release: 0.3.3

Signed-off-by: Ophestra <cat@gensokyo.uk>
sandbox: document less obvious parts of setup
2025-04-01 01:42:10 +09:00 · 2025-04-01 01:21:04 +09:00 · 2025-04-01 00:53:04 +09:00 · 2025-04-01 00:47:32 +09:00 · 2025-03-31 21:27:31 +09:00 · 2025-03-31 04:54:10 +09:00
191 changed files with 10962 additions and 6421 deletions
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -5,25 +5,107 @@ on:
  - pull_request
 jobs:
-  test:
+  fortify:
-    name: Run NixOS test
+    name: Fortify
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Run tests
+      - name: Run NixOS test
-        run: |
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
          nix --print-build-logs --experimental-features 'nix-command flakes' flake check
          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "nixos-vm-output"
+          name: "fortify-vm-output"
          path: result/*
          retention-days: 1
  race:
    name: Fortify (race detector)
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.race
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "fortify-race-vm-output"
          path: result/*
          retention-days: 1
  sandbox:
    name: Sandbox
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sandbox
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "sandbox-vm-output"
          path: result/*
          retention-days: 1
  sandbox-race:
    name: Sandbox (race detector)
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sandbox-race
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "sandbox-race-vm-output"
          path: result/*
          retention-days: 1
  fpkg:
    name: Fpkg
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fpkg
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "fpkg-vm-output"
          path: result/*
          retention-days: 1
  check:
    name: Flake checks
    needs:
      - fortify
      - race
      - sandbox
      - sandbox-race
      - fpkg
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run checks
        run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
  dist:
    name: Create distribution
    runs-on: nix
--- a/acl/acl-update.c
+++ b/acl/acl-update.c
@ -0,0 +1,69 @@
 #include "acl-update.h"
 #include <stdlib.h>
 #include <stdbool.h>
 #include <sys/acl.h>
 #include <acl/libacl.h>
 int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen) {
    int ret = -1;
    bool v;
    int i;
    acl_t acl;
    acl_entry_t entry;
    acl_tag_t tag_type;
    void *qualifier_p;
    acl_permset_t permset;
    acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
    if (acl == NULL)
        goto out;
    // prune entries by uid
    for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1; i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
        if (acl_get_tag_type(entry, &tag_type) != 0)
            return -1;
        if (tag_type != ACL_USER)
            continue;
        qualifier_p = acl_get_qualifier(entry);
        if (qualifier_p == NULL)
            return -1;
        v = *(uid_t *)qualifier_p == uid;
        acl_free(qualifier_p);
        if (!v)
            continue;
        acl_delete_entry(acl, entry);
    }
    if (plen == 0)
        goto set;
    if (acl_create_entry(&acl, &entry) != 0)
        goto out;
    if (acl_get_permset(entry, &permset) != 0)
        goto out;
    for (i = 0; i < plen; i++) {
        if (acl_add_perm(permset, perms[i]) != 0)
            goto out;
    }
    if (acl_set_tag_type(entry, ACL_USER) != 0)
        goto out;
    if (acl_set_qualifier(entry, (void *)&uid) != 0)
        goto out;
 set:
    if (acl_calc_mask(&acl) != 0)
        goto out;
    if (acl_valid(acl) != 0)
        goto out;
    if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
        ret = 0;
 out:
    free((void *)path_p);
    if (acl != NULL)
        acl_free((void *)acl);
    return ret;
 }
--- a/acl/acl-update.h
+++ b/acl/acl-update.h
@ -0,0 +1,3 @@
 #include <sys/acl.h>
 int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen);
--- a/acl/acl.go
+++ b/acl/acl.go
@ -1,19 +1,36 @@
 // Package acl implements simple ACL manipulation via libacl.
 package acl
-type Perms []Perm
+/*
 #cgo linux pkg-config: --static libacl
-func (ps Perms) String() string {
+#include "acl-update.h"
-	var s = []byte("---")
+*/
-	for _, p := range ps {
+import "C"
-		switch p {
+
-		case Read:
+type Perm C.acl_perm_t
-			s[0] = 'r'
+
-		case Write:
+const (
-			s[1] = 'w'
+	Read    Perm = C.ACL_READ
-		case Execute:
+	Write   Perm = C.ACL_WRITE
-			s[2] = 'x'
+	Execute Perm = C.ACL_EXECUTE
-		}
+)
 // Update replaces ACL_USER entry with qualifier uid.
 func Update(name string, uid int, perms ...Perm) error {
 	var p *Perm
 	if len(perms) > 0 {
 		p = &perms[0]
 	}
-	return string(s)
+
 	r, err := C.f_acl_update_file_by_uid(
 		C.CString(name),
 		C.uid_t(uid),
 		(*C.acl_perm_t)(p),
 		C.size_t(len(perms)),
 	)
 	if r == 0 {
 		return nil
 	}
 	return err
 }
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@ -47,7 +47,7 @@ func TestUpdatePerm(t *testing.T) {
 	})
 	t.Run("default clear mask", func(t *testing.T) {
-		if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+		if err := acl.Update(testFilePath, uid); err != nil {
 			t.Fatalf("UpdatePerm: error = %v", err)
 		}
 		if cur = getfacl(t, testFilePath); len(cur) != 4 {
@ -56,7 +56,7 @@ func TestUpdatePerm(t *testing.T) {
 	})
 	t.Run("default clear consistency", func(t *testing.T) {
-		if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+		if err := acl.Update(testFilePath, uid); err != nil {
 			t.Fatalf("UpdatePerm: error = %v", err)
 		}
 		if val := getfacl(t, testFilePath); !reflect.DeepEqual(val, cur) {
@ -76,7 +76,7 @@ func TestUpdatePerm(t *testing.T) {
 func testUpdate(t *testing.T, testFilePath, name string, cur []*getFAclResp, val fAclPerm, perms ...acl.Perm) {
 	t.Run(name, func(t *testing.T) {
 		t.Cleanup(func() {
-			if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+			if err := acl.Update(testFilePath, uid); err != nil {
 				t.Fatalf("UpdatePerm: error = %v", err)
 			}
 			if v := getfacl(t, testFilePath); !reflect.DeepEqual(v, cur) {
@ -84,7 +84,7 @@ func testUpdate(t *testing.T, testFilePath, name string, cur []*getFAclResp, val
 			}
 		})
-		if err := acl.UpdatePerm(testFilePath, uid, perms...); err != nil {
+		if err := acl.Update(testFilePath, uid, perms...); err != nil {
 			t.Fatalf("UpdatePerm: error = %v", err)
 		}
 		r := respByCred(getfacl(t, testFilePath), fAclTypeUser, cred)
--- a/acl/c.go
+++ b/acl/c.go
@ -1,196 +0,0 @@
 package acl
 import "C"
 import (
 	"errors"
 	"runtime"
 	"syscall"
 	"unsafe"
 )
 /*
 #cgo linux pkg-config: --static libacl
 #include <stdlib.h>
 #include <sys/acl.h>
 #include <acl/libacl.h>
 static acl_t _go_acl_get_file(const char *path_p, acl_type_t type) {
 	acl_t acl = acl_get_file(path_p, type);
 	free((void *)path_p);
 	return acl;
 }
 static int _go_acl_set_file(const char *path_p, acl_type_t type, acl_t acl) {
 	if (acl_valid(acl) != 0) {
 		return -1;
 	}
 	int ret = acl_set_file(path_p, type, acl);
 	free((void *)path_p);
 	return ret;
 }
 */
 import "C"
 func getFile(name string, t C.acl_type_t) (*ACL, error) {
 	a, err := C._go_acl_get_file(C.CString(name), t)
 	if errors.Is(err, syscall.ENODATA) {
 		err = nil
 	}
 	return newACL(a), err
 }
 func (acl *ACL) setFile(name string, t C.acl_type_t) error {
 	_, err := C._go_acl_set_file(C.CString(name), t, acl.acl)
 	return err
 }
 func newACL(a C.acl_t) *ACL {
 	acl := &ACL{a}
 	runtime.SetFinalizer(acl, (*ACL).free)
 	return acl
 }
 type ACL struct {
 	acl C.acl_t
 }
 func (acl *ACL) free() {
 	C.acl_free(unsafe.Pointer(acl.acl))
 	// no need for a finalizer anymore
 	runtime.SetFinalizer(acl, nil)
 }
 const (
 	Read    = C.ACL_READ
 	Write   = C.ACL_WRITE
 	Execute = C.ACL_EXECUTE
 	TypeDefault = C.ACL_TYPE_DEFAULT
 	TypeAccess  = C.ACL_TYPE_ACCESS
 	UndefinedTag = C.ACL_UNDEFINED_TAG
 	UserObj      = C.ACL_USER_OBJ
 	User         = C.ACL_USER
 	GroupObj     = C.ACL_GROUP_OBJ
 	Group        = C.ACL_GROUP
 	Mask         = C.ACL_MASK
 	Other        = C.ACL_OTHER
 )
 type (
 	Perm C.acl_perm_t
 )
 func (acl *ACL) removeEntry(tt C.acl_tag_t, tq int) error {
 	var e C.acl_entry_t
 	// get first entry
 	if r, err := C.acl_get_entry(acl.acl, C.ACL_FIRST_ENTRY, &e); err != nil {
 		return err
 	} else if r == 0 {
 		// return on acl with no entries
 		return nil
 	}
 	for {
 		if r, err := C.acl_get_entry(acl.acl, C.ACL_NEXT_ENTRY, &e); err != nil {
 			return err
 		} else if r == 0 {
 			// return on drained acl
 			return nil
 		}
 		var (
 			q int
 			t C.acl_tag_t
 		)
 		// get current entry tag type
 		if _, err := C.acl_get_tag_type(e, &t); err != nil {
 			return err
 		}
 		// get current entry qualifier
 		if rq, err := C.acl_get_qualifier(e); err != nil {
 			// neither ACL_USER nor ACL_GROUP
 			if errors.Is(err, syscall.EINVAL) {
 				continue
 			}
 			return err
 		} else {
 			q = *(*int)(rq)
 			C.acl_free(rq)
 		}
 		// delete on match
 		if t == tt && q == tq {
 			_, err := C.acl_delete_entry(acl.acl, e)
 			return err
 		}
 	}
 }
 func UpdatePerm(name string, uid int, perms ...Perm) error {
 	// read acl from file
 	a, err := getFile(name, TypeAccess)
 	if err != nil {
 		return err
 	}
 	// free acl on return if get is successful
 	defer a.free()
 	// remove existing entry
 	if err = a.removeEntry(User, uid); err != nil {
 		return err
 	}
 	// create new entry if perms are passed
 	if len(perms) > 0 {
 		// create new acl entry
 		var e C.acl_entry_t
 		if _, err = C.acl_create_entry(&a.acl, &e); err != nil {
 			return err
 		}
 		// get perm set of new entry
 		var p C.acl_permset_t
 		if _, err = C.acl_get_permset(e, &p); err != nil {
 			return err
 		}
 		// add target perms
 		for _, perm := range perms {
 			if _, err = C.acl_add_perm(p, C.acl_perm_t(perm)); err != nil {
 				return err
 			}
 		}
 		// set perm set to new entry
 		if _, err = C.acl_set_permset(e, p); err != nil {
 			return err
 		}
 		// set user tag to new entry
 		if _, err = C.acl_set_tag_type(e, User); err != nil {
 			return err
 		}
 		// set qualifier (uid) to new entry
 		if _, err = C.acl_set_qualifier(e, unsafe.Pointer(&uid)); err != nil {
 			return err
 		}
 	}
 	// calculate mask after update
 	if _, err = C.acl_calc_mask(&a.acl); err != nil {
 		return err
 	}
 	// write acl to file
 	return a.setFile(name, TypeAccess)
 }
--- a/acl/perms.go
+++ b/acl/perms.go
@ -0,0 +1,18 @@
 package acl
 type Perms []Perm
 func (ps Perms) String() string {
 	var s = []byte("---")
 	for _, p := range ps {
 		switch p {
 		case Read:
 			s[0] = 'r'
 		case Write:
 			s[1] = 'w'
 		case Execute:
 			s[2] = 'x'
 		}
 	}
 	return string(s)
 }
--- a/cmd/fpkg/app.go
+++ b/cmd/fpkg/app.go
@ -0,0 +1,150 @@
 package main
 import (
 	"encoding/json"
 	"log"
 	"os"
 	"path"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 	"git.gensokyo.uk/security/fortify/system"
 )
 type appInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 	// passed through to [fst.Config]
 	ID string `json:"id"`
 	// passed through to [fst.Config]
 	AppID int `json:"app_id"`
 	// passed through to [fst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [fst.Config]
 	Devel bool `json:"devel,omitempty"`
 	// passed through to [fst.Config]
 	Userns bool `json:"userns,omitempty"`
 	// passed through to [fst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [fst.Config]
 	Dev bool `json:"dev,omitempty"`
 	// passed through to [fst.Config]
 	Tty bool `json:"tty,omitempty"`
 	// passed through to [fst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
 	// passed through to [fst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// passed through to [fst.Config]
 	SystemBus *dbus.Config `json:"system_bus,omitempty"`
 	// passed through to [fst.Config]
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
 	// passed through to [fst.Config]
 	Enablements system.Enablement `json:"enablements"`
 	// passed through to [fst.Config]
 	Multiarch bool `json:"multiarch,omitempty"`
 	// passed through to [fst.Config]
 	Bluetooth bool `json:"bluetooth,omitempty"`
 	// allow gpu access within sandbox
 	GPU bool `json:"gpu"`
 	// store path to nixGL mesa wrappers
 	Mesa string `json:"mesa,omitempty"`
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
 	Launcher string `json:"launcher"`
 	// store path to /run/current-system
 	CurrentSystem string `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }
 func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *fst.Config {
 	config := &fst.Config{
 		ID:   app.ID,
 		Path: argv[0],
 		Args: argv,
 		Confinement: fst.ConfinementConfig{
 			AppID:    app.AppID,
 			Groups:   app.Groups,
 			Username: "fortify",
 			Inner:    path.Join("/data/data", app.ID),
 			Outer:    pathSet.homeDir,
 			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
 				Hostname:      formatHostname(app.Name),
 				Devel:         app.Devel,
 				Userns:        app.Userns,
 				Net:           app.Net,
 				Dev:           app.Dev,
 				Tty:           app.Tty || flagDropShell,
 				MapRealUID:    app.MapRealUID,
 				DirectWayland: app.DirectWayland,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
 					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
 					{Src: "/etc/resolv.conf"},
 					{Src: "/sys/block"},
 					{Src: "/sys/bus"},
 					{Src: "/sys/class"},
 					{Src: "/sys/dev"},
 					{Src: "/sys/devices"},
 				},
 				Link: [][2]string{
 					{app.CurrentSystem, "/run/current-system"},
 					{"/run/current-system/sw/bin", "/bin"},
 					{"/run/current-system/sw/bin", "/usr/bin"},
 				},
 				Etc:     path.Join(pathSet.cacheDir, "etc"),
 				AutoEtc: true,
 			},
 			ExtraPerms: []*fst.ExtraPermConfig{
 				{Path: dataHome, Execute: true},
 				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			},
 			SystemBus:   app.SystemBus,
 			SessionBus:  app.SessionBus,
 			Enablements: app.Enablements,
 		},
 	}
 	if app.Multiarch {
 		config.Confinement.Sandbox.Seccomp |= seccomp.FlagMultiarch
 	}
 	if app.Bluetooth {
 		config.Confinement.Sandbox.Seccomp |= seccomp.FlagBluetooth
 	}
 	return config
 }
 func loadAppInfo(name string, beforeFail func()) *appInfo {
 	bundle := new(appInfo)
 	if f, err := os.Open(name); err != nil {
 		beforeFail()
 		log.Fatalf("cannot open bundle: %v", err)
 	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
 		beforeFail()
 		log.Fatalf("cannot parse bundle metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		log.Printf("cannot close bundle metadata: %v", err)
 		// not fatal
 	}
 	if bundle.ID == "" {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
 	return bundle
 }
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		log.Printf("cannot get hostname: %v", err)
 		return "fortify-" + name
 	} else {
 		return h + "-" + name
 	}
 }
--- a/cmd/fpkg/build.nix
+++ b/cmd/fpkg/build.nix
@ -7,6 +7,8 @@
 {
  lib,
  stdenv,
  closureInfo,
  writeScript,
  runtimeShell,
  writeText,
@ -15,12 +17,15 @@
  runCommand,
  fetchFromGitHub,
  zstd,
  nix,
  sqlite,
  name ? throw "name is required",
  version ? throw "version is required",
  pname ? "${name}-${version}",
  modules ? [ ],
  nixosModules ? [ ],
  script ? ''
    exec "$SHELL" "$@"
  '',
@ -72,6 +77,8 @@ let
        etc.nixpkgs.source = nixpkgs.outPath;
        systemPackages = [ pkgs.nix ];
      };
      imports = nixosModules;
    };
  nixos = nixpkgs.lib.nixosSystem {
    inherit system;
@ -164,11 +171,7 @@ let
          broadcast = { };
        });
-    enablements =
+    enablements = (if allow_wayland then 1 else 0) + (if allow_x11 then 2 else 0) + (if allow_dbus then 4 else 0) + (if allow_pulse then 8 else 0);
      (if allow_wayland then 1 else 0)
      + (if allow_x11 then 2 else 0)
      + (if allow_dbus then 4 else 0)
      + (if allow_pulse then 8 else 0);
    mesa = if gpu then mesaWrappers else null;
    nix_gl = if gpu then nixGL else null;
@ -177,26 +180,73 @@ let
  };
 in
-writeScript "fortify-${pname}-bundle-prelude" ''
+stdenv.mkDerivation {
-  #!${runtimeShell} -el
+  name = "${pname}.pkg";
-  OUT="$(mktemp -d)"
+  inherit version;
-  TAR="$(mktemp -u)"
+  __structuredAttrs = true;
  set -x
-  nix copy --no-check-sigs --to "$OUT" "${nix}" "${nixos.config.system.build.toplevel}"
+  nativeBuildInputs = [
-  nix store --store "$OUT" optimise
+    zstd
-  chmod -R +r "$OUT/nix/var"
+    nix
-  nix copy --no-check-sigs --to "file://$OUT/res?compression=zstd&compression-level=19&parallel-compression=true" \
+    sqlite
-    "${homeManagerConfiguration.activationPackage}" \
+  ];
    "${launcher}" ${if gpu then "${mesaWrappers} ${nixGL}" else ""}
  mkdir -p "$OUT/etc"
  tar -C "$OUT/etc" -xf "${etc}/etc.tar"
  cp "${writeText "bundle.json" info}" "$OUT/bundle.json"
-  # creating an intermediate file improves zstd performance
+  buildCommand = ''
-  tar -C "$OUT" -cf "$TAR" .
+    NIX_ROOT="$(mktemp -d)"
-  chmod +w -R "$OUT" && rm -rf "$OUT"
+    export USER="nobody"
-  zstd -T0 -19 -fo "${pname}.pkg" "$TAR"
+    # create bootstrap store
-  rm "$TAR"
+    bootstrapClosureInfo="${
-''
+      closureInfo {
        rootPaths = [
          nix
          nixos.config.system.build.toplevel
        ];
      }
    }"
    echo "copying bootstrap store paths..."
    mkdir -p "$NIX_ROOT/nix/store"
    xargs -n 1 -a "$bootstrapClosureInfo/store-paths" cp -at "$NIX_ROOT/nix/store/"
    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --load-db < "$bootstrapClosureInfo/registration"
    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --optimise
    sqlite3 "$NIX_ROOT/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
    chmod -R +r "$NIX_ROOT/nix/var"
    # create binary cache
    closureInfo="${
      closureInfo {
        rootPaths =
          [
            homeManagerConfiguration.activationPackage
            launcher
          ]
          ++ optionals gpu [
            mesaWrappers
            nixGL
          ];
      }
    }"
    echo "copying application paths..."
    TMP_STORE="$(mktemp -d)"
    mkdir -p "$TMP_STORE/nix/store"
    xargs -n 1 -a "$closureInfo/store-paths" cp -at "$TMP_STORE/nix/store/"
    NIX_REMOTE="local?root=$TMP_STORE" nix-store --load-db < "$closureInfo/registration"
    sqlite3 "$TMP_STORE/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
    NIX_REMOTE="local?root=$TMP_STORE" nix --offline --extra-experimental-features nix-command \
        --verbose --log-format raw-with-logs \
        copy --all --no-check-sigs --to \
        "file://$NIX_ROOT/res?compression=zstd&compression-level=19&parallel-compression=true"
    # package /etc
    mkdir -p "$NIX_ROOT/etc"
    tar -C "$NIX_ROOT/etc" -xf "${etc}/etc.tar"
    # write metadata
    cp "${writeText "bundle.json" info}" "$NIX_ROOT/bundle.json"
    # create an intermediate file to improve zstd performance
    INTER="$(mktemp)"
    tar -C "$NIX_ROOT" -cf "$INTER" .
    zstd -T0 -19 -fo "$out" "$INTER"
  '';
 }
--- a/cmd/fpkg/bundle.go
+++ b/cmd/fpkg/bundle.go
@ -1,90 +0,0 @@
 package main
 import (
 	"encoding/json"
 	"log"
 	"os"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 type bundleInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 	// passed through to [fst.Config]
 	ID string `json:"id"`
 	// passed through to [fst.Config]
 	AppID int `json:"app_id"`
 	// passed through to [fst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [fst.Config]
 	UserNS bool `json:"userns,omitempty"`
 	// passed through to [fst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [fst.Config]
 	Dev bool `json:"dev,omitempty"`
 	// passed through to [fst.Config]
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// passed through to [fst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
 	// passed through to [fst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// passed through to [fst.Config]
 	SystemBus *dbus.Config `json:"system_bus,omitempty"`
 	// passed through to [fst.Config]
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
 	// passed through to [fst.Config]
 	Enablements system.Enablements `json:"enablements"`
 	// passed through inverted to [bwrap.SyscallPolicy]
 	Devel bool `json:"devel,omitempty"`
 	// passed through to [bwrap.SyscallPolicy]
 	Multiarch bool `json:"multiarch,omitempty"`
 	// passed through to [bwrap.SyscallPolicy]
 	Bluetooth bool `json:"bluetooth,omitempty"`
 	// allow gpu access within sandbox
 	GPU bool `json:"gpu"`
 	// store path to nixGL mesa wrappers
 	Mesa string `json:"mesa,omitempty"`
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
 	Launcher string `json:"launcher"`
 	// store path to /run/current-system
 	CurrentSystem string `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }
 func loadBundleInfo(name string, beforeFail func()) *bundleInfo {
 	bundle := new(bundleInfo)
 	if f, err := os.Open(name); err != nil {
 		beforeFail()
 		log.Fatalf("cannot open bundle: %v", err)
 	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
 		beforeFail()
 		log.Fatalf("cannot parse bundle metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		log.Printf("cannot close bundle metadata: %v", err)
 		// not fatal
 	}
 	if bundle.ID == "" {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
 	return bundle
 }
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		log.Printf("cannot get hostname: %v", err)
 		return "fortify-" + name
 	} else {
 		return h + "-" + name
 	}
 }
--- a/cmd/fpkg/install.go
+++ b/cmd/fpkg/install.go
@ -1,191 +0,0 @@
 package main
 import (
 	"encoding/json"
 	"flag"
 	"log"
 	"os"
 	"path"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 func actionInstall(args []string) {
 	set := flag.NewFlagSet("install", flag.ExitOnError)
 	var (
 		dropShellInstall  bool
 		dropShellActivate bool
 	)
 	set.BoolVar(&dropShellInstall, "si", false, "Drop to a shell on installation")
 	set.BoolVar(&dropShellActivate, "sa", false, "Drop to a shell on activation")
 	// Ignore errors; set is set for ExitOnError.
 	_ = set.Parse(args)
 	args = set.Args()
 	if len(args) != 1 {
 		log.Fatal("invalid argument")
 	}
 	pkgPath := args[0]
 	if !path.IsAbs(pkgPath) {
 		if dir, err := os.Getwd(); err != nil {
 			log.Fatalf("cannot get current directory: %v", err)
 		} else {
 			pkgPath = path.Join(dir, pkgPath)
 		}
 	}
 	/*
 		Look up paths to programs started by fpkg.
 		This is done here to ease error handling as cleanup is not yet required.
 	*/
 	var (
 		_     = lookPath("zstd")
 		tar   = lookPath("tar")
 		chmod = lookPath("chmod")
 		rm    = lookPath("rm")
 	)
 	/*
 		Extract package and set up for cleanup.
 	*/
 	var workDir string
 	if p, err := os.MkdirTemp("", "fpkg.*"); err != nil {
 		log.Fatalf("cannot create temporary directory: %v", err)
 	} else {
 		workDir = p
 	}
 	cleanup := func() {
 		// should be faster than a native implementation
 		mustRun(chmod, "-R", "+w", workDir)
 		mustRun(rm, "-rf", workDir)
 	}
 	beforeRunFail.Store(&cleanup)
 	mustRun(tar, "-C", workDir, "-xf", pkgPath)
 	/*
 		Parse bundle and app metadata, do pre-install checks.
 	*/
 	bundle := loadBundleInfo(path.Join(workDir, "bundle.json"), cleanup)
 	pathSet := pathSetByApp(bundle.ID)
 	app := bundle
 	if s, err := os.Stat(pathSet.metaPath); err != nil {
 		if !os.IsNotExist(err) {
 			cleanup()
 			log.Fatalf("cannot access %q: %v", pathSet.metaPath, err)
 		}
 		// did not modify app, clean installation condition met later
 	} else if s.IsDir() {
 		cleanup()
 		log.Fatalf("metadata path %q is not a file", pathSet.metaPath)
 	} else {
 		app = loadBundleInfo(pathSet.metaPath, cleanup)
 		if app.ID != bundle.ID {
 			cleanup()
 			log.Fatalf("app %q claims to have identifier %q", bundle.ID, app.ID)
 		}
 		// sec: should verify credentials
 	}
 	if app != bundle {
 		// do not try to re-install
 		if app.NixGL == bundle.NixGL &&
 			app.CurrentSystem == bundle.CurrentSystem &&
 			app.Launcher == bundle.Launcher &&
 			app.ActivationPackage == bundle.ActivationPackage {
 			cleanup()
 			log.Printf("package %q is identical to local application %q", pkgPath, app.ID)
 			internal.Exit(0)
 		}
 		// AppID determines uid
 		if app.AppID != bundle.AppID {
 			cleanup()
 			log.Fatalf("package %q app id %d differs from installed %d", pkgPath, bundle.AppID, app.AppID)
 		}
 		// sec: should compare version string
 		fmsg.Verbosef("installing application %q version %q over local %q", bundle.ID, bundle.Version, app.Version)
 	} else {
 		fmsg.Verbosef("application %q clean installation", bundle.ID)
 		// sec: should install credentials
 	}
 	/*
 		Setup steps for files owned by the target user.
 	*/
 	withCacheDir("install", []string{
 		// export inner bundle path in the environment
 		"export BUNDLE=" + fst.Tmp + "/bundle",
 		// replace inner /etc
 		"mkdir -p etc",
 		"chmod -R +w etc",
 		"rm -rf etc",
 		"cp -dRf $BUNDLE/etc etc",
 		// replace inner /nix
 		"mkdir -p nix",
 		"chmod -R +w nix",
 		"rm -rf nix",
 		"cp -dRf /nix nix",
 		// copy from binary cache
 		"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
 		// deduplicate nix store
 		"nix store --offline --store $PWD optimise",
 		// make cache directory world-readable for autoetc
 		"chmod 0755 .",
 	}, workDir, bundle, pathSet, dropShellInstall, cleanup)
 	if bundle.GPU {
 		withCacheDir("mesa-wrappers", []string{
 			// link nixGL mesa wrappers
 			"mkdir -p nix/.nixGL",
 			"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
 			"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
 		}, workDir, bundle, pathSet, false, cleanup)
 	}
 	/*
 		Activate home-manager generation.
 	*/
 	withNixDaemon("activate", []string{
 		// clean up broken links
 		"mkdir -p .local/state/{nix,home-manager}",
 		"chmod -R +w .local/state/{nix,home-manager}",
 		"rm -rf .local/state/{nix,home-manager}",
 		// run activation script
 		bundle.ActivationPackage + "/activate",
 	}, false, func(config *fst.Config) *fst.Config { return config }, bundle, pathSet, dropShellActivate, cleanup)
 	/*
 		Installation complete. Write metadata to block re-installs or downgrades.
 	*/
 	// serialise metadata to ensure consistency
 	if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 		cleanup()
 		log.Fatalf("cannot create metadata file: %v", err)
 	} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
 		cleanup()
 		log.Fatalf("cannot write metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		log.Printf("cannot close metadata file: %v", err)
 		// not fatal
 	}
 	if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
 		cleanup()
 		log.Fatalf("cannot rename metadata file: %v", err)
 	}
 	cleanup()
 }
--- a/cmd/fpkg/main.go
+++ b/cmd/fpkg/main.go
@ -1,50 +1,351 @@
 package main
 import (
-	"flag"
+	"context"
 	"encoding/json"
 	"errors"
 	"log"
 	"os"
 	"os/signal"
 	"path"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/command"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/sys"
 	"git.gensokyo.uk/security/fortify/sandbox"
 )
-const shell = "/run/current-system/sw/bin/bash"
+const shellPath = "/run/current-system/sw/bin/bash"
 var (
 	errSuccess = errors.New("success")
 	std sys.State = new(sys.Std)
 )
 func init() {
-	if err := os.Setenv("SHELL", shell); err != nil {
+	fmsg.Prepare("fpkg")
 	if err := os.Setenv("SHELL", shellPath); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 }
 var (
 	flagVerbose bool
 )
 func init() {
 	flag.BoolVar(&flagVerbose, "v", false, "Verbose output")
 }
 func main() {
-	fmsg.Prepare("fpkg")
+	// early init path, skips root check and duplicate PR_SET_DUMPABLE
 	sandbox.TryArgv0(fmsg.Output{}, fmsg.Prepare, internal.InstallFmsg)
-	flag.Parse()
+	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
-	fmsg.Store(flagVerbose)
+		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
-
+		// not fatal: this program runs as the privileged user
 	args := flag.Args()
 	if len(args) < 1 {
 		log.Fatal("invalid argument")
 	}
-	switch args[0] {
+	if os.Geteuid() == 0 {
-	case "install":
+		log.Fatal("this program must not run as root")
 		actionInstall(args[1:])
 	case "start":
 		actionStart(args[1:])
 	default:
 		log.Fatal("invalid argument")
 	}
-	internal.Exit(0)
+	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM)
 	defer stop() // unreachable
 	var (
 		flagVerbose   bool
 		flagDropShell bool
 	)
 	c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error {
 		internal.InstallFmsg(flagVerbose)
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
 		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
 	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
 	{
 		var (
 			flagDropShellActivate bool
 		)
 		c.NewCommand("install", "Install an application from its package", func(args []string) error {
 			if len(args) != 1 {
 				log.Println("invalid argument")
 				return syscall.EINVAL
 			}
 			pkgPath := args[0]
 			if !path.IsAbs(pkgPath) {
 				if dir, err := os.Getwd(); err != nil {
 					log.Printf("cannot get current directory: %v", err)
 					return err
 				} else {
 					pkgPath = path.Join(dir, pkgPath)
 				}
 			}
 			/*
 				Look up paths to programs started by fpkg.
 				This is done here to ease error handling as cleanup is not yet required.
 			*/
 			var (
 				_     = lookPath("zstd")
 				tar   = lookPath("tar")
 				chmod = lookPath("chmod")
 				rm    = lookPath("rm")
 			)
 			/*
 				Extract package and set up for cleanup.
 			*/
 			var workDir string
 			if p, err := os.MkdirTemp("", "fpkg.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
 			} else {
 				workDir = p
 			}
 			cleanup := func() {
 				// should be faster than a native implementation
 				mustRun(chmod, "-R", "+w", workDir)
 				mustRun(rm, "-rf", workDir)
 			}
 			beforeRunFail.Store(&cleanup)
 			mustRun(tar, "-C", workDir, "-xf", pkgPath)
 			/*
 				Parse bundle and app metadata, do pre-install checks.
 			*/
 			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
 			pathSet := pathSetByApp(bundle.ID)
 			a := bundle
 			if s, err := os.Stat(pathSet.metaPath); err != nil {
 				if !os.IsNotExist(err) {
 					cleanup()
 					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
 					return err
 				}
 				// did not modify app, clean installation condition met later
 			} else if s.IsDir() {
 				cleanup()
 				log.Printf("metadata path %q is not a file", pathSet.metaPath)
 				return syscall.EBADMSG
 			} else {
 				a = loadAppInfo(pathSet.metaPath, cleanup)
 				if a.ID != bundle.ID {
 					cleanup()
 					log.Printf("app %q claims to have identifier %q",
 						bundle.ID, a.ID)
 					return syscall.EBADE
 				}
 				// sec: should verify credentials
 			}
 			if a != bundle {
 				// do not try to re-install
 				if a.NixGL == bundle.NixGL &&
 					a.CurrentSystem == bundle.CurrentSystem &&
 					a.Launcher == bundle.Launcher &&
 					a.ActivationPackage == bundle.ActivationPackage {
 					cleanup()
 					log.Printf("package %q is identical to local application %q",
 						pkgPath, a.ID)
 					return errSuccess
 				}
 				// AppID determines uid
 				if a.AppID != bundle.AppID {
 					cleanup()
 					log.Printf("package %q app id %d differs from installed %d",
 						pkgPath, bundle.AppID, a.AppID)
 					return syscall.EBADE
 				}
 				// sec: should compare version string
 				fmsg.Verbosef("installing application %q version %q over local %q",
 					bundle.ID, bundle.Version, a.Version)
 			} else {
 				fmsg.Verbosef("application %q clean installation", bundle.ID)
 				// sec: should install credentials
 			}
 			/*
 				Setup steps for files owned by the target user.
 			*/
 			withCacheDir(ctx, "install", []string{
 				// export inner bundle path in the environment
 				"export BUNDLE=" + fst.Tmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
 				"rm -rf etc",
 				"cp -dRf $BUNDLE/etc etc",
 				// replace inner /nix
 				"mkdir -p nix",
 				"chmod -R +w nix",
 				"rm -rf nix",
 				"cp -dRf /nix nix",
 				// copy from binary cache
 				"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
 				// deduplicate nix store
 				"nix store --offline --store $PWD optimise",
 				// make cache directory world-readable for autoetc
 				"chmod 0755 .",
 			}, workDir, bundle, pathSet, flagDropShell, cleanup)
 			if bundle.GPU {
 				withCacheDir(ctx, "mesa-wrappers", []string{
 					// link nixGL mesa wrappers
 					"mkdir -p nix/.nixGL",
 					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
 					"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
 				}, workDir, bundle, pathSet, false, cleanup)
 			}
 			/*
 				Activate home-manager generation.
 			*/
 			withNixDaemon(ctx, "activate", []string{
 				// clean up broken links
 				"mkdir -p .local/state/{nix,home-manager}",
 				"chmod -R +w .local/state/{nix,home-manager}",
 				"rm -rf .local/state/{nix,home-manager}",
 				// run activation script
 				bundle.ActivationPackage + "/activate",
 			}, false, func(config *fst.Config) *fst.Config { return config },
 				bundle, pathSet, flagDropShellActivate, cleanup)
 			/*
 				Installation complete. Write metadata to block re-installs or downgrades.
 			*/
 			// serialise metadata to ensure consistency
 			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 				cleanup()
 				log.Printf("cannot create metadata file: %v", err)
 				return err
 			} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
 				cleanup()
 				log.Printf("cannot write metadata: %v", err)
 				return err
 			} else if err = f.Close(); err != nil {
 				log.Printf("cannot close metadata file: %v", err)
 				// not fatal
 			}
 			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
 				cleanup()
 				log.Printf("cannot rename metadata file: %v", err)
 				return err
 			}
 			cleanup()
 			return errSuccess
 		}).
 			Flag(&flagDropShellActivate, "s", command.BoolFlag(false), "Drop to a shell on activation")
 	}
 	{
 		var (
 			flagDropShellNixGL bool
 			flagAutoDrivers    bool
 		)
 		c.NewCommand("start", "Start an application", func(args []string) error {
 			if len(args) < 1 {
 				log.Println("invalid argument")
 				return syscall.EINVAL
 			}
 			/*
 				Parse app metadata.
 			*/
 			id := args[0]
 			pathSet := pathSetByApp(id)
 			a := loadAppInfo(pathSet.metaPath, func() {})
 			if a.ID != id {
 				log.Printf("app %q claims to have identifier %q", id, a.ID)
 				return syscall.EBADE
 			}
 			/*
 				Prepare nixGL.
 			*/
 			if a.GPU && flagAutoDrivers {
 				withNixDaemon(ctx, "nix-gl", []string{
 					"mkdir -p /nix/.nixGL/auto",
 					"rm -rf /nix/.nixGL/auto",
 					"export NIXPKGS_ALLOW_UNFREE=1",
 					"nix build --impure " +
 						"--out-link /nix/.nixGL/auto/opengl " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL,
 					"nix build --impure " +
 						"--out-link /nix/.nixGL/auto/vulkan " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
 				}, true, func(config *fst.Config) *fst.Config {
 					config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
 						{Src: "/etc/resolv.conf"},
 						{Src: "/sys/block"},
 						{Src: "/sys/bus"},
 						{Src: "/sys/class"},
 						{Src: "/sys/dev"},
 						{Src: "/sys/devices"},
 					}...)
 					appendGPUFilesystem(config)
 					return config
 				}, a, pathSet, flagDropShellNixGL, func() {})
 			}
 			/*
 				Create app configuration.
 			*/
 			argv := make([]string, 1, len(args))
 			if !flagDropShell {
 				argv[0] = a.Launcher
 			} else {
 				argv[0] = shellPath
 			}
 			argv = append(argv, args[1:]...)
 			config := a.toFst(pathSet, argv, flagDropShell)
 			/*
 				Expose GPU devices.
 			*/
 			if a.GPU {
 				config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
 					&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
 				appendGPUFilesystem(config)
 			}
 			/*
 				Spawn app.
 			*/
 			mustRunApp(ctx, config, func() {})
 			return errSuccess
 		}).
 			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
 			Flag(&flagAutoDrivers, "auto-drivers", command.BoolFlag(false), "Attempt automatic opengl driver detection")
 	}
 	c.MustParse(os.Args[1:], func(err error) {
 		fmsg.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
 			fmsg.BeforeExit()
 			os.Exit(0)
 		}
 	})
 	log.Fatal("unreachable")
 }
--- a/cmd/fpkg/paths.go
+++ b/cmd/fpkg/paths.go
@ -8,6 +8,7 @@ import (
 	"strconv"
 	"sync/atomic"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
@ -69,3 +70,32 @@ func pathSetByApp(id string) *appPathSet {
 	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
 	return pathSet
 }
 func appendGPUFilesystem(config *fst.Config) {
 	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{Src: "/dev/dri", Device: true},
 		// mali
 		{Src: "/dev/mali", Device: true},
 		{Src: "/dev/mali0", Device: true},
 		{Src: "/dev/umplock", Device: true},
 		// nvidia
 		{Src: "/dev/nvidiactl", Device: true},
 		{Src: "/dev/nvidia-modeset", Device: true},
 		// nvidia OpenCL/CUDA
 		{Src: "/dev/nvidia-uvm", Device: true},
 		{Src: "/dev/nvidia-uvm-tools", Device: true},
 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
 		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
 		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
 		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
 		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
 		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
 		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
 		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
 		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
 		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
 		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
 	}...)
 }
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@ -1,65 +1,28 @@
 package main
 import (
-	"encoding/json"
+	"context"
 	"errors"
 	"io"
 	"log"
 	"os"
 	"os/exec"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
-const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
 	rs := new(fst.RunState)
 	a := app.MustNew(ctx, std)
-var (
+	if sa, err := a.Seal(config); err != nil {
-	Fmain = compPoison
+		fmsg.PrintBaseError(err, "cannot seal app:")
-)
+		rs.ExitCode = 1
 func fortifyApp(config *fst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
 	if p, ok := internal.Path(Fmain); !ok {
 		beforeFail()
 		log.Fatal("invalid fortify path, this copy of fpkg is not compiled correctly")
 	} else if r, w, err := os.Pipe(); err != nil {
 		beforeFail()
 		log.Fatalf("cannot pipe: %v", err)
 	} else {
-		if fmsg.Load() {
+		// this updates ExitCode
-			cmd = exec.Command(p, "-v", "app", "3")
+		app.PrintRunStateErr(rs, sa.Run(rs))
 		} else {
 			cmd = exec.Command(p, "app", "3")
 		}
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		cmd.ExtraFiles = []*os.File{r}
 		st = w
 	}
-	go func() {
+	if rs.ExitCode != 0 {
 		if err := json.NewEncoder(st).Encode(config); err != nil {
 			beforeFail()
 			log.Fatalf("cannot send configuration: %v", err)
 		}
 	}()
 	if err := cmd.Start(); err != nil {
 		beforeFail()
-		log.Fatalf("cannot start fortify: %v", err)
+		os.Exit(rs.ExitCode)
 	}
 	if err := cmd.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if errors.As(err, &exitError) {
 			beforeFail()
 			internal.Exit(exitError.ExitCode())
 		} else {
 			beforeFail()
 			log.Fatalf("cannot wait: %v", err)
 		}
 	}
 }
--- a/cmd/fpkg/start.go
+++ b/cmd/fpkg/start.go
@ -1,178 +0,0 @@
 package main
 import (
 	"flag"
 	"log"
 	"path"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal"
 )
 func actionStart(args []string) {
 	set := flag.NewFlagSet("start", flag.ExitOnError)
 	var (
 		dropShell      bool
 		dropShellNixGL bool
 		autoDrivers    bool
 	)
 	set.BoolVar(&dropShell, "s", false, "Drop to a shell")
 	set.BoolVar(&dropShellNixGL, "sg", false, "Drop to a shell on nixGL build")
 	set.BoolVar(&autoDrivers, "autodrivers", false, "Attempt automatic opengl driver detection")
 	// Ignore errors; set is set for ExitOnError.
 	_ = set.Parse(args)
 	args = set.Args()
 	if len(args) < 1 {
 		log.Fatal("invalid argument")
 	}
 	/*
 		Parse app metadata.
 	*/
 	id := args[0]
 	pathSet := pathSetByApp(id)
 	app := loadBundleInfo(pathSet.metaPath, func() {})
 	if app.ID != id {
 		log.Fatalf("app %q claims to have identifier %q", id, app.ID)
 	}
 	/*
 		Prepare nixGL.
 	*/
 	if app.GPU && autoDrivers {
 		withNixDaemon("nix-gl", []string{
 			"mkdir -p /nix/.nixGL/auto",
 			"rm -rf /nix/.nixGL/auto",
 			"export NIXPKGS_ALLOW_UNFREE=1",
 			"nix build --impure " +
 				"--out-link /nix/.nixGL/auto/opengl " +
 				"--override-input nixpkgs path:/etc/nixpkgs " +
 				"path:" + app.NixGL,
 			"nix build --impure " +
 				"--out-link /nix/.nixGL/auto/vulkan " +
 				"--override-input nixpkgs path:/etc/nixpkgs " +
 				"path:" + app.NixGL + "#nixVulkanNvidia",
 		}, true, func(config *fst.Config) *fst.Config {
 			config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
 				{Src: "/etc/resolv.conf"},
 				{Src: "/sys/block"},
 				{Src: "/sys/bus"},
 				{Src: "/sys/class"},
 				{Src: "/sys/dev"},
 				{Src: "/sys/devices"},
 			}...)
 			appendGPUFilesystem(config)
 			return config
 		}, app, pathSet, dropShellNixGL, func() {})
 	}
 	/*
 		Create app configuration.
 	*/
 	command := make([]string, 1, len(args))
 	if !dropShell {
 		command[0] = app.Launcher
 	} else {
 		command[0] = shell
 	}
 	command = append(command, args[1:]...)
 	config := &fst.Config{
 		ID:      app.ID,
 		Command: command,
 		Confinement: fst.ConfinementConfig{
 			AppID:    app.AppID,
 			Groups:   app.Groups,
 			Username: "fortify",
 			Inner:    path.Join("/data/data", app.ID),
 			Outer:    pathSet.homeDir,
 			Sandbox: &fst.SandboxConfig{
 				Hostname:      formatHostname(app.Name),
 				UserNS:        app.UserNS,
 				Net:           app.Net,
 				Dev:           app.Dev,
 				Syscall:       &bwrap.SyscallPolicy{DenyDevel: !app.Devel, Multiarch: app.Multiarch, Bluetooth: app.Bluetooth},
 				NoNewSession:  app.NoNewSession || dropShell,
 				MapRealUID:    app.MapRealUID,
 				DirectWayland: app.DirectWayland,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
 					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
 					{Src: "/etc/resolv.conf"},
 					{Src: "/sys/block"},
 					{Src: "/sys/bus"},
 					{Src: "/sys/class"},
 					{Src: "/sys/dev"},
 					{Src: "/sys/devices"},
 				},
 				Link: [][2]string{
 					{app.CurrentSystem, "/run/current-system"},
 					{"/run/current-system/sw/bin", "/bin"},
 					{"/run/current-system/sw/bin", "/usr/bin"},
 				},
 				Etc:     path.Join(pathSet.cacheDir, "etc"),
 				AutoEtc: true,
 			},
 			ExtraPerms: []*fst.ExtraPermConfig{
 				{Path: dataHome, Execute: true},
 				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			},
 			SystemBus:   app.SystemBus,
 			SessionBus:  app.SessionBus,
 			Enablements: app.Enablements,
 		},
 	}
 	/*
 		Expose GPU devices.
 	*/
 	if app.GPU {
 		config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
 			&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
 		appendGPUFilesystem(config)
 	}
 	/*
 		Spawn app.
 	*/
 	fortifyApp(config, func() {})
 	internal.Exit(0)
 }
 func appendGPUFilesystem(config *fst.Config) {
 	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{Src: "/dev/dri", Device: true},
 		// mali
 		{Src: "/dev/mali", Device: true},
 		{Src: "/dev/mali0", Device: true},
 		{Src: "/dev/umplock", Device: true},
 		// nvidia
 		{Src: "/dev/nvidiactl", Device: true},
 		{Src: "/dev/nvidia-modeset", Device: true},
 		// nvidia OpenCL/CUDA
 		{Src: "/dev/nvidia-uvm", Device: true},
 		{Src: "/dev/nvidia-uvm-tools", Device: true},
 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
 		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
 		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
 		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
 		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
 		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
 		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
 		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
 		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
 		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
 		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
 	}...)
 }
--- a/cmd/fpkg/test/configuration.nix
+++ b/cmd/fpkg/test/configuration.nix
@ -0,0 +1,60 @@
 { pkgs, ... }:
 {
  users.users = {
    alice = {
      isNormalUser = true;
      description = "Alice Foobar";
      password = "foobar";
      uid = 1000;
    };
  };
  home-manager.users.alice.home.stateVersion = "24.11";
  # Automatically login on tty1 as a normal user:
  services.getty.autologinUser = "alice";
  environment = {
    variables = {
      SWAYSOCK = "/tmp/sway-ipc.sock";
      WLR_RENDERER = "pixman";
    };
  };
  # Automatically configure and start Sway when logging in on tty1:
  programs.bash.loginShellInit = ''
    if [ "$(tty)" = "/dev/tty1" ]; then
      set -e
      mkdir -p ~/.config/sway
      (sed s/Mod4/Mod1/ /etc/sway/config &&
      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
      sway --validate
      systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
    fi
  '';
  programs.sway.enable = true;
  virtualisation = {
    diskSize = 6 * 1024;
    qemu.options = [
      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
      "-vga none -device virtio-gpu-pci"
      # Increase zstd performance:
      "-smp 8"
    ];
  };
  environment.fortify = {
    enable = true;
    stateDir = "/var/lib/fortify";
    users.alice = 0;
    home-manager = _: _: { home.stateVersion = "23.05"; };
  };
 }
--- a/cmd/fpkg/test/default.nix
+++ b/cmd/fpkg/test/default.nix
@ -0,0 +1,34 @@
 {
  nixosTest,
  callPackage,
  system,
  self,
 }:
 let
  buildPackage = self.buildPackage.${system};
 in
 nixosTest {
  name = "fpkg";
  nodes.machine = {
    environment.etc = {
      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
    };
    imports = [
      ./configuration.nix
      self.nixosModules.fortify
      self.inputs.home-manager.nixosModules.home-manager
    ];
  };
  # adapted from nixos sway integration tests
  # testScriptWithTypes:49: error: Cannot call function of unknown type
  #           (machine.succeed if succeed else machine.execute)(
  #           ^
  # Found 1 error in 1 file (checked 1 source file)
  skipTypeCheck = true;
  testScript = builtins.readFile ./test.py;
 }
--- a/cmd/fpkg/test/foot.nix
+++ b/cmd/fpkg/test/foot.nix
@ -0,0 +1,48 @@
 {
  lib,
  buildPackage,
  foot,
  wayland-utils,
  inconsolata,
 }:
 buildPackage {
  name = "foot";
  inherit (foot) version;
  app_id = 2;
  id = "org.codeberg.dnkl.foot";
  modules = [
    {
      home.packages = [
        foot
        # For wayland-info:
        wayland-utils
      ];
    }
  ];
  nixosModules = [
    {
      # To help with OCR:
      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
        main = {
          font = "inconsolata:size=14";
        };
        colors = rec {
          foreground = "000000";
          background = "ffffff";
          regular2 = foreground;
        };
      };
      fonts.packages = [ inconsolata ];
    }
  ];
  script = ''
    exec foot "$@"
  '';
 }
--- a/cmd/fpkg/test/test.py
+++ b/cmd/fpkg/test/test.py
@ -0,0 +1,108 @@
 import json
 import shlex
 q = shlex.quote
 NODE_GROUPS = ["nodes", "floating_nodes"]
 def swaymsg(command: str = "", succeed=True, type="command"):
    assert command != "" or type != "command", "Must specify command or type"
    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
    with machine.nested(
            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
    ):
        ret = (machine.succeed if succeed else machine.execute)(
            f"su - alice -c {shell}"
        )
    # execute also returns a status code, but disregard.
    if not succeed:
        _, ret = ret
    if not succeed and not ret:
        return None
    parsed = json.loads(ret)
    return parsed
 def walk(tree):
    yield tree
    for group in NODE_GROUPS:
        for node in tree.get(group, []):
            yield from walk(node)
 def wait_for_window(pattern):
    def func(last_chance):
        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
        if last_chance:
            nodes = list(nodes)
            machine.log(f"Last call! Current list of windows: {nodes}")
        return any(pattern in name for name in nodes)
    retry(func)
 def collect_state_ui(name):
    swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
    machine.copy_from_vm(f"/tmp/{name}.ps", "")
    swaymsg(f"exec fortify --json ps > '/tmp/{name}.json'")
    machine.copy_from_vm(f"/tmp/{name}.json", "")
    machine.screenshot(name)
 def check_state(name, enablements):
    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps"))
    if len(instances) != 1:
        raise Exception(f"unexpected state length {len(instances)}")
    instance = next(iter(instances.values()))
    config = instance['config']
    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['args'][0]):
        raise Exception(f"unexpected args {instance['config']['args']}")
    if config['confinement']['enablements'] != enablements:
        raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
 start_all()
 machine.wait_for_unit("multi-user.target")
 # To check fortify's version:
 print(machine.succeed("sudo -u alice -i fortify version"))
 # Wait for Sway to complete startup:
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")
 # Prepare fpkg directory:
 machine.succeed("install -dm 0700 -o alice -g users /var/lib/fortify/1000")
 # Install fpkg app:
 swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
 machine.wait_for_file("/tmp/fpkg-install-done")
 # Start app (foot) with Wayland enablement:
 swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
 wait_for_window("fortify@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
 check_state("foot", 13)
 # Verify acl on XDG_RUNTIME_DIR:
 print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
 machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")
 # Print fortify runDir contents:
 print(machine.succeed("find /run/user/1000/fortify"))
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@ -1,21 +1,24 @@
 package main
 import (
 	"context"
 	"path"
 	"strings"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )
 func withNixDaemon(
 	ctx context.Context,
 	action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
-	app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
-	fortifyAppDropShell(updateConfig(&fst.Config{
+	mustRunAppDropShell(ctx, updateConfig(&fst.Config{
-		ID: app.ID,
+		ID:   app.ID,
-		Command: []string{shell, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+		Path: shellPath,
 		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 			// start nix-daemon
 			"nix-daemon --store / & " +
 			// wait for socket to appear
@ -31,12 +34,13 @@ func withNixDaemon(
 			Username: "fortify",
 			Inner:    path.Join("/data/data", app.ID),
 			Outer:    pathSet.homeDir,
 			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
-				Hostname:     formatHostname(app.Name) + "-" + action,
+				Hostname: formatHostname(app.Name) + "-" + action,
-				UserNS:       true, // nix sandbox requires userns
+				Userns:   true, // nix sandbox requires userns
-				Net:          net,
+				Net:      net,
-				Syscall:      &bwrap.SyscallPolicy{Multiarch: true},
+				Seccomp:  seccomp.FlagMultiarch,
-				NoNewSession: dropShell,
+				Tty:      dropShell,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
 				},
@ -56,19 +60,24 @@ func withNixDaemon(
 	}), dropShell, beforeFail)
 }
-func withCacheDir(action string, command []string, workDir string, app *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
+func withCacheDir(
-	fortifyAppDropShell(&fst.Config{
+	ctx context.Context,
-		ID:      app.ID,
+	action string, command []string, workDir string,
-		Command: []string{shell, "-lc", strings.Join(command, " && ")},
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
 	mustRunAppDropShell(ctx, &fst.Config{
 		ID:   app.ID,
 		Path: shellPath,
 		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
 		Confinement: fst.ConfinementConfig{
 			AppID:    app.AppID,
 			Username: "nixos",
 			Inner:    path.Join("/data/data", app.ID, "cache"),
 			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
 			Shell:    shellPath,
 			Sandbox: &fst.SandboxConfig{
-				Hostname:     formatHostname(app.Name) + "-" + action,
+				Hostname: formatHostname(app.Name) + "-" + action,
-				Syscall:      &bwrap.SyscallPolicy{Multiarch: true},
+				Seccomp:  seccomp.FlagMultiarch,
-				NoNewSession: dropShell,
+				Tty:      dropShell,
 				Filesystem: []*fst.FilesystemConfig{
 					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
 					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
@ -90,12 +99,12 @@ func withCacheDir(action string, command []string, workDir string, app *bundleIn
 	}, dropShell, beforeFail)
 }
-func fortifyAppDropShell(config *fst.Config, dropShell bool, beforeFail func()) {
+func mustRunAppDropShell(ctx context.Context, config *fst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
-		config.Command = []string{shell, "-l"}
+		config.Args = []string{shellPath, "-l"}
-		fortifyApp(config, beforeFail)
+		mustRunApp(ctx, config, beforeFail)
 		beforeFail()
 		internal.Exit(0)
 	}
-	fortifyApp(config, beforeFail)
+	mustRunApp(ctx, config, beforeFail)
 }
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -13,7 +13,6 @@ import (
 )
 const (
 	compPoison  = "INVALIDINVALIDINVALIDINVALIDINVALID"
 	fsuConfFile = "/etc/fsurc"
 	envShim     = "FORTIFY_SHIM"
 	envAID      = "FORTIFY_APP_ID"
@ -22,10 +21,6 @@ const (
 	PR_SET_NO_NEW_PRIVS = 0x26
 )
 var (
 	Fmain = compPoison
 )
 func main() {
 	log.SetFlags(0)
 	log.SetPrefix("fsu: ")
@ -40,20 +35,16 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}
-	var fmain string
+	var toolPath string
 	if p, ok := checkPath(Fmain); !ok {
 		log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
 	} else {
 		fmain = p
 	}
 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
 		log.Fatal("fortify executable has been deleted")
-	} else if p != fmain {
+	} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
 		log.Fatal("this program must be started by fortify")
 	} else {
 		toolPath = p
 	}
 	// uid = 1000000 +
@ -147,13 +138,9 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(fmain, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
 	panic("unreachable")
 }
 func checkPath(p string) (string, bool) {
 	return p, p != compPoison && p != "" && path.IsAbs(p)
 }
--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
@ -0,0 +1,30 @@
 {
  lib,
  buildGoModule,
  fortify ? abort "fortify package required",
 }:
 buildGoModule {
  pname = "${fortify.pname}-fsu";
  inherit (fortify) version;
  src = ./.;
  inherit (fortify) vendorHash;
  CGO_ENABLED = 0;
  preBuild = ''
    go mod init fsu >& /dev/null
  '';
  ldflags =
    lib.attrsets.foldlAttrs
      (
        ldflags: name: value:
        ldflags ++ [ "-X main.${name}=${value}" ]
      )
      [ "-s -w" ]
      {
        fmain = "${fortify}/libexec/fortify";
        fpkg = "${fortify}/libexec/fpkg";
      };
 }
--- a/cmd/fsu/path.go
+++ b/cmd/fsu/path.go
@ -0,0 +1,21 @@
 package main
 import (
 	"log"
 	"path"
 )
 const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
 var (
 	fmain = compPoison
 	fpkg  = compPoison
 )
 func mustCheckPath(p string) string {
 	if p != compPoison && p != "" && path.IsAbs(p) {
 		return p
 	}
 	log.Fatal("this program is compiled incorrectly")
 	return compPoison
 }
--- a/command/builder.go
+++ b/command/builder.go
@ -0,0 +1,65 @@
 package command
 import (
 	"flag"
 	"fmt"
 	"io"
 )
 // New initialises a root Node.
 func New(output io.Writer, logf LogFunc, name string, early HandlerFunc) Command {
 	c := rootNode{newNode(output, logf, name, "")}
 	c.f = early
 	return c
 }
 func newNode(output io.Writer, logf LogFunc, name, usage string) *node {
 	n := &node{
 		name: name, usage: usage,
 		out: output, logf: logf,
 		set: flag.NewFlagSet(name, flag.ContinueOnError),
 	}
 	n.set.SetOutput(output)
 	n.set.Usage = func() {
 		_ = n.writeHelp()
 		if n.suffix.Len() > 0 {
 			_, _ = fmt.Fprintln(output, "Flags:")
 			n.set.PrintDefaults()
 			_, _ = fmt.Fprintln(output)
 		}
 	}
 	return n
 }
 func (n *node) Command(name, usage string, f HandlerFunc) Node {
 	n.NewCommand(name, usage, f)
 	return n
 }
 func (n *node) NewCommand(name, usage string, f HandlerFunc) Flag[Node] {
 	if f == nil {
 		panic("invalid handler")
 	}
 	if name == "" || usage == "" {
 		panic("invalid subcommand")
 	}
 	s := newNode(n.out, n.logf, name, usage)
 	s.f = f
 	if !n.adopt(s) {
 		panic("attempted to initialise subcommand with non-unique name")
 	}
 	return s
 }
 func (n *node) New(name, usage string) Node {
 	if name == "" || usage == "" {
 		panic("invalid subcommand tree")
 	}
 	s := newNode(n.out, n.logf, name, usage)
 	if !n.adopt(s) {
 		panic("attempted to initialise subcommand tree with non-unique name")
 	}
 	return s
 }
--- a/command/builder_test.go
+++ b/command/builder_test.go
@ -0,0 +1,56 @@
 package command_test
 import (
 	"testing"
 	"git.gensokyo.uk/security/fortify/command"
 )
 func TestBuild(t *testing.T) {
 	c := command.New(nil, nil, "test", nil)
 	stubHandler := func([]string) error { panic("unreachable") }
 	t.Run("nil direct handler", func(t *testing.T) {
 		defer checkRecover(t, "Command", "invalid handler")
 		c.Command("name", "usage", nil)
 	})
 	t.Run("direct zero length", func(t *testing.T) {
 		wantPanic := "invalid subcommand"
 		t.Run("zero length name", func(t *testing.T) { defer checkRecover(t, "Command", wantPanic); c.Command("", "usage", stubHandler) })
 		t.Run("zero length usage", func(t *testing.T) { defer checkRecover(t, "Command", wantPanic); c.Command("name", "", stubHandler) })
 	})
 	t.Run("direct adopt unique names", func(t *testing.T) {
 		c.Command("d0", "usage", stubHandler)
 		c.Command("d1", "usage", stubHandler)
 	})
 	t.Run("direct adopt non-unique name", func(t *testing.T) {
 		defer checkRecover(t, "Command", "attempted to initialise subcommand with non-unique name")
 		c.Command("d0", "usage", stubHandler)
 	})
 	t.Run("zero length", func(t *testing.T) {
 		wantPanic := "invalid subcommand tree"
 		t.Run("zero length name", func(t *testing.T) { defer checkRecover(t, "New", wantPanic); c.New("", "usage") })
 		t.Run("zero length usage", func(t *testing.T) { defer checkRecover(t, "New", wantPanic); c.New("name", "") })
 	})
 	t.Run("direct adopt unique names", func(t *testing.T) {
 		c.New("t0", "usage")
 		c.New("t1", "usage")
 	})
 	t.Run("direct adopt non-unique name", func(t *testing.T) {
 		defer checkRecover(t, "Command", "attempted to initialise subcommand tree with non-unique name")
 		c.New("t0", "usage")
 	})
 }
 func checkRecover(t *testing.T, name, wantPanic string) {
 	if r := recover(); r != wantPanic {
 		t.Errorf("%s: panic = %v; wantPanic %v",
 			name, r, wantPanic)
 	}
 }
--- a/command/command.go
+++ b/command/command.go
@ -0,0 +1,55 @@
 // Package command implements generic nested command parsing.
 package command
 import (
 	"flag"
 	"strings"
 )
 // UsageInternal causes the command to be hidden from help text when set as the usage string.
 const UsageInternal = "internal"
 type (
 	// HandlerFunc is called when matching a directly handled subcommand tree.
 	HandlerFunc = func(args []string) error
 	// LogFunc is the function signature of a printf function.
 	LogFunc = func(format string, a ...any)
 	// FlagDefiner is a deferred flag definer value, usually encapsulating the default value.
 	FlagDefiner interface {
 		// Define defines the flag in set.
 		Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string)
 	}
 	Flag[T any] interface {
 		// Flag defines a generic flag type in Node's flag set.
 		Flag(p any, name string, value FlagDefiner, usage string) T
 	}
 	Command interface {
 		Parse(arguments []string) error
 		// MustParse determines exit outcomes for Parse errors
 		// and calls handleError if [HandlerFunc] returns a non-nil error.
 		MustParse(arguments []string, handleError func(error))
 		baseNode[Command]
 	}
 	Node baseNode[Node]
 	baseNode[T any] interface {
 		// Command appends a subcommand with direct command handling.
 		Command(name, usage string, f HandlerFunc) T
 		// New returns a new subcommand tree.
 		New(name, usage string) (sub Node)
 		// NewCommand returns a new subcommand with direct command handling.
 		NewCommand(name, usage string, f HandlerFunc) (sub Flag[Node])
 		// PrintHelp prints a help message to the configured writer.
 		PrintHelp()
 		Flag[T]
 	}
 )
--- a/command/flag.go
+++ b/command/flag.go
@ -0,0 +1,77 @@
 package command
 import (
 	"errors"
 	"flag"
 	"strings"
 )
 // FlagError wraps errors returned by [flag].
 type FlagError struct{ error }
 func (e FlagError) Success() bool { return errors.Is(e.error, flag.ErrHelp) }
 func (e FlagError) Is(target error) bool {
 	return (e.error == nil && target == nil) ||
 		((e.error != nil && target != nil) && e.error.Error() == target.Error())
 }
 func (n *node) Flag(p any, name string, value FlagDefiner, usage string) Node {
 	value.Define(&n.suffix, n.set, p, name, usage)
 	return n
 }
 // StringFlag is the default value of a string flag.
 type StringFlag string
 func (v StringFlag) Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string) {
 	set.StringVar(p.(*string), name, string(v), usage)
 	b.WriteString(" [" + prettyFlag(name) + " <value>]")
 }
 // IntFlag is the default value of an int flag.
 type IntFlag int
 func (v IntFlag) Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string) {
 	set.IntVar(p.(*int), name, int(v), usage)
 	b.WriteString(" [" + prettyFlag(name) + " <int>]")
 }
 // BoolFlag is the default value of a bool flag.
 type BoolFlag bool
 func (v BoolFlag) Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string) {
 	set.BoolVar(p.(*bool), name, bool(v), usage)
 	b.WriteString(" [" + prettyFlag(name) + "]")
 }
 // RepeatableFlag implements an ordered, repeatable string flag.
 type RepeatableFlag []string
 func (r *RepeatableFlag) String() string {
 	if r == nil {
 		return "<nil>"
 	}
 	return strings.Join(*r, " ")
 }
 func (r *RepeatableFlag) Set(v string) error {
 	*r = append(*r, v)
 	return nil
 }
 func (r *RepeatableFlag) Define(b *strings.Builder, set *flag.FlagSet, _ any, name, usage string) {
 	set.Var(r, name, usage)
 	b.WriteString(" [" + prettyFlag(name) + " <value>]")
 }
 // this has no effect on parse outcome
 func prettyFlag(name string) string {
 	switch len(name) {
 	case 0:
 		panic("zero length flag name")
 	case 1:
 		return "-" + name
 	default:
 		return "--" + name
 	}
 }
--- a/command/help.go
+++ b/command/help.go
@ -0,0 +1,53 @@
 package command
 import (
 	"errors"
 	"fmt"
 	"io"
 	"strings"
 	"text/tabwriter"
 )
 var ErrHelp = errors.New("help requested")
 func (n *node) PrintHelp() { _ = n.writeHelp() }
 func (n *node) writeHelp() error {
 	if _, err := fmt.Fprintf(n.out,
 		"\nUsage:\t%s [-h | --help]%s COMMAND [OPTIONS]\n",
 		strings.Join(append(n.prefix, n.name), " "), &n.suffix,
 	); err != nil {
 		return err
 	}
 	if n.child != nil {
 		if _, err := fmt.Fprint(n.out, "\nCommands:\n"); err != nil {
 			return err
 		}
 	}
 	tw := tabwriter.NewWriter(n.out, 0, 1, 4, ' ', 0)
 	if err := n.child.writeCommands(tw); err != nil {
 		return err
 	}
 	if err := tw.Flush(); err != nil {
 		return err
 	}
 	_, err := n.out.Write([]byte{'\n'})
 	if err == nil {
 		err = ErrHelp
 	}
 	return err
 }
 func (n *node) writeCommands(w io.Writer) error {
 	if n == nil {
 		return nil
 	}
 	if n.usage != UsageInternal {
 		if _, err := fmt.Fprintf(w, "\t%s\t%s\n", n.name, n.usage); err != nil {
 			return err
 		}
 	}
 	return n.next.writeCommands(w)
 }
--- a/command/node.go
+++ b/command/node.go
@ -0,0 +1,40 @@
 package command
 import (
 	"flag"
 	"io"
 	"strings"
 )
 type node struct {
 	child, next *node
 	name, usage string
 	out  io.Writer
 	logf LogFunc
 	prefix []string
 	suffix strings.Builder
 	f   HandlerFunc
 	set *flag.FlagSet
 }
 func (n *node) adopt(v *node) bool {
 	if n.child != nil {
 		return n.child.append(v)
 	}
 	n.child = v
 	return true
 }
 func (n *node) append(v *node) bool {
 	if n.name == v.name {
 		return false
 	}
 	if n.next != nil {
 		return n.next.append(v)
 	}
 	n.next = v
 	return true
 }
--- a/command/parse.go
+++ b/command/parse.go
@ -0,0 +1,105 @@
 package command
 import (
 	"errors"
 	"log"
 	"os"
 )
 var (
 	ErrEmptyTree = errors.New("subcommand tree has no nodes")
 	ErrNoMatch   = errors.New("did not match any subcommand")
 )
 func (n *node) Parse(arguments []string) error {
 	if n.usage == "" { // root node has zero length usage
 		if n.next != nil {
 			panic("invalid toplevel state")
 		}
 		goto match
 	}
 	if len(arguments) == 0 {
 		// unreachable: zero length args cause upper level to return with a help message
 		panic("attempted to parse with zero length args")
 	}
 	if arguments[0] != n.name {
 		if n.next == nil {
 			n.printf("%q is not a valid command", arguments[0])
 			return ErrNoMatch
 		}
 		n.next.prefix = n.prefix
 		return n.next.Parse(arguments)
 	}
 	arguments = arguments[1:]
 match:
 	if n.child != nil {
 		// propagate help prefix early: flag set usage dereferences help
 		n.child.prefix = append(n.prefix, n.name)
 	}
 	if n.set.Parsed() {
 		panic("invalid set state")
 	}
 	if err := n.set.Parse(arguments); err != nil {
 		return FlagError{err}
 	}
 	args := n.set.Args()
 	if n.child != nil {
 		if n.f != nil {
 			if n.usage != "" { // root node early special case
 				panic("invalid subcommand tree state")
 			}
 			// special case: root node calls HandlerFunc for initialisation
 			if err := n.f(nil); err != nil {
 				return err
 			}
 		}
 		if len(args) == 0 {
 			return n.writeHelp()
 		}
 		return n.child.Parse(args)
 	}
 	if n.f == nil {
 		n.printf("%q has no subcommands", n.name)
 		return ErrEmptyTree
 	}
 	return n.f(args)
 }
 func (n *node) printf(format string, a ...any) {
 	if n.logf == nil {
 		log.Printf(format, a...)
 	} else {
 		n.logf(format, a...)
 	}
 }
 func (n *node) MustParse(arguments []string, handleError func(error)) {
 	switch err := n.Parse(arguments); err {
 	case nil:
 		return
 	case ErrHelp:
 		os.Exit(0)
 	case ErrNoMatch:
 		os.Exit(1)
 	case ErrEmptyTree:
 		os.Exit(1)
 	default:
 		var flagError FlagError
 		if !errors.As(err, &flagError) { // returned by HandlerFunc
 			handleError(err)
 			os.Exit(1)
 		}
 		if flagError.Success() {
 			os.Exit(0)
 		}
 		os.Exit(1)
 	}
 }
--- a/command/parse_test.go
+++ b/command/parse_test.go
@ -0,0 +1,344 @@
 package command_test
 import (
 	"bytes"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"log"
 	"strings"
 	"testing"
 	"git.gensokyo.uk/security/fortify/command"
 )
 func TestParse(t *testing.T) {
 	testCases := []struct {
 		name      string
 		buildTree func(wout, wlog io.Writer) command.Command
 		args      []string
 		want      string
 		wantLog   string
 		wantErr   error
 	}{
 		{
 			"d=0 empty sub",
 			func(wout, wlog io.Writer) command.Command { return command.New(wout, newLogFunc(wlog), "root", nil) },
 			[]string{""},
 			"", "test: \"root\" has no subcommands\n", command.ErrEmptyTree,
 		},
 		{
 			"d=0 empty sub garbage",
 			func(wout, wlog io.Writer) command.Command { return command.New(wout, newLogFunc(wlog), "root", nil) },
 			[]string{"a", "b", "c", "d"},
 			"", "test: \"root\" has no subcommands\n", command.ErrEmptyTree,
 		},
 		{
 			"d=0 no match",
 			buildTestCommand,
 			[]string{"nonexistent"},
 			"", "test: \"nonexistent\" is not a valid command\n", command.ErrNoMatch,
 		},
 		{
 			"d=0 direct error",
 			buildTestCommand,
 			[]string{"error"},
 			"", "", errSuccess,
 		},
 		{
 			"d=0 direct error garbage",
 			buildTestCommand,
 			[]string{"error", "0", "1", "2"},
 			"", "", errSuccess,
 		},
 		{
 			"d=0 direct success out of order",
 			buildTestCommand,
 			[]string{"succeed"},
 			"", "", nil,
 		},
 		{
 			"d=0 direct success output",
 			buildTestCommand,
 			[]string{"print", "0", "1", "2"},
 			"012", "", nil,
 		},
 		{
 			"d=0 out of order string flag",
 			buildTestCommand,
 			[]string{"string", "--string", "64d3b4b7b21788585845060e2199a78f"},
 			"flag provided but not defined: -string\n\nUsage:\ttest string [-h | --help] COMMAND [OPTIONS]\n\n", "",
 			errors.New("flag provided but not defined: -string"),
 		},
 		{
 			"d=0 string flag",
 			buildTestCommand,
 			[]string{"--string", "64d3b4b7b21788585845060e2199a78f", "string"},
 			"64d3b4b7b21788585845060e2199a78f", "", nil,
 		},
 		{
 			"d=0 int flag",
 			buildTestCommand,
 			[]string{"--int", "2147483647", "int"},
 			"2147483647", "", nil,
 		},
 		{
 			"d=0 repeat flag",
 			buildTestCommand,
 			[]string{"--repeat", "0", "--repeat", "1", "--repeat", "2", "--repeat", "3", "--repeat", "4", "repeat"},
 			"[0 1 2 3 4]", "", nil,
 		},
 		{
 			"d=0 bool flag",
 			buildTestCommand,
 			[]string{"-v", "succeed"},
 			"", "test: verbose\n", nil,
 		},
 		{
 			"d=0 bool flag early error",
 			buildTestCommand,
 			[]string{"--fail", "succeed"},
 			"", "", errSuccess,
 		},
 		{
 			"d=1 empty sub",
 			buildTestCommand,
 			[]string{"empty"},
 			"", "test: \"empty\" has no subcommands\n", command.ErrEmptyTree,
 		},
 		{
 			"d=1 empty sub garbage",
 			buildTestCommand,
 			[]string{"empty", "a", "b", "c", "d"},
 			"", "test: \"empty\" has no subcommands\n", command.ErrEmptyTree,
 		},
 		{
 			"d=1 empty sub help",
 			buildTestCommand,
 			[]string{"empty", "-h"},
 			"\nUsage:\ttest empty [-h | --help] COMMAND [OPTIONS]\n\n", "", flag.ErrHelp,
 		},
 		{
 			"d=1 no match",
 			buildTestCommand,
 			[]string{"join", "23aa3bb0", "34986782", "d8859355", "cd9ac317", ", "},
 			"", "test: \"23aa3bb0\" is not a valid command\n", command.ErrNoMatch,
 		},
 		{
 			"d=1 direct success out",
 			buildTestCommand,
 			[]string{"join", "out", "23aa3bb0", "34986782", "d8859355", "cd9ac317", ", "},
 			"23aa3bb0, 34986782, d8859355, cd9ac317", "", nil,
 		},
 		{
 			"d=1 direct success log",
 			buildTestCommand,
 			[]string{"join", "log", "23aa3bb0", "34986782", "d8859355", "cd9ac317", ", "},
 			"", "test: 23aa3bb0, 34986782, d8859355, cd9ac317\n", nil,
 		},
 		{
 			"d=4 empty sub",
 			buildTestCommand,
 			[]string{"deep", "d=2", "d=3", "d=4"},
 			"", "test: \"d=4\" has no subcommands\n", command.ErrEmptyTree},
 		{
 			"d=0 help",
 			buildTestCommand,
 			[]string{},
 			`
 Usage:	test [-h | --help] [-v] [--fail] [--string <value>] [--int <int>] [--repeat <value>] COMMAND [OPTIONS]
 Commands:
    error      return an error
    print      wraps Fprint
    string     print string passed by flag
    int        print int passed by flag
    repeat     print repeated values passed by flag
    empty      empty subcommand
    join       wraps strings.Join
    succeed    this command succeeds
    deep       top level of command tree with various levels
 `, "", command.ErrHelp,
 		},
 		{
 			"d=0 help flag",
 			buildTestCommand,
 			[]string{"-h"},
 			`
 Usage:	test [-h | --help] [-v] [--fail] [--string <value>] [--int <int>] [--repeat <value>] COMMAND [OPTIONS]
 Commands:
    error      return an error
    print      wraps Fprint
    string     print string passed by flag
    int        print int passed by flag
    repeat     print repeated values passed by flag
    empty      empty subcommand
    join       wraps strings.Join
    succeed    this command succeeds
    deep       top level of command tree with various levels
 Flags:
  -fail
    	fail early
  -int int
    	store value for the "int" command (default -1)
  -repeat value
    	store value for the "repeat" command
  -string string
    	store value for the "string" command (default "default")
  -v	verbose output
 `, "", flag.ErrHelp,
 		},
 		{
 			"d=1 help",
 			buildTestCommand,
 			[]string{"join"},
 			`
 Usage:	test join [-h | --help] COMMAND [OPTIONS]
 Commands:
    out    write result to wout
    log    log result to wlog
 `, "", command.ErrHelp,
 		},
 		{
 			"d=1 help flag",
 			buildTestCommand,
 			[]string{"join", "-h"},
 			`
 Usage:	test join [-h | --help] COMMAND [OPTIONS]
 Commands:
    out    write result to wout
    log    log result to wlog
 `, "", flag.ErrHelp,
 		},
 		{
 			"d=2 help",
 			buildTestCommand,
 			[]string{"deep", "d=2"},
 			`
 Usage:	test deep d=2 [-h | --help] COMMAND [OPTIONS]
 Commands:
    d=3    relative third level
 `, "", command.ErrHelp,
 		},
 		{
 			"d=2 help flag",
 			buildTestCommand,
 			[]string{"deep", "d=2", "-h"},
 			`
 Usage:	test deep d=2 [-h | --help] COMMAND [OPTIONS]
 Commands:
    d=3    relative third level
 `, "", flag.ErrHelp,
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			wout, wlog := new(bytes.Buffer), new(bytes.Buffer)
 			c := tc.buildTree(wout, wlog)
 			if err := c.Parse(tc.args); !errors.Is(err, tc.wantErr) {
 				t.Errorf("Parse: error = %v; wantErr %v", err, tc.wantErr)
 			}
 			if got := wout.String(); got != tc.want {
 				t.Errorf("Parse: %s want %s", got, tc.want)
 			}
 			if gotLog := wlog.String(); gotLog != tc.wantLog {
 				t.Errorf("Parse: log = %s wantLog %s", gotLog, tc.wantLog)
 			}
 		})
 	}
 }
 var (
 	errJoinLen = errors.New("not enough arguments to join")
 	errSuccess = errors.New("success")
 )
 func buildTestCommand(wout, wlog io.Writer) (c command.Command) {
 	var (
 		flagVerbose bool
 		flagFail    bool
 		flagString string
 		flagInt    int
 		flagRepeat command.RepeatableFlag
 	)
 	logf := newLogFunc(wlog)
 	c = command.New(wout, logf, "test", func([]string) error {
 		if flagVerbose {
 			logf("verbose")
 		}
 		if flagFail {
 			return errSuccess
 		}
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "verbose output").
 		Flag(&flagFail, "fail", command.BoolFlag(false), "fail early").
 		Command("error", "return an error", func([]string) error {
 			return errSuccess
 		}).
 		Command("print", "wraps Fprint", func(args []string) error {
 			a := make([]any, len(args))
 			for i, v := range args {
 				a[i] = v
 			}
 			_, err := fmt.Fprint(wout, a...)
 			return err
 		}).
 		Flag(&flagString, "string", command.StringFlag("default"), "store value for the \"string\" command").
 		Command("string", "print string passed by flag", func(args []string) error { _, err := fmt.Fprint(wout, flagString); return err }).
 		Flag(&flagInt, "int", command.IntFlag(-1), "store value for the \"int\" command").
 		Command("int", "print int passed by flag", func(args []string) error { _, err := fmt.Fprint(wout, flagInt); return err }).
 		Flag(nil, "repeat", &flagRepeat, "store value for the \"repeat\" command").
 		Command("repeat", "print repeated values passed by flag", func(args []string) error { _, err := fmt.Fprint(wout, flagRepeat); return err })
 	c.New("empty", "empty subcommand")
 	c.New("hidden", command.UsageInternal)
 	c.New("join", "wraps strings.Join").
 		Command("out", "write result to wout", func(args []string) error {
 			if len(args) == 0 {
 				return errJoinLen
 			}
 			_, err := fmt.Fprint(wout, strings.Join(args[:len(args)-1], args[len(args)-1]))
 			return err
 		}).
 		Command("log", "log result to wlog", func(args []string) error {
 			if len(args) == 0 {
 				return errJoinLen
 			}
 			logf("%s", strings.Join(args[:len(args)-1], args[len(args)-1]))
 			return nil
 		})
 	c.Command("succeed", "this command succeeds", func([]string) error { return nil })
 	c.New("deep", "top level of command tree with various levels").
 		New("d=2", "relative second level").
 		New("d=3", "relative third level").
 		New("d=4", "relative fourth level")
 	return
 }
 func newLogFunc(w io.Writer) command.LogFunc { return log.New(w, "test: ", 0).Printf }
--- a/command/unreachable_test.go
+++ b/command/unreachable_test.go
@ -0,0 +1,54 @@
 package command
 import (
 	"flag"
 	"testing"
 )
 func TestParseUnreachable(t *testing.T) {
 	// top level bypasses name matching and recursive calls to Parse
 	// returns when encountering zero-length args
 	t.Run("zero-length args", func(t *testing.T) {
 		defer checkRecover(t, "Parse", "attempted to parse with zero length args")
 		_ = newNode(panicWriter{}, nil, " ", " ").Parse(nil)
 	})
 	// top level must not have siblings
 	t.Run("toplevel siblings", func(t *testing.T) {
 		defer checkRecover(t, "Parse", "invalid toplevel state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		n.append(newNode(panicWriter{}, nil, "  ", " "))
 		_ = n.Parse(nil)
 	})
 	// a node with descendents must not have a direct handler
 	t.Run("sub handle conflict", func(t *testing.T) {
 		defer checkRecover(t, "Parse", "invalid subcommand tree state")
 		n := newNode(panicWriter{}, nil, " ", " ")
 		n.adopt(newNode(panicWriter{}, nil, " ", " "))
 		n.f = func([]string) error { panic("unreachable") }
 		_ = n.Parse([]string{" "})
 	})
 	// this would only happen if a node was matched twice
 	t.Run("parsed flag set", func(t *testing.T) {
 		defer checkRecover(t, "Parse", "invalid set state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		set := flag.NewFlagSet("parsed", flag.ContinueOnError)
 		set.SetOutput(panicWriter{})
 		_ = set.Parse(nil)
 		n.set = set
 		_ = n.Parse(nil)
 	})
 }
 type panicWriter struct{}
 func (p panicWriter) Write([]byte) (int, error) { panic("unreachable") }
 func checkRecover(t *testing.T, name, wantPanic string) {
 	if r := recover(); r != wantPanic {
 		t.Errorf("%s: panic = %v; wantPanic %v",
 			name, r, wantPanic)
 	}
 }
--- a/command/wrap.go
+++ b/command/wrap.go
@ -0,0 +1,14 @@
 package command
 // the top level node wants [Command] returned for its builder methods
 type rootNode struct{ *node }
 func (r rootNode) Command(name, usage string, f HandlerFunc) Command {
 	r.node.Command(name, usage, f)
 	return r
 }
 func (r rootNode) Flag(p any, name string, value FlagDefiner, usage string) Command {
 	r.node.Flag(p, name, value, usage)
 	return r
 }
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@ -1,14 +1,22 @@
 package dbus_test
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"strings"
 	"syscall"
 	"testing"
 	"time"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/sandbox"
 )
 func TestNew(t *testing.T) {
@ -64,7 +72,7 @@ func TestProxy_Seal(t *testing.T) {
 	for id, tc := range testCasePairs() {
 		t.Run("create seal for "+id, func(t *testing.T) {
 			p := dbus.New(tc[0].bus, tc[1].bus)
-			if err := p.Seal(tc[0].c, tc[1].c); (errors.Is(err, helper.ErrContainsNull)) != tc[0].wantErr {
+			if err := p.Seal(tc[0].c, tc[1].c); (errors.Is(err, syscall.EINVAL)) != tc[0].wantErr {
 				t.Errorf("Seal(%p, %p) error = %v, wantErr %v",
 					tc[0].c, tc[1].c,
 					err, tc[0].wantErr)
@ -100,15 +108,20 @@ func TestProxy_Seal(t *testing.T) {
 }
 func TestProxy_Start_Wait_Close_String(t *testing.T) {
-	t.Run("sandboxed", func(t *testing.T) {
+	oldWaitDelay := helper.WaitDelay
 	helper.WaitDelay = 16 * time.Second
 	t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })
 	t.Run("sandbox", func(t *testing.T) {
 		proxyName := dbus.ProxyName
 		dbus.ProxyName = os.Args[0]
 		t.Cleanup(func() { dbus.ProxyName = proxyName })
 		testProxyStartWaitCloseString(t, true)
 	})
-	t.Run("direct", func(t *testing.T) {
+	t.Run("direct", func(t *testing.T) { testProxyStartWaitCloseString(t, false) })
 		testProxyStartWaitCloseString(t, false)
 	})
 }
-func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
+func testProxyStartWaitCloseString(t *testing.T, useSandbox bool) {
 	for id, tc := range testCasePairs() {
 		// this test does not test errors
 		if tc[0].wantErr {
@ -125,14 +138,33 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 		})
 		t.Run("proxy for "+id, func(t *testing.T) {
 			helper.InternalReplaceExecCommand(t)
 			overridePath(t)
 			p := dbus.New(tc[0].bus, tc[1].bus)
 			p.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
 				return exec.CommandContext(ctx, os.Args[0], "-test.v",
 					"-test.run=TestHelperInit", "--", "init")
 			}
 			p.CmdF = func(v any) {
 				if useSandbox {
 					container := v.(*sandbox.Container)
 					if container.Args[0] != dbus.ProxyName {
 						panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))
 					}
 					container.Args = append([]string{os.Args[0], "-test.run=TestHelperStub", "--"}, container.Args[1:]...)
 				} else {
 					cmd := v.(*exec.Cmd)
 					if cmd.Args[0] != dbus.ProxyName {
 						panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))
 					}
 					cmd.Err = nil
 					cmd.Path = os.Args[0]
 					cmd.Args = append([]string{os.Args[0], "-test.run=TestHelperStub", "--"}, cmd.Args[1:]...)
 				}
 			}
 			p.FilterF = func(v []byte) []byte { return bytes.SplitN(v, []byte("TestHelperInit\n"), 2)[1] }
 			output := new(strings.Builder)
-			t.Run("unsealed behaviour of "+id, func(t *testing.T) {
+			t.Run("unsealed", func(t *testing.T) {
-				t.Run("unsealed string of "+id, func(t *testing.T) {
+				t.Run("string", func(t *testing.T) {
 					want := "(unsealed dbus proxy)"
 					if got := p.String(); got != want {
 						t.Errorf("String() = %v, want %v",
@ -141,16 +173,16 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 					}
 				})
-				t.Run("unsealed start of "+id, func(t *testing.T) {
+				t.Run("start", func(t *testing.T) {
 					want := "proxy not sealed"
-					if err := p.Start(context.Background(), nil, sandbox); err == nil || err.Error() != want {
+					if err := p.Start(context.Background(), nil, useSandbox); err == nil || err.Error() != want {
 						t.Errorf("Start() error = %v, wantErr %q",
 							err, errors.New(want))
 						return
 					}
 				})
-				t.Run("unsealed wait of "+id, func(t *testing.T) {
+				t.Run("wait", func(t *testing.T) {
 					wantErr := "dbus: not started"
 					if err := p.Wait(); err == nil || err.Error() != wantErr {
 						t.Errorf("Wait() error = %v, wantErr %v",
@ -168,7 +200,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 				}
 			})
-			t.Run("sealed behaviour of "+id, func(t *testing.T) {
+			t.Run("sealed", func(t *testing.T) {
 				want := strings.Join(append(tc[0].want, tc[1].want...), " ")
 				if got := p.String(); got != want {
 					t.Errorf("String() = %v, want %v",
@ -176,17 +208,20 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 					return
 				}
-				t.Run("sealed start of "+id, func(t *testing.T) {
+				t.Run("start", func(t *testing.T) {
 					ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 					defer cancel()
-					if err := p.Start(ctx, output, sandbox); err != nil {
+					if err := p.Start(ctx, output, useSandbox); err != nil {
 						t.Fatalf("Start(nil, nil) error = %v",
 							err)
 					}
-					t.Run("started string of "+id, func(t *testing.T) {
+					t.Run("string", func(t *testing.T) {
-						wantSubstr := dbus.ProxyName + " --args="
+						wantSubstr := fmt.Sprintf("%s -test.run=TestHelperStub -- --args=3 --fd=4", os.Args[0])
 						if useSandbox {
 							wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x3e`, os.Args[0])
 						}
 						if got := p.String(); !strings.Contains(got, wantSubstr) {
 							t.Errorf("String() = %v, want %v",
 								p.String(), wantSubstr)
@ -194,7 +229,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 						}
 					})
-					t.Run("started wait of "+id, func(t *testing.T) {
+					t.Run("wait", func(t *testing.T) {
 						p.Close()
 						if err := p.Wait(); err != nil {
 							t.Errorf("Wait() error = %v\noutput: %s",
@ -207,10 +242,10 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 	}
 }
-func overridePath(t *testing.T) {
+func TestHelperInit(t *testing.T) {
-	proxyName := dbus.ProxyName
+	if len(os.Args) != 5 || os.Args[4] != "init" {
-	dbus.ProxyName = "/nonexistent-xdg-dbus-proxy"
+		return
-	t.Cleanup(func() {
+	}
-		dbus.ProxyName = proxyName
+	sandbox.SetOutput(fmsg.Output{})
-	})
+	sandbox.Init(fmsg.Prepare, internal.InstallFmsg)
 }
--- a/dbus/proc.go
+++ b/dbus/proc.go
@ -0,0 +1,178 @@
 package dbus
 import (
 	"context"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"slices"
 	"strconv"
 	"strings"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/ldd"
 	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )
 // Start launches the D-Bus proxy.
 func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) error {
 	p.lock.Lock()
 	defer p.lock.Unlock()
 	if p.seal == nil {
 		return errors.New("proxy not sealed")
 	}
 	var h helper.Helper
 	c, cancel := context.WithCancelCause(ctx)
 	if !useSandbox {
 		h = helper.NewDirect(c, p.name, p.seal, true, argF, func(cmd *exec.Cmd) {
 			if p.CmdF != nil {
 				p.CmdF(cmd)
 			}
 			if output != nil {
 				cmd.Stdout, cmd.Stderr = output, output
 			}
 			cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 			cmd.Env = make([]string, 0)
 		}, nil)
 	} else {
 		toolPath := p.name
 		if filepath.Base(p.name) == p.name {
 			if s, err := exec.LookPath(p.name); err != nil {
 				return err
 			} else {
 				toolPath = s
 			}
 		}
 		var libPaths []string
 		if entries, err := ldd.ExecFilter(ctx, p.CommandContext, p.FilterF, toolPath); err != nil {
 			return err
 		} else {
 			libPaths = ldd.Path(entries)
 		}
 		h = helper.New(
 			c, toolPath,
 			p.seal, true,
 			argF, func(container *sandbox.Container) {
 				container.Seccomp |= seccomp.FlagMultiarch
 				container.Hostname = "fortify-dbus"
 				container.CommandContext = p.CommandContext
 				if output != nil {
 					container.Stdout, container.Stderr = output, output
 				}
 				if p.CmdF != nil {
 					p.CmdF(container)
 				}
 				// these lib paths are unpredictable, so mount them first so they cannot cover anything
 				for _, name := range libPaths {
 					container.Bind(name, name, 0)
 				}
 				// upstream bus directories
 				upstreamPaths := make([]string, 0, 2)
 				for _, as := range []string{p.session[0], p.system[0]} {
 					if len(as) > 0 && strings.HasPrefix(as, "unix:path=/") {
 						// leave / intact
 						upstreamPaths = append(upstreamPaths, path.Dir(as[10:]))
 					}
 				}
 				slices.Sort(upstreamPaths)
 				upstreamPaths = slices.Compact(upstreamPaths)
 				for _, name := range upstreamPaths {
 					container.Bind(name, name, 0)
 				}
 				// parent directories of bind paths
 				sockDirPaths := make([]string, 0, 2)
 				if d := path.Dir(p.session[1]); path.IsAbs(d) {
 					sockDirPaths = append(sockDirPaths, d)
 				}
 				if d := path.Dir(p.system[1]); path.IsAbs(d) {
 					sockDirPaths = append(sockDirPaths, d)
 				}
 				slices.Sort(sockDirPaths)
 				sockDirPaths = slices.Compact(sockDirPaths)
 				for _, name := range sockDirPaths {
 					container.Bind(name, name, sandbox.BindWritable)
 				}
 				// xdg-dbus-proxy bin path
 				binPath := path.Dir(toolPath)
 				container.Bind(binPath, binPath, 0)
 			}, nil)
 	}
 	if err := h.Start(); err != nil {
 		cancel(err)
 		return err
 	}
 	p.helper = h
 	p.ctx = c
 	p.cancel = cancel
 	return nil
 }
 var proxyClosed = errors.New("proxy closed")
 // Wait blocks until xdg-dbus-proxy exits and releases resources.
 func (p *Proxy) Wait() error {
 	p.lock.RLock()
 	defer p.lock.RUnlock()
 	if p.helper == nil {
 		return errors.New("dbus: not started")
 	}
 	errs := make([]error, 3)
 	errs[0] = p.helper.Wait()
 	if p.cancel == nil &&
 		errors.Is(errs[0], context.Canceled) &&
 		errors.Is(context.Cause(p.ctx), proxyClosed) {
 		errs[0] = nil
 	}
 	// ensure socket removal so ephemeral directory is empty at revert
 	if err := os.Remove(p.session[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
 		errs[1] = err
 	}
 	if p.sysP {
 		if err := os.Remove(p.system[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
 			errs[2] = err
 		}
 	}
 	return errors.Join(errs...)
 }
 // Close cancels the context passed to the helper instance attached to xdg-dbus-proxy.
 func (p *Proxy) Close() {
 	p.lock.Lock()
 	defer p.lock.Unlock()
 	if p.cancel == nil {
 		panic("dbus: not started")
 	}
 	p.cancel(proxyClosed)
 	p.cancel = nil
 }
 func argF(argsFd, statFd int) []string {
 	if statFd == -1 {
 		return []string{"--args=" + strconv.Itoa(argsFd)}
 	} else {
 		return []string{"--args=" + strconv.Itoa(argsFd), "--fd=" + strconv.Itoa(statFd)}
 	}
 }
--- a/dbus/proxy.go
+++ b/dbus/proxy.go
@ -5,10 +5,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"os/exec"
 	"sync"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )
 // ProxyName is the file name or path to the proxy program.
@ -19,15 +19,18 @@ var ProxyName = "xdg-dbus-proxy"
 // Once sealed, configuration changes will no longer be possible and attempting to do so will result in a panic.
 type Proxy struct {
 	helper helper.Helper
 	bwrap  *bwrap.Config
 	ctx    context.Context
 	cancel context.CancelCauseFunc
 	name    string
 	session [2]string
 	system  [2]string
 	CmdF    func(any)
 	sysP    bool
 	CommandContext func(ctx context.Context) (cmd *exec.Cmd)
 	FilterF        func([]byte) []byte
 	seal io.WriterTo
 	lock sync.RWMutex
 }
--- a/dbus/run.go
+++ b/dbus/run.go
@ -1,175 +0,0 @@
 package dbus
 import (
 	"context"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/ldd"
 )
 // Start launches the D-Bus proxy.
 func (p *Proxy) Start(ctx context.Context, output io.Writer, sandbox bool) error {
 	p.lock.Lock()
 	defer p.lock.Unlock()
 	if p.seal == nil {
 		return errors.New("proxy not sealed")
 	}
 	var (
 		h helper.Helper
 		argF = func(argsFD, statFD int) []string {
 			if statFD == -1 {
 				return []string{"--args=" + strconv.Itoa(argsFD)}
 			} else {
 				return []string{"--args=" + strconv.Itoa(argsFD), "--fd=" + strconv.Itoa(statFD)}
 			}
 		}
 	)
 	if !sandbox {
 		h = helper.New(p.seal, p.name, argF)
 		// xdg-dbus-proxy does not need to inherit the environment
 		h.SetEnv(make([]string, 0))
 	} else {
 		// look up absolute path if name is just a file name
 		toolPath := p.name
 		if filepath.Base(p.name) == p.name {
 			if s, err := exec.LookPath(p.name); err != nil {
 				return err
 			} else {
 				toolPath = s
 			}
 		}
 		// resolve libraries by parsing ldd output
 		var proxyDeps []*ldd.Entry
 		if toolPath != "/nonexistent-xdg-dbus-proxy" {
 			if l, err := ldd.Exec(ctx, toolPath); err != nil {
 				return err
 			} else {
 				proxyDeps = l
 			}
 		}
 		bc := &bwrap.Config{
 			Unshare:       nil,
 			Hostname:      "fortify-dbus",
 			Chdir:         "/",
 			Syscall:       &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
 			Clearenv:      true,
 			NewSession:    true,
 			DieWithParent: true,
 		}
 		// resolve proxy socket directories
 		bindTarget := make(map[string]struct{}, 2)
 		for _, ps := range []string{p.session[1], p.system[1]} {
 			if pd := path.Dir(ps); len(pd) > 0 {
 				if pd[0] == '/' {
 					bindTarget[pd] = struct{}{}
 				}
 			}
 		}
 		for k := range bindTarget {
 			bc.Bind(k, k, false, true)
 		}
 		roBindTarget := make(map[string]struct{}, 2+1+len(proxyDeps))
 		// xdb-dbus-proxy bin and dependencies
 		roBindTarget[path.Dir(toolPath)] = struct{}{}
 		for _, ent := range proxyDeps {
 			if path.IsAbs(ent.Path) {
 				roBindTarget[path.Dir(ent.Path)] = struct{}{}
 			}
 			if path.IsAbs(ent.Name) {
 				roBindTarget[path.Dir(ent.Name)] = struct{}{}
 			}
 		}
 		// resolve upstream bus directories
 		for _, as := range []string{p.session[0], p.system[0]} {
 			if len(as) > 0 && strings.HasPrefix(as, "unix:path=/") {
 				// leave / intact
 				roBindTarget[path.Dir(as[10:])] = struct{}{}
 			}
 		}
 		for k := range roBindTarget {
 			bc.Bind(k, k)
 		}
 		h = helper.MustNewBwrap(bc, toolPath, p.seal, argF, nil, nil)
 		p.bwrap = bc
 	}
 	if output != nil {
 		h.Stdout(output).Stderr(output)
 	}
 	c, cancel := context.WithCancelCause(ctx)
 	if err := h.Start(c, true); err != nil {
 		cancel(err)
 		return err
 	}
 	p.helper = h
 	p.ctx = c
 	p.cancel = cancel
 	return nil
 }
 var proxyClosed = errors.New("proxy closed")
 // Wait blocks until xdg-dbus-proxy exits and releases resources.
 func (p *Proxy) Wait() error {
 	p.lock.RLock()
 	defer p.lock.RUnlock()
 	if p.helper == nil {
 		return errors.New("dbus: not started")
 	}
 	errs := make([]error, 3)
 	errs[0] = p.helper.Wait()
 	if p.cancel == nil &&
 		errors.Is(errs[0], context.Canceled) &&
 		errors.Is(context.Cause(p.ctx), proxyClosed) {
 		errs[0] = nil
 	}
 	// ensure socket removal so ephemeral directory is empty at revert
 	if err := os.Remove(p.session[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
 		errs[1] = err
 	}
 	if p.sysP {
 		if err := os.Remove(p.system[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
 			errs[2] = err
 		}
 	}
 	return errors.Join(errs...)
 }
 // Close cancels the context passed to the helper instance attached to xdg-dbus-proxy.
 func (p *Proxy) Close() {
 	p.lock.Lock()
 	defer p.lock.Unlock()
 	if p.cancel == nil {
 		panic("dbus: not started")
 	}
 	p.cancel(proxyClosed)
 	p.cancel = nil
 }
--- a/dbus/samples_test.go
+++ b/dbus/samples_test.go
@ -6,6 +6,12 @@ import (
 	"git.gensokyo.uk/security/fortify/dbus"
 )
 const (
 	sampleHostPath = "/tmp/bus"
 	sampleHostAddr = "unix:path=" + sampleHostPath
 	sampleBindPath = "/tmp/proxied_bus"
 )
 var samples = []dbusTestCase{
 	{
 		"org.chromium.Chromium", &dbus.Config{
@ -19,10 +25,10 @@ var samples = []dbusTestCase{
 			Log:       false,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
+			sampleHostAddr,
-			"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/bus",
+			sampleBindPath,
 			"--filter",
 			"--talk=org.freedesktop.Notifications",
 			"--talk=org.freedesktop.FileManager1",
@ -48,9 +54,10 @@ var samples = []dbusTestCase{
 			Log:       false,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket"},
+		[2]string{sampleHostAddr, sampleBindPath},
-		[]string{"unix:path=/run/dbus/system_bus_socket",
+		[]string{
-			"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket",
+			sampleHostAddr,
 			sampleBindPath,
 			"--filter",
 			"--talk=org.bluez",
 			"--talk=org.freedesktop.Avahi",
@ -68,10 +75,10 @@ var samples = []dbusTestCase{
 			Log:       false,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/34c24f16a0d791d28835ededaf446033/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
+			sampleHostAddr,
-			"/tmp/fortify.1971/34c24f16a0d791d28835ededaf446033/bus",
+			sampleBindPath,
 			"--filter",
 			"--talk=org.freedesktop.Notifications",
 			"--talk=org.kde.StatusNotifierWatcher",
@ -91,10 +98,10 @@ var samples = []dbusTestCase{
 			Log:       true,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
+			sampleHostAddr,
-			"/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus",
+			sampleBindPath,
 			"--filter",
 			"--see=uk.gensokyo.CrashTestDummy1",
 			"--talk=org.freedesktop.Notifications",
@ -114,10 +121,10 @@ var samples = []dbusTestCase{
 			Log:       true,
 			Filter:    true,
 		}, false, true,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
+			sampleHostAddr,
-			"/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus",
+			sampleBindPath,
 			"--filter",
 			"--see=uk.gensokyo.CrashTestDummy",
 			"--talk=org.freedesktop.Notifications",
--- a/dbus/stub_test.go
+++ b/dbus/stub_test.go
@ -6,6 +6,4 @@ import (
 	"git.gensokyo.uk/security/fortify/helper"
 )
-func TestHelperChildStub(t *testing.T) {
+func TestHelperStub(t *testing.T) { helper.InternalHelperStub() }
 	helper.InternalChildStub()
 }
--- a/dist/release.sh
+++ b/dist/release.sh
@ -10,9 +10,10 @@ cp -rv "comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
+  -X git.gensokyo.uk/security/fortify/internal.version=${VERSION}
-  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
+  -X git.gensokyo.uk/security/fortify/internal.fsu=/usr/bin/fsu
-  -X main.Fmain=/usr/bin/fortify" ./...
+  -X main.fmain=/usr/bin/fortify
  -X main.fpkg=/usr/bin/fpkg" ./...
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"
--- a/error.go
+++ b/error.go
@ -1,56 +0,0 @@
 package main
 import (
 	"errors"
 	"log"
 	"git.gensokyo.uk/security/fortify/internal/app"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 func logWaitError(err error) {
 	var e *fmsg.BaseError
 	if !fmsg.AsBaseError(err, &e) {
 		log.Println("wait failed:", err)
 	} else {
 		// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
 		var se *app.StateStoreError
 		if !errors.As(err, &se) {
 			// does not need special handling
 			log.Print(e.Message())
 		} else {
 			// inner error are either unwrapped store errors
 			// or joined errors returned by *appSealTx revert
 			// wrapped in *app.BaseError
 			var ej app.RevertCompoundError
 			if !errors.As(se.InnerErr, &ej) {
 				// does not require special handling
 				log.Print(e.Message())
 			} else {
 				errs := ej.Unwrap()
 				// every error here is wrapped in *app.BaseError
 				for _, ei := range errs {
 					var eb *fmsg.BaseError
 					if !errors.As(ei, &eb) {
 						// unreachable
 						log.Println("invalid error type returned by revert:", ei)
 					} else {
 						// print inner *app.BaseError message
 						log.Print(eb.Message())
 					}
 				}
 			}
 		}
 	}
 }
 func logBaseError(err error, message string) {
 	var e *fmsg.BaseError
 	if fmsg.AsBaseError(err, &e) {
 		log.Print(e.Message())
 	} else {
 		log.Println(message, err)
 	}
 }
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1736373539,
+        "lastModified": 1742655702,
-        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
+        "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
+        "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
        "type": "github"
      },
      "original": {
@ -23,16 +23,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1739333913,
+        "lastModified": 1743231893,
-        "narHash": "sha256-JXt5FtySR+yBm5ny8zG/hX1IybF/7R66jZfXxXSb6wY=",
+        "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "7d83f668aee9e41d574c398a9bb569047e8a3f5d",
+        "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11-small",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "fortify sandbox tool and nixos module";
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    home-manager = {
      url = "github:nix-community/home-manager/release-24.11";
@ -27,12 +27,12 @@
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
    in
    {
-      nixosModules.fortify = import ./nixos.nix;
+      nixosModules.fortify = import ./nixos.nix self.packages;
      buildPackage = forAllSystems (
        system:
        nixpkgsFor.${system}.callPackage (
-          import ./bundle.nix {
+          import ./cmd/fpkg/build.nix {
            inherit
              nixpkgsFor
              system
@ -57,18 +57,30 @@
            ;
        in
        {
-          check-formatting =
+          fortify = callPackage ./test { inherit system self; };
-            runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; }
+          race = callPackage ./test {
-              ''
+            inherit system self;
-                cd ${./.}
+            withRace = true;
          };
-                echo "running nixfmt..."
+          sandbox = callPackage ./test/sandbox { inherit self; };
-                nixfmt --check .
+          sandbox-race = callPackage ./test/sandbox {
            inherit self;
            withRace = true;
          };
-                touch $out
+          fpkg = callPackage ./cmd/fpkg/test { inherit system self; };
              '';
-          check-lint =
+          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
            cd ${./.}
            echo "running nixfmt..."
            nixfmt --width=256 --check .
            touch $out
          '';
          lint =
            runCommandLocal "check-lint"
              {
                nativeBuildInputs = [
@ -87,123 +99,68 @@
                touch $out
              '';
          nixos-tests = callPackage ./test.nix {
            inherit system self home-manager;
            inherit (self.packages.${system}) fortify;
          };
        }
      );
      packages = forAllSystems (
        system:
        let
-          inherit (self.packages.${system}) fortify;
+          inherit (self.packages.${system}) fortify fsu;
          pkgs = nixpkgsFor.${system};
        in
        {
-          default = self.packages.${system}.fortify;
+          default = fortify;
-          fortify = pkgs.callPackage ./package.nix { };
+          fortify = pkgs.pkgsStatic.callPackage ./package.nix {
            inherit (pkgs)
              # passthru.buildInputs
              go
              gcc
-          dist =
+              # nativeBuildInputs
-            pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
+              pkg-config
-              ''
+              wayland-scanner
-                # go requires XDG_CACHE_HOME for the build cache
+              makeBinaryWrapper
                export XDG_CACHE_HOME="$(mktemp -d)"
-                # get a different workdir as go does not like /build
+              # appPackages
-                cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w .
+              glibc
              xdg-dbus-proxy
-                export FORTIFY_VERSION="v${fortify.version}"
+              # fpkg
-                ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
+              zstd
-              '';
+              gnutar
-
+              coreutils
-          fhs = pkgs.buildFHSEnv {
+              ;
            pname = "fortify-fhs";
            inherit (fortify) version;
            targetPkgs =
              pkgs:
              with pkgs;
              [
                go
                gcc
                pkg-config
                wayland-scanner
              ]
              ++ (
                with pkgs.pkgsStatic;
                [
                  musl
                  libffi
                  libseccomp
                  acl
                  wayland
                  wayland-protocols
                ]
                ++ (with xorg; [
                  libxcb
                  libXau
                  libXdmcp
                  xorgproto
                ])
              );
            extraOutputsToInstall = [ "dev" ];
            profile = ''
              export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
            '';
          };
          fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
          dist = pkgs.runCommand "${fortify.name}-dist" { buildInputs = fortify.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
            # go requires XDG_CACHE_HOME for the build cache
            export XDG_CACHE_HOME="$(mktemp -d)"
            # get a different workdir as go does not like /build
            cd $(mktemp -d) \
                && cp -r ${fortify.src}/. . \
                && chmod +w cmd && cp -r ${fsu.src}/. cmd/fsu/ \
                && chmod -R +w .
            export FORTIFY_VERSION="v${fortify.version}"
            ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
          '';
        }
      );
      devShells = forAllSystems (
        system:
        let
-          inherit (self.packages.${system}) fortify fhs;
+          inherit (self.packages.${system}) fortify;
          pkgs = nixpkgsFor.${system};
        in
        {
-          default = pkgs.mkShell {
+          default = pkgs.mkShell { buildInputs = fortify.targetPkgs; };
-            buildInputs =
+          withPackage = pkgs.mkShell { buildInputs = [ fortify ] ++ fortify.targetPkgs; };
              with pkgs;
              [
                go
                gcc
              ]
              # buildInputs
              ++ (
                with pkgsStatic;
                [
                  musl
                  libffi
                  libseccomp
                  acl
                  wayland
                  wayland-protocols
                ]
                ++ (with xorg; [
                  libxcb
                  libXau
                  libXdmcp
                ])
              )
              # nativeBuildInputs
              ++ [
                pkg-config
                wayland-scanner
                makeBinaryWrapper
              ];
          };
          fhs = fhs.env;
          withPackage = nixpkgsFor.${system}.mkShell {
            buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs;
          };
          generateDoc =
            let
              pkgs = nixpkgsFor.${system};
              inherit (pkgs) lib;
              doc =
@ -212,7 +169,7 @@
                    specialArgs = {
                      inherit pkgs;
                    };
-                    modules = [ ./options.nix ];
+                    modules = [ (import ./options.nix self.packages) ];
                  };
                  cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
                in
@ -222,7 +179,7 @@
                sed -i '/*Declared by:*/,+1 d' $out
              '';
            in
-            nixpkgsFor.${system}.mkShell {
+            pkgs.mkShell {
              shellHook = ''
                exec cat ${docText} > options.md
              '';
--- a/fst/app.go
+++ b/fst/app.go
@ -0,0 +1,47 @@
 // Package fst exports shared fortify types.
 package fst
 import (
 	"time"
 )
 type App interface {
 	// ID returns a copy of [fst.ID] held by App.
 	ID() ID
 	// Seal determines the outcome of config as a [SealedApp].
 	// The value of config might be overwritten and must not be used again.
 	Seal(config *Config) (SealedApp, error)
 	String() string
 }
 type SealedApp interface {
 	// Run commits sealed system setup and starts the app process.
 	Run(rs *RunState) error
 }
 // RunState stores the outcome of a call to [SealedApp.Run].
 type RunState struct {
 	// Time is the exact point in time where the process was created.
 	// Location must be set to UTC.
 	//
 	// Time is nil if no process was ever created.
 	Time *time.Time
 	// ExitCode is the value returned by shim.
 	ExitCode int
 	// RevertErr is stored by the deferred revert call.
 	RevertErr error
 	// WaitErr is error returned by the underlying wait syscall.
 	WaitErr error
 }
 // Paths contains environment-dependent paths used by fortify.
 type Paths struct {
 	// path to shared directory (usually `/tmp/fortify.%d`)
 	SharePath string `json:"share_path"`
 	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
 	RuntimePath string `json:"runtime_path"`
 	// application runtime directory (usually `/run/user/%d/fortify`)
 	RunDirPath string `json:"run_dir_path"`
 }
--- a/fst/config.go
+++ b/fst/config.go
@ -2,18 +2,23 @@ package fst
 import (
 	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/system"
 )
 const Tmp = "/.fortify"
 // Config is used to seal an app
 type Config struct {
-	// application ID
+	// reverse-DNS style arbitrary identifier string from config;
 	// passed to wayland security-context-v1 as application ID
 	// and used as part of defaults in dbus session proxy
 	ID string `json:"id"`
-	// value passed through to the child process as its argv
+
-	Command []string `json:"command"`
+	// absolute path to executable file
 	Path string `json:"path,omitempty"`
 	// final args passed to container init
 	Args []string `json:"args"`
 	Confinement ConfinementConfig `json:"confinement"`
 }
@ -24,15 +29,17 @@ type ConfinementConfig struct {
 	AppID int `json:"app_id"`
 	// list of supplementary groups to inherit
 	Groups []string `json:"groups"`
-	// passwd username in the sandbox, defaults to passwd name of target uid or chronos
+	// passwd username in container, defaults to passwd name of target uid or chronos
 	Username string `json:"username,omitempty"`
-	// home directory in sandbox, empty for outer
+	// home directory in container, empty for outer
 	Inner string `json:"home_inner"`
 	// home directory in init namespace
 	Outer string `json:"home"`
-	// bwrap sandbox confinement configuration
+	// absolute path to shell, empty for host shell
 	Shell string `json:"shell,omitempty"`
 	// abstract sandbox configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
-	// extra acl entries to append
+	// extra acl ops, runs after everything else
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 	// reference to a system D-Bus proxy configuration,
@ -42,8 +49,8 @@ type ConfinementConfig struct {
 	// nil value makes session bus proxy assume built-in defaults
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// system resources to expose to the sandbox
+	// system resources to expose to the container
-	Enablements system.Enablements `json:"enablements"`
+	Enablements system.Enablement `json:"enablements"`
 }
 type ExtraPermConfig struct {
@ -74,24 +81,12 @@ func (e *ExtraPermConfig) String() string {
 	return string(buf)
 }
 type FilesystemConfig struct {
 	// mount point in sandbox, same as src if empty
 	Dst string `json:"dst,omitempty"`
 	// host filesystem path to make available to sandbox
 	Src string `json:"src"`
 	// write access
 	Write bool `json:"write,omitempty"`
 	// device access
 	Device bool `json:"dev,omitempty"`
 	// fail if mount fails
 	Must bool `json:"require,omitempty"`
 }
 // Template returns a fully populated instance of Config.
 func Template() *Config {
 	return &Config{
-		ID: "org.chromium.Chromium",
+		ID:   "org.chromium.Chromium",
-		Command: []string{
+		Path: "/run/current-system/sw/bin/chromium",
 		Args: []string{
 			"chromium",
 			"--ignore-gpu-blocklist",
 			"--disable-smooth-scrolling",
@ -104,13 +99,16 @@ func Template() *Config {
 			Username: "chronos",
 			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
 			Inner:    "/var/lib/fortify",
 			Shell:    "/run/current-system/sw/bin/zsh",
 			Sandbox: &SandboxConfig{
 				Hostname:      "localhost",
-				UserNS:        true,
+				Devel:         true,
 				Userns:        true,
 				Net:           true,
 				Dev:           true,
-				Syscall:       &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
+				Seccomp:       seccomp.FlagMultiarch,
-				NoNewSession:  true,
+				Tty:           true,
 				Multiarch:     true,
 				MapRealUID:    true,
 				DirectWayland: false,
 				// example API credentials pulled from Google Chrome
@ -129,10 +127,10 @@ func Template() *Config {
 						Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
 					{Src: "/dev/dri", Device: true},
 				},
-				Link:     [][2]string{{"/run/user/65534", "/run/user/150"}},
+				Link:    [][2]string{{"/run/user/65534", "/run/user/150"}},
-				Etc:      "/etc",
+				Etc:     "/etc",
-				AutoEtc:  true,
+				AutoEtc: true,
-				Override: []string{"/var/run/nscd"},
+				Cover:   []string{"/var/run/nscd"},
 			},
 			ExtraPerms: []*ExtraPermConfig{
 				{Path: "/var/lib/fortify/u0", Ensure: true, Execute: true},
@ -158,7 +156,7 @@ func Template() *Config {
 				Log:       false,
 				Filter:    true,
 			},
-			Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+			Enablements: system.EWayland | system.EDBus | system.EPulse,
 		},
 	}
 }
--- a/fst/sandbox.go
+++ b/fst/sandbox.go
@ -4,111 +4,153 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"maps"
 	"path"
 	"slices"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 )
 // SandboxConfig describes resources made available to the sandbox.
-type SandboxConfig struct {
+type (
-	// unix hostname within sandbox
+	SandboxConfig struct {
-	Hostname string `json:"hostname,omitempty"`
+		// container hostname
-	// allow userns within sandbox
+		Hostname string `json:"hostname,omitempty"`
 	UserNS bool `json:"userns,omitempty"`
 	// share net namespace
 	Net bool `json:"net,omitempty"`
 	// share all devices
 	Dev bool `json:"dev,omitempty"`
 	// seccomp syscall filter policy
 	Syscall *bwrap.SyscallPolicy `json:"syscall"`
 	// do not run in new session
 	NoNewSession bool `json:"no_new_session,omitempty"`
 	// map target user uid to privileged user uid in the user namespace
 	MapRealUID bool `json:"map_real_uid"`
 	// direct access to wayland socket
 	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// final environment variables
+		// extra seccomp flags
-	Env map[string]string `json:"env"`
+		Seccomp seccomp.SyscallOpts `json:"seccomp"`
-	// sandbox host filesystem access
+		// allow ptrace and friends
-	Filesystem []*FilesystemConfig `json:"filesystem"`
+		Devel bool `json:"devel,omitempty"`
-	// symlinks created inside the sandbox
+		// allow userns creation in container
-	Link [][2]string `json:"symlink"`
+		Userns bool `json:"userns,omitempty"`
-	// read-only /etc directory
+		// share host net namespace
-	Etc string `json:"etc,omitempty"`
+		Net bool `json:"net,omitempty"`
-	// automatically set up /etc symlinks
+		// expose main process tty
-	AutoEtc bool `json:"auto_etc"`
+		Tty bool `json:"tty,omitempty"`
-	// paths to override by mounting tmpfs over them
+		// allow multiarch
-	Override []string `json:"override"`
+		Multiarch bool `json:"multiarch,omitempty"`
 }
-// Bwrap returns the address of the corresponding bwrap.Config to s.
+		// initial process environment variables
-// Note that remaining tmpfs entries must be queued by the caller prior to launch.
+		Env map[string]string `json:"env"`
-func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
+		// map target user uid to privileged user uid in the user namespace
 		MapRealUID bool `json:"map_real_uid"`
 		// expose all devices
 		Dev bool `json:"dev,omitempty"`
 		// container host filesystem bind mounts
 		Filesystem []*FilesystemConfig `json:"filesystem"`
 		// create symlinks inside container filesystem
 		Link [][2]string `json:"symlink"`
 		// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
 		// and the bare socket is mounted to the sandbox
 		DirectWayland bool `json:"direct_wayland,omitempty"`
 		// read-only /etc directory
 		Etc string `json:"etc,omitempty"`
 		// automatically set up /etc symlinks
 		AutoEtc bool `json:"auto_etc"`
 		// cover these paths or create them if they do not already exist
 		Cover []string `json:"cover"`
 	}
 	// SandboxSys encapsulates system functions used during [sandbox.Container] initialisation.
 	SandboxSys interface {
 		Getuid() int
 		Getgid() int
 		Paths() Paths
 		ReadDir(name string) ([]fs.DirEntry, error)
 		EvalSymlinks(path string) (string, error)
 		Println(v ...any)
 		Printf(format string, v ...any)
 	}
 	// FilesystemConfig is a representation of [sandbox.BindMount].
 	FilesystemConfig struct {
 		// mount point in container, same as src if empty
 		Dst string `json:"dst,omitempty"`
 		// host filesystem path to make available to the container
 		Src string `json:"src"`
 		// do not mount filesystem read-only
 		Write bool `json:"write,omitempty"`
 		// do not disable device files
 		Device bool `json:"dev,omitempty"`
 		// fail if the bind mount cannot be established for any reason
 		Must bool `json:"require,omitempty"`
 	}
 )
 // ToContainer initialises [sandbox.Params] via [SandboxConfig].
 // Note that remaining container setup must be queued by the [App] implementation.
 func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Params, map[string]string, error) {
 	if s == nil {
-		return nil, errors.New("nil sandbox config")
+		return nil, nil, syscall.EBADE
 	}
-	if s.Syscall == nil {
+	container := &sandbox.Params{
 		fmsg.Verbose("syscall filter not configured, PROCEED WITH CAUTION")
 	}
 	var uid int
 	if !s.MapRealUID {
 		uid = 65534
 	} else {
 		uid = os.Geteuid()
 	}
 	conf := (&bwrap.Config{
 		Net:      s.Net,
 		UserNS:   s.UserNS,
 		Hostname: s.Hostname,
-		Clearenv: true,
+		Ops:      new(sandbox.Ops),
-		SetEnv:   s.Env,
+		Seccomp:  s.Seccomp,
 	}
-		/* this is only 4 KiB of memory on a 64-bit system,
+	if s.Multiarch {
-		permissive defaults on NixOS results in around 100 entries
+		container.Seccomp |= seccomp.FlagMultiarch
-		so this capacity should eliminate copies for most setups */
+	}
 		Filesystem: make([]bwrap.FSBuilder, 0, 256),
-		Syscall:       s.Syscall,
+	/* this is only 4 KiB of memory on a 64-bit system,
-		NewSession:    !s.NoNewSession,
+	permissive defaults on NixOS results in around 100 entries
-		DieWithParent: true,
+	so this capacity should eliminate copies for most setups */
-		AsInit:        true,
+	*container.Ops = slices.Grow(*container.Ops, 1<<8)
-		// initialise unconditionally as Once cannot be justified
+	if s.Devel {
-		// for saving such a miniscule amount of memory
+		container.Flags |= sandbox.FAllowDevel
-		Chmod: make(bwrap.ChmodConfig),
+	}
-	}).
+	if s.Userns {
-		SetUID(uid).SetGID(uid).
+		container.Flags |= sandbox.FAllowUserns
-		Procfs("/proc").
+	}
-		Tmpfs(Tmp, 4*1024)
+	if s.Net {
 		container.Flags |= sandbox.FAllowNet
 	}
 	if s.Tty {
 		container.Flags |= sandbox.FAllowTTY
 	}
 	if s.MapRealUID {
 		/* some programs fail to connect to dbus session running as a different uid
 		so this workaround is introduced to map priv-side caller uid in container */
 		container.Uid = sys.Getuid()
 		*uid = container.Uid
 		container.Gid = sys.Getgid()
 		*gid = container.Gid
 	} else {
 		*uid = sandbox.OverflowUid()
 		*gid = sandbox.OverflowGid()
 	}
 	container.
 		Proc("/proc").
 		Tmpfs(Tmp, 1<<12, 0755)
 	if !s.Dev {
-		conf.DevTmpfs("/dev").Mqueue("/dev/mqueue")
+		container.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
-		conf.Bind("/dev", "/dev", false, true, true)
+		container.Bind("/dev", "/dev", sandbox.BindDevice)
 	}
-	if !s.AutoEtc {
+	/* retrieve paths and hide them if they're made available in the sandbox;
-		if s.Etc == "" {
+	this feature tries to improve user experience of permissive defaults, and
-			conf.Dir("/etc")
+	to warn about issues in custom configuration; it is NOT a security feature
-		} else {
+	and should not be treated as such, ALWAYS be careful with what you bind */
 			conf.Bind(s.Etc, "/etc")
 		}
 	}
 	// retrieve paths and hide them if they're made available in the sandbox
 	var hidePaths []string
-	sc := os.Paths()
+	sc := sys.Paths()
 	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
 	_, systemBusAddr := dbus.Address()
 	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
-		return nil, err
+		return nil, nil, err
 	} else {
 		// there is usually only one, do not preallocate
 		for _, entry := range entries {
@ -121,11 +163,11 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 						// get parent dir of socket
 						dir := path.Dir(pair[1])
 						if dir == "." || dir == "/" {
-							fmsg.Verbosef("dbus socket %q is in an unusual location", pair[1])
+							sys.Printf("dbus socket %q is in an unusual location", pair[1])
 						}
 						hidePaths = append(hidePaths, dir)
 					} else {
-						fmsg.Verbosef("dbus socket %q is not absolute", pair[1])
+						sys.Printf("dbus socket %q is not absolute", pair[1])
 					}
 				}
 			}
@ -133,8 +175,8 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 	}
 	hidePathMatch := make([]bool, len(hidePaths))
 	for i := range hidePaths {
-		if err := evalSymlinks(os, &hidePaths[i]); err != nil {
+		if err := evalSymlinks(sys, &hidePaths[i]); err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 	}
@ -144,19 +186,19 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 		}
 		if !path.IsAbs(c.Src) {
-			return nil, fmt.Errorf("src path %q is not absolute", c.Src)
+			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
 		}
 		dest := c.Dst
 		if c.Dst == "" {
 			dest = c.Src
 		} else if !path.IsAbs(dest) {
-			return nil, fmt.Errorf("dst path %q is not absolute", dest)
+			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
 		}
 		srcH := c.Src
-		if err := evalSymlinks(os, &srcH); err != nil {
+		if err := evalSymlinks(sys, &srcH); err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		for i := range hidePaths {
@ -166,62 +208,77 @@ func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
 			}
 			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
-				return nil, err
+				return nil, nil, err
 			} else if ok {
 				hidePathMatch[i] = true
-				fmsg.Verbosef("hiding paths from %q", c.Src)
+				sys.Printf("hiding paths from %q", c.Src)
 			}
 		}
-		conf.Bind(c.Src, dest, !c.Must, c.Write, c.Device)
+		var flags int
 		if c.Write {
 			flags |= sandbox.BindWritable
 		}
 		if c.Device {
 			flags |= sandbox.BindDevice | sandbox.BindWritable
 		}
 		if !c.Must {
 			flags |= sandbox.BindOptional
 		}
 		container.Bind(c.Src, dest, flags)
 	}
-	// hide marked paths before setting up shares
+	// cover matched paths
 	for i, ok := range hidePathMatch {
 		if ok {
-			conf.Tmpfs(hidePaths[i], 8192)
+			container.Tmpfs(hidePaths[i], 1<<13, 0755)
 		}
 	}
 	for _, l := range s.Link {
-		conf.Symlink(l[0], l[1])
+		container.Link(l[0], l[1])
 	}
-	if s.AutoEtc {
+	// perf: this might work better if implemented as a setup op in container init
-		etc := s.Etc
+	if !s.AutoEtc {
-		if etc == "" {
+		if s.Etc != "" {
-			etc = "/etc"
+			container.Bind(s.Etc, "/etc", 0)
 		}
-		conf.Bind(etc, Tmp+"/etc")
+	} else {
 		etcPath := s.Etc
 		if etcPath == "" {
 			etcPath = "/etc"
 		}
 		container.Bind(etcPath, Tmp+"/etc", 0)
-		// link host /etc contents to prevent passwd/group from being overwritten
+		// link host /etc contents to prevent dropping passwd/group bind mounts
-		if d, err := os.ReadDir(etc); err != nil {
+		if d, err := sys.ReadDir(etcPath); err != nil {
-			return nil, err
+			return nil, nil, err
 		} else {
 			for _, ent := range d {
-				name := ent.Name()
+				n := ent.Name()
-				switch name {
+				switch n {
 				case "passwd":
 				case "group":
 				case "mtab":
-					conf.Symlink("/proc/mounts", "/etc/"+name)
+					container.Link("/proc/mounts", "/etc/"+n)
 				default:
-					conf.Symlink(Tmp+"/etc/"+name, "/etc/"+name)
+					container.Link(Tmp+"/etc/"+n, "/etc/"+n)
 				}
 			}
 		}
 	}
-	return conf, nil
+	return container, maps.Clone(s.Env), nil
 }
-func evalSymlinks(os linux.System, v *string) error {
+func evalSymlinks(sys SandboxSys, v *string) error {
-	if p, err := os.EvalSymlinks(*v); err != nil {
+	if p, err := sys.EvalSymlinks(*v); err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return err
 		}
-		fmsg.Verbosef("path %q does not yet exist", *v)
+		sys.Printf("path %q does not yet exist", *v)
 	} else {
 		*v = p
 	}
--- a/fst/shared.go
+++ b/fst/shared.go
@ -1,2 +0,0 @@
 // Package fst exports shared fortify types.
 package fst
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,3 @@
 module git.gensokyo.uk/security/fortify
-go 1.22
+go 1.23
--- a/helper/args.go
+++ b/helper/args.go
@ -1,38 +1,17 @@
 package helper
 import (
-	"errors"
+	"bytes"
 	"io"
-	"strings"
+	"syscall"
 )
-var (
+type argsWt [][]byte
 	ErrContainsNull = errors.New("argument contains null character")
 )
 type argsWt []string
 // checks whether any element contains the null character
 // must be called before args use and args must not be modified after call
 func (a argsWt) check() error {
 	for _, arg := range a {
 		for _, b := range arg {
 			if b == '\x00' {
 				return ErrContainsNull
 			}
 		}
 	}
 	return nil
 }
 func (a argsWt) WriteTo(w io.Writer) (int64, error) {
 	// assuming already checked
 	nt := 0
 	// write null terminated arguments
 	for _, arg := range a {
-		n, err := w.Write([]byte(arg + "\x00"))
+		n, err := w.Write(arg)
 		nt += n
 		if err != nil {
@ -44,18 +23,32 @@ func (a argsWt) WriteTo(w io.Writer) (int64, error) {
 }
 func (a argsWt) String() string {
-	return strings.Join(a, " ")
+	return string(
 		bytes.TrimSuffix(
 			bytes.ReplaceAll(
 				bytes.Join(a, nil),
 				[]byte{0}, []byte{' '},
 			),
 			[]byte{' '},
 		),
 	)
 }
-// NewCheckedArgs returns a checked argument writer for args.
+// NewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
-// Callers must not retain any references to args.
+func NewCheckedArgs(args []string) (wt io.WriterTo, err error) {
-func NewCheckedArgs(args []string) (io.WriterTo, error) {
+	a := make(argsWt, len(args))
-	a := argsWt(args)
+	for i, arg := range args {
-	return a, a.check()
+		a[i], err = syscall.ByteSliceFromString(arg)
 		if err != nil {
 			return
 		}
 	}
 	wt = a
 	return
 }
-// MustNewCheckedArgs returns a checked argument writer for args and panics if check fails.
+// MustNewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
-// Callers must not retain any references to args.
+// If s contains a NUL byte this function panics instead of returning an error.
 func MustNewCheckedArgs(args []string) io.WriterTo {
 	a, err := NewCheckedArgs(args)
 	if err != nil {
--- a/helper/args_test.go
+++ b/helper/args_test.go
@ -4,34 +4,33 @@ import (
 	"errors"
 	"fmt"
 	"strings"
 	"syscall"
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper"
 )
-func Test_argsFD_String(t *testing.T) {
+func TestArgsString(t *testing.T) {
 	wantString := strings.Join(wantArgs, " ")
 	if got := argsWt.(fmt.Stringer).String(); got != wantString {
-		t.Errorf("String(): got %v; want %v",
+		t.Errorf("String: %q, want %q",
 			got, wantString)
 	}
 }
 func TestNewCheckedArgs(t *testing.T) {
 	args := []string{"\x00"}
-	if _, err := helper.NewCheckedArgs(args); !errors.Is(err, helper.ErrContainsNull) {
+	if _, err := helper.NewCheckedArgs(args); !errors.Is(err, syscall.EINVAL) {
-		t.Errorf("NewCheckedArgs(%q) error = %v, wantErr %v",
+		t.Errorf("NewCheckedArgs: error = %v, wantErr %v",
-			args,
+			err, syscall.EINVAL)
 			err, helper.ErrContainsNull)
 	}
 	t.Run("must panic", func(t *testing.T) {
 		badPayload := []string{"\x00"}
 		defer func() {
-			wantPanic := "argument contains null character"
+			wantPanic := "invalid argument"
 			if r := recover(); r != wantPanic {
-				t.Errorf("MustNewCheckedArgs(%q) panic = %v, wantPanic %v",
+				t.Errorf("MustNewCheckedArgs: panic = %v, wantPanic %v",
 					badPayload,
 					r, wantPanic)
 			}
 		}()
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@ -1,87 +0,0 @@
 package helper
 import (
 	"context"
 	"errors"
 	"io"
 	"os"
 	"slices"
 	"strconv"
 	"sync"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 // BubblewrapName is the file name or path to bubblewrap.
 var BubblewrapName = "bwrap"
 type bubblewrap struct {
 	// final args fd of bwrap process
 	argsFd uintptr
 	// name of the command to run in bwrap
 	name string
 	lock sync.RWMutex
 	*helperCmd
 }
 func (b *bubblewrap) Start(ctx context.Context, stat bool) error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 	// Check for doubled Start calls before we defer failure cleanup. If the prior
 	// call to Start succeeded, we don't want to spuriously close its pipes.
 	if b.Cmd != nil && b.Cmd.Process != nil {
 		return errors.New("exec: already started")
 	}
 	args := b.finalise(ctx, stat)
 	b.Cmd.Args = slices.Grow(b.Cmd.Args, 4+len(args))
 	b.Cmd.Args = append(b.Cmd.Args, "--args", strconv.Itoa(int(b.argsFd)), "--", b.name)
 	b.Cmd.Args = append(b.Cmd.Args, args...)
 	return proc.Fulfill(ctx, b.Cmd, b.files, b.extraFiles)
 }
 // MustNewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
 // If wt is nil, the child process spawned by bwrap will not get an argument pipe.
 // Function argF returns an array of arguments passed directly to the child process.
 func MustNewBwrap(
 	conf *bwrap.Config, name string,
 	wt io.WriterTo, argF func(argsFD, statFD int) []string,
 	extraFiles []*os.File,
 	syncFd *os.File,
 ) Helper {
 	b, err := NewBwrap(conf, name, wt, argF, extraFiles, syncFd)
 	if err != nil {
 		panic(err.Error())
 	} else {
 		return b
 	}
 }
 // NewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
 // If wt is nil, the child process spawned by bwrap will not get an argument pipe.
 // Function argF returns an array of arguments passed directly to the child process.
 func NewBwrap(
 	conf *bwrap.Config, name string,
 	wt io.WriterTo, argF func(argsFd, statFd int) []string,
 	extraFiles []*os.File,
 	syncFd *os.File,
 ) (Helper, error) {
 	b := new(bubblewrap)
 	b.name = name
 	b.helperCmd = newHelperCmd(b, BubblewrapName, wt, argF, extraFiles)
 	if v, err := NewCheckedArgs(conf.Args(syncFd, b.extraFiles, &b.files)); err != nil {
 		return nil, err
 	} else {
 		f := proc.NewWriterTo(v)
 		b.argsFd = proc.InitFile(f, b.extraFiles)
 		b.files = append(b.files, f)
 	}
 	return b, nil
 }
--- a/helper/bwrap/arg.go
+++ b/helper/bwrap/arg.go
@ -1,72 +0,0 @@
 package bwrap
 import (
 	"os"
 	"slices"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 type Builder interface {
 	Len() int
 	Append(args *[]string)
 }
 type FSBuilder interface {
 	Path() string
 	Builder
 }
 type FDBuilder interface {
 	proc.File
 	Builder
 }
 // Args returns a slice of bwrap args corresponding to c.
 func (c *Config) Args(syncFd *os.File, extraFiles *proc.ExtraFilesPre, files *[]proc.File) (args []string) {
 	builders := []Builder{
 		c.boolArgs(),
 		c.intArgs(),
 		c.stringArgs(),
 		c.pairArgs(),
 		c.seccompArgs(),
 		newFile(SyncFd.String(), syncFd),
 	}
 	builders = slices.Grow(builders, len(c.Filesystem)+1)
 	for _, f := range c.Filesystem {
 		builders = append(builders, f)
 	}
 	builders = append(builders, c.Chmod)
 	argc := 0
 	fc := 0
 	for _, b := range builders {
 		l := b.Len()
 		if l < 1 {
 			continue
 		}
 		argc += l
 		if f, ok := b.(FDBuilder); ok {
 			fc++
 			proc.InitFile(f, extraFiles)
 		}
 	}
 	fc++ // allocate extra slot for stat fd
 	args = make([]string, 0, argc)
 	*files = slices.Grow(*files, fc)
 	for _, b := range builders {
 		if b.Len() < 1 {
 			continue
 		}
 		b.Append(&args)
 		if f, ok := b.(FDBuilder); ok {
 			*files = append(*files, f)
 		}
 	}
 	return
 }
--- a/helper/bwrap/builder.go
+++ b/helper/bwrap/builder.go
@ -1,199 +0,0 @@
 package bwrap
 import (
 	"os"
 )
 /*
 Bind binds mount src on host to dest in sandbox.
 Bind(src, dest) bind mount host path readonly on sandbox
 (--ro-bind SRC DEST).
 Bind(src, dest, true) equal to ROBind but ignores non-existent host path
 (--ro-bind-try SRC DEST).
 Bind(src, dest, false, true) bind mount host path on sandbox.
 (--bind SRC DEST).
 Bind(src, dest, true, true) equal to Bind but ignores non-existent host path
 (--bind-try SRC DEST).
 Bind(src, dest, false, true, true) bind mount host path on sandbox, allowing device access
 (--dev-bind SRC DEST).
 Bind(src, dest, true, true, true) equal to DevBind but ignores non-existent host path
 (--dev-bind-try SRC DEST).
 */
 func (c *Config) Bind(src, dest string, opts ...bool) *Config {
 	var (
 		try   bool
 		write bool
 		dev   bool
 	)
 	if len(opts) > 0 {
 		try = opts[0]
 	}
 	if len(opts) > 1 {
 		write = opts[1]
 	}
 	if len(opts) > 2 {
 		dev = opts[2]
 	}
 	if dev {
 		if try {
 			c.Filesystem = append(c.Filesystem, &pairF{DevBindTry.String(), src, dest})
 		} else {
 			c.Filesystem = append(c.Filesystem, &pairF{DevBind.String(), src, dest})
 		}
 		return c
 	} else if write {
 		if try {
 			c.Filesystem = append(c.Filesystem, &pairF{BindTry.String(), src, dest})
 		} else {
 			c.Filesystem = append(c.Filesystem, &pairF{Bind.String(), src, dest})
 		}
 		return c
 	} else {
 		if try {
 			c.Filesystem = append(c.Filesystem, &pairF{ROBindTry.String(), src, dest})
 		} else {
 			c.Filesystem = append(c.Filesystem, &pairF{ROBind.String(), src, dest})
 		}
 		return c
 	}
 }
 // Write copy from FD to destination DEST
 // (--file FD DEST)
 func (c *Config) Write(dest string, payload []byte) *Config {
 	c.Filesystem = append(c.Filesystem, &DataConfig{Dest: dest, Data: payload, Type: DataWrite})
 	return c
 }
 /*
 CopyBind copy from FD to file which is readonly bind-mounted on DEST
 (--ro-bind-data FD DEST)
 CopyBind(dest, payload, true) copy from FD to file which is bind-mounted on DEST
 (--bind-data FD DEST)
 */
 func (c *Config) CopyBind(dest string, payload []byte, opts ...bool) *Config {
 	var p *[]byte
 	c.CopyBindRef(dest, &p, opts...)
 	*p = payload
 	return c
 }
 // CopyBindRef is the same as CopyBind but writes the address of DataConfig.Data.
 func (c *Config) CopyBindRef(dest string, payloadRef **[]byte, opts ...bool) *Config {
 	t := DataROBind
 	if len(opts) > 0 && opts[0] {
 		t = DataBind
 	}
 	d := &DataConfig{Dest: dest, Type: t}
 	*payloadRef = &d.Data
 	c.Filesystem = append(c.Filesystem, d)
 	return c
 }
 // Dir create dir in sandbox
 // (--dir DEST)
 func (c *Config) Dir(dest string) *Config {
 	c.Filesystem = append(c.Filesystem, &stringF{Dir.String(), dest})
 	return c
 }
 // RemountRO remount path as readonly; does not recursively remount
 // (--remount-ro DEST)
 func (c *Config) RemountRO(dest string) *Config {
 	c.Filesystem = append(c.Filesystem, &stringF{RemountRO.String(), dest})
 	return c
 }
 // Procfs mount new procfs in sandbox
 // (--proc DEST)
 func (c *Config) Procfs(dest string) *Config {
 	c.Filesystem = append(c.Filesystem, &stringF{Procfs.String(), dest})
 	return c
 }
 // DevTmpfs mount new dev in sandbox
 // (--dev DEST)
 func (c *Config) DevTmpfs(dest string) *Config {
 	c.Filesystem = append(c.Filesystem, &stringF{DevTmpfs.String(), dest})
 	return c
 }
 // Mqueue mount new mqueue in sandbox
 // (--mqueue DEST)
 func (c *Config) Mqueue(dest string) *Config {
 	c.Filesystem = append(c.Filesystem, &stringF{Mqueue.String(), dest})
 	return c
 }
 // Tmpfs mount new tmpfs in sandbox
 // (--tmpfs DEST)
 func (c *Config) Tmpfs(dest string, size int, perm ...os.FileMode) *Config {
 	tmpfs := &PermConfig[*TmpfsConfig]{Inner: &TmpfsConfig{Dir: dest}}
 	if size >= 0 {
 		tmpfs.Inner.Size = size
 	}
 	if len(perm) == 1 {
 		tmpfs.Mode = &perm[0]
 	}
 	c.Filesystem = append(c.Filesystem, tmpfs)
 	return c
 }
 // Overlay mount overlayfs on DEST, with writes going to an invisible tmpfs
 // (--tmp-overlay DEST)
 func (c *Config) Overlay(dest string, src ...string) *Config {
 	c.Filesystem = append(c.Filesystem, &OverlayConfig{Src: src, Dest: dest})
 	return c
 }
 // Join mount overlayfs read-only on DEST
 // (--ro-overlay DEST)
 func (c *Config) Join(dest string, src ...string) *Config {
 	c.Filesystem = append(c.Filesystem, &OverlayConfig{Src: src, Dest: dest, Persist: new([2]string)})
 	return c
 }
 // Persist mount overlayfs on DEST, with RWSRC as the host path for writes and
 // WORKDIR an empty directory on the same filesystem as RWSRC
 // (--overlay RWSRC WORKDIR DEST)
 func (c *Config) Persist(dest, rwsrc, workdir string, src ...string) *Config {
 	if rwsrc == "" || workdir == "" {
 		panic("persist called without required paths")
 	}
 	c.Filesystem = append(c.Filesystem, &OverlayConfig{Src: src, Dest: dest, Persist: &[2]string{rwsrc, workdir}})
 	return c
 }
 // Symlink create symlink within sandbox
 // (--symlink SRC DEST)
 func (c *Config) Symlink(src, dest string, perm ...os.FileMode) *Config {
 	symlink := &PermConfig[SymlinkConfig]{Inner: SymlinkConfig{src, dest}}
 	if len(perm) == 1 {
 		symlink.Mode = &perm[0]
 	}
 	c.Filesystem = append(c.Filesystem, symlink)
 	return c
 }
 // SetUID sets custom uid in the sandbox, requires new user namespace (--uid UID).
 func (c *Config) SetUID(uid int) *Config {
 	if uid >= 0 {
 		c.UID = &uid
 	}
 	return c
 }
 // SetGID sets custom gid in the sandbox, requires new user namespace (--gid GID).
 func (c *Config) SetGID(gid int) *Config {
 	if gid >= 0 {
 		c.GID = &gid
 	}
 	return c
 }
--- a/helper/bwrap/config.go
+++ b/helper/bwrap/config.go
@ -1,104 +0,0 @@
 package bwrap
 type Config struct {
 	// unshare every namespace we support by default if nil
 	// (--unshare-all)
 	Unshare *UnshareConfig `json:"unshare,omitempty"`
 	// retain the network namespace (can only combine with nil Unshare)
 	// (--share-net)
 	Net bool `json:"net"`
 	// disable further use of user namespaces inside sandbox and fail unless
 	// further use of user namespace inside sandbox is disabled if false
 	// (--disable-userns) (--assert-userns-disabled)
 	UserNS bool `json:"userns"`
 	// custom uid in the sandbox, requires new user namespace
 	// (--uid UID)
 	UID *int `json:"uid,omitempty"`
 	// custom gid in the sandbox, requires new user namespace
 	// (--gid GID)
 	GID *int `json:"gid,omitempty"`
 	// custom hostname in the sandbox, requires new uts namespace
 	// (--hostname NAME)
 	Hostname string `json:"hostname,omitempty"`
 	// change directory
 	// (--chdir DIR)
 	Chdir string `json:"chdir,omitempty"`
 	// unset all environment variables
 	// (--clearenv)
 	Clearenv bool `json:"clearenv"`
 	// set environment variable
 	// (--setenv VAR VALUE)
 	SetEnv map[string]string `json:"setenv,omitempty"`
 	// unset environment variables
 	// (--unsetenv VAR)
 	UnsetEnv []string `json:"unsetenv,omitempty"`
 	// take a lock on file while sandbox is running
 	// (--lock-file DEST)
 	LockFile []string `json:"lock_file,omitempty"`
 	// ordered filesystem args
 	Filesystem []FSBuilder `json:"filesystem,omitempty"`
 	// change permissions (must already exist)
 	// (--chmod OCTAL PATH)
 	Chmod ChmodConfig `json:"chmod,omitempty"`
 	// load and use seccomp rules from FD (not repeatable)
 	// (--seccomp FD)
 	Syscall *SyscallPolicy
 	// create a new terminal session
 	// (--new-session)
 	NewSession bool `json:"new_session"`
 	// kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.
 	// (--die-with-parent)
 	DieWithParent bool `json:"die_with_parent"`
 	// do not install a reaper process with PID=1
 	// (--as-pid-1)
 	AsInit bool `json:"as_init"`
 	/* unmapped options include:
 	    --unshare-user-try           Create new user namespace if possible else continue by skipping it
 	    --unshare-cgroup-try         Create new cgroup namespace if possible else continue by skipping it
 	    --userns FD                  Use this user namespace (cannot combine with --unshare-user)
 	    --userns2 FD                 After setup switch to this user namespace, only useful with --userns
 	    --pidns FD                   Use this pid namespace (as parent namespace if using --unshare-pid)
 	    --bind-fd FD DEST            Bind open directory or path fd on DEST
 	    --ro-bind-fd FD DEST         Bind open directory or path fd read-only on DEST
 	    --exec-label LABEL           Exec label for the sandbox
 	    --file-label LABEL           File label for temporary sandbox content
 	    --add-seccomp-fd FD          Load and use seccomp rules from FD (repeatable)
 	    --block-fd FD                Block on FD until some data to read is available
 	    --userns-block-fd FD         Block on FD until the user namespace is ready
 	    --info-fd FD                 Write information about the running container to FD
 	    --json-status-fd FD          Write container status to FD as multiple JSON documents
 	    --cap-add CAP                Add cap CAP when running as privileged user
 	    --cap-drop CAP               Drop cap CAP when running as privileged user
 	among which --args is used internally for passing arguments */
 }
 type UnshareConfig struct {
 	// (--unshare-user)
 	// create new user namespace
 	User bool `json:"user"`
 	// (--unshare-ipc)
 	// create new ipc namespace
 	IPC bool `json:"ipc"`
 	// (--unshare-pid)
 	// create new pid namespace
 	PID bool `json:"pid"`
 	// (--unshare-net)
 	// create new network namespace
 	Net bool `json:"net"`
 	// (--unshare-uts)
 	// create new uts namespace
 	UTS bool `json:"uts"`
 	// (--unshare-cgroup)
 	// create new cgroup namespace
 	CGroup bool `json:"cgroup"`
 }
--- a/helper/bwrap/config_test.go
+++ b/helper/bwrap/config_test.go
@ -1,257 +0,0 @@
 package bwrap_test
 import (
 	"log"
 	"os"
 	"slices"
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/helper/seccomp"
 )
 func TestConfig_Args(t *testing.T) {
 	seccomp.CPrintln = log.Println
 	t.Cleanup(func() { seccomp.CPrintln = nil })
 	testCases := []struct {
 		name string
 		conf *bwrap.Config
 		want []string
 	}{
 		{
 			"bind", (new(bwrap.Config)).
 				Bind("/etc", "/.fortify/etc").
 				Bind("/etc", "/.fortify/etc", true).
 				Bind("/run", "/.fortify/run", false, true).
 				Bind("/sys/devices", "/.fortify/sys/devices", true, true).
 				Bind("/dev/dri", "/.fortify/dev/dri", false, true, true).
 				Bind("/dev/dri", "/.fortify/dev/dri", true, true, true),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Bind("/etc", "/.fortify/etc")
 				"--ro-bind", "/etc", "/.fortify/etc",
 				// Bind("/etc", "/.fortify/etc", true)
 				"--ro-bind-try", "/etc", "/.fortify/etc",
 				// Bind("/run", "/.fortify/run", false, true)
 				"--bind", "/run", "/.fortify/run",
 				// Bind("/sys/devices", "/.fortify/sys/devices", true, true)
 				"--bind-try", "/sys/devices", "/.fortify/sys/devices",
 				// Bind("/dev/dri", "/.fortify/dev/dri", false, true, true)
 				"--dev-bind", "/dev/dri", "/.fortify/dev/dri",
 				// Bind("/dev/dri", "/.fortify/dev/dri", true, true, true)
 				"--dev-bind-try", "/dev/dri", "/.fortify/dev/dri",
 			},
 		},
 		{
 			"dir remount-ro proc dev mqueue", (new(bwrap.Config)).
 				Dir("/.fortify").
 				RemountRO("/home").
 				Procfs("/proc").
 				DevTmpfs("/dev").
 				Mqueue("/dev/mqueue"),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Dir("/.fortify")
 				"--dir", "/.fortify",
 				// RemountRO("/home")
 				"--remount-ro", "/home",
 				// Procfs("/proc")
 				"--proc", "/proc",
 				// DevTmpfs("/dev")
 				"--dev", "/dev",
 				// Mqueue("/dev/mqueue")
 				"--mqueue", "/dev/mqueue",
 			},
 		},
 		{
 			"tmpfs", (new(bwrap.Config)).
 				Tmpfs("/run/user", 8192).
 				Tmpfs("/run/dbus", 8192, 0755),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Tmpfs("/run/user", 8192)
 				"--size", "8192", "--tmpfs", "/run/user",
 				// Tmpfs("/run/dbus", 8192, 0755)
 				"--perms", "755", "--size", "8192", "--tmpfs", "/run/dbus",
 			},
 		},
 		{
 			"symlink", (new(bwrap.Config)).
 				Symlink("/.fortify/sbin/init", "/sbin/init").
 				Symlink("/.fortify/sbin/init", "/sbin/init", 0755),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Symlink("/.fortify/sbin/init", "/sbin/init")
 				"--symlink", "/.fortify/sbin/init", "/sbin/init",
 				// Symlink("/.fortify/sbin/init", "/sbin/init", 0755)
 				"--perms", "755", "--symlink", "/.fortify/sbin/init", "/sbin/init",
 			},
 		},
 		{
 			"overlayfs", (new(bwrap.Config)).
 				Overlay("/etc", "/etc").
 				Join("/.fortify/bin", "/bin", "/usr/bin", "/usr/local/bin").
 				Persist("/nix", "/data/data/org.chromium.Chromium/overlay/rwsrc", "/data/data/org.chromium.Chromium/workdir", "/data/app/org.chromium.Chromium/nix"),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Overlay("/etc", "/etc")
 				"--overlay-src", "/etc", "--tmp-overlay", "/etc",
 				// Join("/.fortify/bin", "/bin", "/usr/bin", "/usr/local/bin")
 				"--overlay-src", "/bin", "--overlay-src", "/usr/bin",
 				"--overlay-src", "/usr/local/bin", "--ro-overlay", "/.fortify/bin",
 				// Persist("/nix", "/data/data/org.chromium.Chromium/overlay/rwsrc", "/data/data/org.chromium.Chromium/workdir", "/data/app/org.chromium.Chromium/nix")
 				"--overlay-src", "/data/app/org.chromium.Chromium/nix",
 				"--overlay", "/data/data/org.chromium.Chromium/overlay/rwsrc", "/data/data/org.chromium.Chromium/workdir", "/nix",
 			},
 		},
 		{
 			"copy", (new(bwrap.Config)).
 				Write("/.fortify/version", make([]byte, 8)).
 				CopyBind("/etc/group", make([]byte, 8)).
 				CopyBind("/etc/passwd", make([]byte, 8), true),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Write("/.fortify/version", make([]byte, 8))
 				"--file", "3", "/.fortify/version",
 				// CopyBind("/etc/group", make([]byte, 8))
 				"--ro-bind-data", "4", "/etc/group",
 				// CopyBind("/etc/passwd", make([]byte, 8), true)
 				"--bind-data", "5", "/etc/passwd",
 			},
 		},
 		{
 			"unshare", &bwrap.Config{Unshare: &bwrap.UnshareConfig{
 				User:   false,
 				IPC:    false,
 				PID:    false,
 				Net:    false,
 				UTS:    false,
 				CGroup: false,
 			}},
 			[]string{"--disable-userns", "--assert-userns-disabled"},
 		},
 		{
 			"uid gid sync", (new(bwrap.Config)).
 				SetUID(1971).
 				SetGID(100),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// SetUID(1971)
 				"--uid", "1971",
 				// SetGID(100)
 				"--gid", "100",
 			},
 		},
 		{
 			"hostname chdir setenv unsetenv lockfile chmod syscall", &bwrap.Config{
 				Hostname: "fortify",
 				Chdir:    "/.fortify",
 				SetEnv:   map[string]string{"FORTIFY_INIT": "/.fortify/sbin/init"},
 				UnsetEnv: []string{"HOME", "HOST"},
 				LockFile: []string{"/.fortify/lock"},
 				Syscall:  new(bwrap.SyscallPolicy),
 				Chmod:    map[string]os.FileMode{"/.fortify/sbin/init": 0755},
 			},
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				// Hostname: "fortify"
 				"--hostname", "fortify",
 				// Chdir: "/.fortify"
 				"--chdir", "/.fortify",
 				// UnsetEnv: []string{"HOME", "HOST"}
 				"--unsetenv", "HOME",
 				"--unsetenv", "HOST",
 				// LockFile: []string{"/.fortify/lock"},
 				"--lock-file", "/.fortify/lock",
 				// SetEnv: map[string]string{"FORTIFY_INIT": "/.fortify/sbin/init"}
 				"--setenv", "FORTIFY_INIT", "/.fortify/sbin/init",
 				// Syscall: new(bwrap.SyscallPolicy),
 				"--seccomp", "3",
 				// Chmod: map[string]os.FileMode{"/.fortify/sbin/init": 0755}
 				"--chmod", "755", "/.fortify/sbin/init",
 			},
 		},
 		{
 			"xdg-dbus-proxy constraint sample", (&bwrap.Config{Clearenv: true, DieWithParent: true}).
 				Symlink("usr/bin", "/bin").
 				Symlink("var/home", "/home").
 				Symlink("usr/lib", "/lib").
 				Symlink("usr/lib64", "/lib64").
 				Symlink("run/media", "/media").
 				Symlink("var/mnt", "/mnt").
 				Symlink("var/opt", "/opt").
 				Symlink("sysroot/ostree", "/ostree").
 				Symlink("var/roothome", "/root").
 				Symlink("usr/sbin", "/sbin").
 				Symlink("var/srv", "/srv").
 				Bind("/run", "/run", false, true).
 				Bind("/tmp", "/tmp", false, true).
 				Bind("/var", "/var", false, true).
 				Bind("/run/user/1971/.dbus-proxy/", "/run/user/1971/.dbus-proxy/", false, true).
 				Bind("/boot", "/boot").
 				Bind("/dev", "/dev").
 				Bind("/proc", "/proc").
 				Bind("/sys", "/sys").
 				Bind("/sysroot", "/sysroot").
 				Bind("/usr", "/usr").
 				Bind("/etc", "/etc"),
 			[]string{
 				"--unshare-all", "--unshare-user",
 				"--disable-userns", "--assert-userns-disabled",
 				"--clearenv", "--die-with-parent",
 				"--symlink", "usr/bin", "/bin",
 				"--symlink", "var/home", "/home",
 				"--symlink", "usr/lib", "/lib",
 				"--symlink", "usr/lib64", "/lib64",
 				"--symlink", "run/media", "/media",
 				"--symlink", "var/mnt", "/mnt",
 				"--symlink", "var/opt", "/opt",
 				"--symlink", "sysroot/ostree", "/ostree",
 				"--symlink", "var/roothome", "/root",
 				"--symlink", "usr/sbin", "/sbin",
 				"--symlink", "var/srv", "/srv",
 				"--bind", "/run", "/run",
 				"--bind", "/tmp", "/tmp",
 				"--bind", "/var", "/var",
 				"--bind", "/run/user/1971/.dbus-proxy/", "/run/user/1971/.dbus-proxy/",
 				"--ro-bind", "/boot", "/boot",
 				"--ro-bind", "/dev", "/dev",
 				"--ro-bind", "/proc", "/proc",
 				"--ro-bind", "/sys", "/sys",
 				"--ro-bind", "/sysroot", "/sysroot",
 				"--ro-bind", "/usr", "/usr",
 				"--ro-bind", "/etc", "/etc",
 			},
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			if got := tc.conf.Args(nil, new(proc.ExtraFilesPre), new([]proc.File)); !slices.Equal(got, tc.want) {
 				t.Errorf("Args() = %#v, want %#v", got, tc.want)
 			}
 		})
 	}
 	// test persist validation
 	t.Run("invalid persist", func(t *testing.T) {
 		defer func() {
 			wantPanic := "persist called without required paths"
 			if r := recover(); r != wantPanic {
 				t.Errorf("Persist() panic = %v; wantPanic %v", r, wantPanic)
 			}
 		}()
 		(new(bwrap.Config)).Persist("/run", "", "")
 	})
 }
--- a/helper/bwrap/seccomp.go
+++ b/helper/bwrap/seccomp.go
@ -1,85 +0,0 @@
 package bwrap
 import (
 	"fmt"
 	"strconv"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/helper/seccomp"
 )
 type SyscallPolicy struct {
 	// disable fortify extensions
 	Compat bool `json:"compat"`
 	// deny development syscalls
 	DenyDevel bool `json:"deny_devel"`
 	// deny multiarch/emulation syscalls
 	Multiarch bool `json:"multiarch"`
 	// allow PER_LINUX32
 	Linux32 bool `json:"linux32"`
 	// allow AF_CAN
 	Can bool `json:"can"`
 	// allow AF_BLUETOOTH
 	Bluetooth bool `json:"bluetooth"`
 }
 func (c *Config) seccompArgs() FDBuilder {
 	// explicitly disable syscall filter
 	if c.Syscall == nil {
 		// nil File skips builder
 		return new(seccompBuilder)
 	}
 	var (
 		opts    seccomp.SyscallOpts
 		optd    []string
 		optCond = [...]struct {
 			v bool
 			o seccomp.SyscallOpts
 			d string
 		}{
 			{!c.Syscall.Compat, seccomp.FlagExt, "fortify"},
 			{!c.UserNS, seccomp.FlagDenyNS, "denyns"},
 			{c.NewSession, seccomp.FlagDenyTTY, "denytty"},
 			{c.Syscall.DenyDevel, seccomp.FlagDenyDevel, "denydevel"},
 			{c.Syscall.Multiarch, seccomp.FlagMultiarch, "multiarch"},
 			{c.Syscall.Linux32, seccomp.FlagLinux32, "linux32"},
 			{c.Syscall.Can, seccomp.FlagCan, "can"},
 			{c.Syscall.Bluetooth, seccomp.FlagBluetooth, "bluetooth"},
 		}
 	)
 	if seccomp.CPrintln != nil {
 		optd = make([]string, 1, len(optCond)+1)
 		optd[0] = "common"
 	}
 	for _, opt := range optCond {
 		if opt.v {
 			opts |= opt.o
 			if seccomp.CPrintln != nil {
 				optd = append(optd, opt.d)
 			}
 		}
 	}
 	if seccomp.CPrintln != nil {
 		seccomp.CPrintln(fmt.Sprintf("seccomp flags: %s", optd))
 	}
 	return &seccompBuilder{seccomp.NewFile(opts)}
 }
 type seccompBuilder struct{ proc.File }
 func (s *seccompBuilder) Len() int {
 	if s == nil || s.File == nil {
 		return 0
 	}
 	return 2
 }
 func (s *seccompBuilder) Append(args *[]string) {
 	if s == nil || s.File == nil {
 		return
 	}
 	*args = append(*args, Seccomp.String(), strconv.Itoa(int(s.Fd())))
 }
--- a/helper/bwrap/sequential.go
+++ b/helper/bwrap/sequential.go
@ -1,273 +0,0 @@
 package bwrap
 import (
 	"encoding/gob"
 	"fmt"
 	"io"
 	"os"
 	"strconv"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 func init() {
 	gob.Register(new(PermConfig[SymlinkConfig]))
 	gob.Register(new(PermConfig[*TmpfsConfig]))
 	gob.Register(new(OverlayConfig))
 	gob.Register(new(DataConfig))
 }
 type PositionalArg int
 func (p PositionalArg) String() string { return positionalArgs[p] }
 const (
 	Tmpfs PositionalArg = iota
 	Symlink
 	Bind
 	BindTry
 	DevBind
 	DevBindTry
 	ROBind
 	ROBindTry
 	Chmod
 	Dir
 	RemountRO
 	Procfs
 	DevTmpfs
 	Mqueue
 	Perms
 	Size
 	OverlaySrc
 	Overlay
 	TmpOverlay
 	ROOverlay
 	SyncFd
 	Seccomp
 	File
 	BindData
 	ROBindData
 )
 var positionalArgs = [...]string{
 	Tmpfs:   "--tmpfs",
 	Symlink: "--symlink",
 	Bind:       "--bind",
 	BindTry:    "--bind-try",
 	DevBind:    "--dev-bind",
 	DevBindTry: "--dev-bind-try",
 	ROBind:     "--ro-bind",
 	ROBindTry:  "--ro-bind-try",
 	Chmod:     "--chmod",
 	Dir:       "--dir",
 	RemountRO: "--remount-ro",
 	Procfs:    "--proc",
 	DevTmpfs:  "--dev",
 	Mqueue:    "--mqueue",
 	Perms: "--perms",
 	Size:  "--size",
 	OverlaySrc: "--overlay-src",
 	Overlay:    "--overlay",
 	TmpOverlay: "--tmp-overlay",
 	ROOverlay:  "--ro-overlay",
 	SyncFd:  "--sync-fd",
 	Seccomp: "--seccomp",
 	File:       "--file",
 	BindData:   "--bind-data",
 	ROBindData: "--ro-bind-data",
 }
 type PermConfig[T FSBuilder] struct {
 	// set permissions of next argument
 	// (--perms OCTAL)
 	Mode *os.FileMode `json:"mode,omitempty"`
 	// path to get the new permission
 	// (--bind-data, --file, etc.)
 	Inner T `json:"path"`
 }
 func (p *PermConfig[T]) Path() string { return p.Inner.Path() }
 func (p *PermConfig[T]) Len() int {
 	if p.Mode != nil {
 		return p.Inner.Len() + 2
 	} else {
 		return p.Inner.Len()
 	}
 }
 func (p *PermConfig[T]) Append(args *[]string) {
 	if p.Mode != nil {
 		*args = append(*args, Perms.String(), strconv.FormatInt(int64(*p.Mode), 8))
 	}
 	p.Inner.Append(args)
 }
 type TmpfsConfig struct {
 	// set size of tmpfs
 	// (--size BYTES)
 	Size int `json:"size,omitempty"`
 	// mount point of new tmpfs
 	// (--tmpfs DEST)
 	Dir string `json:"dir"`
 }
 func (t *TmpfsConfig) Path() string { return t.Dir }
 func (t *TmpfsConfig) Len() int {
 	if t.Size > 0 {
 		return 4
 	} else {
 		return 2
 	}
 }
 func (t *TmpfsConfig) Append(args *[]string) {
 	if t.Size > 0 {
 		*args = append(*args, Size.String(), strconv.Itoa(t.Size))
 	}
 	*args = append(*args, Tmpfs.String(), t.Dir)
 }
 type OverlayConfig struct {
 	/*
 		read files from SRC in the following overlay
 		(--overlay-src SRC)
 	*/
 	Src []string `json:"src,omitempty"`
 	/*
 		mount overlayfs on DEST, with RWSRC as the host path for writes and
 		WORKDIR an empty directory on the same filesystem as RWSRC
 		(--overlay RWSRC WORKDIR DEST)
 		if nil, mount overlayfs on DEST, with writes going to an invisible tmpfs
 		(--tmp-overlay DEST)
 		if either strings are empty, mount overlayfs read-only on DEST
 		(--ro-overlay DEST)
 	*/
 	Persist *[2]string `json:"persist,omitempty"`
 	/*
 		--overlay RWSRC WORKDIR DEST
 		--tmp-overlay DEST
 		--ro-overlay DEST
 	*/
 	Dest string `json:"dest"`
 }
 func (o *OverlayConfig) Path() string { return o.Dest }
 func (o *OverlayConfig) Len() int {
 	// (--tmp-overlay DEST) or (--ro-overlay DEST)
 	p := 2
 	// (--overlay RWSRC WORKDIR DEST)
 	if o.Persist != nil && o.Persist[0] != "" && o.Persist[1] != "" {
 		p = 4
 	}
 	return p + len(o.Src)*2
 }
 func (o *OverlayConfig) Append(args *[]string) {
 	// --overlay-src SRC
 	for _, src := range o.Src {
 		*args = append(*args, OverlaySrc.String(), src)
 	}
 	if o.Persist != nil {
 		if o.Persist[0] != "" && o.Persist[1] != "" {
 			// --overlay RWSRC WORKDIR
 			*args = append(*args, Overlay.String(), o.Persist[0], o.Persist[1])
 		} else {
 			// --ro-overlay
 			*args = append(*args, ROOverlay.String())
 		}
 	} else {
 		// --tmp-overlay
 		*args = append(*args, TmpOverlay.String())
 	}
 	// DEST
 	*args = append(*args, o.Dest)
 }
 type SymlinkConfig [2]string
 func (s SymlinkConfig) Path() string          { return s[1] }
 func (s SymlinkConfig) Len() int              { return 3 }
 func (s SymlinkConfig) Append(args *[]string) { *args = append(*args, Symlink.String(), s[0], s[1]) }
 type ChmodConfig map[string]os.FileMode
 func (c ChmodConfig) Len() int { return len(c) }
 func (c ChmodConfig) Append(args *[]string) {
 	for path, mode := range c {
 		*args = append(*args, Chmod.String(), strconv.FormatInt(int64(mode), 8), path)
 	}
 }
 const (
 	DataWrite = iota
 	DataBind
 	DataROBind
 )
 type DataConfig struct {
 	Dest string `json:"dest"`
 	Data []byte `json:"data,omitempty"`
 	Type int    `json:"type"`
 	proc.File
 }
 func (d *DataConfig) Path() string { return d.Dest }
 func (d *DataConfig) Len() int {
 	if d == nil || d.Data == nil {
 		return 0
 	}
 	return 3
 }
 func (d *DataConfig) Init(fd uintptr, v **os.File) uintptr {
 	if d.File != nil {
 		panic("file initialised twice")
 	}
 	d.File = proc.NewWriterTo(d)
 	return d.File.Init(fd, v)
 }
 func (d *DataConfig) WriteTo(w io.Writer) (int64, error) {
 	n, err := w.Write(d.Data)
 	return int64(n), err
 }
 func (d *DataConfig) Append(args *[]string) {
 	if d == nil || d.Data == nil {
 		return
 	}
 	var a PositionalArg
 	switch d.Type {
 	case DataWrite:
 		a = File
 	case DataBind:
 		a = BindData
 	case DataROBind:
 		a = ROBindData
 	default:
 		panic(fmt.Sprintf("invalid type %d", a))
 	}
 	*args = append(*args, a.String(), strconv.Itoa(int(d.Fd())), d.Dest)
 }
--- a/helper/bwrap/static.go
+++ b/helper/bwrap/static.go
@ -1,249 +0,0 @@
 package bwrap
 import (
 	"slices"
 	"strconv"
 )
 /*
 	static boolean args
 */
 type BoolArg int
 func (b BoolArg) Unwrap() []string {
 	return boolArgs[b]
 }
 const (
 	UnshareAll BoolArg = iota
 	UnshareUser
 	UnshareIPC
 	UnsharePID
 	UnshareNet
 	UnshareUTS
 	UnshareCGroup
 	ShareNet
 	UserNS
 	Clearenv
 	NewSession
 	DieWithParent
 	AsInit
 )
 var boolArgs = [...][]string{
 	UnshareAll:    {"--unshare-all", "--unshare-user"},
 	UnshareUser:   {"--unshare-user"},
 	UnshareIPC:    {"--unshare-ipc"},
 	UnsharePID:    {"--unshare-pid"},
 	UnshareNet:    {"--unshare-net"},
 	UnshareUTS:    {"--unshare-uts"},
 	UnshareCGroup: {"--unshare-cgroup"},
 	ShareNet:      {"--share-net"},
 	UserNS:   {"--disable-userns", "--assert-userns-disabled"},
 	Clearenv: {"--clearenv"},
 	NewSession:    {"--new-session"},
 	DieWithParent: {"--die-with-parent"},
 	AsInit:        {"--as-pid-1"},
 }
 func (c *Config) boolArgs() Builder {
 	b := boolArg{
 		UserNS:   !c.UserNS,
 		Clearenv: c.Clearenv,
 		NewSession:    c.NewSession,
 		DieWithParent: c.DieWithParent,
 		AsInit:        c.AsInit,
 	}
 	if c.Unshare == nil {
 		b[UnshareAll] = true
 		b[ShareNet] = c.Net
 	} else {
 		b[UnshareUser] = c.Unshare.User
 		b[UnshareIPC] = c.Unshare.IPC
 		b[UnsharePID] = c.Unshare.PID
 		b[UnshareNet] = c.Unshare.Net
 		b[UnshareUTS] = c.Unshare.UTS
 		b[UnshareCGroup] = c.Unshare.CGroup
 	}
 	return &b
 }
 type boolArg [len(boolArgs)]bool
 func (b *boolArg) Len() (l int) {
 	for i, v := range b {
 		if v {
 			l += len(boolArgs[i])
 		}
 	}
 	return
 }
 func (b *boolArg) Append(args *[]string) {
 	for i, v := range b {
 		if v {
 			*args = append(*args, BoolArg(i).Unwrap()...)
 		}
 	}
 }
 /*
 	static integer args
 */
 type IntArg int
 func (i IntArg) Unwrap() string {
 	return intArgs[i]
 }
 const (
 	UID IntArg = iota
 	GID
 )
 var intArgs = [...]string{
 	UID: "--uid",
 	GID: "--gid",
 }
 func (c *Config) intArgs() Builder {
 	return &intArg{
 		UID: c.UID,
 		GID: c.GID,
 	}
 }
 type intArg [len(intArgs)]*int
 func (n *intArg) Len() (l int) {
 	for _, v := range n {
 		if v != nil {
 			l += 2
 		}
 	}
 	return
 }
 func (n *intArg) Append(args *[]string) {
 	for i, v := range n {
 		if v != nil {
 			*args = append(*args, IntArg(i).Unwrap(), strconv.Itoa(*v))
 		}
 	}
 }
 /*
 	static string args
 */
 type StringArg int
 func (s StringArg) Unwrap() string {
 	return stringArgs[s]
 }
 const (
 	Hostname StringArg = iota
 	Chdir
 	UnsetEnv
 	LockFile
 )
 var stringArgs = [...]string{
 	Hostname: "--hostname",
 	Chdir:    "--chdir",
 	UnsetEnv: "--unsetenv",
 	LockFile: "--lock-file",
 }
 func (c *Config) stringArgs() Builder {
 	n := stringArg{
 		UnsetEnv: c.UnsetEnv,
 		LockFile: c.LockFile,
 	}
 	if c.Hostname != "" {
 		n[Hostname] = []string{c.Hostname}
 	}
 	if c.Chdir != "" {
 		n[Chdir] = []string{c.Chdir}
 	}
 	return &n
 }
 type stringArg [len(stringArgs)][]string
 func (s *stringArg) Len() (l int) {
 	for _, arg := range s {
 		l += len(arg) * 2
 	}
 	return
 }
 func (s *stringArg) Append(args *[]string) {
 	for i, arg := range s {
 		for _, v := range arg {
 			*args = append(*args, StringArg(i).Unwrap(), v)
 		}
 	}
 }
 /*
 	static pair args
 */
 type PairArg int
 func (p PairArg) Unwrap() string {
 	return pairArgs[p]
 }
 const (
 	SetEnv PairArg = iota
 )
 var pairArgs = [...]string{
 	SetEnv: "--setenv",
 }
 func (c *Config) pairArgs() Builder {
 	var n pairArg
 	n[SetEnv] = make([][2]string, len(c.SetEnv))
 	keys := make([]string, 0, len(c.SetEnv))
 	for k := range c.SetEnv {
 		keys = append(keys, k)
 	}
 	slices.Sort(keys)
 	for i, k := range keys {
 		n[SetEnv][i] = [2]string{k, c.SetEnv[k]}
 	}
 	return &n
 }
 type pairArg [len(pairArgs)][][2]string
 func (p *pairArg) Len() (l int) {
 	for _, v := range p {
 		l += len(v) * 3
 	}
 	return
 }
 func (p *pairArg) Append(args *[]string) {
 	for i, arg := range p {
 		for _, v := range arg {
 			*args = append(*args, PairArg(i).Unwrap(), v[0], v[1])
 		}
 	}
 }
--- a/helper/bwrap/trivial.go
+++ b/helper/bwrap/trivial.go
@ -1,52 +0,0 @@
 package bwrap
 import (
 	"context"
 	"encoding/gob"
 	"os"
 	"strconv"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 func init() {
 	gob.Register(new(pairF))
 	gob.Register(new(stringF))
 }
 type pairF [3]string
 func (p *pairF) Path() string          { return p[2] }
 func (p *pairF) Len() int              { return len(p) }
 func (p *pairF) Append(args *[]string) { *args = append(*args, p[0], p[1], p[2]) }
 type stringF [2]string
 func (s stringF) Path() string          { return s[1] }
 func (s stringF) Len() int              { return len(s) /* compiler replaces this with 2 */ }
 func (s stringF) Append(args *[]string) { *args = append(*args, s[0], s[1]) }
 func newFile(name string, f *os.File) FDBuilder { return &fileF{name: name, file: f} }
 type fileF struct {
 	name string
 	file *os.File
 	proc.BaseFile
 }
 func (f *fileF) ErrCount() int                                  { return 0 }
 func (f *fileF) Fulfill(_ context.Context, _ func(error)) error { f.Set(f.file); return nil }
 func (f *fileF) Len() int {
 	if f.file == nil {
 		return 0
 	}
 	return 2
 }
 func (f *fileF) Append(args *[]string) {
 	if f.file == nil {
 		return
 	}
 	*args = append(*args, f.name, strconv.Itoa(int(f.Fd())))
 }
--- a/helper/bwrap_test.go
+++ b/helper/bwrap_test.go
@ -1,103 +0,0 @@
 package helper_test
 import (
 	"context"
 	"errors"
 	"os"
 	"strings"
 	"testing"
 	"time"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )
 func TestBwrap(t *testing.T) {
 	sc := &bwrap.Config{
 		Net:           true,
 		Hostname:      "localhost",
 		Chdir:         "/nonexistent",
 		Clearenv:      true,
 		NewSession:    true,
 		DieWithParent: true,
 		AsInit:        true,
 	}
 	t.Run("nonexistent bwrap name", func(t *testing.T) {
 		bubblewrapName := helper.BubblewrapName
 		helper.BubblewrapName = "/nonexistent"
 		t.Cleanup(func() {
 			helper.BubblewrapName = bubblewrapName
 		})
 		h := helper.MustNewBwrap(
 			sc, "fortify",
 			argsWt, argF,
 			nil, nil,
 		)
 		if err := h.Start(context.Background(), false); !errors.Is(err, os.ErrNotExist) {
 			t.Errorf("Start: error = %v, wantErr %v",
 				err, os.ErrNotExist)
 		}
 	})
 	t.Run("valid new helper nil check", func(t *testing.T) {
 		if got := helper.MustNewBwrap(
 			sc, "fortify",
 			argsWt, argF,
 			nil, nil,
 		); got == nil {
 			t.Errorf("MustNewBwrap(%#v, %#v, %#v) got nil",
 				sc, argsWt, "fortify")
 			return
 		}
 	})
 	t.Run("invalid bwrap config new helper panic", func(t *testing.T) {
 		defer func() {
 			wantPanic := "argument contains null character"
 			if r := recover(); r != wantPanic {
 				t.Errorf("MustNewBwrap: panic = %q, want %q",
 					r, wantPanic)
 			}
 		}()
 		helper.MustNewBwrap(
 			&bwrap.Config{Hostname: "\x00"}, "fortify",
 			nil, argF,
 			nil, nil,
 		)
 	})
 	t.Run("start without pipes", func(t *testing.T) {
 		helper.InternalReplaceExecCommand(t)
 		h := helper.MustNewBwrap(
 			sc, "crash-test-dummy",
 			nil, argFChecked,
 			nil, nil,
 		)
 		stdout, stderr := new(strings.Builder), new(strings.Builder)
 		h.Stdout(stdout).Stderr(stderr)
 		c, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		if err := h.Start(c, false); err != nil {
 			t.Errorf("Start: error = %v",
 				err)
 			return
 		}
 		if err := h.Wait(); err != nil {
 			t.Errorf("Wait() err = %v stderr = %s",
 				err, stderr)
 		}
 	})
 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func() helper.Helper { return helper.MustNewBwrap(sc, "crash-test-dummy", argsWt, argF, nil, nil) })
 	})
 }
--- a/helper/cmd.go
+++ b/helper/cmd.go
@ -0,0 +1,84 @@
 package helper
 import (
 	"context"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"slices"
 	"sync"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 // NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
 // Function argF returns an array of arguments passed directly to the child process.
 func NewDirect(
 	ctx context.Context,
 	name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
 	cmdF func(cmd *exec.Cmd),
 	extraFiles []*os.File,
 ) Helper {
 	d, args := newHelperCmd(ctx, name, wt, stat, argF, extraFiles)
 	d.Args = append(d.Args, args...)
 	if cmdF != nil {
 		cmdF(d.Cmd)
 	}
 	return d
 }
 func newHelperCmd(
 	ctx context.Context,
 	name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
 	extraFiles []*os.File,
 ) (cmd *helperCmd, args []string) {
 	cmd = new(helperCmd)
 	cmd.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
 	cmd.Cmd = exec.CommandContext(ctx, name)
 	cmd.Cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
 	cmd.WaitDelay = WaitDelay
 	return
 }
 // helperCmd provides a [exec.Cmd] wrapper around helper ipc.
 type helperCmd struct {
 	mu sync.RWMutex
 	*helperFiles
 	*exec.Cmd
 }
 func (h *helperCmd) Start() error {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 	// Check for doubled Start calls before we defer failure cleanup. If the prior
 	// call to Start succeeded, we don't want to spuriously close its pipes.
 	if h.Cmd != nil && h.Cmd.Process != nil {
 		return errors.New("helper: already started")
 	}
 	h.Env = slices.Grow(h.Env, 2)
 	if h.useArgsFd {
 		h.Env = append(h.Env, FortifyHelper+"=1")
 	} else {
 		h.Env = append(h.Env, FortifyHelper+"=0")
 	}
 	if h.useStatFd {
 		h.Env = append(h.Env, FortifyStatus+"=1")
 		// stat is populated on fulfill
 		h.Cancel = func() error { return h.stat.Close() }
 	} else {
 		h.Env = append(h.Env, FortifyStatus+"=0")
 	}
 	return proc.Fulfill(h.helperFiles.ctx, &h.ExtraFiles, h.Cmd.Start, h.files, h.extraFiles)
 }
--- a/helper/cmd_test.go
+++ b/helper/cmd_test.go
@ -0,0 +1,39 @@
 package helper_test
 import (
 	"context"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper"
 )
 func TestCmd(t *testing.T) {
 	t.Run("start non-existent helper path", func(t *testing.T) {
 		h := helper.NewDirect(context.Background(), "/proc/nonexistent", argsWt, false, argF, nil, nil)
 		if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
 			t.Errorf("Start: error = %v, wantErr %v",
 				err, os.ErrNotExist)
 		}
 	})
 	t.Run("valid new helper nil check", func(t *testing.T) {
 		if got := helper.NewDirect(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
 			t.Errorf("NewDirect(%q, %q) got nil",
 				argsWt, "fortify")
 			return
 		}
 	})
 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
 			return helper.NewDirect(ctx, os.Args[0], argsWt, stat, argF, func(cmd *exec.Cmd) {
 				setOutput(&cmd.Stdout, &cmd.Stderr)
 			}, nil)
 		})
 	})
 }
--- a/helper/container.go
+++ b/helper/container.go
@ -0,0 +1,76 @@
 package helper
 import (
 	"context"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"slices"
 	"sync"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/sandbox"
 )
 // New initialises a Helper instance with wt as the null-terminated argument writer.
 func New(
 	ctx context.Context,
 	name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
 	cmdF func(container *sandbox.Container),
 	extraFiles []*os.File,
 ) Helper {
 	var args []string
 	h := new(helperContainer)
 	h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
 	h.Container = sandbox.New(ctx, name, args...)
 	h.WaitDelay = WaitDelay
 	if cmdF != nil {
 		cmdF(h.Container)
 	}
 	return h
 }
 // helperContainer provides a [sandbox.Container] wrapper around helper ipc.
 type helperContainer struct {
 	started bool
 	mu sync.Mutex
 	*helperFiles
 	*sandbox.Container
 }
 func (h *helperContainer) Start() error {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 	if h.started {
 		return errors.New("helper: already started")
 	}
 	h.started = true
 	h.Env = slices.Grow(h.Env, 2)
 	if h.useArgsFd {
 		h.Env = append(h.Env, FortifyHelper+"=1")
 	} else {
 		h.Env = append(h.Env, FortifyHelper+"=0")
 	}
 	if h.useStatFd {
 		h.Env = append(h.Env, FortifyStatus+"=1")
 		// stat is populated on fulfill
 		h.Cancel = func(*exec.Cmd) error { return h.stat.Close() }
 	} else {
 		h.Env = append(h.Env, FortifyStatus+"=0")
 	}
 	return proc.Fulfill(h.helperFiles.ctx, &h.ExtraFiles, func() error {
 		if err := h.Container.Start(); err != nil {
 			return err
 		}
 		return h.Container.Serve()
 	}, h.files, h.extraFiles)
 }
--- a/helper/container_test.go
+++ b/helper/container_test.go
@ -0,0 +1,57 @@
 package helper_test
 import (
 	"context"
 	"io"
 	"os"
 	"os/exec"
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/sandbox"
 )
 func TestContainer(t *testing.T) {
 	t.Run("start empty container", func(t *testing.T) {
 		h := helper.New(context.Background(), "/nonexistent", argsWt, false, argF, nil, nil)
 		wantErr := "sandbox: starting an empty container"
 		if err := h.Start(); err == nil || err.Error() != wantErr {
 			t.Errorf("Start: error = %v, wantErr %q",
 				err, wantErr)
 		}
 	})
 	t.Run("valid new helper nil check", func(t *testing.T) {
 		if got := helper.New(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
 			t.Errorf("New(%q, %q) got nil",
 				argsWt, "fortify")
 			return
 		}
 	})
 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
 			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *sandbox.Container) {
 				setOutput(&container.Stdout, &container.Stderr)
 				container.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
 					return exec.CommandContext(ctx, os.Args[0], "-test.v",
 						"-test.run=TestHelperInit", "--", "init")
 				}
 				container.Bind("/", "/", 0)
 				container.Proc("/proc")
 				container.Dev("/dev")
 			}, nil)
 		})
 	})
 }
 func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
 	sandbox.SetOutput(fmsg.Output{})
 	sandbox.Init(fmsg.Prepare, func(bool) { internal.InstallFmsg(false) })
 }
--- a/helper/direct.go
+++ b/helper/direct.go
@ -1,40 +0,0 @@
 package helper
 import (
 	"context"
 	"errors"
 	"io"
 	"sync"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
 // direct wraps *exec.Cmd and manages status and args fd.
 // Args is always 3 and status if set is always 4.
 type direct struct {
 	lock sync.RWMutex
 	*helperCmd
 }
 func (h *direct) Start(ctx context.Context, stat bool) error {
 	h.lock.Lock()
 	defer h.lock.Unlock()
 	// Check for doubled Start calls before we defer failure cleanup. If the prior
 	// call to Start succeeded, we don't want to spuriously close its pipes.
 	if h.Cmd != nil && h.Cmd.Process != nil {
 		return errors.New("exec: already started")
 	}
 	args := h.finalise(ctx, stat)
 	h.Cmd.Args = append(h.Cmd.Args, args...)
 	return proc.Fulfill(ctx, h.Cmd, h.files, h.extraFiles)
 }
 // New initialises a new direct Helper instance with wt as the null-terminated argument writer.
 // Function argF returns an array of arguments passed directly to the child process.
 func New(wt io.WriterTo, name string, argF func(argsFd, statFd int) []string) Helper {
 	d := new(direct)
 	d.helperCmd = newHelperCmd(d, name, wt, argF, nil)
 	return d
 }
--- a/helper/direct_test.go
+++ b/helper/direct_test.go
@ -1,33 +0,0 @@
 package helper_test
 import (
 	"context"
 	"errors"
 	"os"
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper"
 )
 func TestDirect(t *testing.T) {
 	t.Run("start non-existent helper path", func(t *testing.T) {
 		h := helper.New(argsWt, "/nonexistent", argF)
 		if err := h.Start(context.Background(), false); !errors.Is(err, os.ErrNotExist) {
 			t.Errorf("Start: error = %v, wantErr %v",
 				err, os.ErrNotExist)
 		}
 	})
 	t.Run("valid new helper nil check", func(t *testing.T) {
 		if got := helper.New(argsWt, "fortify", argF); got == nil {
 			t.Errorf("New(%q, %q) got nil",
 				argsWt, "fortify")
 			return
 		}
 	})
 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func() helper.Helper { return helper.New(argsWt, "crash-test-dummy", argF) })
 	})
 }
--- a/helper/helper.go
+++ b/helper/helper.go
@ -1,4 +1,4 @@
-// Package helper runs external helpers with optional sandboxing and manages their status/args pipes.
+// Package helper runs external helpers with optional sandboxing.
 package helper
 import (
@ -6,17 +6,12 @@ import (
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"slices"
 	"syscall"
 	"time"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 )
-var (
+var WaitDelay = 2 * time.Second
 	WaitDelay = 2 * time.Second
 )
 const (
 	// FortifyHelper is set to 1 when args fd is enabled and 0 otherwise.
@ -26,62 +21,56 @@ const (
 )
 type Helper interface {
 	// Stdin sets the standard input of Helper.
 	Stdin(r io.Reader) Helper
 	// Stdout sets the standard output of Helper.
 	Stdout(w io.Writer) Helper
 	// Stderr sets the standard error of Helper.
 	Stderr(w io.Writer) Helper
 	// SetEnv sets the environment of Helper.
 	SetEnv(env []string) Helper
 	// Start starts the helper process.
-	// A status pipe is passed to the helper if stat is true.
+	Start() error
-	Start(ctx context.Context, stat bool) error
+	// Wait blocks until Helper exits.
 	// Wait blocks until Helper exits and releases all its resources.
 	Wait() error
 	fmt.Stringer
 }
-func newHelperCmd(
+func newHelperFiles(
-	h Helper, name string,
+	ctx context.Context,
-	wt io.WriterTo, argF func(argsFd, statFd int) []string,
+	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
 	extraFiles []*os.File,
-) (cmd *helperCmd) {
+) (hl *helperFiles, args []string) {
-	cmd = new(helperCmd)
+	hl = new(helperFiles)
 	hl.ctx = ctx
 	hl.useArgsFd = wt != nil
 	hl.useStatFd = stat
-	cmd.r = h
+	hl.extraFiles = new(proc.ExtraFilesPre)
 	cmd.name = name
 	cmd.extraFiles = new(proc.ExtraFilesPre)
 	for _, f := range extraFiles {
-		_, v := cmd.extraFiles.Append()
+		_, v := hl.extraFiles.Append()
 		*v = f
 	}
 	argsFd := -1
-	if wt != nil {
+	if hl.useArgsFd {
 		f := proc.NewWriterTo(wt)
-		argsFd = int(proc.InitFile(f, cmd.extraFiles))
+		argsFd = int(proc.InitFile(f, hl.extraFiles))
-		cmd.files = append(cmd.files, f)
+		hl.files = append(hl.files, f)
 		cmd.hasArgsFd = true
 	}
 	cmd.argF = func(statFd int) []string { return argF(argsFd, statFd) }
 	statFd := -1
 	if hl.useStatFd {
 		f := proc.NewStat(&hl.stat)
 		statFd = int(proc.InitFile(f, hl.extraFiles))
 		hl.files = append(hl.files, f)
 	}
 	args = argF(argsFd, statFd)
 	return
 }
-// helperCmd wraps Cmd and implements methods shared across all Helper implementations.
+// helperFiles provides a generic wrapper around helper ipc.
-type helperCmd struct {
+type helperFiles struct {
 	// ref to parent
 	r Helper
 	// returns an array of arguments passed directly
 	// to the helper process
 	argF func(statFd int) []string
 	// whether argsFd is present
-	hasArgsFd bool
+	useArgsFd bool
 	// whether statFd is present
 	useStatFd bool
 	// closes statFd
 	stat io.Closer
@ -90,45 +79,5 @@ type helperCmd struct {
 	// passed through to [proc.Fulfill] and [proc.InitFile]
 	extraFiles *proc.ExtraFilesPre
-	name           string
+	ctx context.Context
 	stdin          io.Reader
 	stdout, stderr io.Writer
 	env            []string
 	*exec.Cmd
 }
 func (h *helperCmd) Stdin(r io.Reader) Helper   { h.stdin = r; return h.r }
 func (h *helperCmd) Stdout(w io.Writer) Helper  { h.stdout = w; return h.r }
 func (h *helperCmd) Stderr(w io.Writer) Helper  { h.stderr = w; return h.r }
 func (h *helperCmd) SetEnv(env []string) Helper { h.env = env; return h.r }
 // finalise initialises the underlying [exec.Cmd] object.
 func (h *helperCmd) finalise(ctx context.Context, stat bool) (args []string) {
 	h.Cmd = commandContext(ctx, h.name)
 	h.Cmd.Stdin, h.Cmd.Stdout, h.Cmd.Stderr = h.stdin, h.stdout, h.stderr
 	h.Cmd.Env = slices.Grow(h.env, 2)
 	if h.hasArgsFd {
 		h.Cmd.Env = append(h.Cmd.Env, FortifyHelper+"=1")
 	} else {
 		h.Cmd.Env = append(h.Cmd.Env, FortifyHelper+"=0")
 	}
 	h.Cmd.Cancel = func() error { return h.Cmd.Process.Signal(syscall.SIGTERM) }
 	h.Cmd.WaitDelay = WaitDelay
 	statFd := -1
 	if stat {
 		f := proc.NewStat(&h.stat)
 		statFd = int(proc.InitFile(f, h.extraFiles))
 		h.files = append(h.files, f)
 		h.Cmd.Env = append(h.Cmd.Env, FortifyStatus+"=1")
 		// stat is populated on fulfill
 		h.Cmd.Cancel = func() error { return h.stat.Close() }
 	} else {
 		h.Cmd.Env = append(h.Cmd.Env, FortifyStatus+"=0")
 	}
 	return h.argF(statFd)
 }
 var commandContext = exec.CommandContext
--- a/helper/helper_test.go
+++ b/helper/helper_test.go
@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"strconv"
 	"strings"
 	"testing"
@ -35,7 +37,8 @@ func argF(argsFd, statFd int) []string {
 }
 func argFChecked(argsFd, statFd int) (args []string) {
-	args = make([]string, 0, 4)
+	args = make([]string, 0, 6)
 	args = append(args, "-test.run=TestHelperStub", "--")
 	if argsFd > -1 {
 		args = append(args, "--args", strconv.Itoa(argsFd))
 	}
@ -46,14 +49,15 @@ func argFChecked(argsFd, statFd int) (args []string) {
 }
 // this function tests an implementation of the helper.Helper interface
-func testHelper(t *testing.T, createHelper func() helper.Helper) {
+func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper) {
-	helper.InternalReplaceExecCommand(t)
+	oldWaitDelay := helper.WaitDelay
 	helper.WaitDelay = 16 * time.Second
 	t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })
 	t.Run("start helper with status channel and wait", func(t *testing.T) {
-		h := createHelper()
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-
+		stdout := new(strings.Builder)
-		stdout, stderr := new(strings.Builder), new(strings.Builder)
+		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true)
 		h.Stdout(stdout).Stderr(stderr)
 		t.Run("wait not yet started helper", func(t *testing.T) {
 			defer func() {
@ -65,10 +69,8 @@ func testHelper(t *testing.T, createHelper func() helper.Helper) {
 			panic(fmt.Sprintf("unreachable: %v", h.Wait()))
 		})
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		t.Log("starting helper stub")
-		if err := h.Start(ctx, true); err != nil {
+		if err := h.Start(); err != nil {
 			t.Errorf("Start: error = %v", err)
 			cancel()
 			return
@ -77,8 +79,8 @@ func testHelper(t *testing.T, createHelper func() helper.Helper) {
 		cancel()
 		t.Run("start already started helper", func(t *testing.T) {
-			wantErr := "exec: already started"
+			wantErr := "helper: already started"
-			if err := h.Start(ctx, true); err != nil && err.Error() != wantErr {
+			if err := h.Start(); err != nil && err.Error() != wantErr {
 				t.Errorf("Start: error = %v, wantErr %v",
 					err, wantErr)
 				return
@ -87,8 +89,8 @@ func testHelper(t *testing.T, createHelper func() helper.Helper) {
 		t.Log("waiting on helper")
 		if err := h.Wait(); !errors.Is(err, context.Canceled) {
-			t.Errorf("Wait() err = %v stderr = %s",
+			t.Errorf("Wait: error = %v",
-				err, stderr)
+				err)
 		}
 		t.Run("wait already finalised helper", func(t *testing.T) {
@ -100,34 +102,36 @@ func testHelper(t *testing.T, createHelper func() helper.Helper) {
 			}
 		})
-		if got := stdout.String(); !strings.HasPrefix(got, wantPayload) {
+		if got := trimStdout(stdout); got != wantPayload {
-			t.Errorf("Start: stdout = %v, want %v",
+			t.Errorf("Start: stdout = %q, want %q",
 				got, wantPayload)
 		}
 	})
 	t.Run("start helper and wait", func(t *testing.T) {
 		h := createHelper()
 		stdout, stderr := new(strings.Builder), new(strings.Builder)
 		h.Stdout(stdout).Stderr(stderr)
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		stdout := new(strings.Builder)
 		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false)
-		if err := h.Start(ctx, false); err != nil {
+		if err := h.Start(); err != nil {
-			t.Errorf("Start() error = %v",
+			t.Errorf("Start: error = %v",
 				err)
 			return
 		}
 		if err := h.Wait(); err != nil {
-			t.Errorf("Wait() err = %v stdout = %s stderr = %s",
+			t.Errorf("Wait: error = %v stdout = %q",
-				err, stdout, stderr)
+				err, stdout)
 		}
-		if got := stdout.String(); !strings.HasPrefix(got, wantPayload) {
+		if got := trimStdout(stdout); got != wantPayload {
-			t.Errorf("Start() stdout = %v, want %v",
+			t.Errorf("Start: stdout = %q, want %q",
 				got, wantPayload)
 		}
 	})
 }
 func trimStdout(stdout fmt.Stringer) string {
 	return strings.TrimPrefix(stdout.String(), "=== RUN   TestHelperInit\n")
 }
--- a/helper/proc/files.go
+++ b/helper/proc/files.go
@ -60,7 +60,10 @@ func (f *ExtraFilesPre) copy(e []*os.File) []*os.File {
 }
 // Fulfill calls the [File.Fulfill] method on all files, starts cmd and blocks until all fulfillment completes.
-func Fulfill(ctx context.Context, cmd *exec.Cmd, files []File, extraFiles *ExtraFilesPre) (err error) {
+func Fulfill(ctx context.Context,
 	v *[]*os.File, start func() error,
 	files []File, extraFiles *ExtraFilesPre,
 ) (err error) {
 	var ecs int
 	for _, o := range files {
 		ecs += o.ErrCount()
@ -77,8 +80,8 @@ func Fulfill(ctx context.Context, cmd *exec.Cmd, files []File, extraFiles *Extra
 		}
 	}
-	cmd.ExtraFiles = extraFiles.Files()
+	*v = extraFiles.Files()
-	if err = cmd.Start(); err != nil {
+	if err = start(); err != nil {
 		return
 	}
--- a/helper/proc/pipe.go
+++ b/helper/proc/pipe.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"os"
 	"runtime"
 )
 // NewWriterTo returns a [File] that receives content from wt on fulfillment.
@ -25,13 +26,20 @@ func (f *writeToFile) Fulfill(ctx context.Context, dispatchErr func(error)) erro
 	f.Set(r)
 	done := make(chan struct{})
-	go func() { _, err = f.wt.WriteTo(w); dispatchErr(err); dispatchErr(w.Close()); close(done) }()
+	go func() {
 		_, err = f.wt.WriteTo(w)
 		dispatchErr(err)
 		dispatchErr(w.Close())
 		close(done)
 		runtime.KeepAlive(r)
 	}()
 	go func() {
 		select {
 		case <-done:
 			dispatchErr(nil)
 		case <-ctx.Done():
 			dispatchErr(w.Close()) // this aborts WriteTo with file already closed
 			runtime.KeepAlive(r)
 		}
 	}()
@ -83,6 +91,7 @@ func (f *statFile) Fulfill(ctx context.Context, dispatchErr func(error)) error {
 		default:
 			panic("unreachable")
 		}
 		runtime.KeepAlive(w)
 	}()
 	go func() {
@ -91,6 +100,7 @@ func (f *statFile) Fulfill(ctx context.Context, dispatchErr func(error)) error {
 			dispatchErr(nil)
 		case <-ctx.Done():
 			dispatchErr(r.Close()) // this aborts Read with file already closed
 			runtime.KeepAlive(w)
 		}
 	}()
--- a/helper/seccomp/seccomp.go
+++ b/helper/seccomp/seccomp.go
@ -1,88 +0,0 @@
 package seccomp
 /*
 #cgo linux pkg-config: --static libseccomp
 #include "seccomp-export.h"
 */
 import "C"
 import (
 	"errors"
 	"fmt"
 	"runtime"
 )
 var CPrintln func(v ...any)
 var resErr = [...]error{
 	0: nil,
 	1: errors.New("seccomp_init failed"),
 	2: errors.New("seccomp_arch_add failed"),
 	3: errors.New("seccomp_arch_add failed (multiarch)"),
 	4: errors.New("internal libseccomp failure"),
 	5: errors.New("seccomp_rule_add failed"),
 	6: errors.New("seccomp_export_bpf failed"),
 }
 type SyscallOpts = C.f_syscall_opts
 const (
 	flagVerbose SyscallOpts = C.F_VERBOSE
 	// FlagExt are project-specific extensions.
 	FlagExt SyscallOpts = C.F_EXT
 	// FlagDenyNS denies namespace setup syscalls.
 	FlagDenyNS SyscallOpts = C.F_DENY_NS
 	// FlagDenyTTY denies faking input.
 	FlagDenyTTY SyscallOpts = C.F_DENY_TTY
 	// FlagDenyDevel denies development-related syscalls.
 	FlagDenyDevel SyscallOpts = C.F_DENY_DEVEL
 	// FlagMultiarch allows multiarch/emulation.
 	FlagMultiarch SyscallOpts = C.F_MULTIARCH
 	// FlagLinux32 sets PER_LINUX32.
 	FlagLinux32 SyscallOpts = C.F_LINUX32
 	// FlagCan allows AF_CAN.
 	FlagCan SyscallOpts = C.F_CAN
 	// FlagBluetooth allows AF_BLUETOOTH.
 	FlagBluetooth SyscallOpts = C.F_BLUETOOTH
 )
 func exportFilter(fd uintptr, opts SyscallOpts) error {
 	var (
 		arch      C.uint32_t = 0
 		multiarch C.uint32_t = 0
 	)
 	switch runtime.GOARCH {
 	case "386":
 		arch = C.SCMP_ARCH_X86
 	case "amd64":
 		arch = C.SCMP_ARCH_X86_64
 		multiarch = C.SCMP_ARCH_X86
 	case "arm":
 		arch = C.SCMP_ARCH_ARM
 	case "arm64":
 		arch = C.SCMP_ARCH_AARCH64
 		multiarch = C.SCMP_ARCH_ARM
 	}
 	// this removes repeated transitions between C and Go execution
 	// when producing log output via F_println and CPrintln is nil
 	if CPrintln != nil {
 		opts |= flagVerbose
 	}
 	res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts)
 	if re := resErr[res]; re != nil {
 		if err == nil {
 			return re
 		}
 		return fmt.Errorf("%s: %v", re.Error(), err)
 	}
 	return err
 }
 //export F_println
 func F_println(v *C.char) {
 	if CPrintln != nil {
 		CPrintln(C.GoString(v))
 	}
 }
--- a/helper/stub.go
+++ b/helper/stub.go
@ -1,25 +1,17 @@
 package helper
 import (
 	"context"
 	"flag"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"strconv"
 	"strings"
 	"syscall"
 	"testing"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/internal"
 )
-// InternalChildStub is an internal function but exported because it is cross-package;
+// InternalHelperStub is an internal function but exported because it is cross-package;
 // it is part of the implementation of the helper stub.
-func InternalChildStub() {
+func InternalHelperStub() {
 	// this test mocks the helper process
 	var ap, sp string
 	if v, ok := os.LookupEnv(FortifyHelper); !ok {
@ -33,30 +25,9 @@ func InternalChildStub() {
 		sp = v
 	}
-	switch os.Args[3] {
+	genericStub(flagRestoreFiles(3, ap, sp))
 	case "bwrap":
 		bwrapStub()
 	default:
 		genericStub(flagRestoreFiles(4, ap, sp))
 	}
-	internal.Exit(0)
+	os.Exit(0)
 }
 // InternalReplaceExecCommand is an internal function but exported because it is cross-package;
 // it is part of the implementation of the helper stub.
 func InternalReplaceExecCommand(t *testing.T) {
 	t.Cleanup(func() { commandContext = exec.CommandContext })
 	// replace execCommand to have the resulting *exec.Cmd launch TestHelperChildStub
 	commandContext = func(ctx context.Context, name string, arg ...string) *exec.Cmd {
 		// pass through nonexistent path
 		if name == "/nonexistent" && len(arg) == 0 {
 			return exec.CommandContext(ctx, name)
 		}
 		return exec.CommandContext(ctx, os.Args[0], append([]string{"-test.run=TestHelperChildStub", "--", name}, arg...)...)
 	}
 }
 func newFile(fd int, name, p string) *os.File {
@ -133,42 +104,3 @@ func genericStub(argsFile, statFile *os.File) {
 		<-done
 	}
 }
 func bwrapStub() {
 	// the bwrap launcher does not launch with a typical sync fd
 	argsFile, _ := flagRestoreFiles(4, "1", "0")
 	// test args pipe behaviour
 	func() {
 		got, want := new(strings.Builder), new(strings.Builder)
 		if _, err := io.Copy(got, argsFile); err != nil {
 			panic("cannot read bwrap args: " + err.Error())
 		}
 		// hardcoded bwrap configuration used by test
 		sc := &bwrap.Config{
 			Net:           true,
 			Hostname:      "localhost",
 			Chdir:         "/nonexistent",
 			Clearenv:      true,
 			NewSession:    true,
 			DieWithParent: true,
 			AsInit:        true,
 		}
 		if _, err := MustNewCheckedArgs(sc.Args(nil, new(proc.ExtraFilesPre), new([]proc.File))).
 			WriteTo(want); err != nil {
 			panic("cannot read want: " + err.Error())
 		}
 		if len(flag.CommandLine.Args()) > 0 && flag.CommandLine.Args()[0] == "crash-test-dummy" && got.String() != want.String() {
 			panic("bad bwrap args\ngot: " + got.String() + "\nwant: " + want.String())
 		}
 	}()
 	if err := syscall.Exec(
 		os.Args[0],
 		append([]string{os.Args[0], "-test.run=TestHelperChildStub", "--"}, flag.CommandLine.Args()...),
 		os.Environ()); err != nil {
 		panic("cannot start general stub: " + err.Error())
 	}
 }
--- a/helper/stub_test.go
+++ b/helper/stub_test.go
@ -6,6 +6,4 @@ import (
 	"git.gensokyo.uk/security/fortify/helper"
 )
-func TestHelperChildStub(t *testing.T) {
+func TestHelperStub(t *testing.T) { helper.InternalHelperStub() }
 	helper.InternalChildStub()
 }
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -2,71 +2,81 @@ package app
 import (
 	"context"
 	"fmt"
 	"log"
 	"sync"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/app/shim"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/sys"
 )
-type App interface {
+func New(ctx context.Context, os sys.State) (fst.App, error) {
-	// ID returns a copy of App's unique ID.
+	a := new(app)
-	ID() fst.ID
+	a.sys = os
-	// Run sets up the system and runs the App.
+	a.ctx = ctx
 	Run(ctx context.Context, rs *RunState) error
-	Seal(config *fst.Config) error
+	id := new(fst.ID)
-	String() string
+	err := fst.NewAppID(id)
 	a.id = newID(id)
 	return a, err
 }
-type RunState struct {
+func MustNew(ctx context.Context, os sys.State) fst.App {
-	// Start is true if fsu is successfully started.
+	a, err := New(ctx, os)
-	Start bool
+	if err != nil {
-	// ExitCode is the value returned by shim.
+		log.Fatalf("cannot create app: %v", err)
-	ExitCode int
+	}
-	// WaitErr is error returned by the underlying wait syscall.
+	return a
 	WaitErr error
 }
 type app struct {
-	// application unique identifier
+	id  *stringPair[fst.ID]
-	id *fst.ID
+	sys sys.State
-	// operating system interface
+	ctx context.Context
 	os linux.System
 	// shim process manager
 	shim *shim.Shim
 	// child process related information
 	seal *appSeal
-	lock sync.RWMutex
+	*outcome
 	mu sync.RWMutex
 }
-func (a *app) ID() fst.ID {
+func (a *app) ID() fst.ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
 	return *a.id
 }
 func (a *app) String() string {
 	if a == nil {
-		return "(invalid fortified app)"
+		return "(invalid app)"
 	}
-	a.lock.RLock()
+	a.mu.RLock()
-	defer a.lock.RUnlock()
+	defer a.mu.RUnlock()
-	if a.shim != nil {
+	if a.outcome != nil {
-		return a.shim.String()
+		if a.outcome.user.uid == nil {
 			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
 		}
 		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
 	}
-	if a.seal != nil {
+	return fmt.Sprintf("(unsealed app %s)", a.id)
 		return "(sealed fortified app as uid " + a.seal.sys.user.us + ")"
 	}
 	return "(unsealed fortified app)"
 }
-func New(os linux.System) (App, error) {
+func (a *app) Seal(config *fst.Config) (fst.SealedApp, error) {
-	a := new(app)
+	a.mu.Lock()
-	a.id = new(fst.ID)
+	defer a.mu.Unlock()
-	a.os = os
+
-	return a, fst.NewAppID(a.id)
+	if a.outcome != nil {
 		panic("app sealed twice")
 	}
 	if config == nil {
 		return nil, fmsg.WrapError(ErrConfig,
 			"attempted to seal app with nil config")
 	}
 	seal := new(outcome)
 	seal.id = a.id
 	err := seal.finalise(a.ctx, a.sys, config)
 	if err == nil {
 		a.outcome = seal
 	}
 	return seal, err
 }
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -4,28 +4,28 @@ import (
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/system"
 )
 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
 		&fst.Config{
-			ID:      "org.chromium.Chromium",
+			ID:   "org.chromium.Chromium",
-			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
+			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
 			Confinement: fst.ConfinementConfig{
 				AppID: 1, Groups: []string{}, Username: "u0_a1",
 				Outer: "/var/lib/persist/module/fortify/0/1",
 				Sandbox: &fst.SandboxConfig{
-					UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil,
+					Userns: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil, AutoEtc: true,
 					Filesystem: []*fst.FilesystemConfig{
 						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
 						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
 						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
 						{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
-					}, AutoEtc: true,
+					},
-					Override: []string{"/var/run/nscd"},
+					Cover: []string{"/var/run/nscd"},
 				},
 				SystemBus: &dbus.Config{
 					Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
@ -45,7 +45,7 @@ var testCasesNixos = []sealTestCase{
 					Call: map[string]string{}, Broadcast: map[string]string{},
 					Filter: true,
 				},
-				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+				Enablements: system.EWayland | system.EDBus | system.EPulse,
 			},
 		},
 		fst.ID{
@ -56,15 +56,15 @@ var testCasesNixos = []sealTestCase{
 		},
 		system.New(1000001).
 			Ensure("/tmp/fortify.1971", 0711).
 			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
 			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
 			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@ -88,136 +88,133 @@ var testCasesNixos = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		(&bwrap.Config{
+		&sandbox.Params{
-			Net:      true,
+			Uid:   1971,
-			UserNS:   true,
+			Gid:   100,
-			Chdir:    "/var/lib/persist/module/fortify/0/1",
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns,
-			Clearenv: true,
+			Dir:   "/var/lib/persist/module/fortify/0/1",
-			SetEnv: map[string]string{
+			Path:  "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1971/bus",
+			Args:  []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
-				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
+			Env: []string{
-				"HOME":                     "/var/lib/persist/module/fortify/0/1",
+				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
-				"PULSE_COOKIE":             fst.Tmp + "/pulse-cookie",
+				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
-				"PULSE_SERVER":             "unix:/run/user/1971/pulse/native",
+				"HOME=/var/lib/persist/module/fortify/0/1",
-				"SHELL":                    "/run/current-system/sw/bin/zsh",
+				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
-				"TERM":                     "xterm-256color",
+				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
-				"USER":                     "u0_a1",
+				"SHELL=/run/current-system/sw/bin/zsh",
-				"WAYLAND_DISPLAY":          "wayland-0",
+				"TERM=xterm-256color",
-				"XDG_RUNTIME_DIR":          "/run/user/1971",
+				"USER=u0_a1",
-				"XDG_SESSION_CLASS":        "user",
+				"WAYLAND_DISPLAY=wayland-0",
-				"XDG_SESSION_TYPE":         "tty",
+				"XDG_RUNTIME_DIR=/run/user/1971",
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Chmod:         make(bwrap.ChmodConfig),
+			Ops: new(sandbox.Ops).
-			NewSession:    true,
+				Proc("/proc").
-			DieWithParent: true,
+				Tmpfs(fst.Tmp, 4096, 0755).
-			AsInit:        true,
+				Dev("/dev").Mqueue("/dev/mqueue").
-		}).SetUID(1971).SetGID(1971).
+				Bind("/bin", "/bin", 0).
-			Procfs("/proc").
+				Bind("/usr/bin", "/usr/bin", 0).
-			Tmpfs(fst.Tmp, 4096).
+				Bind("/nix/store", "/nix/store", 0).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
+				Bind("/run/current-system", "/run/current-system", 0).
-			Bind("/bin", "/bin").
+				Bind("/sys/block", "/sys/block", sandbox.BindOptional).
-			Bind("/usr/bin", "/usr/bin").
+				Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
-			Bind("/nix/store", "/nix/store").
+				Bind("/sys/class", "/sys/class", sandbox.BindOptional).
-			Bind("/run/current-system", "/run/current-system").
+				Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
-			Bind("/sys/block", "/sys/block", true).
+				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
-			Bind("/sys/bus", "/sys/bus", true).
+				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-			Bind("/sys/class", "/sys/class", true).
+				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
-			Bind("/sys/dev", "/sys/dev", true).
+				Bind("/etc", fst.Tmp+"/etc", 0).
-			Bind("/sys/devices", "/sys/devices", true).
+				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-			Bind("/run/opengl-driver", "/run/opengl-driver").
+				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-			Bind("/dev/dri", "/dev/dri", true, true, true).
+				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-			Bind("/etc", fst.Tmp+"/etc").
+				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
+				Link(fst.Tmp+"/etc/default", "/etc/default").
-			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
+				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
+				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
+				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-			Symlink(fst.Tmp+"/etc/default", "/etc/default").
+				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
+				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
+				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
+				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
+				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
+				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
+				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
+				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
+				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
+				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
+				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
+				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
+				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
+				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
+				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
+				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
+				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
+				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
+				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
+				Link("/proc/mounts", "/etc/mtab").
-			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
+				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
+				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
+				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink("/proc/mounts", "/etc/mtab").
+				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
+				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
+				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
+				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
+				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
+				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
+				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
+				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
+				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
+				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
+				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
+				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
+				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
+				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
+				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
+				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
+				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
+				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
+				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
+				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
+				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
+				Link(fst.Tmp+"/etc/services", "/etc/services").
-			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
+				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
+				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
+				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-			Symlink(fst.Tmp+"/etc/services", "/etc/services").
+				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
+				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
+				Link(fst.Tmp+"/etc/static", "/etc/static").
-			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
+				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
+				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
+				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-			Symlink(fst.Tmp+"/etc/static", "/etc/static").
+				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
+				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
+				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
+				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
+				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
+				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
+				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
+				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
+				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
+				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
+				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
+				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
+				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
+				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
+				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
+				Tmpfs("/run/user", 4096, 0755).
-			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
+				Tmpfs("/run/user/1971", 8388608, 0700).
-			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
+				Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
-			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", sandbox.BindWritable).
-			Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", false, true).
+				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
-			Tmpfs("/run/user", 1048576).
+				Place("/etc/group", []byte("fortify:x:100:\n")).
-			Tmpfs("/run/user/1971", 8388608).
+				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
-			Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
+				Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
-			CopyBind("/etc/passwd", []byte("u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
+				Place(fst.Tmp+"/pulse-cookie", nil).
-			CopyBind("/etc/group", []byte("fortify:x:1971:\n")).
+				Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
-			Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0").
+				Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
+				Tmpfs("/var/run/nscd", 8192, 0755),
-			CopyBind(fst.Tmp+"/pulse-cookie", nil).
+		},
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
 			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
 			Tmpfs("/var/run/nscd", 8192).
 			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
 			Symlink("fortify", "/.fortify/sbin/init"),
 	},
 }
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -1,18 +1,19 @@
 package app_test
 import (
 	"os"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/system"
 )
 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
 		&fst.Config{
 			Command: make([]string, 0),
 			Confinement: fst.ConfinementConfig{
 				AppID:    0,
 				Username: "chronos",
@ -27,142 +28,134 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000000).
 			Ensure("/tmp/fortify.1971", 0711).
 			Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute).
+			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
+		&sandbox.Params{
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
-			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute),
+			Dir:   "/home/chronos",
-		(&bwrap.Config{
+			Path:  "/run/current-system/sw/bin/zsh",
-			Net:      true,
+			Args:  []string{"/run/current-system/sw/bin/zsh"},
-			UserNS:   true,
+			Env: []string{
-			Clearenv: true,
+				"HOME=/home/chronos",
-			Syscall:  new(bwrap.SyscallPolicy),
+				"SHELL=/run/current-system/sw/bin/zsh",
-			Chdir:    "/home/chronos",
+				"TERM=xterm-256color",
-			SetEnv: map[string]string{
+				"USER=chronos",
-				"HOME":              "/home/chronos",
+				"XDG_RUNTIME_DIR=/run/user/65534",
-				"SHELL":             "/run/current-system/sw/bin/zsh",
+				"XDG_SESSION_CLASS=user",
-				"TERM":              "xterm-256color",
+				"XDG_SESSION_TYPE=tty",
-				"USER":              "chronos",
+			},
-				"XDG_RUNTIME_DIR":   "/run/user/65534",
+			Ops: new(sandbox.Ops).
-				"XDG_SESSION_CLASS": "user",
+				Proc("/proc").
-				"XDG_SESSION_TYPE":  "tty"},
+				Tmpfs(fst.Tmp, 4096, 0755).
-			Chmod:         make(bwrap.ChmodConfig),
+				Dev("/dev").Mqueue("/dev/mqueue").
-			DieWithParent: true,
+				Bind("/bin", "/bin", sandbox.BindWritable).
-			AsInit:        true,
+				Bind("/boot", "/boot", sandbox.BindWritable).
-		}).SetUID(65534).SetGID(65534).
+				Bind("/home", "/home", sandbox.BindWritable).
-			Procfs("/proc").
+				Bind("/lib", "/lib", sandbox.BindWritable).
-			Tmpfs(fst.Tmp, 4096).
+				Bind("/lib64", "/lib64", sandbox.BindWritable).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
+				Bind("/nix", "/nix", sandbox.BindWritable).
-			Bind("/bin", "/bin", false, true).
+				Bind("/root", "/root", sandbox.BindWritable).
-			Bind("/boot", "/boot", false, true).
+				Bind("/run", "/run", sandbox.BindWritable).
-			Bind("/home", "/home", false, true).
+				Bind("/srv", "/srv", sandbox.BindWritable).
-			Bind("/lib", "/lib", false, true).
+				Bind("/sys", "/sys", sandbox.BindWritable).
-			Bind("/lib64", "/lib64", false, true).
+				Bind("/usr", "/usr", sandbox.BindWritable).
-			Bind("/nix", "/nix", false, true).
+				Bind("/var", "/var", sandbox.BindWritable).
-			Bind("/root", "/root", false, true).
+				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-			Bind("/run", "/run", false, true).
+				Tmpfs("/run/user/1971", 8192, 0755).
-			Bind("/srv", "/srv", false, true).
+				Tmpfs("/run/dbus", 8192, 0755).
-			Bind("/sys", "/sys", false, true).
+				Bind("/etc", fst.Tmp+"/etc", 0).
-			Bind("/usr", "/usr", false, true).
+				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-			Bind("/var", "/var", false, true).
+				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-			Bind("/dev/kvm", "/dev/kvm", true, true, true).
+				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-			Tmpfs("/run/user/1971", 8192).
+				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-			Tmpfs("/run/dbus", 8192).
+				Link(fst.Tmp+"/etc/default", "/etc/default").
-			Bind("/etc", fst.Tmp+"/etc").
+				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
+				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
+				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
+				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
+				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-			Symlink(fst.Tmp+"/etc/default", "/etc/default").
+				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
+				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
+				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
+				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
+				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
+				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
+				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
+				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
+				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
+				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
+				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
+				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
+				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
+				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
+				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
+				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
+				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
+				Link("/proc/mounts", "/etc/mtab").
-			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
+				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
+				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
+				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
+				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
+				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-			Symlink("/proc/mounts", "/etc/mtab").
+				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
+				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
+				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
+				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
+				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
+				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
+				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
+				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
+				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
+				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
+				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
+				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
+				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
+				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
+				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
+				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
+				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
+				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
+				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
+				Link(fst.Tmp+"/etc/services", "/etc/services").
-			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
+				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
+				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
+				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
+				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
+				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-			Symlink(fst.Tmp+"/etc/services", "/etc/services").
+				Link(fst.Tmp+"/etc/static", "/etc/static").
-			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
+				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
+				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
+				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
+				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
+				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-			Symlink(fst.Tmp+"/etc/static", "/etc/static").
+				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
+				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
+				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
+				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
+				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
+				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
+				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
+				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
+				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
+				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
+				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
+				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
+				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
+				Tmpfs("/run/user", 4096, 0755).
-			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
+				Tmpfs("/run/user/65534", 8388608, 0700).
-			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
+				Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
-			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
+				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
-			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
+				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Place("/etc/group", []byte("fortify:x:65534:\n")).
-			Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", false, true).
+				Tmpfs("/var/run/nscd", 8192, 0755),
-			Tmpfs("/run/user", 1048576).
+		},
 			Tmpfs("/run/user/65534", 8388608).
 			Bind("/home/chronos", "/home/chronos", false, true).
 			CopyBind("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 			CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
 			Tmpfs("/var/run/nscd", 8192).
 			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
 			Symlink("fortify", "/.fortify/sbin/init"),
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
 		&fst.Config{
-			ID:      "org.chromium.Chromium",
+			ID:   "org.chromium.Chromium",
-			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
+			Args: []string{"zsh", "-c", "exec chromium "},
 			Confinement: fst.ConfinementConfig{
 				AppID:    9,
 				Groups:   []string{"video"},
@ -199,7 +192,7 @@ var testCasesPd = []sealTestCase{
 					},
 					Filter: true,
 				},
-				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+				Enablements: system.EWayland | system.EDBus | system.EPulse,
 			},
 		},
 		fst.ID{
@ -210,14 +203,13 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000009).
 			Ensure("/tmp/fortify.1971", 0711).
 			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
 			Wayland(new(*os.File), "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
 			Ensure("/tmp/fortify.1971/wayland", 0711).
 			Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
 			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
@ -252,141 +244,136 @@ var testCasesPd = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		(&bwrap.Config{
+		&sandbox.Params{
-			Net:      true,
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
-			UserNS:   true,
+			Dir:   "/home/chronos",
-			Chdir:    "/home/chronos",
+			Path:  "/run/current-system/sw/bin/zsh",
-			Clearenv: true,
+			Args:  []string{"zsh", "-c", "exec chromium "},
-			Syscall:  new(bwrap.SyscallPolicy),
+			Env: []string{
-			SetEnv: map[string]string{
+				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
-				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
+				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
-				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
+				"HOME=/home/chronos",
-				"HOME":                     "/home/chronos",
+				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
-				"PULSE_COOKIE":             fst.Tmp + "/pulse-cookie",
+				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
-				"PULSE_SERVER":             "unix:/run/user/65534/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
-				"SHELL":                    "/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
-				"TERM":                     "xterm-256color",
+				"USER=chronos",
-				"USER":                     "chronos",
+				"WAYLAND_DISPLAY=wayland-0",
-				"WAYLAND_DISPLAY":          "wayland-0",
+				"XDG_RUNTIME_DIR=/run/user/65534",
-				"XDG_RUNTIME_DIR":          "/run/user/65534",
+				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_CLASS":        "user",
+				"XDG_SESSION_TYPE=tty",
 				"XDG_SESSION_TYPE":         "tty",
 			},
-			Chmod:         make(bwrap.ChmodConfig),
+			Ops: new(sandbox.Ops).
-			DieWithParent: true,
+				Proc("/proc").
-			AsInit:        true,
+				Tmpfs(fst.Tmp, 4096, 0755).
-		}).SetUID(65534).SetGID(65534).
+				Dev("/dev").Mqueue("/dev/mqueue").
-			Procfs("/proc").
+				Bind("/bin", "/bin", sandbox.BindWritable).
-			Tmpfs(fst.Tmp, 4096).
+				Bind("/boot", "/boot", sandbox.BindWritable).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
+				Bind("/home", "/home", sandbox.BindWritable).
-			Bind("/bin", "/bin", false, true).
+				Bind("/lib", "/lib", sandbox.BindWritable).
-			Bind("/boot", "/boot", false, true).
+				Bind("/lib64", "/lib64", sandbox.BindWritable).
-			Bind("/home", "/home", false, true).
+				Bind("/nix", "/nix", sandbox.BindWritable).
-			Bind("/lib", "/lib", false, true).
+				Bind("/root", "/root", sandbox.BindWritable).
-			Bind("/lib64", "/lib64", false, true).
+				Bind("/run", "/run", sandbox.BindWritable).
-			Bind("/nix", "/nix", false, true).
+				Bind("/srv", "/srv", sandbox.BindWritable).
-			Bind("/root", "/root", false, true).
+				Bind("/sys", "/sys", sandbox.BindWritable).
-			Bind("/run", "/run", false, true).
+				Bind("/usr", "/usr", sandbox.BindWritable).
-			Bind("/srv", "/srv", false, true).
+				Bind("/var", "/var", sandbox.BindWritable).
-			Bind("/sys", "/sys", false, true).
+				Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-			Bind("/usr", "/usr", false, true).
+				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-			Bind("/var", "/var", false, true).
+				Tmpfs("/run/user/1971", 8192, 0755).
-			Bind("/dev/dri", "/dev/dri", true, true, true).
+				Tmpfs("/run/dbus", 8192, 0755).
-			Bind("/dev/kvm", "/dev/kvm", true, true, true).
+				Bind("/etc", fst.Tmp+"/etc", 0).
-			Tmpfs("/run/user/1971", 8192).
+				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-			Tmpfs("/run/dbus", 8192).
+				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-			Bind("/etc", fst.Tmp+"/etc").
+				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
+				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
+				Link(fst.Tmp+"/etc/default", "/etc/default").
-			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
+				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
+				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-			Symlink(fst.Tmp+"/etc/default", "/etc/default").
+				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
+				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
+				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
+				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
+				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
+				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
+				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
+				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
+				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
+				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
+				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
+				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
+				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
+				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
+				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
+				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
+				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
+				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
+				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
+				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
+				Link("/proc/mounts", "/etc/mtab").
-			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
+				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
+				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-			Symlink("/proc/mounts", "/etc/mtab").
+				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
+				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
+				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
+				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
+				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
+				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
+				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
+				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
+				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
+				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
+				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
+				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
+				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
+				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
+				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
+				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
+				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
+				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
+				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
+				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
+				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
+				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
+				Link(fst.Tmp+"/etc/services", "/etc/services").
-			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
+				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
+				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-			Symlink(fst.Tmp+"/etc/services", "/etc/services").
+				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
+				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
+				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
+				Link(fst.Tmp+"/etc/static", "/etc/static").
-			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
+				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
+				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-			Symlink(fst.Tmp+"/etc/static", "/etc/static").
+				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
+				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
+				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
+				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
+				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
+				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
+				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
+				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
+				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
+				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
+				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
+				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
+				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
+				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
+				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
+				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
+				Tmpfs("/run/user", 4096, 0755).
-			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
+				Tmpfs("/run/user/65534", 8388608, 0700).
-			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
-			Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", false, true).
+				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
-			Tmpfs("/run/user", 1048576).
+				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-			Tmpfs("/run/user/65534", 8388608).
+				Place("/etc/group", []byte("fortify:x:65534:\n")).
-			Bind("/home/chronos", "/home/chronos", false, true).
+				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
-			CopyBind("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
-			CopyBind("/etc/group", []byte("fortify:x:65534:\n")).
+				Place(fst.Tmp+"/pulse-cookie", nil).
-			Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
+				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
-			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
+				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-			CopyBind(fst.Tmp+"/pulse-cookie", nil).
+				Tmpfs("/var/run/nscd", 8192, 0755),
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
+		},
 			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
 			Tmpfs("/var/run/nscd", 8192).
 			Bind("/run/wrappers/bin/fortify", "/.fortify/sbin/fortify").
 			Symlink("fortify", "/.fortify/sbin/init"),
 	},
 }
--- a/internal/app/app_stub_test.go
+++ b/internal/app/app_stub_test.go
@ -3,10 +3,11 @@ package app_test
 import (
 	"fmt"
 	"io/fs"
 	"log"
 	"os/user"
 	"strconv"
-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/fst"
 )
 // fs methods are not implemented using a real FS
@ -16,13 +17,17 @@ type stubNixOS struct {
 	usernameErr map[string]error
 }
-func (s *stubNixOS) Geteuid() int                             { return 1971 }
+func (s *stubNixOS) Getuid() int                              { return 1971 }
 func (s *stubNixOS) Getgid() int                              { return 100 }
 func (s *stubNixOS) TempDir() string                          { return "/tmp" }
 func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/fortify" }
 func (s *stubNixOS) Exit(code int)                            { panic("called exit on stub with code " + strconv.Itoa(code)) }
 func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
 func (s *stubNixOS) Uid(aid int) (int, error)                 { return 1000000 + 0*10000 + aid, nil }
 func (s *stubNixOS) Println(v ...any)               { log.Println(v...) }
 func (s *stubNixOS) Printf(format string, v ...any) { log.Printf(format, v...) }
 func (s *stubNixOS) LookupEnv(key string) (string, bool) {
 	switch key {
 	case "SHELL":
@ -50,10 +55,8 @@ func (s *stubNixOS) LookPath(file string) (string, error) {
 	}
 	switch file {
-	case "sudo":
+	case "zsh":
-		return "/run/wrappers/bin/sudo", nil
+		return "/run/current-system/sw/bin/zsh", nil
 	case "machinectl":
 		return "/home/ophestra/.nix-profile/bin/machinectl", nil
 	default:
 		panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
 	}
@ -122,8 +125,8 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {
 	}
 }
-func (s *stubNixOS) Paths() linux.Paths {
+func (s *stubNixOS) Paths() fst.Paths {
-	return linux.Paths{
+	return fst.Paths{
 		SharePath:   "/tmp/fortify.1971",
 		RuntimePath: "/run/user/1971",
 		RunDirPath:  "/run/user/1971/fortify",
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@ -8,19 +8,19 @@ import (
 	"time"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/system"
 )
 type sealTestCase struct {
-	name      string
+	name          string
-	os        linux.System
+	os            sys.State
-	config    *fst.Config
+	config        *fst.Config
-	id        fst.ID
+	id            fst.ID
-	wantSys   *system.I
+	wantSys       *system.I
-	wantBwrap *bwrap.Config
+	wantContainer *sandbox.Params
 }
 func TestApp(t *testing.T) {
@ -29,17 +29,21 @@ func TestApp(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			a := app.NewWithID(tc.id, tc.os)
-
+			var (
 				gotSys       *system.I
 				gotContainer *sandbox.Params
 			)
 			if !t.Run("seal", func(t *testing.T) {
-				if err := a.Seal(tc.config); err != nil {
+				if sa, err := a.Seal(tc.config); err != nil {
 					t.Errorf("Seal: error = %v", err)
 					return
 				} else {
 					gotSys, gotContainer = app.AppIParams(a, sa)
 				}
 			}) {
 				return
 			}
 			gotSys, gotBwrap := app.AppSystemBwrap(a)
 			t.Run("compare sys", func(t *testing.T) {
 				if !gotSys.Equal(tc.wantSys) {
 					t.Errorf("Seal: sys = %#v, want %#v",
@ -47,10 +51,10 @@ func TestApp(t *testing.T) {
 				}
 			})
-			t.Run("compare bwrap", func(t *testing.T) {
+			t.Run("compare params", func(t *testing.T) {
-				if !reflect.DeepEqual(gotBwrap, tc.wantBwrap) {
+				if !reflect.DeepEqual(gotContainer, tc.wantContainer) {
-					t.Errorf("seal: bwrap =\n%s\n, want\n%s",
+					t.Errorf("seal: params =\n%s\n, want\n%s",
-						mustMarshal(gotBwrap), mustMarshal(tc.wantBwrap))
+						mustMarshal(gotContainer), mustMarshal(tc.wantContainer))
 				}
 			})
 		})
--- a/internal/app/errors.go
+++ b/internal/app/errors.go
@ -0,0 +1,179 @@
 package app
 import (
 	"errors"
 	"log"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 func PrintRunStateErr(rs *fst.RunState, runErr error) {
 	if runErr != nil {
 		if rs.Time == nil {
 			fmsg.PrintBaseError(runErr, "cannot start app:")
 		} else {
 			var e *fmsg.BaseError
 			if !fmsg.AsBaseError(runErr, &e) {
 				log.Println("wait failed:", runErr)
 			} else {
 				// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
 				var se *StateStoreError
 				if !errors.As(runErr, &se) {
 					// does not need special handling
 					log.Print(e.Message())
 				} else {
 					// inner error are either unwrapped store errors
 					// or joined errors returned by *appSealTx revert
 					// wrapped in *app.BaseError
 					var ej RevertCompoundError
 					if !errors.As(se.InnerErr, &ej) {
 						// does not require special handling
 						log.Print(e.Message())
 					} else {
 						errs := ej.Unwrap()
 						// every error here is wrapped in *app.BaseError
 						for _, ei := range errs {
 							var eb *fmsg.BaseError
 							if !errors.As(ei, &eb) {
 								// unreachable
 								log.Println("invalid error type returned by revert:", ei)
 							} else {
 								// print inner *app.BaseError message
 								log.Print(eb.Message())
 							}
 						}
 					}
 				}
 			}
 		}
 		if rs.ExitCode == 0 {
 			rs.ExitCode = 126
 		}
 	}
 	if rs.RevertErr != nil {
 		var stateStoreError *StateStoreError
 		if !errors.As(rs.RevertErr, &stateStoreError) || stateStoreError == nil {
 			fmsg.PrintBaseError(rs.RevertErr, "generic fault during cleanup:")
 			goto out
 		}
 		if stateStoreError.Err != nil {
 			if len(stateStoreError.Err) == 2 {
 				if stateStoreError.Err[0] != nil {
 					if joinedErrs, ok := stateStoreError.Err[0].(interface{ Unwrap() []error }); !ok {
 						fmsg.PrintBaseError(stateStoreError.Err[0], "generic fault during revert:")
 					} else {
 						for _, err := range joinedErrs.Unwrap() {
 							if err != nil {
 								fmsg.PrintBaseError(err, "fault during revert:")
 							}
 						}
 					}
 				}
 				if stateStoreError.Err[1] != nil {
 					log.Printf("cannot close store: %v", stateStoreError.Err[1])
 				}
 			} else {
 				log.Printf("fault during cleanup: %v",
 					errors.Join(stateStoreError.Err...))
 			}
 		}
 		if stateStoreError.OpErr != nil {
 			log.Printf("blind revert due to store fault: %v",
 				stateStoreError.OpErr)
 		}
 		if stateStoreError.DoErr != nil {
 			fmsg.PrintBaseError(stateStoreError.DoErr, "state store operation unsuccessful:")
 		}
 		if stateStoreError.Inner && stateStoreError.InnerErr != nil {
 			fmsg.PrintBaseError(stateStoreError.InnerErr, "cannot destroy state entry:")
 		}
 	out:
 		if rs.ExitCode == 0 {
 			rs.ExitCode = 128
 		}
 	}
 	if rs.WaitErr != nil {
 		log.Println("inner wait failed:", rs.WaitErr)
 	}
 }
 // StateStoreError is returned for a failed state save
 type StateStoreError struct {
 	// whether inner function was called
 	Inner bool
 	// returned by the Save/Destroy method of [state.Cursor]
 	InnerErr error
 	// returned by the Do method of [state.Store]
 	DoErr error
 	// stores an arbitrary store operation error
 	OpErr error
 	// stores arbitrary errors
 	Err []error
 }
 // save saves arbitrary errors in [StateStoreError] once.
 func (e *StateStoreError) save(errs []error) {
 	if len(errs) == 0 || e.Err != nil {
 		panic("invalid call to save")
 	}
 	e.Err = errs
 }
 func (e *StateStoreError) equiv(a ...any) error {
 	if e.Inner && e.InnerErr == nil && e.DoErr == nil && e.OpErr == nil && errors.Join(e.Err...) == nil {
 		return nil
 	} else {
 		return fmsg.WrapErrorSuffix(e, a...)
 	}
 }
 func (e *StateStoreError) Error() string {
 	if e.Inner && e.InnerErr != nil {
 		return e.InnerErr.Error()
 	}
 	if e.DoErr != nil {
 		return e.DoErr.Error()
 	}
 	if e.OpErr != nil {
 		return e.OpErr.Error()
 	}
 	if err := errors.Join(e.Err...); err != nil {
 		return err.Error()
 	}
 	// equiv nullifies e for values where this is reached
 	panic("unreachable")
 }
 func (e *StateStoreError) Unwrap() (errs []error) {
 	errs = make([]error, 0, 3)
 	if e.InnerErr != nil {
 		errs = append(errs, e.InnerErr)
 	}
 	if e.DoErr != nil {
 		errs = append(errs, e.DoErr)
 	}
 	if e.OpErr != nil {
 		errs = append(errs, e.OpErr)
 	}
 	if err := errors.Join(e.Err...); err != nil {
 		errs = append(errs, err)
 	}
 	return
 }
 // A RevertCompoundError encapsulates errors returned by
 // the Revert method of [system.I].
 type RevertCompoundError interface {
 	Error() string
 	Unwrap() []error
 }
--- a/internal/app/export_test.go
+++ b/internal/app/export_test.go
@ -2,19 +2,23 @@ package app
 import (
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/system"
 )
-func NewWithID(id fst.ID, os linux.System) App {
+func NewWithID(id fst.ID, os sys.State) fst.App {
 	a := new(app)
-	a.id = &id
+	a.id = newID(&id)
-	a.os = os
+	a.sys = os
 	return a
 }
-func AppSystemBwrap(a App) (*system.I, *bwrap.Config) {
+func AppIParams(a fst.App, sa fst.SealedApp) (*system.I, *sandbox.Params) {
 	v := a.(*app)
-	return v.seal.sys.I, v.seal.sys.bwrap
+	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {
 		panic("broken app/outcome link")
 	}
 	return seal.sys, seal.container
 }
--- a/internal/app/init/early.go
+++ b/internal/app/init/early.go
@ -1,18 +0,0 @@
 package init0
 import (
 	"os"
 	"path"
 	"git.gensokyo.uk/security/fortify/internal"
 )
 // used by the parent process
 // TryArgv0 calls [Main] if argv0 indicates the process is started from a file named "init".
 func TryArgv0() {
 	if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
 		Main()
 		internal.Exit(0)
 	}
 }
--- a/internal/app/init/main.go
+++ b/internal/app/init/main.go
@ -1,165 +0,0 @@
 package init0
 import (
 	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
 	"syscall"
 	"time"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 const (
 	// time to wait for linger processes after death of initial process
 	residualProcessTimeout = 5 * time.Second
 )
 // everything beyond this point runs within pid namespace
 // proceed with caution!
 func Main() {
 	// sharing stdout with shim
 	// USE WITH CAUTION
 	fmsg.Prepare("init")
 	// setting this prevents ptrace
 	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 	if os.Getpid() != 1 {
 		log.Fatal("this process must run as pid 1")
 	}
 	// receive setup payload
 	var (
 		payload    Payload
 		closeSetup func() error
 	)
 	if f, err := proc.Receive(Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
 		if errors.Is(err, proc.ErrNotSet) {
 			log.Fatal("FORTIFY_INIT not set")
 		}
 		log.Fatalf("cannot decode init setup payload: %v", err)
 	} else {
 		fmsg.Store(payload.Verbose)
 		closeSetup = f
 		// child does not need to see this
 		if err = os.Unsetenv(Env); err != nil {
 			log.Printf("cannot unset %s: %v", Env, err)
 			// not fatal
 		} else {
 			fmsg.Verbose("received configuration")
 		}
 	}
 	// die with parent
 	if err := internal.PR_SET_PDEATHSIG__SIGKILL(); err != nil {
 		log.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err)
 	}
 	cmd := exec.Command(payload.Argv0)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = payload.Argv
 	cmd.Env = os.Environ()
 	if err := cmd.Start(); err != nil {
 		log.Fatalf("cannot start %q: %v", payload.Argv0, err)
 	}
 	fmsg.Suspend()
 	// close setup pipe as setup is now complete
 	if err := closeSetup(); err != nil {
 		log.Println("cannot close setup pipe:", err)
 		// not fatal
 	}
 	sig := make(chan os.Signal, 2)
 	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
 	type winfo struct {
 		wpid    int
 		wstatus syscall.WaitStatus
 	}
 	info := make(chan winfo, 1)
 	done := make(chan struct{})
 	go func() {
 		var (
 			err     error
 			wpid    = -2
 			wstatus syscall.WaitStatus
 		)
 		// keep going until no child process is left
 		for wpid != -1 {
 			if err != nil {
 				break
 			}
 			if wpid != -2 {
 				info <- winfo{wpid, wstatus}
 			}
 			err = syscall.EINTR
 			for errors.Is(err, syscall.EINTR) {
 				wpid, err = syscall.Wait4(-1, &wstatus, 0, nil)
 			}
 		}
 		if !errors.Is(err, syscall.ECHILD) {
 			log.Println("unexpected wait4 response:", err)
 		}
 		close(done)
 	}()
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
 	r := 2
 	for {
 		select {
 		case s := <-sig:
 			if fmsg.Resume() {
 				fmsg.Verbosef("terminating on %s after process start", s.String())
 			} else {
 				fmsg.Verbosef("terminating on %s", s.String())
 			}
 			internal.Exit(0)
 		case w := <-info:
 			if w.wpid == cmd.Process.Pid {
 				// initial process exited, output is most likely available again
 				fmsg.Resume()
 				switch {
 				case w.wstatus.Exited():
 					r = w.wstatus.ExitStatus()
 				case w.wstatus.Signaled():
 					r = 128 + int(w.wstatus.Signal())
 				default:
 					r = 255
 				}
 				go func() {
 					time.Sleep(residualProcessTimeout)
 					close(timeout)
 				}()
 			}
 		case <-done:
 			internal.Exit(r)
 		case <-timeout:
 			log.Println("timeout exceeded waiting for lingering processes")
 			internal.Exit(r)
 		}
 	}
 }
--- a/internal/app/init/payload.go
+++ b/internal/app/init/payload.go
@ -1,13 +0,0 @@
 package init0
 const Env = "FORTIFY_INIT"
 type Payload struct {
 	// target full exec path
 	Argv0 string
 	// child full argv
 	Argv []string
 	// verbosity pass through
 	Verbose bool
 }
--- a/internal/app/process.go
+++ b/internal/app/process.go
@ -0,0 +1,180 @@
 package app
 import (
 	"context"
 	"errors"
 	"log"
 	"os/exec"
 	"time"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/state"
 	"git.gensokyo.uk/security/fortify/system"
 )
 const shimSetupTimeout = 5 * time.Second
 func (seal *outcome) Run(rs *fst.RunState) error {
 	if !seal.f.CompareAndSwap(false, true) {
 		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
 		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
 		// other Run a chance to return
 		panic("attempted to run twice")
 	}
 	if rs == nil {
 		panic("invalid state")
 	}
 	// read comp values early to allow for early failure
 	fmsg.Verbosef("version %s", internal.Version())
 	fmsg.Verbosef("setuid helper at %s", internal.MustFsuPath())
 	/*
 		prepare/revert os state
 	*/
 	if err := seal.sys.Commit(seal.ctx); err != nil {
 		return err
 	}
 	store := state.NewMulti(seal.runDirPath)
 	deferredStoreFunc := func(c state.Cursor) error { return nil }
 	defer func() {
 		var revertErr error
 		storeErr := new(StateStoreError)
 		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
 			revertErr = func() error {
 				storeErr.InnerErr = deferredStoreFunc(c)
 				/*
 					revert app setup transaction
 				*/
 				var rt system.Enablement
 				ec := system.Process
 				if states, err := c.Load(); err != nil {
 					// revert per-process state here to limit damage
 					storeErr.OpErr = err
 					return seal.sys.Revert((*system.Criteria)(&ec))
 				} else {
 					if l := len(states); l == 0 {
 						fmsg.Verbose("no other launchers active, will clean up globals")
 						ec |= system.User
 					} else {
 						fmsg.Verbosef("found %d active launchers, cleaning up without globals", l)
 					}
 					// accumulate enablements of remaining launchers
 					for i, s := range states {
 						if s.Config != nil {
 							rt |= s.Config.Confinement.Enablements
 						} else {
 							log.Printf("state entry %d does not contain config", i)
 						}
 					}
 				}
 				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
 				if fmsg.Load() {
 					if ec > 0 {
 						fmsg.Verbose("reverting operations type", system.TypeString(ec))
 					}
 				}
 				return seal.sys.Revert((*system.Criteria)(&ec))
 			}()
 		})
 		storeErr.save([]error{revertErr, store.Close()})
 		rs.RevertErr = storeErr.equiv("error returned during cleanup:")
 	}()
 	/*
 		shim process lifecycle
 	*/
 	waitErr := make(chan error, 1)
 	cmd := new(shimProcess)
 	if startTime, err := cmd.Start(
 		seal.user.aid.String(),
 		seal.user.supp,
 	); err != nil {
 		return err
 	} else {
 		// whether/when the fsu process was created
 		rs.Time = startTime
 	}
 	ctx, cancel := context.WithTimeout(seal.ctx, shimSetupTimeout)
 	defer cancel()
 	go func() {
 		waitErr <- cmd.Unwrap().Wait()
 		// cancel shim setup in case shim died before receiving payload
 		cancel()
 	}()
 	if err := cmd.Serve(ctx, &shimParams{
 		Container: seal.container,
 		Home:      seal.user.data,
 		Verbose: fmsg.Load(),
 	}); err != nil {
 		return err
 	}
 	// shim accepted setup payload, create process state
 	sd := state.State{
 		ID:   seal.id.unwrap(),
 		PID:  cmd.Unwrap().Process.Pid,
 		Time: *rs.Time,
 	}
 	var earlyStoreErr = new(StateStoreError) // returned after blocking on waitErr
 	earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
 		earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
 	})
 	// destroy defunct state entry
 	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
 	select {
 	case err := <-waitErr: // block until fsu/shim returns
 		if err != nil {
 			var exitError *exec.ExitError
 			if !errors.As(err, &exitError) {
 				// should be unreachable
 				rs.WaitErr = err
 			}
 			// store non-zero return code
 			rs.ExitCode = exitError.ExitCode()
 		} else {
 			rs.ExitCode = cmd.Unwrap().ProcessState.ExitCode()
 		}
 		if fmsg.Load() {
 			fmsg.Verbosef("process %d exited with exit code %d", cmd.Unwrap().Process.Pid, rs.ExitCode)
 		}
 	// this is reached when a fault makes an already running shim impossible to continue execution
 	// however a kill signal could not be delivered (should actually always happen like that since fsu)
 	// the effects of this is similar to the alternative exit path and ensures shim death
 	case err := <-cmd.Fallback():
 		rs.ExitCode = 255
 		log.Printf("cannot terminate shim on faulted setup: %v", err)
 	// alternative exit path relying on shim behaviour on monitor process exit
 	case <-seal.ctx.Done():
 		fmsg.Verbose("alternative exit path selected")
 	}
 	fmsg.Resume()
 	if seal.sync != nil {
 		if err := seal.sync.Close(); err != nil {
 			log.Printf("cannot close wayland security context: %v", err)
 		}
 	}
 	if seal.dbusMsg != nil {
 		seal.dbusMsg()
 	}
 	return earlyStoreErr.equiv("cannot save process state:")
 }
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -2,24 +2,48 @@ package app
 import (
 	"bytes"
 	"context"
 	"encoding/gob"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"os"
 	"path"
 	"regexp"
-	"strconv"
+	"slices"
 	"strings"
 	"sync/atomic"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/internal/state"
+	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/sandbox/wl"
 	"git.gensokyo.uk/security/fortify/system"
 )
 const (
 	home  = "HOME"
 	shell = "SHELL"
 	xdgConfigHome   = "XDG_CONFIG_HOME"
 	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
 	xdgSessionClass = "XDG_SESSION_CLASS"
 	xdgSessionType  = "XDG_SESSION_TYPE"
 	term    = "TERM"
 	display = "DISPLAY"
 	pulseServer = "PULSE_SERVER"
 	pulseCookie = "PULSE_COOKIE"
 	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
 	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
 )
 var (
@ -27,182 +51,196 @@ var (
 	ErrUser   = errors.New("invalid aid")
 	ErrHome   = errors.New("invalid home directory")
 	ErrName   = errors.New("invalid username")
 	ErrXDisplay = errors.New(display + " unset")
 	ErrPulseCookie = errors.New("pulse cookie not present")
 	ErrPulseSocket = errors.New("pulse socket not present")
 	ErrPulseMode   = errors.New("unexpected pulse socket mode")
 )
 var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
-// appSeal seals the application with child-related information
+// outcome stores copies of various parts of [fst.Config]
-type appSeal struct {
+type outcome struct {
-	// app unique ID string representation
+	// copied from initialising [app]
-	id string
+	id *stringPair[fst.ID]
 	// copied from [sys.State] response
 	runDirPath string
 	// initial [fst.Config] gob stream for state data;
 	// this is prepared ahead of time as config is clobbered during seal creation
 	ct io.WriterTo
 	// dump dbus proxy message buffer
 	dbusMsg func()
-	// freedesktop application ID
+	user fsuUser
-	fid string
+	sys  *system.I
-	// argv to start process with in the final confined environment
+	ctx  context.Context
 	command []string
 	// persistent process state store
 	store state.Store
-	// process-specific share directory path
+	container *sandbox.Params
-	share string
+	env       map[string]string
-	// process-specific share directory path local to XDG_RUNTIME_DIR
+	sync      *os.File
 	shareLocal string
-	// pass-through enablement tracking from config
+	f atomic.Bool
 	et system.Enablements
 	// initial config gob encoding buffer
 	ct io.WriterTo
 	// wayland socket direct access
 	directWayland bool
 	// extra UpdatePerm ops
 	extraPerms []*sealedExtraPerm
 	// prevents sharing from happening twice
 	shared bool
 	// seal system-level component
 	sys *appSealSys
 	linux.Paths
 	// protected by upstream mutex
 }
-type sealedExtraPerm struct {
+// shareHost holds optional share directory state that must not be accessed directly
-	name   string
+type shareHost struct {
-	perms  acl.Perms
+	// whether XDG_RUNTIME_DIR is used post fsu
-	ensure bool
+	useRuntimeDir bool
 	// process-specific directory in tmpdir, empty if unused
 	sharePath string
 	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
 	runtimeSharePath string
 	seal *outcome
 	sc   fst.Paths
 }
-// Seal seals the app launch context
+// ensureRuntimeDir must be called if direct access to paths within XDG_RUNTIME_DIR is required
-func (a *app) Seal(config *fst.Config) error {
+func (share *shareHost) ensureRuntimeDir() {
-	a.lock.Lock()
+	if share.useRuntimeDir {
-	defer a.lock.Unlock()
+		return
 	}
 	share.useRuntimeDir = true
 	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
 	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
 	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
 	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
 }
-	if a.seal != nil {
+// instance returns a process-specific share path within tmpdir
-		panic("app sealed twice")
+func (share *shareHost) instance() string {
 	if share.sharePath != "" {
 		return share.sharePath
 	}
 	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
 	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
 	return share.sharePath
 }
 // runtime returns a process-specific share path within XDG_RUNTIME_DIR
 func (share *shareHost) runtime() string {
 	if share.runtimeSharePath != "" {
 		return share.runtimeSharePath
 	}
 	share.ensureRuntimeDir()
 	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
 	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
 	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
 	return share.runtimeSharePath
 }
 // fsuUser stores post-fsu credentials and metadata
 type fsuUser struct {
 	// application id
 	aid *stringPair[int]
 	// target uid resolved by fid:aid
 	uid *stringPair[int]
 	// supplementary group ids
 	supp []string
 	// home directory host path
 	data string
 	// app user home directory
 	home string
 	// passwd database username
 	username string
 }
 func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Config) error {
 	if seal.ctx != nil {
 		panic("finalise called twice")
 	}
 	seal.ctx = ctx
 	{
 		// encode initial configuration for state tracking
 		ct := new(bytes.Buffer)
 		if err := gob.NewEncoder(ct).Encode(config); err != nil {
 			return fmsg.WrapErrorSuffix(err,
 				"cannot encode initial config:")
 		}
 		seal.ct = ct
 	}
-	if config == nil {
+	// allowed aid range 0 to 9999, this is checked again in fsu
 		return fmsg.WrapError(ErrConfig,
 			"attempted to seal app with nil config")
 	}
 	// create seal
 	seal := new(appSeal)
 	// encode initial configuration for state tracking
 	ct := new(bytes.Buffer)
 	if err := gob.NewEncoder(ct).Encode(config); err != nil {
 		return fmsg.WrapErrorSuffix(err,
 			"cannot encode initial config:")
 	}
 	seal.ct = ct
 	// fetch system constants
 	seal.Paths = a.os.Paths()
 	// pass through config values
 	seal.id = a.id.String()
 	seal.fid = config.ID
 	seal.command = config.Command
 	// create seal system component
 	seal.sys = new(appSealSys)
 	// mapped uid
 	if config.Confinement.Sandbox != nil && config.Confinement.Sandbox.MapRealUID {
 		seal.sys.mappedID = a.os.Geteuid()
 	} else {
 		seal.sys.mappedID = 65534
 	}
 	seal.sys.mappedIDString = strconv.Itoa(seal.sys.mappedID)
 	seal.sys.runtime = path.Join("/run/user", seal.sys.mappedIDString)
 	// validate uid and set user info
 	if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
 		return fmsg.WrapError(ErrUser,
 			fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
 	}
-	seal.sys.user = appUser{
+
-		aid:      config.Confinement.AppID,
+	seal.user = fsuUser{
-		as:       strconv.Itoa(config.Confinement.AppID),
+		aid:      newInt(config.Confinement.AppID),
 		data:     config.Confinement.Outer,
 		home:     config.Confinement.Inner,
 		username: config.Confinement.Username,
 	}
-	if seal.sys.user.username == "" {
+	if seal.user.username == "" {
-		seal.sys.user.username = "chronos"
+		seal.user.username = "chronos"
-	} else if !posixUsername.MatchString(seal.sys.user.username) ||
+	} else if !posixUsername.MatchString(seal.user.username) ||
-		len(seal.sys.user.username) >= internal.Sysconf_SC_LOGIN_NAME_MAX() {
+		len(seal.user.username) >= internal.Sysconf_SC_LOGIN_NAME_MAX() {
 		return fmsg.WrapError(ErrName,
-			fmt.Sprintf("invalid user name %q", seal.sys.user.username))
+			fmt.Sprintf("invalid user name %q", seal.user.username))
 	}
-	if seal.sys.user.data == "" || !path.IsAbs(seal.sys.user.data) {
+	if seal.user.data == "" || !path.IsAbs(seal.user.data) {
 		return fmsg.WrapError(ErrHome,
-			fmt.Sprintf("invalid home directory %q", seal.sys.user.data))
+			fmt.Sprintf("invalid home directory %q", seal.user.data))
 	}
-	if seal.sys.user.home == "" {
+	if seal.user.home == "" {
-		seal.sys.user.home = seal.sys.user.data
+		seal.user.home = seal.user.data
 	}
-
+	if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil {
-	// invoke fsu for full uid
+		return err
 	if u, err := a.os.Uid(seal.sys.user.aid); err != nil {
 		return fmsg.WrapErrorSuffix(err,
 			"cannot obtain uid from fsu:")
 	} else {
-		seal.sys.user.uid = u
+		seal.user.uid = newInt(u)
 		seal.sys.user.us = strconv.Itoa(u)
 	}
-
+	seal.user.supp = make([]string, len(config.Confinement.Groups))
 	// resolve supplementary group ids from names
 	seal.sys.user.supp = make([]string, len(config.Confinement.Groups))
 	for i, name := range config.Confinement.Groups {
-		if g, err := a.os.LookupGroup(name); err != nil {
+		if g, err := sys.LookupGroup(name); err != nil {
 			return fmsg.WrapError(err,
 				fmt.Sprintf("unknown group %q", name))
 		} else {
-			seal.sys.user.supp[i] = g.Gid
+			seal.user.supp[i] = g.Gid
 		}
 	}
-	// build extra perms
+	// this also falls back to host path if encountering an invalid path
-	seal.extraPerms = make([]*sealedExtraPerm, len(config.Confinement.ExtraPerms))
+	if !path.IsAbs(config.Confinement.Shell) {
-	for i, p := range config.Confinement.ExtraPerms {
+		config.Confinement.Shell = "/bin/sh"
-		if p == nil {
+		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
-			continue
+			config.Confinement.Shell = s
 		}
 		seal.extraPerms[i] = new(sealedExtraPerm)
 		seal.extraPerms[i].name = p.Path
 		seal.extraPerms[i].perms = make(acl.Perms, 0, 3)
 		if p.Read {
 			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Read)
 		}
 		if p.Write {
 			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Write)
 		}
 		if p.Execute {
 			seal.extraPerms[i].perms = append(seal.extraPerms[i].perms, acl.Execute)
 		}
 		seal.extraPerms[i].ensure = p.Ensure
 	}
 	// do not use the value of shell before this point
-	// map sandbox config to bwrap
+	// permissive defaults
 	if config.Confinement.Sandbox == nil {
 		fmsg.Verbose("sandbox configuration not supplied, PROCEED WITH CAUTION")
-		// permissive defaults
+		// fsu clears the environment so resolve paths early
 		if !path.IsAbs(config.Path) {
 			if len(config.Args) > 0 {
 				if p, err := sys.LookPath(config.Args[0]); err != nil {
 					return fmsg.WrapError(err, err.Error())
 				} else {
 					config.Path = p
 				}
 			} else {
 				config.Path = config.Confinement.Shell
 			}
 		}
 		conf := &fst.SandboxConfig{
-			UserNS:       true,
+			Userns:  true,
-			Net:          true,
+			Net:     true,
-			Syscall:      new(bwrap.SyscallPolicy),
+			Tty:     true,
-			NoNewSession: true,
+			AutoEtc: true,
 			AutoEtc:      true,
 		}
 		// bind entries in /
-		if d, err := a.os.ReadDir("/"); err != nil {
+		if d, err := sys.ReadDir("/"); err != nil {
 			return err
 		} else {
 			b := make([]*fst.FilesystemConfig, 0, len(d))
@ -224,11 +262,11 @@ func (a *app) Seal(config *fst.Config) error {
 		// hide nscd from sandbox if present
 		nscd := "/var/run/nscd"
-		if _, err := a.os.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
+		if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
-			conf.Override = append(conf.Override, nscd)
+			conf.Cover = append(conf.Cover, nscd)
 		}
 		// bind GPU stuff
-		if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
+		if config.Confinement.Enablements&(system.EX11|system.EWayland) != 0 {
 			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}
 		// opportunistically bind kvm
@ -236,38 +274,288 @@ func (a *app) Seal(config *fst.Config) error {
 		config.Confinement.Sandbox = conf
 	}
-	seal.directWayland = config.Confinement.Sandbox.DirectWayland
+
-	if b, err := config.Confinement.Sandbox.Bwrap(a.os); err != nil {
+	var mapuid, mapgid *stringPair[int]
-		return err
+	{
-	} else {
+		var uid, gid int
-		seal.sys.bwrap = b
+		var err error
-	}
+		seal.container, seal.env, err = config.Confinement.Sandbox.ToContainer(sys, &uid, &gid)
-	seal.sys.override = config.Confinement.Sandbox.Override
+		if err != nil {
-	if seal.sys.bwrap.SetEnv == nil {
+			return fmsg.WrapErrorSuffix(err,
-		seal.sys.bwrap.SetEnv = make(map[string]string)
+				"cannot initialise container configuration:")
 		}
 		if !path.IsAbs(config.Path) {
 			return fmsg.WrapError(syscall.EINVAL,
 				"invalid program path")
 		}
 		if len(config.Args) == 0 {
 			config.Args = []string{config.Path}
 		}
 		seal.container.Path = config.Path
 		seal.container.Args = config.Args
 		mapuid = newInt(uid)
 		mapgid = newInt(gid)
 		if seal.env == nil {
 			seal.env = make(map[string]string, 1<<6)
 		}
 	}
-	// open process state store
+	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
-	// the simple store only starts holding an open file after first action
+	innerRuntimeDir := path.Join("/run/user", mapuid.String())
-	// store activity begins after Start is called and must end before Wait
+	seal.container.Tmpfs("/run/user", 1<<12, 0755)
-	seal.store = state.NewMulti(seal.RunDirPath)
+	seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)
 	seal.env[xdgRuntimeDir] = innerRuntimeDir
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"
-	// initialise system interface with full uid
+	share := &shareHost{seal: seal, sc: sys.Paths()}
-	seal.sys.I = system.New(seal.sys.user.uid)
+	seal.runDirPath = share.sc.RunDirPath
 	seal.sys = system.New(seal.user.uid.unwrap())
-	// pass through enablements
+	{
-	seal.et = config.Confinement.Enablements
+		seal.sys.Ensure(share.sc.SharePath, 0711)
-
+		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
-	// this method calls all share methods in sequence
+		seal.sys.Ensure(tmpdir, 0700)
-	if err := seal.setupShares([2]*dbus.Config{config.Confinement.SessionBus, config.Confinement.SystemBus}, a.os); err != nil {
+		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
-		return err
+		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
 		seal.container.Bind(tmpdirInst, "/tmp", sandbox.BindWritable)
 	}
-	// verbose log seal information
+	{
-	fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, command: %s",
+		homeDir := "/var/empty"
-		seal.sys.user.us, seal.sys.user.username, config.Confinement.Groups, config.Command)
+		if seal.user.home != "" {
 			homeDir = seal.user.home
 		}
 		username := "chronos"
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
 		seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
 		seal.container.Dir = homeDir
 		seal.env["HOME"] = homeDir
 		seal.env["USER"] = username
 		seal.env[shell] = config.Confinement.Shell
 		seal.container.Place("/etc/passwd",
 			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Fortify:"+homeDir+":"+config.Confinement.Shell+"\n"))
 		seal.container.Place("/etc/group",
 			[]byte("fortify:x:"+mapgid.String()+":\n"))
 	}
 	// pass TERM for proper terminal I/O in initial process
 	if t, ok := sys.LookupEnv(term); ok {
 		seal.env[term] = t
 	}
 	if config.Confinement.Enablements&system.EWayland != 0 {
 		// outer wayland socket (usually `/run/user/%d/wayland-%d`)
 		var socketPath string
 		if name, ok := sys.LookupEnv(wl.WaylandDisplay); !ok {
 			fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
 			socketPath = path.Join(share.sc.RuntimePath, wl.FallbackName)
 		} else if !path.IsAbs(name) {
 			socketPath = path.Join(share.sc.RuntimePath, name)
 		} else {
 			socketPath = name
 		}
 		innerPath := path.Join(innerRuntimeDir, wl.FallbackName)
 		seal.env[wl.WaylandDisplay] = wl.FallbackName
 		if !config.Confinement.Sandbox.DirectWayland { // set up security-context-v1
 			appID := config.ID
 			if appID == "" {
 				// use instance ID in case app id is not set
 				appID = "uk.gensokyo.fortify." + seal.id.String()
 			}
 			// downstream socket paths
 			outerPath := path.Join(share.instance(), "wayland")
 			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
 			seal.container.Bind(outerPath, innerPath, 0)
 		} else { // bind mount wayland socket (insecure)
 			fmsg.Verbose("direct wayland access, PROCEED WITH CAUTION")
 			share.ensureRuntimeDir()
 			seal.container.Bind(socketPath, innerPath, 0)
 			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
 		}
 	}
 	if config.Confinement.Enablements&system.EX11 != 0 {
 		if d, ok := sys.LookupEnv(display); !ok {
 			return fmsg.WrapError(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
 			seal.sys.ChangeHosts("#" + seal.user.uid.String())
 			seal.env[display] = d
 			seal.container.Bind("/tmp/.X11-unix", "/tmp/.X11-unix", 0)
 		}
 	}
 	if config.Confinement.Enablements&system.EPulse != 0 {
 		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
 		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
 		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
 		pulseSocket := path.Join(pulseRuntimeDir, "native")
 		if _, err := sys.Stat(pulseRuntimeDir); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
 			}
 			return fmsg.WrapError(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
 		}
 		if s, err := sys.Stat(pulseSocket); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
 			}
 			return fmsg.WrapError(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pulseRuntimeDir))
 		} else {
 			if m := s.Mode(); m&0o006 != 0o006 {
 				return fmsg.WrapError(ErrPulseMode,
 					fmt.Sprintf("unexpected permissions on %q:", pulseSocket), m)
 			}
 		}
 		// hard link pulse socket into target-executable share
 		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
 		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
 		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
 		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
 		seal.env[pulseServer] = "unix:" + innerPulseSocket
 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(sys); err != nil {
 			// not fatal
 			fmsg.Verbose(strings.TrimSpace(err.(*fmsg.BaseError).Message()))
 		} else {
 			innerDst := fst.Tmp + "/pulse-cookie"
 			seal.env[pulseCookie] = innerDst
 			var payload *[]byte
 			seal.container.PlaceP(innerDst, &payload)
 			seal.sys.CopyFile(payload, src, 256, 256)
 		}
 	}
 	if config.Confinement.Enablements&system.EDBus != 0 {
 		// ensure dbus session bus defaults
 		if config.Confinement.SessionBus == nil {
 			config.Confinement.SessionBus = dbus.NewConfig(config.ID, true, true)
 		}
 		// downstream socket paths
 		sharePath := share.instance()
 		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(
 			config.Confinement.SessionBus, config.Confinement.SystemBus,
 			sessionPath, systemPath,
 		); err != nil {
 			return err
 		} else {
 			seal.dbusMsg = f
 		}
 		// share proxy sockets
 		sessionInner := path.Join(innerRuntimeDir, "bus")
 		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner
 		seal.container.Bind(sessionPath, sessionInner, 0)
 		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
 		if config.Confinement.SystemBus != nil {
 			systemInner := "/run/dbus/system_bus_socket"
 			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner
 			seal.container.Bind(systemPath, systemInner, 0)
 			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
 		}
 	}
 	for _, dest := range config.Confinement.Sandbox.Cover {
 		seal.container.Tmpfs(dest, 1<<13, 0755)
 	}
 	// append ExtraPerms last
 	for _, p := range config.Confinement.ExtraPerms {
 		if p == nil {
 			continue
 		}
 		if p.Ensure {
 			seal.sys.Ensure(p.Path, 0700)
 		}
 		perms := make(acl.Perms, 0, 3)
 		if p.Read {
 			perms = append(perms, acl.Read)
 		}
 		if p.Write {
 			perms = append(perms, acl.Write)
 		}
 		if p.Execute {
 			perms = append(perms, acl.Execute)
 		}
 		seal.sys.UpdatePermType(system.User, p.Path, perms...)
 	}
 	// flatten and sort env for deterministic behaviour
 	seal.container.Env = make([]string, 0, len(seal.env))
 	for k, v := range seal.env {
 		if strings.IndexByte(k, '=') != -1 {
 			return fmsg.WrapError(syscall.EINVAL,
 				fmt.Sprintf("invalid environment variable %s", k))
 		}
 		seal.container.Env = append(seal.container.Env, k+"="+v)
 	}
 	slices.Sort(seal.container.Env)
 	fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s",
 		seal.user.uid, seal.user.username, config.Confinement.Groups, seal.container.Args)
 	// seal app and release lock
 	a.seal = seal
 	return nil
 }
 // discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
 func discoverPulseCookie(sys sys.State) (string, error) {
 	if p, ok := sys.LookupEnv(pulseCookie); ok {
 		return p, nil
 	}
 	// dotfile $HOME/.pulse-cookie
 	if p, ok := sys.LookupEnv(home); ok {
 		p = path.Join(p, ".pulse-cookie")
 		if s, err := sys.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	// $XDG_CONFIG_HOME/pulse/cookie
 	if p, ok := sys.LookupEnv(xdgConfigHome); ok {
 		p = path.Join(p, "pulse", "cookie")
 		if s, err := sys.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	return "", fmsg.WrapError(ErrPulseCookie,
 		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
 			pulseCookie, xdgConfigHome, home))
 }
--- a/internal/app/share.go
+++ b/internal/app/share.go
@ -1,339 +0,0 @@
 package app
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"path"
 	"strings"
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/linux"
 	"git.gensokyo.uk/security/fortify/internal/system"
 	"git.gensokyo.uk/security/fortify/wl"
 )
 const (
 	home  = "HOME"
 	shell = "SHELL"
 	xdgConfigHome   = "XDG_CONFIG_HOME"
 	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
 	xdgSessionClass = "XDG_SESSION_CLASS"
 	xdgSessionType  = "XDG_SESSION_TYPE"
 	term    = "TERM"
 	display = "DISPLAY"
 	pulseServer = "PULSE_SERVER"
 	pulseCookie = "PULSE_COOKIE"
 	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
 	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
 )
 var (
 	ErrXDisplay = errors.New(display + " unset")
 	ErrPulseCookie = errors.New("pulse cookie not present")
 	ErrPulseSocket = errors.New("pulse socket not present")
 	ErrPulseMode   = errors.New("unexpected pulse socket mode")
 )
 func (seal *appSeal) setupShares(bus [2]*dbus.Config, os linux.System) error {
 	if seal.shared {
 		panic("seal shared twice")
 	}
 	seal.shared = true
 	/*
 		Tmpdir-based share directory
 	*/
 	// ensure Share (e.g. `/tmp/fortify.%d`)
 	// acl is unnecessary as this directory is world executable
 	seal.sys.Ensure(seal.SharePath, 0711)
 	// ensure process-specific share (e.g. `/tmp/fortify.%d/%s`)
 	// acl is unnecessary as this directory is world executable
 	seal.share = path.Join(seal.SharePath, seal.id)
 	seal.sys.Ephemeral(system.Process, seal.share, 0711)
 	// ensure child tmpdir parent directory (e.g. `/tmp/fortify.%d/tmpdir`)
 	targetTmpdirParent := path.Join(seal.SharePath, "tmpdir")
 	seal.sys.Ensure(targetTmpdirParent, 0700)
 	seal.sys.UpdatePermType(system.User, targetTmpdirParent, acl.Execute)
 	// ensure child tmpdir (e.g. `/tmp/fortify.%d/tmpdir/%d`)
 	targetTmpdir := path.Join(targetTmpdirParent, seal.sys.user.as)
 	seal.sys.Ensure(targetTmpdir, 01700)
 	seal.sys.UpdatePermType(system.User, targetTmpdir, acl.Read, acl.Write, acl.Execute)
 	seal.sys.bwrap.Bind(targetTmpdir, "/tmp", false, true)
 	/*
 		XDG runtime directory
 	*/
 	// mount tmpfs on inner runtime (e.g. `/run/user/%d`)
 	seal.sys.bwrap.Tmpfs("/run/user", 1*1024*1024)
 	seal.sys.bwrap.Tmpfs(seal.sys.runtime, 8*1024*1024)
 	// point to inner runtime path `/run/user/%d`
 	seal.sys.bwrap.SetEnv[xdgRuntimeDir] = seal.sys.runtime
 	seal.sys.bwrap.SetEnv[xdgSessionClass] = "user"
 	seal.sys.bwrap.SetEnv[xdgSessionType] = "tty"
 	// ensure RunDir (e.g. `/run/user/%d/fortify`)
 	seal.sys.Ensure(seal.RunDirPath, 0700)
 	seal.sys.UpdatePermType(system.User, seal.RunDirPath, acl.Execute)
 	// ensure runtime directory ACL (e.g. `/run/user/%d`)
 	seal.sys.Ensure(seal.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
 	seal.sys.UpdatePermType(system.User, seal.RuntimePath, acl.Execute)
 	// ensure process-specific share local to XDG_RUNTIME_DIR (e.g. `/run/user/%d/fortify/%s`)
 	seal.shareLocal = path.Join(seal.RunDirPath, seal.id)
 	seal.sys.Ephemeral(system.Process, seal.shareLocal, 0700)
 	seal.sys.UpdatePerm(seal.shareLocal, acl.Execute)
 	/*
 		Inner passwd database
 	*/
 	// look up shell
 	sh := "/bin/sh"
 	if s, ok := os.LookupEnv(shell); ok {
 		seal.sys.bwrap.SetEnv[shell] = s
 		sh = s
 	}
 	// bind home directory
 	homeDir := "/var/empty"
 	if seal.sys.user.home != "" {
 		homeDir = seal.sys.user.home
 	}
 	username := "chronos"
 	if seal.sys.user.username != "" {
 		username = seal.sys.user.username
 	}
 	seal.sys.bwrap.Bind(seal.sys.user.data, homeDir, false, true)
 	seal.sys.bwrap.Chdir = homeDir
 	seal.sys.bwrap.SetEnv["HOME"] = homeDir
 	seal.sys.bwrap.SetEnv["USER"] = username
 	// generate /etc/passwd and /etc/group
 	seal.sys.bwrap.CopyBind("/etc/passwd",
 		[]byte(username+":x:"+seal.sys.mappedIDString+":"+seal.sys.mappedIDString+":Fortify:"+homeDir+":"+sh+"\n"))
 	seal.sys.bwrap.CopyBind("/etc/group",
 		[]byte("fortify:x:"+seal.sys.mappedIDString+":\n"))
 	/*
 		Display servers
 	*/
 	// pass $TERM to launcher
 	if t, ok := os.LookupEnv(term); ok {
 		seal.sys.bwrap.SetEnv[term] = t
 	}
 	// set up wayland
 	if seal.et.Has(system.EWayland) {
 		var socketPath string
 		if name, ok := os.LookupEnv(wl.WaylandDisplay); !ok {
 			fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
 			socketPath = path.Join(seal.RuntimePath, wl.FallbackName)
 		} else if !path.IsAbs(name) {
 			socketPath = path.Join(seal.RuntimePath, name)
 		} else {
 			socketPath = name
 		}
 		innerPath := path.Join(seal.sys.runtime, wl.FallbackName)
 		seal.sys.bwrap.SetEnv[wl.WaylandDisplay] = wl.FallbackName
 		if !seal.directWayland { // set up security-context-v1
 			socketDir := path.Join(seal.SharePath, "wayland")
 			outerPath := path.Join(socketDir, seal.id)
 			seal.sys.Ensure(socketDir, 0711)
 			appID := seal.fid
 			if appID == "" {
 				// use instance ID in case app id is not set
 				appID = "uk.gensokyo.fortify." + seal.id
 			}
 			seal.sys.Wayland(outerPath, socketPath, appID, seal.id)
 			seal.sys.bwrap.Bind(outerPath, innerPath)
 		} else { // bind mount wayland socket (insecure)
 			fmsg.Verbose("direct wayland access, PROCEED WITH CAUTION")
 			seal.sys.bwrap.Bind(socketPath, innerPath)
 			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
 			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
 		}
 	}
 	// set up X11
 	if seal.et.Has(system.EX11) {
 		// discover X11 and grant user permission via the `ChangeHosts` command
 		if d, ok := os.LookupEnv(display); !ok {
 			return fmsg.WrapError(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
 			seal.sys.ChangeHosts("#" + seal.sys.user.us)
 			seal.sys.bwrap.SetEnv[display] = d
 			seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
 		}
 	}
 	/*
 		PulseAudio server and authentication
 	*/
 	if seal.et.Has(system.EPulse) {
 		// check PulseAudio directory presence (e.g. `/run/user/%d/pulse`)
 		pd := path.Join(seal.RuntimePath, "pulse")
 		ps := path.Join(pd, "native")
 		if _, err := os.Stat(pd); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pd))
 			}
 			return fmsg.WrapError(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q not found", pd))
 		}
 		// check PulseAudio socket permission (e.g. `/run/user/%d/pulse/native`)
 		if s, err := os.Stat(ps); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", ps))
 			}
 			return fmsg.WrapError(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pd))
 		} else {
 			if m := s.Mode(); m&0o006 != 0o006 {
 				return fmsg.WrapError(ErrPulseMode,
 					fmt.Sprintf("unexpected permissions on %q:", ps), m)
 			}
 		}
 		// hard link pulse socket into target-executable share
 		psi := path.Join(seal.shareLocal, "pulse")
 		p := path.Join(seal.sys.runtime, "pulse", "native")
 		seal.sys.Link(ps, psi)
 		seal.sys.bwrap.Bind(psi, p)
 		seal.sys.bwrap.SetEnv[pulseServer] = "unix:" + p
 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(os); err != nil {
 			// not fatal
 			fmsg.Verbose(strings.TrimSpace(err.(*fmsg.BaseError).Message()))
 		} else {
 			innerDst := fst.Tmp + "/pulse-cookie"
 			seal.sys.bwrap.SetEnv[pulseCookie] = innerDst
 			payload := new([]byte)
 			seal.sys.bwrap.CopyBindRef(innerDst, &payload)
 			seal.sys.CopyFile(payload, src, 256, 256)
 		}
 	}
 	/*
 		D-Bus proxy
 	*/
 	if seal.et.Has(system.EDBus) {
 		// ensure dbus session bus defaults
 		if bus[0] == nil {
 			bus[0] = dbus.NewConfig(seal.fid, true, true)
 		}
 		// downstream socket paths
 		sessionPath, systemPath := path.Join(seal.share, "bus"), path.Join(seal.share, "system_bus_socket")
 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(bus[0], bus[1], sessionPath, systemPath); err != nil {
 			return err
 		} else {
 			seal.dbusMsg = f
 		}
 		// share proxy sockets
 		sessionInner := path.Join(seal.sys.runtime, "bus")
 		seal.sys.bwrap.SetEnv[dbusSessionBusAddress] = "unix:path=" + sessionInner
 		seal.sys.bwrap.Bind(sessionPath, sessionInner)
 		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
 		if bus[1] != nil {
 			systemInner := "/run/dbus/system_bus_socket"
 			seal.sys.bwrap.SetEnv[dbusSystemBusAddress] = "unix:path=" + systemInner
 			seal.sys.bwrap.Bind(systemPath, systemInner)
 			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
 		}
 	}
 	/*
 		Miscellaneous
 	*/
 	// queue overriding tmpfs at the end of seal.sys.bwrap.Filesystem
 	for _, dest := range seal.sys.override {
 		seal.sys.bwrap.Tmpfs(dest, 8*1024)
 	}
 	// mount fortify in sandbox for init
 	seal.sys.bwrap.Bind(os.MustExecutable(), path.Join(fst.Tmp, "sbin/fortify"))
 	seal.sys.bwrap.Symlink("fortify", path.Join(fst.Tmp, "sbin/init"))
 	// append extra perms
 	for _, p := range seal.extraPerms {
 		if p == nil {
 			continue
 		}
 		if p.ensure {
 			seal.sys.Ensure(p.name, 0700)
 		}
 		seal.sys.UpdatePermType(system.User, p.name, p.perms...)
 	}
 	return nil
 }
 // discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
 func discoverPulseCookie(os linux.System) (string, error) {
 	if p, ok := os.LookupEnv(pulseCookie); ok {
 		return p, nil
 	}
 	// dotfile $HOME/.pulse-cookie
 	if p, ok := os.LookupEnv(home); ok {
 		p = path.Join(p, ".pulse-cookie")
 		if s, err := os.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	// $XDG_CONFIG_HOME/pulse/cookie
 	if p, ok := os.LookupEnv(xdgConfigHome); ok {
 		p = path.Join(p, "pulse", "cookie")
 		if s, err := os.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, fmsg.WrapErrorSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	return "", fmsg.WrapError(ErrPulseCookie,
 		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
 			pulseCookie, xdgConfigHome, home))
 }
--- a/internal/app/shim.go
+++ b/internal/app/shim.go
@ -0,0 +1,212 @@
 package app
 import (
 	"context"
 	"encoding/gob"
 	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/sandbox"
 )
 const shimEnv = "FORTIFY_SHIM"
 type shimParams struct {
 	// finalised container params
 	Container *sandbox.Params
 	// path to outer home directory
 	Home string
 	// verbosity pass through
 	Verbose bool
 }
 // ShimMain is the main function of the shim process and runs as the unconstrained target user.
 func ShimMain() {
 	fmsg.Prepare("shim")
 	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 	var (
 		params     shimParams
 		closeSetup func() error
 	)
 	if f, err := sandbox.Receive(shimEnv, &params, nil); err != nil {
 		if errors.Is(err, sandbox.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
 		if errors.Is(err, sandbox.ErrNotSet) {
 			log.Fatal("FORTIFY_SHIM not set")
 		}
 		log.Fatalf("cannot receive shim setup params: %v", err)
 	} else {
 		internal.InstallFmsg(params.Verbose)
 		closeSetup = f
 	}
 	if params.Container == nil || params.Container.Ops == nil {
 		log.Fatal("invalid container params")
 	}
 	// close setup socket
 	if err := closeSetup(); err != nil {
 		log.Printf("cannot close setup pipe: %v", err)
 		// not fatal
 	}
 	// ensure home directory as target user
 	if s, err := os.Stat(params.Home); err != nil {
 		if os.IsNotExist(err) {
 			if err = os.Mkdir(params.Home, 0700); err != nil {
 				log.Fatalf("cannot create home directory: %v", err)
 			}
 		} else {
 			log.Fatalf("cannot access home directory: %v", err)
 		}
 		// home directory is created, proceed
 	} else if !s.IsDir() {
 		log.Fatalf("path %q is not a directory", params.Home)
 	}
 	var name string
 	if len(params.Container.Args) > 0 {
 		name = params.Container.Args[0]
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop() // unreachable
 	container := sandbox.New(ctx, name)
 	container.Params = *params.Container
 	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
 	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
 	container.WaitDelay = 2 * time.Second
 	if err := container.Start(); err != nil {
 		fmsg.PrintBaseError(err, "cannot start container:")
 		os.Exit(1)
 	}
 	if err := container.Serve(); err != nil {
 		fmsg.PrintBaseError(err, "cannot configure container:")
 	}
 	if err := container.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if !errors.As(err, &exitError) {
 			if errors.Is(err, context.Canceled) {
 				os.Exit(2)
 			}
 			log.Printf("wait: %v", err)
 			os.Exit(127)
 		}
 		os.Exit(exitError.ExitCode())
 	}
 }
 type shimProcess struct {
 	// user switcher process
 	cmd *exec.Cmd
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
 	// monitor to shim encoder
 	encoder *gob.Encoder
 }
 func (s *shimProcess) Unwrap() *exec.Cmd    { return s.cmd }
 func (s *shimProcess) Fallback() chan error { return s.killFallback }
 func (s *shimProcess) String() string {
 	if s.cmd == nil {
 		return "(unused shim manager)"
 	}
 	return s.cmd.String()
 }
 func (s *shimProcess) Start(
 	aid string,
 	supp []string,
 ) (*time.Time, error) {
 	// prepare user switcher invocation
 	fsuPath := internal.MustFsuPath()
 	s.cmd = exec.Command(fsuPath)
 	// pass shim setup pipe
 	if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil {
 		return nil, fmsg.WrapErrorSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {
 		s.encoder = e
 		s.cmd.Env = []string{
 			shimEnv + "=" + strconv.Itoa(fd),
 			"FORTIFY_APP_ID=" + aid,
 		}
 	}
 	// format fsu supplementary groups
 	if len(supp) > 0 {
 		fmsg.Verbosef("attaching supplementary group ids %s", supp)
 		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(supp, " "))
 	}
 	s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	s.cmd.Dir = "/"
 	fmsg.Verbose("starting shim via fsu:", s.cmd)
 	// withhold messages to stderr
 	fmsg.Suspend()
 	if err := s.cmd.Start(); err != nil {
 		return nil, fmsg.WrapErrorSuffix(err,
 			"cannot start fsu:")
 	}
 	startTime := time.Now().UTC()
 	return &startTime, nil
 }
 func (s *shimProcess) Serve(ctx context.Context, params *shimParams) error {
 	// kill shim if something goes wrong and an error is returned
 	s.killFallback = make(chan error, 1)
 	killShim := func() {
 		if err := s.cmd.Process.Signal(os.Interrupt); err != nil {
 			s.killFallback <- err
 		}
 	}
 	defer func() { killShim() }()
 	encodeErr := make(chan error)
 	go func() { encodeErr <- s.encoder.Encode(params) }()
 	select {
 	// encode return indicates setup completion
 	case err := <-encodeErr:
 		if err != nil {
 			return fmsg.WrapErrorSuffix(err,
 				"cannot transmit shim config:")
 		}
 		killShim = func() {}
 		return nil
 	// setup canceled before payload was accepted
 	case <-ctx.Done():
 		err := ctx.Err()
 		if errors.Is(err, context.Canceled) {
 			return fmsg.WrapError(syscall.ECANCELED,
 				"shim setup canceled")
 		}
 		if errors.Is(err, context.DeadlineExceeded) {
 			return fmsg.WrapError(syscall.ETIMEDOUT,
 				"deadline exceeded waiting for shim")
 		}
 		// unreachable
 		return err
 	}
 }
--- a/internal/app/shim/main.go
+++ b/internal/app/shim/main.go
@ -1,153 +0,0 @@
 package shim
 import (
 	"context"
 	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
 	"path"
 	"strconv"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/helper/seccomp"
 	"git.gensokyo.uk/security/fortify/internal"
 	init0 "git.gensokyo.uk/security/fortify/internal/app/init"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 // everything beyond this point runs as unconstrained target user
 // proceed with caution!
 func Main() {
 	// sharing stdout with fortify
 	// USE WITH CAUTION
 	fmsg.Prepare("shim")
 	// setting this prevents ptrace
 	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 	// receive setup payload
 	var (
 		payload    Payload
 		closeSetup func() error
 	)
 	if f, err := proc.Receive(Env, &payload); err != nil {
 		if errors.Is(err, proc.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
 		if errors.Is(err, proc.ErrNotSet) {
 			log.Fatal("FORTIFY_SHIM not set")
 		}
 		log.Fatalf("cannot decode shim setup payload: %v", err)
 	} else {
 		fmsg.Store(payload.Verbose)
 		closeSetup = f
 	}
 	if payload.Bwrap == nil {
 		log.Fatal("bwrap config not supplied")
 	}
 	// restore bwrap sync fd
 	var syncFd *os.File
 	if payload.Sync != nil {
 		syncFd = os.NewFile(*payload.Sync, "sync")
 	}
 	// close setup socket
 	if err := closeSetup(); err != nil {
 		log.Println("cannot close setup pipe:", err)
 		// not fatal
 	}
 	// ensure home directory as target user
 	if s, err := os.Stat(payload.Home); err != nil {
 		if os.IsNotExist(err) {
 			if err = os.Mkdir(payload.Home, 0700); err != nil {
 				log.Fatalf("cannot create home directory: %v", err)
 			}
 		} else {
 			log.Fatalf("cannot access home directory: %v", err)
 		}
 		// home directory is created, proceed
 	} else if !s.IsDir() {
 		log.Fatalf("data path %q is not a directory", payload.Home)
 	}
 	var ic init0.Payload
 	// resolve argv0
 	ic.Argv = payload.Argv
 	if len(ic.Argv) > 0 {
 		// looked up from $PATH by parent
 		ic.Argv0 = payload.Exec[1]
 	} else {
 		// no argv, look up shell instead
 		var ok bool
 		if payload.Bwrap.SetEnv == nil {
 			log.Fatal("no command was specified and environment is unset")
 		}
 		if ic.Argv0, ok = payload.Bwrap.SetEnv["SHELL"]; !ok {
 			log.Fatal("no command was specified and $SHELL was unset")
 		}
 		ic.Argv = []string{ic.Argv0}
 	}
 	conf := payload.Bwrap
 	var extraFiles []*os.File
 	// serve setup payload
 	if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
 		log.Fatalf("cannot pipe: %v", err)
 	} else {
 		conf.SetEnv[init0.Env] = strconv.Itoa(fd)
 		go func() {
 			fmsg.Verbose("transmitting config to init")
 			if err = encoder.Encode(&ic); err != nil {
 				log.Fatalf("cannot transmit init config: %v", err)
 			}
 		}()
 	}
 	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
 	if fmsg.Load() {
 		seccomp.CPrintln = log.Println
 	}
 	if b, err := helper.NewBwrap(
 		conf, path.Join(fst.Tmp, "sbin/init"),
 		nil, func(int, int) []string { return make([]string, 0) },
 		extraFiles,
 		syncFd,
 	); err != nil {
 		log.Fatalf("malformed sandbox config: %v", err)
 	} else {
 		b.Stdin(os.Stdin).Stdout(os.Stdout).Stderr(os.Stderr)
 		ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 		defer stop() // unreachable
 		// run and pass through exit code
 		if err = b.Start(ctx, false); err != nil {
 			log.Fatalf("cannot start target process: %v", err)
 		} else if err = b.Wait(); err != nil {
 			var exitError *exec.ExitError
 			if !errors.As(err, &exitError) {
 				log.Printf("wait: %v", err)
 				internal.Exit(127)
 				panic("unreachable")
 			}
 			internal.Exit(exitError.ExitCode())
 			panic("unreachable")
 		}
 	}
 }
--- a/internal/app/shim/manager.go
+++ b/internal/app/shim/manager.go
@ -1,139 +0,0 @@
 package shim
 import (
 	"context"
 	"encoding/gob"
 	"errors"
 	"os"
 	"os/exec"
 	"strconv"
 	"strings"
 	"time"
 	"git.gensokyo.uk/security/fortify/helper/proc"
 	"git.gensokyo.uk/security/fortify/internal"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )
 // used by the parent process
 type Shim struct {
 	// user switcher process
 	cmd *exec.Cmd
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
 	// monitor to shim encoder
 	encoder *gob.Encoder
 	// bwrap --sync-fd value
 	sync *uintptr
 }
 func (s *Shim) String() string {
 	if s.cmd == nil {
 		return "(unused shim manager)"
 	}
 	return s.cmd.String()
 }
 func (s *Shim) Unwrap() *exec.Cmd {
 	return s.cmd
 }
 func (s *Shim) WaitFallback() chan error {
 	return s.killFallback
 }
 func (s *Shim) Start(
 	// string representation of application id
 	aid string,
 	// string representation of supplementary group ids
 	supp []string,
 	// bwrap --sync-fd
 	syncFd *os.File,
 ) (*time.Time, error) {
 	// prepare user switcher invocation
 	var fsu string
 	if p, ok := internal.Path(internal.Fsu); !ok {
 		return nil, fmsg.WrapError(errors.New("bad fsu path"),
 			"invalid fsu path, this copy of fortify is not compiled correctly")
 	} else {
 		fsu = p
 	}
 	s.cmd = exec.Command(fsu)
 	// pass shim setup pipe
 	if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
 		return nil, fmsg.WrapErrorSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {
 		s.encoder = e
 		s.cmd.Env = []string{
 			Env + "=" + strconv.Itoa(fd),
 			"FORTIFY_APP_ID=" + aid,
 		}
 	}
 	// format fsu supplementary groups
 	if len(supp) > 0 {
 		fmsg.Verbosef("attaching supplementary group ids %s", supp)
 		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(supp, " "))
 	}
 	s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	s.cmd.Dir = "/"
 	// pass sync fd if set
 	if syncFd != nil {
 		fd := proc.ExtraFile(s.cmd, syncFd)
 		s.sync = &fd
 	}
 	fmsg.Verbose("starting shim via fsu:", s.cmd)
 	// withhold messages to stderr
 	fmsg.Suspend()
 	if err := s.cmd.Start(); err != nil {
 		return nil, fmsg.WrapErrorSuffix(err,
 			"cannot start fsu:")
 	}
 	startTime := time.Now().UTC()
 	return &startTime, nil
 }
 func (s *Shim) Serve(ctx context.Context, payload *Payload) error {
 	// kill shim if something goes wrong and an error is returned
 	s.killFallback = make(chan error, 1)
 	killShim := func() {
 		if err := s.cmd.Process.Signal(os.Interrupt); err != nil {
 			s.killFallback <- err
 		}
 	}
 	defer func() { killShim() }()
 	payload.Sync = s.sync
 	encodeErr := make(chan error)
 	go func() { encodeErr <- s.encoder.Encode(payload) }()
 	select {
 	// encode return indicates setup completion
 	case err := <-encodeErr:
 		if err != nil {
 			return fmsg.WrapErrorSuffix(err,
 				"cannot transmit shim config:")
 		}
 		killShim = func() {}
 		return nil
 	// setup canceled before payload was accepted
 	case <-ctx.Done():
 		err := ctx.Err()
 		if errors.Is(err, context.Canceled) {
 			return fmsg.WrapError(errors.New("shim setup canceled"),
 				"shim setup canceled")
 		}
 		if errors.Is(err, context.DeadlineExceeded) {
 			return fmsg.WrapError(errors.New("deadline exceeded waiting for shim"),
 				"deadline exceeded waiting for shim")
 		}
 		// unreachable
 		return err
 	}
 }
--- a/internal/app/shim/payload.go
+++ b/internal/app/shim/payload.go
@ -1,23 +0,0 @@
 package shim
 import (
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )
 const Env = "FORTIFY_SHIM"
 type Payload struct {
 	// child full argv
 	Argv []string
 	// bwrap, target full exec path
 	Exec [2]string
 	// bwrap config
 	Bwrap *bwrap.Config
 	// path to outer home directory
 	Home string
 	// sync fd
 	Sync *uintptr
 	// verbosity pass through
 	Verbose bool
 }
--- a/internal/app/start.go
+++ b/internal/app/start.go
@ -1,267 +0,0 @@
 package app
 import (
 	"context"
 	"errors"
 	"fmt"
 	"log"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"
 	"git.gensokyo.uk/security/fortify/helper"
 	"git.gensokyo.uk/security/fortify/internal/app/shim"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/internal/state"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 const shimSetupTimeout = 5 * time.Second
 func (a *app) Run(ctx context.Context, rs *RunState) error {
 	a.lock.Lock()
 	defer a.lock.Unlock()
 	if rs == nil {
 		panic("attempted to pass nil state to run")
 	}
 	// resolve exec paths
 	shimExec := [2]string{helper.BubblewrapName}
 	if len(a.seal.command) > 0 {
 		shimExec[1] = a.seal.command[0]
 	}
 	for i, n := range shimExec {
 		if len(n) == 0 {
 			continue
 		}
 		if filepath.Base(n) == n {
 			if s, err := exec.LookPath(n); err == nil {
 				shimExec[i] = s
 			} else {
 				return fmsg.WrapError(err,
 					fmt.Sprintf("executable file %q not found in $PATH", n))
 			}
 		}
 	}
 	// startup will go ahead, commit system setup
 	if err := a.seal.sys.Commit(ctx); err != nil {
 		return err
 	}
 	a.seal.sys.needRevert = true
 	// start shim via manager
 	a.shim = new(shim.Shim)
 	waitErr := make(chan error, 1)
 	if startTime, err := a.shim.Start(
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
 		a.seal.sys.Sync(),
 	); err != nil {
 		return err
 	} else {
 		// shim process created
 		rs.Start = true
 		shimSetupCtx, shimSetupCancel := context.WithDeadline(ctx, time.Now().Add(shimSetupTimeout))
 		defer shimSetupCancel()
 		// start waiting for shim
 		go func() {
 			waitErr <- a.shim.Unwrap().Wait()
 			// cancel shim setup in case shim died before receiving payload
 			shimSetupCancel()
 		}()
 		// send payload
 		if err = a.shim.Serve(shimSetupCtx, &shim.Payload{
 			Argv:  a.seal.command,
 			Exec:  shimExec,
 			Bwrap: a.seal.sys.bwrap,
 			Home:  a.seal.sys.user.data,
 			Verbose: fmsg.Load(),
 		}); err != nil {
 			return err
 		}
 		// shim accepted setup payload, create process state
 		sd := state.State{
 			ID:   *a.id,
 			PID:  a.shim.Unwrap().Process.Pid,
 			Time: *startTime,
 		}
 		// register process state
 		var err0 = new(StateStoreError)
 		err0.Inner, err0.DoErr = a.seal.store.Do(a.seal.sys.user.aid, func(c state.Cursor) {
 			err0.InnerErr = c.Save(&sd, a.seal.ct)
 		})
 		a.seal.sys.saveState = true
 		if err = err0.equiv("cannot save process state:"); err != nil {
 			return err
 		}
 	}
 	select {
 	// wait for process and resolve exit code
 	case err := <-waitErr:
 		if err != nil {
 			var exitError *exec.ExitError
 			if !errors.As(err, &exitError) {
 				// should be unreachable
 				rs.WaitErr = err
 			}
 			// store non-zero return code
 			rs.ExitCode = exitError.ExitCode()
 		} else {
 			rs.ExitCode = a.shim.Unwrap().ProcessState.ExitCode()
 		}
 		if fmsg.Load() {
 			fmsg.Verbosef("process %d exited with exit code %d", a.shim.Unwrap().Process.Pid, rs.ExitCode)
 		}
 	// this is reached when a fault makes an already running shim impossible to continue execution
 	// however a kill signal could not be delivered (should actually always happen like that since fsu)
 	// the effects of this is similar to the alternative exit path and ensures shim death
 	case err := <-a.shim.WaitFallback():
 		rs.ExitCode = 255
 		log.Printf("cannot terminate shim on faulted setup: %v", err)
 	// alternative exit path relying on shim behaviour on monitor process exit
 	case <-ctx.Done():
 		fmsg.Verbose("alternative exit path selected")
 	}
 	// child process exited, resume output
 	fmsg.Resume()
 	// print queued up dbus messages
 	if a.seal.dbusMsg != nil {
 		a.seal.dbusMsg()
 	}
 	// update store and revert app setup transaction
 	e := new(StateStoreError)
 	e.Inner, e.DoErr = a.seal.store.Do(a.seal.sys.user.aid, func(b state.Cursor) {
 		e.InnerErr = func() error {
 			// destroy defunct state entry
 			if cmd := a.shim.Unwrap(); cmd != nil && a.seal.sys.saveState {
 				if err := b.Destroy(*a.id); err != nil {
 					return err
 				}
 			}
 			// enablements of remaining launchers
 			rt, ec := new(system.Enablements), new(system.Criteria)
 			ec.Enablements = new(system.Enablements)
 			ec.Set(system.Process)
 			if states, err := b.Load(); err != nil {
 				return err
 			} else {
 				if l := len(states); l == 0 {
 					// cleanup globals as the final launcher
 					fmsg.Verbose("no other launchers active, will clean up globals")
 					ec.Set(system.User)
 				} else {
 					fmsg.Verbosef("found %d active launchers, cleaning up without globals", l)
 				}
 				// accumulate capabilities of other launchers
 				for i, s := range states {
 					if s.Config != nil {
 						*rt |= s.Config.Confinement.Enablements
 					} else {
 						log.Printf("state entry %d does not contain config", i)
 					}
 				}
 			}
 			// invert accumulated enablements for cleanup
 			for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
 				if !rt.Has(i) {
 					ec.Set(i)
 				}
 			}
 			if fmsg.Load() {
 				labels := make([]string, 0, system.ELen+1)
 				for i := system.Enablement(0); i < system.Enablement(system.ELen+2); i++ {
 					if ec.Has(i) {
 						labels = append(labels, system.TypeString(i))
 					}
 				}
 				if len(labels) > 0 {
 					fmsg.Verbose("reverting operations labelled", strings.Join(labels, ", "))
 				}
 			}
 			if a.seal.sys.needRevert {
 				if err := a.seal.sys.Revert(ec); err != nil {
 					return err.(RevertCompoundError)
 				}
 			}
 			return nil
 		}()
 	})
 	e.Err = a.seal.store.Close()
 	return e.equiv("error returned during cleanup:", e)
 }
 // StateStoreError is returned for a failed state save
 type StateStoreError struct {
 	// whether inner function was called
 	Inner bool
 	// error returned by state.Store Do method
 	DoErr error
 	// error returned by state.Backend Save method
 	InnerErr error
 	// any other errors needing to be tracked
 	Err error
 }
 func (e *StateStoreError) equiv(a ...any) error {
 	if e.Inner && e.DoErr == nil && e.InnerErr == nil && e.Err == nil {
 		return nil
 	} else {
 		return fmsg.WrapErrorSuffix(e, a...)
 	}
 }
 func (e *StateStoreError) Error() string {
 	if e.Inner && e.InnerErr != nil {
 		return e.InnerErr.Error()
 	}
 	if e.DoErr != nil {
 		return e.DoErr.Error()
 	}
 	if e.Err != nil {
 		return e.Err.Error()
 	}
 	return "(nil)"
 }
 func (e *StateStoreError) Unwrap() (errs []error) {
 	errs = make([]error, 0, 3)
 	if e.DoErr != nil {
 		errs = append(errs, e.DoErr)
 	}
 	if e.InnerErr != nil {
 		errs = append(errs, e.InnerErr)
 	}
 	if e.Err != nil {
 		errs = append(errs, e.Err)
 	}
 	return
 }
 type RevertCompoundError interface {
 	Error() string
 	Unwrap() []error
 }
--- a/internal/app/strings.go
+++ b/internal/app/strings.go
@ -0,0 +1,19 @@
 package app
 import (
 	"strconv"
 	"git.gensokyo.uk/security/fortify/fst"
 )
 func newInt(v int) *stringPair[int]        { return &stringPair[int]{v, strconv.Itoa(v)} }
 func newID(id *fst.ID) *stringPair[fst.ID] { return &stringPair[fst.ID]{*id, id.String()} }
 // stringPair stores a value and its string representation.
 type stringPair[T comparable] struct {
 	v T
 	s string
 }
 func (s *stringPair[T]) unwrap() T      { return s.v }
 func (s *stringPair[T]) String() string { return s.s }
--- a/internal/app/system.go
+++ b/internal/app/system.go
@ -1,51 +0,0 @@
 package app
 import (
 	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal/system"
 )
 // appSealSys encapsulates app seal behaviour with OS interactions
 type appSealSys struct {
 	bwrap *bwrap.Config
 	// paths to override by mounting tmpfs over them
 	override []string
 	// default formatted XDG_RUNTIME_DIR of User
 	runtime string
 	// target user sealed from config
 	user appUser
 	// mapped uid and gid in user namespace
 	mappedID int
 	// string representation of mappedID
 	mappedIDString string
 	needRevert bool
 	saveState  bool
 	*system.I
 	// protected by upstream mutex
 }
 type appUser struct {
 	// full uid resolved by fsu
 	uid int
 	// string representation of uid
 	us string
 	// supplementary group ids
 	supp []string
 	// application id
 	aid int
 	// string representation of aid
 	as string
 	// home directory host path
 	data string
 	// app user home directory
 	home string
 	// passwd database username
 	username string
 }
--- a/internal/comp.go
+++ b/internal/comp.go
@ -3,10 +3,15 @@ package internal
 const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
 var (
-	Version = compPoison
+	version = compPoison
 )
-// Check validates string value set at compile time.
+// check validates string value set at compile time.
-func Check(s string) (string, bool) {
+func check(s string) (string, bool) { return s, s != compPoison && s != "" }
-	return s, s != compPoison && s != ""
+
 func Version() string {
 	if v, ok := check(version); ok {
 		return v
 	}
 	return "impure"
 }
--- a/internal/fmsg/errors.go
+++ b/internal/fmsg/errors.go
@ -2,7 +2,9 @@ package fmsg
 import (
 	"fmt"
 	"log"
 	"reflect"
 	"strings"
 )
 // baseError implements a basic error container
@ -70,3 +72,17 @@ func AsBaseError(err error, target **BaseError) bool {
 	*target = v.Convert(baseErrorType).Interface().(*BaseError)
 	return true
 }
 func PrintBaseError(err error, fallback string) {
 	var e *BaseError
 	if AsBaseError(err, &e) {
 		if msg := e.Message(); strings.TrimSpace(msg) != "" {
 			log.Print(msg)
 			return
 		}
 		Verbose("*"+fallback, err)
 		return
 	}
 	log.Println(fallback, err)
 }
--- a/internal/fmsg/msg.go
+++ b/internal/fmsg/msg.go
@ -0,0 +1,12 @@
 package fmsg
 type Output struct{}
 func (Output) IsVerbose() bool                         { return Load() }
 func (Output) Verbose(v ...any)                        { Verbose(v...) }
 func (Output) Verbosef(format string, v ...any)        { Verbosef(format, v...) }
 func (Output) WrapErr(err error, a ...any) error       { return WrapError(err, a...) }
 func (Output) PrintBaseErr(err error, fallback string) { PrintBaseError(err, fallback) }
 func (Output) Suspend()                                { Suspend() }
 func (Output) Resume() bool                            { return Resume() }
 func (Output) BeforeExit()                             { BeforeExit() }
--- a/internal/output.go
+++ b/internal/output.go
@ -0,0 +1,17 @@
 package internal
 import (
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	"git.gensokyo.uk/security/fortify/sandbox"
 	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 	"git.gensokyo.uk/security/fortify/system"
 )
 func InstallFmsg(verbose bool) {
 	fmsg.Store(verbose)
 	sandbox.SetOutput(fmsg.Output{})
 	system.SetOutput(fmsg.Output{})
 	if verbose {
 		seccomp.SetOutput(fmsg.Verbose)
 	}
 }
--- a/internal/path.go
+++ b/internal/path.go
@ -1,11 +1,23 @@
 package internal
-import "path"
+import (
 	"log"
 	"path"
-var (
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 	Fsu = compPoison
 )
-func Path(p string) (string, bool) {
+var (
-	return p, p != compPoison && p != "" && path.IsAbs(p)
+	fsu = compPoison
 )
 func MustFsuPath() string {
 	if name, ok := checkPath(fsu); ok {
 		return name
 	}
 	fmsg.BeforeExit()
 	log.Fatal("invalid fsu path, this program is compiled incorrectly")
 	return compPoison
 }
 func checkPath(p string) (string, bool) { return p, p != compPoison && p != "" && path.IsAbs(p) }
--- a/internal/prctl.go
+++ b/internal/prctl.go
@ -1,20 +0,0 @@
 package internal
 import "syscall"
 func PR_SET_DUMPABLE__SUID_DUMP_DISABLE() error {
 	// linux/sched/coredump.h
 	if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_DUMPABLE, 0, 0); errno != 0 {
 		return errno
 	}
 	return nil
 }
 func PR_SET_PDEATHSIG__SIGKILL() error {
 	if _, _, errno := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGKILL), 0); errno != 0 {
 		return errno
 	}
 	return nil
 }
--- a/internal/state/multi.go
+++ b/internal/state/multi.go
@ -33,10 +33,10 @@ func (s *multiStore) Do(aid int, f func(c Cursor)) (bool, error) {
 	// load or initialise new backend
 	b := new(multiBackend)
 	b.lock.Lock()
 	if v, ok := s.backends.LoadOrStore(aid, b); ok {
 		b = v.(*multiBackend)
 	} else {
 		b.lock.Lock()
 		b.path = path.Join(s.base, strconv.Itoa(aid))
 		// ensure directory
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,3 @@`
							`#include <sys/acl.h>`

							`int f_acl_update_file_by_uid(const char path_p, uid_t uid, acl_perm_t perms, size_t plen);`
		`@ -1,2 +0,0 @@`
			`// Package fst exports shared fortify types.`
			`package fst`
`@ -1,3 +1,3 @@`
	`module git.gensokyo.uk/security/fortify`	`module git.gensokyo.uk/security/fortify`

	`go 1.22`	`go 1.23`