release: 0.2.5

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
migrate to git.gensokyo.uk/security/fortify
2024-12-20 00:28:48 +09:00 · 2024-12-20 00:20:02 +09:00 · 2024-12-19 21:36:17 +09:00 · 2024-12-19 18:19:47 +09:00 · 2024-12-19 11:48:48 +09:00 · 2024-12-19 11:14:31 +09:00
86 changed files with 1928 additions and 996 deletions
--- a/.gitea/workflows/nix.yml
+++ b/.gitea/workflows/nix.yml
@ -0,0 +1,46 @@
+name: Nix
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  tests:
+    name: NixOS tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          install_options: --daemon
+          extra_nix_config: |
+            sandbox = true
+            system-features = nixos-test benchmark big-parallel kvm
+          enable_kvm: true
+
+      - name: Ensure environment
+        run: >-
+          apt-get update && apt-get install -y sqlite3
+        if: ${{ runner.os == 'Linux' }}
+
+      - name: Restore Nix store
+        uses: nix-community/cache-nix-action@v5
+        with:
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-
+
+      - name: Run tests
+        run: |
+          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
+          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "result"
+          path: result/*
+          retention-days: 1
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@ -1,4 +1,4 @@
-name: release
+name: Create distribution

 on:
  push:
@ -7,6 +7,7 @@ on:

 jobs:
  release:
+    name: Release
    runs-on: ubuntu-latest
    container:
      image: node:16-bookworm-slim
@ -16,6 +17,7 @@ jobs:
          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
          apt-get update &&
          apt-get install -y
+          acl
          git
          gcc
          pkg-config
@ -39,21 +41,13 @@ jobs:
        run: >-
          go generate ./...

-      - name: Build for Linux
-        run: >-
-          go build -v -ldflags '-s -w
-          -X git.ophivana.moe/security/fortify/internal.Version=${{ github.ref_name }}
-          -X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
-          -X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-          -X main.Fmain=/usr/bin/fortify
-          -X main.Fshim=/usr/libexec/fortify/fshim'
-          -o bin/ ./... &&
-          (cd bin && sha512sum --tag -b * > sha512sums)
+      - name: Build for release
+        run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh

      - name: Release
        id: use-go-action
        uses: https://gitea.com/actions/release-action@main
        with:
          files: |-
-            bin/**
+            dist/fortify-**
          api_key: '${{secrets.RELEASE_TOKEN}}'
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -1,4 +1,4 @@
-name: test
+name: Tests

 on:
  - push
@ -6,22 +6,27 @@ on:

 jobs:
  test:
+    name: Go tests
    runs-on: ubuntu-latest
    container:
      image: node:16-bookworm-slim
    steps:
-      - name: Get dependencies
+      - name: Enable backports
        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
-          apt-get update &&
-          apt-get install -y
-          git
-          gcc
-          pkg-config
-          libwayland-dev
-          wayland-protocols/bookworm-backports
-          libxcb1-dev
-          libacl1-dev
+          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
+        if: ${{ runner.os == 'Linux' }}
+
+      - name: Ensure environment
+        run: >-
+          apt-get update && apt-get install -y curl wget sudo libxml2
+        if: ${{ runner.os == 'Linux' }}
+
+      - name: Get dependencies
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
+          version: 1.0
+          #execute_install_scripts: true
        if: ${{ runner.os == 'Linux' }}

      - name: Checkout
@ -42,13 +47,16 @@ jobs:
        run: >-
          go test ./...

-      - name: Build for Linux
+      - name: Build for test
+        id: build-test
        run: >-
-          go build -v -ldflags '-s -w
-          -X git.ophivana.moe/security/fortify/internal.Version=${{ github.ref_name }}
-          -X git.ophivana.moe/security/fortify/internal.Fsu=/usr/bin/fsu
-          -X git.ophivana.moe/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-          -X main.Fmain=/usr/bin/fortify
-          -X main.Fshim=/usr/libexec/fortify/fshim'
-          -o bin/ ./... &&
-          (cd bin && sha512sum --tag -b * > sha512sums)
+          FORTIFY_VERSION="$(git rev-parse --short HEAD)"
+          bash -c './dist/release.sh &&
+          echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
+
+      - name: Upload test build
+        uses: actions/upload-artifact@v3
+        with:
+          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          path: dist/fortify-*
+          retention-days: 1
--- a/.gitignore
+++ b/.gitignore
@ -26,3 +26,6 @@ go.work.sum

 # go generate
 security-context-v1-protocol.*
+
+# release
+/dist/fortify-*
--- a/README.md
+++ b/README.md
@ -1,8 +1,8 @@
 Fortify
 =======

-[![Go Reference](https://pkg.go.dev/badge/git.ophivana.moe/security/fortify.svg)](https://pkg.go.dev/git.ophivana.moe/security/fortify)
-[![Go Report Card](https://goreportcard.com/badge/git.ophivana.moe/security/fortify)](https://goreportcard.com/report/git.ophivana.moe/security/fortify)
+[![Go Reference](https://pkg.go.dev/badge/git.gensokyo.uk/security/fortify.svg)](https://pkg.go.dev/git.gensokyo.uk/security/fortify)
+[![Go Report Card](https://goreportcard.com/badge/git.gensokyo.uk/security/fortify)](https://goreportcard.com/report/git.gensokyo.uk/security/fortify)

 Lets you run graphical applications as another user in a confined environment with a nice NixOS
 module to configure target users and provide launchers and desktop files for your privileged user.
@ -18,7 +18,7 @@ Why would you want this?
 If you have a flakes-enabled nix environment, you can try out the tool by running:

 ```shell
-nix run git+https://git.ophivana.moe/security/fortify -- help
+nix run git+https://git.gensokyo.uk/security/fortify -- help
 ```

 ## Module usage
@ -35,7 +35,7 @@ To use the module, import it into your configuration with
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

    fortify = {
-      url = "git+https://git.ophivana.moe/security/fortify";
+      url = "git+https://git.gensokyo.uk/security/fortify";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
--- a/acl/acl.go
+++ b/acl/acl.go
@ -0,0 +1,19 @@
+// Package acl implements simple ACL manipulation via libacl.
+package acl
+
+type Perms []Perm
+
+func (ps Perms) String() string {
+	var s = []byte("---")
+	for _, p := range ps {
+		switch p {
+		case Read:
+			s[0] = 'r'
+		case Write:
+			s[1] = 'w'
+		case Execute:
+			s[2] = 'x'
+		}
+	}
+	return string(s)
+}
--- a/acl/acl_getfacl_test.go
+++ b/acl/acl_getfacl_test.go
@ -0,0 +1,156 @@
+package acl_test
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os/exec"
+	"strconv"
+)
+
+type (
+	getFAclInvocation struct {
+		cmd *exec.Cmd
+		val []*getFAclResp
+		pe  []error
+	}
+
+	getFAclResp struct {
+		typ  fAclType
+		cred int32
+		val  fAclPerm
+
+		raw []byte
+	}
+
+	fAclPerm uintptr
+	fAclType uint8
+)
+
+const fAclBufSize = 16
+
+const (
+	fAclPermRead fAclPerm = 1 << iota
+	fAclPermWrite
+	fAclPermExecute
+)
+
+const (
+	fAclTypeUser fAclType = iota
+	fAclTypeGroup
+	fAclTypeMask
+	fAclTypeOther
+)
+
+func (c *getFAclInvocation) run(name string) error {
+	if c.cmd != nil {
+		panic("attempted to run twice")
+	}
+
+	c.cmd = exec.Command("getfacl", "--omit-header", "--absolute-names", "--numeric", name)
+
+	scanErr := make(chan error, 1)
+	if p, err := c.cmd.StdoutPipe(); err != nil {
+		return err
+	} else {
+		go c.parse(p, scanErr)
+	}
+
+	if err := c.cmd.Start(); err != nil {
+		return err
+	}
+
+	return errors.Join(<-scanErr, c.cmd.Wait())
+}
+
+func (c *getFAclInvocation) parse(pipe io.Reader, scanErr chan error) {
+	c.val = make([]*getFAclResp, 0, 4+fAclBufSize)
+
+	s := bufio.NewScanner(pipe)
+	for s.Scan() {
+		fields := bytes.SplitN(s.Bytes(), []byte{':'}, 3)
+		if len(fields) != 3 {
+			continue
+		}
+
+		resp := getFAclResp{}
+
+		switch string(fields[0]) {
+		case "user":
+			resp.typ = fAclTypeUser
+		case "group":
+			resp.typ = fAclTypeGroup
+		case "mask":
+			resp.typ = fAclTypeMask
+		case "other":
+			resp.typ = fAclTypeOther
+		default:
+			c.pe = append(c.pe, fmt.Errorf("unknown type %s", string(fields[0])))
+			continue
+		}
+
+		if len(fields[1]) == 0 {
+			resp.cred = -1
+		} else {
+			if cred, err := strconv.Atoi(string(fields[1])); err != nil {
+				c.pe = append(c.pe, err)
+				continue
+			} else {
+				resp.cred = int32(cred)
+				if resp.cred < 0 {
+					c.pe = append(c.pe, fmt.Errorf("credential %d out of range", resp.cred))
+					continue
+				}
+			}
+		}
+
+		if len(fields[2]) != 3 {
+			c.pe = append(c.pe, fmt.Errorf("invalid perm length %d", len(fields[2])))
+			continue
+		} else {
+			switch fields[2][0] {
+			case 'r':
+				resp.val |= fAclPermRead
+			case '-':
+			default:
+				c.pe = append(c.pe, fmt.Errorf("invalid perm %v", fields[2][0]))
+				continue
+			}
+			switch fields[2][1] {
+			case 'w':
+				resp.val |= fAclPermWrite
+			case '-':
+			default:
+				c.pe = append(c.pe, fmt.Errorf("invalid perm %v", fields[2][1]))
+				continue
+			}
+			switch fields[2][2] {
+			case 'x':
+				resp.val |= fAclPermExecute
+			case '-':
+			default:
+				c.pe = append(c.pe, fmt.Errorf("invalid perm %v", fields[2][2]))
+				continue
+			}
+		}
+
+		resp.raw = make([]byte, len(s.Bytes()))
+		copy(resp.raw, s.Bytes())
+		c.val = append(c.val, &resp)
+	}
+	scanErr <- s.Err()
+}
+
+func (r *getFAclResp) String() string {
+	if r.raw != nil && len(r.raw) > 0 {
+		return string(r.raw)
+	}
+
+	return "(user-initialised resp value)"
+}
+
+func (r *getFAclResp) equals(typ fAclType, cred int32, val fAclPerm) bool {
+	return r.typ == typ && r.cred == cred && r.val == val
+}
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@ -0,0 +1,125 @@
+package acl_test
+
+import (
+	"errors"
+	"os"
+	"path"
+	"reflect"
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/acl"
+)
+
+const testFileName = "acl.test"
+
+var (
+	uid  = os.Geteuid()
+	cred = int32(os.Geteuid())
+)
+
+func TestUpdatePerm(t *testing.T) {
+	if os.Getenv("GO_TEST_SKIP_ACL") == "1" {
+		t.Log("acl test skipped")
+		t.SkipNow()
+	}
+
+	testFilePath := path.Join(t.TempDir(), testFileName)
+
+	if f, err := os.Create(testFilePath); err != nil {
+		t.Fatalf("Create: error = %v", err)
+	} else {
+		if err = f.Close(); err != nil {
+			t.Fatalf("Close: error = %v", err)
+		}
+	}
+	defer func() {
+		if err := os.Remove(testFilePath); err != nil {
+			t.Fatalf("Remove: error = %v", err)
+		}
+	}()
+
+	cur := getfacl(t, testFilePath)
+
+	t.Run("default entry count", func(t *testing.T) {
+		if len(cur) != 3 {
+			t.Fatalf("unexpected test file acl length %d", len(cur))
+		}
+	})
+
+	t.Run("default clear mask", func(t *testing.T) {
+		if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+			t.Fatalf("UpdatePerm: error = %v", err)
+		}
+		if cur = getfacl(t, testFilePath); len(cur) != 4 {
+			t.Fatalf("UpdatePerm: %v", cur)
+		}
+	})
+
+	t.Run("default clear consistency", func(t *testing.T) {
+		if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+			t.Fatalf("UpdatePerm: error = %v", err)
+		}
+		if val := getfacl(t, testFilePath); !reflect.DeepEqual(val, cur) {
+			t.Fatalf("UpdatePerm: %v, want %v", val, cur)
+		}
+	})
+
+	testUpdate(t, testFilePath, "r--", cur, fAclPermRead, acl.Read)
+	testUpdate(t, testFilePath, "-w-", cur, fAclPermWrite, acl.Write)
+	testUpdate(t, testFilePath, "--x", cur, fAclPermExecute, acl.Execute)
+	testUpdate(t, testFilePath, "-wx", cur, fAclPermWrite|fAclPermExecute, acl.Write, acl.Execute)
+	testUpdate(t, testFilePath, "r-x", cur, fAclPermRead|fAclPermExecute, acl.Read, acl.Execute)
+	testUpdate(t, testFilePath, "rw-", cur, fAclPermRead|fAclPermWrite, acl.Read, acl.Write)
+	testUpdate(t, testFilePath, "rwx", cur, fAclPermRead|fAclPermWrite|fAclPermExecute, acl.Read, acl.Write, acl.Execute)
+}
+
+func testUpdate(t *testing.T, testFilePath, name string, cur []*getFAclResp, val fAclPerm, perms ...acl.Perm) {
+	t.Run(name, func(t *testing.T) {
+		t.Cleanup(func() {
+			if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+				t.Fatalf("UpdatePerm: error = %v", err)
+			}
+			if v := getfacl(t, testFilePath); !reflect.DeepEqual(v, cur) {
+				t.Fatalf("UpdatePerm: %v, want %v", v, cur)
+			}
+		})
+
+		if err := acl.UpdatePerm(testFilePath, uid, perms...); err != nil {
+			t.Fatalf("UpdatePerm: error = %v", err)
+		}
+		r := respByCred(getfacl(t, testFilePath), fAclTypeUser, cred)
+		if r == nil {
+			t.Fatalf("UpdatePerm did not add an ACL entry")
+		}
+		if !r.equals(fAclTypeUser, cred, val) {
+			t.Fatalf("UpdatePerm(%s) = %s", name, r)
+		}
+	})
+}
+
+func getfacl(t *testing.T, name string) []*getFAclResp {
+	c := new(getFAclInvocation)
+	if err := c.run(name); err != nil {
+		t.Fatalf("getfacl: error = %v", err)
+	}
+	if len(c.pe) != 0 {
+		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...).Error())
+	}
+	return c.val
+}
+
+func respByCred(v []*getFAclResp, typ fAclType, cred int32) *getFAclResp {
+	j := -1
+	for i, r := range v {
+		if r.typ == typ && r.cred == cred {
+			if j != -1 {
+				panic("invalid acl")
+			}
+			j = i
+		}
+	}
+	if j == -1 {
+		return nil
+	}
+	return v[j]
+}
--- a/acl/c.go
+++ b/acl/c.go
@ -1,50 +1,95 @@
 package acl

+import "C"
 import (
 	"errors"
-	"fmt"
+	"runtime"
 	"syscall"
 	"unsafe"
 )

-//#include <stdlib.h>
-//#include <sys/acl.h>
-//#include <acl/libacl.h>
-//#cgo linux LDFLAGS: -lacl
-import "C"
+/*
+#cgo linux pkg-config: libacl

-type acl struct {
-	val   C.acl_t
-	freed bool
+#include <stdlib.h>
+#include <sys/acl.h>
+#include <acl/libacl.h>
+
+static acl_t _go_acl_get_file(const char *path_p, acl_type_t type) {
+	acl_t acl = acl_get_file(path_p, type);
+	free((void *)path_p);
+	return acl;
 }

-func aclGetFile(path string, t C.acl_type_t) (*acl, error) {
-	p := C.CString(path)
-	a, err := C.acl_get_file(p, t)
-	C.free(unsafe.Pointer(p))
+static int _go_acl_set_file(const char *path_p, acl_type_t type, acl_t acl) {
+	if (acl_valid(acl) != 0) {
+		return -1;
+	}

+	int ret = acl_set_file(path_p, type, acl);
+	free((void *)path_p);
+	return ret;
+}
+*/
+import "C"
+
+func getFile(name string, t C.acl_type_t) (*ACL, error) {
+	a, err := C._go_acl_get_file(C.CString(name), t)
 	if errors.Is(err, syscall.ENODATA) {
 		err = nil
 	}
-	return &acl{val: a, freed: false}, err
+
+	return newACL(a), err
 }

-func (a *acl) setFile(path string, t C.acl_type_t) error {
-	if C.acl_valid(a.val) != 0 {
-		return fmt.Errorf("invalid acl")
-	}
-
-	p := C.CString(path)
-	_, err := C.acl_set_file(p, t, a.val)
-	C.free(unsafe.Pointer(p))
+func (acl *ACL) setFile(name string, t C.acl_type_t) error {
+	_, err := C._go_acl_set_file(C.CString(name), t, acl.acl)
 	return err
 }

-func (a *acl) removeEntry(tt C.acl_tag_t, tq int) error {
+func newACL(a C.acl_t) *ACL {
+	acl := &ACL{a}
+	runtime.SetFinalizer(acl, (*ACL).free)
+	return acl
+}
+
+type ACL struct {
+	acl C.acl_t
+}
+
+func (acl *ACL) free() {
+	C.acl_free(unsafe.Pointer(acl.acl))
+
+	// no need for a finalizer anymore
+	runtime.SetFinalizer(acl, nil)
+}
+
+const (
+	Read    = C.ACL_READ
+	Write   = C.ACL_WRITE
+	Execute = C.ACL_EXECUTE
+
+	TypeDefault = C.ACL_TYPE_DEFAULT
+	TypeAccess  = C.ACL_TYPE_ACCESS
+
+	UndefinedTag = C.ACL_UNDEFINED_TAG
+	UserObj      = C.ACL_USER_OBJ
+	User         = C.ACL_USER
+	GroupObj     = C.ACL_GROUP_OBJ
+	Group        = C.ACL_GROUP
+	Mask         = C.ACL_MASK
+	Other        = C.ACL_OTHER
+)
+
+type (
+	Perm C.acl_perm_t
+)
+
+func (acl *ACL) removeEntry(tt C.acl_tag_t, tq int) error {
 	var e C.acl_entry_t

 	// get first entry
-	if r, err := C.acl_get_entry(a.val, C.ACL_FIRST_ENTRY, &e); err != nil {
+	if r, err := C.acl_get_entry(acl.acl, C.ACL_FIRST_ENTRY, &e); err != nil {
 		return err
 	} else if r == 0 {
 		// return on acl with no entries
@ -52,7 +97,7 @@ func (a *acl) removeEntry(tt C.acl_tag_t, tq int) error {
 	}

 	for {
-		if r, err := C.acl_get_entry(a.val, C.ACL_NEXT_ENTRY, &e); err != nil {
+		if r, err := C.acl_get_entry(acl.acl, C.ACL_NEXT_ENTRY, &e); err != nil {
 			return err
 		} else if r == 0 {
 			// return on drained acl
@ -84,16 +129,68 @@ func (a *acl) removeEntry(tt C.acl_tag_t, tq int) error {

 		// delete on match
 		if t == tt && q == tq {
-			_, err := C.acl_delete_entry(a.val, e)
+			_, err := C.acl_delete_entry(acl.acl, e)
 			return err
 		}
 	}
 }

-func (a *acl) free() {
-	if a.freed {
-		panic("acl already freed")
+func UpdatePerm(name string, uid int, perms ...Perm) error {
+	// read acl from file
+	a, err := getFile(name, TypeAccess)
+	if err != nil {
+		return err
 	}
-	C.acl_free(unsafe.Pointer(a.val))
-	a.freed = true
+	// free acl on return if get is successful
+	defer a.free()
+
+	// remove existing entry
+	if err = a.removeEntry(User, uid); err != nil {
+		return err
+	}
+
+	// create new entry if perms are passed
+	if len(perms) > 0 {
+		// create new acl entry
+		var e C.acl_entry_t
+		if _, err = C.acl_create_entry(&a.acl, &e); err != nil {
+			return err
+		}
+
+		// get perm set of new entry
+		var p C.acl_permset_t
+		if _, err = C.acl_get_permset(e, &p); err != nil {
+			return err
+		}
+
+		// add target perms
+		for _, perm := range perms {
+			if _, err = C.acl_add_perm(p, C.acl_perm_t(perm)); err != nil {
+				return err
+			}
+		}
+
+		// set perm set to new entry
+		if _, err = C.acl_set_permset(e, p); err != nil {
+			return err
+		}
+
+		// set user tag to new entry
+		if _, err = C.acl_set_tag_type(e, User); err != nil {
+			return err
+		}
+
+		// set qualifier (uid) to new entry
+		if _, err = C.acl_set_qualifier(e, unsafe.Pointer(&uid)); err != nil {
+			return err
+		}
+	}
+
+	// calculate mask after update
+	if _, err = C.acl_calc_mask(&a.acl); err != nil {
+		return err
+	}
+
+	// write acl to file
+	return a.setFile(name, TypeAccess)
 }
--- a/acl/export.go
+++ b/acl/export.go
@ -1,107 +0,0 @@
-// Package acl implements simple ACL manipulation via libacl.
-package acl
-
-import "unsafe"
-
-//#include <stdlib.h>
-//#include <sys/acl.h>
-//#include <acl/libacl.h>
-//#cgo linux LDFLAGS: -lacl
-import "C"
-
-const (
-	Read    = C.ACL_READ
-	Write   = C.ACL_WRITE
-	Execute = C.ACL_EXECUTE
-
-	TypeDefault = C.ACL_TYPE_DEFAULT
-	TypeAccess  = C.ACL_TYPE_ACCESS
-
-	UndefinedTag = C.ACL_UNDEFINED_TAG
-	UserObj      = C.ACL_USER_OBJ
-	User         = C.ACL_USER
-	GroupObj     = C.ACL_GROUP_OBJ
-	Group        = C.ACL_GROUP
-	Mask         = C.ACL_MASK
-	Other        = C.ACL_OTHER
-)
-
-type (
-	Perm  C.acl_perm_t
-	Perms []Perm
-)
-
-func (ps Perms) String() string {
-	var s = []byte("---")
-	for _, p := range ps {
-		switch p {
-		case Read:
-			s[0] = 'r'
-		case Write:
-			s[1] = 'w'
-		case Execute:
-			s[2] = 'x'
-		}
-	}
-	return string(s)
-}
-
-func UpdatePerm(path string, uid int, perms ...Perm) error {
-	// read acl from file
-	a, err := aclGetFile(path, TypeAccess)
-	if err != nil {
-		return err
-	}
-	// free acl on return if get is successful
-	defer a.free()
-
-	// remove existing entry
-	if err = a.removeEntry(User, uid); err != nil {
-		return err
-	}
-
-	// create new entry if perms are passed
-	if len(perms) > 0 {
-		// create new acl entry
-		var e C.acl_entry_t
-		if _, err = C.acl_create_entry(&a.val, &e); err != nil {
-			return err
-		}
-
-		// get perm set of new entry
-		var p C.acl_permset_t
-		if _, err = C.acl_get_permset(e, &p); err != nil {
-			return err
-		}
-
-		// add target perms
-		for _, perm := range perms {
-			if _, err = C.acl_add_perm(p, C.acl_perm_t(perm)); err != nil {
-				return err
-			}
-		}
-
-		// set perm set to new entry
-		if _, err = C.acl_set_permset(e, p); err != nil {
-			return err
-		}
-
-		// set user tag to new entry
-		if _, err = C.acl_set_tag_type(e, User); err != nil {
-			return err
-		}
-
-		// set qualifier (uid) to new entry
-		if _, err = C.acl_set_qualifier(e, unsafe.Pointer(&uid)); err != nil {
-			return err
-		}
-	}
-
-	// calculate mask after update
-	if _, err = C.acl_calc_mask(&a.val); err != nil {
-		return err
-	}
-
-	// write acl to file
-	return a.setFile(path, TypeAccess)
-}
--- a/cmd/finit/main.go
+++ b/cmd/finit/main.go
@ -1,19 +1,18 @@
 package main

 import (
-	"encoding/gob"
 	"errors"
 	"os"
 	"os/exec"
 	"os/signal"
 	"path"
-	"strconv"
 	"syscall"
 	"time"

-	init0 "git.ophivana.moe/security/fortify/cmd/finit/ipc"
-	"git.ophivana.moe/security/fortify/internal"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/proc"
 )

 const (
@ -48,30 +47,24 @@ func main() {
 		}
 	}

-	// setup pipe fd from environment
-	var setup *os.File
-	if s, ok := os.LookupEnv(init0.Env); !ok {
-		fmsg.Fatal("FORTIFY_INIT not set")
-		panic("unreachable")
-	} else {
-		if fd, err := strconv.Atoi(s); err != nil {
-			fmsg.Fatalf("cannot parse %q: %v", s, err)
-			panic("unreachable")
-		} else {
-			setup = os.NewFile(uintptr(fd), "setup")
-			if setup == nil {
+	// receive setup payload
+	var (
+		payload    init0.Payload
+		closeSetup func() error
+	)
+	if f, err := proc.Receive(init0.Env, &payload); err != nil {
+		if errors.Is(err, proc.ErrInvalid) {
 			fmsg.Fatal("invalid config descriptor")
-				panic("unreachable")
-			}
 		}
+		if errors.Is(err, proc.ErrNotSet) {
+			fmsg.Fatal("FORTIFY_INIT not set")
 		}

-	var payload init0.Payload
-	if err := gob.NewDecoder(setup).Decode(&payload); err != nil {
-		fmsg.Fatal("cannot decode init setup payload:", err)
+		fmsg.Fatalf("cannot decode init setup payload: %v", err)
 		panic("unreachable")
 	} else {
 		fmsg.SetVerbose(payload.Verbose)
+		closeSetup = f

 		// child does not need to see this
 		if err = os.Unsetenv(init0.Env); err != nil {
@ -98,7 +91,7 @@ func main() {
 	fmsg.Suspend()

 	// close setup pipe as setup is now complete
-	if err := setup.Close(); err != nil {
+	if err := closeSetup(); err != nil {
 		fmsg.Println("cannot close setup pipe:", err)
 		// not fatal
 	}
--- a/cmd/fshim/ipc/payload.go
+++ b/cmd/fshim/ipc/payload.go
@ -1,11 +1,7 @@
 package shim0

 import (
-	"encoding/gob"
-	"net"
-
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )

 const Env = "FORTIFY_SHIM"
@ -23,13 +19,3 @@ type Payload struct {
 	// verbosity pass through
 	Verbose bool
 }
-
-func (p *Payload) Serve(conn *net.UnixConn) error {
-	if err := gob.NewEncoder(conn).Encode(*p); err != nil {
-		return fmsg.WrapErrorSuffix(err,
-			"cannot stream shim payload:")
-	}
-
-	return fmsg.WrapErrorSuffix(conn.Close(),
-		"cannot close setup connection:")
-}
--- a/cmd/fshim/ipc/shim/shim.go
+++ b/cmd/fshim/ipc/shim/shim.go
@ -1,22 +1,20 @@
 package shim

 import (
+	"encoding/gob"
 	"errors"
-	"net"
 	"os"
 	"os/exec"
 	"os/signal"
+	"strconv"
 	"strings"
-	"sync"
-	"sync/atomic"
 	"syscall"
 	"time"

-	"git.ophivana.moe/security/fortify/acl"
-	shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
-	"git.ophivana.moe/security/fortify/internal"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/proc"
+	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/proc"
 )

 const shimSetupTimeout = 5 * time.Second
@ -32,20 +30,14 @@ type Shim struct {
 	aid string
 	// string representation of supplementary group ids
 	supp []string
-	// path to setup socket
-	socket string
-	// shim setup abort reason and completion
-	abort     chan error
-	abortErr  atomic.Pointer[error]
-	abortOnce sync.Once
 	// fallback exit notifier with error returned killing the process
 	killFallback chan error
 	// shim setup payload
 	payload *shim0.Payload
 }

-func New(uid uint32, aid string, supp []string, socket string, payload *shim0.Payload) *Shim {
-	return &Shim{uid: uid, aid: aid, supp: supp, socket: socket, payload: payload}
+func New(uid uint32, aid string, supp []string, payload *shim0.Payload) *Shim {
+	return &Shim{uid: uid, aid: aid, supp: supp, payload: payload}
 }

 func (s *Shim) String() string {
@ -59,39 +51,11 @@ func (s *Shim) Unwrap() *exec.Cmd {
 	return s.cmd
 }

-func (s *Shim) Abort(err error) {
-	s.abortOnce.Do(func() {
-		s.abortErr.Store(&err)
-		// s.abort is buffered so this will never block
-		s.abort <- err
-	})
-}
-
-func (s *Shim) AbortWait(err error) {
-	s.Abort(err)
-	<-s.abort
-}
-
 func (s *Shim) WaitFallback() chan error {
 	return s.killFallback
 }

 func (s *Shim) Start() (*time.Time, error) {
-	var (
-		cf     chan *net.UnixConn
-		accept func()
-	)
-
-	// listen on setup socket
-	if c, a, err := s.serve(); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot listen on shim setup socket:")
-	} else {
-		// accepts a connection after each call to accept
-		// connections are sent to the channel cf
-		cf, accept = c, a
-	}
-
 	// start user switcher process and save time
 	var fsu string
 	if p, ok := internal.Check(internal.Fsu); !ok {
@ -101,10 +65,19 @@ func (s *Shim) Start() (*time.Time, error) {
 		fsu = p
 	}
 	s.cmd = exec.Command(fsu)
+
+	var encoder *gob.Encoder
+	if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
+		return nil, fmsg.WrapErrorSuffix(err,
+			"cannot create shim setup pipe:")
+	} else {
+		encoder = e
 		s.cmd.Env = []string{
-		shim0.Env + "=" + s.socket,
+			shim0.Env + "=" + strconv.Itoa(fd),
 			"FORTIFY_APP_ID=" + s.aid,
 		}
+	}
+
 	if len(s.supp) > 0 {
 		fmsg.VPrintf("attaching supplementary group ids %s", s.supp)
 		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(s.supp, " "))
@ -145,117 +118,20 @@ func (s *Shim) Start() (*time.Time, error) {
 		signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
 	}()

-	accept()
-	var conn *net.UnixConn
+	shimErr := make(chan error)
+	go func() { shimErr <- encoder.Encode(s.payload) }()
+
 	select {
-	case c := <-cf:
-		if c == nil {
-			return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot accept call on setup socket:")
-		} else {
-			conn = c
-		}
-	case <-time.After(shimSetupTimeout):
-		err := fmsg.WrapError(errors.New("timed out waiting for shim"),
-			"timed out waiting for shim to connect")
-		s.AbortWait(err)
-		return &startTime, err
-	}
-
-	// authenticate against called provided uid and shim pid
-	if cred, err := peerCred(conn); err != nil {
-		return &startTime, fmsg.WrapErrorSuffix(*s.abortErr.Load(), "cannot retrieve shim credentials:")
-	} else if cred.Uid != s.uid {
-		fmsg.Printf("process %d owned by user %d tried to connect, expecting %d",
-			cred.Pid, cred.Uid, s.uid)
-		err = errors.New("compromised fortify build")
-		s.Abort(err)
-		return &startTime, err
-	} else if cred.Pid != int32(s.cmd.Process.Pid) {
-		fmsg.Printf("process %d tried to connect to shim setup socket, expecting shim %d",
-			cred.Pid, s.cmd.Process.Pid)
-		err = errors.New("compromised target user")
-		s.Abort(err)
-		return &startTime, err
-	}
-
-	// serve payload
-	// this also closes the connection
-	err := s.payload.Serve(conn)
-	if err == nil {
-		killShim = func() {}
-	}
-	s.Abort(err) // aborting with nil indicates success
-	return &startTime, err
-}
-
-func (s *Shim) serve() (chan *net.UnixConn, func(), error) {
-	if s.abort != nil {
-		panic("attempted to serve shim setup twice")
-	}
-	s.abort = make(chan error, 1)
-
-	cf := make(chan *net.UnixConn)
-	accept := make(chan struct{}, 1)
-
-	if l, err := net.ListenUnix("unix", &net.UnixAddr{Name: s.socket, Net: "unix"}); err != nil {
-		return nil, nil, err
-	} else {
-		l.SetUnlinkOnClose(true)
-
-		fmsg.VPrintf("listening on shim setup socket %q", s.socket)
-		if err = acl.UpdatePerm(s.socket, int(s.uid), acl.Read, acl.Write, acl.Execute); err != nil {
-			fmsg.Println("cannot append ACL entry to shim setup socket:", err)
-			s.Abort(err) // ensures setup socket cleanup
-		}
-
-		go func() {
-			cfWg := new(sync.WaitGroup)
-			for {
-				select {
-				case err = <-s.abort:
+	case err := <-shimErr:
 		if err != nil {
-						fmsg.VPrintln("aborting shim setup, reason:", err)
+			return &startTime, fmsg.WrapErrorSuffix(err,
+				"cannot transmit shim config:")
 		}
-					if err = l.Close(); err != nil {
-						fmsg.Println("cannot close setup socket:", err)
-					}
-					close(s.abort)
-					go func() {
-						cfWg.Wait()
-						close(cf)
-					}()
-					return
-				case <-accept:
-					cfWg.Add(1)
-					go func() {
-						defer cfWg.Done()
-						if conn, err0 := l.AcceptUnix(); err0 != nil {
-							// breaks loop
-							s.Abort(err0)
-							// receiver sees nil value and loads err0 stored during abort
-							cf <- nil
-						} else {
-							cf <- conn
-						}
-					}()
-				}
-			}
-		}()
+		killShim = func() {}
+	case <-time.After(shimSetupTimeout):
+		return &startTime, fmsg.WrapError(errors.New("timed out waiting for shim"),
+			"timed out waiting for shim")
 	}

-	return cf, func() { accept <- struct{}{} }, nil
-}
-
-// peerCred fetches peer credentials of conn
-func peerCred(conn *net.UnixConn) (ucred *syscall.Ucred, err error) {
-	var raw syscall.RawConn
-	if raw, err = conn.SyscallConn(); err != nil {
-		return
-	}
-
-	err0 := raw.Control(func(fd uintptr) {
-		ucred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
-	})
-	err = errors.Join(err, err0)
-	return
+	return &startTime, nil
 }
--- a/cmd/fshim/main.go
+++ b/cmd/fshim/main.go
@ -1,18 +1,18 @@
 package main

 import (
-	"encoding/gob"
-	"net"
+	"errors"
 	"os"
 	"path"
 	"strconv"
 	"syscall"

-	init0 "git.ophivana.moe/security/fortify/cmd/finit/ipc"
-	shim "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
-	"git.ophivana.moe/security/fortify/helper"
-	"git.ophivana.moe/security/fortify/internal"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
+	shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/proc"
 )

 // everything beyond this point runs as unconstrained target user
@ -37,15 +37,6 @@ func main() {
 		}
 	}

-	// lookup socket path from environment
-	var socketPath string
-	if s, ok := os.LookupEnv(shim.Env); !ok {
-		fmsg.Fatal("FORTIFY_SHIM not set")
-		panic("unreachable")
-	} else {
-		socketPath = s
-	}
-
 	// check path to finit
 	var finitPath string
 	if p, ok := internal.Path(internal.Finit); !ok {
@ -54,21 +45,24 @@ func main() {
 		finitPath = p
 	}

-	// dial setup socket
-	var conn *net.UnixConn
-	if c, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: socketPath, Net: "unix"}); err != nil {
-		fmsg.Fatal(err.Error())
-		panic("unreachable")
-	} else {
-		conn = c
+	// receive setup payload
+	var (
+		payload    shim.Payload
+		closeSetup func() error
+	)
+	if f, err := proc.Receive(shim.Env, &payload); err != nil {
+		if errors.Is(err, proc.ErrInvalid) {
+			fmsg.Fatal("invalid config descriptor")
+		}
+		if errors.Is(err, proc.ErrNotSet) {
+			fmsg.Fatal("FORTIFY_SHIM not set")
 		}

-	// decode payload gob stream
-	var payload shim.Payload
-	if err := gob.NewDecoder(conn).Decode(&payload); err != nil {
-		fmsg.Fatalf("cannot decode shim payload: %v", err)
+		fmsg.Fatalf("cannot decode shim setup payload: %v", err)
+		panic("unreachable")
 	} else {
 		fmsg.SetVerbose(payload.Verbose)
+		closeSetup = f
 	}

 	if payload.Bwrap == nil {
@ -81,8 +75,8 @@ func main() {
 	}

 	// close setup socket
-	if err := conn.Close(); err != nil {
-		fmsg.Println("cannot close setup socket:", err)
+	if err := closeSetup(); err != nil {
+		fmsg.Println("cannot close setup pipe:", err)
 		// not fatal
 	}

@ -110,17 +104,14 @@ func main() {

 	var extraFiles []*os.File

-	// share config pipe
-	if r, w, err := os.Pipe(); err != nil {
+	// serve setup payload
+	if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
 		fmsg.Fatalf("cannot pipe: %v", err)
 	} else {
-		conf.SetEnv[init0.Env] = strconv.Itoa(3 + len(extraFiles))
-		extraFiles = append(extraFiles, r)
-
-		fmsg.VPrintln("transmitting config to init")
+		conf.SetEnv[init0.Env] = strconv.Itoa(fd)
 		go func() {
-			// stream config to pipe
-			if err = gob.NewEncoder(w).Encode(&ic); err != nil {
+			fmsg.VPrintln("transmitting config to init")
+			if err = encoder.Encode(&ic); err != nil {
 				fmsg.Fatalf("cannot transmit init config: %v", err)
 			}
 		}()
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -83,17 +83,17 @@ func main() {
 		uid += aid
 	}

-	// pass through setup path to shim
-	var shimSetupPath string
+	// pass through setup fd to shim
+	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
 		// fortify requests target uid
 		// print resolved uid and exit
 		fmt.Print(uid)
 		os.Exit(0)
-	} else if !path.IsAbs(s) {
-		log.Fatal("FORTIFY_SHIM is not absolute")
+	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
+		log.Fatal("FORTIFY_SHIM holds an invalid value")
 	} else {
-		shimSetupPath = s
+		shimSetupFd = s
 	}

 	// supplementary groups
@ -123,6 +123,11 @@ func main() {
 		suppGroups = []int{uid}
 	}

+	// final bounds check to catch any bugs
+	if uid < 1000000 || uid >= 2000000 {
+		panic("uid out of bounds")
+	}
+
 	// careful! users in the allowlist is effectively allowed to drop groups via fsu

 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
@ -137,7 +142,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupPath}); err != nil {
+	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

--- a/cmd/fuserdb/main.go
+++ b/cmd/fuserdb/main.go
@ -9,7 +9,7 @@ import (
 	"path"
 	"strconv"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 func main() {
--- a/cmd/fuserdb/payload.go
+++ b/cmd/fuserdb/payload.go
@ -5,7 +5,7 @@ import (
 	"os"
 	"path"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 type payloadU struct {
--- a/dbus/config_test.go
+++ b/dbus/config_test.go
@ -9,7 +9,7 @@ import (
 	"strings"
 	"testing"

-	"git.ophivana.moe/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/dbus"
 )

 func TestConfig_Args(t *testing.T) {
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@ -5,8 +5,8 @@ import (
 	"strings"
 	"testing"

-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/helper"
 )

 func TestNew(t *testing.T) {
--- a/dbus/proxy.go
+++ b/dbus/proxy.go
@ -6,8 +6,8 @@ import (
 	"io"
 	"sync"

-	"git.ophivana.moe/security/fortify/helper"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )

 // ProxyName is the file name or path to the proxy program.
--- a/dbus/run.go
+++ b/dbus/run.go
@ -9,9 +9,9 @@ import (
 	"strconv"
 	"strings"

-	"git.ophivana.moe/security/fortify/helper"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/ldd"
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/ldd"
 )

 // Start launches the D-Bus proxy and sets up the Wait method.
--- a/dbus/samples_test.go
+++ b/dbus/samples_test.go
@ -3,7 +3,7 @@ package dbus_test
 import (
 	"sync"

-	"git.ophivana.moe/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/dbus"
 )

 var samples = []dbusTestCase{
--- a/dbus/stub_test.go
+++ b/dbus/stub_test.go
@ -3,7 +3,7 @@ package dbus_test
 import (
 	"testing"

-	"git.ophivana.moe/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper"
 )

 func TestHelperChildStub(t *testing.T) {
--- a/dist/fsurc.default
+++ b/dist/fsurc.default
@ -0,0 +1 @@
+1000 0
--- a/dist/install.sh
+++ b/dist/install.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
+install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
+install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
+install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
+
+install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
+install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
--- a/dist/release.sh
+++ b/dist/release.sh
@ -0,0 +1,19 @@
+#!/bin/sh -e
+cd "$(dirname -- "$0")/.."
+VERSION="${FORTIFY_VERSION:-untagged}"
+pname="fortify-${VERSION}"
+out="dist/${pname}"
+
+mkdir -p "${out}"
+cp "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
+
+go build -v -o "${out}/bin/" -ldflags "-s -w
+  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
+  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
+  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
+  -X main.Fmain=/usr/bin/fortify
+  -X main.Fshim=/usr/libexec/fortify/fshim" ./...
+
+rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
+rm -rf "./${out}"
+sha512sum "${out}.tar.gz" > "${out}.tar.gz.sha512"
--- a/error.go
+++ b/error.go
@ -3,8 +3,8 @@ package main
 import (
 	"errors"

-	"git.ophivana.moe/security/fortify/internal/app"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 func logWaitError(err error) {
--- a/flake.lock
+++ b/flake.lock
@ -1,12 +1,33 @@
 {
  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733951536,
+        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-24.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1733348545,
-        "narHash": "sha256-b4JrUmqT0vFNx42aEN9LTWOHomkTKL/ayLopflVf81U=",
+        "lastModified": 1734298236,
+        "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9ecb50d2fae8680be74c08bb0a995c5383747f89",
+        "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
        "type": "github"
      },
      "original": {
@ -18,6 +39,7 @@
    },
    "root": {
      "inputs": {
+        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -3,10 +3,19 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";
+
+    home-manager = {
+      url = "github:nix-community/home-manager/release-24.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
-    { self, nixpkgs }:
+    {
+      self,
+      nixpkgs,
+      home-manager,
+    }:
    let
      supportedSystems = [
        "aarch64-linux"
@ -20,6 +29,55 @@
    {
      nixosModules.fortify = import ./nixos.nix;

+      checks = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgsFor.${system};
+
+          inherit (pkgs)
+            runCommandLocal
+            callPackage
+            nixfmt-rfc-style
+            deadnix
+            statix
+            ;
+        in
+        {
+          check-formatting =
+            runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; }
+              ''
+                cd ${./.}
+
+                echo "running nixfmt..."
+                nixfmt --check .
+
+                touch $out
+              '';
+
+          check-lint =
+            runCommandLocal "check-lint"
+              {
+                nativeBuildInputs = [
+                  deadnix
+                  statix
+                ];
+              }
+              ''
+                cd ${./.}
+
+                echo "running deadnix..."
+                deadnix --fail
+
+                echo "running statix..."
+                statix check .
+
+                touch $out
+              '';
+
+          nixos-tests = callPackage ./test.nix { inherit system self home-manager; };
+        }
+      );
+
      packages = forAllSystems (
        system:
        let
@ -37,6 +95,26 @@
          buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
        };

+        fhs = nixpkgsFor.${system}.buildFHSEnv {
+          pname = "fortify-fhs";
+          inherit (self.packages.${system}.fortify) version;
+          targetPkgs =
+            pkgs: with pkgs; [
+              go
+              gcc
+              pkg-config
+              acl
+              wayland
+              wayland-scanner
+              wayland-protocols
+              xorg.libxcb
+            ];
+          extraOutputsToInstall = [ "dev" ];
+          profile = ''
+            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+          '';
+        };
+
        withPackage = nixpkgsFor.${system}.mkShell {
          buildInputs =
            with nixpkgsFor.${system};
@ -56,7 +134,7 @@
                  };
                  modules = [ ./options.nix ];
                };
-                cleanEval = lib.filterAttrsRecursive (n: v: n != "_module") eval;
+                cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
              in
              pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
            docText = pkgs.runCommand "fortify-module-docs.md" { } ''
--- a/internal/app/config.go
+++ b/internal/app/config.go
@ -1,12 +1,12 @@
-package app
+package fst

 import (
 	"errors"

-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 const fTmp = "/fortify"
--- a/fst/id.go
+++ b/fst/id.go
@ -0,0 +1,48 @@
+package fst
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+)
+
+type ID [16]byte
+
+var (
+	ErrInvalidLength = errors.New("string representation must have a length of 32")
+)
+
+func (a *ID) String() string {
+	return hex.EncodeToString(a[:])
+}
+
+func NewAppID(id *ID) error {
+	_, err := rand.Read(id[:])
+	return err
+}
+
+func ParseAppID(id *ID, s string) error {
+	if len(s) != 32 {
+		return ErrInvalidLength
+	}
+
+	for i, b := range s {
+		if b < '0' || b > 'f' {
+			return fmt.Errorf("invalid char %q at byte %d", b, i)
+		}
+
+		v := uint8(b)
+		if v > '9' {
+			v = 10 + v - 'a'
+		} else {
+			v -= '0'
+		}
+		if i%2 == 0 {
+			v <<= 4
+		}
+		id[i/2] += v
+	}
+
+	return nil
+}
--- a/fst/id_test.go
+++ b/fst/id_test.go
@ -0,0 +1,63 @@
+package fst_test
+
+import (
+	"errors"
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/fst"
+)
+
+func TestParseAppID(t *testing.T) {
+	t.Run("bad length", func(t *testing.T) {
+		if err := fst.ParseAppID(new(fst.ID), "meow"); !errors.Is(err, fst.ErrInvalidLength) {
+			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, fst.ErrInvalidLength)
+		}
+	})
+
+	t.Run("bad byte", func(t *testing.T) {
+		wantErr := "invalid char '\\n' at byte 15"
+		if err := fst.ParseAppID(new(fst.ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
+			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, wantErr)
+		}
+	})
+
+	t.Run("fuzz 16 iterations", func(t *testing.T) {
+		for i := 0; i < 16; i++ {
+			testParseAppIDWithRandom(t)
+		}
+	})
+}
+
+func FuzzParseAppID(f *testing.F) {
+	for i := 0; i < 16; i++ {
+		id := new(fst.ID)
+		if err := fst.NewAppID(id); err != nil {
+			panic(err.Error())
+		}
+		f.Add(id[0], id[1], id[2], id[3], id[4], id[5], id[6], id[7], id[8], id[9], id[10], id[11], id[12], id[13], id[14], id[15])
+	}
+
+	f.Fuzz(func(t *testing.T, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15 byte) {
+		testParseAppID(t, &fst.ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
+	})
+}
+
+func testParseAppIDWithRandom(t *testing.T) {
+	id := new(fst.ID)
+	if err := fst.NewAppID(id); err != nil {
+		t.Fatalf("cannot generate app ID: %v", err)
+	}
+	testParseAppID(t, id)
+}
+
+func testParseAppID(t *testing.T, id *fst.ID) {
+	s := id.String()
+	got := new(fst.ID)
+	if err := fst.ParseAppID(got, s); err != nil {
+		t.Fatalf("cannot parse app ID: %v", err)
+	}
+
+	if *got != *id {
+		t.Fatalf("ParseAppID(%#v) = \n%#v, want \n%#v", s, got, id)
+	}
+}
--- a/fst/shared.go
+++ b/fst/shared.go
@ -0,0 +1,2 @@
+// Package fst exports shared fortify types.
+package fst
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,3 @@
-module git.ophivana.moe/security/fortify
+module git.gensokyo.uk/security/fortify

 go 1.22
--- a/helper/args_test.go
+++ b/helper/args_test.go
@ -6,7 +6,7 @@ import (
 	"strings"
 	"testing"

-	"git.ophivana.moe/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper"
 )

 func Test_argsFD_String(t *testing.T) {
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@ -8,8 +8,8 @@ import (
 	"strconv"
 	"sync"

-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/proc"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/proc"
 )

 // BubblewrapName is the file name or path to bubblewrap.
--- a/helper/bwrap_test.go
+++ b/helper/bwrap_test.go
@ -7,8 +7,8 @@ import (
 	"strings"
 	"testing"

-	"git.ophivana.moe/security/fortify/helper"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )

 func TestBwrap(t *testing.T) {
--- a/helper/direct_test.go
+++ b/helper/direct_test.go
@ -5,7 +5,7 @@ import (
 	"os"
 	"testing"

-	"git.ophivana.moe/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper"
 )

 func TestDirect(t *testing.T) {
--- a/helper/helper_test.go
+++ b/helper/helper_test.go
@ -6,7 +6,7 @@ import (
 	"testing"
 	"time"

-	"git.ophivana.moe/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper"
 )

 var (
--- a/helper/pipe.go
+++ b/helper/pipe.go
@ -6,7 +6,7 @@ import (
 	"os"
 	"os/exec"

-	"git.ophivana.moe/security/fortify/internal/proc"
+	"git.gensokyo.uk/security/fortify/internal/proc"
 )

 type pipes struct {
--- a/helper/stub.go
+++ b/helper/stub.go
@ -10,8 +10,8 @@ import (
 	"syscall"
 	"testing"

-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 // InternalChildStub is an internal function but exported because it is cross-package;
--- a/helper/stub_test.go
+++ b/helper/stub_test.go
@ -3,7 +3,7 @@ package helper_test
 import (
 	"testing"

-	"git.ophivana.moe/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper"
 )

 func TestHelperChildStub(t *testing.T) {
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -2,14 +2,16 @@ package app

 import (
 	"sync"
+	"sync/atomic"

-	"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
-	"git.ophivana.moe/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/linux"
 )

 type App interface {
 	// ID returns a copy of App's unique ID.
-	ID() ID
+	ID() fst.ID
 	// Start sets up the system and starts the App.
 	Start() error
 	// Wait waits for App's process to exit and reverts system setup.
@ -17,13 +19,16 @@ type App interface {
 	// WaitErr returns error returned by the underlying wait syscall.
 	WaitErr() error

-	Seal(config *Config) error
+	Seal(config *fst.Config) error
 	String() string
 }

 type app struct {
+	// single-use config reference
+	ct *appCt
+
 	// application unique identifier
-	id *ID
+	id *fst.ID
 	// operating system interface
 	os linux.System
 	// shim process manager
@ -36,7 +41,7 @@ type app struct {
 	lock sync.RWMutex
 }

-func (a *app) ID() ID {
+func (a *app) ID() fst.ID {
 	return *a.id
 }

@ -65,7 +70,28 @@ func (a *app) WaitErr() error {

 func New(os linux.System) (App, error) {
 	a := new(app)
-	a.id = new(ID)
+	a.id = new(fst.ID)
 	a.os = os
-	return a, newAppID(a.id)
+	return a, fst.NewAppID(a.id)
+}
+
+// appCt ensures its wrapped val is only accessed once
+type appCt struct {
+	val  *fst.Config
+	done *atomic.Bool
+}
+
+func (a *appCt) Unwrap() *fst.Config {
+	if !a.done.Load() {
+		defer a.done.Store(true)
+		return a.val
+	}
+	panic("attempted to access config reference twice")
+}
+
+func newAppCt(config *fst.Config) (ct *appCt) {
+	ct = new(appCt)
+	ct.done = new(atomic.Bool)
+	ct.val = config
+	return ct
 }
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -1,25 +1,25 @@
 package app_test

 import (
-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/app"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
-		&app.Config{
+		&fst.Config{
 			ID:      "org.chromium.Chromium",
 			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
-			Confinement: app.ConfinementConfig{
+			Confinement: fst.ConfinementConfig{
 				AppID: 1, Groups: []string{}, Username: "u0_a1",
 				Outer: "/var/lib/persist/module/fortify/0/1",
-				Sandbox: &app.SandboxConfig{
+				Sandbox: &fst.SandboxConfig{
 					UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil,
-					Filesystem: []*app.FilesystemConfig{
+					Filesystem: []*fst.FilesystemConfig{
 						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
 						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
 						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
@ -48,7 +48,7 @@ var testCasesNixos = []sealTestCase{
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
-		app.ID{
+		fst.ID{
 			0x8e, 0x2c, 0x76, 0xb0,
 			0x66, 0xda, 0xbe, 0x57,
 			0x4c, 0xf0, 0x73, 0xbd,
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -1,25 +1,25 @@
 package app_test

 import (
-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/app"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
-		&app.Config{
+		&fst.Config{
 			Command: make([]string, 0),
-			Confinement: app.ConfinementConfig{
+			Confinement: fst.ConfinementConfig{
 				AppID:    0,
 				Username: "chronos",
 				Outer:    "/home/chronos",
 			},
 		},
-		app.ID{
+		fst.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
 			0xbd, 0x01, 0x78, 0x0e,
@ -190,10 +190,10 @@ var testCasesPd = []sealTestCase{
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
-		&app.Config{
+		&fst.Config{
 			ID:      "org.chromium.Chromium",
 			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
-			Confinement: app.ConfinementConfig{
+			Confinement: fst.ConfinementConfig{
 				AppID:    9,
 				Groups:   []string{"video"},
 				Username: "chronos",
@ -232,7 +232,7 @@ var testCasesPd = []sealTestCase{
 				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
 			},
 		},
-		app.ID{
+		fst.ID{
 			0xeb, 0xf0, 0x83, 0xd1,
 			0xb1, 0x75, 0x91, 0x17,
 			0x82, 0xd4, 0x13, 0x36,
--- a/internal/app/app_stub_test.go
+++ b/internal/app/app_stub_test.go
@ -7,7 +7,7 @@ import (
 	"os/user"
 	"strconv"

-	"git.ophivana.moe/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/linux"
 )

 // fs methods are not implemented using a real FS
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@ -6,17 +6,18 @@ import (
 	"testing"
 	"time"

-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/app"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 type sealTestCase struct {
 	name      string
 	os        linux.System
-	config    *app.Config
-	id        app.ID
+	config    *fst.Config
+	id        fst.ID
 	wantSys   *system.I
 	wantBwrap *bwrap.Config
 }
--- a/internal/app/export_test.go
+++ b/internal/app/export_test.go
@ -1,12 +1,13 @@
 package app

 import (
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

-func NewWithID(id ID, os linux.System) App {
+func NewWithID(id fst.ID, os linux.System) App {
 	a := new(app)
 	a.id = &id
 	a.os = os
--- a/internal/app/id.go
+++ b/internal/app/id.go
@ -1,17 +0,0 @@
-package app
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-)
-
-type ID [16]byte
-
-func (a *ID) String() string {
-	return hex.EncodeToString(a[:])
-}
-
-func newAppID(id *ID) error {
-	_, err := rand.Read(id[:])
-	return err
-}
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@ -8,11 +8,12 @@ import (
 	"regexp"
 	"strconv"

-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/state"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/state"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 var (
@ -59,7 +60,7 @@ type appSeal struct {
 }

 // Seal seals the app launch context
-func (a *app) Seal(config *Config) error {
+func (a *app) Seal(config *fst.Config) error {
 	a.lock.Lock()
 	defer a.lock.Unlock()

@ -147,7 +148,7 @@ func (a *app) Seal(config *Config) error {
 		fmsg.VPrintln("sandbox configuration not supplied, PROCEED WITH CAUTION")

 		// permissive defaults
-		conf := &SandboxConfig{
+		conf := &fst.SandboxConfig{
 			UserNS:       true,
 			Net:          true,
 			NoNewSession: true,
@ -157,7 +158,7 @@ func (a *app) Seal(config *Config) error {
 		if d, err := a.os.ReadDir("/"); err != nil {
 			return err
 		} else {
-			b := make([]*FilesystemConfig, 0, len(d))
+			b := make([]*fst.FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				p := "/" + ent.Name()
 				switch p {
@ -169,7 +170,7 @@ func (a *app) Seal(config *Config) error {
 				case "/etc":

 				default:
-					b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@ -178,7 +179,7 @@ func (a *app) Seal(config *Config) error {
 		if d, err := a.os.ReadDir("/run"); err != nil {
 			return err
 		} else {
-			b := make([]*FilesystemConfig, 0, len(d))
+			b := make([]*fst.FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				name := ent.Name()
 				switch name {
@ -186,7 +187,7 @@ func (a *app) Seal(config *Config) error {
 				case "dbus":
 				default:
 					p := "/run/" + name
-					b = append(b, &FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@ -198,7 +199,7 @@ func (a *app) Seal(config *Config) error {
 		}
 		// bind GPU stuff
 		if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
-			conf.Filesystem = append(conf.Filesystem, &FilesystemConfig{Src: "/dev/dri", Device: true})
+			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}

 		config.Confinement.Sandbox = conf
@ -217,7 +218,7 @@ func (a *app) Seal(config *Config) error {
 	// open process state store
 	// the simple store only starts holding an open file after first action
 	// store activity begins after Start is called and must end before Wait
-	seal.store = state.NewSimple(seal.RunDirPath, seal.sys.user.as)
+	seal.store = state.NewMulti(seal.RunDirPath)

 	// initialise system interface with full uid
 	seal.sys.I = system.New(seal.sys.user.uid)
@ -236,5 +237,6 @@ func (a *app) Seal(config *Config) error {

 	// seal app and release lock
 	a.seal = seal
+	a.ct = newAppCt(config)
 	return nil
 }
--- a/internal/app/share.dbus.go
+++ b/internal/app/share.dbus.go
@ -3,9 +3,9 @@ package app
 import (
 	"path"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 const (
--- a/internal/app/share.display.go
+++ b/internal/app/share.display.go
@ -4,10 +4,10 @@ import (
 	"errors"
 	"path"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 const (
--- a/internal/app/share.pulse.go
+++ b/internal/app/share.pulse.go
@ -6,9 +6,9 @@ import (
 	"io/fs"
 	"path"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 const (
--- a/internal/app/share.runtime.go
+++ b/internal/app/share.runtime.go
@ -3,8 +3,8 @@ package app
 import (
 	"path"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 const (
--- a/internal/app/share.system.go
+++ b/internal/app/share.system.go
@ -3,9 +3,9 @@ package app
 import (
 	"path"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 const (
--- a/internal/app/start.go
+++ b/internal/app/start.go
@ -4,16 +4,15 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"strings"

-	shim0 "git.ophivana.moe/security/fortify/cmd/fshim/ipc"
-	"git.ophivana.moe/security/fortify/cmd/fshim/ipc/shim"
-	"git.ophivana.moe/security/fortify/helper"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/state"
-	"git.ophivana.moe/security/fortify/internal/system"
+	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
+	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/state"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 // Start selects a user switcher and starts shim.
@ -46,7 +45,6 @@ func (a *app) Start() error {
 		uint32(a.seal.sys.UID()),
 		a.seal.sys.user.as,
 		a.seal.sys.user.supp,
-		path.Join(a.seal.share, "shim"),
 		&shim0.Payload{
 			Argv:  a.seal.command,
 			Exec:  shimExec,
@ -70,17 +68,16 @@ func (a *app) Start() error {
 	} else {
 		// shim start and setup success, create process state
 		sd := state.State{
+			ID:     *a.id,
 			PID:    a.shim.Unwrap().Process.Pid,
-			Command:    a.seal.command,
-			Capability: a.seal.et,
-			Argv:       a.shim.Unwrap().Args,
+			Config: a.ct.Unwrap(),
 			Time:   *startTime,
 		}

 		// register process state
 		var err0 = new(StateStoreError)
-		err0.Inner, err0.DoErr = a.seal.store.Do(func(b state.Backend) {
-			err0.InnerErr = b.Save(&sd)
+		err0.Inner, err0.DoErr = a.seal.store.Do(a.seal.sys.user.aid, func(c state.Cursor) {
+			err0.InnerErr = c.Save(&sd)
 		})
 		a.seal.sys.saveState = true
 		return err0.equiv("cannot save process state:")
@ -202,11 +199,11 @@ func (a *app) Wait() (int, error) {

 	// update store and revert app setup transaction
 	e := new(StateStoreError)
-	e.Inner, e.DoErr = a.seal.store.Do(func(b state.Backend) {
+	e.Inner, e.DoErr = a.seal.store.Do(a.seal.sys.user.aid, func(b state.Cursor) {
 		e.InnerErr = func() error {
 			// destroy defunct state entry
 			if cmd := a.shim.Unwrap(); cmd != nil && a.seal.sys.saveState {
-				if err := b.Destroy(cmd.Process.Pid); err != nil {
+				if err := b.Destroy(*a.id); err != nil {
 					return err
 				}
 			}
@ -227,8 +224,12 @@ func (a *app) Wait() (int, error) {
 				}

 				// accumulate capabilities of other launchers
-				for _, s := range states {
-					*rt |= s.Capability
+				for i, s := range states {
+					if s.Config != nil {
+						*rt |= s.Config.Confinement.Enablements
+					} else {
+						fmsg.Printf("state entry %d does not contain config", i)
+					}
 				}
 			}
 			// invert accumulated enablements for cleanup
@ -249,12 +250,6 @@ func (a *app) Wait() (int, error) {
 				}
 			}

-			if a.shim.Unwrap() == nil {
-				fmsg.VPrintln("fault before shim start")
-			} else {
-				a.shim.AbortWait(errors.New("shim exited"))
-			}
-
 			if a.seal.sys.needRevert {
 				if err := a.seal.sys.Revert(ec); err != nil {
 					return err.(RevertCompoundError)
--- a/internal/app/system.go
+++ b/internal/app/system.go
@ -1,10 +1,10 @@
 package app

 import (
-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 // appSealSys encapsulates app seal behaviour with OS interactions
--- a/internal/linux/interface.go
+++ b/internal/linux/interface.go
@ -7,7 +7,7 @@ import (
 	"path"
 	"strconv"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 // System provides safe access to operating system resources.
@ -39,8 +39,6 @@ type System interface {
 	Paths() Paths
 	// Uid invokes fsu and returns target uid.
 	Uid(aid int) (int, error)
-	// SdBooted implements https://www.freedesktop.org/software/systemd/man/sd_booted.html
-	SdBooted() bool
 }

 // Paths contains environment dependent paths used by fortify.
--- a/internal/linux/std.go
+++ b/internal/linux/std.go
@ -1,7 +1,6 @@
 package linux

 import (
-	"errors"
 	"io"
 	"io/fs"
 	"os"
@ -10,8 +9,8 @@ import (
 	"strconv"
 	"sync"

-	"git.ophivana.moe/security/fortify/internal"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 // Std implements System using the standard library.
@ -19,9 +18,6 @@ type Std struct {
 	paths     Paths
 	pathsOnce sync.Once

-	sdBooted     bool
-	sdBootedOnce sync.Once
-
 	uidOnce sync.Once
 	uidCopy map[int]struct {
 		uid int
@ -90,31 +86,3 @@ func (s *Std) Uid(aid int) (int, error) {
 		return u.uid, u.err
 	}
 }
-
-func (s *Std) SdBooted() bool {
-	s.sdBootedOnce.Do(func() { s.sdBooted = copySdBooted() })
-	return s.sdBooted
-}
-
-const systemdCheckPath = "/run/systemd/system"
-
-func copySdBooted() bool {
-	if v, err := sdBooted(); err != nil {
-		fmsg.Println("cannot read systemd marker:", err)
-		return false
-	} else {
-		return v
-	}
-}
-
-func sdBooted() (bool, error) {
-	_, err := os.Stat(systemdCheckPath)
-	if err != nil {
-		if errors.Is(err, fs.ErrNotExist) {
-			err = nil
-		}
-		return false, err
-	}
-
-	return true, nil
-}
--- a/internal/proc/fd.go
+++ b/internal/proc/fd.go
@ -0,0 +1,42 @@
+package proc
+
+import (
+	"encoding/gob"
+	"errors"
+	"os"
+	"strconv"
+)
+
+var (
+	ErrNotSet  = errors.New("environment variable not set")
+	ErrInvalid = errors.New("bad file descriptor")
+)
+
+func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
+	if r, w, err := os.Pipe(); err != nil {
+		return -1, nil, err
+	} else {
+		fd := 3 + len(*extraFiles)
+		*extraFiles = append(*extraFiles, r)
+		return fd, gob.NewEncoder(w), nil
+	}
+}
+
+func Receive(key string, e any) (func() error, error) {
+	var setup *os.File
+
+	if s, ok := os.LookupEnv(key); !ok {
+		return nil, ErrNotSet
+	} else {
+		if fd, err := strconv.Atoi(s); err != nil {
+			return nil, err
+		} else {
+			setup = os.NewFile(uintptr(fd), "setup")
+			if setup == nil {
+				return nil, ErrInvalid
+			}
+		}
+	}
+
+	return func() error { return setup.Close() }, gob.NewDecoder(setup).Decode(e)
+}
--- a/internal/state/multi.go
+++ b/internal/state/multi.go
@ -0,0 +1,292 @@
+package state
+
+import (
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path"
+	"strconv"
+	"sync"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+// fine-grained locking and access
+type multiStore struct {
+	base string
+
+	// initialised backends
+	backends *sync.Map
+
+	lock sync.RWMutex
+}
+
+func (s *multiStore) Do(aid int, f func(c Cursor)) (bool, error) {
+	s.lock.RLock()
+	defer s.lock.RUnlock()
+
+	// load or initialise new backend
+	b := new(multiBackend)
+	if v, ok := s.backends.LoadOrStore(aid, b); ok {
+		b = v.(*multiBackend)
+	} else {
+		b.lock.Lock()
+		b.path = path.Join(s.base, strconv.Itoa(aid))
+
+		// ensure directory
+		if err := os.MkdirAll(b.path, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
+			s.backends.CompareAndDelete(aid, b)
+			return false, err
+		}
+
+		// open locker file
+		if l, err := os.OpenFile(b.path+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
+			s.backends.CompareAndDelete(aid, b)
+			return false, err
+		} else {
+			b.lockfile = l
+		}
+		b.lock.Unlock()
+	}
+
+	// lock backend
+	if err := b.lockFile(); err != nil {
+		return false, err
+	}
+
+	// expose backend methods without exporting the pointer
+	c := new(struct{ *multiBackend })
+	c.multiBackend = b
+	f(b)
+	// disable access to the backend on a best-effort basis
+	c.multiBackend = nil
+
+	// unlock backend
+	return true, b.unlockFile()
+}
+
+func (s *multiStore) List() ([]int, error) {
+	var entries []os.DirEntry
+
+	// read base directory to get all aids
+	if v, err := os.ReadDir(s.base); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return nil, err
+	} else {
+		entries = v
+	}
+
+	aidsBuf := make([]int, 0, len(entries))
+	for _, e := range entries {
+		// skip non-directories
+		if !e.IsDir() {
+			fmsg.VPrintf("skipped non-directory entry %q", e.Name())
+			continue
+		}
+
+		// skip non-numerical names
+		if v, err := strconv.Atoi(e.Name()); err != nil {
+			fmsg.VPrintf("skipped non-aid entry %q", e.Name())
+			continue
+		} else {
+			if v < 0 || v > 9999 {
+				fmsg.VPrintf("skipped out of bounds entry %q", e.Name())
+				continue
+			}
+
+			aidsBuf = append(aidsBuf, v)
+		}
+	}
+
+	return append([]int(nil), aidsBuf...), nil
+}
+
+func (s *multiStore) Close() error {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+
+	var errs []error
+	s.backends.Range(func(_, value any) bool {
+		b := value.(*multiBackend)
+		errs = append(errs, b.close())
+		return true
+	})
+
+	return errors.Join(errs...)
+}
+
+type multiBackend struct {
+	path string
+
+	// created/opened by prepare
+	lockfile *os.File
+
+	lock sync.RWMutex
+}
+
+func (b *multiBackend) filename(id *fst.ID) string {
+	return path.Join(b.path, id.String())
+}
+
+func (b *multiBackend) lockFileAct(lt int) (err error) {
+	op := "LockAct"
+	switch lt {
+	case syscall.LOCK_EX:
+		op = "Lock"
+	case syscall.LOCK_UN:
+		op = "Unlock"
+	}
+
+	for {
+		err = syscall.Flock(int(b.lockfile.Fd()), lt)
+		if !errors.Is(err, syscall.EINTR) {
+			break
+		}
+	}
+	if err != nil {
+		return &fs.PathError{
+			Op:   op,
+			Path: b.lockfile.Name(),
+			Err:  err,
+		}
+	}
+	return nil
+}
+
+func (b *multiBackend) lockFile() error {
+	return b.lockFileAct(syscall.LOCK_EX)
+}
+
+func (b *multiBackend) unlockFile() error {
+	return b.lockFileAct(syscall.LOCK_UN)
+}
+
+// reads all launchers in simpleBackend
+// file contents are ignored if decode is false
+func (b *multiBackend) load(decode bool) (Entries, error) {
+	b.lock.RLock()
+	defer b.lock.RUnlock()
+
+	// read directory contents, should only contain files named after ids
+	var entries []os.DirEntry
+	if pl, err := os.ReadDir(b.path); err != nil {
+		return nil, err
+	} else {
+		entries = pl
+	}
+
+	// allocate as if every entry is valid
+	// since that should be the case assuming no external interference happens
+	r := make(Entries, len(entries))
+
+	for _, e := range entries {
+		if e.IsDir() {
+			return nil, fmt.Errorf("unexpected directory %q in store", e.Name())
+		}
+
+		id := new(fst.ID)
+		if err := fst.ParseAppID(id, e.Name()); err != nil {
+			return nil, err
+		}
+
+		// run in a function to better handle file closing
+		if err := func() error {
+			// open state file for reading
+			if f, err := os.Open(path.Join(b.path, e.Name())); err != nil {
+				return err
+			} else {
+				defer func() {
+					if f.Close() != nil {
+						// unreachable
+						panic("foreign state file closed prematurely")
+					}
+				}()
+
+				s := new(State)
+				r[*id] = s
+
+				// append regardless, but only parse if required, used to implement Len
+				if decode {
+					if err = gob.NewDecoder(f).Decode(s); err != nil {
+						return err
+					}
+
+					if s.ID != *id {
+						return fmt.Errorf("state entry %s has unexpected id %s", id, &s.ID)
+					}
+				}
+
+				return nil
+			}
+		}(); err != nil {
+			return nil, err
+		}
+	}
+
+	return r, nil
+}
+
+// Save writes process state to filesystem
+func (b *multiBackend) Save(state *State) error {
+	b.lock.Lock()
+	defer b.lock.Unlock()
+
+	if state.Config == nil {
+		return errors.New("state does not contain config")
+	}
+
+	statePath := b.filename(&state.ID)
+
+	// create and open state data file
+	if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
+		return err
+	} else {
+		defer func() {
+			if f.Close() != nil {
+				// unreachable
+				panic("state file closed prematurely")
+			}
+		}()
+		// encode into state file
+		return gob.NewEncoder(f).Encode(state)
+	}
+}
+
+func (b *multiBackend) Destroy(id fst.ID) error {
+	b.lock.Lock()
+	defer b.lock.Unlock()
+
+	return os.Remove(b.filename(&id))
+}
+
+func (b *multiBackend) Load() (Entries, error) {
+	return b.load(true)
+}
+
+func (b *multiBackend) Len() (int, error) {
+	// rn consists of only nil entries but has the correct length
+	rn, err := b.load(false)
+	return len(rn), err
+}
+
+func (b *multiBackend) close() error {
+	b.lock.Lock()
+	defer b.lock.Unlock()
+
+	err := b.lockfile.Close()
+	if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
+		return nil
+	}
+	return err
+}
+
+// NewMulti returns an instance of the multi-file store.
+func NewMulti(runDir string) Store {
+	b := new(multiStore)
+	b.base = path.Join(runDir, "state")
+	b.backends = new(sync.Map)
+	return b
+}
--- a/internal/state/multi_test.go
+++ b/internal/state/multi_test.go
@ -0,0 +1,11 @@
+package state_test
+
+import (
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/internal/state"
+)
+
+func TestMulti(t *testing.T) {
+	testStore(t, state.NewMulti(t.TempDir()))
+}
--- a/internal/state/print.go
+++ b/internal/state/print.go
@ -1,62 +1,45 @@
 package state

 import (
-	"errors"
 	"fmt"
 	"os"
-	"path"
-	"strconv"
 	"strings"
 	"text/tabwriter"
 	"time"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 // MustPrintLauncherStateSimpleGlobal prints active launcher states of all simple stores
 // in an implementation-specific way.
 func MustPrintLauncherStateSimpleGlobal(w **tabwriter.Writer, runDir string) {
 	now := time.Now().UTC()
+	s := NewMulti(runDir)

 	// read runtime directory to get all UIDs
-	if dirs, err := os.ReadDir(path.Join(runDir, "state")); err != nil && !errors.Is(err, os.ErrNotExist) {
-		fmsg.Fatal("cannot read runtime directory:", err)
+	if aids, err := s.List(); err != nil {
+		fmsg.Fatal("cannot list store:", err)
 	} else {
-		for _, e := range dirs {
-			// skip non-directories
-			if !e.IsDir() {
-				fmsg.VPrintf("skipped non-directory entry %q", e.Name())
-				continue
-			}
-
-			// skip non-numerical names
-			if _, err = strconv.Atoi(e.Name()); err != nil {
-				fmsg.VPrintf("skipped non-uid entry %q", e.Name())
-				continue
-			}
-
-			// obtain temporary store
-			s := NewSimple(runDir, e.Name()).(*simpleStore)
-
+		for _, aid := range aids {
 			// print states belonging to this store
-			s.mustPrintLauncherState(w, now)
+			s.(*multiStore).mustPrintLauncherState(aid, w, now)
+		}
+	}

 	// mustPrintLauncherState causes store activity so store needs to be closed
-			if err = s.Close(); err != nil {
-				fmsg.Printf("cannot close store for user %q: %s", e.Name(), err)
-			}
-		}
+	if err := s.Close(); err != nil {
+		fmsg.Printf("cannot close store: %v", err)
 	}
 }

-func (s *simpleStore) mustPrintLauncherState(w **tabwriter.Writer, now time.Time) {
+func (s *multiStore) mustPrintLauncherState(aid int, w **tabwriter.Writer, now time.Time) {
 	var innerErr error

-	if ok, err := s.Do(func(b Backend) {
+	if ok, err := s.Do(aid, func(c Cursor) {
 		innerErr = func() error {
 			// read launcher states
-			states, err := b.Load()
+			states, err := c.Load()
 			if err != nil {
 				return err
 			}
@ -82,40 +65,54 @@ func (s *simpleStore) mustPrintLauncherState(w **tabwriter.Writer, now time.Time
 					continue
 				}

-				// build enablements string
-				ets := strings.Builder{}
+				// build enablements and command string
+				var (
+					ets *strings.Builder
+					cs  = "(No command information)"
+				)
+
+				// check if enablements are provided
+				if state.Config != nil {
+					ets = new(strings.Builder)
 					// append enablement strings in order
 					for i := system.Enablement(0); i < system.Enablement(system.ELen); i++ {
-					if state.Capability.Has(i) {
+						if state.Config.Confinement.Enablements.Has(i) {
 							ets.WriteString(", " + i.String())
 						}
 					}
-				// prevent an empty string when
+
+					cs = fmt.Sprintf("%q", state.Config.Command)
+				}
+				if ets != nil {
+					// prevent an empty string
 					if ets.Len() == 0 {
 						ets.WriteString("(No enablements)")
 					}
+				} else {
+					ets = new(strings.Builder)
+					ets.WriteString("(No confinement information)")
+				}

 				if !fmsg.Verbose() {
-					_, _ = fmt.Fprintf(*w, "\t%d\t%s\t%s\t%s\t%s\n",
-						state.PID, s.path[len(s.path)-1], now.Sub(state.Time).Round(time.Second).String(), strings.TrimPrefix(ets.String(), ", "),
-						state.Command)
+					_, _ = fmt.Fprintf(*w, "\t%d\t%d\t%s\t%s\t%s\n",
+						state.PID, aid, now.Sub(state.Time).Round(time.Second).String(), strings.TrimPrefix(ets.String(), ", "), cs)
 				} else {
 					// emit argv instead when verbose
-					_, _ = fmt.Fprintf(*w, "\t%d\t%s\t%s\n",
-						state.PID, s.path[len(s.path)-1], state.Argv)
+					_, _ = fmt.Fprintf(*w, "\t%d\t%d\t%s\n",
+						state.PID, aid, state.ID)
 				}
 			}

 			return nil
 		}()
 	}); err != nil {
-		fmsg.Printf("cannot perform action on store %q: %s", path.Join(s.path...), err)
+		fmsg.Printf("cannot perform action on app %d: %v", aid, err)
 		if !ok {
 			fmsg.Fatal("store faulted before printing")
 		}
 	}

 	if innerErr != nil {
-		fmsg.Fatalf("cannot print launcher state for store %q: %s", path.Join(s.path...), innerErr)
+		fmsg.Fatalf("cannot print launcher state of app %d: %s", aid, innerErr)
 	}
 }
--- a/internal/state/simple.go
+++ b/internal/state/simple.go
@ -1,218 +0,0 @@
-package state
-
-import (
-	"encoding/gob"
-	"errors"
-	"io/fs"
-	"os"
-	"path"
-	"strconv"
-	"sync"
-	"syscall"
-)
-
-// file-based locking
-type simpleStore struct {
-	path []string
-
-	// created/opened by prepare
-	lockfile *os.File
-	// enforce prepare method
-	init sync.Once
-	// error returned by prepare
-	initErr error
-
-	lock sync.Mutex
-}
-
-func (s *simpleStore) Do(f func(b Backend)) (bool, error) {
-	s.init.Do(s.prepare)
-	if s.initErr != nil {
-		return false, s.initErr
-	}
-
-	s.lock.Lock()
-	defer s.lock.Unlock()
-
-	// lock store
-	if err := s.lockFile(); err != nil {
-		return false, err
-	}
-
-	// initialise new backend for caller
-	b := new(simpleBackend)
-	b.path = path.Join(s.path...)
-	f(b)
-	// disable backend
-	b.lock.Lock()
-
-	// unlock store
-	return true, s.unlockFile()
-}
-
-func (s *simpleStore) lockFileAct(lt int) (err error) {
-	op := "LockAct"
-	switch lt {
-	case syscall.LOCK_EX:
-		op = "Lock"
-	case syscall.LOCK_UN:
-		op = "Unlock"
-	}
-
-	for {
-		err = syscall.Flock(int(s.lockfile.Fd()), lt)
-		if !errors.Is(err, syscall.EINTR) {
-			break
-		}
-	}
-	if err != nil {
-		return &fs.PathError{
-			Op:   op,
-			Path: s.lockfile.Name(),
-			Err:  err,
-		}
-	}
-	return nil
-}
-
-func (s *simpleStore) lockFile() error {
-	return s.lockFileAct(syscall.LOCK_EX)
-}
-
-func (s *simpleStore) unlockFile() error {
-	return s.lockFileAct(syscall.LOCK_UN)
-}
-
-func (s *simpleStore) prepare() {
-	s.initErr = func() error {
-		prefix := path.Join(s.path...)
-		// ensure directory
-		if err := os.MkdirAll(prefix, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
-			return err
-		}
-
-		// open locker file
-		if f, err := os.OpenFile(prefix+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
-			return err
-		} else {
-			s.lockfile = f
-		}
-
-		return nil
-	}()
-}
-
-func (s *simpleStore) Close() error {
-	s.lock.Lock()
-	defer s.lock.Unlock()
-
-	err := s.lockfile.Close()
-	if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
-		return nil
-	}
-	return err
-}
-
-type simpleBackend struct {
-	path string
-
-	lock sync.RWMutex
-}
-
-func (b *simpleBackend) filename(pid int) string {
-	return path.Join(b.path, strconv.Itoa(pid))
-}
-
-// reads all launchers in simpleBackend
-// file contents are ignored if decode is false
-func (b *simpleBackend) load(decode bool) ([]*State, error) {
-	b.lock.RLock()
-	defer b.lock.RUnlock()
-
-	var (
-		r []*State
-		f *os.File
-	)
-
-	// read directory contents, should only contain files named after PIDs
-	if pl, err := os.ReadDir(b.path); err != nil {
-		return nil, err
-	} else {
-		for _, e := range pl {
-			// run in a function to better handle file closing
-			if err = func() error {
-				// open state file for reading
-				if f, err = os.Open(path.Join(b.path, e.Name())); err != nil {
-					return err
-				} else {
-					defer func() {
-						if f.Close() != nil {
-							// unreachable
-							panic("foreign state file closed prematurely")
-						}
-					}()
-
-					var s State
-					r = append(r, &s)
-
-					// append regardless, but only parse if required, used to implement Len
-					if decode {
-						return gob.NewDecoder(f).Decode(&s)
-					} else {
-						return nil
-					}
-				}
-			}(); err != nil {
-				return nil, err
-			}
-		}
-	}
-
-	return r, nil
-}
-
-// Save writes process state to filesystem
-func (b *simpleBackend) Save(state *State) error {
-	b.lock.Lock()
-	defer b.lock.Unlock()
-
-	statePath := b.filename(state.PID)
-
-	// create and open state data file
-	if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
-		return err
-	} else {
-		defer func() {
-			if f.Close() != nil {
-				// unreachable
-				panic("state file closed prematurely")
-			}
-		}()
-		// encode into state file
-		return gob.NewEncoder(f).Encode(state)
-	}
-}
-
-func (b *simpleBackend) Destroy(pid int) error {
-	b.lock.Lock()
-	defer b.lock.Unlock()
-
-	return os.Remove(b.filename(pid))
-}
-
-func (b *simpleBackend) Load() ([]*State, error) {
-	return b.load(true)
-}
-
-func (b *simpleBackend) Len() (int, error) {
-	// rn consists of only nil entries but has the correct length
-	rn, err := b.load(false)
-	return len(rn), err
-}
-
-// NewSimple returns an instance of a file-based store.
-func NewSimple(runDir string, prefix ...string) Store {
-	b := new(simpleStore)
-	b.path = append([]string{runDir, "state"}, prefix...)
-	return b
-}
--- a/internal/state/state.go
+++ b/internal/state/state.go
@ -3,38 +3,42 @@ package state
 import (
 	"time"

-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/fst"
 )

+type Entries map[fst.ID]*State
+
 type Store interface {
 	// Do calls f exactly once and ensures store exclusivity until f returns.
 	// Returns whether f is called and any errors during the locking process.
-	// Backend provided to f becomes invalid as soon as f returns.
-	Do(f func(b Backend)) (bool, error)
+	// Cursor provided to f becomes invalid as soon as f returns.
+	Do(aid int, f func(c Cursor)) (ok bool, err error)
+
+	// List queries the store and returns a list of aids known to the store.
+	// Note that some or all returned aids might not have any active apps.
+	List() (aids []int, err error)

 	// Close releases any resources held by Store.
 	Close() error
 }

-// Backend provides access to the store
-type Backend interface {
+// Cursor provides access to the store
+type Cursor interface {
 	Save(state *State) error
-	Destroy(pid int) error
-	Load() ([]*State, error)
+	Destroy(id fst.ID) error
+	Load() (Entries, error)
 	Len() (int, error)
 }

 // State is the on-disk format for a fortified process's state information
 type State struct {
+	// fortify instance id
+	ID fst.ID `json:"instance"`
 	// child process PID value
-	PID int
-	// command used to seal the app
-	Command []string
-	// capability enablements applied to child
-	Capability system.Enablements
+	PID int `json:"pid"`
+	// sealed app configuration
+	Config *fst.Config `json:"config"`

-	// full argv whe launching
-	Argv []string
 	// process start time
 	Time time.Time
 }
--- a/internal/state/state_test.go
+++ b/internal/state/state_test.go
@ -0,0 +1,126 @@
+package state_test
+
+import (
+	"math/rand/v2"
+	"reflect"
+	"slices"
+	"testing"
+	"time"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/state"
+)
+
+func testStore(t *testing.T, s state.Store) {
+	t.Run("list empty store", func(t *testing.T) {
+		if aids, err := s.List(); err != nil {
+			t.Fatalf("List: error = %v", err)
+		} else if len(aids) != 0 {
+			t.Fatalf("List: aids = %#v", aids)
+		}
+	})
+
+	const (
+		insertEntryChecked = iota
+		insertEntryNoCheck
+		insertEntryOtherApp
+
+		tl
+	)
+
+	var tc [tl]state.State
+	for i := 0; i < tl; i++ {
+		makeState(t, &tc[i])
+	}
+
+	do := func(aid int, f func(c state.Cursor)) {
+		if ok, err := s.Do(aid, f); err != nil {
+			t.Fatalf("Do: ok = %v, error = %v", ok, err)
+		}
+	}
+
+	insert := func(i, aid int) {
+		do(aid, func(c state.Cursor) {
+			if err := c.Save(&tc[i]); err != nil {
+				t.Fatalf("Save(&tc[%v]): error = %v", i, err)
+			}
+		})
+	}
+
+	check := func(i, aid int) {
+		do(aid, func(c state.Cursor) {
+			if entries, err := c.Load(); err != nil {
+				t.Fatalf("Load: error = %v", err)
+			} else if got, ok := entries[tc[i].ID]; !ok {
+				t.Fatalf("Load: entry %s missing",
+					&tc[i].ID)
+			} else {
+				got.Time = tc[i].Time
+				if !reflect.DeepEqual(got, &tc[i]) {
+					t.Fatalf("Load: entry %s got %#v, want %#v",
+						&tc[i].ID, got, &tc[i])
+				}
+			}
+		})
+	}
+
+	t.Run("insert entry checked", func(t *testing.T) {
+		insert(insertEntryChecked, 0)
+		check(insertEntryChecked, 0)
+	})
+
+	t.Run("insert entry unchecked", func(t *testing.T) {
+		insert(insertEntryNoCheck, 0)
+	})
+
+	t.Run("insert entry different aid", func(t *testing.T) {
+		insert(insertEntryOtherApp, 1)
+		check(insertEntryOtherApp, 1)
+	})
+
+	t.Run("check previous insertion", func(t *testing.T) {
+		check(insertEntryNoCheck, 0)
+	})
+
+	t.Run("list aids", func(t *testing.T) {
+		if aids, err := s.List(); err != nil {
+			t.Fatalf("List: error = %v", err)
+		} else {
+			slices.Sort(aids)
+			want := []int{0, 1}
+			if slices.Compare(aids, want) != 0 {
+				t.Fatalf("List() = %#v, want %#v", aids, want)
+			}
+		}
+	})
+
+	t.Run("clear aid 1", func(t *testing.T) {
+		do(1, func(c state.Cursor) {
+			if err := c.Destroy(tc[insertEntryOtherApp].ID); err != nil {
+				t.Fatalf("Destroy: error = %v", err)
+			}
+		})
+		do(1, func(c state.Cursor) {
+			if l, err := c.Len(); err != nil {
+				t.Fatalf("Len: error = %v", err)
+			} else if l != 0 {
+				t.Fatalf("Len() = %d, want 0", l)
+			}
+		})
+	})
+
+	t.Run("close store", func(t *testing.T) {
+		if err := s.Close(); err != nil {
+			t.Fatalf("Close: error = %v", err)
+		}
+	})
+}
+
+func makeState(t *testing.T, s *state.State) {
+	if err := fst.NewAppID(&s.ID); err != nil {
+		t.Fatalf("cannot create dummy state: %v", err)
+	}
+	s.Config = fst.Template()
+	s.PID = rand.Int()
+	s.Time = time.Now()
+}
--- a/internal/system/acl.go
+++ b/internal/system/acl.go
@ -4,8 +4,8 @@ import (
 	"fmt"
 	"slices"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 // UpdatePerm appends an ephemeral acl update Op.
--- a/internal/system/acl_test.go
+++ b/internal/system/acl_test.go
@ -3,7 +3,7 @@ package system
 import (
 	"testing"

-	"git.ophivana.moe/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/acl"
 )

 func TestUpdatePerm(t *testing.T) {
--- a/internal/system/dbus.go
+++ b/internal/system/dbus.go
@ -7,8 +7,8 @@ import (
 	"strings"
 	"sync"

-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 var (
--- a/internal/system/mkdir.go
+++ b/internal/system/mkdir.go
@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 // Ensure the existence and mode of a directory.
--- a/internal/system/op.go
+++ b/internal/system/op.go
@ -5,7 +5,7 @@ import (
 	"os"
 	"sync"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 const (
--- a/internal/system/op_test.go
+++ b/internal/system/op_test.go
@ -4,7 +4,7 @@ import (
 	"strconv"
 	"testing"

-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 func TestNew(t *testing.T) {
--- a/internal/system/tmpfiles.go
+++ b/internal/system/tmpfiles.go
@ -7,8 +7,8 @@ import (
 	"os"
 	"strconv"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

 // CopyFile registers an Op that copies path dst from src.
--- a/internal/system/tmpfiles_test.go
+++ b/internal/system/tmpfiles_test.go
@ -4,7 +4,7 @@ import (
 	"strconv"
 	"testing"

-	"git.ophivana.moe/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/acl"
 )

 func TestCopyFile(t *testing.T) {
--- a/internal/system/wayland.go
+++ b/internal/system/wayland.go
@ -5,9 +5,9 @@ import (
 	"fmt"
 	"os"

-	"git.ophivana.moe/security/fortify/acl"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/wl"
+	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/wl"
 )

 // Wayland sets up a wayland socket with a security context attached.
--- a/internal/system/xhost.go
+++ b/internal/system/xhost.go
@ -3,8 +3,8 @@ package system
 import (
 	"fmt"

-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/xcb"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/xcb"
 )

 // ChangeHosts appends an X11 ChangeHosts command Op.
--- a/ldd/exec.go
+++ b/ldd/exec.go
@ -6,8 +6,8 @@ import (
 	"os/exec"
 	"strings"

-	"git.ophivana.moe/security/fortify/helper"
-	"git.ophivana.moe/security/fortify/helper/bwrap"
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )

 func Exec(p string) ([]*Entry, error) {
--- a/ldd/ldd_test.go
+++ b/ldd/ldd_test.go
@ -6,7 +6,7 @@ import (
 	"strings"
 	"testing"

-	"git.ophivana.moe/security/fortify/ldd"
+	"git.gensokyo.uk/security/fortify/ldd"
 )

 func TestParseError(t *testing.T) {
--- a/main.go
+++ b/main.go
@ -11,13 +11,14 @@ import (
 	"sync"
 	"text/tabwriter"

-	"git.ophivana.moe/security/fortify/dbus"
-	"git.ophivana.moe/security/fortify/internal"
-	"git.ophivana.moe/security/fortify/internal/app"
-	"git.ophivana.moe/security/fortify/internal/fmsg"
-	"git.ophivana.moe/security/fortify/internal/linux"
-	"git.ophivana.moe/security/fortify/internal/state"
-	"git.ophivana.moe/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/state"
+	"git.gensokyo.uk/security/fortify/internal/system"
 )

 var (
@ -102,7 +103,7 @@ func main() {
 		fmt.Println(license)
 		fmsg.Exit(0)
 	case "template": // print full template configuration
-		if s, err := json.MarshalIndent(app.Template(), "", "  "); err != nil {
+		if s, err := json.MarshalIndent(fst.Template(), "", "  "); err != nil {
 			fmsg.Fatalf("cannot generate template: %v", err)
 			panic("unreachable")
 		} else {
@ -129,7 +130,7 @@ func main() {
 			fmsg.Fatal("app requires at least 1 argument")
 		}

-		config := new(app.Config)
+		config := new(fst.Config)
 		if f, err := os.Open(args[1]); err != nil {
 			fmsg.Fatalf("cannot access config file %q: %s", args[1], err)
 			panic("unreachable")
@ -179,7 +180,7 @@ func main() {
 		_ = set.Parse(args[1:])

 		// initialise config from flags
-		config := &app.Config{
+		config := &fst.Config{
 			ID:      fid,
 			Command: set.Args(),
 		}
@ -275,11 +276,7 @@ func main() {
 	panic("unreachable")
 }

-func runApp(config *app.Config) {
-	if os.SdBooted() {
-		fmsg.VPrintln("system booted with systemd as init system")
-	}
-
+func runApp(config *fst.Config) {
 	a, err := app.New(os)
 	if err != nil {
 		fmsg.Fatalf("cannot create app: %s\n", err)
--- a/nixos.nix
+++ b/nixos.nix
@ -10,7 +10,6 @@ let
    mkIf
    mkDefault
    mapAttrs
-    mapAttrsToList
    mergeAttrsList
    imap1
    foldr
--- a/options.md
+++ b/options.md
@ -36,7 +36,7 @@ package


 *Default:*
-` <derivation fortify-0.2.1> `
+` <derivation fortify-0.2.5> `



--- a/options.nix
+++ b/options.nix
@ -31,7 +31,6 @@ in
          let
            inherit (types)
              str
-              enum
              bool
              package
              anything
--- a/package.nix
+++ b/package.nix
@ -14,7 +14,7 @@

 buildGoModule rec {
  pname = "fortify";
-  version = "0.2.2";
+  version = "0.2.5";

  src = ./.;
  vendorHash = null;
@ -26,7 +26,7 @@ buildGoModule rec {
        ldflags
        ++ [
          "-X"
-          "git.ophivana.moe/security/fortify/internal.${name}=${value}"
+          "git.gensokyo.uk/security/fortify/internal.${name}=${value}"
        ]
      )
      [
@ -43,6 +43,9 @@ buildGoModule rec {
        Finit = "${placeholder "out"}/libexec/finit";
      };

+  # nix build environment does not allow acls
+  GO_TEST_SKIP_ACL = 1;
+
  buildInputs = [
    acl
    wayland
--- a/test.nix
+++ b/test.nix
@ -0,0 +1,221 @@
+{
+  system,
+  self,
+  home-manager,
+  nixosTest,
+}:
+
+nixosTest {
+  name = "fortify";
+
+  # adapted from nixos sway integration tests
+
+  # testScriptWithTypes:49: error: Cannot call function of unknown type
+  #           (machine.succeed if succeed else machine.execute)(
+  #           ^
+  # Found 1 error in 1 file (checked 1 source file)
+  skipTypeCheck = true;
+
+  nodes.machine =
+    { lib, pkgs, ... }:
+    {
+      users.users.alice = {
+        isNormalUser = true;
+        description = "Alice Foobar";
+        password = "foobar";
+        uid = 1000;
+      };
+
+      home-manager.users.alice.home.stateVersion = "24.11";
+
+      # Automatically login on tty1 as a normal user:
+      services.getty.autologinUser = "alice";
+
+      environment = {
+        systemPackages = with pkgs; [
+          # For glinfo and wayland-info:
+          mesa-demos
+          wayland-utils
+          alacritty
+
+          # For go tests:
+          self.devShells.${system}.fhs
+        ];
+
+        variables = {
+          SWAYSOCK = "/tmp/sway-ipc.sock";
+          WLR_RENDERER = "pixman";
+        };
+
+        # To help with OCR:
+        etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
+          main = {
+            font = "inconsolata:size=14";
+          };
+          colors = rec {
+            foreground = "000000";
+            background = "ffffff";
+            regular2 = foreground;
+          };
+        };
+      };
+
+      fonts.packages = [ pkgs.inconsolata ];
+
+      # Automatically configure and start Sway when logging in on tty1:
+      programs.bash.loginShellInit = ''
+        if [ "$(tty)" = "/dev/tty1" ]; then
+          set -e
+
+          mkdir -p ~/.config/sway
+          sed s/Mod4/Mod1/ /etc/sway/config > ~/.config/sway/config
+
+          sway --validate
+          sway && touch /tmp/sway-exit-ok
+        fi
+      '';
+
+      programs.sway.enable = true;
+
+      virtualisation.qemu.options = [
+        # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
+        "-vga none -device virtio-gpu-pci"
+
+        # Increase Go test compiler performance:
+        "-smp 8"
+      ];
+
+      environment.fortify = {
+        enable = true;
+        stateDir = "/var/lib/fortify";
+        users.alice = 0;
+      };
+
+      imports = [
+        self.nixosModules.fortify
+        home-manager.nixosModules.home-manager
+      ];
+    };
+
+  testScript = ''
+    import shlex
+    import json
+
+    q = shlex.quote
+    NODE_GROUPS = ["nodes", "floating_nodes"]
+
+
+    def swaymsg(command: str = "", succeed=True, type="command"):
+        assert command != "" or type != "command", "Must specify command or type"
+        shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
+        with machine.nested(
+            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
+        ):
+            ret = (machine.succeed if succeed else machine.execute)(
+                f"su - alice -c {shell}"
+            )
+
+        # execute also returns a status code, but disregard.
+        if not succeed:
+            _, ret = ret
+
+        if not succeed and not ret:
+            return None
+
+        parsed = json.loads(ret)
+        return parsed
+
+
+    def walk(tree):
+        yield tree
+        for group in NODE_GROUPS:
+          for node in tree.get(group, []):
+              yield from walk(node)
+
+
+    def wait_for_window(pattern):
+        def func(last_chance):
+            nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
+
+            if last_chance:
+                nodes = list(nodes)
+                machine.log(f"Last call! Current list of windows: {nodes}")
+
+            return any(pattern in name for name in nodes)
+
+        retry(func)
+
+    def collect_state_ui(name):
+        swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
+        machine.copy_from_vm(f"/tmp/{name}.ps", "")
+        machine.screenshot(name)
+
+    start_all()
+    machine.wait_for_unit("multi-user.target")
+
+    # Run fortify Go tests outside of nix build:
+    machine.succeed("rm -rf /tmp/src && cp -a '${self.packages.${system}.fortify.src}' /tmp/src")
+    print(machine.succeed("fortify-fhs -c '(cd /tmp/src && go generate ./... && go test ./...)'"))
+
+    # To check sway's version:
+    print(machine.succeed("sway --version"))
+
+    # Wait for Sway to complete startup:
+    machine.wait_for_file("/run/user/1000/wayland-1")
+    machine.wait_for_file("/tmp/sway-ipc.sock")
+
+    # Create fortify aid 0 home directory:
+    machine.succeed("install -dm 0700 -o 1000000 -g 1000000 /var/lib/fortify/u0/a0")
+
+    # Start fortify outside Wayland session:
+    print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare"))
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-bare")
+
+    # Start fortify within Wayland session:
+    swaymsg("exec fortify -v run --wayland touch /tmp/success-session")
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-session")
+
+    # Start a terminal (foot) within fortify on workspace 3:
+    machine.send_key("alt-3")
+    machine.sleep(3)
+    swaymsg("exec fortify run --wayland foot")
+    wait_for_window("u0_a0@machine")
+    machine.send_chars("wayland-info && touch /tmp/success-client\n")
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client")
+    collect_state_ui("foot_wayland_permissive")
+    # Verify acl on XDG_RUNTIME_DIR:
+    print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
+    machine.send_chars("exit\n")
+    machine.wait_until_fails("pgrep foot")
+    # Verify acl cleanup on XDG_RUNTIME_DIR:
+    machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
+
+    # Start a terminal (foot) within fortify from a terminal on workspace 4:
+    machine.send_key("alt-4")
+    machine.sleep(3)
+    swaymsg("exec foot fortify run --wayland foot")
+    wait_for_window("u0_a0@machine")
+    machine.send_chars("wayland-info && touch /tmp/success-client-term\n")
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-term")
+    collect_state_ui("foot_wayland_permissive_term")
+    machine.send_chars("exit\n")
+    machine.wait_until_fails("pgrep foot")
+
+    # Test XWayland (foot does not support X):
+    swaymsg("exec fortify run -X alacritty")
+    wait_for_window("u0_a0@machine")
+    machine.send_chars("glinfo && touch /tmp/success-client-x11\n")
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/success-client-x11")
+    collect_state_ui("alacritty_x11_permissive")
+    machine.send_chars("exit\n")
+    machine.wait_until_fails("pgrep alacritty")
+
+    # Exit Sway and verify process exit status 0:
+    swaymsg("exit", succeed=False)
+    machine.wait_until_fails("pgrep -x sway")
+    machine.wait_for_file("/tmp/sway-exit-ok")
+
+    # Print fortify runDir contents:
+    print(machine.succeed("find /run/user/1000/fortify"))
+  '';
+}
--- a/xcb/c.go
+++ b/xcb/c.go
@ -1,33 +1,124 @@
 package xcb

 import (
-	"errors"
+	"runtime"
+	"unsafe"
 )

-//#include <stdlib.h>
-//#include <xcb/xcb.h>
-//#cgo linux LDFLAGS: -lxcb
+/*
+#cgo linux pkg-config: xcb
+
+#include <stdlib.h>
+#include <xcb/xcb.h>
+
+static int _go_xcb_change_hosts_checked(xcb_connection_t *c, uint8_t mode, uint8_t family, uint16_t address_len, const uint8_t *address) {
+	xcb_void_cookie_t cookie = xcb_change_hosts_checked(c, mode, family, address_len, address);
+	free((void *)address);
+
+	int errno = xcb_connection_has_error(c);
+	if (errno != 0)
+		return errno;
+
+	xcb_generic_error_t *e = xcb_request_check(c, cookie);
+	if (e != NULL) {
+		// don't want to deal with xcb errors
+		free((void *)e);
+		return -1;
+	}
+
+	return 0;
+}
+*/
 import "C"

-func xcbHandleConnectionError(c *C.xcb_connection_t) error {
-	if errno := C.xcb_connection_has_error(c); errno != 0 {
+const (
+	HostModeInsert = C.XCB_HOST_MODE_INSERT
+	HostModeDelete = C.XCB_HOST_MODE_DELETE
+
+	FamilyInternet          = C.XCB_FAMILY_INTERNET
+	FamilyDecnet            = C.XCB_FAMILY_DECNET
+	FamilyChaos             = C.XCB_FAMILY_CHAOS
+	FamilyServerInterpreted = C.XCB_FAMILY_SERVER_INTERPRETED
+	FamilyInternet6         = C.XCB_FAMILY_INTERNET_6
+)
+
+type (
+	HostMode = C.xcb_host_mode_t
+	Family   = C.xcb_family_t
+)
+
+func (conn *connection) changeHostsChecked(mode HostMode, family Family, address string) error {
+	errno := C._go_xcb_change_hosts_checked(
+		conn.c,
+		C.uint8_t(mode),
+		C.uint8_t(family),
+		C.uint16_t(len(address)),
+		(*C.uint8_t)(unsafe.Pointer(C.CString(address))),
+	)
 	switch errno {
-		case C.XCB_CONN_ERROR:
-			return errors.New("connection error")
-		case C.XCB_CONN_CLOSED_EXT_NOTSUPPORTED:
-			return errors.New("extension not supported")
-		case C.XCB_CONN_CLOSED_MEM_INSUFFICIENT:
-			return errors.New("memory not available")
-		case C.XCB_CONN_CLOSED_REQ_LEN_EXCEED:
-			return errors.New("request length exceeded")
-		case C.XCB_CONN_CLOSED_PARSE_ERR:
-			return errors.New("invalid display string")
-		case C.XCB_CONN_CLOSED_INVALID_SCREEN:
-			return errors.New("server has no screen matching display")
+	case 0:
+		return nil
+	case -1:
+		return ErrChangeHosts
 	default:
-			return errors.New("generic X11 failure")
+		return &ConnectionError{errno}
 	}
-	} else {
+}
+
+type connection struct{ c *C.xcb_connection_t }
+
+func connect() (*connection, error) {
+	conn := newConnection(C.xcb_connect(nil, nil))
+	return conn, conn.hasError()
+}
+
+func newConnection(c *C.xcb_connection_t) *connection {
+	conn := &connection{c}
+	runtime.SetFinalizer(conn, (*connection).disconnect)
+	return conn
+}
+
+const (
+	ConnError                 = C.XCB_CONN_ERROR
+	ConnClosedExtNotSupported = C.XCB_CONN_CLOSED_EXT_NOTSUPPORTED
+	ConnClosedMemInsufficient = C.XCB_CONN_CLOSED_MEM_INSUFFICIENT
+	ConnClosedReqLenExceed    = C.XCB_CONN_CLOSED_REQ_LEN_EXCEED
+	ConnClosedParseErr        = C.XCB_CONN_CLOSED_PARSE_ERR
+	ConnClosedInvalidScreen   = C.XCB_CONN_CLOSED_INVALID_SCREEN
+)
+
+type ConnectionError struct{ errno C.int }
+
+func (ce *ConnectionError) Error() string {
+	switch ce.errno {
+	case ConnError:
+		return "connection error"
+	case ConnClosedExtNotSupported:
+		return "extension not supported"
+	case ConnClosedMemInsufficient:
+		return "memory not available"
+	case ConnClosedReqLenExceed:
+		return "request length exceeded"
+	case ConnClosedParseErr:
+		return "invalid display string"
+	case ConnClosedInvalidScreen:
+		return "server has no screen matching display"
+	default:
+		return "generic X11 failure"
+	}
+}
+
+func (conn *connection) hasError() error {
+	errno := C.xcb_connection_has_error(conn.c)
+	if errno == 0 {
 		return nil
 	}
+	return &ConnectionError{errno}
+}
+
+func (conn *connection) disconnect() {
+	C.xcb_disconnect(conn.c)
+
+	// no need for a finalizer anymore
+	runtime.SetFinalizer(conn, nil)
 }
--- a/xcb/export.go
+++ b/xcb/export.go
@ -1,63 +1,22 @@
 // Package xcb implements X11 ChangeHosts via libxcb.
 package xcb

-//#include <stdlib.h>
-//#include <xcb/xcb.h>
-//#cgo linux LDFLAGS: -lxcb
-import "C"
 import (
 	"errors"
-	"unsafe"
 )

-const (
-	HostModeInsert = C.XCB_HOST_MODE_INSERT
-	HostModeDelete = C.XCB_HOST_MODE_DELETE
+var ErrChangeHosts = errors.New("xcb_change_hosts() failed")

-	FamilyInternet          = C.XCB_FAMILY_INTERNET
-	FamilyDecnet            = C.XCB_FAMILY_DECNET
-	FamilyChaos             = C.XCB_FAMILY_CHAOS
-	FamilyServerInterpreted = C.XCB_FAMILY_SERVER_INTERPRETED
-	FamilyInternet6         = C.XCB_FAMILY_INTERNET_6
-)
+func ChangeHosts(mode HostMode, family Family, address string) error {
+	var conn *connection

-type ConnectionError struct {
-	err error
+	if c, err := connect(); err != nil {
+		c.disconnect()
+		return err
+	} else {
+		defer c.disconnect()
+		conn = c
 	}

-func (e *ConnectionError) Error() string {
-	return e.err.Error()
-}
-
-func (e *ConnectionError) Unwrap() error {
-	return e.err
-}
-
-var (
-	ErrChangeHosts = errors.New("xcb_change_hosts() failed")
-)
-
-func ChangeHosts(mode, family C.uint8_t, address string) error {
-	c := C.xcb_connect(nil, nil)
-	defer C.xcb_disconnect(c)
-
-	if err := xcbHandleConnectionError(c); err != nil {
-		return &ConnectionError{err}
-	}
-
-	addr := C.CString(address)
-	cookie := C.xcb_change_hosts_checked(c, mode, family, C.ushort(len(address)), (*C.uchar)(unsafe.Pointer(addr)))
-	C.free(unsafe.Pointer(addr))
-
-	if err := xcbHandleConnectionError(c); err != nil {
-		return &ConnectionError{err}
-	}
-
-	e := C.xcb_request_check(c, cookie)
-	if e != nil {
-		defer C.free(unsafe.Pointer(e))
-		return ErrChangeHosts
-	}
-
-	return nil
+	return conn.changeHostsChecked(mode, family, address)
 }
Author	SHA1	Message	Date
Ophestra Umiker	195b717e01	release: 0.2.5 All checks were successful Tests / Go tests (push) Successful in 49s Details Create distribution / Release (push) Successful in 1m6s Details Nix / NixOS tests (push) Successful in 1m23s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:28:48 +09:00
Ophestra Umiker	df6fc298f6	migrate to git.gensokyo.uk/security/fortify All checks were successful Tests / Go tests (push) Successful in 2m55s Details Nix / NixOS tests (push) Successful in 5m10s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-20 00:20:02 +09:00
Ophestra Umiker	eae3034260	state: expose aids and use instance id as key All checks were successful Tests / Go tests (push) Successful in 39s Details Nix / NixOS tests (push) Successful in 3m26s Details Fortify state store instances was specific to aids due to outdated design decisions carried over from the ego rewrite. That no longer makes sense in the current application, so the interface now enables a single store object to manage all transient state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 21:36:17 +09:00
Ophestra Umiker	5ea7333431	fst: implement app id parser All checks were successful Tests / Go tests (push) Successful in 40s Details Nix / NixOS tests (push) Successful in 3m8s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 18:19:47 +09:00
Ophestra Umiker	f796622c35	state: rename simple store implementation All checks were successful Tests / Go tests (push) Successful in 42s Details Nix / NixOS tests (push) Successful in 3m4s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 11:48:48 +09:00
Ophestra Umiker	5d25bee786	fortify: remove systemd check All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 3m3s Details This is no longer necessary as fortify no longer integrates with external user switchers. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 11:14:31 +09:00
Ophestra Umiker	b48ece3bb0	acl: use test-managed tmpdir All checks were successful Tests / Go tests (push) Successful in 44s Details Nix / NixOS tests (push) Successful in 3m7s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-19 11:08:13 +09:00
Ophestra Umiker	9f95f60400	release: 0.2.4 All checks were successful Tests / Go tests (push) Successful in 52s Details Create distribution / Release (push) Successful in 1m9s Details Nix / NixOS tests (push) Successful in 1m23s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 23:52:52 +09:00
Ophestra Umiker	90dd57f75d	workflows: cache nix store All checks were successful Tests / Go tests (push) Successful in 45s Details Nix / NixOS tests (push) Successful in 1m11s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 23:38:39 +09:00
Ophestra Umiker	141f2e3685	workflows: cache apt packages All checks were successful Tests / Go tests (push) Successful in 36s Details Nix / NixOS tests (push) Successful in 5m43s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 23:05:28 +09:00
Ophestra Umiker	73aa285e8f	workflows: upload nixos test output All checks were successful Tests / Go tests (push) Successful in 44s Details Nix / NixOS tests (push) Successful in 5m45s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 20:32:40 +09:00
Ophestra Umiker	6e87fc02dd	workflows: build and upload test distribution All checks were successful Tests / Go tests (push) Successful in 43s Details Nix / NixOS tests (push) Successful in 5m33s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 20:28:35 +09:00
Ophestra Umiker	52f21a19f3	cmd/fshim: switch to setup pipe All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 5m43s Details The socket-based approach is no longer necessary as fsu allows extra files and sudo compatibility is no longer relevant. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 19:39:25 +09:00
Ophestra Umiker	7be53a2438	cmd/fshim: switch to generic setup func All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 5m47s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 17:20:31 +09:00
Ophestra Umiker	7f29b37a32	proc: setup payload send Generic setup payload encoder adapted from fshim. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 17:20:01 +09:00
Ophestra Umiker	f69e8e753e	cmd/finit: switch to generic receive func All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 5m40s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 16:49:19 +09:00
Ophestra Umiker	ef8fd37e9d	proc: setup payload receive Generic implementation of setup payload receiver adapted from finit. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 16:48:41 +09:00
Ophestra Umiker	2f676c9d6e	fst: rename from fipc All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 5m48s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:50:46 +09:00
Ophestra Umiker	bbace8f84b	nix: increase cpu count All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 5m41s Details This improves performance, especially when kvm is inaccessible. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 15:32:52 +09:00
Ophestra Umiker	2efedf56c0	nix: collect fortify ps output All checks were successful Tests / Go tests (push) Successful in 38s Details Nix / NixOS tests (push) Successful in 10m38s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 13:48:39 +09:00
Ophestra Umiker	b752ec4468	fipc: export config struct All checks were successful Tests / Go tests (push) Successful in 1m12s Details Nix / NixOS tests (push) Successful in 10m51s Details Also store full config as part of state. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 13:45:55 +09:00
Ophestra Umiker	5d00805a7c	nix: check acl rollback All checks were successful Tests / Go tests (push) Successful in 1m1s Details Nix / NixOS tests (push) Successful in 10m32s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-18 12:49:32 +09:00
Ophestra Umiker	7b6052a473	nix: run Go tests in nixos All checks were successful Tests / Go tests (push) Successful in 41s Details Nix / NixOS tests (push) Successful in 9m56s Details Nix build environment does not support ACLs in any filesystem. This allows acl tests to run. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 21:16:55 +09:00
Ophestra Umiker	38653c6ab5	release: 0.2.3 All checks were successful Tests / Go tests (push) Successful in 55s Details Create distribution / Release (push) Successful in 1m1s Details Nix / NixOS tests (push) Successful in 5m5s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 14:06:17 +09:00
Ophestra Umiker	b5cbbeab90	dist: generate distribution tarball All checks were successful Tests / Go tests (push) Successful in 46s Details Create distribution / Release (push) Successful in 49s Details Nix / NixOS tests (push) Successful in 5m9s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 14:02:54 +09:00
Ophestra Umiker	c3ba0c3cce	nix: rename nixos test All checks were successful Tests / Go tests (push) Successful in 39s Details Nix / NixOS tests (push) Successful in 5m0s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 13:02:12 +09:00
Ophestra Umiker	b453f70ca2	cmd/fsu: check uid range before syscall All checks were successful Tests / Go tests (push) Successful in 43s Details Nix / NixOS tests (push) Successful in 5m0s Details This limits potential exploits to the fortify uid range. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 13:01:36 +09:00
Ophestra Umiker	c2b178e626	xcb: refactor and clean up All checks were successful Tests / Go tests (push) Successful in 45s Details Nix / NixOS tests (push) Successful in 5m2s Details No clean way to write Go tests for this package. Will rely on NixOS tests for now. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 12:46:36 +09:00
Ophestra Umiker	aeda40fc92	nix: test x11 permissive defaults All checks were successful Tests / Go tests (push) Successful in 40s Details Nix / NixOS tests (push) Successful in 4m51s Details Also invoke glinfo/wayland-info as part of tests. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 12:40:29 +09:00
Ophestra Umiker	65dc39956f	workflows: set action names All checks were successful Tests / Go tests (push) Successful in 42s Details Nix / NixOS tests (push) Successful in 4m33s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 11:12:39 +09:00
Ophestra Umiker	35505c8a26	workflows: invoke nix flake checks All checks were successful check / nix-flake-check (push) Successful in 4m32s Details test / test (push) Successful in 37s Details Integration tests are implemented as nix flake checks. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-17 10:49:43 +09:00
Ophestra Umiker	3f993021f8	nix: permissive defaults nixos test All checks were successful test / test (push) Successful in 37s Details Adapted from nixos sway integration tests. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 22:56:10 +09:00
Ophestra Umiker	4d3bd5338f	nix: implement flake checks All checks were successful test / test (push) Successful in 36s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 20:54:28 +09:00
Ophestra Umiker	138666d753	nix: skip acl test All checks were successful test / test (push) Successful in 39s Details The nix build environment does not support ACLs. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 19:29:01 +09:00
Ophestra Umiker	f4628e181b	acl: create test file in tmpdir All checks were successful test / test (push) Successful in 37s Details Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 18:58:09 +09:00
Ophestra Umiker	c8a90666c5	acl: refactor and clean up All checks were successful test / test (push) Successful in 37s Details Move all C code to c.go, switch to pkg-config, set up finalizer for acl. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 18:27:19 +09:00
Ophestra Umiker	ee41b37606	acl: add tests All checks were successful test / test (push) Successful in 37s Details These tests test UpdatePerm correctness by parsing getfacl output. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>	2024-12-16 16:00:31 +09:00