err = os.Unsetenv(Env); err != nil {
-			fmsg.Printf("cannot unset %s: %v", Env, err)
+		if err = os.Unsetenv(init0.Env); err != nil {
+			fmsg.Printf("cannot unset %s: %v", init0.Env, err)
 			// not fatal
 		} else {
 			fmsg.VPrintln("received configuration")
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@ -12,18 +12,12 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

-const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
-
-var (
-	Fmain = compPoison
-)
-
 func fortifyApp(config *fst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
-	if p, ok := internal.Path(Fmain); !ok {
+	if p, ok := internal.Check(internal.Fortify); !ok {
 		beforeFail()
 		fmsg.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
 		panic("unreachable")
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@ -62,7 +62,7 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
 			AppID:    app.AppID,
 			Username: "nixos",
 			Inner:    path.Join("/data/data", app.ID, "cache"),
-			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
+			Outer:    pathSet.cacheDir, // this also ensures cacheDir via fshim
 			Sandbox: &fst.SandboxConfig{
 				Hostname:     formatHostname(app.Name) + "-" + action,
 				NoNewSession: dropShell,
--- a/internal/proc/priv/shim/payload.go
+++ b/internal/proc/priv/shim/payload.go
@ -1,6 +1,8 @@
-package shim
+package shim0

-import "git.gensokyo.uk/security/fortify/helper/bwrap"
+import (
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+)

 const Env = "FORTIFY_SHIM"

--- a/internal/proc/priv/shim/manager.go
+++ b/internal/proc/priv/shim/manager.go
@ -1,20 +1,24 @@
 package shim

 import (
-	"context"
 	"encoding/gob"
 	"errors"
 	"os"
 	"os/exec"
+	"os/signal"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"

+	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
 )

+const shimSetupTimeout = 5 * time.Second
+
 // used by the parent process

 type Shim struct {
@ -29,12 +33,10 @@ type Shim struct {
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
 	// shim setup payload
-	payload *Payload
-	// monitor to shim encoder
-	encoder *gob.Encoder
+	payload *shim0.Payload
 }

-func New(uid uint32, aid string, supp []string, payload *Payload) *Shim {
+func New(uid uint32, aid string, supp []string, payload *shim0.Payload) *Shim {
 	return &Shim{uid: uid, aid: aid, supp: supp, payload: payload}
 }

@ -54,29 +56,28 @@ func (s *Shim) WaitFallback() chan error {
 }

 func (s *Shim) Start() (*time.Time, error) {
-	// prepare user switcher invocation
+	// start user switcher process and save time
 	var fsu string
-	if p, ok := internal.Path(internal.Fsu); !ok {
-		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
+	if p, ok := internal.Check(internal.Fsu); !ok {
+		fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
 		panic("unreachable")
 	} else {
 		fsu = p
 	}
 	s.cmd = exec.Command(fsu)

-	// pass shim setup pipe
+	var encoder *gob.Encoder
 	if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
 		return nil, fmsg.WrapErrorSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {
-		s.encoder = e
+		encoder = e
 		s.cmd.Env = []string{
-			Env + "=" + strconv.Itoa(fd),
+			shim0.Env + "=" + strconv.Itoa(fd),
 			"FORTIFY_APP_ID=" + s.aid,
 		}
 	}

-	// format fsu supplementary groups
 	if len(s.supp) > 0 {
 		fmsg.VPrintf("attaching supplementary group ids %s", s.supp)
 		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(s.supp, " "))
@ -91,17 +92,13 @@ func (s *Shim) Start() (*time.Time, error) {
 	}

 	fmsg.VPrintln("starting shim via fsu:", s.cmd)
-	// withhold messages to stderr
-	fmsg.Suspend()
+	fmsg.Suspend() // withhold messages to stderr
 	if err := s.cmd.Start(); err != nil {
 		return nil, fmsg.WrapErrorSuffix(err,
 			"cannot start fsu:")
 	}
 	startTime := time.Now().UTC()
-	return &startTime, nil
-}

-func (s *Shim) Serve(ctx context.Context) error {
 	// kill shim if something goes wrong and an error is returned
 	s.killFallback = make(chan error, 1)
 	killShim := func() {
@ -111,31 +108,30 @@ func (s *Shim) Serve(ctx context.Context) error {
 	}
 	defer func() { killShim() }()

-	encodeErr := make(chan error)
-	go func() { encodeErr <- s.encoder.Encode(s.payload) }()
+	// take alternative exit path on signal
+	sig := make(chan os.Signal, 2)
+	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		v := <-sig
+		fmsg.Printf("got %s after program start", v)
+		s.killFallback <- nil
+		signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
+	}()
+
+	shimErr := make(chan error)
+	go func() { shimErr <- encoder.Encode(s.payload) }()

 	select {
-	// encode return indicates setup completion
-	case err := <-encodeErr:
+	case err := <-shimErr:
 		if err != nil {
-			return fmsg.WrapErrorSuffix(err,
+			return &startTime, fmsg.WrapErrorSuffix(err,
 				"cannot transmit shim config:")
 		}
 		killShim = func() {}
-		return nil
-
-	// setup canceled before payload was accepted
-	case <-ctx.Done():
-		err := ctx.Err()
-		if errors.Is(err, context.Canceled) {
-			return fmsg.WrapError(errors.New("shim setup canceled"),
-				"shim setup canceled")
-		}
-		if errors.Is(err, context.DeadlineExceeded) {
-			return fmsg.WrapError(errors.New("deadline exceeded waiting for shim"),
-				"deadline exceeded waiting for shim")
-		}
-		// unreachable
-		return err
+	case <-time.After(shimSetupTimeout):
+		return &startTime, fmsg.WrapError(errors.New("timed out waiting for shim"),
+			"timed out waiting for shim")
 	}
+
+	return &startTime, nil
 }
--- a/internal/proc/priv/shim/main.go
+++ b/internal/proc/priv/shim/main.go
@ -1,4 +1,4 @@
-package shim
+package main

 import (
 	"errors"
@ -7,18 +7,19 @@ import (
 	"strconv"
 	"syscall"

+	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
+	shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/proc"
-	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
 )

 // everything beyond this point runs as unconstrained target user
 // proceed with caution!

-func Main() {
+func main() {
 	// sharing stdout with fortify
 	// USE WITH CAUTION
 	fmsg.SetPrefix("shim")
@ -30,19 +31,27 @@ func Main() {
 	}

 	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "fortify" || os.Args[1] != "shim" || len(os.Args) != 2) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"fortify", "shim"}, os.Environ()); err != nil {
+	if len(os.Args) > 0 && (os.Args[0] != "fshim" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
+		if err := syscall.Exec(os.Args[0], []string{"fshim"}, os.Environ()); err != nil {
 			fmsg.Println("cannot re-exec self:", err)
 			// continue anyway
 		}
 	}

+	// check path to finit
+	var finitPath string
+	if p, ok := internal.Path(internal.Finit); !ok {
+		fmsg.Fatal("invalid finit path, this copy of fshim is not compiled correctly")
+	} else {
+		finitPath = p
+	}
+
 	// receive setup payload
 	var (
-		payload    Payload
+		payload    shim.Payload
 		closeSetup func() error
 	)
-	if f, err := proc.Receive(Env, &payload); err != nil {
+	if f, err := proc.Receive(shim.Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
 		}
@ -124,17 +133,12 @@ func Main() {
 		}()
 	}

-	// bind fortify inside sandbox
-	var (
-		innerSbin    = path.Join(fst.Tmp, "sbin")
-		innerFortify = path.Join(innerSbin, "fortify")
-		innerInit    = path.Join(innerSbin, "init")
-	)
-	conf.Bind(proc.MustExecutable(), innerFortify)
-	conf.Symlink("fortify", innerInit)
+	// bind finit inside sandbox
+	finitInnerPath := path.Join(fst.Tmp, "sbin", "init")
+	conf.Bind(finitPath, finitInnerPath)

 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, innerInit,
+	if b, err := helper.NewBwrap(conf, nil, finitInnerPath,
 		func(int, int) []string { return make([]string, 0) }); err != nil {
 		fmsg.Fatalf("malformed sandbox config: %v", err)
 	} else {
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -24,6 +24,7 @@ const (

 var (
 	Fmain = compPoison
+	Fshim = compPoison
 )

 func main() {
@ -40,12 +41,17 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}

-	var fmain string
+	var fmain, fshim string
 	if p, ok := checkPath(Fmain); !ok {
 		log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
 	} else {
 		fmain = p
 	}
+	if p, ok := checkPath(Fshim); !ok {
+		log.Fatal("invalid fshim path, this copy of fsu is not compiled correctly")
+	} else {
+		fshim = p
+	}

 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
@ -136,7 +142,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

--- a/dist/install.sh
+++ b/dist/install.sh
@ -4,6 +4,8 @@ cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
 install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"

+install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
+install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
 install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"

 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
--- a/dist/release.sh
+++ b/dist/release.sh
@ -8,11 +8,13 @@ mkdir -p "${out}"
 cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
 cp -rv "comp" "${out}"

-go generate ./...
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
+  -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
-  -X main.Fmain=/usr/bin/fortify" ./...
+  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
+  -X main.Fmain=/usr/bin/fortify
+  -X main.Fshim=/usr/libexec/fortify/fshim" ./...

 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"
--- a/flake.nix
+++ b/flake.nix
@ -95,134 +95,72 @@
      packages = forAllSystems (
        system:
        let
-          inherit (self.packages.${system}) fortify;
          pkgs = nixpkgsFor.${system};
        in
        {
          default = self.packages.${system}.fortify;
+
          fortify = pkgs.callPackage ./package.nix { };
+        }
+      );

-          dist =
-            pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
-              ''
-                # go requires XDG_CACHE_HOME for the build cache
-                export XDG_CACHE_HOME="$(mktemp -d)"
+      devShells = forAllSystems (system: {
+        default = nixpkgsFor.${system}.mkShell {
+          buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
+        };

-                # get a different workdir as go does not like /build
-                cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w .
+        fhs = nixpkgsFor.${system}.buildFHSEnv {
+          pname = "fortify-fhs";
+          inherit (self.packages.${system}.fortify) version;
+          targetPkgs =
+            pkgs: with pkgs; [
+              go
+              gcc
+              pkg-config
+              acl
+              wayland
+              wayland-scanner
+              wayland-protocols
+              xorg.libxcb
+            ];
+          extraOutputsToInstall = [ "dev" ];
+          profile = ''
+            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+          '';
+        };

-                export FORTIFY_VERSION="v${fortify.version}"
-                ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
-              '';
+        withPackage = nixpkgsFor.${system}.mkShell {
+          buildInputs =
+            with nixpkgsFor.${system};
+            self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
+        };

-          fhs = pkgs.buildFHSEnv {
-            pname = "fortify-fhs";
-            inherit (fortify) version;
-            targetPkgs =
-              pkgs:
-              with pkgs;
-              [
-                go
-                gcc
-                pkg-config
-                wayland-scanner
-              ]
-              ++ (
-                with pkgs.pkgsStatic;
-                [
-                  musl
-                  libffi
-                  acl
-                  wayland
-                  wayland-protocols
-                ]
-                ++ (with xorg; [
-                  libxcb
-                  libXau
-                  libXdmcp
+        generateDoc =
+          let
+            pkgs = nixpkgsFor.${system};
+            inherit (pkgs) lib;

-                  xorgproto
-                ])
-              );
-            extraOutputsToInstall = [ "dev" ];
-            profile = ''
-              export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+            doc =
+              let
+                eval = lib.evalModules {
+                  specialArgs = {
+                    inherit pkgs;
+                  };
+                  modules = [ ./options.nix ];
+                };
+                cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
+              in
+              pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
+            docText = pkgs.runCommand "fortify-module-docs.md" { } ''
+              cat ${doc.optionsCommonMark} > $out
+              sed -i '/*Declared by:*/,+1 d' $out
+            '';
+          in
+          nixpkgsFor.${system}.mkShell {
+            shellHook = ''
+              exec cat ${docText} > options.md
            '';
          };
-        }
-      );
-
-      devShells = forAllSystems (
-        system:
-        let
-          inherit (self.packages.${system}) fortify fhs;
-          pkgs = nixpkgsFor.${system};
-        in
-        {
-          default = pkgs.mkShell {
-            buildInputs =
-              with pkgs;
-              [
-                go
-                gcc
-              ]
-              # buildInputs
-              ++ (
-                with pkgsStatic;
-                [
-                  musl
-                  libffi
-                  acl
-                  wayland
-                  wayland-protocols
-                ]
-                ++ (with xorg; [
-                  libxcb
-                  libXau
-                  libXdmcp
-                ])
-              )
-              # nativeBuildInputs
-              ++ [
-                pkg-config
-                wayland-scanner
-                makeBinaryWrapper
-              ];
-          };
-
-          fhs = fhs.env;
-
-          withPackage = nixpkgsFor.${system}.mkShell {
-            buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs;
-          };
-
-          generateDoc =
-            let
-              pkgs = nixpkgsFor.${system};
-              inherit (pkgs) lib;
-
-              doc =
-                let
-                  eval = lib.evalModules {
-                    specialArgs = {
-                      inherit pkgs;
-                    };
-                    modules = [ ./options.nix ];
-                  };
-                  cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
-                in
-                pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
-              docText = pkgs.runCommand "fortify-module-docs.md" { } ''
-                cat ${doc.optionsCommonMark} > $out
-                sed -i '/*Declared by:*/,+1 d' $out
-              '';
-            in
-            nixpkgsFor.${system}.mkShell {
-              shellHook = ''
-                exec cat ${docText} > options.md
-              '';
-            };
-        }
-      );
+      });
    };
 }
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@ -49,11 +49,6 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
 		return errors.New("exec: already started")
 	}

-	// pass sync fd to bwrap
-	if b.sync != nil {
-		b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
-	}
-
 	// prepare bwrap pipe and args
 	if argsFD, _, err := b.control.prepareCmd(b.Cmd); err != nil {
 		return err
@ -81,6 +76,10 @@ func (b *bubblewrap) StartNotify(ready chan error) error {
 		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
 	}

+	if b.sync != nil {
+		b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
+	}
+
 	if err := b.Cmd.Start(); err != nil {
 		return err
 	}
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -1,34 +1,28 @@
 package app

 import (
-	"context"
 	"sync"
 	"sync/atomic"

+	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 )

 type App interface {
 	// ID returns a copy of App's unique ID.
 	ID() fst.ID
-	// Run sets up the system and runs the App.
-	Run(ctx context.Context, rs *RunState) error
+	// Start sets up the system and starts the App.
+	Start() error
+	// Wait waits for App's process to exit and reverts system setup.
+	Wait() (int, error)
+	// WaitErr returns error returned by the underlying wait syscall.
+	WaitErr() error

 	Seal(config *fst.Config) error
 	String() string
 }

-type RunState struct {
-	// Start is true if fsu is successfully started.
-	Start bool
-	// ExitCode is the value returned by shim.
-	ExitCode int
-	// WaitErr is error returned by the underlying wait syscall.
-	WaitErr error
-}
-
 type app struct {
 	// single-use config reference
 	ct *appCt
@ -41,6 +35,8 @@ type app struct {
 	shim *shim.Shim
 	// child process related information
 	seal *appSeal
+	// error returned waiting for process
+	waitErr error

 	lock sync.RWMutex
 }
@ -68,6 +64,10 @@ func (a *app) String() string {
 	return "(unsealed fortified app)"
 }

+func (a *app) WaitErr() error {
+	return a.waitErr
+}
+
 func New(os linux.System) (App, error) {
 	a := new(app)
 	a.id = new(fst.ID)
--- a/internal/app/start.go
+++ b/internal/app/start.go
@ -1,31 +1,26 @@
 package app

 import (
-	"context"
 	"errors"
 	"fmt"
 	"os/exec"
 	"path/filepath"
 	"strings"
-	"time"

+	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
+	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/state"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )

-const shimSetupTimeout = 5 * time.Second
-
-func (a *app) Run(ctx context.Context, rs *RunState) error {
+// Start selects a user switcher and starts shim.
+// Note that Wait must be called regardless of error returned by Start.
+func (a *app) Start() error {
 	a.lock.Lock()
 	defer a.lock.Unlock()

-	if rs == nil {
-		panic("attempted to pass nil state to run")
-	}
-
 	// resolve exec paths
 	shimExec := [2]string{helper.BubblewrapName}
 	if len(a.seal.command) > 0 {
@ -50,7 +45,7 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 		uint32(a.seal.sys.UID()),
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
-		&shim.Payload{
+		&shim0.Payload{
 			Argv:  a.seal.command,
 			Exec:  shimExec,
 			Bwrap: a.seal.sys.bwrap,
@ -69,30 +64,10 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 	// export sync pipe from sys
 	a.seal.sys.bwrap.SetSync(a.seal.sys.Sync())

-	// start shim via manager
-	waitErr := make(chan error, 1)
 	if startTime, err := a.shim.Start(); err != nil {
 		return err
 	} else {
-		// shim process created
-		rs.Start = true
-
-		shimSetupCtx, shimSetupCancel := context.WithDeadline(ctx, time.Now().Add(shimSetupTimeout))
-		defer shimSetupCancel()
-
-		// start waiting for shim
-		go func() {
-			waitErr <- a.shim.Unwrap().Wait()
-			// cancel shim setup in case shim died before receiving payload
-			shimSetupCancel()
-		}()
-
-		// send payload
-		if err = a.shim.Serve(shimSetupCtx); err != nil {
-			return err
-		}
-
-		// shim accepted setup payload, create process state
+		// shim start and setup success, create process state
 		sd := state.State{
 			ID:     *a.id,
 			PID:    a.shim.Unwrap().Process.Pid,
@ -106,40 +81,109 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 			err0.InnerErr = c.Save(&sd)
 		})
 		a.seal.sys.saveState = true
-		if err = err0.equiv("cannot save process state:"); err != nil {
-			return err
-		}
+		return err0.equiv("cannot save process state:")
+	}
+}
+
+// StateStoreError is returned for a failed state save
+type StateStoreError struct {
+	// whether inner function was called
+	Inner bool
+	// error returned by state.Store Do method
+	DoErr error
+	// error returned by state.Backend Save method
+	InnerErr error
+	// any other errors needing to be tracked
+	Err error
+}
+
+func (e *StateStoreError) equiv(a ...any) error {
+	if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
+		return nil
+	} else {
+		return fmsg.WrapErrorSuffix(e, a...)
+	}
+}
+
+func (e *StateStoreError) Error() string {
+	if e.Inner && e.InnerErr != nil {
+		return e.InnerErr.Error()
 	}

-	select {
-	// wait for process and resolve exit code
-	case err := <-waitErr:
-		if err != nil {
-			var exitError *exec.ExitError
-			if !errors.As(err, &exitError) {
-				// should be unreachable
-				rs.WaitErr = err
+	if e.DoErr != nil {
+		return e.DoErr.Error()
+	}
+
+	if e.Err != nil {
+		return e.Err.Error()
+	}
+
+	return "(nil)"
+}
+
+func (e *StateStoreError) Unwrap() (errs []error) {
+	errs = make([]error, 0, 3)
+	if e.DoErr != nil {
+		errs = append(errs, e.DoErr)
+	}
+	if e.InnerErr != nil {
+		errs = append(errs, e.InnerErr)
+	}
+	if e.Err != nil {
+		errs = append(errs, e.Err)
+	}
+	return
+}
+
+type RevertCompoundError interface {
+	Error() string
+	Unwrap() []error
+}
+
+func (a *app) Wait() (int, error) {
+	a.lock.Lock()
+	defer a.lock.Unlock()
+
+	if a.shim == nil {
+		fmsg.VPrintln("shim not initialised, skipping cleanup")
+		return 1, nil
+	}
+
+	var r int
+
+	if cmd := a.shim.Unwrap(); cmd == nil {
+		// failure prior to process start
+		r = 255
+	} else {
+		wait := make(chan error, 1)
+		go func() { wait <- cmd.Wait() }()
+
+		select {
+		// wait for process and resolve exit code
+		case err := <-wait:
+			if err != nil {
+				var exitError *exec.ExitError
+				if !errors.As(err, &exitError) {
+					// should be unreachable
+					a.waitErr = err
+				}
+
+				// store non-zero return code
+				r = exitError.ExitCode()
+			} else {
+				r = cmd.ProcessState.ExitCode()
 			}
+			fmsg.VPrintf("process %d exited with exit code %d", cmd.Process.Pid, r)

-			// store non-zero return code
-			rs.ExitCode = exitError.ExitCode()
-		} else {
-			rs.ExitCode = a.shim.Unwrap().ProcessState.ExitCode()
+		// alternative exit path when kill was unsuccessful
+		case err := <-a.shim.WaitFallback():
+			r = 255
+			if err != nil {
+				fmsg.Printf("cannot terminate shim on faulted setup: %v", err)
+			} else {
+				fmsg.VPrintln("alternative exit path selected")
+			}
 		}
-		if fmsg.Verbose() {
-			fmsg.VPrintf("process %d exited with exit code %d", a.shim.Unwrap().Process.Pid, rs.ExitCode)
-		}
-
-	// this is reached when a fault makes an already running shim impossible to continue execution
-	// however a kill signal could not be delivered (should actually always happen like that since fsu)
-	// the effects of this is similar to the alternative exit path and ensures shim death
-	case err := <-a.shim.WaitFallback():
-		rs.ExitCode = 255
-		fmsg.Printf("cannot terminate shim on faulted setup: %v", err)
-
-	// alternative exit path relying on shim behaviour on monitor process exit
-	case <-ctx.Done():
-		fmsg.VPrintln("alternative exit path selected")
 	}

 	// child process exited, resume output
@ -218,60 +262,5 @@ func (a *app) Run(ctx context.Context, rs *RunState) error {
 	})

 	e.Err = a.seal.store.Close()
-	return e.equiv("error returned during cleanup:", e)
-}
-
-// StateStoreError is returned for a failed state save
-type StateStoreError struct {
-	// whether inner function was called
-	Inner bool
-	// error returned by state.Store Do method
-	DoErr error
-	// error returned by state.Backend Save method
-	InnerErr error
-	// any other errors needing to be tracked
-	Err error
-}
-
-func (e *StateStoreError) equiv(a ...any) error {
-	if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
-		return nil
-	} else {
-		return fmsg.WrapErrorSuffix(e, a...)
-	}
-}
-
-func (e *StateStoreError) Error() string {
-	if e.Inner && e.InnerErr != nil {
-		return e.InnerErr.Error()
-	}
-
-	if e.DoErr != nil {
-		return e.DoErr.Error()
-	}
-
-	if e.Err != nil {
-		return e.Err.Error()
-	}
-
-	return "(nil)"
-}
-
-func (e *StateStoreError) Unwrap() (errs []error) {
-	errs = make([]error, 0, 3)
-	if e.DoErr != nil {
-		errs = append(errs, e.DoErr)
-	}
-	if e.InnerErr != nil {
-		errs = append(errs, e.InnerErr)
-	}
-	if e.Err != nil {
-		errs = append(errs, e.Err)
-	}
-	return
-}
-
-type RevertCompoundError interface {
-	Error() string
-	Unwrap() []error
+	return r, e.equiv("error returned during cleanup:", e)
 }
--- a/internal/linux/std.go
+++ b/internal/linux/std.go
@ -73,7 +73,7 @@ func (s *Std) Uid(aid int) (int, error) {

 	u.uid = -1
 	if fsu, ok := internal.Check(internal.Fsu); !ok {
-		fmsg.Fatal("invalid fsu path, this copy of fortify is not compiled correctly")
+		fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
 		panic("unreachable")
 	} else {
 		cmd := exec.Command(fsu)
--- a/internal/path.go
+++ b/internal/path.go
@ -3,7 +3,9 @@ package internal
 import "path"

 var (
-	Fsu = compPoison
+	Fortify = compPoison
+	Fsu     = compPoison
+	Finit   = compPoison
 )

 func Path(p string) (string, bool) {
--- a/internal/prctl.go
+++ b/internal/prctl.go
@ -12,7 +12,7 @@ func PR_SET_DUMPABLE__SUID_DUMP_DISABLE() error {
 }

 func PR_SET_PDEATHSIG__SIGKILL() error {
-	if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
+	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
 		return errno
 	}

--- a/internal/proc/fd.go
+++ b/internal/proc/fd.go
@ -12,7 +12,6 @@ var (
 	ErrInvalid = errors.New("bad file descriptor")
 )

-// Setup appends the read end of a pipe for payload transmission and returns its fd.
 func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
 	if r, w, err := os.Pipe(); err != nil {
 		return -1, nil, err
@ -23,8 +22,6 @@ func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
 	}
 }

-// Receive retrieves payload pipe fd from the environment,
-// receives its payload and returns the Close method of the pipe.
 func Receive(key string, e any) (func() error, error) {
 	var setup *os.File

--- a/internal/proc/priv/init/early.go
+++ b/internal/proc/priv/init/early.go
@ -1,18 +0,0 @@
-package init0
-
-import (
-	"os"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-// used by the parent process
-
-// TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
-func TryArgv0() {
-	if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
-		Main()
-		fmsg.Exit(0)
-	}
-}
--- a/internal/proc/self.go
+++ b/internal/proc/self.go
@ -1,26 +0,0 @@
-package proc
-
-import (
-	"os"
-	"sync"
-
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-var (
-	executable     string
-	executableOnce sync.Once
-)
-
-func copyExecutable() {
-	if name, err := os.Executable(); err != nil {
-		fmsg.Fatalf("cannot read executable path: %v", err)
-	} else {
-		executable = name
-	}
-}
-
-func MustExecutable() string {
-	executableOnce.Do(copyExecutable)
-	return executable
-}
--- a/main.go
+++ b/main.go
@ -1,17 +1,14 @@
 package main

 import (
-	"context"
 	_ "embed"
 	"flag"
 	"fmt"
 	"os"
-	"os/signal"
 	"os/user"
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"text/tabwriter"

 	"git.gensokyo.uk/security/fortify/dbus"
@ -20,8 +17,6 @@ import (
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
-	init0 "git.gensokyo.uk/security/fortify/internal/proc/priv/init"
-	"git.gensokyo.uk/security/fortify/internal/proc/priv/shim"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )

@ -55,9 +50,6 @@ func (g *gl) Set(v string) error {
 }

 func main() {
-	// early init argv0 check, skips root check and duplicate PR_SET_DUMPABLE
-	init0.TryArgv0()
-
 	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
 		fmsg.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
@ -288,15 +280,6 @@ func main() {

 		// invoke app
 		runApp(config)
-
-	// internal commands
-	case "shim":
-		shim.Main()
-		fmsg.Exit(0)
-	case "init":
-		init0.Main()
-		fmsg.Exit(0)
-
 	default:
 		fmsg.Fatalf("%q is not a valid command", args[0])
 	}
@ -305,38 +288,27 @@ func main() {
 }

 func runApp(config *fst.Config) {
-	rs := new(app.RunState)
-	ctx, cancel := context.WithCancel(context.Background())
-
-	// handle signals for graceful shutdown
-	sig := make(chan os.Signal, 2)
-	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		v := <-sig
-		fmsg.Printf("got %s after program start", v)
-		cancel()
-		signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
-	}()
-
-	if a, err := app.New(sys); err != nil {
+	a, err := app.New(sys)
+	if err != nil {
 		fmsg.Fatalf("cannot create app: %s\n", err)
 	} else if err = a.Seal(config); err != nil {
 		logBaseError(err, "cannot seal app:")
 		fmsg.Exit(1)
-	} else if err = a.Run(ctx, rs); err != nil {
-		if !rs.Start {
-			logBaseError(err, "cannot start app:")
-		} else {
-			logWaitError(err)
+	} else if err = a.Start(); err != nil {
+		logBaseError(err, "cannot start app:")
+	}
+
+	var r int
+	// wait must be called regardless of result of start
+	if r, err = a.Wait(); err != nil {
+		if r < 1 {
+			r = 1
 		}
+		logWaitError(err)
 	}
-	if rs.WaitErr != nil {
-		fmsg.Println("inner wait failed:", rs.WaitErr)
+	if err = a.WaitErr(); err != nil {
+		fmsg.Println("inner wait failed:", err)
 	}
-	if rs.ExitCode < 0 {
-		fmsg.VPrintf("got negative exit %v", rs.ExitCode)
-		fmsg.Exit(1)
-	}
-	fmsg.Exit(rs.ExitCode)
+	fmsg.Exit(r)
 	panic("unreachable")
 }
--- a/options.md
+++ b/options.md
@ -36,7 +36,7 @@ package


 *Default:*
-` <derivation fortify-0.2.10> `
+` <derivation fortify-0.2.8> `



--- a/package.nix
+++ b/package.nix
@ -5,17 +5,16 @@
  xdg-dbus-proxy,
  bubblewrap,
  pkg-config,
-  libffi,
  acl,
  wayland,
-  wayland-protocols,
  wayland-scanner,
+  wayland-protocols,
  xorg,
 }:

 buildGoModule rec {
  pname = "fortify";
-  version = "0.2.10";
+  version = "0.2.9";

  src = builtins.path {
    name = "fortify-src";
@ -28,32 +27,36 @@ buildGoModule rec {
    lib.attrsets.foldlAttrs
      (
        ldflags: name: value:
-        ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
+        ldflags
+        ++ [
+          "-X"
+          "git.gensokyo.uk/security/fortify/internal.${name}=${value}"
+        ]
      )
      [
-        "-s -w"
-        "-X main.Fmain=${placeholder "out"}/libexec/fortify"
+        "-s"
+        "-w"
+        "-X"
+        "main.Fmain=${placeholder "out"}/libexec/fortify"
+        "-X"
+        "main.Fshim=${placeholder "out"}/libexec/fshim"
      ]
      {
        Version = "v${version}";
        Fsu = "/run/wrappers/bin/fsu";
+        Finit = "${placeholder "out"}/libexec/finit";
+        Fortify = "${placeholder "out"}/bin/fortify";
      };

  # nix build environment does not allow acls
  GO_TEST_SKIP_ACL = 1;

-  buildInputs =
-    [
-      libffi
-      acl
-      wayland
-      wayland-protocols
-    ]
-    ++ (with xorg; [
-      libxcb
-      libXau
-      libXdmcp
-    ]);
+  buildInputs = [
+    acl
+    wayland
+    wayland-protocols
+    xorg.libxcb
+  ];

  nativeBuildInputs = [
    pkg-config
--- a/test.nix
+++ b/test.nix
@ -51,7 +51,7 @@ nixosTest {
          mako

          # For go tests:
-          self.packages.${system}.fhs
+          self.devShells.${system}.fhs
        ];

        variables = {
--- a/wl/c.go
+++ b/wl/c.go
@ -4,13 +4,12 @@ package wl
 //go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"

 /*
-#cgo linux pkg-config: --static wayland-client
+#cgo linux pkg-config: wayland-client
 #cgo freebsd openbsd LDFLAGS: -lwayland-client

 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
-#include <string.h>

 #include <unistd.h>
 #include <sys/socket.h>
--- a/xcb/c.go
+++ b/xcb/c.go
@ -6,7 +6,7 @@ import (
 )

 /*
-#cgo linux pkg-config: --static xcb
+#cgo linux pkg-config: xcb

 #include <stdlib.h>
 #include <xcb/xcb.h>