From c9facb746b7be0f2d8f6b9b2227340ba2ec12060 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Tue, 26 Aug 2025 00:52:49 +0900 Subject: [PATCH] hst/config: remove data field, rename dir to home There is no reason to give the home directory special treatment, as this behaviour can be quite confusing. The home directory also does not necessarily require its own mount point, it could be provided by a parent or simply be ephemeral. Signed-off-by: Ophestra --- cmd/hakurei/command.go | 2 +- cmd/hakurei/print.go | 4 ++-- cmd/hakurei/print_test.go | 13 +++++-------- cmd/hpkg/app.go | 4 ++-- cmd/hpkg/with.go | 8 ++++---- hst/config.go | 9 ++++----- hst/hst.go | 3 +-- hst/hst_test.go | 3 +-- internal/app/app_nixos_linux_test.go | 5 +++-- internal/app/app_pd_linux_test.go | 6 ++---- internal/app/process_linux.go | 1 - internal/app/seal_linux.go | 14 ++++---------- internal/app/shim_linux.go | 17 ----------------- nixos.nix | 12 ++++++++++-- test/sandbox/case/device.nix | 2 +- test/sandbox/case/mapuid.nix | 2 +- test/sandbox/case/pd.nix | 1 - test/sandbox/case/pdlike.nix | 2 +- test/sandbox/case/preset.nix | 2 +- test/sandbox/case/tty.nix | 2 +- 20 files changed, 44 insertions(+), 68 deletions(-) diff --git a/cmd/hakurei/command.go b/cmd/hakurei/command.go index 2eee5de..d706bd2 100644 --- a/cmd/hakurei/command.go +++ b/cmd/hakurei/command.go @@ -121,7 +121,7 @@ func buildCommand(out io.Writer) command.Command { log.Fatal(err.Error()) return err } else { - config.Data = a + config.Home = a } var e system.Enablement diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go index 20bfdde..15798a2 100644 --- a/cmd/hakurei/print.go +++ b/cmd/hakurei/print.go @@ -81,8 +81,8 @@ func printShowInstance( if len(config.Groups) > 0 { t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", ")) } - if config.Data != nil { - t.Printf(" Data:\t%s\n", config.Data) + if config.Home != nil { + t.Printf(" Home:\t%s\n", config.Home) } if config.Container != nil { params := config.Container 
diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go index 6feb681..a097898 100644 --- a/cmd/hakurei/print_test.go +++ b/cmd/hakurei/print_test.go @@ -39,7 +39,7 @@ func Test_printShowInstance(t *testing.T) { Identity: 9 (org.chromium.Chromium) Enablements: wayland, dbus, pulseaudio Groups: video, dialout, plugdev - Data: /var/lib/hakurei/u0/org.chromium.Chromium + Home: /data/data/org.chromium.Chromium Hostname: localhost Flags: userns devel net abstract device tty mapuid Path: /run/current-system/sw/bin/chromium @@ -116,7 +116,7 @@ App Identity: 9 (org.chromium.Chromium) Enablements: wayland, dbus, pulseaudio Groups: video, dialout, plugdev - Data: /var/lib/hakurei/u0/org.chromium.Chromium + Home: /data/data/org.chromium.Chromium Hostname: localhost Flags: userns devel net abstract device tty mapuid Path: /run/current-system/sw/bin/chromium @@ -236,8 +236,7 @@ App }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, @@ -393,8 +392,7 @@ App }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, @@ -604,8 +602,7 @@ func Test_printPs(t *testing.T) { }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go index 37c114c..5fd5e64 100644 --- a/cmd/hpkg/app.go +++ b/cmd/hpkg/app.go 
@@ -78,8 +78,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg Username: "hakurei", Shell: pathShell, - Data: pathSet.homeDir, - Dir: pathDataData.Append(app.ID), + Home: pathDataData.Append(app.ID), Identity: app.Identity, Groups: app.Groups, @@ -106,6 +105,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("class"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}}, }, }, ExtraPerms: []*hst.ExtraPermConfig{ diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go index 03b2e5f..1895a06 100644 --- a/cmd/hpkg/with.go +++ b/cmd/hpkg/with.go @@ -33,8 +33,7 @@ func withNixDaemon( Username: "hakurei", Shell: pathShell, - Data: pathSet.homeDir, - Dir: pathDataData.Append(app.ID), + Home: pathDataData.Append(app.ID), ExtraPerms: []*hst.ExtraPermConfig{ {Path: dataHome, Execute: true}, {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true}, @@ -54,6 +53,7 @@ func withNixDaemon( {FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}}, {FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}}, {FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}}, + {FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}}, }, }, }), dropShell, beforeFail) 
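Review bot: In `toHst` the expression `pathDataData.Append(app.ID)` is now evaluated twice, once for `Home` and once as the `Target` of the `FSBind` appended at the end of the filesystem list, and the same duplication appears in `withNixDaemon` and `withCacheDir` in with.go (the latter with `app.ID, "cache"`); a local such as `home := pathDataData.Append(app.ID)` used for both keeps `$HOME` and its mount target from drifting apart when one is edited later. The new entry carries `Write: true, Ensure: true`, so the host directory under `pathSet.homeDir` is now created by the bind path rather than by the shim this commit removes; a short comment on the entry, e.g. `// host home directory, created on first run`, would record that the ensure is intentional and replaces the former shim logic. toHst starts before this hunk and continues past it.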
@@ -71,8 +71,7 @@ func withCacheDir( Username: "nixos", Shell: pathShell, - Data: pathSet.cacheDir, // this also ensures cacheDir via shim - Dir: pathDataData.Append(app.ID, "cache"), + Home: pathDataData.Append(app.ID, "cache"), ExtraPerms: []*hst.ExtraPermConfig{ {Path: dataHome, Execute: true}, {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true}, @@ -92,6 +91,7 @@ func withCacheDir( {FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}}, {FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}}, {FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}}, + {FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}}, }, }, }, dropShell, beforeFail) diff --git a/hst/config.go b/hst/config.go index 7ee2587..ee216fa 100644 --- a/hst/config.go +++ b/hst/config.go @@ -42,11 +42,10 @@ type ( Username string `json:"username,omitempty"` // absolute path to shell Shell *container.Absolute `json:"shell"` - // absolute path to home directory in the init mount namespace - Data *container.Absolute `json:"data"` - // directory to enter and use as home in the container mount namespace, nil for Data - Dir *container.Absolute `json:"dir,omitempty"` - // extra acl ops, dispatches before container init + // directory to enter and use as home in the container mount namespace + Home *container.Absolute `json:"home"` + + // extra acl ops to perform before setuid ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"` // numerical application id, used for init user namespace credentials diff --git a/hst/hst.go b/hst/hst.go index 5704904..6549450 100644 --- a/hst/hst.go +++ b/hst/hst.go 
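Review bot: The new doc comment on `Home` does not say that the path is no longer mounted or created implicitly, even though this commit drops the seal's automatic bind and the shim's mkdir, and the hpkg and NixOS callers now add an explicit `FSBind{..., Write: true, Ensure: true}` themselves; it also does not mention that `finalise` rejects a nil value. Suggest `// directory to enter and use as home in the container mount namespace; must be non-nil, and is neither mounted nor created implicitly: back it with a filesystem entry (e.g. FSBind with Ensure) if it should persist`. The `json:"home"` tag without omitempty is consistent with the field being required. The enclosing Config type starts and ends outside this hunk.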
@@ -65,8 +65,7 @@ func Template() *Config { Username: "chronos", Shell: container.AbsFHSRun.Append("current-system/sw/bin/zsh"), - Data: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), - Dir: container.MustAbs("/data/data/org.chromium.Chromium"), + Home: container.MustAbs("/data/data/org.chromium.Chromium"), ExtraPerms: []*ExtraPermConfig{ {Path: container.AbsFHSVarLib.Append("hakurei/u0"), Ensure: true, Execute: true}, {Path: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), Read: true, Write: true, Execute: true}, diff --git a/hst/hst_test.go b/hst/hst_test.go index b36e8d2..0405721 100644 --- a/hst/hst_test.go +++ b/hst/hst_test.go @@ -61,8 +61,7 @@ func TestTemplate(t *testing.T) { }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index 4200aaa..fb90ee8 100644 --- a/internal/app/app_nixos_linux_test.go +++ b/internal/app/app_nixos_linux_test.go @@ -41,6 +41,7 @@ var testCasesNixos = []sealTestCase{ f(&hst.FSBind{Source: m("/run/opengl-driver")}), f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}), f(&hst.FSBind{Source: m("/etc/"), Target: m("/etc/"), Special: true}), + f(&hst.FSBind{Source: m("/var/lib/persist/module/hakurei/0/1"), Write: true, Ensure: true}), }, }, SystemBus: &dbus.Config{ @@ -64,7 +65,7 @@ var testCasesNixos = []sealTestCase{ DirectWayland: true, Username: "u0_a1", - Data: m("/var/lib/persist/module/hakurei/0/1"), + Home: m("/var/lib/persist/module/hakurei/0/1"), Identity: 1, Groups: []string{}, }, state.ID{ 
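Review bot: `Template` now sets `Home` to `/data/data/org.chromium.Chromium`, but nothing in this hunk maps the host directory `/var/lib/hakurei/u0/org.chromium.Chromium` to it, while the `ExtraPerms` entries that follow still grant ACLs on that host path; unless the Filesystem list elsewhere in Template (outside this hunk) already binds it, the template now documents ACL ops on a directory the container never sees. hpkg's `toHst` in this same commit adds `{FilesystemConfig: &hst.FSBind{Target: ..., Source: ..., Write: true, Ensure: true}}` for the equivalent case, and the template should probably carry the same entry so it remains a faithful example. The JSON fixtures in hst_test.go and print_test.go would then change accordingly. Template begins before this hunk.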
@@ -145,11 +146,11 @@ var testCasesNixos = []sealTestCase{ Bind(m("/run/opengl-driver"), m("/run/opengl-driver"), 0). Bind(m("/dev/dri"), m("/dev/dri"), container.BindDevice|container.BindWritable|container.BindOptional). Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1"). + Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable|container.BindEnsure). Remount(m("/dev/"), syscall.MS_RDONLY). Tmpfs(m("/run/user/"), 4096, 0755). Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable). Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable). - Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable). Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:100:\n")). Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0). diff --git a/internal/app/app_pd_linux_test.go b/internal/app/app_pd_linux_test.go index 8afedf1..9e4c27e 100644 --- a/internal/app/app_pd_linux_test.go +++ b/internal/app/app_pd_linux_test.go @@ -16,7 +16,7 @@ import ( var testCasesPd = []sealTestCase{ { "nixos permissive defaults no enablements", new(stubNixOS), - &hst.Config{Username: "chronos", Data: m("/home/chronos")}, + &hst.Config{Username: "chronos", Home: m("/home/chronos")}, state.ID{ 0x4a, 0x45, 0x0b, 0x65, 0x96, 0xd7, 0xbc, 0x15, 
@@ -56,7 +56,6 @@ var testCasesPd = []sealTestCase{
 Tmpfs(m("/run/user/"), 4096, 0755).
 Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
 Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable).
- Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable).
 Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 Remount(m("/"), syscall.MS_RDONLY),
@@ -75,7 +74,7 @@ var testCasesPd = []sealTestCase{
 Identity: 9,
 Groups: []string{"video"},
 Username: "chronos",
- Data: m("/home/chronos"),
+ Home: m("/home/chronos"),
 SessionBus: &dbus.Config{
 Talk: []string{
 "org.freedesktop.Notifications",
@@ -193,7 +192,6 @@ var testCasesPd = []sealTestCase{
 Tmpfs(m("/run/user/"), 4096, 0755).
 Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
 Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable).
- Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable).
 Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
diff --git a/internal/app/process_linux.go b/internal/app/process_linux.go
index c6df6fe..57b49ee 100644
--- a/internal/app/process_linux.go
+++ b/internal/app/process_linux.go
@@ -128,7 +128,6 @@ func (seal *outcome) Run(rs *RunState) error {
 os.Getpid(),
 seal.waitDelay,
 seal.container,
- seal.user.data.String(),
 hlog.Load(),
 })
 }()
diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go
index c2b580b..36984c5 100644
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@@ -144,8 +144,6 @@ type hsuUser struct { // supplementary group ids supp []string - // home directory host path - data *container.Absolute // app user home directory home *container.Absolute // passwd database username @@ -161,8 +159,8 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co if config == nil { return hlog.WrapErr(syscall.EINVAL, syscall.EINVAL.Error()) } - if config.Data == nil { - return hlog.WrapErr(os.ErrInvalid, "invalid data directory") + if config.Home == nil { + return hlog.WrapErr(os.ErrInvalid, "invalid path to home directory") } { @@ -183,8 +181,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co seal.user = hsuUser{ aid: newInt(config.Identity), - data: config.Data, - home: config.Dir, + home: config.Home, username: config.Username, } if seal.user.username == "" { @@ -194,9 +191,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co return hlog.WrapErr(ErrName, fmt.Sprintf("invalid user name %q", seal.user.username)) } - if seal.user.home == nil { - seal.user.home = seal.user.data - } if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil { return err } else { @@ -244,6 +238,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co Tty: true, Filesystem: []hst.FilesystemConfigJSON{ + // autoroot, includes the home directory {&hst.FSBind{ Target: container.AbsFHSRoot, Source: container.AbsFHSRoot, @@ -347,7 +342,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co if seal.user.username != "" { username = seal.user.username } - seal.container.Bind(seal.user.data, seal.user.home, container.BindWritable) seal.container.Dir = seal.user.home seal.env["HOME"] = seal.user.home.String() seal.env["USER"] = username diff --git a/internal/app/shim_linux.go b/internal/app/shim_linux.go index b1eddcb..33ede52 100644 --- a/internal/app/shim_linux.go +++ b/internal/app/shim_linux.go 
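Review bot: With the explicit `seal.container.Bind(seal.user.data, seal.user.home, container.BindWritable)` gone, the permissive-defaults home is reachable only through the autoroot bind of `/`, and the pd test expectations in this commit still end with `Remount(m("/"), syscall.MS_RDONLY)` with no writable bind of `/home/chronos` left, so whether `$HOME` stays writable there depends on autoroot semantics not visible in this hunk; please confirm and extend the new comment to `// autoroot, includes the home directory; no separate mount is made, so writability follows the autoroot bind`. The shim's mkdir-0700-as-target-user and not-a-directory check are also removed in this commit and nothing in `finalise` replaces them: only the hpkg and NixOS configs set `Ensure: true`, so a permissive-defaults `Home` that does not exist on the host is no longer reported early, which is worth a sentence next to the `config.Home == nil` check. The uid and mode used when the `Ensure` path creates the directory are not shown here; if they differ from the former 0700 owned by the target user, the home directory's exposure to other host users changes, and the `hst.FSBind` docs should state what is guaranteed. finalise starts and ends outside this hunk.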
@@ -34,8 +34,6 @@ type shimParams struct { // finalised container params Container *container.Params - // path to outer home directory - Home string // verbosity pass through Verbose bool @@ -142,21 +140,6 @@ func ShimMain() { // not fatal } - // ensure home directory as target user - if s, err := os.Stat(params.Home); err != nil { - if os.IsNotExist(err) { - if err = os.Mkdir(params.Home, 0700); err != nil { - log.Fatalf("cannot create home directory: %v", err) - } - } else { - log.Fatalf("cannot access home directory: %v", err) - } - - // home directory is created, proceed - } else if !s.IsDir() { - log.Fatalf("path %q is not a directory", params.Home) - } - ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) cancelContainer.Store(&stop) z := container.New(ctx) diff --git a/nixos.nix b/nixos.nix index 62e981f..e2382bc 100644 --- a/nixos.nix +++ b/nixos.nix @@ -121,7 +121,7 @@ in direct_wayland = app.insecureWayland; username = getsubname fid app.identity; - data = getsubhome fid app.identity; + home = getsubhome fid app.identity; inherit (cfg) shell; inherit (app) identity groups enablements; @@ -210,7 +210,15 @@ in linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument; } ] - ); + ) + ++ [ + { + type = "bind"; + src = getsubhome fid app.identity; + write = true; + ensure = true; + } + ]; }; }; diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix index c1a2f5f..5d607d9 100644 --- a/test/sandbox/case/device.nix +++ b/test/sandbox/case/device.nix 
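Review bot: `getsubhome fid app.identity` is now computed twice in the same attribute set, once for `home` and once for the `src` of the appended bind, so a `let` binding shared by both would keep the mount source and `$HOME` from diverging if one is edited later. The bind gives only `src`, `write` and `ensure`, so its target is whatever the module applies when no target is given, which is not visible here; a one-line comment such as `# bind the host home directory into the container and create it on the host if missing` would make the intent explicit. The enclosing attribute set starts before this hunk.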
@@ -228,10 +228,10 @@ in
 (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
 (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
 (ent "/tmp/hakurei.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix
index 3ef5f24..c18bf79 100644
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -255,10 +255,10 @@ in
 (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
 (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
 (ent "/tmp/hakurei.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
 (ent ignore "/run/user/1000/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/pd.nix b/test/sandbox/case/pd.nix
index 6d58ad5..14b62b4 100644
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@@ -188,7 +188,6 @@
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
 (ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a0" "/var/lib/hakurei/u0/a0" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
 ];
diff --git a/test/sandbox/case/pdlike.nix b/test/sandbox/case/pdlike.nix
index ea34147..c87ab46 100644
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@@ -250,10 +250,10 @@ in
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
 (ent "/tmp/hakurei.1000/runtime/5" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/5" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix
index 41f612f..d8f6879 100644
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -248,10 +248,10 @@ in
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
 (ent "/tmp/hakurei.1000/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix
index d95cbb8..15b60ad 100644
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -260,10 +260,10 @@ in
 (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
 (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,uuid=on,userxattr")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
 (ent "/tmp/hakurei.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")