internal/wayland: reimplement connect/bind code

The old implementation is relocated to system/wayland/deprecated.go. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-11-16 01:23:16 +09:00 · 2025-11-16 01:23:16 +09:00 · 61972d61f6
commit 61972d61f6
parent fe40af7b7e
10 changed files with 254 additions and 267 deletions
--- a/internal/system/dispatcher.go
+++ b/internal/system/dispatcher.go
@ -6,9 +6,11 @@ import (
 	"log"
 	"os"

+	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/acl"
 	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/wayland"
 	"hakurei.app/internal/xcb"
 )

@ -45,6 +47,8 @@ type syscallDispatcher interface {
 	// aclUpdate provides [acl.Update].
 	aclUpdate(name string, uid int, perms ...acl.Perm) error

+	waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error)
+
 	// xcbChangeHosts provides [xcb.ChangeHosts].
 	xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error

@ -76,6 +80,10 @@ func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 	return acl.Update(name, uid, perms...)
 }

+func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
+	return wayland.New(displayPath, bindPath, appID, instanceID)
+}
+
 func (k direct) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	return xcb.ChangeHosts(mode, family, address)
 }
--- a/internal/system/dispatcher_test.go
+++ b/internal/system/dispatcher_test.go
@ -8,10 +8,12 @@ import (
 	"testing"
 	"unsafe"

+	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
 	"hakurei.app/internal/acl"
 	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/wayland"
 	"hakurei.app/internal/xcb"
 )

@ -268,6 +270,15 @@ func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 		stub.CheckArgReflect(k.Stub, "perms", perms, 2))
 }

+func (k *kstub) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
+	k.Helper()
+	return nil, k.Expects("waylandNew").Error(
+		stub.CheckArgReflect(k.Stub, "displayPath", displayPath, 0),
+		stub.CheckArgReflect(k.Stub, "bindPath", bindPath, 1),
+		stub.CheckArg(k.Stub, "appID", appID, 2),
+		stub.CheckArg(k.Stub, "instanceID", instanceID, 3))
+}
+
 func (k *kstub) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	k.Helper()
 	return k.Expects("xcbChangeHosts").Error(
--- a/internal/system/wayland.go
+++ b/internal/system/wayland.go
@ -8,83 +8,74 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/acl"
-	"hakurei.app/system/wayland"
+	"hakurei.app/internal/wayland"
 )

-type waylandConn interface {
-	Attach(p string) (err error)
-	Bind(pathname, appID, instanceID string) (*os.File, error)
-	Close() error
-}
-
 // Wayland maintains a wayland socket with security-context-v1 attached via [wayland].
 // The socket stops accepting connections once the pipe referred to by sync is closed.
 // The socket is pathname only and is destroyed on revert.
 func (sys *I) Wayland(dst, src *check.Absolute, appID, instanceID string) *I {
 	sys.ops = append(sys.ops, &waylandOp{nil,
-		dst.String(), src.String(),
-		appID, instanceID,
-		new(wayland.Conn)})
+		dst, src, appID, instanceID})
 	return sys
 }

 // waylandOp implements [I.Wayland].
 type waylandOp struct {
-	sync              *os.File
-	dst, src          string
+	ctx               *wayland.SecurityContext
+	dst, src          *check.Absolute
 	appID, instanceID string
-
-	conn waylandConn
 }

 func (w *waylandOp) Type() hst.Enablement { return Process }

-func (w *waylandOp) apply(sys *I) error {
-	if err := w.conn.Attach(w.src); err != nil {
+func (w *waylandOp) apply(sys *I) (err error) {
+	if w.ctx, err = sys.waylandNew(w.src, w.dst, w.appID, w.instanceID); err != nil {
 		return newOpError("wayland", err, false)
 	} else {
-		sys.msg.Verbosef("wayland attached on %q", w.src)
-	}
+		sys.msg.Verbosef("wayland pathname socket on %q via %q", w.dst, w.src)

-	if sp, err := w.conn.Bind(w.dst, w.appID, w.instanceID); err != nil {
-		return newOpError("wayland", err, false)
-	} else {
-		w.sync = sp
-		sys.msg.Verbosef("wayland listening on %q", w.dst)
-		if err = sys.chmod(w.dst, 0); err != nil {
+		if err = sys.chmod(w.dst.String(), 0); err != nil {
+			if closeErr := w.ctx.Close(); closeErr != nil {
+				return newOpError("wayland", errors.Join(err, closeErr), false)
+			}
 			return newOpError("wayland", err, false)
 		}
-		return newOpError("wayland", sys.aclUpdate(w.dst, sys.uid, acl.Read, acl.Write, acl.Execute), false)
+
+		if err = sys.aclUpdate(w.dst.String(), sys.uid, acl.Read, acl.Write, acl.Execute); err != nil {
+			if closeErr := w.ctx.Close(); closeErr != nil {
+				return newOpError("wayland", errors.Join(err, closeErr), false)
+			}
+			return newOpError("wayland", err, false)
+		}
+
+		return nil
 	}
 }

 func (w *waylandOp) revert(sys *I, _ *Criteria) error {
 	var (
 		hangupErr error
-		closeErr  error
 		removeErr error
 	)

-	sys.msg.Verbosef("detaching from wayland on %q", w.src)
-	if w.sync != nil {
-		hangupErr = w.sync.Close()
+	sys.msg.Verbosef("hanging up wayland socket on %q", w.dst)
+	if w.ctx != nil {
+		hangupErr = w.ctx.Close()
 	}
-	closeErr = w.conn.Close()
-
-	sys.msg.Verbosef("removing wayland socket on %q", w.dst)
-	if err := sys.remove(w.dst); err != nil && !errors.Is(err, os.ErrNotExist) {
+	if err := sys.remove(w.dst.String()); err != nil && !errors.Is(err, os.ErrNotExist) {
 		removeErr = err
 	}

-	return newOpError("wayland", errors.Join(hangupErr, closeErr, removeErr), true)
+	return newOpError("wayland", errors.Join(hangupErr, removeErr), true)
 }

 func (w *waylandOp) Is(o Op) bool {
 	target, ok := o.(*waylandOp)
 	return ok && w != nil && target != nil &&
-		w.dst == target.dst && w.src == target.src &&
+		w.dst.Is(target.dst) && w.src.Is(target.src) &&
 		w.appID == target.appID && w.instanceID == target.instanceID
 }

-func (w *waylandOp) Path() string   { return w.dst }
+func (w *waylandOp) Path() string   { return w.dst.String() }
 func (w *waylandOp) String() string { return fmt.Sprintf("wayland socket at %q", w.dst) }
--- a/internal/system/wayland_test.go
+++ b/internal/system/wayland_test.go
@ -7,196 +7,62 @@ import (

 	"hakurei.app/container/stub"
 	"hakurei.app/internal/acl"
-	"hakurei.app/system/wayland"
 )

-type stubWaylandConn struct {
-	t *testing.T
-
-	wantAttach string
-	attachErr  error
-	attached   bool
-
-	wantBind [3]string
-	bindErr  error
-	bound    bool
-
-	closeErr error
-	closed   bool
-}
-
-func (conn *stubWaylandConn) Attach(p string) (err error) {
-	conn.t.Helper()
-
-	if conn.attached {
-		conn.t.Fatal("Attach called twice")
-	}
-	conn.attached = true
-
-	err = conn.attachErr
-	if p != conn.wantAttach {
-		conn.t.Errorf("Attach: p = %q, want %q", p, conn.wantAttach)
-		err = stub.ErrCheck
-	}
-	return
-}
-
-func (conn *stubWaylandConn) Bind(pathname, appID, instanceID string) (*os.File, error) {
-	conn.t.Helper()
-
-	if !conn.attached {
-		conn.t.Fatal("Bind called before Attach")
-	}
-
-	if conn.bound {
-		conn.t.Fatal("Bind called twice")
-	}
-	conn.bound = true
-
-	if pathname != conn.wantBind[0] {
-		conn.t.Errorf("Attach: pathname = %q, want %q", pathname, conn.wantBind[0])
-		return nil, stub.ErrCheck
-	}
-	if appID != conn.wantBind[1] {
-		conn.t.Errorf("Attach: appID = %q, want %q", appID, conn.wantBind[1])
-		return nil, stub.ErrCheck
-	}
-	if instanceID != conn.wantBind[2] {
-		conn.t.Errorf("Attach: instanceID = %q, want %q", instanceID, conn.wantBind[2])
-		return nil, stub.ErrCheck
-	}
-	return nil, conn.bindErr
-}
-
-func (conn *stubWaylandConn) Close() error {
-	conn.t.Helper()
-
-	if !conn.attached {
-		conn.t.Fatal("Close called before Attach")
-	}
-	if !conn.bound {
-		conn.t.Fatal("Close called before Bind")
-	}
-
-	if conn.closed {
-		conn.t.Fatal("Close called twice")
-	}
-	conn.closed = true
-	return conn.closeErr
-}
-
 func TestWaylandOp(t *testing.T) {
 	t.Parallel()

 	checkOpBehaviour(t, []opBehaviourTestCase{
-		{"attach", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
-			"org.chromium.Chromium",
-			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
-				attachErr: stub.UniqueError(5)},
-		}, nil, &OpError{Op: "wayland", Err: stub.UniqueError(5)}, nil, nil},
-
-		{"bind", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
-			"org.chromium.Chromium",
-			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
-				bindErr: stub.UniqueError(4)},
-		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-		}, &OpError{Op: "wayland", Err: stub.UniqueError(4)}, nil, nil},
-
 		{"chmod", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, stub.UniqueError(3)),
-		}, &OpError{Op: "wayland", Err: stub.UniqueError(3)}, nil, nil},
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(3), os.ErrInvalid)}, nil, nil},

 		{"aclUpdate", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
 			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)),
-		}, &OpError{Op: "wayland", Err: stub.UniqueError(2)}, nil, nil},
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(2), os.ErrInvalid)}, nil, nil},

 		{"remove", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
 			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
 		}, nil, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
 			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, stub.UniqueError(1)),
 		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(1)), Revert: true}},

-		{"close", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
-			"org.chromium.Chromium",
-			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
-				closeErr: stub.UniqueError(0)},
-		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
-			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
-			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
-		}, nil, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
-			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
-		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(0)), Revert: true}},
-
 		{"success", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
 			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
 		}, nil, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
 			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
 		}, nil},
 	})
@ -210,93 +76,81 @@ func TestWaylandOp(t *testing.T) {
 				"ebf083d1b175911782d413369b64ce7c",
 			)
 		}, []Op{&waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}}, stub.Expect{}},
 	})

 	checkOpIs(t, []opIsTestCase{
 		{"dst differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},

 		{"src differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-1",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-1"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},

 		{"appID differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},

 		{"instanceID differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7d",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},

 		{"equals", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, true},
 	})

 	checkOpMeta(t, []opMetaTestCase{
 		{"chromium", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
 			`wayland socket at "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"`},
 	})
--- a/internal/wayland/conn.go
+++ b/internal/wayland/conn.go
@ -1,47 +1,85 @@
 package wayland

 import (
+	"errors"
 	"os"
 	"syscall"
+
+	"hakurei.app/container/check"
 )

-func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error) {
+// SecurityContext holds resources associated with a Wayland security_context.
+type SecurityContext struct {
+	// Pipe with its write end passed to security-context-v1.
+	closeFds [2]int
+}
+
+// Close releases any resources held by [SecurityContext], and prevents further
+// connections to its associated socket.
+func (sc *SecurityContext) Close() error {
+	if sc == nil {
+		return os.ErrInvalid
+	}
+	return errors.Join(
+		syscall.Close(sc.closeFds[1]),
+		syscall.Close(sc.closeFds[0]),
+	)
+}
+
+// New creates a new security context on the Wayland display at displayPath
+// and associates it with a new socket bound to bindPath.
+//
+// New does not attach a finalizer to the resulting [SecurityContext] struct.
+// The caller is responsible for calling [SecurityContext.Close].
+//
+// A non-nil error unwraps to concrete type [Error].
+func New(displayPath, bindPath *check.Absolute, appID, instanceID string) (*SecurityContext, error) {
+	// ensure bindPath is available
+	if f, err := os.Create(bindPath.String()); err != nil {
+		return nil, &Error{Cause: RHostCreate, Errno: err}
+	} else if err = f.Close(); err != nil {
+		return nil, &Error{Cause: RHostCreate, Errno: err}
+	} else if err = os.Remove(bindPath.String()); err != nil {
+		return nil, &Error{Cause: RHostCreate, Errno: err}
+	}
+
+	if fd, err := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0); err != nil {
+		return nil, &Error{RHostSocket, err}
+	} else if err = syscall.Connect(fd, &syscall.SockaddrUnix{Name: displayPath.String()}); err != nil {
+		_ = syscall.Close(fd)
+		return nil, &Error{RHostConnect, err}
+	} else {
+		closeFds, bindErr := bindSecurityContext(fd, bindPath, appID, instanceID)
+		if bindErr != nil {
+			// do not leak the pipe and socket
+			err = errors.Join(bindErr, // already wrapped
+				syscall.Close(closeFds[1]),
+				syscall.Close(closeFds[0]),
+				syscall.Close(fd),
+			)
+		}
+		return &SecurityContext{closeFds}, err
+	}
+}
+
+// bindSecurityContext binds a socket associated to a security context created on serverFd,
+// returning the pipe file descriptors used for security-context-v1 close_fd.
+//
+// A non-nil error unwraps to concrete type [Error].
+func bindSecurityContext(serverFd int, bindPath *check.Absolute, appID, instanceID string) ([2]int, error) {
+	// write end passed to security-context-v1 close_fd
 	var closeFds [2]int
 	if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil {
 		return closeFds, err
 	}

-	setupDone := make(chan error, 1) // does not block with c.done
-
-	go func() {
-		if err := rc.Control(func(fd uintptr) {
-			// allow the Bind method to return after setup
-			setupDone <- bind(fd, p, appID, instanceID, uintptr(closeFds[1]))
-			close(setupDone)
-
-			// keep socket alive until done is requested
-			<-done
-		}); err != nil {
-			setupDone <- err
-		}
-
-		// notify Close that rc.Control has returned
-		close(done)
-	}()
-
-	// return write end of the pipe
-	return closeFds, <-setupDone
-}
-
-func bind(fd uintptr, p, appID, instanceID string, syncFd uintptr) error {
-	// ensure p is available
-	if f, err := os.Create(p); err != nil {
-		return err
-	} else if err = f.Close(); err != nil {
-		return err
-	} else if err = os.Remove(p); err != nil {
-		return err
+	// returned error is already wrapped
+	if err := bindWaylandFd(bindPath.String(), uintptr(serverFd), appID, instanceID, uintptr(closeFds[1])); err != nil {
+		return closeFds, errors.Join(err,
+			syscall.Close(closeFds[1]),
+			syscall.Close(closeFds[0]),
+		)
+	} else {
+		return closeFds, nil
 	}
-
-	return bindWaylandFd(p, fd, appID, instanceID, syncFd)
 }
--- a/internal/wayland/wayland-client-helper.c
+++ b/internal/wayland/wayland-client-helper.c
@ -33,7 +33,7 @@ static const struct wl_registry_listener registry_listener = {

 hakurei_wayland_res hakurei_bind_wayland_fd(
    char *socket_path,
-    int fd,
+    int server_fd,
    const char *app_id,
    const char *instance_id,
    int close_fd) {
@ -47,7 +47,7 @@ hakurei_wayland_res hakurei_bind_wayland_fd(
  struct sockaddr_un sockaddr = {0};
  struct wp_security_context_v1 *security_context;

-  display = wl_display_connect_to_fd(fd);
+  display = wl_display_connect_to_fd(server_fd);
  if (display == NULL) {
    res = HAKUREI_WAYLAND_CONNECT;
    goto out;
--- a/internal/wayland/wayland-client-helper.h
+++ b/internal/wayland/wayland-client-helper.h
@ -14,11 +14,18 @@ typedef enum {
  HAKUREI_WAYLAND_BIND,
  /* listen failed, errno */
  HAKUREI_WAYLAND_LISTEN,
+
+  /* ensure pathname failed, implemented in conn.go */
+  HAKUREI_WAYLAND_HOST_CREAT,
+  /* socket for host server failed, implemented in conn.go */
+  HAKUREI_WAYLAND_HOST_SOCKET,
+  /* connect for host server failed, implemented in conn.go */
+  HAKUREI_WAYLAND_HOST_CONNECT,
 } hakurei_wayland_res;

 hakurei_wayland_res hakurei_bind_wayland_fd(
    char *socket_path,
-    int fd,
+    int server_fd,
    const char *app_id,
    const char *instance_id,
    int close_fd);
--- a/internal/wayland/wayland.go
+++ b/internal/wayland/wayland.go
@ -31,10 +31,10 @@ const (
 )

 type (
-	// Res is the outcome of a call to hakurei_bind_wayland_fd.
+	// Res is the outcome of a call to [New].
 	Res = C.hakurei_wayland_res

-	// An Error represents a failure during hakurei_bind_wayland_fd.
+	// An Error represents a failure during [New].
 	Error struct {
 		// Where the failure occurred.
 		Cause Res
@ -68,6 +68,13 @@ const (
 	RBind Res = C.HAKUREI_WAYLAND_BIND
 	// RListen is returned if listen failed. The global errno is set.
 	RListen Res = C.HAKUREI_WAYLAND_LISTEN
+
+	// RHostCreate is returned if ensuring pathname availability failed. Returned by [New].
+	RHostCreate Res = C.HAKUREI_WAYLAND_HOST_CREAT
+	// RHostSocket is returned if socket failed for host server. Returned by [New].
+	RHostSocket Res = C.HAKUREI_WAYLAND_HOST_SOCKET
+	// RHostConnect is returned if connect failed for host server. Returned by [New].
+	RHostConnect Res = C.HAKUREI_WAYLAND_HOST_CONNECT
 )

 func (e *Error) Unwrap() error   { return e.Errno }
@ -95,6 +102,16 @@ func (e *Error) Error() string {
 		}
 		return e.Errno.Error()

+	case RHostCreate:
+		if e.Errno == nil {
+			return "cannot ensure wayland pathname socket"
+		}
+		return e.Errno.Error()
+	case RHostSocket:
+		return e.withPrefix("socket for host wayland server")
+	case RHostConnect:
+		return e.withPrefix("connect to host wayland server")
+
 	default:
 		return e.withPrefix("impossible outcome") /* not reached */
 	}
--- a/internal/wayland/wayland_test.go
+++ b/internal/wayland/wayland_test.go
@ -1,6 +1,7 @@
 package wayland_test

 import (
+	"os"
 	"syscall"
 	"testing"

@ -58,6 +59,25 @@ func TestError(t *testing.T) {
 			Cause: wayland.RSocket,
 		}, "socket operation failed"},

+		{"host create", wayland.Error{
+			Cause: wayland.RHostCreate,
+		}, "cannot ensure wayland pathname socket"},
+
+		{"host create path", wayland.Error{
+			Cause: wayland.RHostCreate,
+			Errno: &os.PathError{Op: "create", Path: "/proc/nonexistent", Err: syscall.EEXIST},
+		}, "create /proc/nonexistent: file exists"},
+
+		{"host socket", wayland.Error{
+			Cause: wayland.RHostSocket,
+			Errno: stub.UniqueError(5),
+		}, "socket for host wayland server: unique error 5 injected by the test suite"},
+
+		{"host connect", wayland.Error{
+			Cause: wayland.RHostConnect,
+			Errno: stub.UniqueError(6),
+		}, "connect to host wayland server: unique error 6 injected by the test suite"},
+
 		{"invalid", wayland.Error{
 			Cause: 0xbad,
 		}, "impossible outcome"},
--- a/system/wayland/deprecated.go
+++ b/system/wayland/deprecated.go
@ -15,6 +15,9 @@ import (
 	"hakurei.app/internal/wayland"
 )

+//go:linkname bindWaylandFd hakurei.app/internal/wayland.bindWaylandFd
+func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, syncFd uintptr) error
+
 // Conn represents a connection to the wayland display server.
 //
 // Deprecated: this interface is being replaced.
@ -60,9 +63,6 @@ func (c *Conn) Close() error {
 	return nil
 }

-//go:linkname bindRawConn hakurei.app/internal/wayland.bindRawConn
-func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error)
-
 // Bind binds the new socket to pathname.
 func (c *Conn) Bind(pathname, appID, instanceID string) (*os.File, error) {
 	c.mu.Lock()
@ -88,6 +88,47 @@ func (c *Conn) Bind(pathname, appID, instanceID string) (*os.File, error) {
 	}
 }

+func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error) {
+	var closeFds [2]int
+	if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil {
+		return closeFds, err
+	}
+
+	setupDone := make(chan error, 1) // does not block with c.done
+
+	go func() {
+		if err := rc.Control(func(fd uintptr) {
+			// allow the Bind method to return after setup
+			setupDone <- bind(fd, p, appID, instanceID, uintptr(closeFds[1]))
+			close(setupDone)
+
+			// keep socket alive until done is requested
+			<-done
+		}); err != nil {
+			setupDone <- err
+		}
+
+		// notify Close that rc.Control has returned
+		close(done)
+	}()
+
+	// return write end of the pipe
+	return closeFds, <-setupDone
+}
+
+func bind(fd uintptr, p, appID, instanceID string, syncFd uintptr) error {
+	// ensure p is available
+	if f, err := os.Create(p); err != nil {
+		return err
+	} else if err = f.Close(); err != nil {
+		return err
+	} else if err = os.Remove(p); err != nil {
+		return err
+	}
+
+	return bindWaylandFd(p, fd, appID, instanceID, syncFd)
+}
+
 const (
 	// WaylandDisplay contains the name of the server socket
 	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1147)