From ddfb865e2d526485935099a8cd454929ed5f6176 Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Thu, 4 Sep 2025 04:15:25 +0900
Subject: [PATCH] system/dispatcher: wrap syscall helper functions

This allows tests to stub all kernel behaviour, like in the container package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 system/acl.go             |  12 +-
 system/acl_test.go        | 254 ++++++++++++++++++++++++++------------
 system/dispatcher.go      |  30 +++++
 system/dispatcher_test.go | 215 ++++++++++++++++++++++++++++++++
 system/system.go          |   4 +-
 5 files changed, 427 insertions(+), 88 deletions(-)
 create mode 100644 system/dispatcher.go
 create mode 100644 system/dispatcher_test.go

diff --git a/system/acl.go b/system/acl.go
index 127b90b..4052d01 100644
--- a/system/acl.go
+++ b/system/acl.go
@@ -31,22 +31,22 @@ type ACLUpdateOp struct {
 func (a *ACLUpdateOp) Type() Enablement { return a.et }
 
 func (a *ACLUpdateOp) apply(sys *I) error {
-	msg.Verbose("applying ACL", a)
-	return newOpError("acl", acl.Update(a.path, sys.uid, a.perms...), false)
+	sys.verbose("applying ACL", a)
+	return newOpError("acl", sys.aclUpdate(a.path, sys.uid, a.perms...), false)
 }
 
 func (a *ACLUpdateOp) revert(sys *I, ec *Criteria) error {
 	if ec.hasType(a.Type()) {
-		msg.Verbose("stripping ACL", a)
-		err := acl.Update(a.path, sys.uid)
+		sys.verbose("stripping ACL", a)
+		err := sys.aclUpdate(a.path, sys.uid)
 		if errors.Is(err, os.ErrNotExist) {
 			// the ACL is effectively stripped if the file no longer exists
-			msg.Verbosef("target of ACL %s no longer exists", a)
+			sys.verbosef("target of ACL %s no longer exists", a)
 			err = nil
 		}
 		return newOpError("acl", err, true)
 	} else {
-		msg.Verbose("skipping ACL", a)
+		sys.verbose("skipping ACL", a)
 		return nil
 	}
 }
diff --git a/system/acl_test.go b/system/acl_test.go
index 6b050bb..897ea33 100644
--- a/system/acl_test.go
+++ b/system/acl_test.go
@@ -1,91 +1,183 @@
 package system
 
 import (
+	"os"
+	"syscall"
 	"testing"
 
-	"hakurei.app/container"
+	"hakurei.app/container/stub"
 	"hakurei.app/system/acl"
 )
 
-func TestUpdatePerm(t *testing.T) {
-	testCases := []struct {
-		path  string
-		perms []acl.Perm
-	}{
-		{"/run/user/1971/hakurei", []acl.Perm{acl.Execute}},
-		{"/tmp/hakurei.1971/tmpdir/150", []acl.Perm{acl.Read, acl.Write, acl.Execute}},
-	}
+func TestACLUpdateOp(t *testing.T) {
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"apply aclUpdate", 0xdeadbeef, 0xff,
+			&ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"applying ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(1)),
+			}, &OpError{Op: "acl", Err: stub.UniqueError(1)}, nil, nil},
 
-	for _, tc := range testCases {
-		t.Run(tc.path+permSubTestSuffix(tc.perms), func(t *testing.T) {
-			sys := New(t.Context(), 150)
-			sys.UpdatePerm(tc.path, tc.perms...)
-			(&tcOp{Process, tc.path}).test(t, sys.ops, []Op{&ACLUpdateOp{Process, tc.path, tc.perms}}, "UpdatePerm")
-		})
-	}
-}
-
-func TestUpdatePermType(t *testing.T) {
-	testCases := []struct {
-		perms []acl.Perm
-		tcOp
-	}{
-		{[]acl.Perm{acl.Execute}, tcOp{User, "/tmp/hakurei.1971/tmpdir"}},
-		{[]acl.Perm{acl.Read, acl.Write, acl.Execute}, tcOp{User, "/tmp/hakurei.1971/tmpdir/150"}},
-		{[]acl.Perm{acl.Execute}, tcOp{Process, "/run/user/1971/hakurei/fcb8a12f7c482d183ade8288c3de78b5"}},
-		{[]acl.Perm{acl.Read}, tcOp{Process, "/tmp/hakurei.1971/fcb8a12f7c482d183ade8288c3de78b5/passwd"}},
-		{[]acl.Perm{acl.Read}, tcOp{Process, "/tmp/hakurei.1971/fcb8a12f7c482d183ade8288c3de78b5/group"}},
-		{[]acl.Perm{acl.Read, acl.Write, acl.Execute}, tcOp{EWayland, "/run/user/1971/wayland-0"}},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.path+"_"+TypeString(tc.et)+permSubTestSuffix(tc.perms), func(t *testing.T) {
-			sys := New(t.Context(), 150)
-			sys.UpdatePermType(tc.et, tc.path, tc.perms...)
-			tc.test(t, sys.ops, []Op{&ACLUpdateOp{tc.et, tc.path, tc.perms}}, "UpdatePermType")
-		})
-	}
-}
-
-func TestACLString(t *testing.T) {
-	testCases := []struct {
-		want  string
-		et    Enablement
-		perms []acl.Perm
-	}{
-		{`--- type: process path: "/proc/nonexistent"`, Process, []acl.Perm{}},
-		{`r-- type: user path: "/proc/nonexistent"`, User, []acl.Perm{acl.Read}},
-		{`-w- type: wayland path: "/proc/nonexistent"`, EWayland, []acl.Perm{acl.Write}},
-		{`--x type: x11 path: "/proc/nonexistent"`, EX11, []acl.Perm{acl.Execute}},
-		{`rw- type: dbus path: "/proc/nonexistent"`, EDBus, []acl.Perm{acl.Read, acl.Write}},
-		{`r-x type: pulseaudio path: "/proc/nonexistent"`, EPulse, []acl.Perm{acl.Read, acl.Execute}},
-		{`rwx type: user path: "/proc/nonexistent"`, User, []acl.Perm{acl.Read, acl.Write, acl.Execute}},
-		{`rwx type: process path: "/proc/nonexistent"`, Process, []acl.Perm{acl.Read, acl.Write, acl.Write, acl.Execute}},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.want, func(t *testing.T) {
-			a := &ACLUpdateOp{et: tc.et, perms: tc.perms, path: container.Nonexistent}
-			if got := a.String(); got != tc.want {
-				t.Errorf("String() = %v, want %v",
-					got, tc.want)
-			}
-		})
-	}
-}
-
-func permSubTestSuffix(perms []acl.Perm) (suffix string) {
-	for _, perm := range perms {
-		switch perm {
-		case acl.Read:
-			suffix += "_read"
-		case acl.Write:
-			suffix += "_write"
-		case acl.Execute:
-			suffix += "_execute"
-		default:
-			panic("unreachable")
-		}
-	}
-	return
+		{"revert aclUpdate", 0xdeadbeef, 0xff,
+			&ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"applying ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+			}, nil, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"stripping ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, ([]acl.Perm)(nil)}, nil, stub.UniqueError(0)),
+			}, &OpError{Op: "acl", Err: stub.UniqueError(0), Revert: true}},
+
+		{"success revert skip", 0xdeadbeef, Process,
+			&ACLUpdateOp{User, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"applying ACL", &ACLUpdateOp{User, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+			}, nil, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"skipping ACL", &ACLUpdateOp{User, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+			}, nil},
+
+		{"success revert aclUpdate ENOENT", 0xdeadbeef, 0xff,
+			&ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"applying ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+			}, nil, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"stripping ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, ([]acl.Perm)(nil)}, nil, &os.PathError{Op: "acl_get_file", Path: "/proc/nonexistent", Err: syscall.ENOENT}),
+				call("verbosef", stub.ExpectArgs{"target of ACL %s no longer exists", []any{&ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+			}, nil},
+
+		{"success", 0xdeadbeef, 0xff,
+			&ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"applying ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+			}, nil, []stub.Call{
+				call("verbose", stub.ExpectArgs{[]any{"stripping ACL", &ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),
+				call("aclUpdate", stub.ExpectArgs{"/proc/nonexistent", 0xdeadbeef, ([]acl.Perm)(nil)}, nil, nil),
+			}, nil},
+	})
+
+	checkOpsBuilder(t, "UpdatePerm", []opsBuilderTestCase{
+		{"simple",
+			0xdeadbeef,
+			func(sys *I) {
+				sys.
+					UpdatePerm("/run/user/1971/hakurei", acl.Execute).
+					UpdatePerm("/tmp/hakurei.0/tmpdir/150", acl.Read, acl.Write, acl.Execute)
+			}, []Op{
+				&ACLUpdateOp{Process, "/run/user/1971/hakurei", []acl.Perm{acl.Execute}},
+				&ACLUpdateOp{Process, "/tmp/hakurei.0/tmpdir/150", []acl.Perm{acl.Read, acl.Write, acl.Execute}},
+			}, stub.Expect{}},
+	})
+	checkOpsBuilder(t, "UpdatePermType", []opsBuilderTestCase{
+		{"tmpdirp", 0xdeadbeef, func(sys *I) {
+			sys.UpdatePermType(User, "/tmp/hakurei.0/tmpdir", acl.Execute)
+		}, []Op{
+			&ACLUpdateOp{User, "/tmp/hakurei.0/tmpdir", []acl.Perm{acl.Execute}},
+		}, stub.Expect{}},
+
+		{"tmpdir", 0xdeadbeef, func(sys *I) {
+			sys.UpdatePermType(User, "/tmp/hakurei.0/tmpdir/150", acl.Read, acl.Write, acl.Execute)
+		}, []Op{
+			&ACLUpdateOp{User, "/tmp/hakurei.0/tmpdir/150", []acl.Perm{acl.Read, acl.Write, acl.Execute}},
+		}, stub.Expect{}},
+
+		{"share", 0xdeadbeef, func(sys *I) {
+			sys.UpdatePermType(Process, "/run/user/1971/hakurei/fcb8a12f7c482d183ade8288c3de78b5", acl.Execute)
+		}, []Op{
+			&ACLUpdateOp{Process, "/run/user/1971/hakurei/fcb8a12f7c482d183ade8288c3de78b5", []acl.Perm{acl.Execute}},
+		}, stub.Expect{}},
+
+		{"passwd", 0xdeadbeef, func(sys *I) {
+			sys.
+				UpdatePermType(Process, "/tmp/hakurei.0/fcb8a12f7c482d183ade8288c3de78b5/passwd", acl.Read).
+				UpdatePermType(Process, "/tmp/hakurei.0/fcb8a12f7c482d183ade8288c3de78b5/group", acl.Read)
+		}, []Op{
+			&ACLUpdateOp{Process, "/tmp/hakurei.0/fcb8a12f7c482d183ade8288c3de78b5/passwd", []acl.Perm{acl.Read}},
+			&ACLUpdateOp{Process, "/tmp/hakurei.0/fcb8a12f7c482d183ade8288c3de78b5/group", []acl.Perm{acl.Read}},
+		}, stub.Expect{}},
+
+		{"wayland", 0xdeadbeef, func(sys *I) {
+			sys.UpdatePermType(EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute)
+		}, []Op{
+			&ACLUpdateOp{EWayland, "/run/user/1971/wayland-0", []acl.Perm{acl.Read, acl.Write, acl.Execute}},
+		}, stub.Expect{}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"nil", (*ACLUpdateOp)(nil), (*ACLUpdateOp)(nil), false},
+		{"zero", new(ACLUpdateOp), new(ACLUpdateOp), true},
+
+		{"et differs",
+			&ACLUpdateOp{
+				EWayland, "/run/user/1971/wayland-0",
+				[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+			}, &ACLUpdateOp{
+				EX11, "/run/user/1971/wayland-0",
+				[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+			}, false},
+
+		{"path differs", &ACLUpdateOp{
+			EWayland, "/run/user/1971/wayland-0",
+			[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+		}, &ACLUpdateOp{
+			EWayland, "/run/user/1971/wayland-1",
+			[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+		}, false},
+
+		{"perms differs", &ACLUpdateOp{
+			EWayland, "/run/user/1971/wayland-0",
+			[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+		}, &ACLUpdateOp{
+			EWayland, "/run/user/1971/wayland-0",
+			[]acl.Perm{acl.Read, acl.Write},
+		}, false},
+
+		{"equals", &ACLUpdateOp{
+			EWayland, "/run/user/1971/wayland-0",
+			[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+		}, &ACLUpdateOp{
+			EWayland, "/run/user/1971/wayland-0",
+			[]acl.Perm{acl.Read, acl.Write, acl.Execute},
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"clear",
+			&ACLUpdateOp{Process, "/proc/nonexistent", []acl.Perm{}},
+			Process, "/proc/nonexistent",
+			`--- type: process path: "/proc/nonexistent"`},
+
+		{"read",
+			&ACLUpdateOp{User, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/0", []acl.Perm{acl.Read}},
+			User, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/0",
+			`r-- type: user path: "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/0"`},
+
+		{"write",
+			&ACLUpdateOp{User, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/1", []acl.Perm{acl.Write}},
+			User, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/1",
+			`-w- type: user path: "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/1"`},
+
+		{"execute",
+			&ACLUpdateOp{User, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/2", []acl.Perm{acl.Execute}},
+			User, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/2",
+			`--x type: user path: "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/2"`},
+
+		{"wayland",
+			&ACLUpdateOp{EWayland, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/wayland", []acl.Perm{acl.Read, acl.Write}},
+			EWayland, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/wayland",
+			`rw- type: wayland path: "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/wayland"`},
+
+		{"x11",
+			&ACLUpdateOp{EX11, "/tmp/.X11-unix/X0", []acl.Perm{acl.Read, acl.Execute}},
+			EX11, "/tmp/.X11-unix/X0",
+			`r-x type: x11 path: "/tmp/.X11-unix/X0"`},
+
+		{"dbus",
+			&ACLUpdateOp{EDBus, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/bus", []acl.Perm{acl.Write, acl.Execute}},
+			EDBus, "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/bus",
+			`-wx type: dbus path: "/tmp/hakurei.0/27d81d567f8fae7f33278eec45da9446/bus"`},
+
+		{"pulseaudio",
+			&ACLUpdateOp{EPulse, "/run/user/1971/hakurei/27d81d567f8fae7f33278eec45da9446/pulse", []acl.Perm{acl.Read, acl.Write, acl.Execute}},
+			EPulse, "/run/user/1971/hakurei/27d81d567f8fae7f33278eec45da9446/pulse",
+			`rwx type: pulseaudio path: "/run/user/1971/hakurei/27d81d567f8fae7f33278eec45da9446/pulse"`},
+	})
 }
diff --git a/system/dispatcher.go b/system/dispatcher.go
new file mode 100644
index 0000000..c483c81
--- /dev/null
+++ b/system/dispatcher.go
@@ -0,0 +1,30 @@
+package system
+
+import "hakurei.app/system/acl"
+
+// syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
+// syscallDispatcher is embedded in [I], so all methods must be unexported.
+type syscallDispatcher interface {
+	// new starts a goroutine with a new instance of syscallDispatcher.
+	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
+	// just synchronising access is not enough, as this is for test instrumentation.
+	new(f func(k syscallDispatcher))
+
+	// aclUpdate provides [acl.Update].
+	aclUpdate(name string, uid int, perms ...acl.Perm) error
+
+	verbose(v ...any)
+	verbosef(format string, v ...any)
+}
+
+// direct implements syscallDispatcher on the current kernel.
+type direct struct{}
+
+func (k direct) new(f func(k syscallDispatcher)) { go f(k) }
+
+func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error {
+	return acl.Update(name, uid, perms...)
+}
+
+func (direct) verbose(v ...any)                 { msg.Verbose(v...) }
+func (direct) verbosef(format string, v ...any) { msg.Verbosef(format, v...) }
diff --git a/system/dispatcher_test.go b/system/dispatcher_test.go
new file mode 100644
index 0000000..e5b703f
--- /dev/null
+++ b/system/dispatcher_test.go
@@ -0,0 +1,215 @@
+package system
+
+import (
+	"reflect"
+	"slices"
+	"testing"
+
+	"hakurei.app/container/stub"
+	"hakurei.app/system/acl"
+)
+
+// call initialises a [stub.Call].
+// This keeps composites analysis happy without making the test cases too bloated.
+func call(name string, args stub.ExpectArgs, ret any, err error) stub.Call {
+	return stub.Call{Name: name, Args: args, Ret: ret, Err: err}
+}
+
+type opBehaviourTestCase struct {
+	name string
+	uid  int
+	ec   Enablement
+	op   Op
+
+	apply        []stub.Call
+	wantErrApply error
+
+	revert        []stub.Call
+	wantErrRevert error
+}
+
+func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
+	t.Helper()
+
+	t.Run("behaviour", func(t *testing.T) {
+		t.Helper()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+
+				var ec *Criteria
+				if tc.ec != 0xff {
+					ec = (*Criteria)(&tc.ec)
+				}
+
+				defer stub.HandleExit()
+				sys, s := InternalNew(t, stub.Expect{Calls: slices.Concat(tc.apply, []stub.Call{{Name: stub.CallSeparator}}, tc.revert)}, tc.uid)
+				errApply := tc.op.apply(sys)
+				s.Expects(stub.CallSeparator)
+				if !reflect.DeepEqual(errApply, tc.wantErrApply) {
+					t.Errorf("apply: error = %v, want %v", errApply, tc.wantErrApply)
+				}
+				if errApply != nil {
+					goto out
+				}
+
+				if err := tc.op.revert(sys, ec); !reflect.DeepEqual(err, tc.wantErrRevert) {
+					t.Errorf("revert: error = %v, want %v", err, tc.wantErrRevert)
+				}
+
+			out:
+				s.VisitIncomplete(func(s *stub.Stub[syscallDispatcher]) {
+					count := s.Pos() - 1 // separator
+					if count < len(tc.apply) {
+						t.Errorf("apply: %d calls, want %d", count, len(tc.apply))
+					} else {
+						t.Errorf("revert: %d calls, want %d", count-len(tc.apply), len(tc.revert))
+					}
+				})
+			})
+		}
+	})
+}
+
+type opsBuilderTestCase struct {
+	name string
+	uid  int
+	f    func(sys *I)
+	want []Op
+	exp  stub.Expect
+}
+
+func checkOpsBuilder(t *testing.T, fname string, testCases []opsBuilderTestCase) {
+	t.Helper()
+
+	t.Run("build", func(t *testing.T) {
+		t.Helper()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+
+				defer stub.HandleExit()
+				sys, s := InternalNew(t, tc.exp, tc.uid)
+				tc.f(sys)
+				s.VisitIncomplete(func(s *stub.Stub[syscallDispatcher]) {
+					t.Helper()
+
+					t.Errorf("%s: %d calls, want %d", fname, s.Pos(), s.Len())
+				})
+				if !slices.EqualFunc(sys.ops, tc.want, func(op Op, v Op) bool { return op.Is(v) }) {
+					t.Errorf("ops: %#v, want %#v", sys.ops, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type opIsTestCase struct {
+	name  string
+	op, v Op
+	want  bool
+}
+
+func checkOpIs(t *testing.T, testCases []opIsTestCase) {
+	t.Helper()
+
+	t.Run("is", func(t *testing.T) {
+		t.Helper()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+
+				if got := tc.op.Is(tc.v); got != tc.want {
+					t.Errorf("Is: %v, want %v", got, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type opMetaTestCase struct {
+	name string
+	op   Op
+
+	wantType   Enablement
+	wantPath   string
+	wantString string
+}
+
+func checkOpMeta(t *testing.T, testCases []opMetaTestCase) {
+	t.Helper()
+
+	t.Run("meta", func(t *testing.T) {
+		t.Helper()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+
+				t.Run("type", func(t *testing.T) {
+					t.Helper()
+
+					if got := tc.op.Type(); got != tc.wantType {
+						t.Errorf("Type: %q, want %q", got, tc.wantType)
+					}
+				})
+
+				t.Run("path", func(t *testing.T) {
+					t.Helper()
+
+					if got := tc.op.Path(); got != tc.wantPath {
+						t.Errorf("Path: %q, want %q", got, tc.wantPath)
+					}
+				})
+
+				t.Run("string", func(t *testing.T) {
+					t.Helper()
+
+					if got := tc.op.String(); got != tc.wantString {
+						t.Errorf("String: %s, want %s", got, tc.wantString)
+					}
+				})
+			})
+		}
+	})
+}
+
+// InternalNew initialises [I] with a stub syscallDispatcher.
+func InternalNew(t *testing.T, want stub.Expect, uid int) (*I, *stub.Stub[syscallDispatcher]) {
+	k := stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{s} }, want)
+	sys := New(t.Context(), uid)
+	sys.syscallDispatcher = &kstub{k}
+	return sys, k
+}
+
+type kstub struct{ *stub.Stub[syscallDispatcher] }
+
+func (k *kstub) new(f func(k syscallDispatcher)) { k.Helper(); k.New(f) }
+
+func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error {
+	k.Helper()
+	return k.Expects("aclUpdate").Error(
+		stub.CheckArg(k.Stub, "name", name, 0),
+		stub.CheckArg(k.Stub, "uid", uid, 1),
+		stub.CheckArgReflect(k.Stub, "perms", perms, 2))
+}
+
+func (k *kstub) verbose(v ...any) {
+	k.Helper()
+	if k.Expects("verbose").Error(
+		stub.CheckArgReflect(k.Stub, "v", v, 0)) != nil {
+		k.FailNow()
+	}
+}
+
+func (k *kstub) verbosef(format string, v ...any) {
+	k.Helper()
+	if k.Expects("verbosef").Error(
+		stub.CheckArg(k.Stub, "format", format, 0),
+		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
+		k.FailNow()
+	}
+}
diff --git a/system/system.go b/system/system.go
index 1a65363..134e7ce 100644
--- a/system/system.go
+++ b/system/system.go
@@ -70,7 +70,7 @@ func New(ctx context.Context, uid int) (sys *I) {
 	if ctx == nil || uid < 0 {
 		panic("invalid call to New")
 	}
-	return &I{ctx: ctx, uid: uid}
+	return &I{ctx: ctx, uid: uid, syscallDispatcher: direct{}}
 }
 
 // An I provides deferred operating system interaction. [I] must not be copied.
@@ -86,6 +86,8 @@ type I struct {
 	committed bool
 	// the behaviour of Revert is only defined for up to one call
 	reverted bool
+
+	syscallDispatcher
 }
 
 func (sys *I) UID() int { return sys.uid }