release: 0.3.2

Signed-off-by: Ophestra <cat@gensokyo.uk>
container: load initial process started before syscall
2025-12-09 08:12:52 +09:00 · 2025-12-09 08:12:22 +09:00 · 2025-12-09 06:51:12 +09:00 · 2025-12-09 06:36:46 +09:00 · 2025-12-09 06:28:33 +09:00 · 2025-12-09 06:21:41 +09:00
59 changed files with 902 additions and 224 deletions
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -14,6 +14,7 @@ import (
 	_ "unsafe" // for go:linkname
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
@@ -91,7 +92,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagPrivateRuntime, flagPrivateTmpdir bool
-			flagWayland, flagX11, flagDBus, flagPulse bool
+			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
 		)
 		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
@@ -146,8 +147,8 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			if flagDBus {
 				et |= hst.EDBus
 			}
-			if flagPulse {
+			if flagPipeWire || flagPulse {
-				et |= hst.EPulse
+				et |= hst.EPipeWire
 			}
 			config := &hst.Config{
@@ -186,6 +187,14 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}})
 			}
 			// start pipewire-pulse: this most likely exists on host if PipeWire is available
 			if flagPulse {
 				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSDaemon{
 					Target: fhs.AbsRunUser.Append(strconv.Itoa(container.OverflowUid(msg)), "pulse/native"),
 					Exec:   shell, Args: []string{"-lc", "exec pipewire-pulse"},
 				}})
 			}
 			config.Container.Filesystem = append(config.Container.Filesystem,
 				// opportunistically bind kvm
 				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
@@ -297,8 +306,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Enable direct connection to X11").
 			Flag(&flagDBus, "dbus", command.BoolFlag(false),
 				"Enable proxied connection to D-Bus").
 			Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
 				"Enable connection to PipeWire via SecurityContext").
 			Flag(&flagPulse, "pulse", command.BoolFlag(false),
-				"Enable direct connection to PulseAudio")
+				"Enable PulseAudio compatibility daemon")
 	}
 	{
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -36,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 Flags:
  -X	Enable direct connection to X11
@@ -58,12 +58,14 @@ Flags:
    	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
  -mpris
    	Allow owning MPRIS D-Bus path, has no effect if custom config is available
  -pipewire
    	Enable connection to PipeWire via SecurityContext
  -private-runtime
    	Do not share XDG_RUNTIME_DIR between containers under the same identity
  -private-tmpdir
    	Do not share TMPDIR between containers under the same identity
  -pulse
-    	Enable direct connection to PulseAudio
+    	Enable PulseAudio compatibility daemon
  -u string
    	Passwd user name within sandbox (default "chronos")
  -wayland
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
@@ -62,7 +62,7 @@ func TestPrintShowInstance(t *testing.T) {
 		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
 		{"config", nil, hst.Template(), false, false, `App
 Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pulseaudio
+ Enablements:    wayland, dbus, pipewire
 Groups:         video, dialout, plugdev
 Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
 Home:           /data/data/org.chromium.Chromium
@@ -159,7 +159,7 @@ Session bus
 App
 Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pulseaudio
+ Enablements:    wayland, dbus, pipewire
 Groups:         video, dialout, plugdev
 Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
 Home:           /data/data/org.chromium.Chromium
@@ -215,7 +215,7 @@ App
  "enablements": {
    "wayland": true,
    "dbus": true,
-    "pulse": true
+    "pipewire": true
  },
  "session_bus": {
    "see": null,
@@ -366,7 +366,7 @@ App
  "enablements": {
    "wayland": true,
    "dbus": true,
-    "pulse": true
+    "pipewire": true
  },
  "session_bus": {
    "see": null,
@@ -564,7 +564,7 @@ func TestPrintPs(t *testing.T) {
    "enablements": {
      "wayland": true,
      "dbus": true,
-      "pulse": true
+      "pipewire": true
    },
    "session_bus": {
      "see": null,
@@ -715,7 +715,7 @@ func TestPrintPs(t *testing.T) {
    "shim_pid": 51966,
    "enablements": {
      "wayland": true,
-      "pulse": true
+      "pipewire": true
    },
    "identity": 1,
    "groups": null,
--- a/cmd/hpkg/build.nix
+++ b/cmd/hpkg/build.nix
@@ -45,7 +45,7 @@
  allow_wayland ? true,
  allow_x11 ? false,
  allow_dbus ? true,
-  allow_pulse ? true,
+  allow_audio ? true,
  gpu ? allow_wayland || allow_x11,
 }:
@@ -175,7 +175,7 @@ let
      wayland = allow_wayland;
      x11 = allow_x11;
      dbus = allow_dbus;
-      pulse = allow_pulse;
+      pipewire = allow_audio;
    };
    mesa = if gpu then mesaWrappers else null;
--- a/cmd/hpkg/test/test.py
+++ b/cmd/hpkg/test/test.py
@@ -90,13 +90,13 @@ wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
+check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
@@ -107,4 +107,4 @@ print(machine.succeed("find /tmp/hakurei.0 "
    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
    + "-print"))
-print(machine.succeed("find /run/user/1000/hakurei"))
+print(machine.fail("ls /run/user/1000/hakurei"))
--- a/container/autoetc.go
+++ b/container/autoetc.go
@@ -59,6 +59,7 @@ func (e *AutoEtcOp) apply(state *setupState, k syscallDispatcher) error {
 	return nil
 }
 func (e *AutoEtcOp) late(*setupState, syscallDispatcher) error { return nil }
 func (e *AutoEtcOp) hostPath() *check.Absolute { return fhs.AbsEtc.Append(e.hostRel()) }
 func (e *AutoEtcOp) hostRel() string           { return ".host/" + e.Prefix }
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -69,6 +69,7 @@ func (r *AutoRootOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return nil
 }
 func (r *AutoRootOp) late(*setupState, syscallDispatcher) error { return nil }
 func (r *AutoRootOp) Is(op Op) bool {
 	vr, ok := op.(*AutoRootOp)
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -759,7 +759,8 @@ func (k *kstub) checkMsg(msg message.Msg) {
 }
 func (k *kstub) GetLogger() *log.Logger { panic("unreachable") }
-func (k *kstub) IsVerbose() bool        { panic("unreachable") }
+
 func (k *kstub) IsVerbose() bool { k.Helper(); return k.Expects("isVerbose").Ret.(bool) }
 func (k *kstub) SwapVerbose(verbose bool) bool {
 	k.Helper()
--- a/container/errors.go
+++ b/container/errors.go
@@ -7,31 +7,36 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/vfs"
 	"hakurei.app/message"
 )
 // messageFromError returns a printable error message for a supported concrete type.
-func messageFromError(err error) (string, bool) {
+func messageFromError(err error) (m string, ok bool) {
-	if m, ok := messagePrefixP[MountError]("cannot ", err); ok {
+	if m, ok = messagePrefixP[MountError]("cannot ", err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefixP[os.PathError]("cannot ", err); ok {
+	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefixP[check.AbsoluteError]("", err); ok {
+	if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefix[OpRepeatError]("", err); ok {
+	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefix[OpStateError]("", err); ok {
+	if m, ok = messagePrefix[OpStateError](zeroString, err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
+	if m, ok = messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
-		return m, ok
+		return
 	}
-	if m, ok := messagePrefix[TmpfsSizeError]("", err); ok {
+	if m, ok = messagePrefix[TmpfsSizeError](zeroString, err); ok {
-		return m, ok
+		return
 	}
 	if m, ok = message.GetMessage(err); ok {
 		return
 	}
 	return zeroString, false
--- a/container/init.go
+++ b/container/init.go
@@ -1,6 +1,7 @@
 package container
 import (
 	"context"
 	"errors"
 	"fmt"
 	"log"
@@ -9,6 +10,8 @@ import (
 	"path"
 	"slices"
 	"strconv"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"
@@ -18,24 +21,28 @@ import (
 )
 const (
-	/* intermediate tmpfs mount point
+	/* intermediateHostPath is the pathname of the intermediate tmpfs mount point.
-	this path might seem like a weird choice, however there are many good reasons to use it:
+	This path might seem like a weird choice, however there are many good reasons to use it:
-	- the contents of this path is never exposed to the container:
+	- The contents of this path is never exposed to the container:
-	  the tmpfs root established here effectively becomes anonymous after pivot_root
+	  The tmpfs root established here effectively becomes anonymous after pivot_root.
-	- it is safe to assume this path exists and is a directory:
+	- It is safe to assume this path exists and is a directory:
-	  this program will not work correctly without a proper /proc and neither will most others
+	  This program will not work correctly without a proper /proc and neither will most others.
-	- this path belongs to the container init:
+	- This path belongs to the container init:
-	  the container init is not any more privileged or trusted than the rest of the container
+	  The container init is not any more privileged or trusted than the rest of the container.
-	- this path is only accessible by init and root:
+	- This path is only accessible by init and root:
-	  the container init sets SUID_DUMP_DISABLE and terminates if that fails;
+	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.
-	it should be noted that none of this should become relevant at any point since the resulting
+	It should be noted that none of this should become relevant at any point since the resulting
-	intermediate root tmpfs should be effectively anonymous */
+	intermediate root tmpfs should be effectively anonymous. */
 	intermediateHostPath = fhs.Proc + "self/fd"
-	// setup params file descriptor
+	// setupEnv is the name of the environment variable holding the string representation of
 	// the read end file descriptor of the setup params pipe.
 	setupEnv = "HAKUREI_SETUP"
 	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
 	exitUnexpectedWait4 = 2
 )
 type (
@@ -49,6 +56,8 @@ type (
 		early(state *setupState, k syscallDispatcher) error
 		// apply is called in intermediate root.
 		apply(state *setupState, k syscallDispatcher) error
 		// late is called right before starting the initial process.
 		late(state *setupState, k syscallDispatcher) error
 		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
 		prefix() (string, bool)
@@ -61,11 +70,29 @@ type (
 	// setupState persists context between Ops.
 	setupState struct {
 		nonrepeatable uintptr
 		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
 		processConcluded bool
 		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
 		process map[int]WaitStatus
 		// Synchronises access to process.
 		processMu sync.RWMutex
 		*Params
 		context.Context
 		message.Msg
 	}
 )
 // terminated returns whether the specified pid has been reaped, and its
 // syscall.WaitStatus if it had. This is only usable by [Op].
 func (state *setupState) terminated(pid int) (wstatus WaitStatus, ok bool) {
 	state.processMu.RLock()
 	wstatus, ok = state.process[pid]
 	state.processMu.RUnlock()
 	return
 }
 // Grow grows the slice Ops points to using [slices.Grow].
 func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
@@ -180,7 +207,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
 	}
-	state := &setupState{Params: &params.Params, Msg: msg}
+	ctx, cancel := context.WithCancel(context.Background())
 	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
 	defer cancel()
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be difficult to obtain
@@ -330,6 +359,97 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}
 	k.umask(oldmask)
 	// winfo represents an exited process from wait4.
 	type winfo struct {
 		wpid    int
 		wstatus WaitStatus
 	}
 	// info is closed as the wait4 thread terminates
 	// when there are no longer any processes left to reap
 	info := make(chan winfo, 1)
 	// whether initial process has started
 	var initialProcessStarted atomic.Bool
 	k.new(func(k syscallDispatcher) {
 		k.lockOSThread()
 	wait4:
 		var (
 			err     error
 			wpid    = -2
 			wstatus WaitStatus
 			// whether initial process has started
 			started bool
 		)
 		// keep going until no child process is left
 		for wpid != -1 {
 			if err != nil {
 				break
 			}
 			if wpid != -2 {
 				if !state.processConcluded {
 					state.processMu.Lock()
 					if state.process == nil {
 						// early reaping has already concluded at this point
 						state.processConcluded = true
 						info <- winfo{wpid, wstatus}
 					} else {
 						// initial process has not yet been created, and the
 						// info channel is not yet being received from
 						state.process[wpid] = wstatus
 					}
 					state.processMu.Unlock()
 				} else {
 					info <- winfo{wpid, wstatus}
 				}
 			}
 			if !started {
 				started = initialProcessStarted.Load()
 			}
 			err = EINTR
 			for errors.Is(err, EINTR) {
 				wpid, err = k.wait4(-1, &wstatus, 0, nil)
 			}
 		}
 		if !errors.Is(err, ECHILD) {
 			k.printf(msg, "unexpected wait4 response: %v", err)
 		} else if !started {
 			// initial process has not yet been reached and all daemons
 			// terminated or none were started in the first place
 			time.Sleep(500 * time.Microsecond)
 			goto wait4
 		}
 		close(info)
 	})
 	// called right before startup of initial process, all state changes to the
 	// current process is prohibited during late
 	for i, op := range *params.Ops {
 		// ops already checked during early setup
 		if err := op.late(state, k); err != nil {
 			if m, ok := messageFromError(err); ok {
 				k.fatal(msg, m)
 			} else if errors.Is(err, context.DeadlineExceeded) {
 				k.fatalf(msg, "%s deadline exceeded", op.String())
 			} else {
 				k.fatalf(msg, "cannot complete op at index %d: %v", i, err)
 			}
 		}
 	}
 	// early reaping has concluded, this must happen before initial process is created
 	state.processMu.Lock()
 	state.process = nil
 	state.processMu.Unlock()
 	if err := closeSetup(); err != nil {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
@@ -341,50 +461,11 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = params.Dir.String()
-	msg.Verbosef("starting initial program %s", params.Path)
+	msg.Verbosef("starting initial process %s", params.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-
+	initialProcessStarted.Store(true)
 	type winfo struct {
 		wpid    int
 		wstatus WaitStatus
 	}
 	// info is closed as the wait4 thread terminates
 	// when there are no longer any processes left to reap
 	info := make(chan winfo, 1)
 	k.new(func(k syscallDispatcher) {
 		k.lockOSThread()
 		var (
 			err     error
 			wpid    = -2
 			wstatus WaitStatus
 		)
 		// keep going until no child process is left
 		for wpid != -1 {
 			if err != nil {
 				break
 			}
 			if wpid != -2 {
 				info <- winfo{wpid, wstatus}
 			}
 			err = EINTR
 			for errors.Is(err, EINTR) {
 				wpid, err = k.wait4(-1, &wstatus, 0, nil)
 			}
 		}
 		if !errors.Is(err, ECHILD) {
 			k.printf(msg, "unexpected wait4 response: %v", err)
 		}
 		close(info)
 	})
 	// handle signals to dump withheld messages
 	sig := make(chan os.Signal, 2)
@@ -394,7 +475,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
-	r := 2
+	r := exitUnexpectedWait4
 	for {
 		select {
 		case s := <-sig:
@@ -426,6 +507,9 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 			}
 			if w.wpid == cmd.Process.Pid {
 				// cancel Op context early
 				cancel()
 				// start timeout early
 				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
--- a/container/init_test.go
+++ b/container/init_test.go
@@ -1983,11 +1983,20 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(13)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, nil, stub.UniqueError(12)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(12)}}, nil, nil),
 			},
 			/* wait4 */
 			Tracks: []stub.Expect{{Calls: []stub.Call{
 				call("lockOSThread", stub.ExpectArgs{}, nil, nil),
 				// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
 				call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
 			}}},
 		}, nil},
 		{"lowlastcap signaled cancel forward error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
@@ -2062,10 +2071,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(10)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{"forwarding context cancellation"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
@@ -2162,10 +2171,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"got %s, forwarding to initial process", []any{"quit"}}, nil, nil),
 				// magicWait4Signal as ret causes wait4 stub to unblock
@@ -2262,10 +2271,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"got %s", []any{"interrupt"}}, nil, nil),
 				call("beforeExit", stub.ExpectArgs{}, nil, nil),
@@ -2353,10 +2362,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(5)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2448,10 +2457,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(3)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2586,10 +2595,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(1)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2728,10 +2737,10 @@ func TestInitEntrypoint(t *testing.T) {
 				call("newFile", stub.ExpectArgs{uintptr(11), "extra file 1"}, (*os.File)(nil), nil),
 				call("newFile", stub.ExpectArgs{uintptr(12), "extra file 2"}, (*os.File)(nil), nil),
 				call("umask", stub.ExpectArgs{022}, 0, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(0)}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/bin/zsh")}}, nil, nil),
 				call("start", stub.ExpectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil),
 				call("New", stub.ExpectArgs{}, nil, nil),
 				call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
 				call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -90,6 +90,7 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.bindMount(state, source, target, flags)
 }
 func (b *BindMountOp) late(*setupState, syscallDispatcher) error { return nil }
 func (b *BindMountOp) Is(op Op) bool {
 	vb, ok := op.(*BindMountOp)
--- a/container/initdaemon.go
+++ b/container/initdaemon.go
@@ -0,0 +1,134 @@
 package container
 import (
 	"context"
 	"encoding/gob"
 	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"slices"
 	"strconv"
 	"syscall"
 	"time"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 )
 func init() { gob.Register(new(DaemonOp)) }
 const (
 	// daemonTimeout is the duration a [DaemonOp] is allowed to block before the
 	// [DaemonOp.Target] marker becomes available.
 	daemonTimeout = 5 * time.Second
 )
 // Daemon appends an [Op] that starts a daemon in the container and blocks until
 // [DaemonOp.Target] appears.
 func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
 	*f = append(*f, &DaemonOp{target, path, args})
 	return f
 }
 // DaemonOp starts a daemon in the container and blocks until Target appears.
 type DaemonOp struct {
 	// Pathname indicating readiness of daemon.
 	Target *check.Absolute
 	// Absolute pathname passed to [exec.Cmd].
 	Path *check.Absolute
 	// Arguments (excl. first) passed to [exec.Cmd].
 	Args []string
 }
 // earlyTerminationError is returned by [DaemonOp] when a daemon terminates
 // before [DaemonOp.Target] appears.
 type earlyTerminationError struct {
 	// Returned by [DaemonOp.String].
 	op string
 	// Copied from wait4 loop.
 	wstatus syscall.WaitStatus
 }
 func (e *earlyTerminationError) Error() string {
 	res := ""
 	switch {
 	case e.wstatus.Exited():
 		res = "exit status " + strconv.Itoa(e.wstatus.ExitStatus())
 	case e.wstatus.Signaled():
 		res = "signal: " + e.wstatus.Signal().String()
 	case e.wstatus.Stopped():
 		res = "stop signal: " + e.wstatus.StopSignal().String()
 		if e.wstatus.StopSignal() == syscall.SIGTRAP && e.wstatus.TrapCause() != 0 {
 			res += " (trap " + strconv.Itoa(e.wstatus.TrapCause()) + ")"
 		}
 	case e.wstatus.Continued():
 		res = "continued"
 	}
 	if e.wstatus.CoreDump() {
 		res += " (core dumped)"
 	}
 	return res
 }
 func (e *earlyTerminationError) Message() string { return e.op + " " + e.Error() }
 func (d *DaemonOp) Valid() bool                                { return d != nil && d.Target != nil && d.Path != nil }
 func (d *DaemonOp) early(*setupState, syscallDispatcher) error { return nil }
 func (d *DaemonOp) apply(*setupState, syscallDispatcher) error { return nil }
 func (d *DaemonOp) late(state *setupState, k syscallDispatcher) error {
 	cmd := exec.CommandContext(state.Context, d.Path.String(), d.Args...)
 	cmd.Env = state.Env
 	cmd.Dir = fhs.Root
 	if state.IsVerbose() {
 		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
 	}
 	// WaitDelay: left unset because lifetime is bound by AdoptWaitDelay on cancellation
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
 	state.Verbosef("starting %s", d.String())
 	if err := k.start(cmd); err != nil {
 		return err
 	}
 	deadline := time.Now().Add(daemonTimeout)
 	var wstatusErr error
 	for {
 		if _, err := k.stat(d.Target.String()); err != nil {
 			if !errors.Is(err, os.ErrNotExist) {
 				_ = k.signal(cmd, os.Kill)
 				return err
 			}
 			if time.Now().After(deadline) {
 				_ = k.signal(cmd, os.Kill)
 				return context.DeadlineExceeded
 			}
 			if wstatusErr != nil {
 				return wstatusErr
 			}
 			if wstatus, ok := state.terminated(cmd.Process.Pid); ok {
 				// check once again: process could have satisfied Target between stat and the lookup
 				wstatusErr = &earlyTerminationError{d.String(), wstatus}
 				continue
 			}
 			time.Sleep(500 * time.Microsecond)
 			continue
 		}
 		state.Verbosef("daemon process %d ready", cmd.Process.Pid)
 		return nil
 	}
 }
 func (d *DaemonOp) Is(op Op) bool {
 	vd, ok := op.(*DaemonOp)
 	return ok && d.Valid() && vd.Valid() &&
 		d.Target.Is(vd.Target) && d.Path.Is(vd.Path) &&
 		slices.Equal(d.Args, vd.Args)
 }
 func (*DaemonOp) prefix() (string, bool) { return zeroString, false }
 func (d *DaemonOp) String() string       { return fmt.Sprintf("daemon providing %q", d.Target) }
--- a/container/initdaemon_test.go
+++ b/container/initdaemon_test.go
@@ -0,0 +1,127 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 func TestEarlyTerminationError(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		err  error
 		want string
 		msg  string
 	}{
 		{"exited", &earlyTerminationError{
 			`daemon providing "/run/user/1971/pulse/native"`, 127 << 8,
 		}, "exit status 127", `daemon providing "/run/user/1971/pulse/native" exit status 127`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := tc.err.Error(); got != tc.want {
 				t.Errorf("Error: %q, want %q", got, tc.want)
 			}
 			if got := tc.err.(message.Error).Message(); got != tc.msg {
 				t.Errorf("Message: %s, want %s", got, tc.msg)
 			}
 		})
 	}
 }
 func TestDaemonOp(t *testing.T) {
 	t.Parallel()
 	checkSimple(t, "DaemonOp.late", []simpleTestCase{
 		{"success", func(k *kstub) error {
 			state := setupState{Params: &Params{Env: []string{"\x00"}}, Context: t.Context(), Msg: k}
 			return (&DaemonOp{
 				Target: check.MustAbs("/run/user/1971/pulse/native"),
 				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			}).late(&state, k)
 		}, stub.Expect{Calls: []stub.Call{
 			call("isVerbose", stub.ExpectArgs{}, true, nil),
 			call("verbosef", stub.ExpectArgs{"starting %s", []any{`daemon providing "/run/user/1971/pulse/native"`}}, nil, nil),
 			call("start", stub.ExpectArgs{"/run/current-system/sw/bin/pipewire-pulse", []string{"/run/current-system/sw/bin/pipewire-pulse", "-v"}, []string{"\x00"}, "/"}, &os.Process{Pid: 0xcafe}, nil),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
 			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), nil),
 			call("verbosef", stub.ExpectArgs{"daemon process %d ready", []any{0xcafe}}, nil, nil),
 		}}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*DaemonOp)(nil), false},
 		{"zero", new(DaemonOp), false},
 		{"valid", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 			Args:   []string{"-v"},
 		}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"pipewire-pulse", new(Ops).Daemon(
 			check.MustAbs("/run/user/1971/pulse/native"),
 			check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"), "-v",
 		), Ops{
 			&DaemonOp{
 				Target: check.MustAbs("/run/user/1971/pulse/native"),
 				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(DaemonOp), new(DaemonOp), false},
 		{"args differs", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 			Args:   []string{"-v"},
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, false},
 		{"path differs", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire"),
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, false},
 		{"target differs", &DaemonOp{
 			Target: check.MustAbs("/run/user/65534/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, false},
 		{"equals", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"pipewire-pulse", &DaemonOp{
 			Target: check.MustAbs("/run/user/1971/pulse/native"),
 		}, zeroString, `daemon providing "/run/user/1971/pulse/native"`},
 	})
 }
--- a/container/initdev.go
+++ b/container/initdev.go
@@ -126,6 +126,7 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
 }
 func (d *MountDevOp) late(*setupState, syscallDispatcher) error { return nil }
 func (d *MountDevOp) Is(op Op) bool {
 	vd, ok := op.(*MountDevOp)
--- a/container/initmkdir.go
+++ b/container/initmkdir.go
@@ -27,6 +27,7 @@ func (m *MkdirOp) early(*setupState, syscallDispatcher) error { return nil }
 func (m *MkdirOp) apply(_ *setupState, k syscallDispatcher) error {
 	return k.mkdirAll(toSysroot(m.Path.String()), m.Perm)
 }
 func (m *MkdirOp) late(*setupState, syscallDispatcher) error { return nil }
 func (m *MkdirOp) Is(op Op) bool {
 	vm, ok := op.(*MkdirOp)
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -205,6 +205,8 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
 }
 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
 func (o *MountOverlayOp) Is(op Op) bool {
 	vo, ok := op.(*MountOverlayOp)
 	return ok && o.Valid() && vo.Valid() &&
--- a/container/initplace.go
+++ b/container/initplace.go
@@ -57,6 +57,7 @@ func (t *TmpfileOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return nil
 }
 func (t *TmpfileOp) late(*setupState, syscallDispatcher) error { return nil }
 func (t *TmpfileOp) Is(op Op) bool {
 	vt, ok := op.(*TmpfileOp)
--- a/container/initproc.go
+++ b/container/initproc.go
@@ -28,6 +28,7 @@ func (p *MountProcOp) apply(state *setupState, k syscallDispatcher) error {
 	}
 	return k.mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString)
 }
 func (p *MountProcOp) late(*setupState, syscallDispatcher) error { return nil }
 func (p *MountProcOp) Is(op Op) bool {
 	vp, ok := op.(*MountProcOp)
--- a/container/initremount.go
+++ b/container/initremount.go
@@ -26,6 +26,7 @@ func (*RemountOp) early(*setupState, syscallDispatcher) error { return nil }
 func (r *RemountOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.remount(state, toSysroot(r.Target.String()), r.Flags)
 }
 func (r *RemountOp) late(*setupState, syscallDispatcher) error { return nil }
 func (r *RemountOp) Is(op Op) bool {
 	vr, ok := op.(*RemountOp)
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -50,6 +50,8 @@ func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.symlink(l.LinkName, target)
 }
 func (l *SymlinkOp) late(*setupState, syscallDispatcher) error { return nil }
 func (l *SymlinkOp) Is(op Op) bool {
 	vl, ok := op.(*SymlinkOp)
 	return ok && l.Valid() && vl.Valid() &&
--- a/container/inittmpfs.go
+++ b/container/inittmpfs.go
@@ -48,6 +48,7 @@ func (t *MountTmpfsOp) apply(_ *setupState, k syscallDispatcher) error {
 	}
 	return k.mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
 }
 func (t *MountTmpfsOp) late(*setupState, syscallDispatcher) error { return nil }
 func (t *MountTmpfsOp) Is(op Op) bool {
 	vt, ok := op.(*MountTmpfsOp)
--- a/dist/comp/_hakurei
+++ b/dist/comp/_hakurei
@@ -17,7 +17,8 @@ _hakurei_run() {
    '--wayland[Enable connection to Wayland via security-context-v1]' \
    '-X[Enable direct connection to X11]' \
    '--dbus[Enable proxied connection to D-Bus]' \
-    '--pulse[Enable direct connection to PulseAudio]' \
+    '--pipewire[Enable connection to PipeWire via SecurityContext]' \
    '--pulse[Enable PulseAudio compatibility daemon]' \
    '--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
    '--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
    '--mpris[Allow owning MPRIS D-Bus path]' \
--- a/hst/config.go
+++ b/hst/config.go
@@ -23,9 +23,20 @@ type Config struct {
 	// System D-Bus proxy configuration.
 	// If set to nil, system bus proxy is disabled.
 	SystemBus *BusConfig `json:"system_bus,omitempty"`
 	// Direct access to wayland socket, no attempt is made to attach security-context-v1
 	// and the bare socket is made available to the container.
 	//
 	// This option is unsupported and most likely enables full control over the Wayland
 	// session. Do not set this to true unless you are sure you know what you are doing.
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// Direct access to PulseAudio socket, no attempt is made to establish pipewire-pulse
 	// server via a PipeWire socket with a SecurityContext attached and the bare socket
 	// is made available to the container.
 	//
 	// This option is unsupported and enables arbitrary code execution as the PulseAudio
 	// server. Do not set this to true, this is insecure under any configuration.
 	DirectPulse bool `json:"direct_pulse,omitempty"`
 	// Extra acl updates to perform before setuid.
 	ExtraPerms []ExtraPermConfig `json:"extra_perms,omitempty"`
@@ -49,6 +60,9 @@ var (
 	// ErrEnviron is returned by [Config.Validate] if an environment variable name contains '=' or NUL.
 	ErrEnviron = errors.New("invalid environment variable name")
 	// ErrInsecure is returned by [Config.Validate] if the configuration is considered insecure.
 	ErrInsecure = errors.New("configuration is insecure")
 )
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
@@ -95,6 +109,11 @@ func (config *Config) Validate() error {
 		}
 	}
 	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
 		return &AppError{Step: "validate configuration", Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 	return nil
 }
--- a/hst/config_test.go
+++ b/hst/config_test.go
@@ -53,6 +53,12 @@ func TestConfigValidate(t *testing.T) {
 			Env:   map[string]string{"TERM\x00": ""},
 		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
 		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
--- a/hst/enablement.go
+++ b/hst/enablement.go
@@ -17,6 +17,8 @@ const (
 	EX11
 	// EDBus enables the per-container xdg-dbus-proxy daemon.
 	EDBus
 	// EPipeWire exposes a pipewire pathname socket via SecurityContext.
 	EPipeWire
 	// EPulse copies the PulseAudio cookie to [hst.PrivateTmp] and exposes the PulseAudio socket.
 	EPulse
@@ -35,6 +37,8 @@ func (e Enablement) String() string {
 		return "x11"
 	case EDBus:
 		return "dbus"
 	case EPipeWire:
 		return "pipewire"
 	case EPulse:
 		return "pulseaudio"
 	default:
@@ -62,10 +66,11 @@ type Enablements Enablement
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
-	Wayland bool `json:"wayland,omitempty"`
+	Wayland  bool `json:"wayland,omitempty"`
-	X11     bool `json:"x11,omitempty"`
+	X11      bool `json:"x11,omitempty"`
-	DBus    bool `json:"dbus,omitempty"`
+	DBus     bool `json:"dbus,omitempty"`
-	Pulse   bool `json:"pulse,omitempty"`
+	PipeWire bool `json:"pipewire,omitempty"`
 	Pulse    bool `json:"pulse,omitempty"`
 }
 // Unwrap returns the underlying [Enablement].
@@ -81,10 +86,11 @@ func (e *Enablements) MarshalJSON() ([]byte, error) {
 		return nil, syscall.EINVAL
 	}
 	return json.Marshal(&enablementsJSON{
-		Wayland: Enablement(*e)&EWayland != 0,
+		Wayland:  Enablement(*e)&EWayland != 0,
-		X11:     Enablement(*e)&EX11 != 0,
+		X11:      Enablement(*e)&EX11 != 0,
-		DBus:    Enablement(*e)&EDBus != 0,
+		DBus:     Enablement(*e)&EDBus != 0,
-		Pulse:   Enablement(*e)&EPulse != 0,
+		PipeWire: Enablement(*e)&EPipeWire != 0,
 		Pulse:    Enablement(*e)&EPulse != 0,
 	})
 }
@@ -108,6 +114,9 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 	if v.DBus {
 		ve |= EDBus
 	}
 	if v.PipeWire {
 		ve |= EPipeWire
 	}
 	if v.Pulse {
 		ve |= EPulse
 	}
--- a/hst/enablement_test.go
+++ b/hst/enablement_test.go
@@ -32,6 +32,7 @@ func TestEnablementString(t *testing.T) {
 		{hst.EWayland | hst.EDBus | hst.EPulse, "wayland, dbus, pulseaudio"},
 		{hst.EX11 | hst.EDBus | hst.EPulse, "x11, dbus, pulseaudio"},
 		{hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse, "wayland, x11, dbus, pulseaudio"},
 		{hst.EM - 1, "wayland, x11, dbus, pipewire, pulseaudio"},
 		{1 << 5, "e20"},
 		{1 << 6, "e40"},
@@ -62,8 +63,9 @@ func TestEnablements(t *testing.T) {
 		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
 		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
 		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
 		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
 		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse), `{"wayland":true,"x11":true,"dbus":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pulse":true},"magic":3236757504}`},
+		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 	for _, tc := range testCases {
--- a/hst/fs.go
+++ b/hst/fs.go
@@ -45,6 +45,9 @@ type Ops interface {
 	Root(host *check.Absolute, flags int) Ops
 	// Etc appends an op that expands host /etc into a toplevel symlink mirror with /etc semantics.
 	Etc(host *check.Absolute, prefix string) Ops
 	// Daemon appends an op that starts a daemon in the container and blocks until target appears.
 	Daemon(target, path *check.Absolute, args ...string) Ops
 }
 // ApplyState holds the address of [Ops] and any relevant application state.
@@ -124,6 +127,12 @@ func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
 			*FSLink
 		}{fsType{FilesystemLink}, cv}
 	case *FSDaemon:
 		v = &struct {
 			fsType
 			*FSDaemon
 		}{fsType{FilesystemDaemon}, cv}
 	default:
 		return nil, FSImplError{f.FilesystemConfig}
 	}
@@ -152,6 +161,9 @@ func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
 	case FilesystemLink:
 		*f = FilesystemConfigJSON{new(FSLink)}
 	case FilesystemDaemon:
 		*f = FilesystemConfigJSON{new(FSDaemon)}
 	default:
 		return FSTypeError(t.Type)
 	}
--- a/hst/fs_test.go
+++ b/hst/fs_test.go
@@ -84,6 +84,16 @@ func TestFilesystemConfigJSON(t *testing.T) {
 		}, nil,
 			`{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true}`,
 			`{"fs":{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true},"magic":3236757504}`},
 		{"daemon", hst.FilesystemConfigJSON{
 			FilesystemConfig: &hst.FSDaemon{
 				Target: m("/run/user/1971/pulse/native"),
 				Exec:   m("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			},
 		}, nil,
 			`{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]}`,
 			`{"fs":{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]},"magic":3236757504}`},
 	}
 	for _, tc := range testCases {
@@ -345,6 +355,10 @@ func (p opsAdapter) Etc(host *check.Absolute, prefix string) hst.Ops {
 	return opsAdapter{p.Ops.Etc(host, prefix)}
 }
 func (p opsAdapter) Daemon(target, path *check.Absolute, args ...string) hst.Ops {
 	return opsAdapter{p.Ops.Daemon(target, path, args...)}
 }
 func m(pathname string) *check.Absolute { return check.MustAbs(pathname) }
 func ms(pathnames ...string) []*check.Absolute {
 	as := make([]*check.Absolute, len(pathnames))
--- a/hst/fsdaemon.go
+++ b/hst/fsdaemon.go
@@ -0,0 +1,48 @@
 package hst
 import (
 	"encoding/gob"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(FSDaemon)) }
 // FilesystemDaemon is the type string of a daemon.
 const FilesystemDaemon = "daemon"
 // FSDaemon represents a daemon to be started in the container.
 type FSDaemon struct {
 	// Pathname indicating readiness of daemon.
 	Target *check.Absolute `json:"dst"`
 	// Absolute pathname to daemon executable file.
 	Exec *check.Absolute `json:"path"`
 	// Arguments (excl. first) passed to daemon.
 	Args []string `json:"args"`
 }
 func (d *FSDaemon) Valid() bool { return d != nil && d.Target != nil && d.Exec != nil }
 func (d *FSDaemon) Path() *check.Absolute {
 	if !d.Valid() {
 		return nil
 	}
 	return d.Target
 }
 func (d *FSDaemon) Host() []*check.Absolute { return nil }
 func (d *FSDaemon) Apply(z *ApplyState) {
 	if !d.Valid() {
 		return
 	}
 	z.Daemon(d.Target, d.Exec, d.Args...)
 }
 func (d *FSDaemon) String() string {
 	if !d.Valid() {
 		return "<invalid>"
 	}
 	return "daemon:" + d.Target.String()
 }
--- a/hst/fsdaemon_test.go
+++ b/hst/fsdaemon_test.go
@@ -0,0 +1,29 @@
 package hst_test
 import (
 	"testing"
 	"hakurei.app/container"
 	"hakurei.app/hst"
 )
 func TestFSDaemon(t *testing.T) {
 	t.Parallel()
 	checkFs(t, []fsTestCase{
 		{"nil", (*hst.FSDaemon)(nil), false, nil, nil, nil, "<invalid>"},
 		{"zero", new(hst.FSDaemon), false, nil, nil, nil, "<invalid>"},
 		{"pipewire-pulse", &hst.FSDaemon{
 			Target: m("/run/user/1971/pulse/native"),
 			Exec:   m("/run/current-system/sw/bin/pipewire-pulse"),
 			Args:   []string{"-v"},
 		}, true, container.Ops{
 			&container.DaemonOp{
 				Target: m("/run/user/1971/pulse/native"),
 				Path:   m("/run/current-system/sw/bin/pipewire-pulse"),
 				Args:   []string{"-v"},
 			},
 		}, m("/run/user/1971/pulse/native"), nil, `daemon:/run/user/1971/pulse/native`},
 	})
 }
--- a/hst/hst.go
+++ b/hst/hst.go
@@ -70,7 +70,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
-		Enablements: NewEnablements(EWayland | EDBus | EPulse),
+		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
 		SessionBus: &BusConfig{
 			See: nil,
@@ -92,7 +92,6 @@ func Template() *Config {
 			Log:       false,
 			Filter:    true,
 		},
 		DirectWayland: false,
 		ExtraPerms: []ExtraPermConfig{
 			{Path: fhs.AbsVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},
--- a/hst/hst_test.go
+++ b/hst/hst_test.go
@@ -105,7 +105,7 @@ func TestTemplate(t *testing.T) {
 	"enablements": {
 		"wayland": true,
 		"dbus": true,
-		"pulse": true
+		"pipewire": true
 	},
 	"session_bus": {
 		"see": null,
--- a/internal/outcome/outcome.go
+++ b/internal/outcome/outcome.go
@@ -172,6 +172,8 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool
 	// Copied from [hst.Config]. Safe for read by spPulseOp.toSystem only.
 	directPulse bool
 	// Copied header from [hst.Config]. Safe for read by spFilesystemOp.toSystem only.
 	extraPerms []hst.ExtraPermConfig
 	// Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
@@ -185,7 +187,8 @@ type outcomeStateSys struct {
 func (s *outcomeState) newSys(config *hst.Config, sys *system.I) *outcomeStateSys {
 	return &outcomeStateSys{
 		appId: config.ID, et: config.Enablements.Unwrap(),
-		directWayland: config.DirectWayland, extraPerms: config.ExtraPerms,
+		directWayland: config.DirectWayland, directPulse: config.DirectPulse,
 		extraPerms: config.ExtraPerms,
 		sessionBus: config.SessionBus, systemBus: config.SystemBus,
 		sys: sys, outcomeState: s,
 	}
@@ -292,6 +295,7 @@ func (state *outcomeStateSys) toSystem() error {
 		// optional via enablements
 		&spWaylandOp{},
 		&spX11Op{},
 		spPipeWireOp{},
 		&spPulseOp{},
 		&spDBusOp{},
--- a/internal/outcome/run_test.go
+++ b/internal/outcome/run_test.go
@@ -27,7 +27,7 @@ import (
 	"hakurei.app/message"
 )
-func TestOutcomeMain(t *testing.T) {
+func TestOutcomeRun(t *testing.T) {
 	t.Parallel()
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
@@ -67,18 +67,8 @@ func TestOutcomeMain(t *testing.T) {
 				"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 			).
-			// ensureRuntimeDir
+			// spPipeWireOp
-			Ensure(m("/run/user/1971"), 0700).
+			PipeWire(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire")).
 			UpdatePermType(system.User, m("/run/user/1971"), acl.Execute).
 			Ensure(m("/run/user/1971/hakurei"), 0700).
 			UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			// runtime
 			Ephemeral(system.Process, m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), 0700).
 			UpdatePerm(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), acl.Execute).
 			// spPulseOp
 			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse")).
 			// spDBusOp
 			MustProxyDBus(
@@ -106,8 +96,7 @@ func TestOutcomeMain(t *testing.T) {
 				"GOOGLE_DEFAULT_CLIENT_ID=77185425430.apps.googleusercontent.com",
 				"GOOGLE_DEFAULT_CLIENT_SECRET=OTJgUOQcT7lO7GsGZq2G4IlT",
 				"HOME=/data/data/org.chromium.Chromium",
-				"PULSE_COOKIE=/.hakurei/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
@@ -144,7 +133,7 @@ func TestOutcomeMain(t *testing.T) {
 				Tmpfs(fhs.AbsDevShm, 0, 01777).
 				// spRuntimeOp
-				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+				Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/1971"), std.BindWritable).
 				// spTmpdirOp
@@ -157,9 +146,8 @@ func TestOutcomeMain(t *testing.T) {
 				// spWaylandOp
 				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/wayland"), m("/run/user/1971/wayland-0"), 0).
-				// spPulseOp
+				// spPipeWireOp
-				Bind(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire"), m("/run/user/1971/pipewire-0"), 0).
 				Place(m("/.hakurei/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				// spDBusOp
 				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bus"), m("/run/user/1971/bus"), 0).
@@ -244,7 +232,7 @@ func TestOutcomeMain(t *testing.T) {
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
 				Tmpfs(m("/dev/shm/"), 0, 01777).
-				Tmpfs(m("/run/user/"), 4096, 0755).
+				Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), std.BindWritable).
 				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
@@ -298,7 +286,7 @@ func TestOutcomeMain(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -347,10 +335,7 @@ func TestOutcomeMain(t *testing.T) {
 			Ensure(m("/tmp/hakurei.0/tmpdir/9"), 01700).UpdatePermType(system.User, m("/tmp/hakurei.0/tmpdir/9"), acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c"), 0711).
 			Wayland(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
-			Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			PipeWire(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire")).
 			Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			Ephemeral(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), acl.Execute).
 			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse")).
 			MustProxyDBus(&hst.BusConfig{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@@ -397,8 +382,7 @@ func TestOutcomeMain(t *testing.T) {
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
 				"HOME=/home/chronos",
-				"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0",
 				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
@@ -413,14 +397,13 @@ func TestOutcomeMain(t *testing.T) {
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
 				Tmpfs(m("/dev/shm/"), 0, 01777).
-				Tmpfs(m("/run/user/"), 4096, 0755).
+				Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), std.BindWritable).
 				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
-				Bind(m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse"), m("/run/user/65534/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire"), m("/run/user/65534/pipewire-0"), 0).
 				Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
 				Bind(m("/dev/dri"), m("/dev/dri"), std.BindWritable|std.BindDevice|std.BindOptional).
@@ -440,7 +423,7 @@ func TestOutcomeMain(t *testing.T) {
 		{"nixos chromium direct wayland", new(stubNixOS), &hst.Config{
 			ID:          "org.chromium.Chromium",
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -502,9 +485,8 @@ func TestOutcomeMain(t *testing.T) {
 			Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			UpdatePermType(hst.EWayland, m("/run/user/1971/wayland-0"), acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), acl.Execute).
 			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse")).
 			Ephemeral(system.Process, m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1"), 0711).
 			PipeWire(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire")).
 			MustProxyDBus(&hst.BusConfig{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@@ -544,8 +526,7 @@ func TestOutcomeMain(t *testing.T) {
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
 				"HOME=/var/lib/persist/module/hakurei/0/1",
-				"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=u0_a1",
@@ -559,14 +540,13 @@ func TestOutcomeMain(t *testing.T) {
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
 				Tmpfs(m("/dev/shm/"), 0, 01777).
-				Tmpfs(m("/run/user/"), 4096, 0755).
+				Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), std.BindWritable).
 				Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
 				Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
-				Bind(m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire"), m("/run/user/1971/pipewire-0"), 0).
 				Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
 				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
 				Bind(m("/bin"), m("/bin"), 0).
--- a/internal/outcome/shim_test.go
+++ b/internal/outcome/shim_test.go
@@ -69,7 +69,7 @@ func TestShimEntrypoint(t *testing.T) {
 			Tmpfs(fhs.AbsDevShm, 0, 01777).
 			// spRuntimeOp
-			Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+			Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 			Bind(m("/tmp/hakurei.10/runtime/9999"), m("/run/user/1000"), std.BindWritable).
 			// spTmpdirOp
--- a/internal/outcome/spcontainer.go
+++ b/internal/outcome/spcontainer.go
@@ -382,6 +382,10 @@ func (p opsAdapter) Link(target *check.Absolute, linkName string, dereference bo
 	return opsAdapter{p.Ops.Link(target, linkName, dereference)}
 }
 func (p opsAdapter) Daemon(target, path *check.Absolute, args ...string) hst.Ops {
 	return opsAdapter{p.Ops.Daemon(target, path, args...)}
 }
 func (p opsAdapter) Root(host *check.Absolute, flags int) hst.Ops {
 	return opsAdapter{p.Ops.Root(host, flags)}
 }
--- a/internal/outcome/sppipewire.go
+++ b/internal/outcome/sppipewire.go
@@ -0,0 +1,31 @@
 package outcome
 import (
 	"encoding/gob"
 	"hakurei.app/hst"
 	"hakurei.app/internal/pipewire"
 )
 func init() { gob.Register(spPipeWireOp{}) }
 // spPipeWireOp exports the PipeWire server to the container via SecurityContext.
 // Runs after spRuntimeOp.
 type spPipeWireOp struct{}
 func (s spPipeWireOp) toSystem(state *outcomeStateSys) error {
 	if state.et&hst.EPipeWire == 0 {
 		return errNotEnabled
 	}
 	state.sys.PipeWire(state.instance().Append("pipewire"))
 	return nil
 }
 func (s spPipeWireOp) toContainer(state *outcomeStateParams) error {
 	innerPath := state.runtimeDir.Append(pipewire.PW_DEFAULT_REMOTE)
 	state.env[pipewire.Remote] = innerPath.String()
 	state.params.Bind(state.instancePath().Append("pipewire"), innerPath, 0)
 	return nil
 }
--- a/internal/outcome/sppipewire_test.go
+++ b/internal/outcome/sppipewire_test.go
@@ -0,0 +1,43 @@
 package outcome
 import (
 	"testing"
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
 	"hakurei.app/internal/pipewire"
 	"hakurei.app/internal/system"
 )
 func TestSpPipeWireOp(t *testing.T) {
 	t.Parallel()
 	config := hst.Template()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"not enabled", func(bool, bool) outcomeOp {
 			return spPipeWireOp{}
 		}, func() *hst.Config {
 			c := hst.Template()
 			*c.Enablements = 0
 			return c
 		}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
 		{"success", func(bool, bool) outcomeOp {
 			return spPipeWireOp{}
 		}, hst.Template, nil, []stub.Call{}, newI().
 			// state.instance
 			Ephemeral(system.Process, m(wantInstancePrefix), 0711).
 			// toSystem
 			PipeWire(
 				m(wantInstancePrefix + "/pipewire"),
 			), sysUsesInstance(nil), nil, insertsOps(afterSpRuntimeOp(nil)), []stub.Call{
 			// this op configures the container state and does not make calls during toContainer
 		}, &container.Params{
 			Ops: new(container.Ops).
 				Bind(m(wantInstancePrefix+"/pipewire"), m("/run/user/1000/pipewire-0"), 0),
 		}, paramsWantEnv(config, map[string]string{
 			pipewire.Remote: "/run/user/1000/pipewire-0",
 		}, nil), nil},
 	})
 }
--- a/internal/outcome/sppulse.go
+++ b/internal/outcome/sppulse.go
@@ -29,7 +29,7 @@ type spPulseOp struct {
 }
 func (s *spPulseOp) toSystem(state *outcomeStateSys) error {
-	if state.et&hst.EPulse == 0 {
+	if !state.directPulse || state.et&hst.EPulse == 0 {
 		return errNotEnabled
 	}
--- a/internal/outcome/sppulse_test.go
+++ b/internal/outcome/sppulse_test.go
@@ -18,24 +18,40 @@ import (
 func TestSpPulseOp(t *testing.T) {
 	t.Parallel()
-	config := hst.Template()
+	newConfig := func() *hst.Config {
 		config := hst.Template()
 		config.DirectPulse = true
 		config.Enablements = hst.NewEnablements(hst.EPulse)
 		return config
 	}
 	config := newConfig()
 	sampleCookie := bytes.Repeat([]byte{0xfc}, pulseCookieSizeMax)
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"not enabled", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
 		}, func() *hst.Config {
-			c := hst.Template()
+			c := newConfig()
 			c.DirectPulse = true
 			*c.Enablements = 0
 			return c
 		}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
 		{"not enabled direct", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
 		}, func() *hst.Config {
 			c := newConfig()
 			c.DirectPulse = false
 			return c
 		}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
 		{"socketDir stat", func(isShim, _ bool) outcomeOp {
 			if !isShim {
 				return new(spPulseOp)
 			}
 			return &spPulseOp{Cookie: (*[256]byte)(sampleCookie)}
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), stub.UniqueError(2)),
 		}, nil, nil, &hst.AppError{
 			Step: `access PulseAudio directory "/proc/nonexistent/xdg_runtime_dir/pulse"`,
@@ -44,7 +60,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"socketDir nonexistent", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), os.ErrNotExist),
 		}, nil, nil, &hst.AppError{
 			Step: "finalise",
@@ -54,7 +70,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"socket stat", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, (*stubFi)(nil), stub.UniqueError(1)),
 		}, nil, nil, &hst.AppError{
@@ -64,7 +80,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"socket nonexistent", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, (*stubFi)(nil), os.ErrNotExist),
 		}, nil, nil, &hst.AppError{
@@ -75,7 +91,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"socket mode", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0660}, nil),
 		}, nil, nil, &hst.AppError{
@@ -86,7 +102,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"cookie notAbs", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "proc/nonexistent/cookie", nil),
@@ -97,7 +113,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"cookie loadFile", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -118,7 +134,7 @@ func TestSpPulseOp(t *testing.T) {
 				op.CookieSize += +0xfd
 			}
 			return op
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -150,7 +166,7 @@ func TestSpPulseOp(t *testing.T) {
 			sampleCookieTrunc := make([]byte, pulseCookieSizeMax)
 			copy(sampleCookieTrunc, sampleCookie[:len(sampleCookie)-0xe])
 			return &spPulseOp{Cookie: (*[pulseCookieSizeMax]byte)(sampleCookieTrunc), CookieSize: pulseCookieSizeMax - 0xe}
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -183,7 +199,7 @@ func TestSpPulseOp(t *testing.T) {
 				return new(spPulseOp)
 			}
 			return &spPulseOp{Cookie: (*[pulseCookieSizeMax]byte)(sampleCookie), CookieSize: pulseCookieSizeMax}
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -213,7 +229,7 @@ func TestSpPulseOp(t *testing.T) {
 		{"success", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, nil, nil),
--- a/internal/outcome/spruntime.go
+++ b/internal/outcome/spruntime.go
@@ -91,6 +91,9 @@ func (s *spRuntimeOp) toSystem(state *outcomeStateSys) error {
 	return nil
 }
 // xdgRuntimeDirSize is the size of the filesystem mounted on inner XDG_RUNTIME_DIR.
 const xdgRuntimeDirSize = 1 << 24
 func (s *spRuntimeOp) toContainer(state *outcomeStateParams) error {
 	state.runtimeDir = fhs.AbsRunUser.Append(state.mapuid.String())
 	state.env[envXDGRuntimeDir] = state.runtimeDir.String()
@@ -108,7 +111,7 @@ func (s *spRuntimeOp) toContainer(state *outcomeStateParams) error {
 	}
-	state.params.Tmpfs(fhs.AbsRunUser, 1<<12, 0755)
+	state.params.Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755)
 	if state.Container.Flags&hst.FShareRuntime != 0 {
 		_, runtimeDirInst := s.commonPaths(state.outcomeState)
 		state.params.Bind(runtimeDirInst, state.runtimeDir, std.BindWritable)
--- a/internal/outcome/spruntime_test.go
+++ b/internal/outcome/spruntime_test.go
@@ -40,7 +40,7 @@ func TestSpRuntimeOp(t *testing.T) {
 			// this op configures the container state and does not make calls during toContainer
 		}, &container.Params{
 			Ops: new(container.Ops).
-				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+				Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
@@ -67,7 +67,7 @@ func TestSpRuntimeOp(t *testing.T) {
 			// this op configures the container state and does not make calls during toContainer
 		}, &container.Params{
 			Ops: new(container.Ops).
-				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+				Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
@@ -94,7 +94,7 @@ func TestSpRuntimeOp(t *testing.T) {
 			// this op configures the container state and does not make calls during toContainer
 		}, &container.Params{
 			Ops: new(container.Ops).
-				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+				Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
@@ -117,7 +117,7 @@ func TestSpRuntimeOp(t *testing.T) {
 			// this op configures the container state and does not make calls during toContainer
 		}, &container.Params{
 			Ops: new(container.Ops).
-				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
+				Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
 				Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
 		}, paramsWantEnv(config, map[string]string{
 			"XDG_RUNTIME_DIR":   "/run/user/1000",
--- a/internal/pipewire/pipewire.go
+++ b/internal/pipewire/pipewire.go
@@ -63,7 +63,7 @@ type Context struct {
 	generation Long
 	// Pending file descriptors to be sent with the next message.
 	pendingFiles []int
-	// File count kept track of in [Header].
+	// File count already kept track of in [Header].
 	headerFiles int
 	// Files from the server. This is discarded on every Roundtrip so eventProxy
 	// implementations must make sure to close them to avoid leaking fds.
@@ -271,16 +271,20 @@ func (ctx *Context) recvmsg(remaining []byte) (payload []byte, err error) {
 		n, oobn, recvflags, err = ctx.conn.Recvmsg(ctx.iovecBuf[len(remaining):], ctx.oobBuf[:], recvmsgFlags)
 		if oob := ctx.oobBuf[:oobn]; len(oob) > 0 {
 			var oobErr error
 			var scm []syscall.SocketControlMessage
-			if scm, err = syscall.ParseSocketControlMessage(oob); err != nil {
+			if scm, oobErr = syscall.ParseSocketControlMessage(oob); oobErr != nil {
 				ctx.closeReceivedFiles()
 				err = oobErr
 				return
 			}
 			var fds []int
 			for i := range scm {
-				if fds, err = syscall.ParseUnixRights(&scm[i]); err != nil {
+				if fds, oobErr = syscall.ParseUnixRights(&scm[i]); oobErr != nil {
 					ctx.closeReceivedFiles()
 					err = oobErr
 					return
 				}
 				ctx.receivedFiles = append(ctx.receivedFiles, fds...)
@@ -310,7 +314,7 @@ func (ctx *Context) recvmsg(remaining []byte) (payload []byte, err error) {
 		err = syscall.EPIPE // not wrapped as it did not come from the syscall
 	}
 	if n > 0 {
-		payload = ctx.iovecBuf[:n]
+		payload = ctx.iovecBuf[:len(remaining)+n]
 	}
 	return
 }
@@ -581,6 +585,9 @@ func (ctx *Context) roundtrip() (err error) {
 	if err = ctx.sendmsg(ctx.buf, ctx.pendingFiles...); err != nil {
 		return
 	}
 	ctx.buf = ctx.buf[:0]
 	ctx.pendingFiles = ctx.pendingFiles[:0]
 	ctx.headerFiles = 0
 	defer func() {
 		var danglingFiles DanglingFilesError
@@ -657,10 +664,6 @@ func (ctx *Context) consume(receiveRemaining []byte) (remaining []byte, err erro
 		return
 	}()
 	ctx.buf = ctx.buf[:0]
 	ctx.pendingFiles = ctx.pendingFiles[:0]
 	ctx.headerFiles = 0
 	if remaining, err = ctx.recvmsg(receiveRemaining); err != nil {
 		return
 	}
@@ -677,11 +680,11 @@ func (ctx *Context) consume(receiveRemaining []byte) (remaining []byte, err erro
 		if header.Sequence != ctx.remoteSequence {
 			return remaining, UnexpectedSequenceError(header.Sequence)
 		}
 		ctx.remoteSequence++
 		if len(remaining) < int(SizeHeader+header.Size) {
 			return
 		}
 		ctx.remoteSequence++
 		proxy, ok := ctx.proxy[header.ID]
 		if !ok {
@@ -783,6 +786,9 @@ func (ctx *Context) Close() (err error) {
 	}
 }
 // Remote is the environment (sic) with the remote name.
 const Remote = "PIPEWIRE_REMOTE"
 /* modules/module-protocol-native/local-socket.c */
 const DEFAULT_SYSTEM_RUNTIME_DIR = "/run/pipewire"
@@ -814,14 +820,13 @@ func connectName(name string, manager bool) (conn *net.UnixConn, err error) {
 }
 // ConnectName connects to a PipeWire remote by name.
-func ConnectName(name string, manager bool) (ctx *Context, err error) {
+func ConnectName(name string, manager bool, props SPADict) (ctx *Context, err error) {
 	var props SPADict
 	if manager {
 		props = append(props, SPADictItem{Key: PW_KEY_REMOTE_INTENTION, Value: "manager"})
 	}
 	if name == "" {
-		if v, ok := os.LookupEnv("PIPEWIRE_REMOTE"); !ok || v == "" {
+		if v, ok := os.LookupEnv(Remote); !ok || v == "" {
 			name = PW_DEFAULT_REMOTE
 		} else {
 			name = v
@@ -841,4 +846,6 @@ func ConnectName(name string, manager bool) (ctx *Context, err error) {
 }
 // Connect connects to the PipeWire remote.
-func Connect(manager bool) (ctx *Context, err error) { return ConnectName("", manager) }
+func Connect(manager bool, props SPADict) (ctx *Context, err error) {
 	return ConnectName("", manager, props)
 }
--- a/internal/store/header_test.go
+++ b/internal/store/header_test.go
@@ -34,7 +34,7 @@ func TestEntryHeader(t *testing.T) {
 		{"success high", [entryHeaderSize]byte{0x00, 0xff, 0xca, 0xfe, 0x00, 0x00,
 			0xff, 0x00}, 0xff, nil},
 		{"success", [entryHeaderSize]byte{0x00, 0xff, 0xca, 0xfe, 0x00, 0x00,
-			0x09, 0xf6}, hst.EWayland | hst.EPulse, nil},
+			0x09, 0xf6}, hst.EWayland | hst.EPipeWire, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
--- a/internal/system/dispatcher.go
+++ b/internal/system/dispatcher.go
@@ -89,7 +89,7 @@ func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanc
 	return wayland.New(displayPath, bindPath, appID, instanceID)
 }
-func (k direct) pipewireConnect() (*pipewire.Context, error) { return pipewire.Connect(true) }
+func (k direct) pipewireConnect() (*pipewire.Context, error) { return pipewire.Connect(true, nil) }
 func (k direct) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	return xcb.ChangeHosts(mode, family, address)
--- a/nixos.nix
+++ b/nixos.nix
@@ -196,6 +196,15 @@ in
                            }
                          ]
                        )
                        ++ optional (app.enablements.pipewire && app.pulse) {
                          type = "daemon";
                          dst = if app.mapRealUid then "/run/user/${toString config.users.users.${username}.uid}/pulse/native" else "/run/user/65534/pulse/native";
                          path = cfg.shell;
                          args = [
                            "-lc"
                            "exec pipewire-pulse"
                          ];
                        }
                        ++ [
                          {
                            type = "bind";
--- a/options.nix
+++ b/options.nix
@@ -218,7 +218,7 @@ in
                  type = nullOr bool;
                  default = true;
                  description = ''
-                    Whether to share the Wayland socket.
+                    Whether to share the Wayland server via security-context-v1.
                  '';
                };
@@ -238,15 +238,23 @@ in
                  '';
                };
-                pulse = mkOption {
+                pipewire = mkOption {
                  type = nullOr bool;
                  default = true;
                  description = ''
-                    Whether to share the PulseAudio socket and cookie.
+                    Whether to share the PipeWire server via SecurityContext.
                  '';
                };
              };
              pulse = mkOption {
                type = nullOr bool;
                default = true;
                description = ''
                  Whether to run the PulseAudio compatibility daemon.
                '';
              };
              share = mkOption {
                type = nullOr package;
                default = null;
--- a/package.nix
+++ b/package.nix
@@ -32,7 +32,7 @@
 buildGoModule rec {
  pname = "hakurei";
-  version = "0.3.1";
+  version = "0.3.2";
  srcFiltered = builtins.path {
    name = "${pname}-src";
--- a/test/configuration.nix
+++ b/test/configuration.nix
@@ -133,7 +133,7 @@
        wait_delay = 1;
        enablements = {
          wayland = false;
-          pulse = false;
+          pipewire = false;
        };
      };
@@ -152,7 +152,7 @@
        command = "foot";
        enablements = {
          dbus = false;
-          pulse = false;
+          pipewire = false;
        };
      };
@@ -167,7 +167,7 @@
        command = "foot";
        enablements = {
          dbus = false;
-          pulse = false;
+          pipewire = false;
        };
      };
@@ -199,7 +199,7 @@
          wayland = false;
          x11 = true;
          dbus = false;
-          pulse = false;
+          pipewire = false;
        };
      };
@@ -218,7 +218,7 @@
        command = "foot";
        enablements = {
          dbus = false;
-          pulse = false;
+          pipewire = false;
        };
      };
@@ -232,7 +232,7 @@
          wayland = false;
          x11 = false;
          dbus = false;
-          pulse = false;
+          pipewire = false;
        };
      };
    };
--- a/test/interactive/hakurei.nix
+++ b/test/interactive/hakurei.nix
@@ -15,9 +15,30 @@
        command = "foot";
        enablements = {
          dbus = false;
-          pulse = false;
+          pipewire = false;
        };
      };
      "cat.gensokyo.extern.foot.badDaemon" = {
        name = "bd-foot";
        identity = 1;
        shareUid = true;
        verbose = true;
        share = pkgs.foot;
        packages = [ pkgs.foot ];
        command = "foot";
        enablements = {
          dbus = false;
        };
        extraPaths = [
          {
            type = "daemon";
            dst = "/proc/nonexistent";
            path = "/usr/bin/env";
            args = [ "false" ];
          }
        ];
      };
    };
    extraHomeConfig.home.stateVersion = "23.05";
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -41,7 +41,7 @@ in
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
      "DISPLAY=unix:/tmp/.X11-unix/X0"
      "HOME=/var/lib/hakurei/u0/a4"
-      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a4"
@@ -137,8 +137,12 @@ in
        user = fs "800001ed" {
          "65534" = fs "800001c0" {
            bus = fs "10001fd" null null;
-            pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
+            pulse = fs "800001c0" {
              native = fs "10001ff" null null;
              pid = fs "1a4" null null;
            } null;
            wayland-0 = fs "1000038" null null;
            pipewire-0 = fs "1000038" null null;
          } null;
        } null;
      } null;
@@ -220,13 +224,13 @@ in
      (ent "/" ignore ignore ignore ignore ignore)
      (ent "/" ignore ignore ignore ignore ignore)
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10004,gid=10004")
-      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10004,gid=10004")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10004,gid=10004")
      (ent "/tmp/hakurei.0/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10004,gid=10004")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10004,gid=10004")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
-      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
+      (ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -49,7 +49,7 @@ in
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
      "HOME=/var/lib/hakurei/u0/a3"
-      "PULSE_SERVER=unix:/run/user/1000/pulse/native"
+      "PIPEWIRE_REMOTE=/run/user/1000/pipewire-0"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a3"
@@ -162,8 +162,12 @@ in
        user = fs "800001ed" {
          "1000" = fs "800001f8" {
            bus = fs "10001fd" null null;
-            pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
+            pulse = fs "800001c0" {
              native = fs "10001ff" null null;
              pid = fs "1a4" null null;
            } null;
            wayland-0 = fs "1000038" null null;
            pipewire-0 = fs "1000038" null null;
          } null;
        } null;
      } null;
@@ -247,13 +251,13 @@ in
      (ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,mode=620,ptmxmode=666")
      (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10003,gid=10003")
-      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10003,gid=10003")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10003,gid=10003")
      (ent "/tmp/hakurei.0/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10003,gid=10003")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10003,gid=10003")
      (ent ignore "/run/user/1000/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
-      (ent ignore "/run/user/1000/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
+      (ent ignore "/run/user/1000/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/1000/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@@ -181,7 +181,7 @@
      (ent ignore "/dev/console" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
      (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10000,gid=10000")
-      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10000,gid=10000")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10000,gid=10000")
      (ent "/tmp/hakurei.0/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10000,gid=10000")
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@@ -49,7 +49,7 @@ in
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
      "HOME=/var/lib/hakurei/u0/a5"
-      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a5"
@@ -160,8 +160,12 @@ in
        user = fs "800001ed" {
          "65534" = fs "800001f8" {
            bus = fs "10001fd" null null;
-            pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
+            pulse = fs "800001c0" {
              native = fs "10001ff" null null;
              pid = fs "1a4" null null;
            } null;
            wayland-0 = fs "1000038" null null;
            pipewire-0 = fs "1000038" null null;
          } null;
        } null;
      } null;
@@ -245,13 +249,13 @@ in
      (ent ignore "/dev/console" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
      (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10005,gid=10005")
-      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10005,gid=10005")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10005,gid=10005")
      (ent "/tmp/hakurei.0/runtime/5" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/5" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10005,gid=10005")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10005,gid=10005")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
-      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
+      (ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -49,7 +49,7 @@ in
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
      "HOME=/var/lib/hakurei/u0/a1"
-      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a1"
@@ -159,8 +159,12 @@ in
        user = fs "800001ed" {
          "65534" = fs "800001c0" {
            bus = fs "10001fd" null null;
-            pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
+            pulse = fs "800001c0" {
              native = fs "10001ff" null null;
              pid = fs "1a4" null null;
            } null;
            wayland-0 = fs "1000038" null null;
            pipewire-0 = fs "1000038" null null;
          } null;
        } null;
      } null;
@@ -243,12 +247,12 @@ in
      (ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,mode=620,ptmxmode=666")
      (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10001,gid=10001")
-      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10001,gid=10001")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10001,gid=10001")
      (ent "/" "/tmp" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10001,gid=10001")
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10001,gid=10001")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10001,gid=10001")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
-      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
+      (ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -50,7 +50,7 @@ in
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
      "DISPLAY=:0"
      "HOME=/var/lib/hakurei/u0/a2"
-      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
+      "PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
      "SHELL=/run/current-system/sw/bin/bash"
      "TERM=linux"
      "USER=u0_a2"
@@ -164,8 +164,12 @@ in
        user = fs "800001ed" {
          "65534" = fs "800001f8" {
            bus = fs "10001fd" null null;
-            pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
+            pulse = fs "800001c0" {
              native = fs "10001ff" null null;
              pid = fs "1a4" null null;
            } null;
            wayland-0 = fs "1000038" null null;
            pipewire-0 = fs "1000038" null null;
          } null;
        } null;
      } null;
@@ -252,14 +256,14 @@ in
      (ent ignore "/dev/console" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
      (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10002,gid=10002")
-      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10002,gid=10002")
+      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10002,gid=10002")
      (ent "/tmp/hakurei.0/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/tmp" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10002,gid=10002")
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10002,gid=10002")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10002,gid=10002")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
-      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
+      (ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/test.py
+++ b/test/sandbox/test.py
@@ -83,4 +83,4 @@ swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")
 # Print hakurei runDir contents:
-print(machine.succeed("find /run/user/1000/hakurei"))
+print(machine.fail("ls /run/user/1000/hakurei"))
--- a/test/test.py
+++ b/test/test.py
@@ -160,17 +160,17 @@ machine.succeed("pkill -9 mako")
 # Check revert type selection:
 hakurei("-v run --wayland -X --dbus --pulse -u p0 foot && touch /tmp/p0-exit-ok")
 wait_for_window("p0@machine")
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000"))
 hakurei("-v run --wayland -X --dbus --pulse -u p1 foot && touch /tmp/p1-exit-ok")
 wait_for_window("p1@machine")
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000"))
 machine.send_chars("exit\n")
 machine.wait_for_file("/tmp/p1-exit-ok", timeout=15)
 # Verify acl is kept alive:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000"))
 machine.send_chars("exit\n")
 machine.wait_for_file("/tmp/p0-exit-ok", timeout=15)
-machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000")
+machine.fail("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000")
 # Check invalid identifier fd behaviour:
 machine.fail('echo \'{"container":{"shell":"/proc/nonexistent","home":"/proc/nonexistent","path":"/proc/nonexistent"}}\' | sudo -u alice -i hakurei -v app --identifier-fd 32767 - 2>&1 | tee > /tmp/invalid-identifier-fd')
@@ -219,15 +219,22 @@ machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)
 machine.fail(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {hakurei_identity(0) + 10000}", timeout=5)
-# Test PulseAudio (hakurei does not support PipeWire yet):
+# Test pipewire-pulse:
 swaymsg("exec pa-foot")
 wait_for_window(f"u0_a{hakurei_identity(1)}@machine")
 machine.send_chars("clear; pactl info && touch /var/tmp/pulse-ok\n")
 machine.wait_for_file("/var/tmp/pulse-ok", timeout=15)
 collect_state_ui("pulse_wayland")
-check_state("pa-foot", {"wayland": True, "pulse": True})
+check_state("pa-foot", {"wayland": True, "pipewire": True})
 # Test PipeWire:
 machine.send_chars("clear; pw-cli i 0 && touch /var/tmp/pw-ok\n")
 machine.wait_for_file("/var/tmp/pw-ok", timeout=15)
 collect_state_ui("pipewire_wayland")
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)
 # Test PipeWire SecurityContext:
 machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei -v run --pulse pactl info")
 machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei -v run --pulse pactl set-sink-mute @DEFAULT_SINK@ toggle")
 # Test XWayland (foot does not support X):
 swaymsg("exec x11-alacritty")
Author	SHA1	Message	Date
Ophestra	ccc0d98bd7	release: 0.3.2 All checks were successful Release / Create release (push) Successful in 48s Details Test / Create distribution (push) Successful in 28s Details Test / Sandbox (push) Successful in 42s Details Test / Sandbox (race detector) (push) Successful in 41s Details Test / Hpkg (push) Successful in 44s Details Test / Hakurei (race detector) (push) Successful in 7m4s Details Test / Hakurei (push) Successful in 4m2s Details Test / Flake checks (push) Successful in 1m40s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 08:12:52 +09:00
Ophestra	a3fd05765e	container: load initial process started before syscall All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 2m50s Details Test / Sandbox (race detector) (push) Successful in 5m3s Details Test / Hpkg (push) Successful in 5m21s Details Test / Hakurei (push) Successful in 5m47s Details Test / Hakurei (race detector) (push) Successful in 7m7s Details Test / Flake checks (push) Successful in 1m39s Details This avoids a race between returning from syscall and checking the state. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 08:12:22 +09:00
Ophestra	c538df7daa	internal/pipewire: expose connection props All checks were successful Test / Create distribution (push) Successful in 29s Details Test / Sandbox (push) Successful in 2m53s Details Test / Sandbox (race detector) (push) Successful in 4m47s Details Test / Hpkg (push) Successful in 5m10s Details Test / Hakurei (race detector) (push) Successful in 6m29s Details Test / Hakurei (push) Successful in 45s Details Test / Flake checks (push) Successful in 1m37s Details Unused in hakurei but could be useful when the package is moved out of internal. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 06:51:12 +09:00
Ophestra	44e5aa1a36	internal/pipewire: include remaining size in recvmsg wrapper All checks were successful Test / Create distribution (push) Successful in 35s Details Test / Sandbox (push) Successful in 2m36s Details Test / Sandbox (race detector) (push) Successful in 4m44s Details Test / Hpkg (push) Successful in 4m44s Details Test / Hakurei (race detector) (push) Successful in 6m20s Details Test / Hakurei (push) Successful in 3m35s Details Test / Flake checks (push) Successful in 1m22s Details This otherwise truncates the received data by len(remaining) bytes. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 06:36:46 +09:00
Ophestra	cf0e7d8c27	internal/pipewire: reset per-roundtrip state once per call All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 2m38s Details Test / Sandbox (race detector) (push) Successful in 4m40s Details Test / Hakurei (push) Successful in 5m1s Details Test / Hpkg (push) Successful in 4m58s Details Test / Hakurei (race detector) (push) Successful in 6m22s Details Test / Flake checks (push) Successful in 1m21s Details This was left in consume when relocating per-roundtrip code out of the per-receive consume method. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 06:28:33 +09:00
Ophestra	130add21e5	internal/pipewire: increment remote sequence after establishing bounds All checks were successful Test / Create distribution (push) Successful in 35s Details Test / Sandbox (push) Successful in 2m39s Details Test / Hakurei (push) Successful in 4m45s Details Test / Sandbox (race detector) (push) Successful in 4m47s Details Test / Hpkg (push) Successful in 4m53s Details Test / Hakurei (race detector) (push) Successful in 6m41s Details Test / Flake checks (push) Successful in 1m39s Details This avoids incrementing it twice proceeding from a partial message. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 06:21:41 +09:00
Ophestra	5ec4045e24	internal/pipewire: do not clobber error parsing SCMs All checks were successful Test / Create distribution (push) Successful in 35s Details Test / Sandbox (push) Successful in 2m35s Details Test / Sandbox (race detector) (push) Successful in 4m43s Details Test / Hakurei (push) Successful in 4m50s Details Test / Hpkg (push) Successful in 4m54s Details Test / Hakurei (race detector) (push) Successful in 6m29s Details Test / Flake checks (push) Successful in 1m21s Details The error is handled later, clobbering it here breaks error handling when SCMs are present. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-09 06:02:15 +09:00
Ophestra	be2075f169	Revert "internal/pipewire: work around remote sequence quirk" All checks were successful Test / Create distribution (push) Successful in 37s Details Test / Sandbox (push) Successful in 2m38s Details Test / Hakurei (push) Successful in 4m44s Details Test / Sandbox (race detector) (push) Successful in 4m50s Details Test / Hpkg (push) Successful in 4m52s Details Test / Hakurei (race detector) (push) Successful in 6m28s Details Test / Flake checks (push) Successful in 1m21s Details This reverts commit `564db6863b`.	2025-12-09 05:25:41 +09:00
Ophestra	e9fb1d7be5	container/initdaemon: copy wstatus from wait4 loop All checks were successful Test / Create distribution (push) Successful in 27s Details Test / Sandbox (push) Successful in 44s Details Test / Sandbox (race detector) (push) Successful in 42s Details Test / Hakurei (push) Successful in 48s Details Test / Hpkg (push) Successful in 44s Details Test / Hakurei (race detector) (push) Successful in 47s Details Test / Flake checks (push) Successful in 1m37s Details Due to the special nature of the init process, direct use of wait outside the wait4 loop is racy. This change copies the wstatus from wait4 loop state instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 22:58:42 +09:00
Ophestra	dafe9f8efc	container: spin instead of block on wait4 ECHILD All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 2m44s Details Test / Sandbox (race detector) (push) Successful in 4m43s Details Test / Hpkg (push) Successful in 4m57s Details Test / Hakurei (push) Successful in 5m2s Details Test / Hakurei (race detector) (push) Successful in 6m27s Details Test / Flake checks (push) Successful in 1m27s Details Blocking prevents further wait4 processing causing ops to never receive their signals. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 22:56:13 +09:00
Ophestra	96dd7abd80	container: improve error message fallback All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 2m38s Details Test / Sandbox (race detector) (push) Successful in 4m42s Details Test / Hpkg (push) Successful in 4m52s Details Test / Hakurei (push) Successful in 5m0s Details Test / Hakurei (race detector) (push) Successful in 6m27s Details Test / Flake checks (push) Successful in 1m28s Details This now falls back to message.Error if no other concrete type is matched. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 22:45:54 +09:00
Ophestra	d5fb179012	cmd/hakurei: exec instead of fork/exec from shell All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 2m44s Details Test / Sandbox (race detector) (push) Successful in 4m40s Details Test / Hakurei (push) Successful in 4m53s Details Test / Hpkg (push) Successful in 5m5s Details Test / Hakurei (race detector) (push) Successful in 6m26s Details Test / Flake checks (push) Successful in 1m27s Details There is no reason to keep the shell process around. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 22:29:41 +09:00
Ophestra	462863e290	container: friendlier error message for op timing out All checks were successful Test / Create distribution (push) Successful in 40s Details Test / Sandbox (push) Successful in 2m38s Details Test / Hakurei (push) Successful in 4m50s Details Test / Sandbox (race detector) (push) Successful in 4m52s Details Test / Hpkg (push) Successful in 5m4s Details Test / Hakurei (race detector) (push) Successful in 6m36s Details Test / Flake checks (push) Successful in 1m26s Details This includes the string for the failing op which helps with troubleshooting. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 22:19:03 +09:00
Ophestra	2786611b88	test/interactive: add app with bad daemon All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 40s Details Test / Sandbox (race detector) (push) Successful in 41s Details Test / Hakurei (push) Successful in 44s Details Test / Hakurei (race detector) (push) Successful in 45s Details Test / Hpkg (push) Successful in 41s Details Test / Flake checks (push) Successful in 1m28s Details This is useful for testing daemon error handling behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 22:12:07 +09:00
Ophestra	791a1dfa55	container: make wait4 loop available to ops All checks were successful Test / Create distribution (push) Successful in 38s Details Test / Sandbox (push) Successful in 2m36s Details Test / Sandbox (race detector) (push) Successful in 4m43s Details Test / Hpkg (push) Successful in 4m44s Details Test / Hakurei (push) Successful in 4m55s Details Test / Hakurei (race detector) (push) Successful in 6m23s Details Test / Flake checks (push) Successful in 1m32s Details Due to the special nature of the init process, regular wait calls are unavailable. This change provides infrastructure to access wait4 loop state from Op. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 21:43:49 +09:00
Ophestra	564db6863b	internal/pipewire: work around remote sequence quirk All checks were successful Test / Create distribution (push) Successful in 35s Details Test / Sandbox (push) Successful in 2m39s Details Test / Sandbox (race detector) (push) Successful in 4m41s Details Test / Hakurei (push) Successful in 4m57s Details Test / Hpkg (push) Successful in 4m58s Details Test / Hakurei (race detector) (push) Successful in 6m17s Details Test / Flake checks (push) Successful in 1m26s Details Remote sequence sometimes start with a non-zero value, and keeps the same value for a while before going back to zero. Conditions for reproducing this behaviour is not yet known. This change works around this behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 20:10:01 +09:00
Ophestra	87781c7658	treewide: include PipeWire op and enforce PulseAudio check All checks were successful Test / Create distribution (push) Successful in 29s Details Test / Sandbox (push) Successful in 40s Details Test / Sandbox (race detector) (push) Successful in 41s Details Test / Hakurei (push) Successful in 44s Details Test / Hpkg (push) Successful in 41s Details Test / Hakurei (race detector) (push) Successful in 45s Details Test / Flake checks (push) Successful in 1m29s Details This fully replaces PulseAudio with PipeWire and enforces the PulseAudio check and error message. The pipewire-pulse daemon is handled in the NixOS module. Closes #26. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 08:53:04 +09:00
Ophestra	0c38fb7b6a	hst: expose daemon as fs entry All checks were successful Test / Create distribution (push) Successful in 38s Details Test / Sandbox (push) Successful in 2m48s Details Test / Sandbox (race detector) (push) Successful in 4m48s Details Test / Hakurei (push) Successful in 5m15s Details Test / Hpkg (push) Successful in 5m18s Details Test / Hakurei (race detector) (push) Successful in 6m38s Details Test / Flake checks (push) Successful in 1m25s Details This is slightly counterintuitive, but it turned out well under this framework since the daemon backs its target file. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 07:38:47 +09:00
Ophestra	357cfcddee	container: start daemons within container All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 2m32s Details Test / Sandbox (race detector) (push) Successful in 4m41s Details Test / Hakurei (push) Successful in 5m7s Details Test / Hpkg (push) Successful in 5m5s Details Test / Hakurei (race detector) (push) Successful in 6m26s Details Test / Flake checks (push) Successful in 1m27s Details This is useful for daemons internal to the container. The only current use case is pipewire-pulse. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 07:21:04 +09:00
Ophestra	6bf245cf1b	container: pass context as setup state All checks were successful Test / Create distribution (push) Successful in 29s Details Test / Sandbox (push) Successful in 2m42s Details Test / Sandbox (race detector) (push) Successful in 4m52s Details Test / Hakurei (push) Successful in 5m26s Details Test / Hpkg (push) Successful in 5m28s Details Test / Hakurei (race detector) (push) Successful in 7m1s Details Test / Flake checks (push) Successful in 1m32s Details This is useful currently for daemon Op, but could be used for many other things. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 06:06:19 +09:00
Ophestra	c8eeb4a4d1	internal/outcome: integrate pipewire server All checks were successful Test / Create distribution (push) Successful in 35s Details Test / Sandbox (push) Successful in 2m37s Details Test / Sandbox (race detector) (push) Successful in 4m37s Details Test / Hakurei (push) Successful in 4m47s Details Test / Hpkg (push) Successful in 4m57s Details Test / Hakurei (race detector) (push) Successful in 6m23s Details Test / Flake checks (push) Successful in 1m31s Details This is very simple and takes almost no inputs. This is not yet hooked up to anything to prevent breaking any existing behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 05:03:16 +09:00
Ophestra	5785714b64	container: call op method right before initial process All checks were successful Test / Create distribution (push) Successful in 35s Details Test / Sandbox (push) Successful in 2m39s Details Test / Sandbox (race detector) (push) Successful in 4m42s Details Test / Hakurei (push) Successful in 4m51s Details Test / Hpkg (push) Successful in 5m1s Details Test / Hakurei (race detector) (push) Successful in 6m23s Details Test / Flake checks (push) Successful in 1m41s Details This is at a point considered to be already "within" the container. Daemons internal to the container can be started here. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 04:57:24 +09:00
Ophestra	422efcf258	hst: check for insecure PulseAudio enablement All checks were successful Test / Create distribution (push) Successful in 37s Details Test / Sandbox (push) Successful in 43s Details Test / Sandbox (race detector) (push) Successful in 42s Details Test / Hakurei (push) Successful in 47s Details Test / Hakurei (race detector) (push) Successful in 46s Details Test / Hpkg (push) Successful in 5m39s Details Test / Flake checks (push) Successful in 1m32s Details This is currently still a noop, but required for #26. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 03:13:02 +09:00
Ophestra	104eeecf65	cmd/hakurei: add pipewire flag All checks were successful Test / Create distribution (push) Successful in 38s Details Test / Sandbox (push) Successful in 2m38s Details Test / Sandbox (race detector) (push) Successful in 4m43s Details Test / Hakurei (push) Successful in 5m3s Details Test / Hpkg (push) Successful in 5m1s Details Test / Hakurei (race detector) (push) Successful in 6m34s Details Test / Flake checks (push) Successful in 1m30s Details This is for "run" command, formerly permissive defaults behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-08 02:39:55 +09:00
Ophestra	bf856f06e5	internal/pipewire: constant for PIPEWIRE_REMOTE All checks were successful Test / Create distribution (push) Successful in 41s Details Test / Sandbox (push) Successful in 2m43s Details Test / Sandbox (race detector) (push) Successful in 4m45s Details Test / Hakurei (push) Successful in 5m2s Details Test / Hpkg (push) Successful in 5m7s Details Test / Hakurei (race detector) (push) Successful in 6m36s Details Test / Flake checks (push) Successful in 1m30s Details This is not defined anywhere in upstream PipeWire, no idea why. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-07 23:35:29 +09:00
Ophestra	1931b54600	hst: add pipewire flag All checks were successful Test / Create distribution (push) Successful in 36s Details Test / Sandbox (push) Successful in 2m36s Details Test / Sandbox (race detector) (push) Successful in 4m47s Details Test / Hpkg (push) Successful in 4m55s Details Test / Hakurei (push) Successful in 4m59s Details Test / Hakurei (race detector) (push) Successful in 6m26s Details Test / Flake checks (push) Successful in 1m31s Details These are for #26. None of them are implemented yet. This fixes up test cases for the change to happen. Existing source code and JSON configuration continue to have the same effect. Existing flags get its EPulse bit replaced by EPipeWire. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-12-07 22:34:40 +09:00