diff --git a/system/dispatcher.go b/system/dispatcher.go
index f8de2ff..36defd1 100644
--- a/system/dispatcher.go
+++ b/system/dispatcher.go
@@ -3,6 +3,7 @@ package system
 import (
 	"io"
 	"io/fs"
+	"log"
 	"os"
 
 	"hakurei.app/system/acl"
@@ -37,6 +38,9 @@ type syscallDispatcher interface {
 	// remove provides os.Remove.
 	remove(name string) error
 
+	// println provides [log.Println].
+	println(v ...any)
+
 	// aclUpdate provides [acl.Update].
 	aclUpdate(name string, uid int, perms ...acl.Perm) error
 
@@ -71,6 +75,8 @@ func (k direct) chmod(name string, mode os.FileMode) error { return os.Chmod(nam
 func (k direct) link(oldname, newname string) error        { return os.Link(oldname, newname) }
 func (k direct) remove(name string) error                  { return os.Remove(name) }
 
+func (k direct) println(v ...any) { log.Println(v...) }
+
 func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 	return acl.Update(name, uid, perms...)
 }
diff --git a/system/dispatcher_test.go b/system/dispatcher_test.go
index 7bd4e6d..9676929 100644
--- a/system/dispatcher_test.go
+++ b/system/dispatcher_test.go
@@ -273,6 +273,14 @@ func (k *kstub) remove(name string) error {
 		stub.CheckArg(k.Stub, "name", name, 0))
 }
 
+func (k *kstub) println(v ...any) {
+	k.Helper()
+	k.Expects("println")
+	if !stub.CheckArgReflect(k.Stub, "v", v, 0) {
+		k.FailNow()
+	}
+}
+
 func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 	k.Helper()
 	return k.Expects("aclUpdate").Error(
diff --git a/system/wayland.go b/system/wayland.go
index fac6ee7..2dd0d98 100644
--- a/system/wayland.go
+++ b/system/wayland.go
@@ -9,11 +9,17 @@ import (
 	"hakurei.app/system/wayland"
 )
 
+type waylandConn interface {
+	Attach(p string) (err error)
+	Bind(pathname, appID, instanceID string) (*os.File, error)
+	Close() error
+}
+
 // Wayland maintains a wayland socket with security-context-v1 attached via [wayland].
 // The socket stops accepting connections once the pipe referred to by sync is closed.
 // The socket is pathname only and is destroyed on revert.
 func (sys *I) Wayland(syncFd **os.File, dst, src, appID, instanceID string) *I {
-	sys.ops = append(sys.ops, &waylandOp{syncFd, dst, src, appID, instanceID, wayland.Conn{}})
+	sys.ops = append(sys.ops, &waylandOp{syncFd, dst, src, appID, instanceID, new(wayland.Conn)})
 	return sys
 }
 
@@ -23,7 +29,7 @@ type waylandOp struct {
 	dst, src          string
 	appID, instanceID string
 
-	conn wayland.Conn
+	conn waylandConn
 }
 
 func (w *waylandOp) Type() Enablement { return Process }
@@ -34,43 +40,32 @@ func (w *waylandOp) apply(sys *I) error {
 		return errors.New("invalid sync")
 	}
 
-	// the Wayland op is not repeatable
-	if *w.sync != nil {
-		// this is a misuse of the API; do not return a wrapped error
-		return errors.New("attempted to attach multiple wayland sockets")
-	}
-
 	if err := w.conn.Attach(w.src); err != nil {
 		return newOpError("wayland", err, false)
 	} else {
-		msg.Verbosef("wayland attached on %q", w.src)
+		sys.verbosef("wayland attached on %q", w.src)
 	}
 
 	if sp, err := w.conn.Bind(w.dst, w.appID, w.instanceID); err != nil {
 		return newOpError("wayland", err, false)
 	} else {
 		*w.sync = sp
-		msg.Verbosef("wayland listening on %q", w.dst)
-		if err = os.Chmod(w.dst, 0); err != nil {
+		sys.verbosef("wayland listening on %q", w.dst)
+		if err = sys.chmod(w.dst, 0); err != nil {
 			return newOpError("wayland", err, false)
 		}
-		return newOpError("wayland", acl.Update(w.dst, sys.uid, acl.Read, acl.Write, acl.Execute), false)
+		return newOpError("wayland", sys.aclUpdate(w.dst, sys.uid, acl.Read, acl.Write, acl.Execute), false)
 	}
 }
 
-func (w *waylandOp) revert(_ *I, ec *Criteria) error {
-	if ec.hasType(w.Type()) {
-		msg.Verbosef("removing wayland socket on %q", w.dst)
-		if err := os.Remove(w.dst); err != nil && !errors.Is(err, os.ErrNotExist) {
-			return newOpError("wayland", err, true)
-		}
-
-		msg.Verbosef("detaching from wayland on %q", w.src)
-		return newOpError("wayland", w.conn.Close(), true)
-	} else {
-		msg.Verbosef("skipping wayland cleanup on %q", w.dst)
-		return nil
+func (w *waylandOp) revert(sys *I, _ *Criteria) error {
+	sys.verbosef("removing wayland socket on %q", w.dst)
+	if err := sys.remove(w.dst); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return newOpError("wayland", err, true)
 	}
+
+	sys.verbosef("detaching from wayland on %q", w.src)
+	return newOpError("wayland", w.conn.Close(), true)
 }
 
 func (w *waylandOp) Is(o Op) bool {
diff --git a/system/wayland_test.go b/system/wayland_test.go
new file mode 100644
index 0000000..3ae6247
--- /dev/null
+++ b/system/wayland_test.go
@@ -0,0 +1,329 @@
+package system
+
+import (
+	"errors"
+	"os"
+	"testing"
+
+	"hakurei.app/container/stub"
+	"hakurei.app/system/acl"
+	"hakurei.app/system/wayland"
+)
+
+type stubWaylandConn struct {
+	t *testing.T
+
+	wantAttach string
+	attachErr  error
+	attached   bool
+
+	wantBind [3]string
+	bindErr  error
+	bound    bool
+
+	closeErr error
+	closed   bool
+}
+
+func (conn *stubWaylandConn) Attach(p string) (err error) {
+	conn.t.Helper()
+
+	if conn.attached {
+		conn.t.Fatal("Attach called twice")
+	}
+	conn.attached = true
+
+	err = conn.attachErr
+	if p != conn.wantAttach {
+		conn.t.Errorf("Attach: p = %q, want %q", p, conn.wantAttach)
+		err = stub.ErrCheck
+	}
+	return
+}
+
+func (conn *stubWaylandConn) Bind(pathname, appID, instanceID string) (*os.File, error) {
+	conn.t.Helper()
+
+	if !conn.attached {
+		conn.t.Fatal("Bind called before Attach")
+	}
+
+	if conn.bound {
+		conn.t.Fatal("Bind called twice")
+	}
+	conn.bound = true
+
+	if pathname != conn.wantBind[0] {
+		conn.t.Errorf("Attach: pathname = %q, want %q", pathname, conn.wantBind[0])
+		return nil, stub.ErrCheck
+	}
+	if appID != conn.wantBind[1] {
+		conn.t.Errorf("Attach: appID = %q, want %q", appID, conn.wantBind[1])
+		return nil, stub.ErrCheck
+	}
+	if instanceID != conn.wantBind[2] {
+		conn.t.Errorf("Attach: instanceID = %q, want %q", instanceID, conn.wantBind[2])
+		return nil, stub.ErrCheck
+	}
+	return nil, conn.bindErr
+}
+
+func (conn *stubWaylandConn) Close() error {
+	conn.t.Helper()
+
+	if !conn.attached {
+		conn.t.Fatal("Close called before Attach")
+	}
+	if !conn.bound {
+		conn.t.Fatal("Close called before Bind")
+	}
+
+	if conn.closed {
+		conn.t.Fatal("Close called twice")
+	}
+	conn.closed = true
+	return conn.closeErr
+}
+
+func TestWaylandOp(t *testing.T) {
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"invalid sync", 0xdeadbeef, 0xff, &waylandOp{
+			nil,
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			nil,
+		}, nil, errors.New("invalid sync"), nil, nil},
+
+		{"attach", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
+				attachErr: stub.UniqueError(5)},
+		}, nil, &OpError{Op: "wayland", Err: stub.UniqueError(5)}, nil, nil},
+
+		{"bind", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
+				bindErr: stub.UniqueError(4)},
+		}, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+		}, &OpError{Op: "wayland", Err: stub.UniqueError(4)}, nil, nil},
+
+		{"chmod", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
+		}, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, stub.UniqueError(3)),
+		}, &OpError{Op: "wayland", Err: stub.UniqueError(3)}, nil, nil},
+
+		{"aclUpdate", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
+		}, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)),
+		}, &OpError{Op: "wayland", Err: stub.UniqueError(2)}, nil, nil},
+
+		{"remove", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
+		}, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+		}, nil, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, stub.UniqueError(1)),
+		}, &OpError{Op: "wayland", Err: stub.UniqueError(1), Revert: true}},
+
+		{"close", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
+				closeErr: stub.UniqueError(0)},
+		}, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+		}, nil, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+		}, &OpError{Op: "wayland", Err: stub.UniqueError(0), Revert: true}},
+
+		{"success", 0xdeadbeef, 0xff, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
+		}, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+		}, nil, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsBuilder(t, "Wayland", []opsBuilderTestCase{
+		{"chromium", 0xcafe, func(_ *testing.T, sys *I) {
+			sys.Wayland(
+				new(*os.File),
+				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+				"/run/user/1971/wayland-0",
+				"org.chromium.Chromium",
+				"ebf083d1b175911782d413369b64ce7c",
+			)
+		}, []Op{&waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}}, stub.Expect{}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"dst differs", &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, false},
+
+		{"src differs", &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-1",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, false},
+
+		{"appID differs", &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, false},
+
+		{"instanceID differs", &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7d",
+			new(wayland.Conn),
+		}, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, false},
+
+		{"equals", &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"chromium", &waylandOp{
+			new(*os.File),
+			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			"/run/user/1971/wayland-0",
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+			new(wayland.Conn),
+		}, Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			`wayland socket at "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"`},
+	})
+}