release: 0.3.3

Signed-off-by: Ophestra <cat@gensokyo.uk>
sandbox: document less obvious parts of setup
2025-04-01 01:42:10 +09:00 · 2025-04-01 01:21:04 +09:00 · 2025-04-01 00:53:04 +09:00 · 2025-04-01 00:47:32 +09:00 · 2025-03-31 21:27:31 +09:00 · 2025-03-31 04:54:10 +09:00
220 changed files with 15016 additions and 6821 deletions
--- a/.gitea/workflows/nix.yml
+++ b/.gitea/workflows/nix.yml
@ -1,46 +0,0 @@
-name: Nix
-
-on:
-  - push
-  - pull_request
-
-jobs:
-  tests:
-    name: NixOS tests
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        with:
-          # explicitly enable sandbox
-          install_options: --daemon
-          extra_nix_config: |
-            sandbox = true
-            system-features = nixos-test benchmark big-parallel kvm
-          enable_kvm: true
-
-      - name: Ensure environment
-        run: >-
-          apt-get update && apt-get install -y sqlite3
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Restore Nix store
-        uses: nix-community/cache-nix-action@v5
-        with:
-          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-${{ runner.os }}-
-
-      - name: Run tests
-        run: |
-          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
-          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
-
-      - name: Upload test output
-        uses: actions/upload-artifact@v3
-        with:
-          name: "result"
-          path: result/*
-          retention-days: 1
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@ -1,53 +1,24 @@
-name: Create distribution
+name: Release

 on:
  push:
    tags:
-      - '*'
+      - 'v*'

 jobs:
  release:
-    name: Release
-    runs-on: ubuntu-latest
-    container:
-      image: node:16-bookworm-slim
+    name: Create release
+    runs-on: nix
    steps:
-      - name: Get dependencies
-        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
-          apt-get update &&
-          apt-get install -y
-          acl
-          git
-          gcc
-          pkg-config
-          libwayland-dev
-          wayland-protocols/bookworm-backports
-          libxcb1-dev
-          libacl1-dev
-        if: ${{ runner.os == 'Linux' }}
-
      - name: Checkout
        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup go
-        uses: https://github.com/actions/setup-go@v5
-        with:
-          go-version: '>=1.23.0'
-
-      - name: Go generate
-        run: >-
-          go generate ./...

      - name: Build for release
-        run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh
+        run: nix build --print-out-paths --print-build-logs .#dist

      - name: Release
-        id: use-go-action
        uses: https://gitea.com/actions/release-action@main
        with:
          files: |-
-            dist/fortify-**
+            result/fortify-**
          api_key: '${{secrets.RELEASE_TOKEN}}'
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -1,62 +1,130 @@
-name: Tests
+name: Test

 on:
  - push
  - pull_request

 jobs:
-  test:
-    name: Go tests
-    runs-on: ubuntu-latest
-    container:
-      image: node:16-bookworm-slim
+  fortify:
+    name: Fortify
+    runs-on: nix
    steps:
-      - name: Enable backports
-        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Ensure environment
-        run: >-
-          apt-get update && apt-get install -y curl wget sudo libxml2
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Get dependencies
-        uses: awalsh128/cache-apt-pkgs-action@latest
-        with:
-          packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
-          version: 1.0
-          #execute_install_scripts: true
-        if: ${{ runner.os == 'Linux' }}
-
      - name: Checkout
        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
        with:
-          fetch-depth: 0
+          name: "fortify-vm-output"
+          path: result/*
+          retention-days: 1

-      - name: Setup go
-        uses: https://github.com/actions/setup-go@v5
+  race:
+    name: Fortify (race detector)
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.race
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
        with:
-          go-version: '>=1.23.0'
+          name: "fortify-race-vm-output"
+          path: result/*
+          retention-days: 1

-      - name: Go generate
-        run: >-
-          go generate ./...
+  sandbox:
+    name: Sandbox
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4

-      - name: Run tests
-        run: >-
-          go test ./...
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sandbox
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "sandbox-vm-output"
+          path: result/*
+          retention-days: 1
+
+  sandbox-race:
+    name: Sandbox (race detector)
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sandbox-race
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "sandbox-race-vm-output"
+          path: result/*
+          retention-days: 1
+
+  fpkg:
+    name: Fpkg
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fpkg
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "fpkg-vm-output"
+          path: result/*
+          retention-days: 1
+
+  check:
+    name: Flake checks
+    needs:
+      - fortify
+      - race
+      - sandbox
+      - sandbox-race
+      - fpkg
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run checks
+        run: nix --print-build-logs --experimental-features 'nix-command flakes' flake check
+
+  dist:
+    name: Create distribution
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4

      - name: Build for test
        id: build-test
        run: >-
-          FORTIFY_VERSION="$(git rev-parse --short HEAD)"
-          bash -c './dist/release.sh &&
-          echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
+          export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
+          nix build --print-out-paths --print-build-logs .#dist &&
+          mv package.nix.old package.nix &&
+          echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT

      - name: Upload test build
        uses: actions/upload-artifact@v3
        with:
          name: "fortify-${{ steps.build-test.outputs.rev }}"
-          path: dist/fortify-*
+          path: result/*
          retention-days: 1
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+*.pkg
 /fortify

 # Test binary, built with `go test -c`
--- a/acl/acl-update.c
+++ b/acl/acl-update.c
@ -0,0 +1,69 @@
+#include "acl-update.h"
+#include <stdlib.h>
+#include <stdbool.h>
+#include <sys/acl.h>
+#include <acl/libacl.h>
+
+int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen) {
+    int ret = -1;
+    bool v;
+    int i;
+    acl_t acl;
+    acl_entry_t entry;
+    acl_tag_t tag_type;
+    void *qualifier_p;
+    acl_permset_t permset;
+
+    acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
+    if (acl == NULL)
+        goto out;
+
+    // prune entries by uid
+    for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1; i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
+        if (acl_get_tag_type(entry, &tag_type) != 0)
+            return -1;
+        if (tag_type != ACL_USER)
+            continue;
+
+        qualifier_p = acl_get_qualifier(entry);
+        if (qualifier_p == NULL)
+            return -1;
+        v = *(uid_t *)qualifier_p == uid;
+        acl_free(qualifier_p);
+
+        if (!v)
+            continue;
+
+        acl_delete_entry(acl, entry);
+    }
+
+    if (plen == 0)
+        goto set;
+
+    if (acl_create_entry(&acl, &entry) != 0)
+        goto out;
+    if (acl_get_permset(entry, &permset) != 0)
+        goto out;
+    for (i = 0; i < plen; i++) {
+        if (acl_add_perm(permset, perms[i]) != 0)
+            goto out;
+    }
+    if (acl_set_tag_type(entry, ACL_USER) != 0)
+        goto out;
+    if (acl_set_qualifier(entry, (void *)&uid) != 0)
+        goto out;
+
+set:
+    if (acl_calc_mask(&acl) != 0)
+        goto out;
+    if (acl_valid(acl) != 0)
+        goto out;
+    if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
+        ret = 0;
+
+out:
+    free((void *)path_p);
+    if (acl != NULL)
+        acl_free((void *)acl);
+    return ret;
+}
--- a/acl/acl-update.h
+++ b/acl/acl-update.h
@ -0,0 +1,3 @@
+#include <sys/acl.h>
+
+int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen);
--- a/acl/acl.go
+++ b/acl/acl.go
@ -1,19 +1,36 @@
 // Package acl implements simple ACL manipulation via libacl.
 package acl

-type Perms []Perm
+/*
+#cgo linux pkg-config: --static libacl

-func (ps Perms) String() string {
-	var s = []byte("---")
-	for _, p := range ps {
-		switch p {
-		case Read:
-			s[0] = 'r'
-		case Write:
-			s[1] = 'w'
-		case Execute:
-			s[2] = 'x'
-		}
+#include "acl-update.h"
+*/
+import "C"
+
+type Perm C.acl_perm_t
+
+const (
+	Read    Perm = C.ACL_READ
+	Write   Perm = C.ACL_WRITE
+	Execute Perm = C.ACL_EXECUTE
+)
+
+// Update replaces ACL_USER entry with qualifier uid.
+func Update(name string, uid int, perms ...Perm) error {
+	var p *Perm
+	if len(perms) > 0 {
+		p = &perms[0]
 	}
-	return string(s)
+
+	r, err := C.f_acl_update_file_by_uid(
+		C.CString(name),
+		C.uid_t(uid),
+		(*C.acl_perm_t)(p),
+		C.size_t(len(perms)),
+	)
+	if r == 0 {
+		return nil
+	}
+	return err
 }
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@ -47,7 +47,7 @@ func TestUpdatePerm(t *testing.T) {
 	})

 	t.Run("default clear mask", func(t *testing.T) {
-		if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+		if err := acl.Update(testFilePath, uid); err != nil {
 			t.Fatalf("UpdatePerm: error = %v", err)
 		}
 		if cur = getfacl(t, testFilePath); len(cur) != 4 {
@ -56,7 +56,7 @@ func TestUpdatePerm(t *testing.T) {
 	})

 	t.Run("default clear consistency", func(t *testing.T) {
-		if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+		if err := acl.Update(testFilePath, uid); err != nil {
 			t.Fatalf("UpdatePerm: error = %v", err)
 		}
 		if val := getfacl(t, testFilePath); !reflect.DeepEqual(val, cur) {
@ -76,7 +76,7 @@ func TestUpdatePerm(t *testing.T) {
 func testUpdate(t *testing.T, testFilePath, name string, cur []*getFAclResp, val fAclPerm, perms ...acl.Perm) {
 	t.Run(name, func(t *testing.T) {
 		t.Cleanup(func() {
-			if err := acl.UpdatePerm(testFilePath, uid); err != nil {
+			if err := acl.Update(testFilePath, uid); err != nil {
 				t.Fatalf("UpdatePerm: error = %v", err)
 			}
 			if v := getfacl(t, testFilePath); !reflect.DeepEqual(v, cur) {
@ -84,7 +84,7 @@ func testUpdate(t *testing.T, testFilePath, name string, cur []*getFAclResp, val
 			}
 		})

-		if err := acl.UpdatePerm(testFilePath, uid, perms...); err != nil {
+		if err := acl.Update(testFilePath, uid, perms...); err != nil {
 			t.Fatalf("UpdatePerm: error = %v", err)
 		}
 		r := respByCred(getfacl(t, testFilePath), fAclTypeUser, cred)
--- a/acl/c.go
+++ b/acl/c.go
@ -1,196 +0,0 @@
-package acl
-
-import "C"
-import (
-	"errors"
-	"runtime"
-	"syscall"
-	"unsafe"
-)
-
-/*
-#cgo linux pkg-config: libacl
-
-#include <stdlib.h>
-#include <sys/acl.h>
-#include <acl/libacl.h>
-
-static acl_t _go_acl_get_file(const char *path_p, acl_type_t type) {
-	acl_t acl = acl_get_file(path_p, type);
-	free((void *)path_p);
-	return acl;
-}
-
-static int _go_acl_set_file(const char *path_p, acl_type_t type, acl_t acl) {
-	if (acl_valid(acl) != 0) {
-		return -1;
-	}
-
-	int ret = acl_set_file(path_p, type, acl);
-	free((void *)path_p);
-	return ret;
-}
-*/
-import "C"
-
-func getFile(name string, t C.acl_type_t) (*ACL, error) {
-	a, err := C._go_acl_get_file(C.CString(name), t)
-	if errors.Is(err, syscall.ENODATA) {
-		err = nil
-	}
-
-	return newACL(a), err
-}
-
-func (acl *ACL) setFile(name string, t C.acl_type_t) error {
-	_, err := C._go_acl_set_file(C.CString(name), t, acl.acl)
-	return err
-}
-
-func newACL(a C.acl_t) *ACL {
-	acl := &ACL{a}
-	runtime.SetFinalizer(acl, (*ACL).free)
-	return acl
-}
-
-type ACL struct {
-	acl C.acl_t
-}
-
-func (acl *ACL) free() {
-	C.acl_free(unsafe.Pointer(acl.acl))
-
-	// no need for a finalizer anymore
-	runtime.SetFinalizer(acl, nil)
-}
-
-const (
-	Read    = C.ACL_READ
-	Write   = C.ACL_WRITE
-	Execute = C.ACL_EXECUTE
-
-	TypeDefault = C.ACL_TYPE_DEFAULT
-	TypeAccess  = C.ACL_TYPE_ACCESS
-
-	UndefinedTag = C.ACL_UNDEFINED_TAG
-	UserObj      = C.ACL_USER_OBJ
-	User         = C.ACL_USER
-	GroupObj     = C.ACL_GROUP_OBJ
-	Group        = C.ACL_GROUP
-	Mask         = C.ACL_MASK
-	Other        = C.ACL_OTHER
-)
-
-type (
-	Perm C.acl_perm_t
-)
-
-func (acl *ACL) removeEntry(tt C.acl_tag_t, tq int) error {
-	var e C.acl_entry_t
-
-	// get first entry
-	if r, err := C.acl_get_entry(acl.acl, C.ACL_FIRST_ENTRY, &e); err != nil {
-		return err
-	} else if r == 0 {
-		// return on acl with no entries
-		return nil
-	}
-
-	for {
-		if r, err := C.acl_get_entry(acl.acl, C.ACL_NEXT_ENTRY, &e); err != nil {
-			return err
-		} else if r == 0 {
-			// return on drained acl
-			return nil
-		}
-
-		var (
-			q int
-			t C.acl_tag_t
-		)
-
-		// get current entry tag type
-		if _, err := C.acl_get_tag_type(e, &t); err != nil {
-			return err
-		}
-
-		// get current entry qualifier
-		if rq, err := C.acl_get_qualifier(e); err != nil {
-			// neither ACL_USER nor ACL_GROUP
-			if errors.Is(err, syscall.EINVAL) {
-				continue
-			}
-
-			return err
-		} else {
-			q = *(*int)(rq)
-			C.acl_free(rq)
-		}
-
-		// delete on match
-		if t == tt && q == tq {
-			_, err := C.acl_delete_entry(acl.acl, e)
-			return err
-		}
-	}
-}
-
-func UpdatePerm(name string, uid int, perms ...Perm) error {
-	// read acl from file
-	a, err := getFile(name, TypeAccess)
-	if err != nil {
-		return err
-	}
-	// free acl on return if get is successful
-	defer a.free()
-
-	// remove existing entry
-	if err = a.removeEntry(User, uid); err != nil {
-		return err
-	}
-
-	// create new entry if perms are passed
-	if len(perms) > 0 {
-		// create new acl entry
-		var e C.acl_entry_t
-		if _, err = C.acl_create_entry(&a.acl, &e); err != nil {
-			return err
-		}
-
-		// get perm set of new entry
-		var p C.acl_permset_t
-		if _, err = C.acl_get_permset(e, &p); err != nil {
-			return err
-		}
-
-		// add target perms
-		for _, perm := range perms {
-			if _, err = C.acl_add_perm(p, C.acl_perm_t(perm)); err != nil {
-				return err
-			}
-		}
-
-		// set perm set to new entry
-		if _, err = C.acl_set_permset(e, p); err != nil {
-			return err
-		}
-
-		// set user tag to new entry
-		if _, err = C.acl_set_tag_type(e, User); err != nil {
-			return err
-		}
-
-		// set qualifier (uid) to new entry
-		if _, err = C.acl_set_qualifier(e, unsafe.Pointer(&uid)); err != nil {
-			return err
-		}
-	}
-
-	// calculate mask after update
-	if _, err = C.acl_calc_mask(&a.acl); err != nil {
-		return err
-	}
-
-	// write acl to file
-	return a.setFile(name, TypeAccess)
-}
--- a/acl/perms.go
+++ b/acl/perms.go
@ -0,0 +1,18 @@
+package acl
+
+type Perms []Perm
+
+func (ps Perms) String() string {
+	var s = []byte("---")
+	for _, p := range ps {
+		switch p {
+		case Read:
+			s[0] = 'r'
+		case Write:
+			s[1] = 'w'
+		case Execute:
+			s[2] = 'x'
+		}
+	}
+	return string(s)
+}
--- a/cmd/finit/ipc/payload.go
+++ b/cmd/finit/ipc/payload.go
@ -1,13 +0,0 @@
-package init0
-
-const Env = "FORTIFY_INIT"
-
-type Payload struct {
-	// target full exec path
-	Argv0 string
-	// child full argv
-	Argv []string
-
-	// verbosity pass through
-	Verbose bool
-}
--- a/cmd/finit/main.go
+++ b/cmd/finit/main.go
@ -1,174 +0,0 @@
-package main
-
-import (
-	"errors"
-	"os"
-	"os/exec"
-	"os/signal"
-	"path"
-	"syscall"
-	"time"
-
-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/proc"
-)
-
-const (
-	// time to wait for linger processes after death of initial process
-	residualProcessTimeout = 5 * time.Second
-)
-
-// everything beyond this point runs within pid namespace
-// proceed with caution!
-
-func main() {
-	// sharing stdout with shim
-	// USE WITH CAUTION
-	fmsg.SetPrefix("init")
-
-	// setting this prevents ptrace
-	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
-		fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
-		panic("unreachable")
-	}
-
-	if os.Getpid() != 1 {
-		fmsg.Fatal("this process must run as pid 1")
-		panic("unreachable")
-	}
-
-	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "finit" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"finit"}, os.Environ()); err != nil {
-			fmsg.Println("cannot re-exec self:", err)
-			// continue anyway
-		}
-	}
-
-	// receive setup payload
-	var (
-		payload    init0.Payload
-		closeSetup func() error
-	)
-	if f, err := proc.Receive(init0.Env, &payload); err != nil {
-		if errors.Is(err, proc.ErrInvalid) {
-			fmsg.Fatal("invalid config descriptor")
-		}
-		if errors.Is(err, proc.ErrNotSet) {
-			fmsg.Fatal("FORTIFY_INIT not set")
-		}
-
-		fmsg.Fatalf("cannot decode init setup payload: %v", err)
-		panic("unreachable")
-	} else {
-		fmsg.SetVerbose(payload.Verbose)
-		closeSetup = f
-
-		// child does not need to see this
-		if err = os.Unsetenv(init0.Env); err != nil {
-			fmsg.Printf("cannot unset %s: %v", init0.Env, err)
-			// not fatal
-		} else {
-			fmsg.VPrintln("received configuration")
-		}
-	}
-
-	// die with parent
-	if err := internal.PR_SET_PDEATHSIG__SIGKILL(); err != nil {
-		fmsg.Fatalf("prctl(PR_SET_PDEATHSIG, SIGKILL): %v", err)
-	}
-
-	cmd := exec.Command(payload.Argv0)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Args = payload.Argv
-	cmd.Env = os.Environ()
-
-	if err := cmd.Start(); err != nil {
-		fmsg.Fatalf("cannot start %q: %v", payload.Argv0, err)
-	}
-	fmsg.Suspend()
-
-	// close setup pipe as setup is now complete
-	if err := closeSetup(); err != nil {
-		fmsg.Println("cannot close setup pipe:", err)
-		// not fatal
-	}
-
-	sig := make(chan os.Signal, 2)
-	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
-
-	type winfo struct {
-		wpid    int
-		wstatus syscall.WaitStatus
-	}
-	info := make(chan winfo, 1)
-	done := make(chan struct{})
-
-	go func() {
-		var (
-			err     error
-			wpid    = -2
-			wstatus syscall.WaitStatus
-		)
-
-		// keep going until no child process is left
-		for wpid != -1 {
-			if err != nil {
-				break
-			}
-
-			if wpid != -2 {
-				info <- winfo{wpid, wstatus}
-			}
-
-			err = syscall.EINTR
-			for errors.Is(err, syscall.EINTR) {
-				wpid, err = syscall.Wait4(-1, &wstatus, 0, nil)
-			}
-		}
-		if !errors.Is(err, syscall.ECHILD) {
-			fmsg.Println("unexpected wait4 response:", err)
-		}
-
-		close(done)
-	}()
-
-	// closed after residualProcessTimeout has elapsed after initial process death
-	timeout := make(chan struct{})
-
-	r := 2
-	for {
-		select {
-		case s := <-sig:
-			fmsg.VPrintln("received", s.String())
-			fmsg.Resume() // output could still be withheld at this point, so resume is called
-			fmsg.Exit(0)
-		case w := <-info:
-			if w.wpid == cmd.Process.Pid {
-				// initial process exited, output is most likely available again
-				fmsg.Resume()
-
-				switch {
-				case w.wstatus.Exited():
-					r = w.wstatus.ExitStatus()
-				case w.wstatus.Signaled():
-					r = 128 + int(w.wstatus.Signal())
-				default:
-					r = 255
-				}
-
-				go func() {
-					time.Sleep(residualProcessTimeout)
-					close(timeout)
-				}()
-			}
-		case <-done:
-			fmsg.Exit(r)
-		case <-timeout:
-			fmsg.Println("timeout exceeded waiting for lingering processes")
-			fmsg.Exit(r)
-		}
-	}
-}
--- a/cmd/fpkg/app.go
+++ b/cmd/fpkg/app.go
@ -0,0 +1,150 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"os"
+	"path"
+
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+	"git.gensokyo.uk/security/fortify/system"
+)
+
+type appInfo struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+
+	// passed through to [fst.Config]
+	ID string `json:"id"`
+	// passed through to [fst.Config]
+	AppID int `json:"app_id"`
+	// passed through to [fst.Config]
+	Groups []string `json:"groups,omitempty"`
+	// passed through to [fst.Config]
+	Devel bool `json:"devel,omitempty"`
+	// passed through to [fst.Config]
+	Userns bool `json:"userns,omitempty"`
+	// passed through to [fst.Config]
+	Net bool `json:"net,omitempty"`
+	// passed through to [fst.Config]
+	Dev bool `json:"dev,omitempty"`
+	// passed through to [fst.Config]
+	Tty bool `json:"tty,omitempty"`
+	// passed through to [fst.Config]
+	MapRealUID bool `json:"map_real_uid,omitempty"`
+	// passed through to [fst.Config]
+	DirectWayland bool `json:"direct_wayland,omitempty"`
+	// passed through to [fst.Config]
+	SystemBus *dbus.Config `json:"system_bus,omitempty"`
+	// passed through to [fst.Config]
+	SessionBus *dbus.Config `json:"session_bus,omitempty"`
+	// passed through to [fst.Config]
+	Enablements system.Enablement `json:"enablements"`
+
+	// passed through to [fst.Config]
+	Multiarch bool `json:"multiarch,omitempty"`
+	// passed through to [fst.Config]
+	Bluetooth bool `json:"bluetooth,omitempty"`
+
+	// allow gpu access within sandbox
+	GPU bool `json:"gpu"`
+	// store path to nixGL mesa wrappers
+	Mesa string `json:"mesa,omitempty"`
+	// store path to nixGL source
+	NixGL string `json:"nix_gl,omitempty"`
+	// store path to activate-and-exec script
+	Launcher string `json:"launcher"`
+	// store path to /run/current-system
+	CurrentSystem string `json:"current_system"`
+	// store path to home-manager activation package
+	ActivationPackage string `json:"activation_package"`
+}
+
+func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *fst.Config {
+	config := &fst.Config{
+		ID:   app.ID,
+		Path: argv[0],
+		Args: argv,
+		Confinement: fst.ConfinementConfig{
+			AppID:    app.AppID,
+			Groups:   app.Groups,
+			Username: "fortify",
+			Inner:    path.Join("/data/data", app.ID),
+			Outer:    pathSet.homeDir,
+			Shell:    shellPath,
+			Sandbox: &fst.SandboxConfig{
+				Hostname:      formatHostname(app.Name),
+				Devel:         app.Devel,
+				Userns:        app.Userns,
+				Net:           app.Net,
+				Dev:           app.Dev,
+				Tty:           app.Tty || flagDropShell,
+				MapRealUID:    app.MapRealUID,
+				DirectWayland: app.DirectWayland,
+				Filesystem: []*fst.FilesystemConfig{
+					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
+					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
+					{Src: "/etc/resolv.conf"},
+					{Src: "/sys/block"},
+					{Src: "/sys/bus"},
+					{Src: "/sys/class"},
+					{Src: "/sys/dev"},
+					{Src: "/sys/devices"},
+				},
+				Link: [][2]string{
+					{app.CurrentSystem, "/run/current-system"},
+					{"/run/current-system/sw/bin", "/bin"},
+					{"/run/current-system/sw/bin", "/usr/bin"},
+				},
+				Etc:     path.Join(pathSet.cacheDir, "etc"),
+				AutoEtc: true,
+			},
+			ExtraPerms: []*fst.ExtraPermConfig{
+				{Path: dataHome, Execute: true},
+				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			},
+			SystemBus:   app.SystemBus,
+			SessionBus:  app.SessionBus,
+			Enablements: app.Enablements,
+		},
+	}
+	if app.Multiarch {
+		config.Confinement.Sandbox.Seccomp |= seccomp.FlagMultiarch
+	}
+	if app.Bluetooth {
+		config.Confinement.Sandbox.Seccomp |= seccomp.FlagBluetooth
+	}
+	return config
+}
+
+func loadAppInfo(name string, beforeFail func()) *appInfo {
+	bundle := new(appInfo)
+	if f, err := os.Open(name); err != nil {
+		beforeFail()
+		log.Fatalf("cannot open bundle: %v", err)
+	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
+		beforeFail()
+		log.Fatalf("cannot parse bundle metadata: %v", err)
+	} else if err = f.Close(); err != nil {
+		log.Printf("cannot close bundle metadata: %v", err)
+		// not fatal
+	}
+
+	if bundle.ID == "" {
+		beforeFail()
+		log.Fatal("application identifier must not be empty")
+	}
+
+	return bundle
+}
+
+func formatHostname(name string) string {
+	if h, err := os.Hostname(); err != nil {
+		log.Printf("cannot get hostname: %v", err)
+		return "fortify-" + name
+	} else {
+		return h + "-" + name
+	}
+}
--- a/cmd/fpkg/build.nix
+++ b/cmd/fpkg/build.nix
@ -0,0 +1,252 @@
+{
+  nixpkgsFor,
+  system,
+  nixpkgs,
+  home-manager,
+}:
+
+{
+  lib,
+  stdenv,
+  closureInfo,
+  writeScript,
+  runtimeShell,
+  writeText,
+  symlinkJoin,
+  vmTools,
+  runCommand,
+  fetchFromGitHub,
+
+  zstd,
+  nix,
+  sqlite,
+
+  name ? throw "name is required",
+  version ? throw "version is required",
+  pname ? "${name}-${version}",
+  modules ? [ ],
+  nixosModules ? [ ],
+  script ? ''
+    exec "$SHELL" "$@"
+  '',
+
+  id ? name,
+  app_id ? throw "app_id is required",
+  groups ? [ ],
+  userns ? false,
+  net ? true,
+  dev ? false,
+  no_new_session ? false,
+  map_real_uid ? false,
+  direct_wayland ? false,
+  system_bus ? null,
+  session_bus ? null,
+
+  allow_wayland ? true,
+  allow_x11 ? false,
+  allow_dbus ? true,
+  allow_pulse ? true,
+  gpu ? allow_wayland || allow_x11,
+}:
+
+let
+  inherit (lib) optionals;
+
+  homeManagerConfiguration = home-manager.lib.homeManagerConfiguration {
+    pkgs = nixpkgsFor.${system};
+    modules = modules ++ [
+      {
+        home = {
+          username = "fortify";
+          homeDirectory = "/data/data/${id}";
+          stateVersion = "22.11";
+        };
+      }
+    ];
+  };
+
+  launcher = writeScript "fortify-${pname}" ''
+    #!${runtimeShell} -el
+    ${script}
+  '';
+
+  extraNixOSConfig =
+    { pkgs, ... }:
+    {
+      environment = {
+        etc.nixpkgs.source = nixpkgs.outPath;
+        systemPackages = [ pkgs.nix ];
+      };
+
+      imports = nixosModules;
+    };
+  nixos = nixpkgs.lib.nixosSystem {
+    inherit system;
+    modules = [
+      extraNixOSConfig
+      { nix.settings.experimental-features = [ "flakes" ]; }
+      { nix.settings.experimental-features = [ "nix-command" ]; }
+      { boot.isContainer = true; }
+      { system.stateVersion = "22.11"; }
+    ];
+  };
+
+  etc = vmTools.runInLinuxVM (
+    runCommand "etc" { } ''
+      mkdir -p /etc
+      ${nixos.config.system.build.etcActivationCommands}
+
+      # remove unused files
+      rm -rf /etc/sudoers
+
+      mkdir -p $out
+      tar -C /etc -cf "$out/etc.tar" .
+    ''
+  );
+
+  extendSessionDefault = id: ext: {
+    filter = true;
+
+    talk = [ "org.freedesktop.Notifications" ] ++ ext.talk;
+    own =
+      (optionals (id != null) [
+        "${id}.*"
+        "org.mpris.MediaPlayer2.${id}.*"
+      ])
+      ++ ext.own;
+
+    inherit (ext) call broadcast;
+  };
+
+  nixGL = fetchFromGitHub {
+    owner = "nix-community";
+    repo = "nixGL";
+    rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a";
+    hash = "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=";
+  };
+
+  mesaWrappers =
+    let
+      isIntelX86Platform = system == "x86_64-linux";
+      nixGLPackages = import (nixGL + "/default.nix") {
+        pkgs = nixpkgs.legacyPackages.${system};
+        enable32bits = isIntelX86Platform;
+        enableIntelX86Extensions = isIntelX86Platform;
+      };
+    in
+    symlinkJoin {
+      name = "nixGL-mesa";
+      paths = with nixGLPackages; [
+        nixGLIntel
+        nixVulkanIntel
+      ];
+    };
+
+  info = builtins.toJSON {
+    inherit
+      name
+      version
+      id
+      app_id
+      launcher
+      groups
+      userns
+      net
+      dev
+      no_new_session
+      map_real_uid
+      direct_wayland
+      system_bus
+      gpu
+      ;
+
+    session_bus =
+      if session_bus != null then
+        (session_bus (extendSessionDefault id))
+      else
+        (extendSessionDefault id {
+          talk = [ ];
+          own = [ ];
+          call = { };
+          broadcast = { };
+        });
+
+    enablements = (if allow_wayland then 1 else 0) + (if allow_x11 then 2 else 0) + (if allow_dbus then 4 else 0) + (if allow_pulse then 8 else 0);
+
+    mesa = if gpu then mesaWrappers else null;
+    nix_gl = if gpu then nixGL else null;
+    current_system = nixos.config.system.build.toplevel;
+    activation_package = homeManagerConfiguration.activationPackage;
+  };
+in
+
+stdenv.mkDerivation {
+  name = "${pname}.pkg";
+  inherit version;
+  __structuredAttrs = true;
+
+  nativeBuildInputs = [
+    zstd
+    nix
+    sqlite
+  ];
+
+  buildCommand = ''
+    NIX_ROOT="$(mktemp -d)"
+    export USER="nobody"
+
+    # create bootstrap store
+    bootstrapClosureInfo="${
+      closureInfo {
+        rootPaths = [
+          nix
+          nixos.config.system.build.toplevel
+        ];
+      }
+    }"
+    echo "copying bootstrap store paths..."
+    mkdir -p "$NIX_ROOT/nix/store"
+    xargs -n 1 -a "$bootstrapClosureInfo/store-paths" cp -at "$NIX_ROOT/nix/store/"
+    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --load-db < "$bootstrapClosureInfo/registration"
+    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --optimise
+    sqlite3 "$NIX_ROOT/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
+    chmod -R +r "$NIX_ROOT/nix/var"
+
+    # create binary cache
+    closureInfo="${
+      closureInfo {
+        rootPaths =
+          [
+            homeManagerConfiguration.activationPackage
+            launcher
+          ]
+          ++ optionals gpu [
+            mesaWrappers
+            nixGL
+          ];
+      }
+    }"
+    echo "copying application paths..."
+    TMP_STORE="$(mktemp -d)"
+    mkdir -p "$TMP_STORE/nix/store"
+    xargs -n 1 -a "$closureInfo/store-paths" cp -at "$TMP_STORE/nix/store/"
+    NIX_REMOTE="local?root=$TMP_STORE" nix-store --load-db < "$closureInfo/registration"
+    sqlite3 "$TMP_STORE/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
+    NIX_REMOTE="local?root=$TMP_STORE" nix --offline --extra-experimental-features nix-command \
+        --verbose --log-format raw-with-logs \
+        copy --all --no-check-sigs --to \
+        "file://$NIX_ROOT/res?compression=zstd&compression-level=19&parallel-compression=true"
+
+    # package /etc
+    mkdir -p "$NIX_ROOT/etc"
+    tar -C "$NIX_ROOT/etc" -xf "${etc}/etc.tar"
+
+    # write metadata
+    cp "${writeText "bundle.json" info}" "$NIX_ROOT/bundle.json"
+
+    # create an intermediate file to improve zstd performance
+    INTER="$(mktemp)"
+    tar -C "$NIX_ROOT" -cf "$INTER" .
+    zstd -T0 -19 -fo "$out" "$INTER"
+  '';
+}
--- a/cmd/fpkg/main.go
+++ b/cmd/fpkg/main.go
@ -0,0 +1,351 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"log"
+	"os"
+	"os/signal"
+	"path"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/command"
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/sys"
+	"git.gensokyo.uk/security/fortify/sandbox"
+)
+
+const shellPath = "/run/current-system/sw/bin/bash"
+
+var (
+	errSuccess = errors.New("success")
+
+	std sys.State = new(sys.Std)
+)
+
+func init() {
+	fmsg.Prepare("fpkg")
+	if err := os.Setenv("SHELL", shellPath); err != nil {
+		log.Fatalf("cannot set $SHELL: %v", err)
+	}
+}
+
+func main() {
+	// early init path, skips root check and duplicate PR_SET_DUMPABLE
+	sandbox.TryArgv0(fmsg.Output{}, fmsg.Prepare, internal.InstallFmsg)
+
+	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
+		// not fatal: this program runs as the privileged user
+	}
+
+	if os.Geteuid() == 0 {
+		log.Fatal("this program must not run as root")
+	}
+
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM)
+	defer stop() // unreachable
+
+	var (
+		flagVerbose   bool
+		flagDropShell bool
+	)
+	c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error {
+		internal.InstallFmsg(flagVerbose)
+		return nil
+	}).
+		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
+		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
+
+	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
+
+	{
+		var (
+			flagDropShellActivate bool
+		)
+		c.NewCommand("install", "Install an application from its package", func(args []string) error {
+			if len(args) != 1 {
+				log.Println("invalid argument")
+				return syscall.EINVAL
+			}
+			pkgPath := args[0]
+			if !path.IsAbs(pkgPath) {
+				if dir, err := os.Getwd(); err != nil {
+					log.Printf("cannot get current directory: %v", err)
+					return err
+				} else {
+					pkgPath = path.Join(dir, pkgPath)
+				}
+			}
+
+			/*
+				Look up paths to programs started by fpkg.
+				This is done here to ease error handling as cleanup is not yet required.
+			*/
+
+			var (
+				_     = lookPath("zstd")
+				tar   = lookPath("tar")
+				chmod = lookPath("chmod")
+				rm    = lookPath("rm")
+			)
+
+			/*
+				Extract package and set up for cleanup.
+			*/
+
+			var workDir string
+			if p, err := os.MkdirTemp("", "fpkg.*"); err != nil {
+				log.Printf("cannot create temporary directory: %v", err)
+				return err
+			} else {
+				workDir = p
+			}
+			cleanup := func() {
+				// should be faster than a native implementation
+				mustRun(chmod, "-R", "+w", workDir)
+				mustRun(rm, "-rf", workDir)
+			}
+			beforeRunFail.Store(&cleanup)
+
+			mustRun(tar, "-C", workDir, "-xf", pkgPath)
+
+			/*
+				Parse bundle and app metadata, do pre-install checks.
+			*/
+
+			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
+			pathSet := pathSetByApp(bundle.ID)
+
+			a := bundle
+			if s, err := os.Stat(pathSet.metaPath); err != nil {
+				if !os.IsNotExist(err) {
+					cleanup()
+					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
+					return err
+				}
+				// did not modify app, clean installation condition met later
+			} else if s.IsDir() {
+				cleanup()
+				log.Printf("metadata path %q is not a file", pathSet.metaPath)
+				return syscall.EBADMSG
+			} else {
+				a = loadAppInfo(pathSet.metaPath, cleanup)
+				if a.ID != bundle.ID {
+					cleanup()
+					log.Printf("app %q claims to have identifier %q",
+						bundle.ID, a.ID)
+					return syscall.EBADE
+				}
+				// sec: should verify credentials
+			}
+
+			if a != bundle {
+				// do not try to re-install
+				if a.NixGL == bundle.NixGL &&
+					a.CurrentSystem == bundle.CurrentSystem &&
+					a.Launcher == bundle.Launcher &&
+					a.ActivationPackage == bundle.ActivationPackage {
+					cleanup()
+					log.Printf("package %q is identical to local application %q",
+						pkgPath, a.ID)
+					return errSuccess
+				}
+
+				// AppID determines uid
+				if a.AppID != bundle.AppID {
+					cleanup()
+					log.Printf("package %q app id %d differs from installed %d",
+						pkgPath, bundle.AppID, a.AppID)
+					return syscall.EBADE
+				}
+
+				// sec: should compare version string
+				fmsg.Verbosef("installing application %q version %q over local %q",
+					bundle.ID, bundle.Version, a.Version)
+			} else {
+				fmsg.Verbosef("application %q clean installation", bundle.ID)
+				// sec: should install credentials
+			}
+
+			/*
+				Setup steps for files owned by the target user.
+			*/
+
+			withCacheDir(ctx, "install", []string{
+				// export inner bundle path in the environment
+				"export BUNDLE=" + fst.Tmp + "/bundle",
+				// replace inner /etc
+				"mkdir -p etc",
+				"chmod -R +w etc",
+				"rm -rf etc",
+				"cp -dRf $BUNDLE/etc etc",
+				// replace inner /nix
+				"mkdir -p nix",
+				"chmod -R +w nix",
+				"rm -rf nix",
+				"cp -dRf /nix nix",
+				// copy from binary cache
+				"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
+				// deduplicate nix store
+				"nix store --offline --store $PWD optimise",
+				// make cache directory world-readable for autoetc
+				"chmod 0755 .",
+			}, workDir, bundle, pathSet, flagDropShell, cleanup)
+
+			if bundle.GPU {
+				withCacheDir(ctx, "mesa-wrappers", []string{
+					// link nixGL mesa wrappers
+					"mkdir -p nix/.nixGL",
+					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
+					"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
+				}, workDir, bundle, pathSet, false, cleanup)
+			}
+
+			/*
+				Activate home-manager generation.
+			*/
+
+			withNixDaemon(ctx, "activate", []string{
+				// clean up broken links
+				"mkdir -p .local/state/{nix,home-manager}",
+				"chmod -R +w .local/state/{nix,home-manager}",
+				"rm -rf .local/state/{nix,home-manager}",
+				// run activation script
+				bundle.ActivationPackage + "/activate",
+			}, false, func(config *fst.Config) *fst.Config { return config },
+				bundle, pathSet, flagDropShellActivate, cleanup)
+
+			/*
+				Installation complete. Write metadata to block re-installs or downgrades.
+			*/
+
+			// serialise metadata to ensure consistency
+			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
+				cleanup()
+				log.Printf("cannot create metadata file: %v", err)
+				return err
+			} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
+				cleanup()
+				log.Printf("cannot write metadata: %v", err)
+				return err
+			} else if err = f.Close(); err != nil {
+				log.Printf("cannot close metadata file: %v", err)
+				// not fatal
+			}
+
+			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
+				cleanup()
+				log.Printf("cannot rename metadata file: %v", err)
+				return err
+			}
+
+			cleanup()
+			return errSuccess
+		}).
+			Flag(&flagDropShellActivate, "s", command.BoolFlag(false), "Drop to a shell on activation")
+	}
+
+	{
+		var (
+			flagDropShellNixGL bool
+			flagAutoDrivers    bool
+		)
+		c.NewCommand("start", "Start an application", func(args []string) error {
+			if len(args) < 1 {
+				log.Println("invalid argument")
+				return syscall.EINVAL
+			}
+
+			/*
+				Parse app metadata.
+			*/
+
+			id := args[0]
+			pathSet := pathSetByApp(id)
+			a := loadAppInfo(pathSet.metaPath, func() {})
+			if a.ID != id {
+				log.Printf("app %q claims to have identifier %q", id, a.ID)
+				return syscall.EBADE
+			}
+
+			/*
+				Prepare nixGL.
+			*/
+
+			if a.GPU && flagAutoDrivers {
+				withNixDaemon(ctx, "nix-gl", []string{
+					"mkdir -p /nix/.nixGL/auto",
+					"rm -rf /nix/.nixGL/auto",
+					"export NIXPKGS_ALLOW_UNFREE=1",
+					"nix build --impure " +
+						"--out-link /nix/.nixGL/auto/opengl " +
+						"--override-input nixpkgs path:/etc/nixpkgs " +
+						"path:" + a.NixGL,
+					"nix build --impure " +
+						"--out-link /nix/.nixGL/auto/vulkan " +
+						"--override-input nixpkgs path:/etc/nixpkgs " +
+						"path:" + a.NixGL + "#nixVulkanNvidia",
+				}, true, func(config *fst.Config) *fst.Config {
+					config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
+						{Src: "/etc/resolv.conf"},
+						{Src: "/sys/block"},
+						{Src: "/sys/bus"},
+						{Src: "/sys/class"},
+						{Src: "/sys/dev"},
+						{Src: "/sys/devices"},
+					}...)
+					appendGPUFilesystem(config)
+					return config
+				}, a, pathSet, flagDropShellNixGL, func() {})
+			}
+
+			/*
+				Create app configuration.
+			*/
+
+			argv := make([]string, 1, len(args))
+			if !flagDropShell {
+				argv[0] = a.Launcher
+			} else {
+				argv[0] = shellPath
+			}
+			argv = append(argv, args[1:]...)
+
+			config := a.toFst(pathSet, argv, flagDropShell)
+
+			/*
+				Expose GPU devices.
+			*/
+
+			if a.GPU {
+				config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
+					&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
+				appendGPUFilesystem(config)
+			}
+
+			/*
+				Spawn app.
+			*/
+
+			mustRunApp(ctx, config, func() {})
+			return errSuccess
+		}).
+			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
+			Flag(&flagAutoDrivers, "auto-drivers", command.BoolFlag(false), "Attempt automatic opengl driver detection")
+	}
+
+	c.MustParse(os.Args[1:], func(err error) {
+		fmsg.Verbosef("command returned %v", err)
+		if errors.Is(err, errSuccess) {
+			fmsg.BeforeExit()
+			os.Exit(0)
+		}
+	})
+	log.Fatal("unreachable")
+}
--- a/cmd/fpkg/paths.go
+++ b/cmd/fpkg/paths.go
@ -0,0 +1,101 @@
+package main
+
+import (
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"sync/atomic"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+var (
+	dataHome string
+)
+
+func init() {
+	// dataHome
+	if p, ok := os.LookupEnv("FORTIFY_DATA_HOME"); ok {
+		dataHome = p
+	} else {
+		dataHome = "/var/lib/fortify/" + strconv.Itoa(os.Getuid())
+	}
+}
+
+func lookPath(file string) string {
+	if p, err := exec.LookPath(file); err != nil {
+		log.Fatalf("%s: command not found", file)
+		return ""
+	} else {
+		return p
+	}
+}
+
+var beforeRunFail = new(atomic.Pointer[func()])
+
+func mustRun(name string, arg ...string) {
+	fmsg.Verbosef("spawning process: %q %q", name, arg)
+	cmd := exec.Command(name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		if f := beforeRunFail.Swap(nil); f != nil {
+			(*f)()
+		}
+		log.Fatalf("%s: %v", name, err)
+	}
+}
+
+type appPathSet struct {
+	// ${dataHome}/${id}
+	baseDir string
+	// ${baseDir}/app
+	metaPath string
+	// ${baseDir}/files
+	homeDir string
+	// ${baseDir}/cache
+	cacheDir string
+	// ${baseDir}/cache/nix
+	nixPath string
+}
+
+func pathSetByApp(id string) *appPathSet {
+	pathSet := new(appPathSet)
+	pathSet.baseDir = path.Join(dataHome, id)
+	pathSet.metaPath = path.Join(pathSet.baseDir, "app")
+	pathSet.homeDir = path.Join(pathSet.baseDir, "files")
+	pathSet.cacheDir = path.Join(pathSet.baseDir, "cache")
+	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
+	return pathSet
+}
+
+func appendGPUFilesystem(config *fst.Config) {
+	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
+		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
+		{Src: "/dev/dri", Device: true},
+		// mali
+		{Src: "/dev/mali", Device: true},
+		{Src: "/dev/mali0", Device: true},
+		{Src: "/dev/umplock", Device: true},
+		// nvidia
+		{Src: "/dev/nvidiactl", Device: true},
+		{Src: "/dev/nvidia-modeset", Device: true},
+		// nvidia OpenCL/CUDA
+		{Src: "/dev/nvidia-uvm", Device: true},
+		{Src: "/dev/nvidia-uvm-tools", Device: true},
+
+		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
+		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
+		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
+		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
+		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
+		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
+		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
+		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
+		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
+		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
+		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
+	}...)
+}
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@ -0,0 +1,28 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/app"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
+	rs := new(fst.RunState)
+	a := app.MustNew(ctx, std)
+
+	if sa, err := a.Seal(config); err != nil {
+		fmsg.PrintBaseError(err, "cannot seal app:")
+		rs.ExitCode = 1
+	} else {
+		// this updates ExitCode
+		app.PrintRunStateErr(rs, sa.Run(rs))
+	}
+
+	if rs.ExitCode != 0 {
+		beforeFail()
+		os.Exit(rs.ExitCode)
+	}
+}
--- a/cmd/fpkg/test/configuration.nix
+++ b/cmd/fpkg/test/configuration.nix
@ -0,0 +1,60 @@
+{ pkgs, ... }:
+{
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  # Automatically login on tty1 as a normal user:
+  services.getty.autologinUser = "alice";
+
+  environment = {
+    variables = {
+      SWAYSOCK = "/tmp/sway-ipc.sock";
+      WLR_RENDERER = "pixman";
+    };
+  };
+
+  # Automatically configure and start Sway when logging in on tty1:
+  programs.bash.loginShellInit = ''
+    if [ "$(tty)" = "/dev/tty1" ]; then
+      set -e
+
+      mkdir -p ~/.config/sway
+      (sed s/Mod4/Mod1/ /etc/sway/config &&
+      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
+      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
+
+      sway --validate
+      systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
+    fi
+  '';
+
+  programs.sway.enable = true;
+
+  virtualisation = {
+    diskSize = 6 * 1024;
+
+    qemu.options = [
+      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
+      "-vga none -device virtio-gpu-pci"
+
+      # Increase zstd performance:
+      "-smp 8"
+    ];
+  };
+
+  environment.fortify = {
+    enable = true;
+    stateDir = "/var/lib/fortify";
+    users.alice = 0;
+
+    home-manager = _: _: { home.stateVersion = "23.05"; };
+  };
+}
--- a/cmd/fpkg/test/default.nix
+++ b/cmd/fpkg/test/default.nix
@ -0,0 +1,34 @@
+{
+  nixosTest,
+  callPackage,
+
+  system,
+  self,
+}:
+let
+  buildPackage = self.buildPackage.${system};
+in
+nixosTest {
+  name = "fpkg";
+  nodes.machine = {
+    environment.etc = {
+      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
+    };
+
+    imports = [
+      ./configuration.nix
+
+      self.nixosModules.fortify
+      self.inputs.home-manager.nixosModules.home-manager
+    ];
+  };
+
+  # adapted from nixos sway integration tests
+
+  # testScriptWithTypes:49: error: Cannot call function of unknown type
+  #           (machine.succeed if succeed else machine.execute)(
+  #           ^
+  # Found 1 error in 1 file (checked 1 source file)
+  skipTypeCheck = true;
+  testScript = builtins.readFile ./test.py;
+}
--- a/cmd/fpkg/test/foot.nix
+++ b/cmd/fpkg/test/foot.nix
@ -0,0 +1,48 @@
+{
+  lib,
+  buildPackage,
+  foot,
+  wayland-utils,
+  inconsolata,
+}:
+
+buildPackage {
+  name = "foot";
+  inherit (foot) version;
+
+  app_id = 2;
+  id = "org.codeberg.dnkl.foot";
+
+  modules = [
+    {
+      home.packages = [
+        foot
+
+        # For wayland-info:
+        wayland-utils
+      ];
+    }
+  ];
+
+  nixosModules = [
+    {
+      # To help with OCR:
+      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
+        main = {
+          font = "inconsolata:size=14";
+        };
+        colors = rec {
+          foreground = "000000";
+          background = "ffffff";
+          regular2 = foreground;
+        };
+      };
+
+      fonts.packages = [ inconsolata ];
+    }
+  ];
+
+  script = ''
+    exec foot "$@"
+  '';
+}
--- a/cmd/fpkg/test/test.py
+++ b/cmd/fpkg/test/test.py
@ -0,0 +1,108 @@
+import json
+import shlex
+
+q = shlex.quote
+NODE_GROUPS = ["nodes", "floating_nodes"]
+
+
+def swaymsg(command: str = "", succeed=True, type="command"):
+    assert command != "" or type != "command", "Must specify command or type"
+    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
+    with machine.nested(
+            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
+    ):
+        ret = (machine.succeed if succeed else machine.execute)(
+            f"su - alice -c {shell}"
+        )
+
+    # execute also returns a status code, but disregard.
+    if not succeed:
+        _, ret = ret
+
+    if not succeed and not ret:
+        return None
+
+    parsed = json.loads(ret)
+    return parsed
+
+
+def walk(tree):
+    yield tree
+    for group in NODE_GROUPS:
+        for node in tree.get(group, []):
+            yield from walk(node)
+
+
+def wait_for_window(pattern):
+    def func(last_chance):
+        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
+
+        if last_chance:
+            nodes = list(nodes)
+            machine.log(f"Last call! Current list of windows: {nodes}")
+
+        return any(pattern in name for name in nodes)
+
+    retry(func)
+
+
+def collect_state_ui(name):
+    swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
+    machine.copy_from_vm(f"/tmp/{name}.ps", "")
+    swaymsg(f"exec fortify --json ps > '/tmp/{name}.json'")
+    machine.copy_from_vm(f"/tmp/{name}.json", "")
+    machine.screenshot(name)
+
+
+def check_state(name, enablements):
+    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps"))
+    if len(instances) != 1:
+        raise Exception(f"unexpected state length {len(instances)}")
+    instance = next(iter(instances.values()))
+
+    config = instance['config']
+
+    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['args'][0]):
+        raise Exception(f"unexpected args {instance['config']['args']}")
+
+    if config['confinement']['enablements'] != enablements:
+        raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
+
+
+start_all()
+machine.wait_for_unit("multi-user.target")
+
+# To check fortify's version:
+print(machine.succeed("sudo -u alice -i fortify version"))
+
+# Wait for Sway to complete startup:
+machine.wait_for_file("/run/user/1000/wayland-1")
+machine.wait_for_file("/tmp/sway-ipc.sock")
+
+# Prepare fpkg directory:
+machine.succeed("install -dm 0700 -o alice -g users /var/lib/fortify/1000")
+
+# Install fpkg app:
+swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
+machine.wait_for_file("/tmp/fpkg-install-done")
+
+# Start app (foot) with Wayland enablement:
+swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
+wait_for_window("fortify@machine-foot")
+machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
+machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
+collect_state_ui("app_wayland")
+check_state("foot", 13)
+# Verify acl on XDG_RUNTIME_DIR:
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
+machine.send_chars("exit\n")
+machine.wait_until_fails("pgrep foot")
+# Verify acl cleanup on XDG_RUNTIME_DIR:
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
+
+# Exit Sway and verify process exit status 0:
+swaymsg("exit", succeed=False)
+machine.wait_for_file("/tmp/sway-exit-ok")
+
+# Print fortify runDir contents:
+print(machine.succeed("find /run/user/1000/fortify"))
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@ -0,0 +1,110 @@
+package main
+
+import (
+	"context"
+	"path"
+	"strings"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+)
+
+func withNixDaemon(
+	ctx context.Context,
+	action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
+) {
+	mustRunAppDropShell(ctx, updateConfig(&fst.Config{
+		ID:   app.ID,
+		Path: shellPath,
+		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+			// start nix-daemon
+			"nix-daemon --store / & " +
+			// wait for socket to appear
+			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
+			// create directory so nix stops complaining
+			"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
+			strings.Join(command, " && ") +
+			// terminate nix-daemon
+			" && pkill nix-daemon",
+		},
+		Confinement: fst.ConfinementConfig{
+			AppID:    app.AppID,
+			Username: "fortify",
+			Inner:    path.Join("/data/data", app.ID),
+			Outer:    pathSet.homeDir,
+			Shell:    shellPath,
+			Sandbox: &fst.SandboxConfig{
+				Hostname: formatHostname(app.Name) + "-" + action,
+				Userns:   true, // nix sandbox requires userns
+				Net:      net,
+				Seccomp:  seccomp.FlagMultiarch,
+				Tty:      dropShell,
+				Filesystem: []*fst.FilesystemConfig{
+					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
+				},
+				Link: [][2]string{
+					{app.CurrentSystem, "/run/current-system"},
+					{"/run/current-system/sw/bin", "/bin"},
+					{"/run/current-system/sw/bin", "/usr/bin"},
+				},
+				Etc:     path.Join(pathSet.cacheDir, "etc"),
+				AutoEtc: true,
+			},
+			ExtraPerms: []*fst.ExtraPermConfig{
+				{Path: dataHome, Execute: true},
+				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			},
+		},
+	}), dropShell, beforeFail)
+}
+
+func withCacheDir(
+	ctx context.Context,
+	action string, command []string, workDir string,
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
+	mustRunAppDropShell(ctx, &fst.Config{
+		ID:   app.ID,
+		Path: shellPath,
+		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
+		Confinement: fst.ConfinementConfig{
+			AppID:    app.AppID,
+			Username: "nixos",
+			Inner:    path.Join("/data/data", app.ID, "cache"),
+			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
+			Shell:    shellPath,
+			Sandbox: &fst.SandboxConfig{
+				Hostname: formatHostname(app.Name) + "-" + action,
+				Seccomp:  seccomp.FlagMultiarch,
+				Tty:      dropShell,
+				Filesystem: []*fst.FilesystemConfig{
+					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
+					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
+				},
+				Link: [][2]string{
+					{app.CurrentSystem, "/run/current-system"},
+					{"/run/current-system/sw/bin", "/bin"},
+					{"/run/current-system/sw/bin", "/usr/bin"},
+				},
+				Etc:     path.Join(workDir, "etc"),
+				AutoEtc: true,
+			},
+			ExtraPerms: []*fst.ExtraPermConfig{
+				{Path: dataHome, Execute: true},
+				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+				{Path: workDir, Execute: true},
+			},
+		},
+	}, dropShell, beforeFail)
+}
+
+func mustRunAppDropShell(ctx context.Context, config *fst.Config, dropShell bool, beforeFail func()) {
+	if dropShell {
+		config.Args = []string{shellPath, "-l"}
+		mustRunApp(ctx, config, beforeFail)
+		beforeFail()
+		internal.Exit(0)
+	}
+	mustRunApp(ctx, config, beforeFail)
+}
--- a/cmd/fshim/ipc/payload.go
+++ b/cmd/fshim/ipc/payload.go
@ -1,21 +0,0 @@
-package shim0
-
-import (
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-)
-
-const Env = "FORTIFY_SHIM"
-
-type Payload struct {
-	// child full argv
-	Argv []string
-	// bwrap, target full exec path
-	Exec [2]string
-	// bwrap config
-	Bwrap *bwrap.Config
-	// sync fd
-	Sync *uintptr
-
-	// verbosity pass through
-	Verbose bool
-}
--- a/cmd/fshim/ipc/shim/shim.go
+++ b/cmd/fshim/ipc/shim/shim.go
@ -1,137 +0,0 @@
-package shim
-
-import (
-	"encoding/gob"
-	"errors"
-	"os"
-	"os/exec"
-	"os/signal"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	shim0 "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/proc"
-)
-
-const shimSetupTimeout = 5 * time.Second
-
-// used by the parent process
-
-type Shim struct {
-	// user switcher process
-	cmd *exec.Cmd
-	// uid of shim target user
-	uid uint32
-	// string representation of application id
-	aid string
-	// string representation of supplementary group ids
-	supp []string
-	// fallback exit notifier with error returned killing the process
-	killFallback chan error
-	// shim setup payload
-	payload *shim0.Payload
-}
-
-func New(uid uint32, aid string, supp []string, payload *shim0.Payload) *Shim {
-	return &Shim{uid: uid, aid: aid, supp: supp, payload: payload}
-}
-
-func (s *Shim) String() string {
-	if s.cmd == nil {
-		return "(unused shim manager)"
-	}
-	return s.cmd.String()
-}
-
-func (s *Shim) Unwrap() *exec.Cmd {
-	return s.cmd
-}
-
-func (s *Shim) WaitFallback() chan error {
-	return s.killFallback
-}
-
-func (s *Shim) Start() (*time.Time, error) {
-	// start user switcher process and save time
-	var fsu string
-	if p, ok := internal.Check(internal.Fsu); !ok {
-		fmsg.Fatal("invalid fsu path, this copy of fshim is not compiled correctly")
-		panic("unreachable")
-	} else {
-		fsu = p
-	}
-	s.cmd = exec.Command(fsu)
-
-	var encoder *gob.Encoder
-	if fd, e, err := proc.Setup(&s.cmd.ExtraFiles); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot create shim setup pipe:")
-	} else {
-		encoder = e
-		s.cmd.Env = []string{
-			shim0.Env + "=" + strconv.Itoa(fd),
-			"FORTIFY_APP_ID=" + s.aid,
-		}
-	}
-
-	if len(s.supp) > 0 {
-		fmsg.VPrintf("attaching supplementary group ids %s", s.supp)
-		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(s.supp, " "))
-	}
-	s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	s.cmd.Dir = "/"
-
-	// pass sync fd if set
-	if s.payload.Bwrap.Sync() != nil {
-		fd := proc.ExtraFile(s.cmd, s.payload.Bwrap.Sync())
-		s.payload.Sync = &fd
-	}
-
-	fmsg.VPrintln("starting shim via fsu:", s.cmd)
-	fmsg.Suspend() // withhold messages to stderr
-	if err := s.cmd.Start(); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot start fsu:")
-	}
-	startTime := time.Now().UTC()
-
-	// kill shim if something goes wrong and an error is returned
-	s.killFallback = make(chan error, 1)
-	killShim := func() {
-		if err := s.cmd.Process.Signal(os.Interrupt); err != nil {
-			s.killFallback <- err
-		}
-	}
-	defer func() { killShim() }()
-
-	// take alternative exit path on signal
-	sig := make(chan os.Signal, 2)
-	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		v := <-sig
-		fmsg.Printf("got %s after program start", v)
-		s.killFallback <- nil
-		signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
-	}()
-
-	shimErr := make(chan error)
-	go func() { shimErr <- encoder.Encode(s.payload) }()
-
-	select {
-	case err := <-shimErr:
-		if err != nil {
-			return &startTime, fmsg.WrapErrorSuffix(err,
-				"cannot transmit shim config:")
-		}
-		killShim = func() {}
-	case <-time.After(shimSetupTimeout):
-		return &startTime, fmsg.WrapError(errors.New("timed out waiting for shim"),
-			"timed out waiting for shim")
-	}
-
-	return &startTime, nil
-}
--- a/cmd/fshim/main.go
+++ b/cmd/fshim/main.go
@ -1,145 +0,0 @@
-package main
-
-import (
-	"errors"
-	"os"
-	"path"
-	"strconv"
-	"syscall"
-
-	init0 "git.gensokyo.uk/security/fortify/cmd/finit/ipc"
-	shim "git.gensokyo.uk/security/fortify/cmd/fshim/ipc"
-	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/proc"
-)
-
-// everything beyond this point runs as unconstrained target user
-// proceed with caution!
-
-func main() {
-	// sharing stdout with fortify
-	// USE WITH CAUTION
-	fmsg.SetPrefix("shim")
-
-	// setting this prevents ptrace
-	if err := internal.PR_SET_DUMPABLE__SUID_DUMP_DISABLE(); err != nil {
-		fmsg.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
-		panic("unreachable")
-	}
-
-	// re-exec
-	if len(os.Args) > 0 && (os.Args[0] != "fshim" || len(os.Args) != 1) && path.IsAbs(os.Args[0]) {
-		if err := syscall.Exec(os.Args[0], []string{"fshim"}, os.Environ()); err != nil {
-			fmsg.Println("cannot re-exec self:", err)
-			// continue anyway
-		}
-	}
-
-	// check path to finit
-	var finitPath string
-	if p, ok := internal.Path(internal.Finit); !ok {
-		fmsg.Fatal("invalid finit path, this copy of fshim is not compiled correctly")
-	} else {
-		finitPath = p
-	}
-
-	// receive setup payload
-	var (
-		payload    shim.Payload
-		closeSetup func() error
-	)
-	if f, err := proc.Receive(shim.Env, &payload); err != nil {
-		if errors.Is(err, proc.ErrInvalid) {
-			fmsg.Fatal("invalid config descriptor")
-		}
-		if errors.Is(err, proc.ErrNotSet) {
-			fmsg.Fatal("FORTIFY_SHIM not set")
-		}
-
-		fmsg.Fatalf("cannot decode shim setup payload: %v", err)
-		panic("unreachable")
-	} else {
-		fmsg.SetVerbose(payload.Verbose)
-		closeSetup = f
-	}
-
-	if payload.Bwrap == nil {
-		fmsg.Fatal("bwrap config not supplied")
-	}
-
-	// restore bwrap sync fd
-	if payload.Sync != nil {
-		payload.Bwrap.SetSync(os.NewFile(*payload.Sync, "sync"))
-	}
-
-	// close setup socket
-	if err := closeSetup(); err != nil {
-		fmsg.Println("cannot close setup pipe:", err)
-		// not fatal
-	}
-
-	var ic init0.Payload
-
-	// resolve argv0
-	ic.Argv = payload.Argv
-	if len(ic.Argv) > 0 {
-		// looked up from $PATH by parent
-		ic.Argv0 = payload.Exec[1]
-	} else {
-		// no argv, look up shell instead
-		var ok bool
-		if payload.Bwrap.SetEnv == nil {
-			fmsg.Fatal("no command was specified and environment is unset")
-		}
-		if ic.Argv0, ok = payload.Bwrap.SetEnv["SHELL"]; !ok {
-			fmsg.Fatal("no command was specified and $SHELL was unset")
-		}
-
-		ic.Argv = []string{ic.Argv0}
-	}
-
-	conf := payload.Bwrap
-
-	var extraFiles []*os.File
-
-	// serve setup payload
-	if fd, encoder, err := proc.Setup(&extraFiles); err != nil {
-		fmsg.Fatalf("cannot pipe: %v", err)
-	} else {
-		conf.SetEnv[init0.Env] = strconv.Itoa(fd)
-		go func() {
-			fmsg.VPrintln("transmitting config to init")
-			if err = encoder.Encode(&ic); err != nil {
-				fmsg.Fatalf("cannot transmit init config: %v", err)
-			}
-		}()
-	}
-
-	helper.BubblewrapName = payload.Exec[0] // resolved bwrap path by parent
-	if b, err := helper.NewBwrap(conf, nil, finitPath,
-		func(int, int) []string { return make([]string, 0) }); err != nil {
-		fmsg.Fatalf("malformed sandbox config: %v", err)
-	} else {
-		cmd := b.Unwrap()
-		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-		cmd.ExtraFiles = extraFiles
-
-		if fmsg.Verbose() {
-			fmsg.VPrintln("bwrap args:", conf.Args())
-		}
-
-		// run and pass through exit code
-		if err = b.Start(); err != nil {
-			fmsg.Fatalf("cannot start target process: %v", err)
-		} else if err = b.Wait(); err != nil {
-			fmsg.VPrintln("wait:", err)
-		}
-		if b.Unwrap().ProcessState != nil {
-			fmsg.Exit(b.Unwrap().ProcessState.ExitCode())
-		} else {
-			fmsg.Exit(127)
-		}
-	}
-}
--- a/cmd/fsu/main.go
+++ b/cmd/fsu/main.go
@ -13,7 +13,6 @@ import (
 )

 const (
-	compPoison  = "INVALIDINVALIDINVALIDINVALIDINVALID"
 	fsuConfFile = "/etc/fsurc"
 	envShim     = "FORTIFY_SHIM"
 	envAID      = "FORTIFY_APP_ID"
@ -22,11 +21,6 @@ const (
 	PR_SET_NO_NEW_PRIVS = 0x26
 )

-var (
-	Fmain = compPoison
-	Fshim = compPoison
-)
-
 func main() {
 	log.SetFlags(0)
 	log.SetPrefix("fsu: ")
@ -41,25 +35,16 @@ func main() {
 		log.Fatal("this program must not be started by root")
 	}

-	var fmain, fshim string
-	if p, ok := checkPath(Fmain); !ok {
-		log.Fatal("invalid fortify path, this copy of fsu is not compiled correctly")
-	} else {
-		fmain = p
-	}
-	if p, ok := checkPath(Fshim); !ok {
-		log.Fatal("invalid fshim path, this copy of fsu is not compiled correctly")
-	} else {
-		fshim = p
-	}
-
+	var toolPath string
 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
 		log.Fatal("fortify executable has been deleted")
-	} else if p != fmain {
+	} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
 		log.Fatal("this program must be started by fortify")
+	} else {
+		toolPath = p
 	}

 	// uid = 1000000 +
@ -67,8 +52,19 @@ func main() {
 	//           aid
 	uid := 1000000

+	// refuse to run if fsurc is not protected correctly
+	if s, err := os.Stat(fsuConfFile); err != nil {
+		log.Fatal(err)
+	} else if s.Mode().Perm() != 0400 {
+		log.Fatal("bad fsurc perm")
+	} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
+		log.Fatal("fsurc must be owned by uid 0")
+	}
+
 	// authenticate before accepting user input
-	if fid, ok := parseConfig(fsuConfFile, puid); !ok {
+	if f, err := os.Open(fsuConfFile); err != nil {
+		log.Fatal(err)
+	} else if fid, ok := mustParseConfig(f, puid); !ok {
 		log.Fatalf("uid %d is not in the fsurc file", puid)
 	} else {
 		uid += fid * 10000
@ -142,13 +138,9 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(fshim, []string{"fshim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

 	panic("unreachable")
 }
-
-func checkPath(p string) (string, bool) {
-	return p, p != compPoison && p != "" && path.IsAbs(p)
-}
--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
@ -0,0 +1,30 @@
+{
+  lib,
+  buildGoModule,
+  fortify ? abort "fortify package required",
+}:
+
+buildGoModule {
+  pname = "${fortify.pname}-fsu";
+  inherit (fortify) version;
+
+  src = ./.;
+  inherit (fortify) vendorHash;
+  CGO_ENABLED = 0;
+
+  preBuild = ''
+    go mod init fsu >& /dev/null
+  '';
+
+  ldflags =
+    lib.attrsets.foldlAttrs
+      (
+        ldflags: name: value:
+        ldflags ++ [ "-X main.${name}=${value}" ]
+      )
+      [ "-s -w" ]
+      {
+        fmain = "${fortify}/libexec/fortify";
+        fpkg = "${fortify}/libexec/fpkg";
+      };
+}
--- a/cmd/fsu/parse.go
+++ b/cmd/fsu/parse.go
@ -4,10 +4,9 @@ import (
 	"bufio"
 	"errors"
 	"fmt"
+	"io"
 	"log"
-	"os"
 	"strings"
-	"syscall"
 )

 func parseUint32Fast(s string) (int, error) {
@ -23,55 +22,46 @@ func parseUint32Fast(s string) (int, error) {
 	for i, ch := range []byte(s) {
 		ch -= '0'
 		if ch > 9 {
-			return -1, fmt.Errorf("invalid character '%s' at index %d", string([]byte{ch}), i)
+			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
 		}
 		n = n*10 + int(ch)
 	}
 	return n, nil
 }

-func parseConfig(p string, puid int) (fid int, ok bool) {
-	// refuse to run if fsurc is not protected correctly
-	if s, err := os.Stat(p); err != nil {
-		log.Fatal(err)
-	} else if s.Mode().Perm() != 0400 {
-		log.Fatal("bad fsurc perm")
-	} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
-		log.Fatal("fsurc must be owned by uid 0")
-	}
+func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
+	s := bufio.NewScanner(r)
+	var line, puid0 int
+	for s.Scan() {
+		line++

-	if r, err := os.Open(p); err != nil {
-		log.Fatal(err)
-		return -1, false
-	} else {
-		s := bufio.NewScanner(r)
-		var line int
-		for s.Scan() {
-			line++
-
-			// <puid> <fid>
-			lf := strings.SplitN(s.Text(), " ", 2)
-			if len(lf) != 2 {
-				log.Fatalf("invalid entry on line %d", line)
-			}
-
-			var puid0 int
-			if puid0, err = parseUint32Fast(lf[0]); err != nil || puid0 < 1 {
-				log.Fatalf("invalid parent uid on line %d", line)
-			}
-
-			ok = puid0 == puid
-			if ok {
-				// allowed fid range 0 to 99
-				if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
-					log.Fatalf("invalid fortify uid on line %d", line)
-				}
-				return
-			}
+		// <puid> <fid>
+		lf := strings.SplitN(s.Text(), " ", 2)
+		if len(lf) != 2 {
+			return -1, false, fmt.Errorf("invalid entry on line %d", line)
 		}
-		if err = s.Err(); err != nil {
-			log.Fatalf("cannot read fsurc: %v", err)
+
+		puid0, err = parseUint32Fast(lf[0])
+		if err != nil || puid0 < 1 {
+			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
+		}
+
+		ok = puid0 == puid
+		if ok {
+			// allowed fid range 0 to 99
+			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
+				return -1, false, fmt.Errorf("invalid fortify uid on line %d", line)
+			}
+			return
 		}
-		return -1, false
 	}
+	return -1, false, s.Err()
+}
+
+func mustParseConfig(r io.Reader, puid int) (int, bool) {
+	fid, ok, err := parseConfig(r, puid)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return fid, ok
 }
--- a/cmd/fsu/parse_test.go
+++ b/cmd/fsu/parse_test.go
@ -0,0 +1,96 @@
+package main
+
+import (
+	"bytes"
+	"strconv"
+	"testing"
+)
+
+func Test_parseUint32Fast(t *testing.T) {
+	t.Run("zero-length", func(t *testing.T) {
+		if _, err := parseUint32Fast(""); err == nil || err.Error() != "zero length string" {
+			t.Errorf(`parseUint32Fast(""): error = %v`, err)
+			return
+		}
+	})
+	t.Run("overflow", func(t *testing.T) {
+		if _, err := parseUint32Fast("10000000000"); err == nil || err.Error() != "string too long" {
+			t.Errorf("parseUint32Fast: error = %v", err)
+			return
+		}
+	})
+	t.Run("invalid byte", func(t *testing.T) {
+		if _, err := parseUint32Fast("meow"); err == nil || err.Error() != "invalid character 'm' at index 0" {
+			t.Errorf(`parseUint32Fast("meow"): error = %v`, err)
+			return
+		}
+	})
+	t.Run("full range", func(t *testing.T) {
+		testRange := func(i, end int) {
+			for ; i < end; i++ {
+				s := strconv.Itoa(i)
+				w := i
+				t.Run("parse "+s, func(t *testing.T) {
+					t.Parallel()
+					v, err := parseUint32Fast(s)
+					if err != nil {
+						t.Errorf("parseUint32Fast(%q): error = %v",
+							s, err)
+						return
+					}
+					if v != w {
+						t.Errorf("parseUint32Fast(%q): got %v",
+							s, v)
+						return
+					}
+				})
+			}
+		}
+
+		testRange(0, 5000)
+		testRange(105000, 110000)
+		testRange(23005000, 23010000)
+		testRange(456005000, 456010000)
+		testRange(7890005000, 7890010000)
+	})
+}
+
+func Test_parseConfig(t *testing.T) {
+	testCases := []struct {
+		name       string
+		puid, want int
+		wantErr    string
+		rc         string
+	}{
+		{"empty", 0, -1, "", ``},
+		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
+		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
+		{"invalid fid", 1000, -1, "invalid fortify uid on line 1", `1000 f`},
+		{"match", 1000, 0, "", `1000 0`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			if err == nil && tc.wantErr != "" {
+				t.Errorf("parseConfig: error = %v; wantErr %q",
+					err, tc.wantErr)
+				return
+			}
+			if err != nil && err.Error() != tc.wantErr {
+				t.Errorf("parseConfig: error = %q; wantErr %q",
+					err, tc.wantErr)
+				return
+			}
+			if ok == (tc.want == -1) {
+				t.Errorf("parseConfig: ok = %v; want %v",
+					ok, tc.want)
+				return
+			}
+			if fid != tc.want {
+				t.Errorf("parseConfig: fid = %v; want %v",
+					fid, tc.want)
+			}
+		})
+	}
+}
--- a/cmd/fsu/path.go
+++ b/cmd/fsu/path.go
@ -0,0 +1,21 @@
+package main
+
+import (
+	"log"
+	"path"
+)
+
+const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
+
+var (
+	fmain = compPoison
+	fpkg  = compPoison
+)
+
+func mustCheckPath(p string) string {
+	if p != compPoison && p != "" && path.IsAbs(p) {
+		return p
+	}
+	log.Fatal("this program is compiled incorrectly")
+	return compPoison
+}
--- a/cmd/fuserdb/main.go
+++ b/cmd/fuserdb/main.go
@ -1,69 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"path"
-	"strconv"
-
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-func main() {
-	fmsg.SetPrefix("fuserdb")
-
-	const varEmpty = "/var/empty"
-
-	out := flag.String("o", "userdb", "output directory")
-	homeDir := flag.String("d", varEmpty, "parent of home directories")
-	shell := flag.String("s", "/sbin/nologin", "absolute path to subordinate user shell")
-	flag.Parse()
-
-	type user struct {
-		name string
-		fid  int
-	}
-
-	users := make([]user, len(flag.Args()))
-	for i, s := range flag.Args() {
-		f := bytes.SplitN([]byte(s), []byte{':'}, 2)
-		if len(f) != 2 {
-			fmsg.Fatalf("invalid entry at index %d", i)
-		}
-		users[i].name = string(f[0])
-		if fid, err := strconv.Atoi(string(f[1])); err != nil {
-			fmsg.Fatal(err.Error())
-		} else {
-			users[i].fid = fid
-		}
-	}
-
-	if err := os.MkdirAll(*out, 0755); err != nil && !errors.Is(err, os.ErrExist) {
-		fmsg.Fatalf("cannot create output: %v", err)
-	}
-
-	for _, u := range users {
-		fidString := strconv.Itoa(u.fid)
-		for aid := 0; aid < 10000; aid++ {
-			userName := fmt.Sprintf("u%d_a%d", u.fid, aid)
-			uid := 1000000 + u.fid*10000 + aid
-			us := strconv.Itoa(uid)
-			realName := fmt.Sprintf("Fortify subordinate user %d (%s)", aid, u.name)
-			var homeDirectory string
-			if *homeDir != varEmpty {
-				homeDirectory = path.Join(*homeDir, "u"+fidString, "a"+strconv.Itoa(aid))
-			} else {
-				homeDirectory = varEmpty
-			}
-
-			writeUser(userName, uid, us, realName, homeDirectory, *shell, *out)
-			writeGroup(userName, uid, us, nil, *out)
-		}
-	}
-
-	fmsg.Printf("created %d entries", len(users)*2*10000)
-	fmsg.Exit(0)
-}
--- a/cmd/fuserdb/payload.go
+++ b/cmd/fuserdb/payload.go
@ -1,64 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"os"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-type payloadU struct {
-	UserName      string   `json:"userName"`
-	Uid           int      `json:"uid"`
-	Gid           int      `json:"gid"`
-	MemberOf      []string `json:"memberOf,omitempty"`
-	RealName      string   `json:"realName"`
-	HomeDirectory string   `json:"homeDirectory"`
-	Shell         string   `json:"shell"`
-}
-
-func writeUser(userName string, uid int, us string, realName, homeDirectory, shell string, out string) {
-	userFileName := userName + ".user"
-	if f, err := os.OpenFile(path.Join(out, userFileName), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644); err != nil {
-		fmsg.Fatalf("cannot create %s: %v", userName, err)
-	} else if err = json.NewEncoder(f).Encode(&payloadU{
-		UserName:      userName,
-		Uid:           uid,
-		Gid:           uid,
-		RealName:      realName,
-		HomeDirectory: homeDirectory,
-		Shell:         shell,
-	}); err != nil {
-		fmsg.Fatalf("cannot serialise %s: %v", userName, err)
-	} else if err = f.Close(); err != nil {
-		fmsg.Printf("cannot close %s: %v", userName, err)
-	}
-	if err := os.Symlink(userFileName, path.Join(out, us+".user")); err != nil {
-		fmsg.Fatalf("cannot link %s: %v", userName, err)
-	}
-}
-
-type payloadG struct {
-	GroupName string   `json:"groupName"`
-	Gid       int      `json:"gid"`
-	Members   []string `json:"members,omitempty"`
-}
-
-func writeGroup(groupName string, gid int, gs string, members []string, out string) {
-	groupFileName := groupName + ".group"
-	if f, err := os.OpenFile(path.Join(out, groupFileName), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644); err != nil {
-		fmsg.Fatalf("cannot create %s: %v", groupName, err)
-	} else if err = json.NewEncoder(f).Encode(&payloadG{
-		GroupName: groupName,
-		Gid:       gid,
-		Members:   members,
-	}); err != nil {
-		fmsg.Fatalf("cannot serialise %s: %v", groupName, err)
-	} else if err = f.Close(); err != nil {
-		fmsg.Printf("cannot close %s: %v", groupName, err)
-	}
-	if err := os.Symlink(groupFileName, path.Join(out, gs+".group")); err != nil {
-		fmsg.Fatalf("cannot link %s: %v", groupName, err)
-	}
-}
--- a/command/builder.go
+++ b/command/builder.go
@ -0,0 +1,65 @@
+package command
+
+import (
+	"flag"
+	"fmt"
+	"io"
+)
+
+// New initialises a root Node.
+func New(output io.Writer, logf LogFunc, name string, early HandlerFunc) Command {
+	c := rootNode{newNode(output, logf, name, "")}
+	c.f = early
+	return c
+}
+
+func newNode(output io.Writer, logf LogFunc, name, usage string) *node {
+	n := &node{
+		name: name, usage: usage,
+		out: output, logf: logf,
+		set: flag.NewFlagSet(name, flag.ContinueOnError),
+	}
+	n.set.SetOutput(output)
+	n.set.Usage = func() {
+		_ = n.writeHelp()
+		if n.suffix.Len() > 0 {
+			_, _ = fmt.Fprintln(output, "Flags:")
+			n.set.PrintDefaults()
+			_, _ = fmt.Fprintln(output)
+		}
+	}
+
+	return n
+}
+
+func (n *node) Command(name, usage string, f HandlerFunc) Node {
+	n.NewCommand(name, usage, f)
+	return n
+}
+
+func (n *node) NewCommand(name, usage string, f HandlerFunc) Flag[Node] {
+	if f == nil {
+		panic("invalid handler")
+	}
+	if name == "" || usage == "" {
+		panic("invalid subcommand")
+	}
+
+	s := newNode(n.out, n.logf, name, usage)
+	s.f = f
+	if !n.adopt(s) {
+		panic("attempted to initialise subcommand with non-unique name")
+	}
+	return s
+}
+
+func (n *node) New(name, usage string) Node {
+	if name == "" || usage == "" {
+		panic("invalid subcommand tree")
+	}
+	s := newNode(n.out, n.logf, name, usage)
+	if !n.adopt(s) {
+		panic("attempted to initialise subcommand tree with non-unique name")
+	}
+	return s
+}
--- a/command/builder_test.go
+++ b/command/builder_test.go
@ -0,0 +1,56 @@
+package command_test
+
+import (
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/command"
+)
+
+func TestBuild(t *testing.T) {
+	c := command.New(nil, nil, "test", nil)
+	stubHandler := func([]string) error { panic("unreachable") }
+
+	t.Run("nil direct handler", func(t *testing.T) {
+		defer checkRecover(t, "Command", "invalid handler")
+		c.Command("name", "usage", nil)
+	})
+
+	t.Run("direct zero length", func(t *testing.T) {
+		wantPanic := "invalid subcommand"
+		t.Run("zero length name", func(t *testing.T) { defer checkRecover(t, "Command", wantPanic); c.Command("", "usage", stubHandler) })
+		t.Run("zero length usage", func(t *testing.T) { defer checkRecover(t, "Command", wantPanic); c.Command("name", "", stubHandler) })
+	})
+
+	t.Run("direct adopt unique names", func(t *testing.T) {
+		c.Command("d0", "usage", stubHandler)
+		c.Command("d1", "usage", stubHandler)
+	})
+
+	t.Run("direct adopt non-unique name", func(t *testing.T) {
+		defer checkRecover(t, "Command", "attempted to initialise subcommand with non-unique name")
+		c.Command("d0", "usage", stubHandler)
+	})
+
+	t.Run("zero length", func(t *testing.T) {
+		wantPanic := "invalid subcommand tree"
+		t.Run("zero length name", func(t *testing.T) { defer checkRecover(t, "New", wantPanic); c.New("", "usage") })
+		t.Run("zero length usage", func(t *testing.T) { defer checkRecover(t, "New", wantPanic); c.New("name", "") })
+	})
+
+	t.Run("direct adopt unique names", func(t *testing.T) {
+		c.New("t0", "usage")
+		c.New("t1", "usage")
+	})
+
+	t.Run("direct adopt non-unique name", func(t *testing.T) {
+		defer checkRecover(t, "Command", "attempted to initialise subcommand tree with non-unique name")
+		c.New("t0", "usage")
+	})
+}
+
+func checkRecover(t *testing.T, name, wantPanic string) {
+	if r := recover(); r != wantPanic {
+		t.Errorf("%s: panic = %v; wantPanic %v",
+			name, r, wantPanic)
+	}
+}
--- a/command/command.go
+++ b/command/command.go
@ -0,0 +1,55 @@
+// Package command implements generic nested command parsing.
+package command
+
+import (
+	"flag"
+	"strings"
+)
+
+// UsageInternal causes the command to be hidden from help text when set as the usage string.
+const UsageInternal = "internal"
+
+type (
+	// HandlerFunc is called when matching a directly handled subcommand tree.
+	HandlerFunc = func(args []string) error
+
+	// LogFunc is the function signature of a printf function.
+	LogFunc = func(format string, a ...any)
+
+	// FlagDefiner is a deferred flag definer value, usually encapsulating the default value.
+	FlagDefiner interface {
+		// Define defines the flag in set.
+		Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string)
+	}
+
+	Flag[T any] interface {
+		// Flag defines a generic flag type in Node's flag set.
+		Flag(p any, name string, value FlagDefiner, usage string) T
+	}
+
+	Command interface {
+		Parse(arguments []string) error
+
+		// MustParse determines exit outcomes for Parse errors
+		// and calls handleError if [HandlerFunc] returns a non-nil error.
+		MustParse(arguments []string, handleError func(error))
+
+		baseNode[Command]
+	}
+	Node baseNode[Node]
+
+	baseNode[T any] interface {
+		// Command appends a subcommand with direct command handling.
+		Command(name, usage string, f HandlerFunc) T
+
+		// New returns a new subcommand tree.
+		New(name, usage string) (sub Node)
+		// NewCommand returns a new subcommand with direct command handling.
+		NewCommand(name, usage string, f HandlerFunc) (sub Flag[Node])
+
+		// PrintHelp prints a help message to the configured writer.
+		PrintHelp()
+
+		Flag[T]
+	}
+)
--- a/command/flag.go
+++ b/command/flag.go
@ -0,0 +1,77 @@
+package command
+
+import (
+	"errors"
+	"flag"
+	"strings"
+)
+
+// FlagError wraps errors returned by [flag].
+type FlagError struct{ error }
+
+func (e FlagError) Success() bool { return errors.Is(e.error, flag.ErrHelp) }
+func (e FlagError) Is(target error) bool {
+	return (e.error == nil && target == nil) ||
+		((e.error != nil && target != nil) && e.error.Error() == target.Error())
+}
+
+func (n *node) Flag(p any, name string, value FlagDefiner, usage string) Node {
+	value.Define(&n.suffix, n.set, p, name, usage)
+	return n
+}
+
+// StringFlag is the default value of a string flag.
+type StringFlag string
+
+func (v StringFlag) Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string) {
+	set.StringVar(p.(*string), name, string(v), usage)
+	b.WriteString(" [" + prettyFlag(name) + " <value>]")
+}
+
+// IntFlag is the default value of an int flag.
+type IntFlag int
+
+func (v IntFlag) Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string) {
+	set.IntVar(p.(*int), name, int(v), usage)
+	b.WriteString(" [" + prettyFlag(name) + " <int>]")
+}
+
+// BoolFlag is the default value of a bool flag.
+type BoolFlag bool
+
+func (v BoolFlag) Define(b *strings.Builder, set *flag.FlagSet, p any, name, usage string) {
+	set.BoolVar(p.(*bool), name, bool(v), usage)
+	b.WriteString(" [" + prettyFlag(name) + "]")
+}
+
+// RepeatableFlag implements an ordered, repeatable string flag.
+type RepeatableFlag []string
+
+func (r *RepeatableFlag) String() string {
+	if r == nil {
+		return "<nil>"
+	}
+	return strings.Join(*r, " ")
+}
+
+func (r *RepeatableFlag) Set(v string) error {
+	*r = append(*r, v)
+	return nil
+}
+
+func (r *RepeatableFlag) Define(b *strings.Builder, set *flag.FlagSet, _ any, name, usage string) {
+	set.Var(r, name, usage)
+	b.WriteString(" [" + prettyFlag(name) + " <value>]")
+}
+
+// this has no effect on parse outcome
+func prettyFlag(name string) string {
+	switch len(name) {
+	case 0:
+		panic("zero length flag name")
+	case 1:
+		return "-" + name
+	default:
+		return "--" + name
+	}
+}
--- a/command/help.go
+++ b/command/help.go
@ -0,0 +1,53 @@
+package command
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+	"text/tabwriter"
+)
+
+var ErrHelp = errors.New("help requested")
+
+func (n *node) PrintHelp() { _ = n.writeHelp() }
+
+func (n *node) writeHelp() error {
+	if _, err := fmt.Fprintf(n.out,
+		"\nUsage:\t%s [-h | --help]%s COMMAND [OPTIONS]\n",
+		strings.Join(append(n.prefix, n.name), " "), &n.suffix,
+	); err != nil {
+		return err
+	}
+	if n.child != nil {
+		if _, err := fmt.Fprint(n.out, "\nCommands:\n"); err != nil {
+			return err
+		}
+	}
+
+	tw := tabwriter.NewWriter(n.out, 0, 1, 4, ' ', 0)
+	if err := n.child.writeCommands(tw); err != nil {
+		return err
+	}
+	if err := tw.Flush(); err != nil {
+		return err
+	}
+
+	_, err := n.out.Write([]byte{'\n'})
+	if err == nil {
+		err = ErrHelp
+	}
+	return err
+}
+
+func (n *node) writeCommands(w io.Writer) error {
+	if n == nil {
+		return nil
+	}
+	if n.usage != UsageInternal {
+		if _, err := fmt.Fprintf(w, "\t%s\t%s\n", n.name, n.usage); err != nil {
+			return err
+		}
+	}
+	return n.next.writeCommands(w)
+}
--- a/command/node.go
+++ b/command/node.go
@ -0,0 +1,40 @@
+package command
+
+import (
+	"flag"
+	"io"
+	"strings"
+)
+
+type node struct {
+	child, next *node
+	name, usage string
+
+	out  io.Writer
+	logf LogFunc
+
+	prefix []string
+	suffix strings.Builder
+
+	f   HandlerFunc
+	set *flag.FlagSet
+}
+
+func (n *node) adopt(v *node) bool {
+	if n.child != nil {
+		return n.child.append(v)
+	}
+	n.child = v
+	return true
+}
+
+func (n *node) append(v *node) bool {
+	if n.name == v.name {
+		return false
+	}
+	if n.next != nil {
+		return n.next.append(v)
+	}
+	n.next = v
+	return true
+}
--- a/command/parse.go
+++ b/command/parse.go
@ -0,0 +1,105 @@
+package command
+
+import (
+	"errors"
+	"log"
+	"os"
+)
+
+var (
+	ErrEmptyTree = errors.New("subcommand tree has no nodes")
+	ErrNoMatch   = errors.New("did not match any subcommand")
+)
+
+func (n *node) Parse(arguments []string) error {
+	if n.usage == "" { // root node has zero length usage
+		if n.next != nil {
+			panic("invalid toplevel state")
+		}
+		goto match
+	}
+
+	if len(arguments) == 0 {
+		// unreachable: zero length args cause upper level to return with a help message
+		panic("attempted to parse with zero length args")
+	}
+	if arguments[0] != n.name {
+		if n.next == nil {
+			n.printf("%q is not a valid command", arguments[0])
+			return ErrNoMatch
+		}
+		n.next.prefix = n.prefix
+		return n.next.Parse(arguments)
+	}
+	arguments = arguments[1:]
+
+match:
+	if n.child != nil {
+		// propagate help prefix early: flag set usage dereferences help
+		n.child.prefix = append(n.prefix, n.name)
+	}
+
+	if n.set.Parsed() {
+		panic("invalid set state")
+	}
+	if err := n.set.Parse(arguments); err != nil {
+		return FlagError{err}
+	}
+	args := n.set.Args()
+
+	if n.child != nil {
+		if n.f != nil {
+			if n.usage != "" { // root node early special case
+				panic("invalid subcommand tree state")
+			}
+
+			// special case: root node calls HandlerFunc for initialisation
+			if err := n.f(nil); err != nil {
+				return err
+			}
+		}
+
+		if len(args) == 0 {
+			return n.writeHelp()
+		}
+		return n.child.Parse(args)
+	}
+
+	if n.f == nil {
+		n.printf("%q has no subcommands", n.name)
+		return ErrEmptyTree
+	}
+	return n.f(args)
+}
+
+func (n *node) printf(format string, a ...any) {
+	if n.logf == nil {
+		log.Printf(format, a...)
+	} else {
+		n.logf(format, a...)
+	}
+}
+
+func (n *node) MustParse(arguments []string, handleError func(error)) {
+	switch err := n.Parse(arguments); err {
+	case nil:
+		return
+	case ErrHelp:
+		os.Exit(0)
+	case ErrNoMatch:
+		os.Exit(1)
+	case ErrEmptyTree:
+		os.Exit(1)
+	default:
+		var flagError FlagError
+		if !errors.As(err, &flagError) { // returned by HandlerFunc
+			handleError(err)
+			os.Exit(1)
+		}
+
+		if flagError.Success() {
+			os.Exit(0)
+		}
+		os.Exit(1)
+	}
+}
--- a/command/parse_test.go
+++ b/command/parse_test.go
@ -0,0 +1,344 @@
+package command_test
+
+import (
+	"bytes"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"strings"
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/command"
+)
+
+func TestParse(t *testing.T) {
+	testCases := []struct {
+		name      string
+		buildTree func(wout, wlog io.Writer) command.Command
+		args      []string
+		want      string
+		wantLog   string
+		wantErr   error
+	}{
+		{
+			"d=0 empty sub",
+			func(wout, wlog io.Writer) command.Command { return command.New(wout, newLogFunc(wlog), "root", nil) },
+			[]string{""},
+			"", "test: \"root\" has no subcommands\n", command.ErrEmptyTree,
+		},
+		{
+			"d=0 empty sub garbage",
+			func(wout, wlog io.Writer) command.Command { return command.New(wout, newLogFunc(wlog), "root", nil) },
+			[]string{"a", "b", "c", "d"},
+			"", "test: \"root\" has no subcommands\n", command.ErrEmptyTree,
+		},
+		{
+			"d=0 no match",
+			buildTestCommand,
+			[]string{"nonexistent"},
+			"", "test: \"nonexistent\" is not a valid command\n", command.ErrNoMatch,
+		},
+		{
+			"d=0 direct error",
+			buildTestCommand,
+			[]string{"error"},
+			"", "", errSuccess,
+		},
+		{
+			"d=0 direct error garbage",
+			buildTestCommand,
+			[]string{"error", "0", "1", "2"},
+			"", "", errSuccess,
+		},
+		{
+			"d=0 direct success out of order",
+			buildTestCommand,
+			[]string{"succeed"},
+			"", "", nil,
+		},
+		{
+			"d=0 direct success output",
+			buildTestCommand,
+			[]string{"print", "0", "1", "2"},
+			"012", "", nil,
+		},
+		{
+			"d=0 out of order string flag",
+			buildTestCommand,
+			[]string{"string", "--string", "64d3b4b7b21788585845060e2199a78f"},
+			"flag provided but not defined: -string\n\nUsage:\ttest string [-h | --help] COMMAND [OPTIONS]\n\n", "",
+			errors.New("flag provided but not defined: -string"),
+		},
+		{
+			"d=0 string flag",
+			buildTestCommand,
+			[]string{"--string", "64d3b4b7b21788585845060e2199a78f", "string"},
+			"64d3b4b7b21788585845060e2199a78f", "", nil,
+		},
+		{
+			"d=0 int flag",
+			buildTestCommand,
+			[]string{"--int", "2147483647", "int"},
+			"2147483647", "", nil,
+		},
+		{
+			"d=0 repeat flag",
+			buildTestCommand,
+			[]string{"--repeat", "0", "--repeat", "1", "--repeat", "2", "--repeat", "3", "--repeat", "4", "repeat"},
+			"[0 1 2 3 4]", "", nil,
+		},
+		{
+			"d=0 bool flag",
+			buildTestCommand,
+			[]string{"-v", "succeed"},
+			"", "test: verbose\n", nil,
+		},
+		{
+			"d=0 bool flag early error",
+			buildTestCommand,
+			[]string{"--fail", "succeed"},
+			"", "", errSuccess,
+		},
+
+		{
+			"d=1 empty sub",
+			buildTestCommand,
+			[]string{"empty"},
+			"", "test: \"empty\" has no subcommands\n", command.ErrEmptyTree,
+		},
+		{
+			"d=1 empty sub garbage",
+			buildTestCommand,
+			[]string{"empty", "a", "b", "c", "d"},
+			"", "test: \"empty\" has no subcommands\n", command.ErrEmptyTree,
+		},
+		{
+			"d=1 empty sub help",
+			buildTestCommand,
+			[]string{"empty", "-h"},
+			"\nUsage:\ttest empty [-h | --help] COMMAND [OPTIONS]\n\n", "", flag.ErrHelp,
+		},
+		{
+			"d=1 no match",
+			buildTestCommand,
+			[]string{"join", "23aa3bb0", "34986782", "d8859355", "cd9ac317", ", "},
+			"", "test: \"23aa3bb0\" is not a valid command\n", command.ErrNoMatch,
+		},
+		{
+			"d=1 direct success out",
+			buildTestCommand,
+			[]string{"join", "out", "23aa3bb0", "34986782", "d8859355", "cd9ac317", ", "},
+			"23aa3bb0, 34986782, d8859355, cd9ac317", "", nil,
+		},
+		{
+			"d=1 direct success log",
+			buildTestCommand,
+			[]string{"join", "log", "23aa3bb0", "34986782", "d8859355", "cd9ac317", ", "},
+			"", "test: 23aa3bb0, 34986782, d8859355, cd9ac317\n", nil,
+		},
+
+		{
+			"d=4 empty sub",
+			buildTestCommand,
+			[]string{"deep", "d=2", "d=3", "d=4"},
+			"", "test: \"d=4\" has no subcommands\n", command.ErrEmptyTree},
+
+		{
+			"d=0 help",
+			buildTestCommand,
+			[]string{},
+			`
+Usage:	test [-h | --help] [-v] [--fail] [--string <value>] [--int <int>] [--repeat <value>] COMMAND [OPTIONS]
+
+Commands:
+    error      return an error
+    print      wraps Fprint
+    string     print string passed by flag
+    int        print int passed by flag
+    repeat     print repeated values passed by flag
+    empty      empty subcommand
+    join       wraps strings.Join
+    succeed    this command succeeds
+    deep       top level of command tree with various levels
+
+`, "", command.ErrHelp,
+		},
+		{
+			"d=0 help flag",
+			buildTestCommand,
+			[]string{"-h"},
+			`
+Usage:	test [-h | --help] [-v] [--fail] [--string <value>] [--int <int>] [--repeat <value>] COMMAND [OPTIONS]
+
+Commands:
+    error      return an error
+    print      wraps Fprint
+    string     print string passed by flag
+    int        print int passed by flag
+    repeat     print repeated values passed by flag
+    empty      empty subcommand
+    join       wraps strings.Join
+    succeed    this command succeeds
+    deep       top level of command tree with various levels
+
+Flags:
+  -fail
+    	fail early
+  -int int
+    	store value for the "int" command (default -1)
+  -repeat value
+    	store value for the "repeat" command
+  -string string
+    	store value for the "string" command (default "default")
+  -v	verbose output
+
+`, "", flag.ErrHelp,
+		},
+
+		{
+			"d=1 help",
+			buildTestCommand,
+			[]string{"join"},
+			`
+Usage:	test join [-h | --help] COMMAND [OPTIONS]
+
+Commands:
+    out    write result to wout
+    log    log result to wlog
+
+`, "", command.ErrHelp,
+		},
+		{
+			"d=1 help flag",
+			buildTestCommand,
+			[]string{"join", "-h"},
+			`
+Usage:	test join [-h | --help] COMMAND [OPTIONS]
+
+Commands:
+    out    write result to wout
+    log    log result to wlog
+
+`, "", flag.ErrHelp,
+		},
+
+		{
+			"d=2 help",
+			buildTestCommand,
+			[]string{"deep", "d=2"},
+			`
+Usage:	test deep d=2 [-h | --help] COMMAND [OPTIONS]
+
+Commands:
+    d=3    relative third level
+
+`, "", command.ErrHelp,
+		},
+		{
+			"d=2 help flag",
+			buildTestCommand,
+			[]string{"deep", "d=2", "-h"},
+			`
+Usage:	test deep d=2 [-h | --help] COMMAND [OPTIONS]
+
+Commands:
+    d=3    relative third level
+
+`, "", flag.ErrHelp,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			wout, wlog := new(bytes.Buffer), new(bytes.Buffer)
+			c := tc.buildTree(wout, wlog)
+
+			if err := c.Parse(tc.args); !errors.Is(err, tc.wantErr) {
+				t.Errorf("Parse: error = %v; wantErr %v", err, tc.wantErr)
+			}
+			if got := wout.String(); got != tc.want {
+				t.Errorf("Parse: %s want %s", got, tc.want)
+			}
+			if gotLog := wlog.String(); gotLog != tc.wantLog {
+				t.Errorf("Parse: log = %s wantLog %s", gotLog, tc.wantLog)
+			}
+		})
+	}
+}
+
+var (
+	errJoinLen = errors.New("not enough arguments to join")
+	errSuccess = errors.New("success")
+)
+
+func buildTestCommand(wout, wlog io.Writer) (c command.Command) {
+	var (
+		flagVerbose bool
+		flagFail    bool
+
+		flagString string
+		flagInt    int
+		flagRepeat command.RepeatableFlag
+	)
+
+	logf := newLogFunc(wlog)
+	c = command.New(wout, logf, "test", func([]string) error {
+		if flagVerbose {
+			logf("verbose")
+		}
+		if flagFail {
+			return errSuccess
+		}
+		return nil
+	}).
+		Flag(&flagVerbose, "v", command.BoolFlag(false), "verbose output").
+		Flag(&flagFail, "fail", command.BoolFlag(false), "fail early").
+		Command("error", "return an error", func([]string) error {
+			return errSuccess
+		}).
+		Command("print", "wraps Fprint", func(args []string) error {
+			a := make([]any, len(args))
+			for i, v := range args {
+				a[i] = v
+			}
+			_, err := fmt.Fprint(wout, a...)
+			return err
+		}).
+		Flag(&flagString, "string", command.StringFlag("default"), "store value for the \"string\" command").
+		Command("string", "print string passed by flag", func(args []string) error { _, err := fmt.Fprint(wout, flagString); return err }).
+		Flag(&flagInt, "int", command.IntFlag(-1), "store value for the \"int\" command").
+		Command("int", "print int passed by flag", func(args []string) error { _, err := fmt.Fprint(wout, flagInt); return err }).
+		Flag(nil, "repeat", &flagRepeat, "store value for the \"repeat\" command").
+		Command("repeat", "print repeated values passed by flag", func(args []string) error { _, err := fmt.Fprint(wout, flagRepeat); return err })
+
+	c.New("empty", "empty subcommand")
+	c.New("hidden", command.UsageInternal)
+
+	c.New("join", "wraps strings.Join").
+		Command("out", "write result to wout", func(args []string) error {
+			if len(args) == 0 {
+				return errJoinLen
+			}
+			_, err := fmt.Fprint(wout, strings.Join(args[:len(args)-1], args[len(args)-1]))
+			return err
+		}).
+		Command("log", "log result to wlog", func(args []string) error {
+			if len(args) == 0 {
+				return errJoinLen
+			}
+			logf("%s", strings.Join(args[:len(args)-1], args[len(args)-1]))
+			return nil
+		})
+
+	c.Command("succeed", "this command succeeds", func([]string) error { return nil })
+
+	c.New("deep", "top level of command tree with various levels").
+		New("d=2", "relative second level").
+		New("d=3", "relative third level").
+		New("d=4", "relative fourth level")
+
+	return
+}
+
+func newLogFunc(w io.Writer) command.LogFunc { return log.New(w, "test: ", 0).Printf }
--- a/command/unreachable_test.go
+++ b/command/unreachable_test.go
@ -0,0 +1,54 @@
+package command
+
+import (
+	"flag"
+	"testing"
+)
+
+func TestParseUnreachable(t *testing.T) {
+	// top level bypasses name matching and recursive calls to Parse
+	// returns when encountering zero-length args
+	t.Run("zero-length args", func(t *testing.T) {
+		defer checkRecover(t, "Parse", "attempted to parse with zero length args")
+		_ = newNode(panicWriter{}, nil, " ", " ").Parse(nil)
+	})
+
+	// top level must not have siblings
+	t.Run("toplevel siblings", func(t *testing.T) {
+		defer checkRecover(t, "Parse", "invalid toplevel state")
+		n := newNode(panicWriter{}, nil, " ", "")
+		n.append(newNode(panicWriter{}, nil, "  ", " "))
+		_ = n.Parse(nil)
+	})
+
+	// a node with descendents must not have a direct handler
+	t.Run("sub handle conflict", func(t *testing.T) {
+		defer checkRecover(t, "Parse", "invalid subcommand tree state")
+		n := newNode(panicWriter{}, nil, " ", " ")
+		n.adopt(newNode(panicWriter{}, nil, " ", " "))
+		n.f = func([]string) error { panic("unreachable") }
+		_ = n.Parse([]string{" "})
+	})
+
+	// this would only happen if a node was matched twice
+	t.Run("parsed flag set", func(t *testing.T) {
+		defer checkRecover(t, "Parse", "invalid set state")
+		n := newNode(panicWriter{}, nil, " ", "")
+		set := flag.NewFlagSet("parsed", flag.ContinueOnError)
+		set.SetOutput(panicWriter{})
+		_ = set.Parse(nil)
+		n.set = set
+		_ = n.Parse(nil)
+	})
+}
+
+type panicWriter struct{}
+
+func (p panicWriter) Write([]byte) (int, error) { panic("unreachable") }
+
+func checkRecover(t *testing.T, name, wantPanic string) {
+	if r := recover(); r != wantPanic {
+		t.Errorf("%s: panic = %v; wantPanic %v",
+			name, r, wantPanic)
+	}
+}
--- a/command/wrap.go
+++ b/command/wrap.go
@ -0,0 +1,14 @@
+package command
+
+// the top level node wants [Command] returned for its builder methods
+type rootNode struct{ *node }
+
+func (r rootNode) Command(name, usage string, f HandlerFunc) Command {
+	r.node.Command(name, usage, f)
+	return r
+}
+
+func (r rootNode) Flag(p any, name string, value FlagDefiner, usage string) Command {
+	r.node.Flag(p, name, value, usage)
+	return r
+}
--- a/dbus/address.go
+++ b/dbus/address.go
@ -0,0 +1,186 @@
+package dbus
+
+import (
+	"bytes"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"slices"
+)
+
+type AddrEntry struct {
+	Method string      `json:"method"`
+	Values [][2]string `json:"values"`
+}
+
+// Parse parses D-Bus address according to
+// https://dbus.freedesktop.org/doc/dbus-specification.html#addresses
+func Parse(addr []byte) ([]AddrEntry, error) {
+	// Look for a semicolon
+	address := bytes.Split(bytes.TrimSuffix(addr, []byte{';'}), []byte{';'})
+
+	// Allocate for entries
+	v := make([]AddrEntry, len(address))
+
+	for i, s := range address {
+		var pairs [][]byte
+
+		// Look for the colon :
+		if method, list, ok := bytes.Cut(s, []byte{':'}); !ok {
+			return v, &BadAddressError{ErrNoColon, i, s, -1, nil}
+		} else {
+			pairs = bytes.Split(list, []byte{','})
+			v[i].Method = string(method)
+			v[i].Values = make([][2]string, len(pairs))
+		}
+
+		for j, pair := range pairs {
+			key, value, ok := bytes.Cut(pair, []byte{'='})
+			if !ok {
+				return v, &BadAddressError{ErrBadPairSep, i, s, j, pair}
+			}
+			if len(key) == 0 {
+				return v, &BadAddressError{ErrBadPairKey, i, s, j, pair}
+			}
+			if len(value) == 0 {
+				return v, &BadAddressError{ErrBadPairVal, i, s, j, pair}
+			}
+			v[i].Values[j][0] = string(key)
+
+			if val, errno := unescapeValue(value); errno != errSuccess {
+				return v, &BadAddressError{errno, i, s, j, pair}
+			} else {
+				v[i].Values[j][1] = string(val)
+			}
+		}
+	}
+
+	return v, nil
+}
+
+func unescapeValue(v []byte) (val []byte, errno ParseError) {
+	if l := len(v) - (bytes.Count(v, []byte{'%'}) * 2); l < 0 {
+		errno = ErrBadValLength
+		return
+	} else {
+		val = make([]byte, l)
+	}
+
+	var i, skip int
+	for iu, b := range v {
+		if skip > 0 {
+			skip--
+			continue
+		}
+
+		if ib := bytes.IndexByte([]byte("-_/.\\*"), b); ib != -1 { // - // _/.\*
+			goto opt
+		} else if b >= '0' && b <= '9' { // 0-9
+			goto opt
+		} else if b >= 'A' && b <= 'Z' { // A-Z
+			goto opt
+		} else if b >= 'a' && b <= 'z' { // a-z
+			goto opt
+		}
+
+		if b != '%' {
+			errno = ErrBadValByte
+			break
+		}
+
+		skip += 2
+		if iu+2 >= len(v) {
+			errno = ErrBadValHexLength
+			break
+		}
+		if c, err := hex.Decode(val[i:i+1], v[iu+1:iu+3]); err != nil {
+			if errors.As(err, new(hex.InvalidByteError)) {
+				errno = ErrBadValHexByte
+				break
+			}
+			// unreachable
+			panic(err.Error())
+		} else if c != 1 {
+			// unreachable
+			panic(fmt.Sprintf("invalid decode length %d", c))
+		}
+		i++
+		continue
+
+	opt:
+		val[i] = b
+		i++
+	}
+
+	return
+}
+
+type ParseError uint8
+
+func (e ParseError) Error() string {
+	switch e {
+	case errSuccess:
+		panic("attempted to return success as error")
+	case ErrNoColon:
+		return "address does not contain a colon"
+	case ErrBadPairSep:
+		return "'=' character not found"
+	case ErrBadPairKey:
+		return "'=' character has no key preceding it"
+	case ErrBadPairVal:
+		return "'=' character has no value following it"
+	case ErrBadValLength:
+		return "unescaped value has impossible length"
+	case ErrBadValByte:
+		return "in D-Bus address, characters other than [-0-9A-Za-z_/.\\*] should have been escaped"
+	case ErrBadValHexLength:
+		return "in D-Bus address, percent character was not followed by two hex digits"
+	case ErrBadValHexByte:
+		return "in D-Bus address, percent character was followed by characters other than hex digits"
+
+	default:
+		return fmt.Sprintf("parse error %d", e)
+	}
+}
+
+const (
+	errSuccess ParseError = iota
+	ErrNoColon
+	ErrBadPairSep
+	ErrBadPairKey
+	ErrBadPairVal
+	ErrBadValLength
+	ErrBadValByte
+	ErrBadValHexLength
+	ErrBadValHexByte
+)
+
+type BadAddressError struct {
+	// error type
+	Type ParseError
+
+	// bad entry position
+	EntryPos int
+	// bad entry value
+	EntryVal []byte
+
+	// bad pair position
+	PairPos int
+	// bad pair value
+	PairVal []byte
+}
+
+func (a *BadAddressError) Is(err error) bool {
+	var b *BadAddressError
+	return errors.As(err, &b) && a.Type == b.Type &&
+		a.EntryPos == b.EntryPos && slices.Equal(a.EntryVal, b.EntryVal) &&
+		a.PairPos == b.PairPos && slices.Equal(a.PairVal, b.PairVal)
+}
+
+func (a *BadAddressError) Error() string {
+	return a.Type.Error()
+}
+
+func (a *BadAddressError) Unwrap() error {
+	return a.Type
+}
--- a/dbus/address_escape_test.go
+++ b/dbus/address_escape_test.go
@ -0,0 +1,55 @@
+package dbus
+
+import (
+	"testing"
+)
+
+func TestUnescapeValue(t *testing.T) {
+	testCases := []struct {
+		value   string
+		want    string
+		wantErr ParseError
+	}{
+		// upstream test cases
+		{value: "abcde", want: "abcde"},
+		{value: "", want: ""},
+		{value: "%20%20", want: "  "},
+		{value: "%24", want: "$"},
+		{value: "%25", want: "%"},
+		{value: "abc%24", want: "abc$"},
+		{value: "%24abc", want: "$abc"},
+		{value: "abc%24abc", want: "abc$abc"},
+		{value: "/", want: "/"},
+		{value: "-", want: "-"},
+		{value: "_", want: "_"},
+		{value: "A", want: "A"},
+		{value: "I", want: "I"},
+		{value: "Z", want: "Z"},
+		{value: "a", want: "a"},
+		{value: "i", want: "i"},
+		{value: "z", want: "z"},
+		/* Bug: https://bugs.freedesktop.org/show_bug.cgi?id=53499 */
+		{value: "%c3%b6", want: "\xc3\xb6"},
+
+		{value: "%a", wantErr: ErrBadValHexLength},
+		{value: "%q", wantErr: ErrBadValHexLength},
+		{value: "%az", wantErr: ErrBadValHexByte},
+		{value: "%%", wantErr: ErrBadValLength},
+		{value: "%$$", wantErr: ErrBadValHexByte},
+		{value: "abc%a", wantErr: ErrBadValHexLength},
+		{value: "%axyz", wantErr: ErrBadValHexByte},
+		{value: "%", wantErr: ErrBadValLength},
+		{value: "$", wantErr: ErrBadValByte},
+		{value: " ", wantErr: ErrBadValByte},
+	}
+
+	for _, tc := range testCases {
+		t.Run("unescape "+tc.value, func(t *testing.T) {
+			if got, errno := unescapeValue([]byte(tc.value)); errno != tc.wantErr {
+				t.Errorf("unescapeValue() errno = %v, wantErr %v", errno, tc.wantErr)
+			} else if tc.wantErr == errSuccess && string(got) != tc.want {
+				t.Errorf("unescapeValue() = %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
--- a/dbus/address_test.go
+++ b/dbus/address_test.go
@ -0,0 +1,119 @@
+package dbus_test
+
+import (
+	"errors"
+	"reflect"
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/dbus"
+)
+
+func TestParse(t *testing.T) {
+	testCases := []struct {
+		name    string
+		addr    string
+		want    []dbus.AddrEntry
+		wantErr error
+	}{
+		{
+			name: "simple session unix",
+			addr: "unix:path=/run/user/1971/bus",
+			want: []dbus.AddrEntry{{
+				Method: "unix",
+				Values: [][2]string{{"path", "/run/user/1971/bus"}},
+			}},
+		},
+		{
+			name: "simple upper escape",
+			addr: "debug:name=Test,cat=cute,escaped=%c3%b6",
+			want: []dbus.AddrEntry{{
+				Method: "debug",
+				Values: [][2]string{
+					{"name", "Test"},
+					{"cat", "cute"},
+					{"escaped", "\xc3\xb6"},
+				},
+			}},
+		},
+		{
+			name: "simple bad escape",
+			addr: "debug:name=%",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadValLength,
+				EntryPos: 0, EntryVal: []byte("debug:name=%"), PairPos: 0, PairVal: []byte("name=%")},
+		},
+
+		// upstream test cases
+		{
+			name: "full address success",
+			addr: "unix:path=/tmp/foo;debug:name=test,sliff=sloff;",
+			want: []dbus.AddrEntry{
+				{Method: "unix", Values: [][2]string{{"path", "/tmp/foo"}}},
+				{Method: "debug", Values: [][2]string{{"name", "test"}, {"sliff", "sloff"}}},
+			},
+		},
+		{
+			name: "empty address",
+			addr: "",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrNoColon,
+				EntryVal: []byte{}, PairPos: -1},
+		},
+		{
+			name: "no body",
+			addr: "foo",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrNoColon,
+				EntryPos: 0, EntryVal: []byte("foo"), PairPos: -1},
+		},
+		{
+			name: "no pair separator",
+			addr: "foo:bar",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadPairSep,
+				EntryPos: 0, EntryVal: []byte("foo:bar"), PairPos: 0, PairVal: []byte("bar")},
+		},
+		{
+			name: "no pair separator multi pair",
+			addr: "foo:bar,baz",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadPairSep,
+				EntryPos: 0, EntryVal: []byte("foo:bar,baz"), PairPos: 0, PairVal: []byte("bar")},
+		},
+		{
+			name: "no pair separator single valid pair",
+			addr: "foo:bar=foo,baz",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadPairSep,
+				EntryPos: 0, EntryVal: []byte("foo:bar=foo,baz"), PairPos: 1, PairVal: []byte("baz")},
+		},
+		{
+			name: "no body single valid address",
+			addr: "foo:bar=foo;baz",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrNoColon,
+				EntryPos: 1, EntryVal: []byte("baz"), PairPos: -1},
+		},
+		{
+			name: "no key",
+			addr: "foo:=foo",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadPairKey,
+				EntryPos: 0, EntryVal: []byte("foo:=foo"), PairPos: 0, PairVal: []byte("=foo")},
+		},
+		{
+			name: "no value",
+			addr: "foo:foo=",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadPairVal,
+				EntryPos: 0, EntryVal: []byte("foo:foo="), PairPos: 0, PairVal: []byte("foo=")},
+		},
+		{
+			name: "no pair separator single valid pair trailing",
+			addr: "foo:foo,bar=baz",
+			wantErr: &dbus.BadAddressError{Type: dbus.ErrBadPairSep,
+				EntryPos: 0, EntryVal: []byte("foo:foo,bar=baz"), PairPos: 0, PairVal: []byte("foo")},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got, err := dbus.Parse([]byte(tc.addr)); !errors.Is(err, tc.wantErr) {
+				t.Errorf("Parse() error = %v, wantErr %v", err, tc.wantErr)
+			} else if tc.wantErr == nil && !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("Parse() = %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}
--- a/dbus/config_test.go
+++ b/dbus/config_test.go
@ -13,7 +13,7 @@ import (
 )

 func TestConfig_Args(t *testing.T) {
-	for _, tc := range testCases() {
+	for _, tc := range makeTestCases() {
 		if tc.wantErr {
 			// args does not check for nulls
 			continue
@ -30,7 +30,7 @@ func TestConfig_Args(t *testing.T) {
 }

 func TestNewConfigFromFile(t *testing.T) {
-	for _, tc := range testCases() {
+	for _, tc := range makeTestCases() {
 		name := new(strings.Builder)
 		name.WriteString("parse configuration file for application ")
 		name.WriteString(tc.id)
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@ -1,12 +1,22 @@
 package dbus_test

 import (
+	"bytes"
+	"context"
 	"errors"
+	"fmt"
+	"os"
+	"os/exec"
 	"strings"
+	"syscall"
 	"testing"
+	"time"

 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/sandbox"
 )

 func TestNew(t *testing.T) {
@ -62,7 +72,7 @@ func TestProxy_Seal(t *testing.T) {
 	for id, tc := range testCasePairs() {
 		t.Run("create seal for "+id, func(t *testing.T) {
 			p := dbus.New(tc[0].bus, tc[1].bus)
-			if err := p.Seal(tc[0].c, tc[1].c); (errors.Is(err, helper.ErrContainsNull)) != tc[0].wantErr {
+			if err := p.Seal(tc[0].c, tc[1].c); (errors.Is(err, syscall.EINVAL)) != tc[0].wantErr {
 				t.Errorf("Seal(%p, %p) error = %v, wantErr %v",
 					tc[0].c, tc[1].c,
 					err, tc[0].wantErr)
@ -98,15 +108,20 @@ func TestProxy_Seal(t *testing.T) {
 }

 func TestProxy_Start_Wait_Close_String(t *testing.T) {
-	t.Run("sandboxed", func(t *testing.T) {
+	oldWaitDelay := helper.WaitDelay
+	helper.WaitDelay = 16 * time.Second
+	t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })
+
+	t.Run("sandbox", func(t *testing.T) {
+		proxyName := dbus.ProxyName
+		dbus.ProxyName = os.Args[0]
+		t.Cleanup(func() { dbus.ProxyName = proxyName })
 		testProxyStartWaitCloseString(t, true)
 	})
-	t.Run("direct", func(t *testing.T) {
-		testProxyStartWaitCloseString(t, false)
-	})
+	t.Run("direct", func(t *testing.T) { testProxyStartWaitCloseString(t, false) })
 }

-func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
+func testProxyStartWaitCloseString(t *testing.T, useSandbox bool) {
 	for id, tc := range testCasePairs() {
 		// this test does not test errors
 		if tc[0].wantErr {
@ -123,12 +138,33 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 		})

 		t.Run("proxy for "+id, func(t *testing.T) {
-			helper.InternalReplaceExecCommand(t)
 			p := dbus.New(tc[0].bus, tc[1].bus)
+			p.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
+				return exec.CommandContext(ctx, os.Args[0], "-test.v",
+					"-test.run=TestHelperInit", "--", "init")
+			}
+			p.CmdF = func(v any) {
+				if useSandbox {
+					container := v.(*sandbox.Container)
+					if container.Args[0] != dbus.ProxyName {
+						panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))
+					}
+					container.Args = append([]string{os.Args[0], "-test.run=TestHelperStub", "--"}, container.Args[1:]...)
+				} else {
+					cmd := v.(*exec.Cmd)
+					if cmd.Args[0] != dbus.ProxyName {
+						panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))
+					}
+					cmd.Err = nil
+					cmd.Path = os.Args[0]
+					cmd.Args = append([]string{os.Args[0], "-test.run=TestHelperStub", "--"}, cmd.Args[1:]...)
+				}
+			}
+			p.FilterF = func(v []byte) []byte { return bytes.SplitN(v, []byte("TestHelperInit\n"), 2)[1] }
 			output := new(strings.Builder)

-			t.Run("unsealed behaviour of "+id, func(t *testing.T) {
-				t.Run("unsealed string of "+id, func(t *testing.T) {
+			t.Run("unsealed", func(t *testing.T) {
+				t.Run("string", func(t *testing.T) {
 					want := "(unsealed dbus proxy)"
 					if got := p.String(); got != want {
 						t.Errorf("String() = %v, want %v",
@ -137,17 +173,17 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 					}
 				})

-				t.Run("unsealed start of "+id, func(t *testing.T) {
+				t.Run("start", func(t *testing.T) {
 					want := "proxy not sealed"
-					if err := p.Start(nil, nil, sandbox); err == nil || err.Error() != want {
+					if err := p.Start(context.Background(), nil, useSandbox); err == nil || err.Error() != want {
 						t.Errorf("Start() error = %v, wantErr %q",
 							err, errors.New(want))
 						return
 					}
 				})

-				t.Run("unsealed wait of "+id, func(t *testing.T) {
-					wantErr := "proxy not started"
+				t.Run("wait", func(t *testing.T) {
+					wantErr := "dbus: not started"
 					if err := p.Wait(); err == nil || err.Error() != wantErr {
 						t.Errorf("Wait() error = %v, wantErr %v",
 							err, wantErr)
@ -164,7 +200,7 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 				}
 			})

-			t.Run("sealed behaviour of "+id, func(t *testing.T) {
+			t.Run("sealed", func(t *testing.T) {
 				want := strings.Join(append(tc[0].want, tc[1].want...), " ")
 				if got := p.String(); got != want {
 					t.Errorf("String() = %v, want %v",
@ -172,14 +208,20 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 					return
 				}

-				t.Run("sealed start of "+id, func(t *testing.T) {
-					if err := p.Start(nil, output, sandbox); err != nil {
-						t.Errorf("Start(nil, nil) error = %v",
+				t.Run("start", func(t *testing.T) {
+					ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+					defer cancel()
+
+					if err := p.Start(ctx, output, useSandbox); err != nil {
+						t.Fatalf("Start(nil, nil) error = %v",
 							err)
 					}

-					t.Run("started string of "+id, func(t *testing.T) {
-						wantSubstr := dbus.ProxyName + " --args="
+					t.Run("string", func(t *testing.T) {
+						wantSubstr := fmt.Sprintf("%s -test.run=TestHelperStub -- --args=3 --fd=4", os.Args[0])
+						if useSandbox {
+							wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x3e`, os.Args[0])
+						}
 						if got := p.String(); !strings.Contains(got, wantSubstr) {
 							t.Errorf("String() = %v, want %v",
 								p.String(), wantSubstr)
@ -187,22 +229,8 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 						}
 					})

-					t.Run("sealed closing of "+id+" without status", func(t *testing.T) {
-						wantPanic := "attempted to close helper with no status pipe"
-						defer func() {
-							if r := recover(); r != wantPanic {
-								t.Errorf("Close() panic = %v, wantPanic %v",
-									r, wantPanic)
-							}
-						}()
-
-						if err := p.Close(); err != nil {
-							t.Errorf("Close() error = %v",
-								err)
-						}
-					})
-
-					t.Run("started wait of "+id, func(t *testing.T) {
+					t.Run("wait", func(t *testing.T) {
+						p.Close()
 						if err := p.Wait(); err != nil {
 							t.Errorf("Wait() error = %v\noutput: %s",
 								err, output.String())
@ -213,3 +241,11 @@ func testProxyStartWaitCloseString(t *testing.T, sandbox bool) {
 		})
 	}
 }
+
+func TestHelperInit(t *testing.T) {
+	if len(os.Args) != 5 || os.Args[4] != "init" {
+		return
+	}
+	sandbox.SetOutput(fmsg.Output{})
+	sandbox.Init(fmsg.Prepare, internal.InstallFmsg)
+}
--- a/dbus/proc.go
+++ b/dbus/proc.go
@ -0,0 +1,178 @@
+package dbus
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"slices"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/ldd"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+)
+
+// Start launches the D-Bus proxy.
+func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) error {
+	p.lock.Lock()
+	defer p.lock.Unlock()
+
+	if p.seal == nil {
+		return errors.New("proxy not sealed")
+	}
+
+	var h helper.Helper
+
+	c, cancel := context.WithCancelCause(ctx)
+	if !useSandbox {
+		h = helper.NewDirect(c, p.name, p.seal, true, argF, func(cmd *exec.Cmd) {
+			if p.CmdF != nil {
+				p.CmdF(cmd)
+			}
+			if output != nil {
+				cmd.Stdout, cmd.Stderr = output, output
+			}
+			cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+			cmd.Env = make([]string, 0)
+		}, nil)
+	} else {
+		toolPath := p.name
+		if filepath.Base(p.name) == p.name {
+			if s, err := exec.LookPath(p.name); err != nil {
+				return err
+			} else {
+				toolPath = s
+			}
+		}
+
+		var libPaths []string
+		if entries, err := ldd.ExecFilter(ctx, p.CommandContext, p.FilterF, toolPath); err != nil {
+			return err
+		} else {
+			libPaths = ldd.Path(entries)
+		}
+
+		h = helper.New(
+			c, toolPath,
+			p.seal, true,
+			argF, func(container *sandbox.Container) {
+				container.Seccomp |= seccomp.FlagMultiarch
+				container.Hostname = "fortify-dbus"
+				container.CommandContext = p.CommandContext
+				if output != nil {
+					container.Stdout, container.Stderr = output, output
+				}
+
+				if p.CmdF != nil {
+					p.CmdF(container)
+				}
+
+				// these lib paths are unpredictable, so mount them first so they cannot cover anything
+				for _, name := range libPaths {
+					container.Bind(name, name, 0)
+				}
+
+				// upstream bus directories
+				upstreamPaths := make([]string, 0, 2)
+				for _, as := range []string{p.session[0], p.system[0]} {
+					if len(as) > 0 && strings.HasPrefix(as, "unix:path=/") {
+						// leave / intact
+						upstreamPaths = append(upstreamPaths, path.Dir(as[10:]))
+					}
+				}
+				slices.Sort(upstreamPaths)
+				upstreamPaths = slices.Compact(upstreamPaths)
+				for _, name := range upstreamPaths {
+					container.Bind(name, name, 0)
+				}
+
+				// parent directories of bind paths
+				sockDirPaths := make([]string, 0, 2)
+				if d := path.Dir(p.session[1]); path.IsAbs(d) {
+					sockDirPaths = append(sockDirPaths, d)
+				}
+				if d := path.Dir(p.system[1]); path.IsAbs(d) {
+					sockDirPaths = append(sockDirPaths, d)
+				}
+				slices.Sort(sockDirPaths)
+				sockDirPaths = slices.Compact(sockDirPaths)
+				for _, name := range sockDirPaths {
+					container.Bind(name, name, sandbox.BindWritable)
+				}
+
+				// xdg-dbus-proxy bin path
+				binPath := path.Dir(toolPath)
+				container.Bind(binPath, binPath, 0)
+			}, nil)
+	}
+
+	if err := h.Start(); err != nil {
+		cancel(err)
+		return err
+	}
+
+	p.helper = h
+	p.ctx = c
+	p.cancel = cancel
+	return nil
+}
+
+var proxyClosed = errors.New("proxy closed")
+
+// Wait blocks until xdg-dbus-proxy exits and releases resources.
+func (p *Proxy) Wait() error {
+	p.lock.RLock()
+	defer p.lock.RUnlock()
+
+	if p.helper == nil {
+		return errors.New("dbus: not started")
+	}
+
+	errs := make([]error, 3)
+
+	errs[0] = p.helper.Wait()
+	if p.cancel == nil &&
+		errors.Is(errs[0], context.Canceled) &&
+		errors.Is(context.Cause(p.ctx), proxyClosed) {
+		errs[0] = nil
+	}
+
+	// ensure socket removal so ephemeral directory is empty at revert
+	if err := os.Remove(p.session[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
+		errs[1] = err
+	}
+	if p.sysP {
+		if err := os.Remove(p.system[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
+			errs[2] = err
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
+// Close cancels the context passed to the helper instance attached to xdg-dbus-proxy.
+func (p *Proxy) Close() {
+	p.lock.Lock()
+	defer p.lock.Unlock()
+
+	if p.cancel == nil {
+		panic("dbus: not started")
+	}
+	p.cancel(proxyClosed)
+	p.cancel = nil
+}
+
+func argF(argsFd, statFd int) []string {
+	if statFd == -1 {
+		return []string{"--args=" + strconv.Itoa(argsFd)}
+	} else {
+		return []string{"--args=" + strconv.Itoa(argsFd), "--fd=" + strconv.Itoa(statFd)}
+	}
+}
--- a/dbus/proxy.go
+++ b/dbus/proxy.go
@ -1,13 +1,14 @@
 package dbus

 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
+	"os/exec"
 	"sync"

 	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
 )

 // ProxyName is the file name or path to the proxy program.
@ -18,30 +19,25 @@ var ProxyName = "xdg-dbus-proxy"
 // Once sealed, configuration changes will no longer be possible and attempting to do so will result in a panic.
 type Proxy struct {
 	helper helper.Helper
-	bwrap  *bwrap.Config
+	ctx    context.Context
+	cancel context.CancelCauseFunc

 	name    string
 	session [2]string
 	system  [2]string
+	CmdF    func(any)
+	sysP    bool
+
+	CommandContext func(ctx context.Context) (cmd *exec.Cmd)
+	FilterF        func([]byte) []byte

 	seal io.WriterTo
 	lock sync.RWMutex
 }

-func (p *Proxy) Session() [2]string {
-	return p.session
-}
-
-func (p *Proxy) System() [2]string {
-	return p.system
-}
-
-func (p *Proxy) Sealed() bool {
-	p.lock.RLock()
-	defer p.lock.RUnlock()
-
-	return p.seal != nil
-}
+func (p *Proxy) Session() [2]string { return p.session }
+func (p *Proxy) System() [2]string  { return p.system }
+func (p *Proxy) Sealed() bool       { p.lock.RLock(); defer p.lock.RUnlock(); return p.seal != nil }

 var (
 	ErrConfig = errors.New("no configuration to seal")
@ -56,7 +52,7 @@ func (p *Proxy) String() string {
 	defer p.lock.RUnlock()

 	if p.helper != nil {
-		return p.helper.Unwrap().String()
+		return p.helper.String()
 	}

 	if p.seal != nil {
@ -66,10 +62,6 @@ func (p *Proxy) String() string {
 	return "(unsealed dbus proxy)"
 }

-func (p *Proxy) Bwrap() []string {
-	return p.bwrap.Args()
-}
-
 // Seal seals the Proxy instance.
 func (p *Proxy) Seal(session, system *Config) error {
 	p.lock.Lock()
@ -89,6 +81,7 @@ func (p *Proxy) Seal(session, system *Config) error {
 	}
 	if system != nil {
 		args = append(args, system.Args(p.system)...)
+		p.sysP = true
 	}
 	if seal, err := helper.NewCheckedArgs(args); err != nil {
 		return err
--- a/dbus/run.go
+++ b/dbus/run.go
@ -1,140 +0,0 @@
-package dbus
-
-import (
-	"errors"
-	"io"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"strconv"
-	"strings"
-
-	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/ldd"
-)
-
-// Start launches the D-Bus proxy and sets up the Wait method.
-// ready should be buffered and must only be received from once.
-func (p *Proxy) Start(ready chan error, output io.Writer, sandbox bool) error {
-	p.lock.Lock()
-	defer p.lock.Unlock()
-
-	if p.seal == nil {
-		return errors.New("proxy not sealed")
-	}
-
-	var (
-		h   helper.Helper
-		cmd *exec.Cmd
-
-		argF = func(argsFD, statFD int) []string {
-			if statFD == -1 {
-				return []string{"--args=" + strconv.Itoa(argsFD)}
-			} else {
-				return []string{"--args=" + strconv.Itoa(argsFD), "--fd=" + strconv.Itoa(statFD)}
-			}
-		}
-	)
-
-	if !sandbox {
-		h = helper.New(p.seal, p.name, argF)
-		cmd = h.Unwrap()
-		// xdg-dbus-proxy does not need to inherit the environment
-		cmd.Env = []string{}
-	} else {
-		// look up absolute path if name is just a file name
-		toolPath := p.name
-		if filepath.Base(p.name) == p.name {
-			if s, err := exec.LookPath(p.name); err == nil {
-				toolPath = s
-			}
-		}
-
-		// resolve libraries by parsing ldd output
-		var proxyDeps []*ldd.Entry
-		if path.IsAbs(toolPath) {
-			if l, err := ldd.Exec(toolPath); err != nil {
-				return err
-			} else {
-				proxyDeps = l
-			}
-		}
-
-		bc := &bwrap.Config{
-			Unshare:       nil,
-			Hostname:      "fortify-dbus",
-			Chdir:         "/",
-			Clearenv:      true,
-			NewSession:    true,
-			DieWithParent: true,
-		}
-
-		// resolve proxy socket directories
-		bindTarget := make(map[string]struct{}, 2)
-		for _, ps := range []string{p.session[1], p.system[1]} {
-			if pd := path.Dir(ps); len(pd) > 0 {
-				if pd[0] == '/' {
-					bindTarget[pd] = struct{}{}
-				}
-			}
-		}
-		for k := range bindTarget {
-			bc.Bind(k, k, false, true)
-		}
-
-		roBindTarget := make(map[string]struct{}, 2+1+len(proxyDeps))
-
-		// xdb-dbus-proxy bin and dependencies
-		roBindTarget[path.Dir(toolPath)] = struct{}{}
-		for _, ent := range proxyDeps {
-			if path.IsAbs(ent.Path) {
-				roBindTarget[path.Dir(ent.Path)] = struct{}{}
-			}
-		}
-
-		// resolve upstream bus directories
-		for _, as := range []string{p.session[0], p.system[0]} {
-			if len(as) > 0 && strings.HasPrefix(as, "unix:path=/") {
-				// leave / intact
-				roBindTarget[path.Dir(as[10:])] = struct{}{}
-			}
-		}
-
-		for k := range roBindTarget {
-			bc.Bind(k, k)
-		}
-
-		h = helper.MustNewBwrap(bc, p.seal, toolPath, argF)
-		cmd = h.Unwrap()
-		p.bwrap = bc
-	}
-
-	if output != nil {
-		cmd.Stdout = output
-		cmd.Stderr = output
-	}
-	if err := h.StartNotify(ready); err != nil {
-		return err
-	}
-
-	p.helper = h
-	return nil
-}
-
-// Wait waits for xdg-dbus-proxy to exit or fault.
-func (p *Proxy) Wait() error {
-	p.lock.RLock()
-	defer p.lock.RUnlock()
-
-	if p.helper == nil {
-		return errors.New("proxy not started")
-	}
-
-	return p.helper.Wait()
-}
-
-// Close closes the status file descriptor passed to xdg-dbus-proxy, causing it to stop.
-func (p *Proxy) Close() error {
-	return p.helper.Close()
-}
--- a/dbus/samples_test.go
+++ b/dbus/samples_test.go
@ -6,6 +6,12 @@ import (
 	"git.gensokyo.uk/security/fortify/dbus"
 )

+const (
+	sampleHostPath = "/tmp/bus"
+	sampleHostAddr = "unix:path=" + sampleHostPath
+	sampleBindPath = "/tmp/proxied_bus"
+)
+
 var samples = []dbusTestCase{
 	{
 		"org.chromium.Chromium", &dbus.Config{
@ -19,10 +25,10 @@ var samples = []dbusTestCase{
 			Log:       false,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
-			"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/bus",
+			sampleHostAddr,
+			sampleBindPath,
 			"--filter",
 			"--talk=org.freedesktop.Notifications",
 			"--talk=org.freedesktop.FileManager1",
@ -48,9 +54,10 @@ var samples = []dbusTestCase{
 			Log:       false,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket"},
-		[]string{"unix:path=/run/dbus/system_bus_socket",
-			"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket",
+		[2]string{sampleHostAddr, sampleBindPath},
+		[]string{
+			sampleHostAddr,
+			sampleBindPath,
 			"--filter",
 			"--talk=org.bluez",
 			"--talk=org.freedesktop.Avahi",
@ -68,10 +75,10 @@ var samples = []dbusTestCase{
 			Log:       false,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/34c24f16a0d791d28835ededaf446033/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
-			"/tmp/fortify.1971/34c24f16a0d791d28835ededaf446033/bus",
+			sampleHostAddr,
+			sampleBindPath,
 			"--filter",
 			"--talk=org.freedesktop.Notifications",
 			"--talk=org.kde.StatusNotifierWatcher",
@ -82,47 +89,47 @@ var samples = []dbusTestCase{
 	},

 	{
-		"moe.ophivana.CrashTestDummy", &dbus.Config{
-			See:       []string{"moe.ophivana.CrashTestDummy1"},
+		"uk.gensokyo.CrashTestDummy", &dbus.Config{
+			See:       []string{"uk.gensokyo.CrashTestDummy1"},
 			Talk:      []string{"org.freedesktop.Notifications"},
-			Own:       []string{"moe.ophivana.CrashTestDummy.*", "org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy.*"},
+			Own:       []string{"uk.gensokyo.CrashTestDummy.*", "org.mpris.MediaPlayer2.uk.gensokyo.CrashTestDummy.*"},
 			Call:      map[string]string{"org.freedesktop.portal.*": "*"},
 			Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
 			Log:       true,
 			Filter:    true,
 		}, false, false,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
-			"/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus",
+			sampleHostAddr,
+			sampleBindPath,
 			"--filter",
-			"--see=moe.ophivana.CrashTestDummy1",
+			"--see=uk.gensokyo.CrashTestDummy1",
 			"--talk=org.freedesktop.Notifications",
-			"--own=moe.ophivana.CrashTestDummy.*",
-			"--own=org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy.*",
+			"--own=uk.gensokyo.CrashTestDummy.*",
+			"--own=org.mpris.MediaPlayer2.uk.gensokyo.CrashTestDummy.*",
 			"--call=org.freedesktop.portal.*=*",
 			"--broadcast=org.freedesktop.portal.*=@/org/freedesktop/portal/*",
 			"--log"},
 	},
 	{
-		"moe.ophivana.CrashTestDummy1", &dbus.Config{
-			See:       []string{"moe.ophivana.CrashTestDummy"},
+		"uk.gensokyo.CrashTestDummy1", &dbus.Config{
+			See:       []string{"uk.gensokyo.CrashTestDummy"},
 			Talk:      []string{"org.freedesktop.Notifications"},
-			Own:       []string{"moe.ophivana.CrashTestDummy1.*", "org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy1.*"},
+			Own:       []string{"uk.gensokyo.CrashTestDummy1.*", "org.mpris.MediaPlayer2.uk.gensokyo.CrashTestDummy1.*"},
 			Call:      map[string]string{"org.freedesktop.portal.*": "*"},
 			Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
 			Log:       true,
 			Filter:    true,
 		}, false, true,
-		[2]string{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus"},
+		[2]string{sampleHostAddr, sampleBindPath},
 		[]string{
-			"unix:path=/run/user/1971/bus",
-			"/tmp/fortify.1971/5da7845287a936efbc2fa75d7d81e501/bus",
+			sampleHostAddr,
+			sampleBindPath,
 			"--filter",
-			"--see=moe.ophivana.CrashTestDummy",
+			"--see=uk.gensokyo.CrashTestDummy",
 			"--talk=org.freedesktop.Notifications",
-			"--own=moe.ophivana.CrashTestDummy1.*",
-			"--own=org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy1.*",
+			"--own=uk.gensokyo.CrashTestDummy1.*",
+			"--own=org.mpris.MediaPlayer2.uk.gensokyo.CrashTestDummy1.*",
 			"--call=org.freedesktop.portal.*=*",
 			"--broadcast=org.freedesktop.portal.*=@/org/freedesktop/portal/*",
 			"--log"},
@ -145,7 +152,7 @@ var (
 	testCaseOnce sync.Once
 )

-func testCases() []dbusTestCase {
+func makeTestCases() []dbusTestCase {
 	testCaseOnce.Do(testCaseGenerate)
 	return testCasesV
 }
--- a/dbus/stub_test.go
+++ b/dbus/stub_test.go
@ -6,6 +6,4 @@ import (
 	"git.gensokyo.uk/security/fortify/helper"
 )

-func TestHelperChildStub(t *testing.T) {
-	helper.InternalChildStub()
-}
+func TestHelperStub(t *testing.T) { helper.InternalHelperStub() }
--- a/dbus/testdata/moe.ophivana.CrashTestDummy.json
+++ b/dbus/testdata/moe.ophivana.CrashTestDummy.json
@ -1,13 +1,13 @@
 {
  "see": [
-    "moe.ophivana.CrashTestDummy1"
+    "uk.gensokyo.CrashTestDummy1"
  ],
  "talk":[
    "org.freedesktop.Notifications"
  ],
  "own":[
-    "moe.ophivana.CrashTestDummy.*",
-    "org.mpris.MediaPlayer2.moe.ophivana.CrashTestDummy.*"
+    "uk.gensokyo.CrashTestDummy.*",
+    "org.mpris.MediaPlayer2.uk.gensokyo.CrashTestDummy.*"
  ],
  "call":{
    "org.freedesktop.portal.*":"*"
--- a/dist/install.sh
+++ b/dist/install.sh
@ -2,9 +2,11 @@
 cd "$(dirname -- "$0")" || exit 1

 install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
-install -vDm0755 "bin/fshim" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fshim"
-install -vDm0755 "bin/finit" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/finit"
-install -vDm0755 "bin/fuserdb" "${FORTIFY_INSTALL_PREFIX}/usr/libexec/fortify/fuserdb"
+install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"

 install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
-install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
+if [ ! -f "${FORTIFY_INSTALL_PREFIX}/etc/fsurc" ]; then
+    install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
+fi
+
+install -vDm0644 "comp/_fortify" "${FORTIFY_INSTALL_PREFIX}/usr/share/zsh/site-functions/_fortify"
--- a/dist/release.sh
+++ b/dist/release.sh
@ -5,15 +5,16 @@ pname="fortify-${VERSION}"
 out="dist/${pname}"

 mkdir -p "${out}"
-cp "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
+cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
+cp -rv "comp" "${out}"

-go build -v -o "${out}/bin/" -ldflags "-s -w
-  -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
-  -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
-  -X git.gensokyo.uk/security/fortify/internal.Finit=/usr/libexec/fortify/finit
-  -X main.Fmain=/usr/bin/fortify
-  -X main.Fshim=/usr/libexec/fortify/fshim" ./...
+go generate ./...
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
+  -X git.gensokyo.uk/security/fortify/internal.version=${VERSION}
+  -X git.gensokyo.uk/security/fortify/internal.fsu=/usr/bin/fsu
+  -X main.fmain=/usr/bin/fortify
+  -X main.fpkg=/usr/bin/fpkg" ./...

 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"
-sha512sum "${out}.tar.gz" > "${out}.tar.gz.sha512"
+(cd dist && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
--- a/error.go
+++ b/error.go
@ -1,55 +0,0 @@
-package main
-
-import (
-	"errors"
-
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-func logWaitError(err error) {
-	var e *fmsg.BaseError
-	if !fmsg.AsBaseError(err, &e) {
-		fmsg.Println("wait failed:", err)
-	} else {
-		// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
-		var se *app.StateStoreError
-		if !errors.As(err, &se) {
-			// does not need special handling
-			fmsg.Print(e.Message())
-		} else {
-			// inner error are either unwrapped store errors
-			// or joined errors returned by *appSealTx revert
-			// wrapped in *app.BaseError
-			var ej app.RevertCompoundError
-			if !errors.As(se.InnerErr, &ej) {
-				// does not require special handling
-				fmsg.Print(e.Message())
-			} else {
-				errs := ej.Unwrap()
-
-				// every error here is wrapped in *app.BaseError
-				for _, ei := range errs {
-					var eb *fmsg.BaseError
-					if !errors.As(ei, &eb) {
-						// unreachable
-						fmsg.Println("invalid error type returned by revert:", ei)
-					} else {
-						// print inner *app.BaseError message
-						fmsg.Print(eb.Message())
-					}
-				}
-			}
-		}
-	}
-}
-
-func logBaseError(err error, message string) {
-	var e *fmsg.BaseError
-
-	if fmsg.AsBaseError(err, &e) {
-		fmsg.Print(e.Message())
-	} else {
-		fmsg.Println(message, err)
-	}
-}
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733951536,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "lastModified": 1742655702,
+        "narHash": "sha256-jbqlw4sPArFtNtA1s3kLg7/A4fzP4GLk9bGbtUJg0JQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "0948aeedc296f964140d9429223c7e4a0702a1ff",
        "type": "github"
      },
      "original": {
@ -23,16 +23,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734298236,
-        "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
+        "lastModified": 1743231893,
+        "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
+        "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11-small",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "fortify sandbox tool and nixos module";

  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";

    home-manager = {
      url = "github:nix-community/home-manager/release-24.11";
@ -27,7 +27,21 @@
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
    in
    {
-      nixosModules.fortify = import ./nixos.nix;
+      nixosModules.fortify = import ./nixos.nix self.packages;
+
+      buildPackage = forAllSystems (
+        system:
+        nixpkgsFor.${system}.callPackage (
+          import ./cmd/fpkg/build.nix {
+            inherit
+              nixpkgsFor
+              system
+              nixpkgs
+              home-manager
+              ;
+          }
+        )
+      );

      checks = forAllSystems (
        system:
@ -43,18 +57,30 @@
            ;
        in
        {
-          check-formatting =
-            runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; }
-              ''
-                cd ${./.}
+          fortify = callPackage ./test { inherit system self; };
+          race = callPackage ./test {
+            inherit system self;
+            withRace = true;
+          };

-                echo "running nixfmt..."
-                nixfmt --check .
+          sandbox = callPackage ./test/sandbox { inherit self; };
+          sandbox-race = callPackage ./test/sandbox {
+            inherit self;
+            withRace = true;
+          };

-                touch $out
-              '';
+          fpkg = callPackage ./cmd/fpkg/test { inherit system self; };

-          check-lint =
+          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
+            cd ${./.}
+
+            echo "running nixfmt..."
+            nixfmt --width=256 --check .
+
+            touch $out
+          '';
+
+          lint =
            runCommandLocal "check-lint"
              {
                nativeBuildInputs = [
@ -73,80 +99,92 @@

                touch $out
              '';
-
-          nixos-tests = callPackage ./test.nix { inherit system self home-manager; };
        }
      );

      packages = forAllSystems (
        system:
        let
+          inherit (self.packages.${system}) fortify fsu;
          pkgs = nixpkgsFor.${system};
        in
        {
-          default = self.packages.${system}.fortify;
+          default = fortify;
+          fortify = pkgs.pkgsStatic.callPackage ./package.nix {
+            inherit (pkgs)
+              # passthru.buildInputs
+              go
+              gcc

-          fortify = pkgs.callPackage ./package.nix { };
+              # nativeBuildInputs
+              pkg-config
+              wayland-scanner
+              makeBinaryWrapper
+
+              # appPackages
+              glibc
+              xdg-dbus-proxy
+
+              # fpkg
+              zstd
+              gnutar
+              coreutils
+              ;
+          };
+          fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
+
+          dist = pkgs.runCommand "${fortify.name}-dist" { buildInputs = fortify.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
+            # go requires XDG_CACHE_HOME for the build cache
+            export XDG_CACHE_HOME="$(mktemp -d)"
+
+            # get a different workdir as go does not like /build
+            cd $(mktemp -d) \
+                && cp -r ${fortify.src}/. . \
+                && chmod +w cmd && cp -r ${fsu.src}/. cmd/fsu/ \
+                && chmod -R +w .
+
+            export FORTIFY_VERSION="v${fortify.version}"
+            ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
+          '';
        }
      );

-      devShells = forAllSystems (system: {
-        default = nixpkgsFor.${system}.mkShell {
-          buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
-        };
+      devShells = forAllSystems (
+        system:
+        let
+          inherit (self.packages.${system}) fortify;
+          pkgs = nixpkgsFor.${system};
+        in
+        {
+          default = pkgs.mkShell { buildInputs = fortify.targetPkgs; };
+          withPackage = pkgs.mkShell { buildInputs = [ fortify ] ++ fortify.targetPkgs; };

-        fhs = nixpkgsFor.${system}.buildFHSEnv {
-          pname = "fortify-fhs";
-          inherit (self.packages.${system}.fortify) version;
-          targetPkgs =
-            pkgs: with pkgs; [
-              go
-              gcc
-              pkg-config
-              acl
-              wayland
-              wayland-scanner
-              wayland-protocols
-              xorg.libxcb
-            ];
-          extraOutputsToInstall = [ "dev" ];
-          profile = ''
-            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
-          '';
-        };
+          generateDoc =
+            let
+              inherit (pkgs) lib;

-        withPackage = nixpkgsFor.${system}.mkShell {
-          buildInputs =
-            with nixpkgsFor.${system};
-            self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
-        };
-
-        generateDoc =
-          let
-            pkgs = nixpkgsFor.${system};
-            inherit (pkgs) lib;
-
-            doc =
-              let
-                eval = lib.evalModules {
-                  specialArgs = {
-                    inherit pkgs;
+              doc =
+                let
+                  eval = lib.evalModules {
+                    specialArgs = {
+                      inherit pkgs;
+                    };
+                    modules = [ (import ./options.nix self.packages) ];
                  };
-                  modules = [ ./options.nix ];
-                };
-                cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
-              in
-              pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
-            docText = pkgs.runCommand "fortify-module-docs.md" { } ''
-              cat ${doc.optionsCommonMark} > $out
-              sed -i '/*Declared by:*/,+1 d' $out
-            '';
-          in
-          nixpkgsFor.${system}.mkShell {
-            shellHook = ''
-              exec cat ${docText} > options.md
-            '';
-          };
-      });
+                  cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
+                in
+                pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
+              docText = pkgs.runCommand "fortify-module-docs.md" { } ''
+                cat ${doc.optionsCommonMark} > $out
+                sed -i '/*Declared by:*/,+1 d' $out
+              '';
+            in
+            pkgs.mkShell {
+              shellHook = ''
+                exec cat ${docText} > options.md
+              '';
+            };
+        }
+      );
    };
 }
--- a/fst/app.go
+++ b/fst/app.go
@ -0,0 +1,47 @@
+// Package fst exports shared fortify types.
+package fst
+
+import (
+	"time"
+)
+
+type App interface {
+	// ID returns a copy of [fst.ID] held by App.
+	ID() ID
+
+	// Seal determines the outcome of config as a [SealedApp].
+	// The value of config might be overwritten and must not be used again.
+	Seal(config *Config) (SealedApp, error)
+
+	String() string
+}
+
+type SealedApp interface {
+	// Run commits sealed system setup and starts the app process.
+	Run(rs *RunState) error
+}
+
+// RunState stores the outcome of a call to [SealedApp.Run].
+type RunState struct {
+	// Time is the exact point in time where the process was created.
+	// Location must be set to UTC.
+	//
+	// Time is nil if no process was ever created.
+	Time *time.Time
+	// ExitCode is the value returned by shim.
+	ExitCode int
+	// RevertErr is stored by the deferred revert call.
+	RevertErr error
+	// WaitErr is error returned by the underlying wait syscall.
+	WaitErr error
+}
+
+// Paths contains environment-dependent paths used by fortify.
+type Paths struct {
+	// path to shared directory (usually `/tmp/fortify.%d`)
+	SharePath string `json:"share_path"`
+	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
+	RuntimePath string `json:"runtime_path"`
+	// application runtime directory (usually `/run/user/%d/fortify`)
+	RunDirPath string `json:"run_dir_path"`
+}
--- a/fst/config.go
+++ b/fst/config.go
@ -1,24 +1,25 @@
 package fst

 import (
-	"errors"
-
 	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+	"git.gensokyo.uk/security/fortify/system"
 )

 const Tmp = "/.fortify"

-// Config is used to seal an *App
+// Config is used to seal an app
 type Config struct {
-	// D-Bus application ID
+	// reverse-DNS style arbitrary identifier string from config;
+	// passed to wayland security-context-v1 as application ID
+	// and used as part of defaults in dbus session proxy
 	ID string `json:"id"`
-	// value passed through to the child process as its argv
-	Command []string `json:"command"`

-	// child confinement configuration
+	// absolute path to executable file
+	Path string `json:"path,omitempty"`
+	// final args passed to container init
+	Args []string `json:"args"`
+
 	Confinement ConfinementConfig `json:"confinement"`
 }

@ -28,14 +29,18 @@ type ConfinementConfig struct {
 	AppID int `json:"app_id"`
 	// list of supplementary groups to inherit
 	Groups []string `json:"groups"`
-	// passwd username in the sandbox, defaults to chronos
+	// passwd username in container, defaults to passwd name of target uid or chronos
 	Username string `json:"username,omitempty"`
-	// home directory in sandbox, empty for outer
+	// home directory in container, empty for outer
 	Inner string `json:"home_inner"`
 	// home directory in init namespace
 	Outer string `json:"home"`
-	// bwrap sandbox confinement configuration
+	// absolute path to shell, empty for host shell
+	Shell string `json:"shell,omitempty"`
+	// abstract sandbox configuration
 	Sandbox *SandboxConfig `json:"sandbox"`
+	// extra acl ops, runs after everything else
+	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`

 	// reference to a system D-Bus proxy configuration,
 	// nil value disables system bus proxy
@ -44,139 +49,44 @@ type ConfinementConfig struct {
 	// nil value makes session bus proxy assume built-in defaults
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`

-	// child capability enablements
-	Enablements system.Enablements `json:"enablements"`
+	// system resources to expose to the container
+	Enablements system.Enablement `json:"enablements"`
 }

-// SandboxConfig describes resources made available to the sandbox.
-type SandboxConfig struct {
-	// unix hostname within sandbox
-	Hostname string `json:"hostname,omitempty"`
-	// userns availability within sandbox
-	UserNS bool `json:"userns,omitempty"`
-	// share net namespace
-	Net bool `json:"net,omitempty"`
-	// share all devices
-	Dev bool `json:"dev,omitempty"`
-	// do not run in new session
-	NoNewSession bool `json:"no_new_session,omitempty"`
-	// map target user uid to privileged user uid in the user namespace
-	MapRealUID bool `json:"map_real_uid"`
-	// direct access to wayland socket
-	DirectWayland bool `json:"direct_wayland,omitempty"`
-
-	// final environment variables
-	Env map[string]string `json:"env"`
-	// sandbox host filesystem access
-	Filesystem []*FilesystemConfig `json:"filesystem"`
-	// symlinks created inside the sandbox
-	Link [][2]string `json:"symlink"`
-	// automatically set up /etc symlinks
-	AutoEtc bool `json:"auto_etc"`
-	// paths to override by mounting tmpfs over them
-	Override []string `json:"override"`
+type ExtraPermConfig struct {
+	Ensure  bool   `json:"ensure,omitempty"`
+	Path    string `json:"path"`
+	Read    bool   `json:"r,omitempty"`
+	Write   bool   `json:"w,omitempty"`
+	Execute bool   `json:"x,omitempty"`
 }

-type FilesystemConfig struct {
-	// mount point in sandbox, same as src if empty
-	Dst string `json:"dst,omitempty"`
-	// host filesystem path to make available to sandbox
-	Src string `json:"src"`
-	// write access
-	Write bool `json:"write,omitempty"`
-	// device access
-	Device bool `json:"dev,omitempty"`
-	// exit if unable to share
-	Must bool `json:"require,omitempty"`
-}
-
-// Bwrap returns the address of the corresponding bwrap.Config to s.
-// Note that remaining tmpfs entries must be queued by the caller prior to launch.
-func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error) {
-	if s == nil {
-		return nil, errors.New("nil sandbox config")
+func (e *ExtraPermConfig) String() string {
+	buf := make([]byte, 0, 5+len(e.Path))
+	buf = append(buf, '-', '-', '-')
+	if e.Ensure {
+		buf = append(buf, '+')
 	}
-
-	var uid int
-	if !s.MapRealUID {
-		uid = 65534
-	} else {
-		uid = os.Geteuid()
+	buf = append(buf, ':')
+	buf = append(buf, []byte(e.Path)...)
+	if e.Read {
+		buf[0] = 'r'
 	}
-
-	conf := (&bwrap.Config{
-		Net:           s.Net,
-		UserNS:        s.UserNS,
-		Hostname:      s.Hostname,
-		Clearenv:      true,
-		SetEnv:        s.Env,
-		NewSession:    !s.NoNewSession,
-		DieWithParent: true,
-		AsInit:        true,
-
-		// initialise map
-		Chmod: make(bwrap.ChmodConfig),
-	}).
-		SetUID(uid).SetGID(uid).
-		Procfs("/proc").
-		Tmpfs(Tmp, 4*1024)
-
-	if !s.Dev {
-		conf.DevTmpfs("/dev").Mqueue("/dev/mqueue")
-	} else {
-		conf.Bind("/dev", "/dev", false, true, true)
+	if e.Write {
+		buf[1] = 'w'
 	}
-
-	if !s.AutoEtc {
-		conf.Dir("/etc")
+	if e.Execute {
+		buf[2] = 'x'
 	}
-
-	for _, c := range s.Filesystem {
-		if c == nil {
-			continue
-		}
-		src := c.Src
-		dest := c.Dst
-		if c.Dst == "" {
-			dest = c.Src
-		}
-		conf.Bind(src, dest, !c.Must, c.Write, c.Device)
-	}
-
-	for _, l := range s.Link {
-		conf.Symlink(l[0], l[1])
-	}
-
-	if s.AutoEtc {
-		conf.Bind("/etc", Tmp+"/etc")
-
-		// link host /etc contents to prevent passwd/group from being overwritten
-		if d, err := os.ReadDir("/etc"); err != nil {
-			return nil, err
-		} else {
-			for _, ent := range d {
-				name := ent.Name()
-				switch name {
-				case "passwd":
-				case "group":
-
-				case "mtab":
-					conf.Symlink("/proc/mounts", "/etc/"+name)
-				default:
-					conf.Symlink(Tmp+"/etc/"+name, "/etc/"+name)
-				}
-			}
-		}
-	}
-
-	return conf, nil
+	return string(buf)
 }

 // Template returns a fully populated instance of Config.
 func Template() *Config {
 	return &Config{
-		ID: "org.chromium.Chromium",
-		Command: []string{
+		ID:   "org.chromium.Chromium",
+		Path: "/run/current-system/sw/bin/chromium",
+		Args: []string{
 			"chromium",
 			"--ignore-gpu-blocklist",
 			"--disable-smooth-scrolling",
@ -189,13 +99,17 @@ func Template() *Config {
 			Username: "chronos",
 			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
 			Inner:    "/var/lib/fortify",
+			Shell:    "/run/current-system/sw/bin/zsh",
 			Sandbox: &SandboxConfig{
 				Hostname:      "localhost",
-				UserNS:        true,
+				Devel:         true,
+				Userns:        true,
 				Net:           true,
-				NoNewSession:  true,
-				MapRealUID:    true,
 				Dev:           true,
+				Seccomp:       seccomp.FlagMultiarch,
+				Tty:           true,
+				Multiarch:     true,
+				MapRealUID:    true,
 				DirectWayland: false,
 				// example API credentials pulled from Google Chrome
 				// DO NOT USE THESE IN A REAL BROWSER
@ -209,12 +123,18 @@ func Template() *Config {
 					{Src: "/run/current-system"},
 					{Src: "/run/opengl-driver"},
 					{Src: "/var/db/nix-channels"},
-					{Src: "/home/chronos", Write: true, Must: true},
+					{Src: "/var/lib/fortify/u0/org.chromium.Chromium",
+						Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
 					{Src: "/dev/dri", Device: true},
 				},
-				Link:     [][2]string{{"/run/user/65534", "/run/user/150"}},
-				AutoEtc:  true,
-				Override: []string{"/var/run/nscd"},
+				Link:    [][2]string{{"/run/user/65534", "/run/user/150"}},
+				Etc:     "/etc",
+				AutoEtc: true,
+				Cover:   []string{"/var/run/nscd"},
+			},
+			ExtraPerms: []*ExtraPermConfig{
+				{Path: "/var/lib/fortify/u0", Ensure: true, Execute: true},
+				{Path: "/var/lib/fortify/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
 			},
 			SystemBus: &dbus.Config{
 				See:       nil,
@ -236,7 +156,7 @@ func Template() *Config {
 				Log:       false,
 				Filter:    true,
 			},
-			Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+			Enablements: system.EWayland | system.EDBus | system.EPulse,
 		},
 	}
 }
--- a/fst/info.go
+++ b/fst/info.go
@ -0,0 +1,5 @@
+package fst
+
+type Info struct {
+	User int `json:"user"`
+}
--- a/fst/path.go
+++ b/fst/path.go
@ -0,0 +1,11 @@
+package fst
+
+import (
+	"path/filepath"
+	"strings"
+)
+
+func deepContainsH(basepath, targpath string) (bool, error) {
+	rel, err := filepath.Rel(basepath, targpath)
+	return err == nil && rel != ".." && !strings.HasPrefix(rel, string([]byte{'.', '.', filepath.Separator})), err
+}
--- a/fst/path_test.go
+++ b/fst/path_test.go
@ -0,0 +1,85 @@
+package fst
+
+import (
+	"testing"
+)
+
+func TestDeepContainsH(t *testing.T) {
+	testCases := []struct {
+		name     string
+		basepath string
+		targpath string
+		want     bool
+		wantErr  bool
+	}{
+		{
+			name: "empty",
+			want: true,
+		},
+		{
+			name:     "equal abs",
+			basepath: "/run",
+			targpath: "/run",
+			want:     true,
+		},
+		{
+			name:     "equal rel",
+			basepath: "./run",
+			targpath: "run",
+			want:     true,
+		},
+		{
+			name:     "contains abs",
+			basepath: "/run",
+			targpath: "/run/dbus",
+			want:     true,
+		},
+		{
+			name:     "inverse contains abs",
+			basepath: "/run/dbus",
+			targpath: "/run",
+			want:     false,
+		},
+		{
+			name:     "contains rel",
+			basepath: "../run",
+			targpath: "../run/dbus",
+			want:     true,
+		},
+		{
+			name:     "inverse contains rel",
+			basepath: "../run/dbus",
+			targpath: "../run",
+			want:     false,
+		},
+		{
+			name:     "weird abs",
+			basepath: "/run/dbus",
+			targpath: "/run/dbus/../current-system",
+			want:     false,
+		},
+		{
+			name:     "weird rel",
+			basepath: "../run/dbus",
+			targpath: "../run/dbus/../current-system",
+			want:     false,
+		},
+
+		{
+			name:     "invalid mix",
+			basepath: "/run",
+			targpath: "./run",
+			wantErr:  true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got, err := deepContainsH(tc.basepath, tc.targpath); (err != nil) != tc.wantErr {
+				t.Errorf("deepContainsH() error = %v, wantErr %v", err, tc.wantErr)
+			} else if got != tc.want {
+				t.Errorf("deepContainsH() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
--- a/fst/sandbox.go
+++ b/fst/sandbox.go
@ -0,0 +1,286 @@
+package fst
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"maps"
+	"path"
+	"slices"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+)
+
+// SandboxConfig describes resources made available to the sandbox.
+type (
+	SandboxConfig struct {
+		// container hostname
+		Hostname string `json:"hostname,omitempty"`
+
+		// extra seccomp flags
+		Seccomp seccomp.SyscallOpts `json:"seccomp"`
+		// allow ptrace and friends
+		Devel bool `json:"devel,omitempty"`
+		// allow userns creation in container
+		Userns bool `json:"userns,omitempty"`
+		// share host net namespace
+		Net bool `json:"net,omitempty"`
+		// expose main process tty
+		Tty bool `json:"tty,omitempty"`
+		// allow multiarch
+		Multiarch bool `json:"multiarch,omitempty"`
+
+		// initial process environment variables
+		Env map[string]string `json:"env"`
+		// map target user uid to privileged user uid in the user namespace
+		MapRealUID bool `json:"map_real_uid"`
+
+		// expose all devices
+		Dev bool `json:"dev,omitempty"`
+		// container host filesystem bind mounts
+		Filesystem []*FilesystemConfig `json:"filesystem"`
+		// create symlinks inside container filesystem
+		Link [][2]string `json:"symlink"`
+
+		// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
+		// and the bare socket is mounted to the sandbox
+		DirectWayland bool `json:"direct_wayland,omitempty"`
+
+		// read-only /etc directory
+		Etc string `json:"etc,omitempty"`
+		// automatically set up /etc symlinks
+		AutoEtc bool `json:"auto_etc"`
+		// cover these paths or create them if they do not already exist
+		Cover []string `json:"cover"`
+	}
+
+	// SandboxSys encapsulates system functions used during [sandbox.Container] initialisation.
+	SandboxSys interface {
+		Getuid() int
+		Getgid() int
+		Paths() Paths
+		ReadDir(name string) ([]fs.DirEntry, error)
+		EvalSymlinks(path string) (string, error)
+
+		Println(v ...any)
+		Printf(format string, v ...any)
+	}
+
+	// FilesystemConfig is a representation of [sandbox.BindMount].
+	FilesystemConfig struct {
+		// mount point in container, same as src if empty
+		Dst string `json:"dst,omitempty"`
+		// host filesystem path to make available to the container
+		Src string `json:"src"`
+		// do not mount filesystem read-only
+		Write bool `json:"write,omitempty"`
+		// do not disable device files
+		Device bool `json:"dev,omitempty"`
+		// fail if the bind mount cannot be established for any reason
+		Must bool `json:"require,omitempty"`
+	}
+)
+
+// ToContainer initialises [sandbox.Params] via [SandboxConfig].
+// Note that remaining container setup must be queued by the [App] implementation.
+func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Params, map[string]string, error) {
+	if s == nil {
+		return nil, nil, syscall.EBADE
+	}
+
+	container := &sandbox.Params{
+		Hostname: s.Hostname,
+		Ops:      new(sandbox.Ops),
+		Seccomp:  s.Seccomp,
+	}
+
+	if s.Multiarch {
+		container.Seccomp |= seccomp.FlagMultiarch
+	}
+
+	/* this is only 4 KiB of memory on a 64-bit system,
+	permissive defaults on NixOS results in around 100 entries
+	so this capacity should eliminate copies for most setups */
+	*container.Ops = slices.Grow(*container.Ops, 1<<8)
+
+	if s.Devel {
+		container.Flags |= sandbox.FAllowDevel
+	}
+	if s.Userns {
+		container.Flags |= sandbox.FAllowUserns
+	}
+	if s.Net {
+		container.Flags |= sandbox.FAllowNet
+	}
+	if s.Tty {
+		container.Flags |= sandbox.FAllowTTY
+	}
+
+	if s.MapRealUID {
+		/* some programs fail to connect to dbus session running as a different uid
+		so this workaround is introduced to map priv-side caller uid in container */
+		container.Uid = sys.Getuid()
+		*uid = container.Uid
+		container.Gid = sys.Getgid()
+		*gid = container.Gid
+	} else {
+		*uid = sandbox.OverflowUid()
+		*gid = sandbox.OverflowGid()
+	}
+
+	container.
+		Proc("/proc").
+		Tmpfs(Tmp, 1<<12, 0755)
+
+	if !s.Dev {
+		container.Dev("/dev").Mqueue("/dev/mqueue")
+	} else {
+		container.Bind("/dev", "/dev", sandbox.BindDevice)
+	}
+
+	/* retrieve paths and hide them if they're made available in the sandbox;
+	this feature tries to improve user experience of permissive defaults, and
+	to warn about issues in custom configuration; it is NOT a security feature
+	and should not be treated as such, ALWAYS be careful with what you bind */
+	var hidePaths []string
+	sc := sys.Paths()
+	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
+	_, systemBusAddr := dbus.Address()
+	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
+		return nil, nil, err
+	} else {
+		// there is usually only one, do not preallocate
+		for _, entry := range entries {
+			if entry.Method != "unix" {
+				continue
+			}
+			for _, pair := range entry.Values {
+				if pair[0] == "path" {
+					if path.IsAbs(pair[1]) {
+						// get parent dir of socket
+						dir := path.Dir(pair[1])
+						if dir == "." || dir == "/" {
+							sys.Printf("dbus socket %q is in an unusual location", pair[1])
+						}
+						hidePaths = append(hidePaths, dir)
+					} else {
+						sys.Printf("dbus socket %q is not absolute", pair[1])
+					}
+				}
+			}
+		}
+	}
+	hidePathMatch := make([]bool, len(hidePaths))
+	for i := range hidePaths {
+		if err := evalSymlinks(sys, &hidePaths[i]); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	for _, c := range s.Filesystem {
+		if c == nil {
+			continue
+		}
+
+		if !path.IsAbs(c.Src) {
+			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
+		}
+
+		dest := c.Dst
+		if c.Dst == "" {
+			dest = c.Src
+		} else if !path.IsAbs(dest) {
+			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
+		}
+
+		srcH := c.Src
+		if err := evalSymlinks(sys, &srcH); err != nil {
+			return nil, nil, err
+		}
+
+		for i := range hidePaths {
+			// skip matched entries
+			if hidePathMatch[i] {
+				continue
+			}
+
+			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
+				return nil, nil, err
+			} else if ok {
+				hidePathMatch[i] = true
+				sys.Printf("hiding paths from %q", c.Src)
+			}
+		}
+
+		var flags int
+		if c.Write {
+			flags |= sandbox.BindWritable
+		}
+		if c.Device {
+			flags |= sandbox.BindDevice | sandbox.BindWritable
+		}
+		if !c.Must {
+			flags |= sandbox.BindOptional
+		}
+		container.Bind(c.Src, dest, flags)
+	}
+
+	// cover matched paths
+	for i, ok := range hidePathMatch {
+		if ok {
+			container.Tmpfs(hidePaths[i], 1<<13, 0755)
+		}
+	}
+
+	for _, l := range s.Link {
+		container.Link(l[0], l[1])
+	}
+
+	// perf: this might work better if implemented as a setup op in container init
+	if !s.AutoEtc {
+		if s.Etc != "" {
+			container.Bind(s.Etc, "/etc", 0)
+		}
+	} else {
+		etcPath := s.Etc
+		if etcPath == "" {
+			etcPath = "/etc"
+		}
+		container.Bind(etcPath, Tmp+"/etc", 0)
+
+		// link host /etc contents to prevent dropping passwd/group bind mounts
+		if d, err := sys.ReadDir(etcPath); err != nil {
+			return nil, nil, err
+		} else {
+			for _, ent := range d {
+				n := ent.Name()
+				switch n {
+				case "passwd":
+				case "group":
+
+				case "mtab":
+					container.Link("/proc/mounts", "/etc/"+n)
+				default:
+					container.Link(Tmp+"/etc/"+n, "/etc/"+n)
+				}
+			}
+		}
+	}
+
+	return container, maps.Clone(s.Env), nil
+}
+
+func evalSymlinks(sys SandboxSys, v *string) error {
+	if p, err := sys.EvalSymlinks(*v); err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return err
+		}
+		sys.Printf("path %q does not yet exist", *v)
+	} else {
+		*v = p
+	}
+	return nil
+}
--- a/fst/shared.go
+++ b/fst/shared.go
@ -1,2 +0,0 @@
-// Package fst exports shared fortify types.
-package fst
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,3 @@
 module git.gensokyo.uk/security/fortify

-go 1.22
+go 1.23
--- a/helper/args.go
+++ b/helper/args.go
@ -1,38 +1,17 @@
 package helper

 import (
-	"errors"
+	"bytes"
 	"io"
-	"strings"
+	"syscall"
 )

-var (
-	ErrContainsNull = errors.New("argument contains null character")
-)
-
-type argsWt []string
-
-// checks whether any element contains the null character
-// must be called before args use and args must not be modified after call
-func (a argsWt) check() error {
-	for _, arg := range a {
-		for _, b := range arg {
-			if b == '\x00' {
-				return ErrContainsNull
-			}
-		}
-	}
-
-	return nil
-}
+type argsWt [][]byte

 func (a argsWt) WriteTo(w io.Writer) (int64, error) {
-	// assuming already checked
-
 	nt := 0
-	// write null terminated arguments
 	for _, arg := range a {
-		n, err := w.Write([]byte(arg + "\x00"))
+		n, err := w.Write(arg)
 		nt += n

 		if err != nil {
@ -44,18 +23,32 @@ func (a argsWt) WriteTo(w io.Writer) (int64, error) {
 }

 func (a argsWt) String() string {
-	return strings.Join(a, " ")
+	return string(
+		bytes.TrimSuffix(
+			bytes.ReplaceAll(
+				bytes.Join(a, nil),
+				[]byte{0}, []byte{' '},
+			),
+			[]byte{' '},
+		),
+	)
 }

-// NewCheckedArgs returns a checked argument writer for args.
-// Callers must not retain any references to args.
-func NewCheckedArgs(args []string) (io.WriterTo, error) {
-	a := argsWt(args)
-	return a, a.check()
+// NewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+func NewCheckedArgs(args []string) (wt io.WriterTo, err error) {
+	a := make(argsWt, len(args))
+	for i, arg := range args {
+		a[i], err = syscall.ByteSliceFromString(arg)
+		if err != nil {
+			return
+		}
+	}
+	wt = a
+	return
 }

-// MustNewCheckedArgs returns a checked argument writer for args and panics if check fails.
-// Callers must not retain any references to args.
+// MustNewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+// If s contains a NUL byte this function panics instead of returning an error.
 func MustNewCheckedArgs(args []string) io.WriterTo {
 	a, err := NewCheckedArgs(args)
 	if err != nil {
--- a/helper/args_test.go
+++ b/helper/args_test.go
@ -4,34 +4,33 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"syscall"
 	"testing"

 	"git.gensokyo.uk/security/fortify/helper"
 )

-func Test_argsFD_String(t *testing.T) {
+func TestArgsString(t *testing.T) {
 	wantString := strings.Join(wantArgs, " ")
 	if got := argsWt.(fmt.Stringer).String(); got != wantString {
-		t.Errorf("String(): got %v; want %v",
+		t.Errorf("String: %q, want %q",
 			got, wantString)
 	}
 }

 func TestNewCheckedArgs(t *testing.T) {
 	args := []string{"\x00"}
-	if _, err := helper.NewCheckedArgs(args); !errors.Is(err, helper.ErrContainsNull) {
-		t.Errorf("NewCheckedArgs(%q) error = %v, wantErr %v",
-			args,
-			err, helper.ErrContainsNull)
+	if _, err := helper.NewCheckedArgs(args); !errors.Is(err, syscall.EINVAL) {
+		t.Errorf("NewCheckedArgs: error = %v, wantErr %v",
+			err, syscall.EINVAL)
 	}

 	t.Run("must panic", func(t *testing.T) {
 		badPayload := []string{"\x00"}
 		defer func() {
-			wantPanic := "argument contains null character"
+			wantPanic := "invalid argument"
 			if r := recover(); r != wantPanic {
-				t.Errorf("MustNewCheckedArgs(%q) panic = %v, wantPanic %v",
-					badPayload,
+				t.Errorf("MustNewCheckedArgs: panic = %v, wantPanic %v",
 					r, wantPanic)
 			}
 		}()
--- a/helper/bwrap.go
+++ b/helper/bwrap.go
@ -1,151 +0,0 @@
-package helper
-
-import (
-	"errors"
-	"io"
-	"os"
-	"os/exec"
-	"strconv"
-	"sync"
-
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/proc"
-)
-
-// BubblewrapName is the file name or path to bubblewrap.
-var BubblewrapName = "bwrap"
-
-type bubblewrap struct {
-	// bwrap child file name
-	name string
-
-	// bwrap pipes
-	p *pipes
-	// sync pipe
-	sync *os.File
-	// returns an array of arguments passed directly
-	// to the child process spawned by bwrap
-	argF func(argsFD, statFD int) []string
-
-	// pipes received by the child
-	// nil if no pipes are required
-	cp *pipes
-
-	lock sync.RWMutex
-	*exec.Cmd
-}
-
-func (b *bubblewrap) StartNotify(ready chan error) error {
-	b.lock.Lock()
-	defer b.lock.Unlock()
-
-	if ready != nil && b.cp == nil {
-		panic("attempted to start with status monitoring on a bwrap child initialised without pipes")
-	}
-
-	// Check for doubled Start calls before we defer failure cleanup. If the prior
-	// call to Start succeeded, we don't want to spuriously close its pipes.
-	if b.Cmd.Process != nil {
-		return errors.New("exec: already started")
-	}
-
-	// prepare bwrap pipe and args
-	if argsFD, _, err := b.p.prepareCmd(b.Cmd); err != nil {
-		return err
-	} else {
-		b.Cmd.Args = append(b.Cmd.Args, "--args", strconv.Itoa(argsFD), "--", b.name)
-	}
-
-	// prepare child args and pipes if enabled
-	if b.cp != nil {
-		b.cp.ready = ready
-		if argsFD, statFD, err := b.cp.prepareCmd(b.Cmd); err != nil {
-			return err
-		} else {
-			b.Cmd.Args = append(b.Cmd.Args, b.argF(argsFD, statFD)...)
-		}
-	} else {
-		b.Cmd.Args = append(b.Cmd.Args, b.argF(-1, -1)...)
-	}
-
-	if ready != nil {
-		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=1")
-	} else if b.cp != nil {
-		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=0")
-	} else {
-		b.Cmd.Env = append(b.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=-1")
-	}
-
-	if b.sync != nil {
-		b.Cmd.Args = append(b.Cmd.Args, "--sync-fd", strconv.Itoa(int(proc.ExtraFile(b.Cmd, b.sync))))
-	}
-
-	if err := b.Cmd.Start(); err != nil {
-		return err
-	}
-
-	// write bwrap args first
-	if err := b.p.readyWriteArgs(); err != nil {
-		return err
-	}
-
-	// write child args if enabled
-	if b.cp != nil {
-		if err := b.cp.readyWriteArgs(); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (b *bubblewrap) Close() error {
-	if b.cp == nil {
-		panic("attempted to close bwrap child initialised without pipes")
-	}
-
-	return b.cp.closeStatus()
-}
-
-func (b *bubblewrap) Start() error {
-	return b.StartNotify(nil)
-}
-
-func (b *bubblewrap) Unwrap() *exec.Cmd {
-	return b.Cmd
-}
-
-// MustNewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
-// If wt is nil, the child process spawned by bwrap will not get an argument pipe.
-// Function argF returns an array of arguments passed directly to the child process.
-func MustNewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) Helper {
-	b, err := NewBwrap(conf, wt, name, argF)
-	if err != nil {
-		panic(err.Error())
-	} else {
-		return b
-	}
-}
-
-// NewBwrap initialises a new Bwrap instance with wt as the null-terminated argument writer.
-// If wt is nil, the child process spawned by bwrap will not get an argument pipe.
-// Function argF returns an array of arguments passed directly to the child process.
-func NewBwrap(conf *bwrap.Config, wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) (Helper, error) {
-	b := new(bubblewrap)
-
-	if args, err := NewCheckedArgs(conf.Args()); err != nil {
-		return nil, err
-	} else {
-		b.p = &pipes{args: args}
-	}
-
-	b.sync = conf.Sync()
-	b.argF = argF
-	b.name = name
-	if wt != nil {
-		b.cp = &pipes{args: wt}
-	}
-	b.Cmd = execCommand(BubblewrapName)
-
-	return b, nil
-}
--- a/helper/bwrap/arg.go
+++ b/helper/bwrap/arg.go
@ -1,77 +0,0 @@
-package bwrap
-
-import "encoding/gob"
-
-type Builder interface {
-	Len() int
-	Append(args *[]string)
-}
-
-type FSBuilder interface {
-	Path() string
-	Builder
-}
-
-func init() {
-	gob.Register(new(pairF))
-	gob.Register(new(stringF))
-}
-
-type pairF [3]string
-
-func (p *pairF) Path() string {
-	return p[2]
-}
-
-func (p *pairF) Len() int {
-	return len(p) // compiler replaces this with 3
-}
-
-func (p *pairF) Append(args *[]string) {
-	*args = append(*args, p[0], p[1], p[2])
-}
-
-type stringF [2]string
-
-func (s stringF) Path() string {
-	return s[1]
-}
-
-func (s stringF) Len() int {
-	return len(s) // compiler replaces this with 2
-}
-
-func (s stringF) Append(args *[]string) {
-	*args = append(*args, s[0], s[1])
-}
-
-// Args returns a slice of bwrap args corresponding to c.
-func (c *Config) Args() (args []string) {
-	builders := []Builder{
-		c.boolArgs(),
-		c.intArgs(),
-		c.stringArgs(),
-		c.pairArgs(),
-	}
-
-	// copy FSBuilder slice to builder slice
-	fb := make([]Builder, len(c.Filesystem)+1)
-	for i, f := range c.Filesystem {
-		fb[i] = f
-	}
-	fb[len(fb)-1] = c.Chmod
-	builders = append(builders, fb...)
-
-	// accumulate arg count
-	argc := 0
-	for _, b := range builders {
-		argc += b.Len()
-	}
-
-	args = make([]string, 0, argc)
-	for _, b := range builders {
-		b.Append(&args)
-	}
-
-	return
-}
--- a/helper/bwrap/arg.static.awkward.go
+++ b/helper/bwrap/arg.static.awkward.go
@ -1,13 +0,0 @@
-package bwrap
-
-const (
-	Tmpfs = iota
-	Dir
-	Symlink
-)
-
-var awkwardArgs = [...]string{
-	Tmpfs:   "--tmpfs",
-	Dir:     "--dir",
-	Symlink: "--symlink",
-}
--- a/helper/bwrap/arg.static.bool.go
+++ b/helper/bwrap/arg.static.bool.go
@ -1,81 +0,0 @@
-package bwrap
-
-const (
-	UnshareAll = iota
-	UnshareUser
-	UnshareIPC
-	UnsharePID
-	UnshareNet
-	UnshareUTS
-	UnshareCGroup
-	ShareNet
-
-	UserNS
-	Clearenv
-
-	NewSession
-	DieWithParent
-	AsInit
-)
-
-var boolArgs = [...][]string{
-	UnshareAll:    {"--unshare-all", "--unshare-user"},
-	UnshareUser:   {"--unshare-user"},
-	UnshareIPC:    {"--unshare-ipc"},
-	UnsharePID:    {"--unshare-pid"},
-	UnshareNet:    {"--unshare-net"},
-	UnshareUTS:    {"--unshare-uts"},
-	UnshareCGroup: {"--unshare-cgroup"},
-	ShareNet:      {"--share-net"},
-
-	UserNS:   {"--disable-userns", "--assert-userns-disabled"},
-	Clearenv: {"--clearenv"},
-
-	NewSession:    {"--new-session"},
-	DieWithParent: {"--die-with-parent"},
-	AsInit:        {"--as-pid-1"},
-}
-
-func (c *Config) boolArgs() Builder {
-	b := boolArg{
-		UserNS:   !c.UserNS,
-		Clearenv: c.Clearenv,
-
-		NewSession:    c.NewSession,
-		DieWithParent: c.DieWithParent,
-		AsInit:        c.AsInit,
-	}
-
-	if c.Unshare == nil {
-		b[UnshareAll] = true
-		b[ShareNet] = c.Net
-	} else {
-		b[UnshareUser] = c.Unshare.User
-		b[UnshareIPC] = c.Unshare.IPC
-		b[UnsharePID] = c.Unshare.PID
-		b[UnshareNet] = c.Unshare.Net
-		b[UnshareUTS] = c.Unshare.UTS
-		b[UnshareCGroup] = c.Unshare.CGroup
-	}
-
-	return &b
-}
-
-type boolArg [len(boolArgs)]bool
-
-func (b *boolArg) Len() (l int) {
-	for i, v := range b {
-		if v {
-			l += len(boolArgs[i])
-		}
-	}
-	return
-}
-
-func (b *boolArg) Append(args *[]string) {
-	for i, v := range b {
-		if v {
-			*args = append(*args, boolArgs[i]...)
-		}
-	}
-}
--- a/helper/bwrap/arg.static.int.go
+++ b/helper/bwrap/arg.static.int.go
@ -1,47 +0,0 @@
-package bwrap
-
-import "strconv"
-
-const (
-	UID = iota
-	GID
-	Perms
-	Size
-)
-
-var intArgs = [...]string{
-	UID:   "--uid",
-	GID:   "--gid",
-	Perms: "--perms",
-	Size:  "--size",
-}
-
-func (c *Config) intArgs() Builder {
-	// Arg types:
-	//   Perms
-	// are handled by the sequential builder
-
-	return &intArg{
-		UID: c.UID,
-		GID: c.GID,
-	}
-}
-
-type intArg [len(intArgs)]*int
-
-func (n *intArg) Len() (l int) {
-	for _, v := range n {
-		if v != nil {
-			l += 2
-		}
-	}
-	return
-}
-
-func (n *intArg) Append(args *[]string) {
-	for i, v := range n {
-		if v != nil {
-			*args = append(*args, intArgs[i], strconv.Itoa(*v))
-		}
-	}
-}
--- a/helper/bwrap/arg.static.pair.go
+++ b/helper/bwrap/arg.static.pair.go
@ -1,73 +0,0 @@
-package bwrap
-
-import (
-	"slices"
-)
-
-const (
-	SetEnv = iota
-
-	Bind
-	BindTry
-	DevBind
-	DevBindTry
-	ROBind
-	ROBindTry
-
-	Chmod
-)
-
-var pairArgs = [...]string{
-	SetEnv: "--setenv",
-
-	Bind:       "--bind",
-	BindTry:    "--bind-try",
-	DevBind:    "--dev-bind",
-	DevBindTry: "--dev-bind-try",
-	ROBind:     "--ro-bind",
-	ROBindTry:  "--ro-bind-try",
-
-	Chmod: "--chmod",
-}
-
-func (c *Config) pairArgs() Builder {
-	var n pairArg
-	n[SetEnv] = make([][2]string, len(c.SetEnv))
-	keys := make([]string, 0, len(c.SetEnv))
-	for k := range c.SetEnv {
-		keys = append(keys, k)
-	}
-	slices.Sort(keys)
-	for i, k := range keys {
-		n[SetEnv][i] = [2]string{k, c.SetEnv[k]}
-	}
-
-	// Arg types:
-	//   Bind
-	//   BindTry
-	//   DevBind
-	//   DevBindTry
-	//   ROBind
-	//   ROBindTry
-	//   Chmod
-	// are handled by the sequential builder
-
-	return &n
-}
-
-type pairArg [len(pairArgs)][][2]string
-
-func (p *pairArg) Len() (l int) {
-	for _, v := range p {
-		l += len(v) * 3
-	}
-	return
-}
-
-func (p *pairArg) Append(args *[]string) {
-	for i, arg := range p {
-		for _, v := range arg {
-			*args = append(*args, pairArgs[i], v[0], v[1])
-		}
-	}
-}
--- a/helper/bwrap/arg.static.string.go
+++ b/helper/bwrap/arg.static.string.go
@ -1,65 +0,0 @@
-package bwrap
-
-const (
-	Hostname = iota
-	Chdir
-	UnsetEnv
-	LockFile
-
-	RemountRO
-	Procfs
-	DevTmpfs
-	Mqueue
-)
-
-var stringArgs = [...]string{
-	Hostname: "--hostname",
-	Chdir:    "--chdir",
-	UnsetEnv: "--unsetenv",
-	LockFile: "--lock-file",
-
-	RemountRO: "--remount-ro",
-	Procfs:    "--proc",
-	DevTmpfs:  "--dev",
-	Mqueue:    "--mqueue",
-}
-
-func (c *Config) stringArgs() Builder {
-	n := stringArg{
-		UnsetEnv: c.UnsetEnv,
-		LockFile: c.LockFile,
-	}
-
-	if c.Hostname != "" {
-		n[Hostname] = []string{c.Hostname}
-	}
-	if c.Chdir != "" {
-		n[Chdir] = []string{c.Chdir}
-	}
-
-	// Arg types:
-	// 	 RemountRO
-	//   Procfs
-	//   DevTmpfs
-	//   Mqueue
-	// are handled by the sequential builder
-
-	return &n
-}
-
-type stringArg [len(stringArgs)][]string
-
-func (s *stringArg) Len() (l int) {
-	for _, arg := range s {
-		l += len(arg) * 2
-	}
-	return
-}
-
-func (s *stringArg) Append(args *[]string) {
-	for i, arg := range s {
-		for _, v := range arg {
-			*args = append(*args, stringArgs[i], v)
-		}
-	}
-}
--- a/helper/bwrap/config.go
+++ b/helper/bwrap/config.go
@ -1,205 +0,0 @@
-package bwrap
-
-import (
-	"encoding/gob"
-	"os"
-	"strconv"
-)
-
-func init() {
-	gob.Register(new(PermConfig[SymlinkConfig]))
-	gob.Register(new(PermConfig[*TmpfsConfig]))
-}
-
-type Config struct {
-	// unshare every namespace we support by default if nil
-	// (--unshare-all)
-	Unshare *UnshareConfig `json:"unshare,omitempty"`
-	// retain the network namespace (can only combine with nil Unshare)
-	// (--share-net)
-	Net bool `json:"net"`
-
-	// disable further use of user namespaces inside sandbox and fail unless
-	// further use of user namespace inside sandbox is disabled if false
-	// (--disable-userns) (--assert-userns-disabled)
-	UserNS bool `json:"userns"`
-
-	// custom uid in the sandbox, requires new user namespace
-	// (--uid UID)
-	UID *int `json:"uid,omitempty"`
-	// custom gid in the sandbox, requires new user namespace
-	// (--gid GID)
-	GID *int `json:"gid,omitempty"`
-	// custom hostname in the sandbox, requires new uts namespace
-	// (--hostname NAME)
-	Hostname string `json:"hostname,omitempty"`
-
-	// change directory
-	// (--chdir DIR)
-	Chdir string `json:"chdir,omitempty"`
-	// unset all environment variables
-	// (--clearenv)
-	Clearenv bool `json:"clearenv"`
-	// set environment variable
-	// (--setenv VAR VALUE)
-	SetEnv map[string]string `json:"setenv,omitempty"`
-	// unset environment variables
-	// (--unsetenv VAR)
-	UnsetEnv []string `json:"unsetenv,omitempty"`
-
-	// take a lock on file while sandbox is running
-	// (--lock-file DEST)
-	LockFile []string `json:"lock_file,omitempty"`
-
-	// ordered filesystem args
-	Filesystem []FSBuilder
-
-	// change permissions (must already exist)
-	// (--chmod OCTAL PATH)
-	Chmod ChmodConfig `json:"chmod,omitempty"`
-
-	// create a new terminal session
-	// (--new-session)
-	NewSession bool `json:"new_session"`
-	// kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.
-	// (--die-with-parent)
-	DieWithParent bool `json:"die_with_parent"`
-	// do not install a reaper process with PID=1
-	// (--as-pid-1)
-	AsInit bool `json:"as_init"`
-
-	// keep this fd open while sandbox is running
-	// (--sync-fd FD)
-	sync *os.File
-
-	/* unmapped options include:
-	    --unshare-user-try           Create new user namespace if possible else continue by skipping it
-	    --unshare-cgroup-try         Create new cgroup namespace if possible else continue by skipping it
-	    --userns FD                  Use this user namespace (cannot combine with --unshare-user)
-	    --userns2 FD                 After setup switch to this user namespace, only useful with --userns
-	    --pidns FD                   Use this pid namespace (as parent namespace if using --unshare-pid)
-	    --exec-label LABEL           Exec label for the sandbox
-	    --file-label LABEL           File label for temporary sandbox content
-	    --file FD DEST               Copy from FD to destination DEST
-	    --bind-data FD DEST          Copy from FD to file which is bind-mounted on DEST
-	    --ro-bind-data FD DEST       Copy from FD to file which is readonly bind-mounted on DEST
-	    --seccomp FD                 Load and use seccomp rules from FD (not repeatable)
-	    --add-seccomp-fd FD          Load and use seccomp rules from FD (repeatable)
-	    --block-fd FD                Block on FD until some data to read is available
-	    --userns-block-fd FD         Block on FD until the user namespace is ready
-	    --info-fd FD                 Write information about the running container to FD
-	    --json-status-fd FD          Write container status to FD as multiple JSON documents
-	    --cap-add CAP                Add cap CAP when running as privileged user
-	    --cap-drop CAP               Drop cap CAP when running as privileged user
-
-	among which --args is used internally for passing arguments */
-}
-
-// Sync keep this fd open while sandbox is running
-// (--sync-fd FD)
-func (c *Config) Sync() *os.File {
-	return c.sync
-}
-
-type UnshareConfig struct {
-	// (--unshare-user)
-	// create new user namespace
-	User bool `json:"user"`
-	// (--unshare-ipc)
-	// create new ipc namespace
-	IPC bool `json:"ipc"`
-	// (--unshare-pid)
-	// create new pid namespace
-	PID bool `json:"pid"`
-	// (--unshare-net)
-	// create new network namespace
-	Net bool `json:"net"`
-	// (--unshare-uts)
-	// create new uts namespace
-	UTS bool `json:"uts"`
-	// (--unshare-cgroup)
-	// create new cgroup namespace
-	CGroup bool `json:"cgroup"`
-}
-
-type PermConfig[T FSBuilder] struct {
-	// set permissions of next argument
-	// (--perms OCTAL)
-	Mode *os.FileMode `json:"mode,omitempty"`
-	// path to get the new permission
-	// (--bind-data, --file, etc.)
-	Inner T `json:"path"`
-}
-
-func (p *PermConfig[T]) Path() string {
-	return p.Inner.Path()
-}
-
-func (p *PermConfig[T]) Len() int {
-	if p.Mode != nil {
-		return p.Inner.Len() + 2
-	} else {
-		return p.Inner.Len()
-	}
-}
-
-func (p *PermConfig[T]) Append(args *[]string) {
-	if p.Mode != nil {
-		*args = append(*args, intArgs[Perms], strconv.FormatInt(int64(*p.Mode), 8))
-	}
-	p.Inner.Append(args)
-}
-
-type TmpfsConfig struct {
-	// set size of tmpfs
-	// (--size BYTES)
-	Size int `json:"size,omitempty"`
-	// mount point of new tmpfs
-	// (--tmpfs DEST)
-	Dir string `json:"dir"`
-}
-
-func (t *TmpfsConfig) Path() string {
-	return t.Dir
-}
-
-func (t *TmpfsConfig) Len() int {
-	if t.Size > 0 {
-		return 4
-	} else {
-		return 2
-	}
-}
-
-func (t *TmpfsConfig) Append(args *[]string) {
-	if t.Size > 0 {
-		*args = append(*args, intArgs[Size], strconv.Itoa(t.Size))
-	}
-	*args = append(*args, awkwardArgs[Tmpfs], t.Dir)
-}
-
-type SymlinkConfig [2]string
-
-func (s SymlinkConfig) Path() string {
-	return s[1]
-}
-
-func (s SymlinkConfig) Len() int {
-	return 3
-}
-
-func (s SymlinkConfig) Append(args *[]string) {
-	*args = append(*args, awkwardArgs[Symlink], s[0], s[1])
-}
-
-type ChmodConfig map[string]os.FileMode
-
-func (c ChmodConfig) Len() int {
-	return len(c)
-}
-
-func (c ChmodConfig) Append(args *[]string) {
-	for path, mode := range c {
-		*args = append(*args, pairArgs[Chmod], strconv.FormatInt(int64(mode), 8), path)
-	}
-}
--- a/helper/bwrap/config.set.go
+++ b/helper/bwrap/config.set.go
@ -1,145 +0,0 @@
-package bwrap
-
-import "os"
-
-/*
-Bind binds mount src on host to dest in sandbox.
-
-Bind(src, dest) bind mount host path readonly on sandbox
-(--ro-bind SRC DEST).
-Bind(src, dest, true) equal to ROBind but ignores non-existent host path
-(--ro-bind-try SRC DEST).
-
-Bind(src, dest, false, true) bind mount host path on sandbox.
-(--bind SRC DEST).
-Bind(src, dest, true, true) equal to Bind but ignores non-existent host path
-(--bind-try SRC DEST).
-
-Bind(src, dest, false, true, true) bind mount host path on sandbox, allowing device access
-(--dev-bind SRC DEST).
-Bind(src, dest, true, true, true) equal to DevBind but ignores non-existent host path
-(--dev-bind-try SRC DEST).
-*/
-func (c *Config) Bind(src, dest string, opts ...bool) *Config {
-	var (
-		try   bool
-		write bool
-		dev   bool
-	)
-
-	if len(opts) > 0 {
-		try = opts[0]
-	}
-	if len(opts) > 1 {
-		write = opts[1]
-	}
-	if len(opts) > 2 {
-		dev = opts[2]
-	}
-
-	if dev {
-		if try {
-			c.Filesystem = append(c.Filesystem, &pairF{pairArgs[DevBindTry], src, dest})
-		} else {
-			c.Filesystem = append(c.Filesystem, &pairF{pairArgs[DevBind], src, dest})
-		}
-		return c
-	} else if write {
-		if try {
-			c.Filesystem = append(c.Filesystem, &pairF{pairArgs[BindTry], src, dest})
-		} else {
-			c.Filesystem = append(c.Filesystem, &pairF{pairArgs[Bind], src, dest})
-		}
-		return c
-	} else {
-		if try {
-			c.Filesystem = append(c.Filesystem, &pairF{pairArgs[ROBindTry], src, dest})
-		} else {
-			c.Filesystem = append(c.Filesystem, &pairF{pairArgs[ROBind], src, dest})
-		}
-		return c
-	}
-}
-
-// RemountRO remount path as readonly; does not recursively remount
-// (--remount-ro DEST)
-func (c *Config) RemountRO(dest string) *Config {
-	c.Filesystem = append(c.Filesystem, &stringF{stringArgs[RemountRO], dest})
-	return c
-}
-
-// Procfs mount new procfs in sandbox
-// (--proc DEST)
-func (c *Config) Procfs(dest string) *Config {
-	c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Procfs], dest})
-	return c
-}
-
-// DevTmpfs mount new dev in sandbox
-// (--dev DEST)
-func (c *Config) DevTmpfs(dest string) *Config {
-	c.Filesystem = append(c.Filesystem, &stringF{stringArgs[DevTmpfs], dest})
-	return c
-}
-
-// Tmpfs mount new tmpfs in sandbox
-// (--tmpfs DEST)
-func (c *Config) Tmpfs(dest string, size int, perm ...os.FileMode) *Config {
-	tmpfs := &PermConfig[*TmpfsConfig]{Inner: &TmpfsConfig{Dir: dest}}
-	if size >= 0 {
-		tmpfs.Inner.Size = size
-	}
-	if len(perm) == 1 {
-		tmpfs.Mode = &perm[0]
-	}
-	c.Filesystem = append(c.Filesystem, tmpfs)
-	return c
-}
-
-// Mqueue mount new mqueue in sandbox
-// (--mqueue DEST)
-func (c *Config) Mqueue(dest string) *Config {
-	c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Mqueue], dest})
-	return c
-}
-
-// Dir create dir in sandbox
-// (--dir DEST)
-func (c *Config) Dir(dest string) *Config {
-	c.Filesystem = append(c.Filesystem, &stringF{stringArgs[Dir], dest})
-	return c
-}
-
-// Symlink create symlink within sandbox
-// (--symlink SRC DEST)
-func (c *Config) Symlink(src, dest string, perm ...os.FileMode) *Config {
-	symlink := &PermConfig[SymlinkConfig]{Inner: SymlinkConfig{src, dest}}
-	if len(perm) == 1 {
-		symlink.Mode = &perm[0]
-	}
-	c.Filesystem = append(c.Filesystem, symlink)
-	return c
-}
-
-// SetUID sets custom uid in the sandbox, requires new user namespace (--uid UID).
-func (c *Config) SetUID(uid int) *Config {
-	if uid >= 0 {
-		c.UID = &uid
-	}
-	return c
-}
-
-// SetGID sets custom gid in the sandbox, requires new user namespace (--gid GID).
-func (c *Config) SetGID(gid int) *Config {
-	if gid >= 0 {
-		c.GID = &gid
-	}
-	return c
-}
-
-// SetSync sets the sync pipe kept open while sandbox is running
-// (--sync-fd FD)
-func (c *Config) SetSync(s *os.File) *Config {
-	c.sync = s
-	return c
-}
--- a/helper/bwrap/config_test.go
+++ b/helper/bwrap/config_test.go
@ -1,223 +0,0 @@
-package bwrap
-
-import (
-	"slices"
-	"testing"
-)
-
-func TestConfig_Args(t *testing.T) {
-	testCases := []struct {
-		name string
-		conf *Config
-		want []string
-	}{
-		{
-			name: "xdg-dbus-proxy constraint sample",
-			conf: (&Config{
-				Unshare:       nil,
-				UserNS:        false,
-				Clearenv:      true,
-				DieWithParent: true,
-			}).
-				Symlink("usr/bin", "/bin").
-				Symlink("var/home", "/home").
-				Symlink("usr/lib", "/lib").
-				Symlink("usr/lib64", "/lib64").
-				Symlink("run/media", "/media").
-				Symlink("var/mnt", "/mnt").
-				Symlink("var/opt", "/opt").
-				Symlink("sysroot/ostree", "/ostree").
-				Symlink("var/roothome", "/root").
-				Symlink("usr/sbin", "/sbin").
-				Symlink("var/srv", "/srv").
-				Bind("/run", "/run", false, true).
-				Bind("/tmp", "/tmp", false, true).
-				Bind("/var", "/var", false, true).
-				Bind("/run/user/1971/.dbus-proxy/", "/run/user/1971/.dbus-proxy/", false, true).
-				Bind("/boot", "/boot").
-				Bind("/dev", "/dev").
-				Bind("/proc", "/proc").
-				Bind("/sys", "/sys").
-				Bind("/sysroot", "/sysroot").
-				Bind("/usr", "/usr").
-				Bind("/etc", "/etc"),
-			want: []string{
-				"--unshare-all", "--unshare-user",
-				"--disable-userns", "--assert-userns-disabled",
-				"--clearenv", "--die-with-parent",
-				"--symlink", "usr/bin", "/bin",
-				"--symlink", "var/home", "/home",
-				"--symlink", "usr/lib", "/lib",
-				"--symlink", "usr/lib64", "/lib64",
-				"--symlink", "run/media", "/media",
-				"--symlink", "var/mnt", "/mnt",
-				"--symlink", "var/opt", "/opt",
-				"--symlink", "sysroot/ostree", "/ostree",
-				"--symlink", "var/roothome", "/root",
-				"--symlink", "usr/sbin", "/sbin",
-				"--symlink", "var/srv", "/srv",
-				"--bind", "/run", "/run",
-				"--bind", "/tmp", "/tmp",
-				"--bind", "/var", "/var",
-				"--bind", "/run/user/1971/.dbus-proxy/", "/run/user/1971/.dbus-proxy/",
-				"--ro-bind", "/boot", "/boot",
-				"--ro-bind", "/dev", "/dev",
-				"--ro-bind", "/proc", "/proc",
-				"--ro-bind", "/sys", "/sys",
-				"--ro-bind", "/sysroot", "/sysroot",
-				"--ro-bind", "/usr", "/usr",
-				"--ro-bind", "/etc", "/etc",
-			},
-		},
-		{
-			name: "fortify permissive default nixos",
-			conf: (&Config{
-				Unshare:  nil,
-				Net:      true,
-				UserNS:   true,
-				Clearenv: true,
-				SetEnv: map[string]string{
-					"HOME":              "/home/chronos",
-					"TERM":              "xterm-256color",
-					"FORTIFY_INIT":      "3",
-					"XDG_RUNTIME_DIR":   "/run/user/150",
-					"XDG_SESSION_CLASS": "user",
-					"XDG_SESSION_TYPE":  "tty",
-					"SHELL":             "/run/current-system/sw/bin/zsh",
-					"USER":              "chronos",
-				},
-				DieWithParent: true,
-				AsInit:        true,
-			}).SetUID(65534).SetGID(65534).
-				Procfs("/proc").DevTmpfs("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", false, true).
-				Bind("/boot", "/boot", false, true).
-				Bind("/etc", "/etc", false, true).
-				Bind("/home", "/home", false, true).
-				Bind("/lib", "/lib", false, true).
-				Bind("/lib64", "/lib64", false, true).
-				Bind("/nix", "/nix", false, true).
-				Bind("/root", "/root", false, true).
-				Bind("/srv", "/srv", false, true).
-				Bind("/sys", "/sys", false, true).
-				Bind("/usr", "/usr", false, true).
-				Bind("/var", "/var", false, true).
-				Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
-				Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
-				Bind("/run/binfmt", "/run/binfmt", false, true).
-				Bind("/run/booted-system", "/run/booted-system", false, true).
-				Bind("/run/credentials", "/run/credentials", false, true).
-				Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
-				Bind("/run/current-system", "/run/current-system", false, true).
-				Bind("/run/host", "/run/host", false, true).
-				Bind("/run/keys", "/run/keys", false, true).
-				Bind("/run/libvirt", "/run/libvirt", false, true).
-				Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
-				Bind("/run/lock", "/run/lock", false, true).
-				Bind("/run/log", "/run/log", false, true).
-				Bind("/run/lvm", "/run/lvm", false, true).
-				Bind("/run/mount", "/run/mount", false, true).
-				Bind("/run/nginx", "/run/nginx", false, true).
-				Bind("/run/nscd", "/run/nscd", false, true).
-				Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
-				Bind("/run/pppd", "/run/pppd", false, true).
-				Bind("/run/resolvconf", "/run/resolvconf", false, true).
-				Bind("/run/sddm", "/run/sddm", false, true).
-				Bind("/run/syncoid", "/run/syncoid", false, true).
-				Bind("/run/systemd", "/run/systemd", false, true).
-				Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
-				Bind("/run/udev", "/run/udev", false, true).
-				Bind("/run/udisks2", "/run/udisks2", false, true).
-				Bind("/run/utmp", "/run/utmp", false, true).
-				Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
-				Bind("/run/wrappers", "/run/wrappers", false, true).
-				Bind("/run/zed.pid", "/run/zed.pid", false, true).
-				Bind("/run/zed.state", "/run/zed.state", false, true).
-				Bind("/tmp/fortify.1971/tmpdir/150", "/tmp", false, true).
-				Tmpfs("/tmp/fortify.1971", 1048576).
-				Tmpfs("/run/user", 1048576).
-				Tmpfs("/run/user/150", 8388608).
-				Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd").
-				Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group").
-				Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/etc/passwd").
-				Bind("/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/etc/group").
-				Tmpfs("/var/run/nscd", 8192),
-			want: []string{
-				"--unshare-all", "--unshare-user", "--share-net",
-				"--clearenv", "--die-with-parent", "--as-pid-1",
-				"--uid", "65534",
-				"--gid", "65534",
-				"--setenv", "FORTIFY_INIT", "3",
-				"--setenv", "HOME", "/home/chronos",
-				"--setenv", "SHELL", "/run/current-system/sw/bin/zsh",
-				"--setenv", "TERM", "xterm-256color",
-				"--setenv", "USER", "chronos",
-				"--setenv", "XDG_RUNTIME_DIR", "/run/user/150",
-				"--setenv", "XDG_SESSION_CLASS", "user",
-				"--setenv", "XDG_SESSION_TYPE", "tty",
-				"--proc", "/proc", "--dev", "/dev",
-				"--mqueue", "/dev/mqueue",
-				"--bind", "/bin", "/bin",
-				"--bind", "/boot", "/boot",
-				"--bind", "/etc", "/etc",
-				"--bind", "/home", "/home",
-				"--bind", "/lib", "/lib",
-				"--bind", "/lib64", "/lib64",
-				"--bind", "/nix", "/nix",
-				"--bind", "/root", "/root",
-				"--bind", "/srv", "/srv",
-				"--bind", "/sys", "/sys",
-				"--bind", "/usr", "/usr",
-				"--bind", "/var", "/var",
-				"--bind", "/run/NetworkManager", "/run/NetworkManager",
-				"--bind", "/run/agetty.reload", "/run/agetty.reload",
-				"--bind", "/run/binfmt", "/run/binfmt",
-				"--bind", "/run/booted-system", "/run/booted-system",
-				"--bind", "/run/credentials", "/run/credentials",
-				"--bind", "/run/cryptsetup", "/run/cryptsetup",
-				"--bind", "/run/current-system", "/run/current-system",
-				"--bind", "/run/host", "/run/host",
-				"--bind", "/run/keys", "/run/keys",
-				"--bind", "/run/libvirt", "/run/libvirt",
-				"--bind", "/run/libvirtd.pid", "/run/libvirtd.pid",
-				"--bind", "/run/lock", "/run/lock",
-				"--bind", "/run/log", "/run/log",
-				"--bind", "/run/lvm", "/run/lvm",
-				"--bind", "/run/mount", "/run/mount",
-				"--bind", "/run/nginx", "/run/nginx",
-				"--bind", "/run/nscd", "/run/nscd",
-				"--bind", "/run/opengl-driver", "/run/opengl-driver",
-				"--bind", "/run/pppd", "/run/pppd",
-				"--bind", "/run/resolvconf", "/run/resolvconf",
-				"--bind", "/run/sddm", "/run/sddm",
-				"--bind", "/run/syncoid", "/run/syncoid",
-				"--bind", "/run/systemd", "/run/systemd",
-				"--bind", "/run/tmpfiles.d", "/run/tmpfiles.d",
-				"--bind", "/run/udev", "/run/udev",
-				"--bind", "/run/udisks2", "/run/udisks2",
-				"--bind", "/run/utmp", "/run/utmp",
-				"--bind", "/run/virtlogd.pid", "/run/virtlogd.pid",
-				"--bind", "/run/wrappers", "/run/wrappers",
-				"--bind", "/run/zed.pid", "/run/zed.pid",
-				"--bind", "/run/zed.state", "/run/zed.state",
-				"--bind", "/tmp/fortify.1971/tmpdir/150", "/tmp",
-				"--size", "1048576", "--tmpfs", "/tmp/fortify.1971",
-				"--size", "1048576", "--tmpfs", "/run/user",
-				"--size", "8388608", "--tmpfs", "/run/user/150",
-				"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd",
-				"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group",
-				"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/passwd", "/etc/passwd",
-				"--ro-bind", "/tmp/fortify.1971/67a97cc824a64ef789f16b20ca6ce311/group", "/etc/group",
-				"--size", "8192", "--tmpfs", "/var/run/nscd",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if got := tc.conf.Args(); !slices.Equal(got, tc.want) {
-				t.Errorf("Args() = %#v, want %#v", got, tc.want)
-			}
-		})
-	}
-}
--- a/helper/bwrap_test.go
+++ b/helper/bwrap_test.go
@ -1,112 +0,0 @@
-package helper_test
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-	"testing"
-
-	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-)
-
-func TestBwrap(t *testing.T) {
-	sc := &bwrap.Config{
-		Unshare:       nil,
-		Net:           true,
-		UserNS:        false,
-		Hostname:      "localhost",
-		Chdir:         "/nonexistent",
-		Clearenv:      true,
-		NewSession:    true,
-		DieWithParent: true,
-		AsInit:        true,
-	}
-
-	t.Run("nonexistent bwrap name", func(t *testing.T) {
-		bubblewrapName := helper.BubblewrapName
-		helper.BubblewrapName = "/nonexistent"
-		t.Cleanup(func() {
-			helper.BubblewrapName = bubblewrapName
-		})
-
-		h := helper.MustNewBwrap(sc, argsWt, "fortify", argF)
-
-		if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
-			t.Errorf("Start() error = %v, wantErr %v",
-				err, os.ErrNotExist)
-		}
-	})
-
-	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.MustNewBwrap(sc, argsWt, "fortify", argF); got == nil {
-			t.Errorf("MustNewBwrap(%#v, %#v, %#v) got nil",
-				sc, argsWt, "fortify")
-			return
-		}
-	})
-
-	t.Run("invalid bwrap config new helper panic", func(t *testing.T) {
-		defer func() {
-			wantPanic := "argument contains null character"
-			if r := recover(); r != wantPanic {
-				t.Errorf("MustNewBwrap: panic = %q, want %q",
-					r, wantPanic)
-			}
-		}()
-
-		helper.MustNewBwrap(&bwrap.Config{Hostname: "\x00"}, nil, "fortify", argF)
-	})
-
-	t.Run("start notify without pipes panic", func(t *testing.T) {
-		defer func() {
-			wantPanic := "attempted to start with status monitoring on a bwrap child initialised without pipes"
-			if r := recover(); r != wantPanic {
-				t.Errorf("StartNotify: panic = %q, want %q",
-					r, wantPanic)
-			}
-		}()
-
-		panic(fmt.Sprintf("unreachable: %v",
-			helper.MustNewBwrap(sc, nil, "fortify", argF).StartNotify(make(chan error))))
-	})
-
-	t.Run("start without pipes", func(t *testing.T) {
-		helper.InternalReplaceExecCommand(t)
-
-		h := helper.MustNewBwrap(sc, nil, "crash-test-dummy", argFChecked)
-		cmd := h.Unwrap()
-
-		stdout, stderr := new(strings.Builder), new(strings.Builder)
-		cmd.Stdout, cmd.Stderr = stdout, stderr
-
-		t.Run("close without pipes panic", func(t *testing.T) {
-			defer func() {
-				wantPanic := "attempted to close bwrap child initialised without pipes"
-				if r := recover(); r != wantPanic {
-					t.Errorf("Close: panic = %q, want %q",
-						r, wantPanic)
-				}
-			}()
-
-			panic(fmt.Sprintf("unreachable: %v",
-				h.Close()))
-		})
-
-		if err := h.Start(); err != nil {
-			t.Errorf("Start() error = %v",
-				err)
-			return
-		}
-
-		if err := h.Wait(); err != nil {
-			t.Errorf("Wait() err = %v stderr = %s",
-				err, stderr)
-		}
-	})
-
-	t.Run("implementation compliance", func(t *testing.T) {
-		testHelper(t, func() helper.Helper { return helper.MustNewBwrap(sc, argsWt, "crash-test-dummy", argF) })
-	})
-}
--- a/helper/cmd.go
+++ b/helper/cmd.go
@ -0,0 +1,84 @@
+package helper
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os"
+	"os/exec"
+	"slices"
+	"sync"
+	"syscall"
+
+	"git.gensokyo.uk/security/fortify/helper/proc"
+)
+
+// NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
+// Function argF returns an array of arguments passed directly to the child process.
+func NewDirect(
+	ctx context.Context,
+	name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	cmdF func(cmd *exec.Cmd),
+	extraFiles []*os.File,
+) Helper {
+	d, args := newHelperCmd(ctx, name, wt, stat, argF, extraFiles)
+	d.Args = append(d.Args, args...)
+	if cmdF != nil {
+		cmdF(d.Cmd)
+	}
+	return d
+}
+
+func newHelperCmd(
+	ctx context.Context,
+	name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	extraFiles []*os.File,
+) (cmd *helperCmd, args []string) {
+	cmd = new(helperCmd)
+	cmd.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
+	cmd.Cmd = exec.CommandContext(ctx, name)
+	cmd.Cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
+	cmd.WaitDelay = WaitDelay
+	return
+}
+
+// helperCmd provides a [exec.Cmd] wrapper around helper ipc.
+type helperCmd struct {
+	mu sync.RWMutex
+	*helperFiles
+	*exec.Cmd
+}
+
+func (h *helperCmd) Start() error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	// Check for doubled Start calls before we defer failure cleanup. If the prior
+	// call to Start succeeded, we don't want to spuriously close its pipes.
+	if h.Cmd != nil && h.Cmd.Process != nil {
+		return errors.New("helper: already started")
+	}
+
+	h.Env = slices.Grow(h.Env, 2)
+	if h.useArgsFd {
+		h.Env = append(h.Env, FortifyHelper+"=1")
+	} else {
+		h.Env = append(h.Env, FortifyHelper+"=0")
+	}
+	if h.useStatFd {
+		h.Env = append(h.Env, FortifyStatus+"=1")
+
+		// stat is populated on fulfill
+		h.Cancel = func() error { return h.stat.Close() }
+	} else {
+		h.Env = append(h.Env, FortifyStatus+"=0")
+	}
+
+	return proc.Fulfill(h.helperFiles.ctx, &h.ExtraFiles, h.Cmd.Start, h.files, h.extraFiles)
+}
--- a/helper/cmd_test.go
+++ b/helper/cmd_test.go
@ -0,0 +1,39 @@
+package helper_test
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os"
+	"os/exec"
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/helper"
+)
+
+func TestCmd(t *testing.T) {
+	t.Run("start non-existent helper path", func(t *testing.T) {
+		h := helper.NewDirect(context.Background(), "/proc/nonexistent", argsWt, false, argF, nil, nil)
+
+		if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
+			t.Errorf("Start: error = %v, wantErr %v",
+				err, os.ErrNotExist)
+		}
+	})
+
+	t.Run("valid new helper nil check", func(t *testing.T) {
+		if got := helper.NewDirect(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
+			t.Errorf("NewDirect(%q, %q) got nil",
+				argsWt, "fortify")
+			return
+		}
+	})
+
+	t.Run("implementation compliance", func(t *testing.T) {
+		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
+			return helper.NewDirect(ctx, os.Args[0], argsWt, stat, argF, func(cmd *exec.Cmd) {
+				setOutput(&cmd.Stdout, &cmd.Stderr)
+			}, nil)
+		})
+	})
+}
--- a/helper/container.go
+++ b/helper/container.go
@ -0,0 +1,76 @@
+package helper
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os"
+	"os/exec"
+	"slices"
+	"sync"
+
+	"git.gensokyo.uk/security/fortify/helper/proc"
+	"git.gensokyo.uk/security/fortify/sandbox"
+)
+
+// New initialises a Helper instance with wt as the null-terminated argument writer.
+func New(
+	ctx context.Context,
+	name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	cmdF func(container *sandbox.Container),
+	extraFiles []*os.File,
+) Helper {
+	var args []string
+	h := new(helperContainer)
+	h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
+	h.Container = sandbox.New(ctx, name, args...)
+	h.WaitDelay = WaitDelay
+	if cmdF != nil {
+		cmdF(h.Container)
+	}
+	return h
+}
+
+// helperContainer provides a [sandbox.Container] wrapper around helper ipc.
+type helperContainer struct {
+	started bool
+
+	mu sync.Mutex
+	*helperFiles
+	*sandbox.Container
+}
+
+func (h *helperContainer) Start() error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	if h.started {
+		return errors.New("helper: already started")
+	}
+	h.started = true
+
+	h.Env = slices.Grow(h.Env, 2)
+	if h.useArgsFd {
+		h.Env = append(h.Env, FortifyHelper+"=1")
+	} else {
+		h.Env = append(h.Env, FortifyHelper+"=0")
+	}
+	if h.useStatFd {
+		h.Env = append(h.Env, FortifyStatus+"=1")
+
+		// stat is populated on fulfill
+		h.Cancel = func(*exec.Cmd) error { return h.stat.Close() }
+	} else {
+		h.Env = append(h.Env, FortifyStatus+"=0")
+	}
+
+	return proc.Fulfill(h.helperFiles.ctx, &h.ExtraFiles, func() error {
+		if err := h.Container.Start(); err != nil {
+			return err
+		}
+		return h.Container.Serve()
+	}, h.files, h.extraFiles)
+}
--- a/helper/container_test.go
+++ b/helper/container_test.go
@ -0,0 +1,57 @@
+package helper_test
+
+import (
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"testing"
+
+	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/fortify/internal"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/sandbox"
+)
+
+func TestContainer(t *testing.T) {
+	t.Run("start empty container", func(t *testing.T) {
+		h := helper.New(context.Background(), "/nonexistent", argsWt, false, argF, nil, nil)
+
+		wantErr := "sandbox: starting an empty container"
+		if err := h.Start(); err == nil || err.Error() != wantErr {
+			t.Errorf("Start: error = %v, wantErr %q",
+				err, wantErr)
+		}
+	})
+
+	t.Run("valid new helper nil check", func(t *testing.T) {
+		if got := helper.New(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
+			t.Errorf("New(%q, %q) got nil",
+				argsWt, "fortify")
+			return
+		}
+	})
+
+	t.Run("implementation compliance", func(t *testing.T) {
+		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
+			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *sandbox.Container) {
+				setOutput(&container.Stdout, &container.Stderr)
+				container.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
+					return exec.CommandContext(ctx, os.Args[0], "-test.v",
+						"-test.run=TestHelperInit", "--", "init")
+				}
+				container.Bind("/", "/", 0)
+				container.Proc("/proc")
+				container.Dev("/dev")
+			}, nil)
+		})
+	})
+}
+
+func TestHelperInit(t *testing.T) {
+	if len(os.Args) != 5 || os.Args[4] != "init" {
+		return
+	}
+	sandbox.SetOutput(fmsg.Output{})
+	sandbox.Init(fmsg.Prepare, func(bool) { internal.InstallFmsg(false) })
+}
--- a/helper/direct.go
+++ b/helper/direct.go
@ -1,93 +0,0 @@
-package helper
-
-import (
-	"errors"
-	"io"
-	"os/exec"
-	"sync"
-)
-
-// direct wraps *exec.Cmd and manages status and args fd.
-// Args is always 3 and status if set is always 4.
-type direct struct {
-	// helper pipes
-	// cannot be nil
-	p *pipes
-
-	// returns an array of arguments passed directly
-	// to the helper process
-	argF func(argsFD, statFD int) []string
-
-	lock sync.RWMutex
-	*exec.Cmd
-}
-
-func (h *direct) StartNotify(ready chan error) error {
-	h.lock.Lock()
-	defer h.lock.Unlock()
-
-	// Check for doubled Start calls before we defer failure cleanup. If the prior
-	// call to Start succeeded, we don't want to spuriously close its pipes.
-	if h.Cmd.Process != nil {
-		return errors.New("exec: already started")
-	}
-
-	h.p.ready = ready
-	if argsFD, statFD, err := h.p.prepareCmd(h.Cmd); err != nil {
-		return err
-	} else {
-		h.Cmd.Args = append(h.Cmd.Args, h.argF(argsFD, statFD)...)
-	}
-
-	if ready != nil {
-		h.Cmd.Env = append(h.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=1")
-	} else {
-		h.Cmd.Env = append(h.Cmd.Env, FortifyHelper+"=1", FortifyStatus+"=0")
-	}
-
-	if err := h.Cmd.Start(); err != nil {
-		return err
-	}
-	if err := h.p.readyWriteArgs(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (h *direct) Wait() error {
-	h.lock.RLock()
-	defer h.lock.RUnlock()
-
-	if h.Cmd.Process == nil {
-		return errors.New("exec: not started")
-	}
-	defer h.p.mustClosePipes()
-	if h.Cmd.ProcessState != nil {
-		return errors.New("exec: Wait was already called")
-	}
-
-	return h.Cmd.Wait()
-}
-
-func (h *direct) Close() error {
-	return h.p.closeStatus()
-}
-
-func (h *direct) Start() error {
-	return h.StartNotify(nil)
-}
-
-func (h *direct) Unwrap() *exec.Cmd {
-	return h.Cmd
-}
-
-// New initialises a new direct Helper instance with wt as the null-terminated argument writer.
-// Function argF returns an array of arguments passed directly to the child process.
-func New(wt io.WriterTo, name string, argF func(argsFD, statFD int) []string) Helper {
-	if wt == nil {
-		panic("attempted to create helper with invalid argument writer")
-	}
-
-	return &direct{p: &pipes{args: wt}, argF: argF, Cmd: execCommand(name)}
-}
--- a/helper/direct_test.go
+++ b/helper/direct_test.go
@ -1,44 +0,0 @@
-package helper_test
-
-import (
-	"errors"
-	"os"
-	"testing"
-
-	"git.gensokyo.uk/security/fortify/helper"
-)
-
-func TestDirect(t *testing.T) {
-	t.Run("start non-existent helper path", func(t *testing.T) {
-		h := helper.New(argsWt, "/nonexistent", argF)
-
-		if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
-			t.Errorf("Start() error = %v, wantErr %v",
-				err, os.ErrNotExist)
-		}
-	})
-
-	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.New(argsWt, "fortify", argF); got == nil {
-			t.Errorf("New(%q, %q) got nil",
-				argsWt, "fortify")
-			return
-		}
-	})
-
-	t.Run("invalid new helper panic", func(t *testing.T) {
-		defer func() {
-			wantPanic := "attempted to create helper with invalid argument writer"
-			if r := recover(); r != wantPanic {
-				t.Errorf("New: panic = %q, want %q",
-					r, wantPanic)
-			}
-		}()
-
-		helper.New(nil, "fortify", argF)
-	})
-
-	t.Run("implementation compliance", func(t *testing.T) {
-		testHelper(t, func() helper.Helper { return helper.New(argsWt, "crash-test-dummy", argF) })
-	})
-}
--- a/helper/helper.go
+++ b/helper/helper.go
@ -1,36 +1,83 @@
-// Package helper runs external helpers with optional sandboxing and manages their status/args pipes.
+// Package helper runs external helpers with optional sandboxing.
 package helper

 import (
-	"errors"
-	"os/exec"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"time"
+
+	"git.gensokyo.uk/security/fortify/helper/proc"
 )

-var (
-	ErrStatusFault = errors.New("generic status pipe fault")
-	ErrStatusRead  = errors.New("unexpected status response")
-)
+var WaitDelay = 2 * time.Second

 const (
-	// FortifyHelper is set for the process launched by Helper.
+	// FortifyHelper is set to 1 when args fd is enabled and 0 otherwise.
 	FortifyHelper = "FORTIFY_HELPER"
-	// FortifyStatus is 1 when sync fd is enabled and 0 otherwise.
+	// FortifyStatus is set to 1 when stat fd is enabled and 0 otherwise.
 	FortifyStatus = "FORTIFY_STATUS"
 )

 type Helper interface {
-	// StartNotify starts the helper process.
-	// A status pipe is passed to the helper if ready is not nil.
-	StartNotify(ready chan error) error
 	// Start starts the helper process.
 	Start() error
-	// Close closes the status pipe.
-	// If helper is started without the status pipe, Close panics.
-	Close() error
-	// Wait calls wait on the child process and cleans up pipes.
+	// Wait blocks until Helper exits.
 	Wait() error
-	// Unwrap returns the underlying exec.Cmd instance.
-	Unwrap() *exec.Cmd
+
+	fmt.Stringer
 }

-var execCommand = exec.Command
+func newHelperFiles(
+	ctx context.Context,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	extraFiles []*os.File,
+) (hl *helperFiles, args []string) {
+	hl = new(helperFiles)
+	hl.ctx = ctx
+	hl.useArgsFd = wt != nil
+	hl.useStatFd = stat
+
+	hl.extraFiles = new(proc.ExtraFilesPre)
+	for _, f := range extraFiles {
+		_, v := hl.extraFiles.Append()
+		*v = f
+	}
+
+	argsFd := -1
+	if hl.useArgsFd {
+		f := proc.NewWriterTo(wt)
+		argsFd = int(proc.InitFile(f, hl.extraFiles))
+		hl.files = append(hl.files, f)
+	}
+
+	statFd := -1
+	if hl.useStatFd {
+		f := proc.NewStat(&hl.stat)
+		statFd = int(proc.InitFile(f, hl.extraFiles))
+		hl.files = append(hl.files, f)
+	}
+
+	args = argF(argsFd, statFd)
+	return
+}
+
+// helperFiles provides a generic wrapper around helper ipc.
+type helperFiles struct {
+	// whether argsFd is present
+	useArgsFd bool
+	// whether statFd is present
+	useStatFd bool
+
+	// closes statFd
+	stat io.Closer
+	// deferred extraFiles fulfillment
+	files []proc.File
+	// passed through to [proc.Fulfill] and [proc.InitFile]
+	extraFiles *proc.ExtraFilesPre
+
+	ctx context.Context
+}
--- a/helper/helper_test.go
+++ b/helper/helper_test.go
@ -1,6 +1,11 @@
 package helper_test

 import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
 	"strconv"
 	"strings"
 	"testing"
@ -23,145 +28,110 @@ var (
 	argsWt      = helper.MustNewCheckedArgs(wantArgs)
 )

-func argF(argsFD, statFD int) []string {
-	if argsFD == -1 {
+func argF(argsFd, statFd int) []string {
+	if argsFd == -1 {
 		panic("invalid args fd")
 	}

-	return argFChecked(argsFD, statFD)
+	return argFChecked(argsFd, statFd)
 }

-func argFChecked(argsFD, statFD int) []string {
-	if statFD == -1 {
-		return []string{"--args", strconv.Itoa(argsFD)}
-	} else {
-		return []string{"--args", strconv.Itoa(argsFD), "--fd", strconv.Itoa(statFD)}
+func argFChecked(argsFd, statFd int) (args []string) {
+	args = make([]string, 0, 6)
+	args = append(args, "-test.run=TestHelperStub", "--")
+	if argsFd > -1 {
+		args = append(args, "--args", strconv.Itoa(argsFd))
 	}
+	if statFd > -1 {
+		args = append(args, "--fd", strconv.Itoa(statFd))
+	}
+	return
 }

 // this function tests an implementation of the helper.Helper interface
-func testHelper(t *testing.T, createHelper func() helper.Helper) {
-	helper.InternalReplaceExecCommand(t)
+func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper) {
+	oldWaitDelay := helper.WaitDelay
+	helper.WaitDelay = 16 * time.Second
+	t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })

 	t.Run("start helper with status channel and wait", func(t *testing.T) {
-		h := createHelper()
-		ready := make(chan error, 1)
-		cmd := h.Unwrap()
-
-		stdout, stderr := new(strings.Builder), new(strings.Builder)
-		cmd.Stdout, cmd.Stderr = stdout, stderr
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		stdout := new(strings.Builder)
+		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true)

 		t.Run("wait not yet started helper", func(t *testing.T) {
-			wantErr := "exec: not started"
-			if err := h.Wait(); err != nil && err.Error() != wantErr {
-				t.Errorf("Wait(%v) error = %v, wantErr %v",
-					ready,
-					err, wantErr)
-				return
-			}
+			defer func() {
+				r := recover()
+				if r == nil {
+					t.Fatalf("Wait did not panic")
+				}
+			}()
+			panic(fmt.Sprintf("unreachable: %v", h.Wait()))
 		})

 		t.Log("starting helper stub")
-		if err := h.StartNotify(ready); err != nil {
-			t.Errorf("StartNotify(%v) error = %v",
-				ready,
-				err)
+		if err := h.Start(); err != nil {
+			t.Errorf("Start: error = %v", err)
+			cancel()
 			return
 		}
+		t.Log("cancelling context")
+		cancel()

 		t.Run("start already started helper", func(t *testing.T) {
-			wantErr := "exec: already started"
-			if err := h.StartNotify(ready); err != nil && err.Error() != wantErr {
-				t.Errorf("StartNotify(%v) error = %v, wantErr %v",
-					ready,
+			wantErr := "helper: already started"
+			if err := h.Start(); err != nil && err.Error() != wantErr {
+				t.Errorf("Start: error = %v, wantErr %v",
 					err, wantErr)
 				return
 			}
 		})

-		t.Log("waiting on status channel with timeout")
-		select {
-		case <-time.NewTimer(5 * time.Second).C:
-			t.Errorf("never got a ready response")
-			t.Errorf("stdout:\n%s", stdout.String())
-			t.Errorf("stderr:\n%s", stderr.String())
-			if err := cmd.Process.Kill(); err != nil {
-				panic(err.Error())
-			}
-			return
-		case err := <-ready:
-			if err != nil {
-				t.Errorf("StartNotify(%v) latent error = %v",
-					ready,
-					err)
-			}
-		}
-
-		t.Log("closing status pipe")
-		if err := h.Close(); err != nil {
-			t.Errorf("Close() error = %v",
-				err)
-		}
-
 		t.Log("waiting on helper")
-		if err := h.Wait(); err != nil {
-			t.Errorf("Wait() err = %v stderr = %s",
-				err, stderr)
+		if err := h.Wait(); !errors.Is(err, context.Canceled) {
+			t.Errorf("Wait: error = %v",
+				err)
 		}

 		t.Run("wait already finalised helper", func(t *testing.T) {
 			wantErr := "exec: Wait was already called"
 			if err := h.Wait(); err != nil && err.Error() != wantErr {
-				t.Errorf("Wait(%v) error = %v, wantErr %v",
-					ready,
+				t.Errorf("Wait: error = %v, wantErr %v",
 					err, wantErr)
 				return
 			}
 		})

-		if got := stdout.String(); !strings.HasPrefix(got, wantPayload) {
-			t.Errorf("StartNotify(%v) stdout = %v, want %v",
-				ready,
+		if got := trimStdout(stdout); got != wantPayload {
+			t.Errorf("Start: stdout = %q, want %q",
 				got, wantPayload)
 		}
 	})

 	t.Run("start helper and wait", func(t *testing.T) {
-		h := createHelper()
-		cmd := h.Unwrap()
-
-		stdout, stderr := new(strings.Builder), new(strings.Builder)
-		cmd.Stdout, cmd.Stderr = stdout, stderr
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		stdout := new(strings.Builder)
+		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false)

 		if err := h.Start(); err != nil {
-			t.Errorf("Start() error = %v",
+			t.Errorf("Start: error = %v",
 				err)
 			return
 		}

-		t.Run("close helper without status pipe", func(t *testing.T) {
-			defer func() {
-				wantPanic := "attempted to close helper with no status pipe"
-				if r := recover(); r != wantPanic {
-					t.Errorf("Close() panic = %v, wantPanic %v",
-						r, wantPanic)
-				}
-			}()
-			if err := h.Close(); err != nil {
-				t.Errorf("Close() error = %v",
-					err)
-				return
-			}
-		})
-
 		if err := h.Wait(); err != nil {
-			t.Errorf("Wait() err = %v stderr = %s",
-				err, stderr)
+			t.Errorf("Wait: error = %v stdout = %q",
+				err, stdout)
 		}

-		if got := stdout.String(); !strings.HasPrefix(got, wantPayload) {
-			t.Errorf("Start() stdout = %v, want %v",
+		if got := trimStdout(stdout); got != wantPayload {
+			t.Errorf("Start: stdout = %q, want %q",
 				got, wantPayload)
 		}
 	})
 }
+
+func trimStdout(stdout fmt.Stringer) string {
+	return strings.TrimPrefix(stdout.String(), "=== RUN   TestHelperInit\n")
+}
--- a/helper/pipe.go
+++ b/helper/pipe.go
@ -1,149 +0,0 @@
-package helper
-
-import (
-	"errors"
-	"io"
-	"os"
-	"os/exec"
-
-	"git.gensokyo.uk/security/fortify/internal/proc"
-)
-
-type pipes struct {
-	args io.WriterTo
-
-	statP [2]*os.File
-	argsP [2]*os.File
-
-	ready chan error
-
-	cmd *exec.Cmd
-}
-
-func (p *pipes) pipe() error {
-	if p.statP[0] != nil || p.statP[1] != nil ||
-		p.argsP[0] != nil || p.argsP[1] != nil {
-		panic("attempted to pipe twice")
-	}
-	if p.args == nil {
-		panic("attempted to pipe without args")
-	}
-
-	// create pipes
-	if pr, pw, err := os.Pipe(); err != nil {
-		return err
-	} else {
-		p.argsP[0], p.argsP[1] = pr, pw
-	}
-
-	// create status pipes if ready signal is requested
-	if p.ready != nil {
-		if pr, pw, err := os.Pipe(); err != nil {
-			return err
-		} else {
-			p.statP[0], p.statP[1] = pr, pw
-		}
-	}
-
-	return nil
-}
-
-// calls pipe to create pipes and sets them up as ExtraFiles, returning their fd
-func (p *pipes) prepareCmd(cmd *exec.Cmd) (argsFd, statFd int, err error) {
-	argsFd, statFd = -1, -1
-	if err = p.pipe(); err != nil {
-		return
-	}
-
-	// save a reference of cmd for future use
-	p.cmd = cmd
-
-	argsFd = int(proc.ExtraFile(cmd, p.argsP[0]))
-	if p.ready != nil {
-		statFd = int(proc.ExtraFile(cmd, p.statP[1]))
-	}
-
-	return
-}
-
-func (p *pipes) readyWriteArgs() error {
-	statsP, argsP := p.statP[0], p.argsP[1]
-
-	// write arguments and close args pipe
-	if _, err := p.args.WriteTo(argsP); err != nil {
-		if err1 := p.cmd.Process.Kill(); err1 != nil {
-			// should be unreachable
-			panic(err1.Error())
-		}
-		return err
-	} else {
-		if err = argsP.Close(); err != nil {
-			if err1 := p.cmd.Process.Kill(); err1 != nil {
-				// should be unreachable
-				panic(err1.Error())
-			}
-			return err
-		}
-	}
-
-	if p.ready != nil {
-		// monitor stat pipe
-		go func() {
-			n, err := statsP.Read(make([]byte, 1))
-			switch n {
-			case -1:
-				if err1 := p.cmd.Process.Kill(); err1 != nil {
-					// should be unreachable
-					panic(err1.Error())
-				}
-				// ensure error is not nil
-				if err == nil {
-					err = ErrStatusFault
-				}
-				p.ready <- err
-			case 0:
-				// ensure error is not nil
-				if err == nil {
-					err = ErrStatusRead
-				}
-				p.ready <- err
-			case 1:
-				p.ready <- nil
-			default:
-				panic("unreachable") // unexpected read count
-			}
-		}()
-	}
-
-	return nil
-}
-
-func (p *pipes) mustClosePipes() {
-	if err := p.argsP[0].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
-		// unreachable
-		panic(err.Error())
-	}
-	if err := p.argsP[1].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
-		// unreachable
-		panic(err.Error())
-	}
-
-	if p.ready != nil {
-		if err := p.statP[0].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
-			// unreachable
-			panic(err.Error())
-		}
-		if err := p.statP[1].Close(); err != nil && !errors.Is(err, os.ErrClosed) {
-			// unreachable
-			panic(err.Error())
-		}
-	}
-}
-
-func (p *pipes) closeStatus() error {
-	if p.ready == nil {
-		panic("attempted to close helper with no status pipe")
-	}
-
-	return p.statP[0].Close()
-}
--- a/helper/pipe_test.go
+++ b/helper/pipe_test.go
@ -1,42 +0,0 @@
-package helper
-
-import (
-	"testing"
-)
-
-func Test_pipes_pipe_mustClosePipes(t *testing.T) {
-	p := new(pipes)
-
-	t.Run("pipe without args", func(t *testing.T) {
-		defer func() {
-			wantPanic := "attempted to pipe without args"
-			if r := recover(); r != wantPanic {
-				t.Errorf("pipe() panic = %v, wantPanic %v",
-					r, wantPanic)
-			}
-		}()
-		_ = p.pipe()
-	})
-
-	p.args = MustNewCheckedArgs(make([]string, 0))
-	t.Run("obtain pipes", func(t *testing.T) {
-		if err := p.pipe(); err != nil {
-			t.Errorf("pipe() error = %v",
-				err)
-			return
-		}
-	})
-
-	t.Run("pipe twice", func(t *testing.T) {
-		defer func() {
-			wantPanic := "attempted to pipe twice"
-			if r := recover(); r != wantPanic {
-				t.Errorf("pipe() panic = %v, wantPanic %v",
-					r, wantPanic)
-			}
-		}()
-		_ = p.pipe()
-	})
-
-	p.mustClosePipes()
-}
--- a/helper/proc/files.go
+++ b/helper/proc/files.go
@ -0,0 +1,155 @@
+package proc
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"sync/atomic"
+	"syscall"
+	"time"
+)
+
+var FulfillmentTimeout = 2 * time.Second
+
+// A File is an extra file with deferred initialisation.
+type File interface {
+	// Init initialises File state. Init must not be called more than once.
+	Init(fd uintptr, v **os.File) uintptr
+	// Fd returns the fd value set on initialisation.
+	Fd() uintptr
+	// ErrCount returns count of error values emitted during fulfillment.
+	ErrCount() int
+	// Fulfill is called prior to process creation and must populate its corresponding file address.
+	// Calls to dispatchErr must match the return value of ErrCount.
+	// Fulfill must not be called more than once.
+	Fulfill(ctx context.Context, dispatchErr func(error)) error
+}
+
+// ExtraFilesPre is a linked list storing addresses of [os.File].
+type ExtraFilesPre struct {
+	n *ExtraFilesPre
+	v *os.File
+}
+
+// Append grows the list by one entry and returns an address of the address of [os.File] stored in the new entry.
+func (f *ExtraFilesPre) Append() (uintptr, **os.File) { return f.append(3) }
+
+// Files returns a slice pointing to a continuous segment of memory containing all addresses stored in f in order.
+func (f *ExtraFilesPre) Files() []*os.File { return f.copy(make([]*os.File, 0, f.len())) }
+
+func (f *ExtraFilesPre) append(i uintptr) (uintptr, **os.File) {
+	if f.n == nil {
+		f.n = new(ExtraFilesPre)
+		return i, &f.v
+	}
+	return f.n.append(i + 1)
+}
+func (f *ExtraFilesPre) len() uintptr {
+	if f == nil {
+		return 0
+	}
+	return f.n.len() + 1
+}
+func (f *ExtraFilesPre) copy(e []*os.File) []*os.File {
+	if f == nil {
+		// the public methods ensure the first call is never nil;
+		// the last element is unused, slice it off here
+		return e[:len(e)-1]
+	}
+	return f.n.copy(append(e, f.v))
+}
+
+// Fulfill calls the [File.Fulfill] method on all files, starts cmd and blocks until all fulfillment completes.
+func Fulfill(ctx context.Context,
+	v *[]*os.File, start func() error,
+	files []File, extraFiles *ExtraFilesPre,
+) (err error) {
+	var ecs int
+	for _, o := range files {
+		ecs += o.ErrCount()
+	}
+	ec := make(chan error, ecs)
+
+	c, cancel := context.WithTimeout(ctx, FulfillmentTimeout)
+	defer cancel()
+
+	for _, f := range files {
+		err = f.Fulfill(c, makeDispatchErr(f, ec))
+		if err != nil {
+			return
+		}
+	}
+
+	*v = extraFiles.Files()
+	if err = start(); err != nil {
+		return
+	}
+
+	for ecs > 0 {
+		select {
+		case err = <-ec:
+			ecs--
+			if err != nil {
+				break
+			}
+		case <-ctx.Done():
+			err = syscall.ECANCELED
+			break
+		}
+	}
+	return
+}
+
+// InitFile initialises f as part of the slice extraFiles points to,
+// and returns its final fd value.
+func InitFile(f File, extraFiles *ExtraFilesPre) (fd uintptr) { return f.Init(extraFiles.Append()) }
+
+// BaseFile implements the Init method of the File interface and provides indirect access to extra file state.
+type BaseFile struct {
+	fd uintptr
+	v  **os.File
+}
+
+func (f *BaseFile) Init(fd uintptr, v **os.File) uintptr {
+	if v == nil || fd < 3 {
+		panic("invalid extra file initial state")
+	}
+	if f.v != nil {
+		panic("extra file initialised twice")
+	}
+	f.fd, f.v = fd, v
+	return fd
+}
+
+func (f *BaseFile) Fd() uintptr {
+	if f.v == nil {
+		panic("use of uninitialised extra file")
+	}
+	return f.fd
+}
+
+func (f *BaseFile) Set(v *os.File) {
+	*f.v = v // runtime guards against use before init
+}
+
+func makeDispatchErr(f File, ec chan<- error) func(error) {
+	c := new(atomic.Int32)
+	c.Store(int32(f.ErrCount()))
+	return func(err error) {
+		if c.Add(-1) < 0 {
+			panic("unexpected error dispatches")
+		}
+		ec <- err
+	}
+}
+
+func ExtraFile(cmd *exec.Cmd, f *os.File) (fd uintptr) {
+	return ExtraFileSlice(&cmd.ExtraFiles, f)
+}
+
+func ExtraFileSlice(extraFiles *[]*os.File, f *os.File) (fd uintptr) {
+	// ExtraFiles: If non-nil, entry i becomes file descriptor 3+i.
+	fd = uintptr(3 + len(*extraFiles))
+	*extraFiles = append(*extraFiles, f)
+	return
+}
--- a/helper/proc/pipe.go
+++ b/helper/proc/pipe.go
@ -0,0 +1,110 @@
+package proc
+
+import (
+	"context"
+	"errors"
+	"io"
+	"os"
+	"runtime"
+)
+
+// NewWriterTo returns a [File] that receives content from wt on fulfillment.
+func NewWriterTo(wt io.WriterTo) File { return &writeToFile{wt: wt} }
+
+// writeToFile exports the read end of a pipe with data written by an [io.WriterTo].
+type writeToFile struct {
+	wt io.WriterTo
+	BaseFile
+}
+
+func (f *writeToFile) ErrCount() int { return 3 }
+func (f *writeToFile) Fulfill(ctx context.Context, dispatchErr func(error)) error {
+	r, w, err := os.Pipe()
+	if err != nil {
+		return err
+	}
+	f.Set(r)
+
+	done := make(chan struct{})
+	go func() {
+		_, err = f.wt.WriteTo(w)
+		dispatchErr(err)
+		dispatchErr(w.Close())
+		close(done)
+		runtime.KeepAlive(r)
+	}()
+	go func() {
+		select {
+		case <-done:
+			dispatchErr(nil)
+		case <-ctx.Done():
+			dispatchErr(w.Close()) // this aborts WriteTo with file already closed
+			runtime.KeepAlive(r)
+		}
+	}()
+
+	return nil
+}
+
+// NewStat returns a [File] implementing the behaviour
+// of the receiving end of xdg-dbus-proxy stat fd.
+func NewStat(s *io.Closer) File { return &statFile{s: s} }
+
+var (
+	ErrStatFault = errors.New("generic stat fd fault")
+	ErrStatRead  = errors.New("unexpected stat behaviour")
+)
+
+// statFile implements xdg-dbus-proxy stat fd behaviour.
+type statFile struct {
+	s *io.Closer
+	BaseFile
+}
+
+func (f *statFile) ErrCount() int { return 2 }
+func (f *statFile) Fulfill(ctx context.Context, dispatchErr func(error)) error {
+	r, w, err := os.Pipe()
+	if err != nil {
+		return err
+	}
+	f.Set(w)
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		var n int
+
+		n, err = r.Read(make([]byte, 1))
+		switch n {
+		case -1:
+			if err == nil {
+				err = ErrStatFault
+			}
+			dispatchErr(err)
+		case 0:
+			if err == nil {
+				err = ErrStatRead
+			}
+			dispatchErr(err)
+		case 1:
+			dispatchErr(err)
+		default:
+			panic("unreachable")
+		}
+		runtime.KeepAlive(w)
+	}()
+
+	go func() {
+		select {
+		case <-done:
+			dispatchErr(nil)
+		case <-ctx.Done():
+			dispatchErr(r.Close()) // this aborts Read with file already closed
+			runtime.KeepAlive(w)
+		}
+	}()
+
+	// this gets closed by the caller
+	*f.s = r
+	return nil
+}
--- a/helper/stub.go
+++ b/helper/stub.go
@ -2,95 +2,80 @@ package helper

 import (
 	"flag"
+	"fmt"
 	"io"
 	"os"
-	"os/exec"
 	"strconv"
-	"strings"
 	"syscall"
-	"testing"
-
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
 )

-// InternalChildStub is an internal function but exported because it is cross-package;
+// InternalHelperStub is an internal function but exported because it is cross-package;
 // it is part of the implementation of the helper stub.
-func InternalChildStub() {
+func InternalHelperStub() {
 	// this test mocks the helper process
-	if os.Getenv(FortifyHelper) != "1" ||
-		os.Getenv(FortifyStatus) == "-1" { // this indicates the stub is being invoked as a bwrap child without pipes
+	var ap, sp string
+	if v, ok := os.LookupEnv(FortifyHelper); !ok {
 		return
+	} else {
+		ap = v
+	}
+	if v, ok := os.LookupEnv(FortifyStatus); !ok {
+		panic(FortifyStatus)
+	} else {
+		sp = v
 	}

-	argsFD := flag.Int("args", -1, "")
-	statFD := flag.Int("fd", -1, "")
-	_ = flag.CommandLine.Parse(os.Args[4:])
+	genericStub(flagRestoreFiles(3, ap, sp))

-	switch os.Args[3] {
-	case "bwrap":
-		bwrapStub(argsFD, statFD)
+	os.Exit(0)
+}
+
+func newFile(fd int, name, p string) *os.File {
+	present := false
+	switch p {
+	case "0":
+	case "1":
+		present = true
 	default:
-		genericStub(argsFD, statFD)
+		panic(fmt.Sprintf("%s fd has unexpected presence value %q", name, p))
 	}

-	fmsg.Exit(0)
-}
-
-// InternalReplaceExecCommand is an internal function but exported because it is cross-package;
-// it is part of the implementation of the helper stub.
-func InternalReplaceExecCommand(t *testing.T) {
-	t.Cleanup(func() {
-		execCommand = exec.Command
-	})
-
-	// replace execCommand to have the resulting *exec.Cmd launch TestHelperChildStub
-	execCommand = func(name string, arg ...string) *exec.Cmd {
-		// pass through nonexistent path
-		if name == "/nonexistent" && len(arg) == 0 {
-			return exec.Command(name)
-		}
-
-		return exec.Command(os.Args[0], append([]string{"-test.run=TestHelperChildStub", "--", name}, arg...)...)
+	f := os.NewFile(uintptr(fd), name)
+	if !present && f != nil {
+		panic(fmt.Sprintf("%s fd set but not present", name))
 	}
+	if present && f == nil {
+		panic(fmt.Sprintf("%s fd preset but unset", name))
+	}
+
+	return f
 }

-func genericStub(argsFD, statFD *int) {
-	// simulate args pipe behaviour
-	func() {
-		if *argsFD == -1 {
-			panic("attempted to start helper without passing args pipe fd")
-		}
+func flagRestoreFiles(offset int, ap, sp string) (argsFile, statFile *os.File) {
+	argsFd := flag.Int("args", -1, "")
+	statFd := flag.Int("fd", -1, "")
+	_ = flag.CommandLine.Parse(os.Args[offset:])
+	argsFile = newFile(*argsFd, "args", ap)
+	statFile = newFile(*statFd, "stat", sp)
+	return
+}

-		f := os.NewFile(uintptr(*argsFD), "|0")
-		if f == nil {
-			panic("attempted to start helper without args pipe")
-		}
-
-		if _, err := io.Copy(os.Stdout, f); err != nil {
+func genericStub(argsFile, statFile *os.File) {
+	if argsFile != nil {
+		// this output is checked by parent
+		if _, err := io.Copy(os.Stdout, argsFile); err != nil {
 			panic("cannot read args: " + err.Error())
 		}
-	}()
-
-	var wait chan struct{}
+	}

 	// simulate status pipe behaviour
-	if os.Getenv(FortifyStatus) == "1" {
-		if *statFD == -1 {
-			panic("attempted to start helper with status reporting without passing status pipe fd")
+	if statFile != nil {
+		if _, err := statFile.Write([]byte{'x'}); err != nil {
+			panic("cannot write to status pipe: " + err.Error())
 		}

-		wait = make(chan struct{})
+		done := make(chan struct{})
 		go func() {
-			f := os.NewFile(uintptr(*statFD), "|1")
-			if f == nil {
-				panic("attempted to start with status reporting without status pipe")
-			}
-
-			if _, err := f.Write([]byte{'x'}); err != nil {
-				panic("cannot write to status pipe: " + err.Error())
-			}
-
 			// wait for status pipe close
 			var epoll int
 			if fd, err := syscall.EpollCreate1(0); err != nil {
@ -103,7 +88,7 @@ func genericStub(argsFD, statFD *int) {
 				}()
 				epoll = fd
 			}
-			if err := syscall.EpollCtl(epoll, syscall.EPOLL_CTL_ADD, int(f.Fd()), &syscall.EpollEvent{}); err != nil {
+			if err := syscall.EpollCtl(epoll, syscall.EPOLL_CTL_ADD, int(statFile.Fd()), &syscall.EpollEvent{}); err != nil {
 				panic("cannot add status pipe to epoll: " + err.Error())
 			}
 			events := make([]syscall.EpollEvent, 1)
@ -114,62 +99,8 @@ func genericStub(argsFD, statFD *int) {
 				panic(strconv.Itoa(int(events[0].Events)))

 			}
-			close(wait)
+			close(done)
 		}()
-	}
-
-	if wait != nil {
-		<-wait
-	}
-}
-
-func bwrapStub(argsFD, statFD *int) {
-	// the bwrap launcher does not ever launch with sync fd
-	if *statFD != -1 {
-		panic("attempted to launch bwrap with status monitoring")
-	}
-
-	// test args pipe behaviour
-	func() {
-		if *argsFD == -1 {
-			panic("attempted to start bwrap without passing args pipe fd")
-		}
-
-		f := os.NewFile(uintptr(*argsFD), "|0")
-		if f == nil {
-			panic("attempted to start helper without args pipe")
-		}
-
-		got, want := new(strings.Builder), new(strings.Builder)
-
-		if _, err := io.Copy(got, f); err != nil {
-			panic("cannot read args: " + err.Error())
-		}
-
-		// hardcoded bwrap configuration used by test
-		if _, err := MustNewCheckedArgs((&bwrap.Config{
-			Unshare:       nil,
-			Net:           true,
-			UserNS:        false,
-			Hostname:      "localhost",
-			Chdir:         "/nonexistent",
-			Clearenv:      true,
-			NewSession:    true,
-			DieWithParent: true,
-			AsInit:        true,
-		}).Args()).WriteTo(want); err != nil {
-			panic("cannot read want: " + err.Error())
-		}
-
-		if len(flag.CommandLine.Args()) > 0 && flag.CommandLine.Args()[0] == "crash-test-dummy" && got.String() != want.String() {
-			panic("bad bwrap args\ngot: " + got.String() + "\nwant: " + want.String())
-		}
-	}()
-
-	if err := syscall.Exec(
-		os.Args[0],
-		append([]string{os.Args[0], "-test.run=TestHelperChildStub", "--"}, flag.CommandLine.Args()...),
-		os.Environ()); err != nil {
-		panic("cannot start general stub: " + err.Error())
+		<-done
 	}
 }
--- a/helper/stub_test.go
+++ b/helper/stub_test.go
@ -6,6 +6,4 @@ import (
 	"git.gensokyo.uk/security/fortify/helper"
 )

-func TestHelperChildStub(t *testing.T) {
-	helper.InternalChildStub()
-}
+func TestHelperStub(t *testing.T) { helper.InternalHelperStub() }
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -1,97 +1,82 @@
 package app

 import (
+	"context"
+	"fmt"
+	"log"
 	"sync"
-	"sync/atomic"

-	"git.gensokyo.uk/security/fortify/cmd/fshim/ipc/shim"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/fortify/internal/sys"
 )

-type App interface {
-	// ID returns a copy of App's unique ID.
-	ID() fst.ID
-	// Start sets up the system and starts the App.
-	Start() error
-	// Wait waits for App's process to exit and reverts system setup.
-	Wait() (int, error)
-	// WaitErr returns error returned by the underlying wait syscall.
-	WaitErr() error
+func New(ctx context.Context, os sys.State) (fst.App, error) {
+	a := new(app)
+	a.sys = os
+	a.ctx = ctx

-	Seal(config *fst.Config) error
-	String() string
+	id := new(fst.ID)
+	err := fst.NewAppID(id)
+	a.id = newID(id)
+
+	return a, err
+}
+
+func MustNew(ctx context.Context, os sys.State) fst.App {
+	a, err := New(ctx, os)
+	if err != nil {
+		log.Fatalf("cannot create app: %v", err)
+	}
+	return a
 }

 type app struct {
-	// single-use config reference
-	ct *appCt
+	id  *stringPair[fst.ID]
+	sys sys.State
+	ctx context.Context

-	// application unique identifier
-	id *fst.ID
-	// operating system interface
-	os linux.System
-	// shim process manager
-	shim *shim.Shim
-	// child process related information
-	seal *appSeal
-	// error returned waiting for process
-	waitErr error
-
-	lock sync.RWMutex
+	*outcome
+	mu sync.RWMutex
 }

-func (a *app) ID() fst.ID {
-	return *a.id
-}
+func (a *app) ID() fst.ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }

 func (a *app) String() string {
 	if a == nil {
-		return "(invalid fortified app)"
+		return "(invalid app)"
 	}

-	a.lock.RLock()
-	defer a.lock.RUnlock()
+	a.mu.RLock()
+	defer a.mu.RUnlock()

-	if a.shim != nil {
-		return a.shim.String()
+	if a.outcome != nil {
+		if a.outcome.user.uid == nil {
+			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
+		}
+		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
 	}

-	if a.seal != nil {
-		return "(sealed fortified app as uid " + a.seal.sys.user.us + ")"
+	return fmt.Sprintf("(unsealed app %s)", a.id)
+}
+
+func (a *app) Seal(config *fst.Config) (fst.SealedApp, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if a.outcome != nil {
+		panic("app sealed twice")
+	}
+	if config == nil {
+		return nil, fmsg.WrapError(ErrConfig,
+			"attempted to seal app with nil config")
 	}

-	return "(unsealed fortified app)"
-}
-
-func (a *app) WaitErr() error {
-	return a.waitErr
-}
-
-func New(os linux.System) (App, error) {
-	a := new(app)
-	a.id = new(fst.ID)
-	a.os = os
-	return a, fst.NewAppID(a.id)
-}
-
-// appCt ensures its wrapped val is only accessed once
-type appCt struct {
-	val  *fst.Config
-	done *atomic.Bool
-}
-
-func (a *appCt) Unwrap() *fst.Config {
-	if !a.done.Load() {
-		defer a.done.Store(true)
-		return a.val
+	seal := new(outcome)
+	seal.id = a.id
+	err := seal.finalise(a.ctx, a.sys, config)
+	if err == nil {
+		a.outcome = seal
 	}
-	panic("attempted to access config reference twice")
-}
-
-func newAppCt(config *fst.Config) (ct *appCt) {
-	ct = new(appCt)
-	ct.done = new(atomic.Bool)
-	ct.val = config
-	return ct
+	return seal, err
 }
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -4,28 +4,28 @@ import (
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/system"
 )

 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
 		&fst.Config{
-			ID:      "org.chromium.Chromium",
-			Command: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
+			ID:   "org.chromium.Chromium",
+			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
 			Confinement: fst.ConfinementConfig{
 				AppID: 1, Groups: []string{}, Username: "u0_a1",
 				Outer: "/var/lib/persist/module/fortify/0/1",
 				Sandbox: &fst.SandboxConfig{
-					UserNS: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil,
+					Userns: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil, AutoEtc: true,
 					Filesystem: []*fst.FilesystemConfig{
 						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
 						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
 						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
 						{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
-					}, AutoEtc: true,
-					Override: []string{"/var/run/nscd"},
+					},
+					Cover: []string{"/var/run/nscd"},
 				},
 				SystemBus: &dbus.Config{
 					Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
@ -45,7 +45,7 @@ var testCasesNixos = []sealTestCase{
 					Call: map[string]string{}, Broadcast: map[string]string{},
 					Filter: true,
 				},
-				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+				Enablements: system.EWayland | system.EDBus | system.EPulse,
 			},
 		},
 		fst.ID{
@ -56,18 +56,15 @@ var testCasesNixos = []sealTestCase{
 		},
 		system.New(1000001).
 			Ensure("/tmp/fortify.1971", 0711).
-			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
-			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "u0_a1:x:1971:1971:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n").
-			WriteType(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "fortify:x:1971:\n").
-			Link("/run/user/1971/wayland-0", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland").
 			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
+			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
-			CopyFile("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
+			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
+			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@ -91,134 +88,133 @@ var testCasesNixos = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		(&bwrap.Config{
-			Net:      true,
-			UserNS:   true,
-			Chdir:    "/var/lib/persist/module/fortify/0/1",
-			Clearenv: true,
-			SetEnv: map[string]string{
-				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1971/bus",
-				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
-				"HOME":                     "/var/lib/persist/module/fortify/0/1",
-				"PULSE_COOKIE":             fst.Tmp + "/pulse-cookie",
-				"PULSE_SERVER":             "unix:/run/user/1971/pulse/native",
-				"SHELL":                    "/run/current-system/sw/bin/zsh",
-				"TERM":                     "xterm-256color",
-				"USER":                     "u0_a1",
-				"WAYLAND_DISPLAY":          "/run/user/1971/wayland-0",
-				"XDG_RUNTIME_DIR":          "/run/user/1971",
-				"XDG_SESSION_CLASS":        "user",
-				"XDG_SESSION_TYPE":         "tty",
+		&sandbox.Params{
+			Uid:   1971,
+			Gid:   100,
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns,
+			Dir:   "/var/lib/persist/module/fortify/0/1",
+			Path:  "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Args:  []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
+			Env: []string{
+				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
+				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
+				"HOME=/var/lib/persist/module/fortify/0/1",
+				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
+				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
+				"USER=u0_a1",
+				"WAYLAND_DISPLAY=wayland-0",
+				"XDG_RUNTIME_DIR=/run/user/1971",
+				"XDG_SESSION_CLASS=user",
+				"XDG_SESSION_TYPE=tty",
 			},
-			Chmod:         make(bwrap.ChmodConfig),
-			NewSession:    true,
-			DieWithParent: true,
-			AsInit:        true,
-		}).SetUID(1971).SetGID(1971).
-			Procfs("/proc").
-			Tmpfs(fst.Tmp, 4096).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
-			Bind("/bin", "/bin").
-			Bind("/usr/bin", "/usr/bin").
-			Bind("/nix/store", "/nix/store").
-			Bind("/run/current-system", "/run/current-system").
-			Bind("/sys/block", "/sys/block", true).
-			Bind("/sys/bus", "/sys/bus", true).
-			Bind("/sys/class", "/sys/class", true).
-			Bind("/sys/dev", "/sys/dev", true).
-			Bind("/sys/devices", "/sys/devices", true).
-			Bind("/run/opengl-driver", "/run/opengl-driver").
-			Bind("/dev/dri", "/dev/dri", true, true, true).
-			Bind("/etc", fst.Tmp+"/etc").
-			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
-			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-			Symlink(fst.Tmp+"/etc/default", "/etc/default").
-			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
-			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
-			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
-			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
-			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
-			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
-			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
-			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
-			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
-			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink("/proc/mounts", "/etc/mtab").
-			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
-			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
-			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
-			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
-			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
-			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
-			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
-			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
-			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
-			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
-			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-			Symlink(fst.Tmp+"/etc/services", "/etc/services").
-			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
-			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
-			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
-			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
-			Symlink(fst.Tmp+"/etc/static", "/etc/static").
-			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
-			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
-			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
-			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
-			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
-			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
-			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
-			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-			Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", false, true).
-			Tmpfs("/run/user", 1048576).
-			Tmpfs("/run/user/1971", 8388608).
-			Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", false, true).
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/passwd", "/etc/passwd").
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/group", "/etc/group").
-			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/wayland", "/run/user/1971/wayland-0").
-			Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native").
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/pulse-cookie", fst.Tmp+"/pulse-cookie").
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus").
-			Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket").
-			Tmpfs("/var/run/nscd", 8192),
+			Ops: new(sandbox.Ops).
+				Proc("/proc").
+				Tmpfs(fst.Tmp, 4096, 0755).
+				Dev("/dev").Mqueue("/dev/mqueue").
+				Bind("/bin", "/bin", 0).
+				Bind("/usr/bin", "/usr/bin", 0).
+				Bind("/nix/store", "/nix/store", 0).
+				Bind("/run/current-system", "/run/current-system", 0).
+				Bind("/sys/block", "/sys/block", sandbox.BindOptional).
+				Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
+				Bind("/sys/class", "/sys/class", sandbox.BindOptional).
+				Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
+				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
+				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
+				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
+				Bind("/etc", fst.Tmp+"/etc", 0).
+				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
+				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
+				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
+				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
+				Link(fst.Tmp+"/etc/default", "/etc/default").
+				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
+				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
+				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
+				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
+				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
+				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
+				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
+				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
+				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
+				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
+				Link(fst.Tmp+"/etc/issue", "/etc/issue").
+				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
+				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
+				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
+				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
+				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
+				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
+				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
+				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
+				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
+				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
+				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
+				Link("/proc/mounts", "/etc/mtab").
+				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
+				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
+				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
+				Link(fst.Tmp+"/etc/nix", "/etc/nix").
+				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
+				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
+				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
+				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
+				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
+				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
+				Link(fst.Tmp+"/etc/pam", "/etc/pam").
+				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
+				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
+				Link(fst.Tmp+"/etc/pki", "/etc/pki").
+				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
+				Link(fst.Tmp+"/etc/profile", "/etc/profile").
+				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
+				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
+				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
+				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
+				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
+				Link(fst.Tmp+"/etc/samba", "/etc/samba").
+				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
+				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
+				Link(fst.Tmp+"/etc/services", "/etc/services").
+				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
+				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
+				Link(fst.Tmp+"/etc/shells", "/etc/shells").
+				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
+				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
+				Link(fst.Tmp+"/etc/static", "/etc/static").
+				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
+				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
+				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
+				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
+				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
+				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
+				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
+				Link(fst.Tmp+"/etc/udev", "/etc/udev").
+				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
+				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
+				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
+				Link(fst.Tmp+"/etc/X11", "/etc/X11").
+				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
+				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
+				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
+				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
+				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
+				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Tmpfs("/run/user", 4096, 0755).
+				Tmpfs("/run/user/1971", 8388608, 0700).
+				Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
+				Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", sandbox.BindWritable).
+				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
+				Place("/etc/group", []byte("fortify:x:100:\n")).
+				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
+				Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
+				Place(fst.Tmp+"/pulse-cookie", nil).
+				Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
+				Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
+				Tmpfs("/var/run/nscd", 8192, 0755),
+		},
 	},
 }
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -1,18 +1,19 @@
 package app_test

 import (
+	"os"
+
 	"git.gensokyo.uk/security/fortify/acl"
 	"git.gensokyo.uk/security/fortify/dbus"
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/system"
 )

 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
 		&fst.Config{
-			Command: make([]string, 0),
 			Confinement: fst.ConfinementConfig{
 				AppID:    0,
 				Username: "chronos",
@ -27,171 +28,134 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000000).
 			Ensure("/tmp/fortify.1971", 0711).
-			Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute).
-			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
-			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
-			WriteType(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "fortify:x:65534:\n"),
-		(&bwrap.Config{
-			Net:      true,
-			UserNS:   true,
-			Clearenv: true,
-			Chdir:    "/home/chronos",
-			SetEnv: map[string]string{
-				"HOME":              "/home/chronos",
-				"SHELL":             "/run/current-system/sw/bin/zsh",
-				"TERM":              "xterm-256color",
-				"USER":              "chronos",
-				"XDG_RUNTIME_DIR":   "/run/user/65534",
-				"XDG_SESSION_CLASS": "user",
-				"XDG_SESSION_TYPE":  "tty"},
-			Chmod:         make(bwrap.ChmodConfig),
-			DieWithParent: true,
-			AsInit:        true,
-		}).SetUID(65534).SetGID(65534).
-			Procfs("/proc").
-			Tmpfs(fst.Tmp, 4096).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
-			Bind("/bin", "/bin", false, true).
-			Bind("/boot", "/boot", false, true).
-			Bind("/home", "/home", false, true).
-			Bind("/lib", "/lib", false, true).
-			Bind("/lib64", "/lib64", false, true).
-			Bind("/nix", "/nix", false, true).
-			Bind("/root", "/root", false, true).
-			Bind("/srv", "/srv", false, true).
-			Bind("/sys", "/sys", false, true).
-			Bind("/usr", "/usr", false, true).
-			Bind("/var", "/var", false, true).
-			Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
-			Bind("/run/binfmt", "/run/binfmt", false, true).
-			Bind("/run/booted-system", "/run/booted-system", false, true).
-			Bind("/run/credentials", "/run/credentials", false, true).
-			Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
-			Bind("/run/current-system", "/run/current-system", false, true).
-			Bind("/run/host", "/run/host", false, true).
-			Bind("/run/keys", "/run/keys", false, true).
-			Bind("/run/libvirt", "/run/libvirt", false, true).
-			Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
-			Bind("/run/lock", "/run/lock", false, true).
-			Bind("/run/log", "/run/log", false, true).
-			Bind("/run/lvm", "/run/lvm", false, true).
-			Bind("/run/mount", "/run/mount", false, true).
-			Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
-			Bind("/run/nginx", "/run/nginx", false, true).
-			Bind("/run/nixos", "/run/nixos", false, true).
-			Bind("/run/nscd", "/run/nscd", false, true).
-			Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
-			Bind("/run/pppd", "/run/pppd", false, true).
-			Bind("/run/resolvconf", "/run/resolvconf", false, true).
-			Bind("/run/sddm", "/run/sddm", false, true).
-			Bind("/run/store", "/run/store", false, true).
-			Bind("/run/syncoid", "/run/syncoid", false, true).
-			Bind("/run/system", "/run/system", false, true).
-			Bind("/run/systemd", "/run/systemd", false, true).
-			Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
-			Bind("/run/udev", "/run/udev", false, true).
-			Bind("/run/udisks2", "/run/udisks2", false, true).
-			Bind("/run/utmp", "/run/utmp", false, true).
-			Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
-			Bind("/run/wrappers", "/run/wrappers", false, true).
-			Bind("/run/zed.pid", "/run/zed.pid", false, true).
-			Bind("/run/zed.state", "/run/zed.state", false, true).
-			Bind("/etc", fst.Tmp+"/etc").
-			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
-			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-			Symlink(fst.Tmp+"/etc/default", "/etc/default").
-			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
-			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
-			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
-			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
-			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
-			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
-			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
-			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
-			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
-			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink("/proc/mounts", "/etc/mtab").
-			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
-			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
-			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
-			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
-			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
-			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
-			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
-			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
-			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
-			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
-			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-			Symlink(fst.Tmp+"/etc/services", "/etc/services").
-			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
-			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
-			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
-			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
-			Symlink(fst.Tmp+"/etc/static", "/etc/static").
-			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
-			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
-			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
-			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
-			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
-			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
-			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
-			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-			Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", false, true).
-			Tmpfs("/run/user", 1048576).
-			Tmpfs("/run/user/65534", 8388608).
-			Bind("/home/chronos", "/home/chronos", false, true).
-			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/passwd", "/etc/passwd").
-			Bind("/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac/group", "/etc/group").
-			Tmpfs("/var/run/nscd", 8192),
+			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
+		&sandbox.Params{
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
+			Dir:   "/home/chronos",
+			Path:  "/run/current-system/sw/bin/zsh",
+			Args:  []string{"/run/current-system/sw/bin/zsh"},
+			Env: []string{
+				"HOME=/home/chronos",
+				"SHELL=/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
+				"USER=chronos",
+				"XDG_RUNTIME_DIR=/run/user/65534",
+				"XDG_SESSION_CLASS=user",
+				"XDG_SESSION_TYPE=tty",
+			},
+			Ops: new(sandbox.Ops).
+				Proc("/proc").
+				Tmpfs(fst.Tmp, 4096, 0755).
+				Dev("/dev").Mqueue("/dev/mqueue").
+				Bind("/bin", "/bin", sandbox.BindWritable).
+				Bind("/boot", "/boot", sandbox.BindWritable).
+				Bind("/home", "/home", sandbox.BindWritable).
+				Bind("/lib", "/lib", sandbox.BindWritable).
+				Bind("/lib64", "/lib64", sandbox.BindWritable).
+				Bind("/nix", "/nix", sandbox.BindWritable).
+				Bind("/root", "/root", sandbox.BindWritable).
+				Bind("/run", "/run", sandbox.BindWritable).
+				Bind("/srv", "/srv", sandbox.BindWritable).
+				Bind("/sys", "/sys", sandbox.BindWritable).
+				Bind("/usr", "/usr", sandbox.BindWritable).
+				Bind("/var", "/var", sandbox.BindWritable).
+				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Tmpfs("/run/user/1971", 8192, 0755).
+				Tmpfs("/run/dbus", 8192, 0755).
+				Bind("/etc", fst.Tmp+"/etc", 0).
+				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
+				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
+				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
+				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
+				Link(fst.Tmp+"/etc/default", "/etc/default").
+				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
+				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
+				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
+				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
+				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
+				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
+				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
+				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
+				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
+				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
+				Link(fst.Tmp+"/etc/issue", "/etc/issue").
+				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
+				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
+				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
+				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
+				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
+				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
+				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
+				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
+				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
+				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
+				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
+				Link("/proc/mounts", "/etc/mtab").
+				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
+				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
+				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
+				Link(fst.Tmp+"/etc/nix", "/etc/nix").
+				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
+				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
+				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
+				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
+				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
+				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
+				Link(fst.Tmp+"/etc/pam", "/etc/pam").
+				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
+				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
+				Link(fst.Tmp+"/etc/pki", "/etc/pki").
+				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
+				Link(fst.Tmp+"/etc/profile", "/etc/profile").
+				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
+				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
+				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
+				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
+				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
+				Link(fst.Tmp+"/etc/samba", "/etc/samba").
+				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
+				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
+				Link(fst.Tmp+"/etc/services", "/etc/services").
+				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
+				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
+				Link(fst.Tmp+"/etc/shells", "/etc/shells").
+				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
+				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
+				Link(fst.Tmp+"/etc/static", "/etc/static").
+				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
+				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
+				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
+				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
+				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
+				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
+				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
+				Link(fst.Tmp+"/etc/udev", "/etc/udev").
+				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
+				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
+				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
+				Link(fst.Tmp+"/etc/X11", "/etc/X11").
+				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
+				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
+				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
+				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
+				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
+				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Tmpfs("/run/user", 4096, 0755).
+				Tmpfs("/run/user/65534", 8388608, 0700).
+				Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
+				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place("/etc/group", []byte("fortify:x:65534:\n")).
+				Tmpfs("/var/run/nscd", 8192, 0755),
+		},
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
 		&fst.Config{
-			ID:      "org.chromium.Chromium",
-			Command: []string{"/run/current-system/sw/bin/zsh", "-c", "exec chromium "},
+			ID:   "org.chromium.Chromium",
+			Args: []string{"zsh", "-c", "exec chromium "},
 			Confinement: fst.ConfinementConfig{
 				AppID:    9,
 				Groups:   []string{"video"},
@ -228,7 +192,7 @@ var testCasesPd = []sealTestCase{
 					},
 					Filter: true,
 				},
-				Enablements: system.EWayland.Mask() | system.EDBus.Mask() | system.EPulse.Mask(),
+				Enablements: system.EWayland | system.EDBus | system.EPulse,
 			},
 		},
 		fst.ID{
@ -239,18 +203,15 @@ var testCasesPd = []sealTestCase{
 		},
 		system.New(1000009).
 			Ensure("/tmp/fortify.1971", 0711).
-			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
 			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
+			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
+			Wayland(new(*os.File), "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
-			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n").
-			WriteType(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "fortify:x:65534:\n").
-			Ensure("/tmp/fortify.1971/wayland", 0711).
-			Wayland("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
-			CopyFile("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", "/home/ophestra/xdg/config/pulse/cookie").
+			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@ -283,168 +244,136 @@ var testCasesPd = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		(&bwrap.Config{
-			Net:      true,
-			UserNS:   true,
-			Chdir:    "/home/chronos",
-			Clearenv: true,
-			SetEnv: map[string]string{
-				"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/65534/bus",
-				"DBUS_SYSTEM_BUS_ADDRESS":  "unix:path=/run/dbus/system_bus_socket",
-				"HOME":                     "/home/chronos",
-				"PULSE_COOKIE":             fst.Tmp + "/pulse-cookie",
-				"PULSE_SERVER":             "unix:/run/user/65534/pulse/native",
-				"SHELL":                    "/run/current-system/sw/bin/zsh",
-				"TERM":                     "xterm-256color",
-				"USER":                     "chronos",
-				"WAYLAND_DISPLAY":          "/run/user/65534/wayland-0",
-				"XDG_RUNTIME_DIR":          "/run/user/65534",
-				"XDG_SESSION_CLASS":        "user",
-				"XDG_SESSION_TYPE":         "tty",
+		&sandbox.Params{
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
+			Dir:   "/home/chronos",
+			Path:  "/run/current-system/sw/bin/zsh",
+			Args:  []string{"zsh", "-c", "exec chromium "},
+			Env: []string{
+				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
+				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
+				"HOME=/home/chronos",
+				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
+				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
+				"USER=chronos",
+				"WAYLAND_DISPLAY=wayland-0",
+				"XDG_RUNTIME_DIR=/run/user/65534",
+				"XDG_SESSION_CLASS=user",
+				"XDG_SESSION_TYPE=tty",
 			},
-			Chmod:         make(bwrap.ChmodConfig),
-			DieWithParent: true,
-			AsInit:        true,
-		}).SetUID(65534).SetGID(65534).
-			Procfs("/proc").
-			Tmpfs(fst.Tmp, 4096).
-			DevTmpfs("/dev").Mqueue("/dev/mqueue").
-			Bind("/bin", "/bin", false, true).
-			Bind("/boot", "/boot", false, true).
-			Bind("/home", "/home", false, true).
-			Bind("/lib", "/lib", false, true).
-			Bind("/lib64", "/lib64", false, true).
-			Bind("/nix", "/nix", false, true).
-			Bind("/root", "/root", false, true).
-			Bind("/srv", "/srv", false, true).
-			Bind("/sys", "/sys", false, true).
-			Bind("/usr", "/usr", false, true).
-			Bind("/var", "/var", false, true).
-			Bind("/run/agetty.reload", "/run/agetty.reload", false, true).
-			Bind("/run/binfmt", "/run/binfmt", false, true).
-			Bind("/run/booted-system", "/run/booted-system", false, true).
-			Bind("/run/credentials", "/run/credentials", false, true).
-			Bind("/run/cryptsetup", "/run/cryptsetup", false, true).
-			Bind("/run/current-system", "/run/current-system", false, true).
-			Bind("/run/host", "/run/host", false, true).
-			Bind("/run/keys", "/run/keys", false, true).
-			Bind("/run/libvirt", "/run/libvirt", false, true).
-			Bind("/run/libvirtd.pid", "/run/libvirtd.pid", false, true).
-			Bind("/run/lock", "/run/lock", false, true).
-			Bind("/run/log", "/run/log", false, true).
-			Bind("/run/lvm", "/run/lvm", false, true).
-			Bind("/run/mount", "/run/mount", false, true).
-			Bind("/run/NetworkManager", "/run/NetworkManager", false, true).
-			Bind("/run/nginx", "/run/nginx", false, true).
-			Bind("/run/nixos", "/run/nixos", false, true).
-			Bind("/run/nscd", "/run/nscd", false, true).
-			Bind("/run/opengl-driver", "/run/opengl-driver", false, true).
-			Bind("/run/pppd", "/run/pppd", false, true).
-			Bind("/run/resolvconf", "/run/resolvconf", false, true).
-			Bind("/run/sddm", "/run/sddm", false, true).
-			Bind("/run/store", "/run/store", false, true).
-			Bind("/run/syncoid", "/run/syncoid", false, true).
-			Bind("/run/system", "/run/system", false, true).
-			Bind("/run/systemd", "/run/systemd", false, true).
-			Bind("/run/tmpfiles.d", "/run/tmpfiles.d", false, true).
-			Bind("/run/udev", "/run/udev", false, true).
-			Bind("/run/udisks2", "/run/udisks2", false, true).
-			Bind("/run/utmp", "/run/utmp", false, true).
-			Bind("/run/virtlogd.pid", "/run/virtlogd.pid", false, true).
-			Bind("/run/wrappers", "/run/wrappers", false, true).
-			Bind("/run/zed.pid", "/run/zed.pid", false, true).
-			Bind("/run/zed.state", "/run/zed.state", false, true).
-			Bind("/dev/dri", "/dev/dri", true, true, true).
-			Bind("/etc", fst.Tmp+"/etc").
-			Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
-			Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-			Symlink(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-			Symlink(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-			Symlink(fst.Tmp+"/etc/default", "/etc/default").
-			Symlink(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-			Symlink(fst.Tmp+"/etc/fonts", "/etc/fonts").
-			Symlink(fst.Tmp+"/etc/fstab", "/etc/fstab").
-			Symlink(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-			Symlink(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-			Symlink(fst.Tmp+"/etc/hostid", "/etc/hostid").
-			Symlink(fst.Tmp+"/etc/hostname", "/etc/hostname").
-			Symlink(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-			Symlink(fst.Tmp+"/etc/hosts", "/etc/hosts").
-			Symlink(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-			Symlink(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-			Symlink(fst.Tmp+"/etc/issue", "/etc/issue").
-			Symlink(fst.Tmp+"/etc/kbd", "/etc/kbd").
-			Symlink(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-			Symlink(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-			Symlink(fst.Tmp+"/etc/localtime", "/etc/localtime").
-			Symlink(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-			Symlink(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-			Symlink(fst.Tmp+"/etc/lvm", "/etc/lvm").
-			Symlink(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-			Symlink(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-			Symlink(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-			Symlink(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-			Symlink("/proc/mounts", "/etc/mtab").
-			Symlink(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-			Symlink(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-			Symlink(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-			Symlink(fst.Tmp+"/etc/nix", "/etc/nix").
-			Symlink(fst.Tmp+"/etc/nixos", "/etc/nixos").
-			Symlink(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-			Symlink(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-			Symlink(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-			Symlink(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-			Symlink(fst.Tmp+"/etc/os-release", "/etc/os-release").
-			Symlink(fst.Tmp+"/etc/pam", "/etc/pam").
-			Symlink(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-			Symlink(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-			Symlink(fst.Tmp+"/etc/pki", "/etc/pki").
-			Symlink(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-			Symlink(fst.Tmp+"/etc/profile", "/etc/profile").
-			Symlink(fst.Tmp+"/etc/protocols", "/etc/protocols").
-			Symlink(fst.Tmp+"/etc/qemu", "/etc/qemu").
-			Symlink(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-			Symlink(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-			Symlink(fst.Tmp+"/etc/rpc", "/etc/rpc").
-			Symlink(fst.Tmp+"/etc/samba", "/etc/samba").
-			Symlink(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-			Symlink(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-			Symlink(fst.Tmp+"/etc/services", "/etc/services").
-			Symlink(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-			Symlink(fst.Tmp+"/etc/shadow", "/etc/shadow").
-			Symlink(fst.Tmp+"/etc/shells", "/etc/shells").
-			Symlink(fst.Tmp+"/etc/ssh", "/etc/ssh").
-			Symlink(fst.Tmp+"/etc/ssl", "/etc/ssl").
-			Symlink(fst.Tmp+"/etc/static", "/etc/static").
-			Symlink(fst.Tmp+"/etc/subgid", "/etc/subgid").
-			Symlink(fst.Tmp+"/etc/subuid", "/etc/subuid").
-			Symlink(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-			Symlink(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-			Symlink(fst.Tmp+"/etc/systemd", "/etc/systemd").
-			Symlink(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-			Symlink(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-			Symlink(fst.Tmp+"/etc/udev", "/etc/udev").
-			Symlink(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-			Symlink(fst.Tmp+"/etc/UPower", "/etc/UPower").
-			Symlink(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-			Symlink(fst.Tmp+"/etc/X11", "/etc/X11").
-			Symlink(fst.Tmp+"/etc/zfs", "/etc/zfs").
-			Symlink(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-			Symlink(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-			Symlink(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-			Symlink(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-			Symlink(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-			Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", false, true).
-			Tmpfs("/run/user", 1048576).
-			Tmpfs("/run/user/65534", 8388608).
-			Bind("/home/chronos", "/home/chronos", false, true).
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/passwd", "/etc/passwd").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/group", "/etc/group").
-			Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0").
-			Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/pulse-cookie", fst.Tmp+"/pulse-cookie").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus").
-			Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket").
-			Tmpfs("/var/run/nscd", 8192),
+			Ops: new(sandbox.Ops).
+				Proc("/proc").
+				Tmpfs(fst.Tmp, 4096, 0755).
+				Dev("/dev").Mqueue("/dev/mqueue").
+				Bind("/bin", "/bin", sandbox.BindWritable).
+				Bind("/boot", "/boot", sandbox.BindWritable).
+				Bind("/home", "/home", sandbox.BindWritable).
+				Bind("/lib", "/lib", sandbox.BindWritable).
+				Bind("/lib64", "/lib64", sandbox.BindWritable).
+				Bind("/nix", "/nix", sandbox.BindWritable).
+				Bind("/root", "/root", sandbox.BindWritable).
+				Bind("/run", "/run", sandbox.BindWritable).
+				Bind("/srv", "/srv", sandbox.BindWritable).
+				Bind("/sys", "/sys", sandbox.BindWritable).
+				Bind("/usr", "/usr", sandbox.BindWritable).
+				Bind("/var", "/var", sandbox.BindWritable).
+				Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Tmpfs("/run/user/1971", 8192, 0755).
+				Tmpfs("/run/dbus", 8192, 0755).
+				Bind("/etc", fst.Tmp+"/etc", 0).
+				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
+				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
+				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
+				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
+				Link(fst.Tmp+"/etc/default", "/etc/default").
+				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
+				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
+				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
+				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
+				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
+				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
+				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
+				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
+				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
+				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
+				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
+				Link(fst.Tmp+"/etc/issue", "/etc/issue").
+				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
+				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
+				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
+				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
+				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
+				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
+				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
+				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
+				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
+				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
+				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
+				Link("/proc/mounts", "/etc/mtab").
+				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
+				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
+				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
+				Link(fst.Tmp+"/etc/nix", "/etc/nix").
+				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
+				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
+				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
+				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
+				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
+				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
+				Link(fst.Tmp+"/etc/pam", "/etc/pam").
+				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
+				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
+				Link(fst.Tmp+"/etc/pki", "/etc/pki").
+				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
+				Link(fst.Tmp+"/etc/profile", "/etc/profile").
+				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
+				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
+				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
+				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
+				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
+				Link(fst.Tmp+"/etc/samba", "/etc/samba").
+				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
+				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
+				Link(fst.Tmp+"/etc/services", "/etc/services").
+				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
+				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
+				Link(fst.Tmp+"/etc/shells", "/etc/shells").
+				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
+				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
+				Link(fst.Tmp+"/etc/static", "/etc/static").
+				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
+				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
+				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
+				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
+				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
+				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
+				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
+				Link(fst.Tmp+"/etc/udev", "/etc/udev").
+				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
+				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
+				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
+				Link(fst.Tmp+"/etc/X11", "/etc/X11").
+				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
+				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
+				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
+				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
+				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
+				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
+				Tmpfs("/run/user", 4096, 0755).
+				Tmpfs("/run/user/65534", 8388608, 0700).
+				Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
+				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place("/etc/group", []byte("fortify:x:65534:\n")).
+				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
+				Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
+				Place(fst.Tmp+"/pulse-cookie", nil).
+				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
+				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
+				Tmpfs("/var/run/nscd", 8192, 0755),
+		},
 	},
 }
--- a/internal/app/app_stub_test.go
+++ b/internal/app/app_stub_test.go
@ -2,12 +2,12 @@ package app_test

 import (
 	"fmt"
-	"io"
 	"io/fs"
+	"log"
 	"os/user"
 	"strconv"

-	"git.gensokyo.uk/security/fortify/internal/linux"
+	"git.gensokyo.uk/security/fortify/fst"
 )

 // fs methods are not implemented using a real FS
@ -17,9 +17,16 @@ type stubNixOS struct {
 	usernameErr map[string]error
 }

-func (s *stubNixOS) Geteuid() int {
-	return 1971
-}
+func (s *stubNixOS) Getuid() int                              { return 1971 }
+func (s *stubNixOS) Getgid() int                              { return 100 }
+func (s *stubNixOS) TempDir() string                          { return "/tmp" }
+func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/fortify" }
+func (s *stubNixOS) Exit(code int)                            { panic("called exit on stub with code " + strconv.Itoa(code)) }
+func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
+func (s *stubNixOS) Uid(aid int) (int, error)                 { return 1000000 + 0*10000 + aid, nil }
+
+func (s *stubNixOS) Println(v ...any)               { log.Println(v...) }
+func (s *stubNixOS) Printf(format string, v ...any) { log.Printf(format, v...) }

 func (s *stubNixOS) LookupEnv(key string) (string, bool) {
 	switch key {
@ -40,10 +47,6 @@ func (s *stubNixOS) LookupEnv(key string) (string, bool) {
 	}
 }

-func (s *stubNixOS) TempDir() string {
-	return "/tmp"
-}
-
 func (s *stubNixOS) LookPath(file string) (string, error) {
 	if s.lookPathErr != nil {
 		if err, ok := s.lookPathErr[file]; ok {
@ -52,19 +55,13 @@ func (s *stubNixOS) LookPath(file string) (string, error) {
 	}

 	switch file {
-	case "sudo":
-		return "/run/wrappers/bin/sudo", nil
-	case "machinectl":
-		return "/home/ophestra/.nix-profile/bin/machinectl", nil
+	case "zsh":
+		return "/run/current-system/sw/bin/zsh", nil
 	default:
 		panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
 	}
 }

-func (s *stubNixOS) Executable() (string, error) {
-	return "/home/ophestra/.nix-profile/bin/fortify", nil
-}
-
 func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
 	switch name {
 	case "video":
@ -128,26 +125,10 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {
 	}
 }

-func (s *stubNixOS) Exit(code int) {
-	panic("called exit on stub with code " + strconv.Itoa(code))
-}
-
-func (s *stubNixOS) Stdout() io.Writer {
-	panic("requested stdout")
-}
-
-func (s *stubNixOS) Paths() linux.Paths {
-	return linux.Paths{
+func (s *stubNixOS) Paths() fst.Paths {
+	return fst.Paths{
 		SharePath:   "/tmp/fortify.1971",
 		RuntimePath: "/run/user/1971",
 		RunDirPath:  "/run/user/1971/fortify",
 	}
 }
-
-func (s *stubNixOS) Uid(aid int) (int, error) {
-	return 1000000 + 0*10000 + aid, nil
-}
-
-func (s *stubNixOS) SdBooted() bool {
-	return true
-}
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@ -1,25 +1,26 @@
 package app_test

 import (
+	"encoding/json"
 	"io/fs"
 	"reflect"
 	"testing"
 	"time"

 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
 	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/internal/sys"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/system"
 )

 type sealTestCase struct {
-	name      string
-	os        linux.System
-	config    *fst.Config
-	id        fst.ID
-	wantSys   *system.I
-	wantBwrap *bwrap.Config
+	name          string
+	os            sys.State
+	config        *fst.Config
+	id            fst.ID
+	wantSys       *system.I
+	wantContainer *sandbox.Params
 }

 func TestApp(t *testing.T) {
@ -28,17 +29,21 @@ func TestApp(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			a := app.NewWithID(tc.id, tc.os)
-
+			var (
+				gotSys       *system.I
+				gotContainer *sandbox.Params
+			)
 			if !t.Run("seal", func(t *testing.T) {
-				if err := a.Seal(tc.config); err != nil {
+				if sa, err := a.Seal(tc.config); err != nil {
 					t.Errorf("Seal: error = %v", err)
+					return
+				} else {
+					gotSys, gotContainer = app.AppIParams(a, sa)
 				}
 			}) {
 				return
 			}

-			gotSys, gotBwrap := app.AppSystemBwrap(a)
-
 			t.Run("compare sys", func(t *testing.T) {
 				if !gotSys.Equal(tc.wantSys) {
 					t.Errorf("Seal: sys = %#v, want %#v",
@ -46,16 +51,24 @@ func TestApp(t *testing.T) {
 				}
 			})

-			t.Run("compare bwrap", func(t *testing.T) {
-				if !reflect.DeepEqual(gotBwrap, tc.wantBwrap) {
-					t.Errorf("seal: bwrap = %#v, want %#v",
-						gotBwrap, tc.wantBwrap)
+			t.Run("compare params", func(t *testing.T) {
+				if !reflect.DeepEqual(gotContainer, tc.wantContainer) {
+					t.Errorf("seal: params =\n%s\n, want\n%s",
+						mustMarshal(gotContainer), mustMarshal(tc.wantContainer))
 				}
 			})
 		})
 	}
 }

+func mustMarshal(v any) string {
+	if b, err := json.Marshal(v); err != nil {
+		panic(err.Error())
+	} else {
+		return string(b)
+	}
+}
+
 func stubDirEntries(names ...string) (e []fs.DirEntry, err error) {
 	e = make([]fs.DirEntry, len(names))
 	for i, name := range names {
--- a/internal/app/errors.go
+++ b/internal/app/errors.go
@ -0,0 +1,179 @@
+package app
+
+import (
+	"errors"
+	"log"
+
+	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/fortify/internal/fmsg"
+)
+
+func PrintRunStateErr(rs *fst.RunState, runErr error) {
+	if runErr != nil {
+		if rs.Time == nil {
+			fmsg.PrintBaseError(runErr, "cannot start app:")
+		} else {
+			var e *fmsg.BaseError
+			if !fmsg.AsBaseError(runErr, &e) {
+				log.Println("wait failed:", runErr)
+			} else {
+				// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
+				var se *StateStoreError
+				if !errors.As(runErr, &se) {
+					// does not need special handling
+					log.Print(e.Message())
+				} else {
+					// inner error are either unwrapped store errors
+					// or joined errors returned by *appSealTx revert
+					// wrapped in *app.BaseError
+					var ej RevertCompoundError
+					if !errors.As(se.InnerErr, &ej) {
+						// does not require special handling
+						log.Print(e.Message())
+					} else {
+						errs := ej.Unwrap()
+
+						// every error here is wrapped in *app.BaseError
+						for _, ei := range errs {
+							var eb *fmsg.BaseError
+							if !errors.As(ei, &eb) {
+								// unreachable
+								log.Println("invalid error type returned by revert:", ei)
+							} else {
+								// print inner *app.BaseError message
+								log.Print(eb.Message())
+							}
+						}
+					}
+				}
+			}
+		}
+
+		if rs.ExitCode == 0 {
+			rs.ExitCode = 126
+		}
+	}
+
+	if rs.RevertErr != nil {
+		var stateStoreError *StateStoreError
+		if !errors.As(rs.RevertErr, &stateStoreError) || stateStoreError == nil {
+			fmsg.PrintBaseError(rs.RevertErr, "generic fault during cleanup:")
+			goto out
+		}
+
+		if stateStoreError.Err != nil {
+			if len(stateStoreError.Err) == 2 {
+				if stateStoreError.Err[0] != nil {
+					if joinedErrs, ok := stateStoreError.Err[0].(interface{ Unwrap() []error }); !ok {
+						fmsg.PrintBaseError(stateStoreError.Err[0], "generic fault during revert:")
+					} else {
+						for _, err := range joinedErrs.Unwrap() {
+							if err != nil {
+								fmsg.PrintBaseError(err, "fault during revert:")
+							}
+						}
+					}
+				}
+				if stateStoreError.Err[1] != nil {
+					log.Printf("cannot close store: %v", stateStoreError.Err[1])
+				}
+			} else {
+				log.Printf("fault during cleanup: %v",
+					errors.Join(stateStoreError.Err...))
+			}
+		}
+
+		if stateStoreError.OpErr != nil {
+			log.Printf("blind revert due to store fault: %v",
+				stateStoreError.OpErr)
+		}
+
+		if stateStoreError.DoErr != nil {
+			fmsg.PrintBaseError(stateStoreError.DoErr, "state store operation unsuccessful:")
+		}
+
+		if stateStoreError.Inner && stateStoreError.InnerErr != nil {
+			fmsg.PrintBaseError(stateStoreError.InnerErr, "cannot destroy state entry:")
+		}
+
+	out:
+		if rs.ExitCode == 0 {
+			rs.ExitCode = 128
+		}
+	}
+	if rs.WaitErr != nil {
+		log.Println("inner wait failed:", rs.WaitErr)
+	}
+}
+
+// StateStoreError is returned for a failed state save
+type StateStoreError struct {
+	// whether inner function was called
+	Inner bool
+	// returned by the Save/Destroy method of [state.Cursor]
+	InnerErr error
+	// returned by the Do method of [state.Store]
+	DoErr error
+	// stores an arbitrary store operation error
+	OpErr error
+	// stores arbitrary errors
+	Err []error
+}
+
+// save saves arbitrary errors in [StateStoreError] once.
+func (e *StateStoreError) save(errs []error) {
+	if len(errs) == 0 || e.Err != nil {
+		panic("invalid call to save")
+	}
+	e.Err = errs
+}
+
+func (e *StateStoreError) equiv(a ...any) error {
+	if e.Inner && e.InnerErr == nil && e.DoErr == nil && e.OpErr == nil && errors.Join(e.Err...) == nil {
+		return nil
+	} else {
+		return fmsg.WrapErrorSuffix(e, a...)
+	}
+}
+
+func (e *StateStoreError) Error() string {
+	if e.Inner && e.InnerErr != nil {
+		return e.InnerErr.Error()
+	}
+	if e.DoErr != nil {
+		return e.DoErr.Error()
+	}
+	if e.OpErr != nil {
+		return e.OpErr.Error()
+	}
+	if err := errors.Join(e.Err...); err != nil {
+		return err.Error()
+	}
+
+	// equiv nullifies e for values where this is reached
+	panic("unreachable")
+}
+
+func (e *StateStoreError) Unwrap() (errs []error) {
+	errs = make([]error, 0, 3)
+	if e.InnerErr != nil {
+		errs = append(errs, e.InnerErr)
+	}
+	if e.DoErr != nil {
+		errs = append(errs, e.DoErr)
+	}
+	if e.OpErr != nil {
+		errs = append(errs, e.OpErr)
+	}
+	if err := errors.Join(e.Err...); err != nil {
+		errs = append(errs, err)
+	}
+	return
+}
+
+// A RevertCompoundError encapsulates errors returned by
+// the Revert method of [system.I].
+type RevertCompoundError interface {
+	Error() string
+	Unwrap() []error
+}
--- a/internal/app/export_test.go
+++ b/internal/app/export_test.go
@ -2,19 +2,23 @@ package app

 import (
 	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/helper/bwrap"
-	"git.gensokyo.uk/security/fortify/internal/linux"
-	"git.gensokyo.uk/security/fortify/internal/system"
+	"git.gensokyo.uk/security/fortify/internal/sys"
+	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/fortify/system"
 )

-func NewWithID(id fst.ID, os linux.System) App {
+func NewWithID(id fst.ID, os sys.State) fst.App {
 	a := new(app)
-	a.id = &id
-	a.os = os
+	a.id = newID(&id)
+	a.sys = os
 	return a
 }

-func AppSystemBwrap(a App) (*system.I, *bwrap.Config) {
+func AppIParams(a fst.App, sa fst.SealedApp) (*system.I, *sandbox.Params) {
 	v := a.(*app)
-	return v.seal.sys.I, v.seal.sys.bwrap
+	seal := sa.(*outcome)
+	if v.outcome != seal || v.id != seal.id {
+		panic("broken app/outcome link")
+	}
+	return seal.sys, seal.container
 }
--- a/Show More
+++ b/Show More