release: 0.3.3

Signed-off-by: Ophestra <cat@gensokyo.uk>
test: check shim private dir cleanup
2025-12-15 20:34:45 +09:00 · 2025-12-15 20:30:19 +09:00 · 2025-12-15 12:57:06 +09:00 · 2025-12-15 12:38:39 +09:00 · 2025-12-15 12:32:46 +09:00 · 2025-12-15 12:29:32 +09:00
460 changed files with 50434 additions and 12742 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -0,0 +1,2 @@
+ColumnLimit: 0
+IndentWidth: 4
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -20,5 +20,5 @@ jobs:
        uses: https://gitea.com/actions/release-action@main
        with:
          files: |-
-            result/fortify-**
+            result/hakurei-**
          api_key: '${{secrets.RELEASE_TOKEN}}'
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -2,28 +2,27 @@ name: Test

 on:
  - push
-  - pull_request

 jobs:
-  fortify:
-    name: Fortify
+  hakurei:
+    name: Hakurei
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hakurei

      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-vm-output"
+          name: "hakurei-vm-output"
          path: result/*
          retention-days: 1

  race:
-    name: Fortify (race detector)
+    name: Hakurei (race detector)
    runs-on: nix
    steps:
      - name: Checkout
@@ -35,7 +34,7 @@ jobs:
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-race-vm-output"
+          name: "hakurei-race-vm-output"
          path: result/*
          retention-days: 1

@@ -73,31 +72,31 @@ jobs:
          path: result/*
          retention-days: 1

-  fpkg:
-    name: Fpkg
+  hpkg:
+    name: Hpkg
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fpkg
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hpkg

      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fpkg-vm-output"
+          name: "hpkg-vm-output"
          path: result/*
          retention-days: 1

  check:
    name: Flake checks
    needs:
-      - fortify
+      - hakurei
      - race
      - sandbox
      - sandbox-race
-      - fpkg
+      - hpkg
    runs-on: nix
    steps:
      - name: Checkout
@@ -116,15 +115,15 @@ jobs:
      - name: Build for test
        id: build-test
        run: >-
-          export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
-          sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
+          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
          nix build --print-out-paths --print-build-logs .#dist &&
          mv package.nix.old package.nix &&
-          echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
+          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT

      - name: Upload test build
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          name: "hakurei-${{ steps.build-test.outputs.rev }}"
          path: result/*
          retention-days: 1
--- a/.github/workflows/README
+++ b/.github/workflows/README
@@ -0,0 +1,5 @@
+DO NOT ADD NEW ACTIONS HERE
+
+This port is solely for releasing to the github mirror and serves no purpose during development.
+All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
+request for an account on git.gensokyo.uk.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,46 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: nixbuild/nix-quick-install-action@v32
+        with:
+          nix_conf: |
+            keep-env-derivations = true
+            keep-outputs = true
+
+      - name: Restore and cache Nix store
+        uses: nix-community/cache-nix-action@v6
+        with:
+          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: build-${{ runner.os }}-
+          gc-max-store-size-linux: 1G
+          purge: true
+          purge-prefixes: build-${{ runner.os }}-
+          purge-created: 60
+          purge-primary-key: never
+
+      - name: Build for release
+        run: nix build --print-out-paths --print-build-logs .#dist
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |-
+            result/hakurei-**
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,48 @@
+name: Test
+
+on:
+  - push
+
+jobs:
+  dist:
+    name: Create distribution
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: nixbuild/nix-quick-install-action@v32
+        with:
+          nix_conf: |
+            keep-env-derivations = true
+            keep-outputs = true
+
+      - name: Restore and cache Nix store
+        uses: nix-community/cache-nix-action@v6
+        with:
+          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: build-${{ runner.os }}-
+          gc-max-store-size-linux: 1G
+          purge: true
+          purge-prefixes: build-${{ runner.os }}-
+          purge-created: 60
+          purge-primary-key: never
+
+      - name: Build for test
+        id: build-test
+        run: >-
+          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
+          nix build --print-out-paths --print-build-logs .#dist &&
+          mv package.nix.old package.nix &&
+          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
+
+      - name: Upload test build
+        uses: actions/upload-artifact@v4
+        with:
+          name: "hakurei-${{ steps.build-test.outputs.rev }}"
+          path: result/*
+          retention-days: 1
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@
 *.so
 *.dylib
 *.pkg
-/fortify
+/hakurei

 # Test binary, built with `go test -c`
 *.test
@@ -26,7 +26,10 @@ go.work.sum
 .vscode

 # go generate
-security-context-v1-protocol.*
+/cmd/hakurei/LICENSE

 # release
-/dist/fortify-*
+/dist/hakurei-*
+
+# interactive nixos vm
+nixos.qcow2
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-Copyright (c) 2024 Ophestra Umiker
+Copyright (c) 2024-2025 Ophestra

 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

--- a/README.md
+++ b/README.md
@@ -1,77 +1,84 @@
-Fortify
-=======
+<p align="center">
+  <a href="https://git.gensokyo.uk/security/hakurei">
+    <picture>
+      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
+    </picture>
+  </a>
+</p>

-[![Go Reference](https://pkg.go.dev/badge/git.gensokyo.uk/security/fortify.svg)](https://pkg.go.dev/git.gensokyo.uk/security/fortify)
-[![Go Report Card](https://goreportcard.com/badge/git.gensokyo.uk/security/fortify)](https://goreportcard.com/report/git.gensokyo.uk/security/fortify)
+<p align="center">
+  <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
+  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <br/>
+  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
+  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
+</p>

-Lets you run graphical applications as another user in a confined environment with a nice NixOS
-module to configure target users and provide launchers and desktop files for your privileged user.
+Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
+It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
+a self-contained Android-like package manager with modern security features.

-Why would you want this?
+## NixOS Module usage

- It protects the desktop environment from applications.
-
- It protects applications from each other.
-
- It provides UID isolation on top of the standard application sandbox.
-
-If you have a flakes-enabled nix environment, you can try out the tool by running:
-
-```shell
-nix run git+https://git.gensokyo.uk/security/fortify -- help
-```
-
-## Module usage
-
-The NixOS module currently requires home-manager to function correctly.
-
-Full module documentation can be found [here](options.md).
+The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).

 To use the module, import it into your configuration with

 ```nix
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";

-    fortify = {
-      url = "git+https://git.gensokyo.uk/security/fortify";
+    hakurei = {
+      url = "git+https://git.gensokyo.uk/security/hakurei";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

-  outputs = { self, nixpkgs, fortify, ... }:
+  outputs = { self, nixpkgs, hakurei, ... }:
  {
-    nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
-        fortify.nixosModules.fortify
+        hakurei.nixosModules.hakurei
      ];
    };
  };
 }
 ```

-This adds the `environment.fortify` option:
+This adds the `environment.hakurei` option:

 ```nix
 { pkgs, ... }:

 {
-  environment.fortify = {
+  environment.hakurei = {
    enable = true;
-    stateDir = "/var/lib/persist/module/fortify";
+    stateDir = "/var/lib/hakurei";
    users = {
      alice = 0;
      nixos = 10;
    };

-    apps = [
+    commonPaths = [
      {
+        src = "/sdcard";
+        write = true;
+      }
+    ];
+
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
+
+    apps = {
+      "org.chromium.Chromium" = {
        name = "chromium";
-        id = "org.chromium.Chromium";
+        identity = 1;
        packages = [ pkgs.chromium ];
        userns = true;
        mapRealUid = true;
@@ -104,16 +111,20 @@ This adds the `environment.fortify` option:
              broadcast = { };
            };
        };
-      }
-      {
+      };
+
+      "org.claws_mail.Claws-Mail" = {
        name = "claws-mail";
-        id = "org.claws_mail.Claws-Mail";
+        identity = 2;
        packages = [ pkgs.claws-mail ];
        gpu = false;
        capability.pulse = false;
-      }
-      {
+      };
+
+      "org.weechat" = {
        name = "weechat";
+        identity = 3;
+        shareUid = true;
        packages = [ pkgs.weechat ];
        capability = {
          wayland = false;
@@ -121,10 +132,12 @@ This adds the `environment.fortify` option:
          dbus = true;
          pulse = false;
        };
-      }
-      {
+      };
+
+      "dev.vencord.Vesktop" = {
        name = "discord";
-        id = "dev.vencord.Vesktop";
+        identity = 3;
+        shareUid = true;
        packages = [ pkgs.vesktop ];
        share = pkgs.vesktop;
        command = "vesktop --ozone-platform-hint=wayland";
@@ -142,9 +155,12 @@ This adds the `environment.fortify` option:
            };
          system.filter = true;
        };
-      }
-      {
+      };
+
+      "io.looking-glass" = {
        name = "looking-glass-client";
+        identity = 4;
+        useCommonPaths = false;
        groups = [ "plugdev" ];
        extraPaths = [
          {
@@ -155,8 +171,8 @@ This adds the `environment.fortify` option:
        extraConfig = {
          programs.looking-glass-client.enable = true;
        };
-      }
-    ];
+      };
+    };
  };
 }
 ```
--- a/acl/acl-update.h
+++ b/acl/acl-update.h
@@ -1,3 +0,0 @@
-#include <sys/acl.h>
-
-int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen);
--- a/acl/acl_getfacl_test.go
+++ b/acl/acl_getfacl_test.go
@@ -1,156 +0,0 @@
-package acl_test
-
-import (
-	"bufio"
-	"bytes"
-	"errors"
-	"fmt"
-	"io"
-	"os/exec"
-	"strconv"
-)
-
-type (
-	getFAclInvocation struct {
-		cmd *exec.Cmd
-		val []*getFAclResp
-		pe  []error
-	}
-
-	getFAclResp struct {
-		typ  fAclType
-		cred int32
-		val  fAclPerm
-
-		raw []byte
-	}
-
-	fAclPerm uintptr
-	fAclType uint8
-)
-
-const fAclBufSize = 16
-
-const (
-	fAclPermRead fAclPerm = 1 << iota
-	fAclPermWrite
-	fAclPermExecute
-)
-
-const (
-	fAclTypeUser fAclType = iota
-	fAclTypeGroup
-	fAclTypeMask
-	fAclTypeOther
-)
-
-func (c *getFAclInvocation) run(name string) error {
-	if c.cmd != nil {
-		panic("attempted to run twice")
-	}
-
-	c.cmd = exec.Command("getfacl", "--omit-header", "--absolute-names", "--numeric", name)
-
-	scanErr := make(chan error, 1)
-	if p, err := c.cmd.StdoutPipe(); err != nil {
-		return err
-	} else {
-		go c.parse(p, scanErr)
-	}
-
-	if err := c.cmd.Start(); err != nil {
-		return err
-	}
-
-	return errors.Join(<-scanErr, c.cmd.Wait())
-}
-
-func (c *getFAclInvocation) parse(pipe io.Reader, scanErr chan error) {
-	c.val = make([]*getFAclResp, 0, 4+fAclBufSize)
-
-	s := bufio.NewScanner(pipe)
-	for s.Scan() {
-		fields := bytes.SplitN(s.Bytes(), []byte{':'}, 3)
-		if len(fields) != 3 {
-			continue
-		}
-
-		resp := getFAclResp{}
-
-		switch string(fields[0]) {
-		case "user":
-			resp.typ = fAclTypeUser
-		case "group":
-			resp.typ = fAclTypeGroup
-		case "mask":
-			resp.typ = fAclTypeMask
-		case "other":
-			resp.typ = fAclTypeOther
-		default:
-			c.pe = append(c.pe, fmt.Errorf("unknown type %s", string(fields[0])))
-			continue
-		}
-
-		if len(fields[1]) == 0 {
-			resp.cred = -1
-		} else {
-			if cred, err := strconv.Atoi(string(fields[1])); err != nil {
-				c.pe = append(c.pe, err)
-				continue
-			} else {
-				resp.cred = int32(cred)
-				if resp.cred < 0 {
-					c.pe = append(c.pe, fmt.Errorf("credential %d out of range", resp.cred))
-					continue
-				}
-			}
-		}
-
-		if len(fields[2]) != 3 {
-			c.pe = append(c.pe, fmt.Errorf("invalid perm length %d", len(fields[2])))
-			continue
-		} else {
-			switch fields[2][0] {
-			case 'r':
-				resp.val |= fAclPermRead
-			case '-':
-			default:
-				c.pe = append(c.pe, fmt.Errorf("invalid perm %v", fields[2][0]))
-				continue
-			}
-			switch fields[2][1] {
-			case 'w':
-				resp.val |= fAclPermWrite
-			case '-':
-			default:
-				c.pe = append(c.pe, fmt.Errorf("invalid perm %v", fields[2][1]))
-				continue
-			}
-			switch fields[2][2] {
-			case 'x':
-				resp.val |= fAclPermExecute
-			case '-':
-			default:
-				c.pe = append(c.pe, fmt.Errorf("invalid perm %v", fields[2][2]))
-				continue
-			}
-		}
-
-		resp.raw = make([]byte, len(s.Bytes()))
-		copy(resp.raw, s.Bytes())
-		c.val = append(c.val, &resp)
-	}
-	scanErr <- s.Err()
-}
-
-func (r *getFAclResp) String() string {
-	if r.raw != nil && len(r.raw) > 0 {
-		return string(r.raw)
-	}
-
-	return "(user-initialised resp value)"
-}
-
-func (r *getFAclResp) equals(typ fAclType, cred int32, val fAclPerm) bool {
-	return r.typ == typ && r.cred == cred && r.val == val
-}
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -1,125 +0,0 @@
-package acl_test
-
-import (
-	"errors"
-	"os"
-	"path"
-	"reflect"
-	"testing"
-
-	"git.gensokyo.uk/security/fortify/acl"
-)
-
-const testFileName = "acl.test"
-
-var (
-	uid  = os.Geteuid()
-	cred = int32(os.Geteuid())
-)
-
-func TestUpdatePerm(t *testing.T) {
-	if os.Getenv("GO_TEST_SKIP_ACL") == "1" {
-		t.Log("acl test skipped")
-		t.SkipNow()
-	}
-
-	testFilePath := path.Join(t.TempDir(), testFileName)
-
-	if f, err := os.Create(testFilePath); err != nil {
-		t.Fatalf("Create: error = %v", err)
-	} else {
-		if err = f.Close(); err != nil {
-			t.Fatalf("Close: error = %v", err)
-		}
-	}
-	defer func() {
-		if err := os.Remove(testFilePath); err != nil {
-			t.Fatalf("Remove: error = %v", err)
-		}
-	}()
-
-	cur := getfacl(t, testFilePath)
-
-	t.Run("default entry count", func(t *testing.T) {
-		if len(cur) != 3 {
-			t.Fatalf("unexpected test file acl length %d", len(cur))
-		}
-	})
-
-	t.Run("default clear mask", func(t *testing.T) {
-		if err := acl.Update(testFilePath, uid); err != nil {
-			t.Fatalf("UpdatePerm: error = %v", err)
-		}
-		if cur = getfacl(t, testFilePath); len(cur) != 4 {
-			t.Fatalf("UpdatePerm: %v", cur)
-		}
-	})
-
-	t.Run("default clear consistency", func(t *testing.T) {
-		if err := acl.Update(testFilePath, uid); err != nil {
-			t.Fatalf("UpdatePerm: error = %v", err)
-		}
-		if val := getfacl(t, testFilePath); !reflect.DeepEqual(val, cur) {
-			t.Fatalf("UpdatePerm: %v, want %v", val, cur)
-		}
-	})
-
-	testUpdate(t, testFilePath, "r--", cur, fAclPermRead, acl.Read)
-	testUpdate(t, testFilePath, "-w-", cur, fAclPermWrite, acl.Write)
-	testUpdate(t, testFilePath, "--x", cur, fAclPermExecute, acl.Execute)
-	testUpdate(t, testFilePath, "-wx", cur, fAclPermWrite|fAclPermExecute, acl.Write, acl.Execute)
-	testUpdate(t, testFilePath, "r-x", cur, fAclPermRead|fAclPermExecute, acl.Read, acl.Execute)
-	testUpdate(t, testFilePath, "rw-", cur, fAclPermRead|fAclPermWrite, acl.Read, acl.Write)
-	testUpdate(t, testFilePath, "rwx", cur, fAclPermRead|fAclPermWrite|fAclPermExecute, acl.Read, acl.Write, acl.Execute)
-}
-
-func testUpdate(t *testing.T, testFilePath, name string, cur []*getFAclResp, val fAclPerm, perms ...acl.Perm) {
-	t.Run(name, func(t *testing.T) {
-		t.Cleanup(func() {
-			if err := acl.Update(testFilePath, uid); err != nil {
-				t.Fatalf("UpdatePerm: error = %v", err)
-			}
-			if v := getfacl(t, testFilePath); !reflect.DeepEqual(v, cur) {
-				t.Fatalf("UpdatePerm: %v, want %v", v, cur)
-			}
-		})
-
-		if err := acl.Update(testFilePath, uid, perms...); err != nil {
-			t.Fatalf("UpdatePerm: error = %v", err)
-		}
-		r := respByCred(getfacl(t, testFilePath), fAclTypeUser, cred)
-		if r == nil {
-			t.Fatalf("UpdatePerm did not add an ACL entry")
-		}
-		if !r.equals(fAclTypeUser, cred, val) {
-			t.Fatalf("UpdatePerm(%s) = %s", name, r)
-		}
-	})
-}
-
-func getfacl(t *testing.T, name string) []*getFAclResp {
-	c := new(getFAclInvocation)
-	if err := c.run(name); err != nil {
-		t.Fatalf("getfacl: error = %v", err)
-	}
-	if len(c.pe) != 0 {
-		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...).Error())
-	}
-	return c.val
-}
-
-func respByCred(v []*getFAclResp, typ fAclType, cred int32) *getFAclResp {
-	j := -1
-	for i, r := range v {
-		if r.typ == typ && r.cred == cred {
-			if j != -1 {
-				panic("invalid acl")
-			}
-			j = i
-		}
-	}
-	if j == -1 {
-		return nil
-	}
-	return v[j]
-}
--- a/cmd/fpkg/app.go
+++ b/cmd/fpkg/app.go
@@ -1,149 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"os"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-type appInfo struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-
-	// passed through to [fst.Config]
-	ID string `json:"id"`
-	// passed through to [fst.Config]
-	AppID int `json:"app_id"`
-	// passed through to [fst.Config]
-	Groups []string `json:"groups,omitempty"`
-	// passed through to [fst.Config]
-	Devel bool `json:"devel,omitempty"`
-	// passed through to [fst.Config]
-	Userns bool `json:"userns,omitempty"`
-	// passed through to [fst.Config]
-	Net bool `json:"net,omitempty"`
-	// passed through to [fst.Config]
-	Dev bool `json:"dev,omitempty"`
-	// passed through to [fst.Config]
-	Tty bool `json:"tty,omitempty"`
-	// passed through to [fst.Config]
-	MapRealUID bool `json:"map_real_uid,omitempty"`
-	// passed through to [fst.Config]
-	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// passed through to [fst.Config]
-	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// passed through to [fst.Config]
-	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// passed through to [fst.Config]
-	Enablements system.Enablement `json:"enablements"`
-
-	// passed through to [fst.Config]
-	Multiarch bool `json:"multiarch,omitempty"`
-	// passed through to [fst.Config]
-	Bluetooth bool `json:"bluetooth,omitempty"`
-
-	// allow gpu access within sandbox
-	GPU bool `json:"gpu"`
-	// store path to nixGL mesa wrappers
-	Mesa string `json:"mesa,omitempty"`
-	// store path to nixGL source
-	NixGL string `json:"nix_gl,omitempty"`
-	// store path to activate-and-exec script
-	Launcher string `json:"launcher"`
-	// store path to /run/current-system
-	CurrentSystem string `json:"current_system"`
-	// store path to home-manager activation package
-	ActivationPackage string `json:"activation_package"`
-}
-
-func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *fst.Config {
-	config := &fst.Config{
-		ID:   app.ID,
-		Path: argv[0],
-		Args: argv,
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Groups:   app.Groups,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", app.ID),
-			Outer:    pathSet.homeDir,
-			Sandbox: &fst.SandboxConfig{
-				Hostname:      formatHostname(app.Name),
-				Devel:         app.Devel,
-				Userns:        app.Userns,
-				Net:           app.Net,
-				Dev:           app.Dev,
-				Tty:           app.Tty || flagDropShell,
-				MapRealUID:    app.MapRealUID,
-				DirectWayland: app.DirectWayland,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
-					{Src: "/etc/resolv.conf"},
-					{Src: "/sys/block"},
-					{Src: "/sys/bus"},
-					{Src: "/sys/class"},
-					{Src: "/sys/dev"},
-					{Src: "/sys/devices"},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			},
-			SystemBus:   app.SystemBus,
-			SessionBus:  app.SessionBus,
-			Enablements: app.Enablements,
-		},
-	}
-	if app.Multiarch {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FlagMultiarch
-	}
-	if app.Bluetooth {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FlagBluetooth
-	}
-	return config
-}
-
-func loadAppInfo(name string, beforeFail func()) *appInfo {
-	bundle := new(appInfo)
-	if f, err := os.Open(name); err != nil {
-		beforeFail()
-		log.Fatalf("cannot open bundle: %v", err)
-	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
-		beforeFail()
-		log.Fatalf("cannot parse bundle metadata: %v", err)
-	} else if err = f.Close(); err != nil {
-		log.Printf("cannot close bundle metadata: %v", err)
-		// not fatal
-	}
-
-	if bundle.ID == "" {
-		beforeFail()
-		log.Fatal("application identifier must not be empty")
-	}
-
-	return bundle
-}
-
-func formatHostname(name string) string {
-	if h, err := os.Hostname(); err != nil {
-		log.Printf("cannot get hostname: %v", err)
-		return "fortify-" + name
-	} else {
-		return h + "-" + name
-	}
-}
--- a/cmd/fpkg/paths.go
+++ b/cmd/fpkg/paths.go
@@ -1,101 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"strconv"
-	"sync/atomic"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-var (
-	dataHome string
-)
-
-func init() {
-	// dataHome
-	if p, ok := os.LookupEnv("FORTIFY_DATA_HOME"); ok {
-		dataHome = p
-	} else {
-		dataHome = "/var/lib/fortify/" + strconv.Itoa(os.Getuid())
-	}
-}
-
-func lookPath(file string) string {
-	if p, err := exec.LookPath(file); err != nil {
-		log.Fatalf("%s: command not found", file)
-		return ""
-	} else {
-		return p
-	}
-}
-
-var beforeRunFail = new(atomic.Pointer[func()])
-
-func mustRun(name string, arg ...string) {
-	fmsg.Verbosef("spawning process: %q %q", name, arg)
-	cmd := exec.Command(name, arg...)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	if err := cmd.Run(); err != nil {
-		if f := beforeRunFail.Swap(nil); f != nil {
-			(*f)()
-		}
-		log.Fatalf("%s: %v", name, err)
-	}
-}
-
-type appPathSet struct {
-	// ${dataHome}/${id}
-	baseDir string
-	// ${baseDir}/app
-	metaPath string
-	// ${baseDir}/files
-	homeDir string
-	// ${baseDir}/cache
-	cacheDir string
-	// ${baseDir}/cache/nix
-	nixPath string
-}
-
-func pathSetByApp(id string) *appPathSet {
-	pathSet := new(appPathSet)
-	pathSet.baseDir = path.Join(dataHome, id)
-	pathSet.metaPath = path.Join(pathSet.baseDir, "app")
-	pathSet.homeDir = path.Join(pathSet.baseDir, "files")
-	pathSet.cacheDir = path.Join(pathSet.baseDir, "cache")
-	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
-	return pathSet
-}
-
-func appendGPUFilesystem(config *fst.Config) {
-	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
-		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
-		{Src: "/dev/dri", Device: true},
-		// mali
-		{Src: "/dev/mali", Device: true},
-		{Src: "/dev/mali0", Device: true},
-		{Src: "/dev/umplock", Device: true},
-		// nvidia
-		{Src: "/dev/nvidiactl", Device: true},
-		{Src: "/dev/nvidia-modeset", Device: true},
-		// nvidia OpenCL/CUDA
-		{Src: "/dev/nvidia-uvm", Device: true},
-		{Src: "/dev/nvidia-uvm-tools", Device: true},
-
-		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
-		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
-		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
-		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
-		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
-		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
-		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
-		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
-		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
-		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
-		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
-	}...)
-}
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@@ -1,28 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
-	rs := new(fst.RunState)
-	a := app.MustNew(ctx, std)
-
-	if sa, err := a.Seal(config); err != nil {
-		fmsg.PrintBaseError(err, "cannot seal app:")
-		rs.ExitCode = 1
-	} else {
-		// this updates ExitCode
-		app.PrintRunStateErr(rs, sa.Run(rs))
-	}
-
-	if rs.ExitCode != 0 {
-		beforeFail()
-		os.Exit(rs.ExitCode)
-	}
-}
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@@ -1,108 +0,0 @@
-package main
-
-import (
-	"context"
-	"path"
-	"strings"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-)
-
-func withNixDaemon(
-	ctx context.Context,
-	action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	mustRunAppDropShell(ctx, updateConfig(&fst.Config{
-		ID:   app.ID,
-		Path: shellPath,
-		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
-			// start nix-daemon
-			"nix-daemon --store / & " +
-			// wait for socket to appear
-			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
-			// create directory so nix stops complaining
-			"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
-			strings.Join(command, " && ") +
-			// terminate nix-daemon
-			" && pkill nix-daemon",
-		},
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", app.ID),
-			Outer:    pathSet.homeDir,
-			Sandbox: &fst.SandboxConfig{
-				Hostname: formatHostname(app.Name) + "-" + action,
-				Userns:   true, // nix sandbox requires userns
-				Net:      net,
-				Seccomp:  seccomp.FlagMultiarch,
-				Tty:      dropShell,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			},
-		},
-	}), dropShell, beforeFail)
-}
-
-func withCacheDir(
-	ctx context.Context,
-	action string, command []string, workDir string,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
-	mustRunAppDropShell(ctx, &fst.Config{
-		ID:   app.ID,
-		Path: shellPath,
-		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Username: "nixos",
-			Inner:    path.Join("/data/data", app.ID, "cache"),
-			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
-			Sandbox: &fst.SandboxConfig{
-				Hostname: formatHostname(app.Name) + "-" + action,
-				Seccomp:  seccomp.FlagMultiarch,
-				Tty:      dropShell,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(workDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-				{Path: workDir, Execute: true},
-			},
-		},
-	}, dropShell, beforeFail)
-}
-
-func mustRunAppDropShell(ctx context.Context, config *fst.Config, dropShell bool, beforeFail func()) {
-	if dropShell {
-		config.Args = []string{shellPath, "-l"}
-		mustRunApp(ctx, config, beforeFail)
-		beforeFail()
-		internal.Exit(0)
-	}
-	mustRunApp(ctx, config, beforeFail)
-}
--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
@@ -1,30 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fortify ? abort "fortify package required",
-}:
-
-buildGoModule {
-  pname = "${fortify.pname}-fsu";
-  inherit (fortify) version;
-
-  src = ./.;
-  inherit (fortify) vendorHash;
-  CGO_ENABLED = 0;
-
-  preBuild = ''
-    go mod init fsu >& /dev/null
-  '';
-
-  ldflags =
-    lib.attrsets.foldlAttrs
-      (
-        ldflags: name: value:
-        ldflags ++ [ "-X main.${name}=${value}" ]
-      )
-      [ "-s -w" ]
-      {
-        fmain = "${fortify}/libexec/fortify";
-        fpkg = "${fortify}/libexec/fpkg";
-      };
-}
--- a/cmd/fsu/parse.go
+++ b/cmd/fsu/parse.go
@@ -1,67 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"strings"
-)
-
-func parseUint32Fast(s string) (int, error) {
-	sLen := len(s)
-	if sLen < 1 {
-		return -1, errors.New("zero length string")
-	}
-	if sLen > 10 {
-		return -1, errors.New("string too long")
-	}
-
-	n := 0
-	for i, ch := range []byte(s) {
-		ch -= '0'
-		if ch > 9 {
-			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
-		}
-		n = n*10 + int(ch)
-	}
-	return n, nil
-}
-
-func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
-	s := bufio.NewScanner(r)
-	var line, puid0 int
-	for s.Scan() {
-		line++
-
-		// <puid> <fid>
-		lf := strings.SplitN(s.Text(), " ", 2)
-		if len(lf) != 2 {
-			return -1, false, fmt.Errorf("invalid entry on line %d", line)
-		}
-
-		puid0, err = parseUint32Fast(lf[0])
-		if err != nil || puid0 < 1 {
-			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
-		}
-
-		ok = puid0 == puid
-		if ok {
-			// allowed fid range 0 to 99
-			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
-				return -1, false, fmt.Errorf("invalid fortify uid on line %d", line)
-			}
-			return
-		}
-	}
-	return -1, false, s.Err()
-}
-
-func mustParseConfig(r io.Reader, puid int) (int, bool) {
-	fid, ok, err := parseConfig(r, puid)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return fid, ok
-}
--- a/cmd/fsu/path.go
+++ b/cmd/fsu/path.go
@@ -1,21 +0,0 @@
-package main
-
-import (
-	"log"
-	"path"
-)
-
-const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
-
-var (
-	fmain = compPoison
-	fpkg  = compPoison
-)
-
-func mustCheckPath(p string) string {
-	if p != compPoison && p != "" && path.IsAbs(p) {
-		return p
-	}
-	log.Fatal("this program is compiled incorrectly")
-	return compPoison
-}
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -0,0 +1,364 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"sync"
+	"time"
+	_ "unsafe" // for go:linkname
+
+	"hakurei.app/command"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/hst"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/env"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/message"
+)
+
+// optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
+// if it is not nil, or the original value if it is.
+//
+//go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
+func optionalErrorUnwrap(err error) error
+
+func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
+	var (
+		flagVerbose bool
+		flagJSON    bool
+	)
+	c := command.New(out, log.Printf, "hakurei", func([]string) error {
+		msg.SwapVerbose(flagVerbose)
+
+		if early.yamaLSM != nil {
+			msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", early.yamaLSM)
+			// not fatal
+		}
+
+		if early.dumpable != nil {
+			log.Printf("cannot set SUID_DUMP_DISABLE: %s", early.dumpable)
+			// not fatal
+		}
+
+		return nil
+	}).
+		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
+
+	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
+
+	{
+		var (
+			flagIdentifierFile int
+		)
+		c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
+			if len(args) < 1 {
+				log.Fatal("app requires at least 1 argument")
+			}
+
+			config := tryPath(msg, args[0])
+			if config != nil && config.Container != nil {
+				config.Container.Args = append(config.Container.Args, args[1:]...)
+			}
+
+			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			panic("unreachable")
+		}).
+			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
+				"Write identifier of current instance to fd after successful startup")
+	}
+
+	{
+		var (
+			flagDBusConfigSession string
+			flagDBusConfigSystem  string
+			flagDBusMpris         bool
+			flagDBusVerbose       bool
+
+			flagID       string
+			flagIdentity int
+			flagGroups   command.RepeatableFlag
+			flagHomeDir  string
+			flagUserName string
+
+			flagPrivateRuntime, flagPrivateTmpdir bool
+
+			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
+		)
+
+		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
+			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
+				log.Fatalf("identity %d out of range", flagIdentity)
+			}
+
+			// resolve home/username from os when flag is unset
+			var (
+				passwd     *user.User
+				passwdOnce sync.Once
+				passwdFunc = func() {
+					us := strconv.Itoa(hst.ToUser(new(outcome.Hsu).MustID(msg), flagIdentity))
+					if u, err := user.LookupId(us); err != nil {
+						msg.Verbosef("cannot look up uid %s", us)
+						passwd = &user.User{
+							Uid:      us,
+							Gid:      us,
+							Username: "chronos",
+							Name:     "Hakurei Permissive Default",
+							HomeDir:  fhs.VarEmpty,
+						}
+					} else {
+						passwd = u
+					}
+				}
+			)
+
+			// paths are identical, resolve inner shell and program path
+			shell := fhs.AbsRoot.Append("bin", "sh")
+			if a, err := check.NewAbs(os.Getenv("SHELL")); err == nil {
+				shell = a
+			}
+			progPath := shell
+			if len(args) > 0 {
+				if p, err := exec.LookPath(args[0]); err != nil {
+					log.Fatal(optionalErrorUnwrap(err))
+					return err
+				} else if progPath, err = check.NewAbs(p); err != nil {
+					log.Fatal(err.Error())
+					return err
+				}
+			}
+
+			var et hst.Enablement
+			if flagWayland {
+				et |= hst.EWayland
+			}
+			if flagX11 {
+				et |= hst.EX11
+			}
+			if flagDBus {
+				et |= hst.EDBus
+			}
+			if flagPipeWire || flagPulse {
+				et |= hst.EPipeWire
+			}
+
+			config := &hst.Config{
+				ID:          flagID,
+				Identity:    flagIdentity,
+				Groups:      flagGroups,
+				Enablements: hst.NewEnablements(et),
+
+				Container: &hst.ContainerConfig{
+					Filesystem: []hst.FilesystemConfigJSON{
+						// autoroot, includes the home directory
+						{FilesystemConfig: &hst.FSBind{
+							Target:  fhs.AbsRoot,
+							Source:  fhs.AbsRoot,
+							Write:   true,
+							Special: true,
+						}},
+					},
+
+					Username: flagUserName,
+					Shell:    shell,
+
+					Path: progPath,
+					Args: args,
+
+					Flags: hst.FUserns | hst.FHostNet | hst.FHostAbstract | hst.FTty,
+				},
+			}
+
+			// bind GPU stuff
+			if et&(hst.EX11|hst.EWayland) != 0 {
+				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+					Source:   fhs.AbsDev.Append("dri"),
+					Device:   true,
+					Optional: true,
+				}})
+			}
+
+			config.Container.Filesystem = append(config.Container.Filesystem,
+				// opportunistically bind kvm
+				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+					Source:   fhs.AbsDev.Append("kvm"),
+					Device:   true,
+					Optional: true,
+				}},
+
+				// do autoetc last
+				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+					Target:  fhs.AbsEtc,
+					Source:  fhs.AbsEtc,
+					Special: true,
+				}},
+			)
+
+			if config.Container.Username == "chronos" {
+				passwdOnce.Do(passwdFunc)
+				config.Container.Username = passwd.Username
+			}
+
+			{
+				homeDir := flagHomeDir
+				if homeDir == "os" {
+					passwdOnce.Do(passwdFunc)
+					homeDir = passwd.HomeDir
+				}
+				if a, err := check.NewAbs(homeDir); err != nil {
+					log.Fatal(err.Error())
+					return err
+				} else {
+					config.Container.Home = a
+				}
+			}
+
+			if !flagPrivateRuntime {
+				config.Container.Flags |= hst.FShareRuntime
+			}
+			if !flagPrivateTmpdir {
+				config.Container.Flags |= hst.FShareTmpdir
+			}
+
+			// parse D-Bus config file from flags if applicable
+			if flagDBus {
+				if flagDBusConfigSession == "builtin" {
+					config.SessionBus = dbus.NewConfig(flagID, true, flagDBusMpris)
+				} else {
+					if f, err := os.Open(flagDBusConfigSession); err != nil {
+						log.Fatal(err.Error())
+					} else {
+						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
+						if err = f.Close(); err != nil {
+							log.Fatal(err.Error())
+						}
+					}
+				}
+
+				// system bus proxy is optional
+				if flagDBusConfigSystem != "nil" {
+					if f, err := os.Open(flagDBusConfigSystem); err != nil {
+						log.Fatal(err.Error())
+					} else {
+						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
+						if err = f.Close(); err != nil {
+							log.Fatal(err.Error())
+						}
+					}
+				}
+
+				// override log from configuration
+				if flagDBusVerbose {
+					if config.SessionBus != nil {
+						config.SessionBus.Log = true
+					}
+					if config.SystemBus != nil {
+						config.SystemBus.Log = true
+					}
+				}
+			}
+
+			outcome.Main(ctx, msg, config, -1)
+			panic("unreachable")
+		}).
+			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
+				"Path to session bus proxy config file, or \"builtin\" for defaults").
+			Flag(&flagDBusConfigSystem, "dbus-system", command.StringFlag("nil"),
+				"Path to system bus proxy config file, or \"nil\" to disable").
+			Flag(&flagDBusMpris, "mpris", command.BoolFlag(false),
+				"Allow owning MPRIS D-Bus path, has no effect if custom config is available").
+			Flag(&flagDBusVerbose, "dbus-log", command.BoolFlag(false),
+				"Force buffered logging in the D-Bus proxy").
+			Flag(&flagID, "id", command.StringFlag(""),
+				"Reverse-DNS style Application identifier, leave empty to inherit instance identifier").
+			Flag(&flagIdentity, "a", command.IntFlag(0),
+				"Application identity").
+			Flag(nil, "g", &flagGroups,
+				"Groups inherited by all container processes").
+			Flag(&flagHomeDir, "d", command.StringFlag("os"),
+				"Container home directory").
+			Flag(&flagUserName, "u", command.StringFlag("chronos"),
+				"Passwd user name within sandbox").
+			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
+				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
+			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
+				"Do not share TMPDIR between containers under the same identity").
+			Flag(&flagWayland, "wayland", command.BoolFlag(false),
+				"Enable connection to Wayland via security-context-v1").
+			Flag(&flagX11, "X", command.BoolFlag(false),
+				"Enable direct connection to X11").
+			Flag(&flagDBus, "dbus", command.BoolFlag(false),
+				"Enable proxied connection to D-Bus").
+			Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
+				"Enable connection to PipeWire via SecurityContext").
+			Flag(&flagPulse, "pulse", command.BoolFlag(false),
+				"Enable PulseAudio compatibility daemon")
+	}
+
+	{
+		var (
+			flagShort   bool
+			flagNoStore bool
+		)
+		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
+			switch len(args) {
+			case 0: // system
+				printShowSystem(os.Stdout, flagShort, flagJSON)
+
+			case 1: // instance
+				name := args[0]
+
+				var (
+					config *hst.Config
+					entry  *hst.State
+				)
+				if !flagNoStore {
+					var sc hst.Paths
+					env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+					entry = tryIdentifier(msg, name, outcome.NewStore(&sc))
+				}
+
+				if entry == nil {
+					config = tryPath(msg, name)
+				} else {
+					config = entry.Config
+				}
+
+				if !printShowInstance(os.Stdout, time.Now().UTC(), entry, config, flagShort, flagJSON) {
+					os.Exit(1)
+				}
+
+			default:
+				log.Fatal("show requires 1 argument")
+			}
+			return errSuccess
+		}).
+			Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information").
+			Flag(&flagNoStore, "no-store", command.BoolFlag(false), "Do not attempt to match from active instances")
+	}
+
+	{
+		var flagShort bool
+		c.NewCommand("ps", "List active instances", func(args []string) error {
+			var sc hst.Paths
+			env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+			printPs(msg, os.Stdout, time.Now().UTC(), outcome.NewStore(&sc), flagShort, flagJSON)
+			return errSuccess
+		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
+	}
+
+	c.Command("version", "Display version information", func(args []string) error { fmt.Println(info.Version()); return errSuccess })
+	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
+	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
+	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })
+
+	return c
+}
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -0,0 +1,92 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"flag"
+	"testing"
+
+	"hakurei.app/command"
+	"hakurei.app/message"
+)
+
+func TestHelp(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		args []string
+		want string
+	}{
+		{
+			"main", []string{}, `
+Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+
+Commands:
+    app         Load and start container from configuration file
+    run         Configure and start a permissive container
+    show        Show live or local app configuration
+    ps          List active instances
+    version     Display version information
+    license     Show full license text
+    template    Produce a config template
+    help        Show this help message
+
+`,
+		},
+		{
+			"run", []string{"run", "-h"}, `
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
+
+Flags:
+  -X	Enable direct connection to X11
+  -a int
+    	Application identity
+  -d string
+    	Container home directory (default "os")
+  -dbus
+    	Enable proxied connection to D-Bus
+  -dbus-config string
+    	Path to session bus proxy config file, or "builtin" for defaults (default "builtin")
+  -dbus-log
+    	Force buffered logging in the D-Bus proxy
+  -dbus-system string
+    	Path to system bus proxy config file, or "nil" to disable (default "nil")
+  -g value
+    	Groups inherited by all container processes
+  -id string
+    	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
+  -mpris
+    	Allow owning MPRIS D-Bus path, has no effect if custom config is available
+  -pipewire
+    	Enable connection to PipeWire via SecurityContext
+  -private-runtime
+    	Do not share XDG_RUNTIME_DIR between containers under the same identity
+  -private-tmpdir
+    	Do not share TMPDIR between containers under the same identity
+  -pulse
+    	Enable PulseAudio compatibility daemon
+  -u string
+    	Passwd user name within sandbox (default "chronos")
+  -wayland
+    	Enable connection to Wayland via security-context-v1
+
+`,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			out := new(bytes.Buffer)
+			c := buildCommand(t.Context(), message.New(nil), new(earlyHardeningErrs), out)
+			if err := c.Parse(tc.args); !errors.Is(err, command.ErrHelp) && !errors.Is(err, flag.ErrHelp) {
+				t.Errorf("Parse: error = %v; want %v",
+					err, command.ErrHelp)
+			}
+			if got := out.String(); got != tc.want {
+				t.Errorf("Parse: %s want %s", got, tc.want)
+			}
+		})
+	}
+}
--- a/cmd/hakurei/json.go
+++ b/cmd/hakurei/json.go
@@ -0,0 +1,60 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"strconv"
+)
+
+// decodeJSON decodes json from r and stores it in v. A non-nil error results in a call to fatal.
+func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any) {
+	err := json.NewDecoder(r).Decode(v)
+	if err == nil {
+		return
+	}
+
+	var (
+		syntaxError        *json.SyntaxError
+		unmarshalTypeError *json.UnmarshalTypeError
+
+		msg string
+	)
+
+	switch {
+	case errors.As(err, &syntaxError) && syntaxError != nil:
+		msg = syntaxError.Error() +
+			" at byte " + strconv.FormatInt(syntaxError.Offset, 10)
+
+	case errors.As(err, &unmarshalTypeError) && unmarshalTypeError != nil:
+		msg = "inappropriate " + unmarshalTypeError.Value +
+			" at byte " + strconv.FormatInt(unmarshalTypeError.Offset, 10)
+
+	default:
+		// InvalidUnmarshalError: incorrect usage, does not need to be handled
+		// io.ErrUnexpectedEOF: no additional error information available
+		msg = err.Error()
+	}
+
+	fatal("cannot " + op + ": " + msg)
+}
+
+// encodeJSON encodes v to output. A non-nil error results in a call to fatal.
+func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any) {
+	encoder := json.NewEncoder(output)
+	if !short {
+		encoder.SetIndent("", "  ")
+	}
+
+	if err := encoder.Encode(v); err != nil {
+		var marshalerError *json.MarshalerError
+		if errors.As(err, &marshalerError) && marshalerError != nil {
+			// this likely indicates an implementation error in hst
+			fatal("cannot encode json for " + marshalerError.Type.String() + ": " + marshalerError.Err.Error())
+			return
+		}
+
+		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does not need to be handled
+		fatal("cannot write json: " + err.Error())
+	}
+}
--- a/cmd/hakurei/json_test.go
+++ b/cmd/hakurei/json_test.go
@@ -0,0 +1,99 @@
+package main
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"hakurei.app/container/stub"
+)
+
+func TestDecodeJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		t    reflect.Type
+		data string
+		want any
+		msg  string
+	}{
+		{"success", reflect.TypeFor[uintptr](), "3735928559\n", uintptr(0xdeadbeef), ""},
+
+		{"syntax", reflect.TypeFor[*int](), "\x00", nil,
+			`cannot load sample: invalid character '\x00' looking for beginning of value at byte 1`},
+		{"type", reflect.TypeFor[uintptr](), "-1", nil,
+			`cannot load sample: inappropriate number -1 at byte 2`},
+		{"default", reflect.TypeFor[*int](), "{", nil,
+			"cannot load sample: unexpected EOF"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				gotP   = reflect.New(tc.t)
+				gotMsg *string
+			)
+			decodeJSON(func(v ...any) {
+				if gotMsg != nil {
+					t.Fatal("fatal called twice")
+				}
+				msg := v[0].(string)
+				gotMsg = &msg
+			}, "load sample", strings.NewReader(tc.data), gotP.Interface())
+			if tc.msg != "" {
+				if gotMsg == nil {
+					t.Errorf("decodeJSON: success, want fatal %q", tc.msg)
+				} else if *gotMsg != tc.msg {
+					t.Errorf("decodeJSON: fatal = %q, want %q", *gotMsg, tc.msg)
+				}
+			} else if gotMsg != nil {
+				t.Errorf("decodeJSON: fatal = %q", *gotMsg)
+			} else if !reflect.DeepEqual(gotP.Elem().Interface(), tc.want) {
+				t.Errorf("decodeJSON: %#v, want %#v", gotP.Elem().Interface(), tc.want)
+			}
+		})
+	}
+}
+
+func TestEncodeJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		v    any
+		want string
+	}{
+		{"marshaler", errorJSONMarshaler{},
+			`cannot encode json for main.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
+		{"default", func() {},
+			`cannot write json: json: unsupported type: func()`},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var called bool
+			encodeJSON(func(v ...any) {
+				if called {
+					t.Fatal("fatal called twice")
+				}
+				called = true
+
+				if v[0].(string) != tc.want {
+					t.Errorf("encodeJSON: fatal = %q, want %q", v[0].(string), tc.want)
+				}
+			}, nil, false, tc.v)
+
+			if !called {
+				t.Errorf("encodeJSON: success, want fatal %q", tc.want)
+			}
+		})
+	}
+}
+
+// errorJSONMarshaler implements json.Marshaler.
+type errorJSONMarshaler struct{}
+
+func (errorJSONMarshaler) MarshalJSON() ([]byte, error) { return nil, stub.UniqueError(0xdeadbeef) }
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -0,0 +1,59 @@
+package main
+
+// this works around go:embed '..' limitation
+//go:generate cp ../../LICENSE .
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"hakurei.app/container"
+	"hakurei.app/message"
+)
+
+var (
+	errSuccess = errors.New("success")
+
+	//go:embed LICENSE
+	license string
+)
+
+// earlyHardeningErrs are errors collected while setting up early hardening feature.
+type earlyHardeningErrs struct{ yamaLSM, dumpable error }
+
+func main() {
+	// early init path, skips root check and duplicate PR_SET_DUMPABLE
+	container.TryArgv0(nil)
+
+	log.SetPrefix("hakurei: ")
+	log.SetFlags(0)
+	msg := message.New(log.Default())
+
+	early := earlyHardeningErrs{
+		yamaLSM:  container.SetPtracer(0),
+		dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE),
+	}
+
+	if os.Geteuid() == 0 {
+		log.Fatal("this program must not run as root")
+	}
+
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM)
+	defer stop() // unreachable
+
+	buildCommand(ctx, msg, &early, os.Stderr).MustParse(os.Args[1:], func(err error) {
+		msg.Verbosef("command returned %v", err)
+		if errors.Is(err, errSuccess) {
+			msg.BeforeExit()
+			os.Exit(0)
+		}
+		// this catches faulty command handlers that fail to return before this point
+	})
+	log.Fatal("unreachable")
+}
--- a/cmd/hakurei/parse.go
+++ b/cmd/hakurei/parse.go
@@ -0,0 +1,172 @@
+package main
+
+import (
+	"encoding/hex"
+	"errors"
+	"io"
+	"log"
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"hakurei.app/hst"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+// tryPath attempts to read [hst.Config] from multiple sources.
+// tryPath reads from [os.Stdin] if name has value "-".
+// Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
+func tryPath(msg message.Msg, name string) (config *hst.Config) {
+	var r io.ReadCloser
+	config = new(hst.Config)
+
+	if name != "-" {
+		r = tryFd(msg, name)
+		if r == nil {
+			msg.Verbose("load configuration from file")
+
+			if f, err := os.Open(name); err != nil {
+				log.Fatal(err.Error())
+				return
+			} else {
+				r = f
+			}
+		}
+	} else {
+		r = os.Stdin
+	}
+
+	decodeJSON(log.Fatal, "load configuration", r, &config)
+	if err := r.Close(); err != nil {
+		log.Fatal(err.Error())
+	}
+	return
+}
+
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
+func tryFd(msg message.Msg, name string) io.ReadCloser {
+	if v, err := strconv.Atoi(name); err != nil {
+		if !errors.Is(err, strconv.ErrSyntax) {
+			msg.Verbosef("name cannot be interpreted as int64: %v", err)
+		}
+		return nil
+	} else {
+		if v < 3 { // reject standard streams
+			return nil
+		}
+
+		msg.Verbosef("trying config stream from %d", v)
+		fd := uintptr(v)
+		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
+			if errors.Is(errno, syscall.EBADF) { // reject bad fd
+				return nil
+			}
+			log.Fatalf("cannot get fd %d: %v", fd, errno)
+		}
+
+		if outcome.IsPollDescriptor(fd) { // reject runtime internals
+			log.Fatalf("invalid config stream %d", fd)
+		}
+
+		return os.NewFile(fd, strconv.Itoa(v))
+	}
+}
+
+// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
+const shortLengthMin = 1 << 3
+
+// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
+func shortIdentifier(id *hst.ID) string {
+	return shortIdentifierString(id.String())
+}
+
+// shortIdentifierString implements shortIdentifier on an arbitrary string.
+func shortIdentifierString(s string) string {
+	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
+}
+
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
+func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
+	const (
+		likeShort = 1 << iota
+		likeFull
+	)
+
+	var likely uintptr
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
+		// cannot safely decode here due to unknown alignment
+		for _, c := range name {
+			if c >= '0' && c <= '9' {
+				continue
+			}
+			if c >= 'a' && c <= 'f' {
+				continue
+			}
+			return nil
+		}
+		likely |= likeShort
+	} else if len(name) == hex.EncodedLen(len(hst.ID{})) {
+		likely |= likeFull
+	}
+
+	if likely == 0 {
+		return nil
+	}
+
+	entries, copyError := s.All()
+	defer func() {
+		if err := copyError(); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
+	}()
+
+	switch {
+	case likely&likeShort != 0:
+		msg.Verbose("argument looks like short identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if strings.HasPrefix(eh.ID.String()[len(hst.ID{}):], name) {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
+				}
+				return &entry
+			}
+		}
+		return nil
+
+	case likely&likeFull != 0:
+		var likelyID hst.ID
+		if likelyID.UnmarshalText([]byte(name)) != nil {
+			return nil
+		}
+		msg.Verbose("argument looks like identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if eh.ID == likelyID {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
+				}
+				return &entry
+			}
+		}
+		return nil
+
+	default:
+		panic("unreachable")
+	}
+}
--- a/cmd/hakurei/parse_test.go
+++ b/cmd/hakurei/parse_test.go
@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"reflect"
+	"testing"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/hst"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+func TestShortIdentifier(t *testing.T) {
+	t.Parallel()
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+
+	const want = "fedcba98"
+	if got := shortIdentifier(&id); got != want {
+		t.Errorf("shortIdentifier: %q, want %q", got, want)
+	}
+}
+
+func TestTryIdentifier(t *testing.T) {
+	t.Parallel()
+
+	msg := message.New(nil)
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+	withBase := func(extra ...hst.State) []hst.State {
+		return append([]hst.State{
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))), PID: 0xbeef, ShimPID: 0xcafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xab}, len(hst.ID{}))), PID: 0x1beef, ShimPID: 0x1cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xf0}, len(hst.ID{}))), PID: 0x2beef, ShimPID: 0x2cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef2)},
+
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfe}, len(hst.ID{}))), PID: 0xbed, ShimPID: 0xfff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = hst.IdentityEnd
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfc}, len(hst.ID{}))), PID: 0x1bed, ShimPID: 0x1fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xfc
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xce}, len(hst.ID{}))), PID: 0x2bed, ShimPID: 0x2fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xce
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe2)},
+		}, extra...)
+	}
+	sampleEntry := hst.State{
+		ID:      id,
+		PID:     0xcafe,
+		ShimPID: 0xdead,
+		Config:  hst.Template(),
+	}
+
+	testCases := []struct {
+		name string
+		s    string
+		data []hst.State
+		want *hst.State
+	}{
+		{"likely entries fault", "ffffffff", nil, nil},
+
+		{"likely short too short", "ff", nil, nil},
+		{"likely short too long", "fffffffffffffffff", nil, nil},
+		{"likely short invalid lower", "fffffff\x00", nil, nil},
+		{"likely short invalid higher", "0000000\xff", nil, nil},
+		{"short no match", "fedcba98", withBase(), nil},
+		{"short match", "fedcba98", withBase(sampleEntry), &sampleEntry},
+		{"short match single", "fedcba98", []hst.State{sampleEntry}, &sampleEntry},
+		{"short match longer", "fedcba98765", withBase(sampleEntry), &sampleEntry},
+
+		{"likely long invalid", "0123456789abcdeffedcba987654321\x00", nil, nil},
+		{"long no match", "0123456789abcdeffedcba9876543210", withBase(), nil},
+		{"long match", "0123456789abcdeffedcba9876543210", withBase(sampleEntry), &sampleEntry},
+		{"long match single", "0123456789abcdeffedcba9876543210", []hst.State{sampleEntry}, &sampleEntry},
+	}
+	for _, tc := range testCases {
+		base := check.MustAbs(t.TempDir()).Append("store")
+		s := store.New(base)
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := tryIdentifier(msg, tc.s, store.New(base))
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("tryIdentifier: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -0,0 +1,285 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+	"slices"
+	"strconv"
+	"strings"
+	"text/tabwriter"
+	"time"
+
+	"hakurei.app/hst"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+// printShowSystem populates and writes a representation of [hst.Info] to output.
+func printShowSystem(output io.Writer, short, flagJSON bool) {
+	t := newPrinter(output)
+	defer t.MustFlush()
+	hi := outcome.Info()
+
+	if flagJSON {
+		encodeJSON(log.Fatal, output, short, hi)
+		return
+	}
+
+	t.Printf("Version:\t%s (libwayland %s)\n", hi.Version, hi.WaylandVersion)
+	t.Printf("User:\t%d\n", hi.User)
+	t.Printf("TempDir:\t%s\n", hi.TempDir)
+	t.Printf("SharePath:\t%s\n", hi.SharePath)
+	t.Printf("RuntimePath:\t%s\n", hi.RuntimePath)
+	t.Printf("RunDirPath:\t%s\n", hi.RunDirPath)
+}
+
+// printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
+func printShowInstance(
+	output io.Writer, now time.Time,
+	instance *hst.State, config *hst.Config,
+	short, flagJSON bool,
+) (valid bool) {
+	valid = true
+
+	if flagJSON {
+		if instance != nil {
+			encodeJSON(log.Fatal, output, short, instance)
+		} else {
+			encodeJSON(log.Fatal, output, short, config)
+		}
+		return
+	}
+
+	t := newPrinter(output)
+	defer t.MustFlush()
+
+	if err := config.Validate(); err != nil {
+		valid = false
+		if m, ok := message.GetMessage(err); ok {
+			mustPrint(output, "Error: "+m+"!\n\n")
+		}
+	}
+
+	if config == nil {
+		// nothing to print
+		return
+	}
+
+	if instance != nil {
+		t.Printf("State\n")
+		t.Printf(" Instance:\t%s (%d -> %d)\n", instance.ID.String(), instance.PID, instance.ShimPID)
+		t.Printf(" Uptime:\t%s\n", now.Sub(instance.Time).Round(time.Second).String())
+		t.Printf("\n")
+	}
+
+	t.Printf("App\n")
+	if config.ID != "" {
+		t.Printf(" Identity:\t%d (%s)\n", config.Identity, config.ID)
+	} else {
+		t.Printf(" Identity:\t%d\n", config.Identity)
+	}
+	t.Printf(" Enablements:\t%s\n", config.Enablements.Unwrap().String())
+	if len(config.Groups) > 0 {
+		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
+	}
+	if config.Container != nil {
+		flags := config.Container.Flags.String()
+
+		// this is included in the upper hst.Config struct but is relevant here
+		const flagDirectWayland = "directwl"
+		if config.DirectWayland {
+			// hardcoded value when every flag is unset
+			if flags == "none" {
+				flags = flagDirectWayland
+			} else {
+				flags += ", " + flagDirectWayland
+			}
+		}
+		t.Printf(" Flags:\t%s\n", flags)
+
+		if config.Container.Home != nil {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
+		}
+		if config.Container.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
+		}
+		if config.Container.Path != nil {
+			t.Printf(" Path:\t%s\n", config.Container.Path)
+		}
+		if len(config.Container.Args) > 0 {
+			t.Printf(" Arguments:\t%s\n", strings.Join(config.Container.Args, " "))
+		}
+	}
+	t.Printf("\n")
+
+	if !short {
+		if config.Container != nil && len(config.Container.Filesystem) > 0 {
+			t.Printf("Filesystem\n")
+			for _, f := range config.Container.Filesystem {
+				if !f.Valid() {
+					valid = false
+					t.Println(" <invalid>")
+					continue
+				}
+				t.Printf(" %s\n", f)
+			}
+			t.Printf("\n")
+		}
+		if len(config.ExtraPerms) > 0 {
+			t.Printf("Extra ACL\n")
+			for i := range config.ExtraPerms {
+				t.Printf(" %s\n", config.ExtraPerms[i].String())
+			}
+			t.Printf("\n")
+		}
+	}
+
+	printDBus := func(c *hst.BusConfig) {
+		t.Printf(" Filter:\t%v\n", c.Filter)
+		if len(c.See) > 0 {
+			t.Printf(" See:\t%q\n", c.See)
+		}
+		if len(c.Talk) > 0 {
+			t.Printf(" Talk:\t%q\n", c.Talk)
+		}
+		if len(c.Own) > 0 {
+			t.Printf(" Own:\t%q\n", c.Own)
+		}
+		if len(c.Call) > 0 {
+			t.Printf(" Call:\t%q\n", c.Call)
+		}
+		if len(c.Broadcast) > 0 {
+			t.Printf(" Broadcast:\t%q\n", c.Broadcast)
+		}
+	}
+	if config.SessionBus != nil {
+		t.Printf("Session bus\n")
+		printDBus(config.SessionBus)
+		t.Printf("\n")
+	}
+	if config.SystemBus != nil {
+		t.Printf("System bus\n")
+		printDBus(config.SystemBus)
+		t.Printf("\n")
+	}
+
+	return
+}
+
+// printPs writes a representation of active instances to output.
+func printPs(msg message.Msg, output io.Writer, now time.Time, s *store.Store, short, flagJSON bool) {
+	f := func(a func(eh *store.EntryHandle)) {
+		entries, copyError := s.All()
+		for eh := range entries {
+			a(eh)
+		}
+		if err := copyError(); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
+	}
+
+	if short { // short output requires identifier only
+		var identifiers []*hst.ID
+		f(func(eh *store.EntryHandle) {
+			if _, err := eh.Load(nil); err != nil { // passes through decode error
+				msg.GetLogger().Println(getMessage("cannot validate state entry header:", err))
+				return
+			}
+			identifiers = append(identifiers, &eh.ID)
+		})
+		slices.SortFunc(identifiers, func(a, b *hst.ID) int { return bytes.Compare(a[:], b[:]) })
+
+		if flagJSON {
+			encodeJSON(log.Fatal, output, short, identifiers)
+		} else {
+			for _, id := range identifiers {
+				mustPrintln(output, shortIdentifier(id))
+			}
+		}
+		return
+	}
+
+	// long output requires full instance state
+	var instances []*hst.State
+	f(func(eh *store.EntryHandle) {
+		var state hst.State
+		if _, err := eh.Load(&state); err != nil { // passes through decode error
+			msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+			return
+		}
+		instances = append(instances, &state)
+	})
+	slices.SortFunc(instances, func(a, b *hst.State) int { return bytes.Compare(a.ID[:], b.ID[:]) })
+
+	if flagJSON {
+		encodeJSON(log.Fatal, output, short, instances)
+		return
+	}
+
+	t := newPrinter(output)
+	defer t.MustFlush()
+
+	t.Println("\tInstance\tPID\tApplication\tUptime")
+	for _, instance := range instances {
+		as := "(No configuration information)"
+		if instance.Config != nil {
+			as = strconv.Itoa(instance.Config.Identity)
+			id := instance.Config.ID
+			if id == "" {
+				id = "app.hakurei." + shortIdentifier(&instance.ID)
+			}
+			as += " (" + id + ")"
+		}
+		t.Printf("\t%s\t%d\t%s\t%s\n",
+			shortIdentifier(&instance.ID), instance.PID, as, now.Sub(instance.Time).Round(time.Second).String())
+	}
+}
+
+// newPrinter returns a configured, wrapped [tabwriter.Writer].
+func newPrinter(output io.Writer) *tp { return &tp{tabwriter.NewWriter(output, 0, 1, 4, ' ', 0)} }
+
+// tp wraps [tabwriter.Writer] to provide additional formatting methods.
+type tp struct{ *tabwriter.Writer }
+
+// Printf calls [fmt.Fprintf] on the underlying [tabwriter.Writer].
+func (p *tp) Printf(format string, a ...any) {
+	if _, err := fmt.Fprintf(p, format, a...); err != nil {
+		log.Fatalf("cannot write to tabwriter: %v", err)
+	}
+}
+
+// Println calls [fmt.Fprintln] on the underlying [tabwriter.Writer].
+func (p *tp) Println(a ...any) {
+	if _, err := fmt.Fprintln(p, a...); err != nil {
+		log.Fatalf("cannot write to tabwriter: %v", err)
+	}
+}
+
+// MustFlush calls the Flush method of [tabwriter.Writer] and calls [log.Fatalf] on a non-nil error.
+func (p *tp) MustFlush() {
+	if err := p.Writer.Flush(); err != nil {
+		log.Fatalf("cannot flush tabwriter: %v", err)
+	}
+}
+
+func mustPrint(output io.Writer, a ...any) {
+	if _, err := fmt.Fprint(output, a...); err != nil {
+		log.Fatalf("cannot print: %v", err)
+	}
+}
+func mustPrintln(output io.Writer, a ...any) {
+	if _, err := fmt.Fprintln(output, a...); err != nil {
+		log.Fatalf("cannot print: %v", err)
+	}
+}
+
+// getMessage returns a [message.Error] message if available, or err prefixed with fallback otherwise.
+func getMessage(fallback string, err error) string {
+	if m, ok := message.GetMessage(err); ok {
+		return m
+	}
+	return fmt.Sprintln(fallback, err)
+}
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -0,0 +1,777 @@
+package main
+
+import (
+	"bytes"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/hst"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+var (
+	testID = hst.ID{
+		0x8e, 0x2c, 0x76, 0xb0,
+		0x66, 0xda, 0xbe, 0x57,
+		0x4c, 0xf0, 0x73, 0xbd,
+		0xb4, 0x6e, 0xb5, 0xc1,
+	}
+	testState = hst.State{
+		ID:      testID,
+		PID:     0xcafe,
+		ShimPID: 0xdead,
+		Config:  hst.Template(),
+		Time:    testAppTime,
+	}
+	testStateSmall = hst.State{
+		ID:      (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))),
+		PID:     0xbeef,
+		ShimPID: 0xcafe,
+		Config: &hst.Config{
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Identity:    1,
+			Container: &hst.ContainerConfig{
+				Shell: check.MustAbs("/bin/sh"),
+				Home:  check.MustAbs("/data/data/uk.gensokyo.cat"),
+				Path:  check.MustAbs("/usr/bin/cat"),
+				Args:  []string{"cat"},
+				Flags: hst.FUserns,
+			},
+		},
+		Time: time.Unix(0, 0xdeadbeef).UTC(),
+	}
+	testTime    = time.Unix(3752, 1).UTC()
+	testAppTime = time.Unix(0, 9).UTC()
+)
+
+func TestPrintShowInstance(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		instance    *hst.State
+		config      *hst.Config
+		short, json bool
+		want        string
+		valid       bool
+	}{
+		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
+		{"config", nil, hst.Template(), false, false, `App
+ Identity:       9 (org.chromium.Chromium)
+ Enablements:    wayland, dbus, pipewire
+ Groups:         video, dialout, plugdev
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
+ Home:           /data/data/org.chromium.Chromium
+ Hostname:       localhost
+ Path:           /run/current-system/sw/bin/chromium
+ Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
+
+Filesystem
+ autoroot:w:/var/lib/hakurei/base/org.debian
+ autoetc:/etc/
+ w+ephemeral(-rwxr-xr-x):/tmp/
+ w*/nix/store:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work:/var/lib/hakurei/base/org.nixos/ro-store
+ /run/current-system@
+ /run/opengl-driver@
+ w-/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
+ d+/dev/dri
+
+Extra ACL
+ --x+:/var/lib/hakurei/u0
+ rwx:/var/lib/hakurei/u0/org.chromium.Chromium
+
+Session bus
+ Filter:       true
+ Talk:         ["org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.ScreenSaver" "org.freedesktop.secrets" "org.kde.kwalletd5" "org.kde.kwalletd6" "org.gnome.SessionManager"]
+ Own:          ["org.chromium.Chromium.*" "org.mpris.MediaPlayer2.org.chromium.Chromium.*" "org.mpris.MediaPlayer2.chromium.*"]
+ Call:         map["org.freedesktop.portal.*":"*"]
+ Broadcast:    map["org.freedesktop.portal.*":"@/org/freedesktop/portal/*"]
+
+System bus
+ Filter:    true
+ Talk:      ["org.bluez" "org.freedesktop.Avahi" "org.freedesktop.UPower"]
+
+`, true},
+		{"config pd", nil, new(hst.Config), false, false, `Error: configuration missing container state!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+
+`, false},
+		{"config flag none", nil, &hst.Config{Container: new(hst.ContainerConfig)}, false, false, `Error: container configuration missing path to home directory!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+ Flags:          none
+
+`, false},
+		{"config flag none directwl", nil, &hst.Config{DirectWayland: true, Container: new(hst.ContainerConfig)}, false, false, `Error: container configuration missing path to home directory!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+ Flags:          directwl
+
+`, false},
+		{"config flag directwl", nil, &hst.Config{DirectWayland: true, Container: &hst.ContainerConfig{Flags: hst.FMultiarch}}, false, false, `Error: container configuration missing path to home directory!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+ Flags:          multiarch, directwl
+
+`, false},
+		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+ Flags:          none
+
+Filesystem
+ <invalid>
+
+Extra ACL
+ <invalid>
+
+`, false},
+		{"config pd dbus see", nil, &hst.Config{SessionBus: &hst.BusConfig{See: []string{"org.example.test"}}}, false, false, `Error: configuration missing container state!
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+
+Session bus
+ Filter:    false
+ See:       ["org.example.test"]
+
+`, false},
+
+		{"instance", &testState, hst.Template(), false, false, `State
+ Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (51966 -> 57005)
+ Uptime:      1h2m32s
+
+App
+ Identity:       9 (org.chromium.Chromium)
+ Enablements:    wayland, dbus, pipewire
+ Groups:         video, dialout, plugdev
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
+ Home:           /data/data/org.chromium.Chromium
+ Hostname:       localhost
+ Path:           /run/current-system/sw/bin/chromium
+ Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
+
+Filesystem
+ autoroot:w:/var/lib/hakurei/base/org.debian
+ autoetc:/etc/
+ w+ephemeral(-rwxr-xr-x):/tmp/
+ w*/nix/store:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper:/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work:/var/lib/hakurei/base/org.nixos/ro-store
+ /run/current-system@
+ /run/opengl-driver@
+ w-/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
+ d+/dev/dri
+
+Extra ACL
+ --x+:/var/lib/hakurei/u0
+ rwx:/var/lib/hakurei/u0/org.chromium.Chromium
+
+Session bus
+ Filter:       true
+ Talk:         ["org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.ScreenSaver" "org.freedesktop.secrets" "org.kde.kwalletd5" "org.kde.kwalletd6" "org.gnome.SessionManager"]
+ Own:          ["org.chromium.Chromium.*" "org.mpris.MediaPlayer2.org.chromium.Chromium.*" "org.mpris.MediaPlayer2.chromium.*"]
+ Call:         map["org.freedesktop.portal.*":"*"]
+ Broadcast:    map["org.freedesktop.portal.*":"@/org/freedesktop/portal/*"]
+
+System bus
+ Filter:    true
+ Talk:      ["org.bluez" "org.freedesktop.Avahi" "org.freedesktop.UPower"]
+
+`, true},
+		{"instance pd", &testState, new(hst.Config), false, false, `Error: configuration missing container state!
+
+State
+ Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (51966 -> 57005)
+ Uptime:      1h2m32s
+
+App
+ Identity:       0
+ Enablements:    (no enablements)
+
+`, false},
+
+		{"json nil", nil, nil, false, true, `null
+`, true},
+		{"json instance", &testState, nil, false, true, `{
+  "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
+  "pid": 51966,
+  "shim_pid": 57005,
+  "id": "org.chromium.Chromium",
+  "enablements": {
+    "wayland": true,
+    "dbus": true,
+    "pipewire": true
+  },
+  "session_bus": {
+    "see": null,
+    "talk": [
+      "org.freedesktop.Notifications",
+      "org.freedesktop.FileManager1",
+      "org.freedesktop.ScreenSaver",
+      "org.freedesktop.secrets",
+      "org.kde.kwalletd5",
+      "org.kde.kwalletd6",
+      "org.gnome.SessionManager"
+    ],
+    "own": [
+      "org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.chromium.*"
+    ],
+    "call": {
+      "org.freedesktop.portal.*": "*"
+    },
+    "broadcast": {
+      "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+    },
+    "filter": true
+  },
+  "system_bus": {
+    "see": null,
+    "talk": [
+      "org.bluez",
+      "org.freedesktop.Avahi",
+      "org.freedesktop.UPower"
+    ],
+    "own": null,
+    "call": null,
+    "broadcast": null,
+    "filter": true
+  },
+  "extra_perms": [
+    {
+      "ensure": true,
+      "path": "/var/lib/hakurei/u0",
+      "x": true
+    },
+    {
+      "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+      "r": true,
+      "w": true,
+      "x": true
+    }
+  ],
+  "identity": 9,
+  "groups": [
+    "video",
+    "dialout",
+    "plugdev"
+  ],
+  "container": {
+    "hostname": "localhost",
+    "wait_delay": -1,
+    "env": {
+      "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+      "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+      "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
+    },
+    "filesystem": [
+      {
+        "type": "bind",
+        "dst": "/",
+        "src": "/var/lib/hakurei/base/org.debian",
+        "write": true,
+        "special": true
+      },
+      {
+        "type": "bind",
+        "dst": "/etc/",
+        "src": "/etc/",
+        "special": true
+      },
+      {
+        "type": "ephemeral",
+        "dst": "/tmp/",
+        "write": true,
+        "perm": 493
+      },
+      {
+        "type": "overlay",
+        "dst": "/nix/store",
+        "lower": [
+          "/var/lib/hakurei/base/org.nixos/ro-store"
+        ],
+        "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+        "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+      },
+      {
+        "type": "link",
+        "dst": "/run/current-system",
+        "linkname": "/run/current-system",
+        "dereference": true
+      },
+      {
+        "type": "link",
+        "dst": "/run/opengl-driver",
+        "linkname": "/run/opengl-driver",
+        "dereference": true
+      },
+      {
+        "type": "bind",
+        "dst": "/data/data/org.chromium.Chromium",
+        "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "write": true,
+        "ensure": true
+      },
+      {
+        "type": "bind",
+        "src": "/dev/dri",
+        "dev": true,
+        "optional": true
+      }
+    ],
+    "username": "chronos",
+    "shell": "/run/current-system/sw/bin/zsh",
+    "home": "/data/data/org.chromium.Chromium",
+    "path": "/run/current-system/sw/bin/chromium",
+    "args": [
+      "chromium",
+      "--ignore-gpu-blocklist",
+      "--disable-smooth-scrolling",
+      "--enable-features=UseOzonePlatform",
+      "--ozone-platform=wayland"
+    ],
+    "seccomp_compat": true,
+    "devel": true,
+    "userns": true,
+    "host_net": true,
+    "host_abstract": true,
+    "tty": true,
+    "multiarch": true,
+    "map_real_uid": true,
+    "device": true,
+    "share_runtime": true,
+    "share_tmpdir": true
+  },
+  "time": "1970-01-01T00:00:00.000000009Z"
+}
+`, true},
+		{"json config", nil, hst.Template(), false, true, `{
+  "id": "org.chromium.Chromium",
+  "enablements": {
+    "wayland": true,
+    "dbus": true,
+    "pipewire": true
+  },
+  "session_bus": {
+    "see": null,
+    "talk": [
+      "org.freedesktop.Notifications",
+      "org.freedesktop.FileManager1",
+      "org.freedesktop.ScreenSaver",
+      "org.freedesktop.secrets",
+      "org.kde.kwalletd5",
+      "org.kde.kwalletd6",
+      "org.gnome.SessionManager"
+    ],
+    "own": [
+      "org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.chromium.*"
+    ],
+    "call": {
+      "org.freedesktop.portal.*": "*"
+    },
+    "broadcast": {
+      "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+    },
+    "filter": true
+  },
+  "system_bus": {
+    "see": null,
+    "talk": [
+      "org.bluez",
+      "org.freedesktop.Avahi",
+      "org.freedesktop.UPower"
+    ],
+    "own": null,
+    "call": null,
+    "broadcast": null,
+    "filter": true
+  },
+  "extra_perms": [
+    {
+      "ensure": true,
+      "path": "/var/lib/hakurei/u0",
+      "x": true
+    },
+    {
+      "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+      "r": true,
+      "w": true,
+      "x": true
+    }
+  ],
+  "identity": 9,
+  "groups": [
+    "video",
+    "dialout",
+    "plugdev"
+  ],
+  "container": {
+    "hostname": "localhost",
+    "wait_delay": -1,
+    "env": {
+      "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+      "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+      "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
+    },
+    "filesystem": [
+      {
+        "type": "bind",
+        "dst": "/",
+        "src": "/var/lib/hakurei/base/org.debian",
+        "write": true,
+        "special": true
+      },
+      {
+        "type": "bind",
+        "dst": "/etc/",
+        "src": "/etc/",
+        "special": true
+      },
+      {
+        "type": "ephemeral",
+        "dst": "/tmp/",
+        "write": true,
+        "perm": 493
+      },
+      {
+        "type": "overlay",
+        "dst": "/nix/store",
+        "lower": [
+          "/var/lib/hakurei/base/org.nixos/ro-store"
+        ],
+        "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+        "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+      },
+      {
+        "type": "link",
+        "dst": "/run/current-system",
+        "linkname": "/run/current-system",
+        "dereference": true
+      },
+      {
+        "type": "link",
+        "dst": "/run/opengl-driver",
+        "linkname": "/run/opengl-driver",
+        "dereference": true
+      },
+      {
+        "type": "bind",
+        "dst": "/data/data/org.chromium.Chromium",
+        "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "write": true,
+        "ensure": true
+      },
+      {
+        "type": "bind",
+        "src": "/dev/dri",
+        "dev": true,
+        "optional": true
+      }
+    ],
+    "username": "chronos",
+    "shell": "/run/current-system/sw/bin/zsh",
+    "home": "/data/data/org.chromium.Chromium",
+    "path": "/run/current-system/sw/bin/chromium",
+    "args": [
+      "chromium",
+      "--ignore-gpu-blocklist",
+      "--disable-smooth-scrolling",
+      "--enable-features=UseOzonePlatform",
+      "--ozone-platform=wayland"
+    ],
+    "seccomp_compat": true,
+    "devel": true,
+    "userns": true,
+    "host_net": true,
+    "host_abstract": true,
+    "tty": true,
+    "multiarch": true,
+    "map_real_uid": true,
+    "device": true,
+    "share_runtime": true,
+    "share_tmpdir": true
+  }
+}
+`, true},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			output := new(strings.Builder)
+			gotValid := printShowInstance(output, testTime, tc.instance, tc.config, tc.short, tc.json)
+			if got := output.String(); got != tc.want {
+				t.Errorf("printShowInstance: \n%s\nwant\n%s", got, tc.want)
+				return
+			}
+			if gotValid != tc.valid {
+				t.Errorf("printShowInstance: valid = %v, want %v", gotValid, tc.valid)
+			}
+		})
+	}
+}
+
+func TestPrintPs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		data        []hst.State
+		short, json bool
+		want, log   string
+	}{
+		{"no entries", []hst.State{}, false, false, "    Instance    PID    Application    Uptime\n", ""},
+		{"no entries short", []hst.State{}, true, false, "", ""},
+
+		{"invalid config", []hst.State{{ID: testID, PID: 1 << 8, Config: new(hst.Config), Time: testAppTime}}, false, false, "    Instance    PID    Application    Uptime\n", "check: configuration missing container state\n"},
+
+		{"valid", []hst.State{testStateSmall, testState}, false, false, `    Instance    PID      Application                  Uptime
+    4cf073bd    51966    9 (org.chromium.Chromium)    1h2m32s
+    aaaaaaaa    48879    1 (app.hakurei.aaaaaaaa)     1h2m28s
+`, ""},
+		{"valid single", []hst.State{testState}, false, false, `    Instance    PID      Application                  Uptime
+    4cf073bd    51966    9 (org.chromium.Chromium)    1h2m32s
+`, ""},
+
+		{"valid short", []hst.State{testStateSmall, testState}, true, false, "4cf073bd\naaaaaaaa\n", ""},
+		{"valid short single", []hst.State{testState}, true, false, "4cf073bd\n", ""},
+
+		{"valid json", []hst.State{testState, testStateSmall}, false, true, `[
+  {
+    "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
+    "pid": 51966,
+    "shim_pid": 57005,
+    "id": "org.chromium.Chromium",
+    "enablements": {
+      "wayland": true,
+      "dbus": true,
+      "pipewire": true
+    },
+    "session_bus": {
+      "see": null,
+      "talk": [
+        "org.freedesktop.Notifications",
+        "org.freedesktop.FileManager1",
+        "org.freedesktop.ScreenSaver",
+        "org.freedesktop.secrets",
+        "org.kde.kwalletd5",
+        "org.kde.kwalletd6",
+        "org.gnome.SessionManager"
+      ],
+      "own": [
+        "org.chromium.Chromium.*",
+        "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+        "org.mpris.MediaPlayer2.chromium.*"
+      ],
+      "call": {
+        "org.freedesktop.portal.*": "*"
+      },
+      "broadcast": {
+        "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+      },
+      "filter": true
+    },
+    "system_bus": {
+      "see": null,
+      "talk": [
+        "org.bluez",
+        "org.freedesktop.Avahi",
+        "org.freedesktop.UPower"
+      ],
+      "own": null,
+      "call": null,
+      "broadcast": null,
+      "filter": true
+    },
+    "extra_perms": [
+      {
+        "ensure": true,
+        "path": "/var/lib/hakurei/u0",
+        "x": true
+      },
+      {
+        "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "r": true,
+        "w": true,
+        "x": true
+      }
+    ],
+    "identity": 9,
+    "groups": [
+      "video",
+      "dialout",
+      "plugdev"
+    ],
+    "container": {
+      "hostname": "localhost",
+      "wait_delay": -1,
+      "env": {
+        "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+        "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+        "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
+      },
+      "filesystem": [
+        {
+          "type": "bind",
+          "dst": "/",
+          "src": "/var/lib/hakurei/base/org.debian",
+          "write": true,
+          "special": true
+        },
+        {
+          "type": "bind",
+          "dst": "/etc/",
+          "src": "/etc/",
+          "special": true
+        },
+        {
+          "type": "ephemeral",
+          "dst": "/tmp/",
+          "write": true,
+          "perm": 493
+        },
+        {
+          "type": "overlay",
+          "dst": "/nix/store",
+          "lower": [
+            "/var/lib/hakurei/base/org.nixos/ro-store"
+          ],
+          "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+          "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+        },
+        {
+          "type": "link",
+          "dst": "/run/current-system",
+          "linkname": "/run/current-system",
+          "dereference": true
+        },
+        {
+          "type": "link",
+          "dst": "/run/opengl-driver",
+          "linkname": "/run/opengl-driver",
+          "dereference": true
+        },
+        {
+          "type": "bind",
+          "dst": "/data/data/org.chromium.Chromium",
+          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+          "write": true,
+          "ensure": true
+        },
+        {
+          "type": "bind",
+          "src": "/dev/dri",
+          "dev": true,
+          "optional": true
+        }
+      ],
+      "username": "chronos",
+      "shell": "/run/current-system/sw/bin/zsh",
+      "home": "/data/data/org.chromium.Chromium",
+      "path": "/run/current-system/sw/bin/chromium",
+      "args": [
+        "chromium",
+        "--ignore-gpu-blocklist",
+        "--disable-smooth-scrolling",
+        "--enable-features=UseOzonePlatform",
+        "--ozone-platform=wayland"
+      ],
+      "seccomp_compat": true,
+      "devel": true,
+      "userns": true,
+      "host_net": true,
+      "host_abstract": true,
+      "tty": true,
+      "multiarch": true,
+      "map_real_uid": true,
+      "device": true,
+      "share_runtime": true,
+      "share_tmpdir": true
+    },
+    "time": "1970-01-01T00:00:00.000000009Z"
+  },
+  {
+    "instance": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+    "pid": 48879,
+    "shim_pid": 51966,
+    "enablements": {
+      "wayland": true,
+      "pipewire": true
+    },
+    "identity": 1,
+    "groups": null,
+    "container": {
+      "env": null,
+      "filesystem": null,
+      "shell": "/bin/sh",
+      "home": "/data/data/uk.gensokyo.cat",
+      "path": "/usr/bin/cat",
+      "args": [
+        "cat"
+      ],
+      "userns": true,
+      "map_real_uid": false
+    },
+    "time": "1970-01-01T00:00:03.735928559Z"
+  }
+]
+`, ""},
+		{"valid short json", []hst.State{testStateSmall, testState}, true, true, `["8e2c76b066dabe574cf073bdb46eb5c1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
+`, ""},
+	}
+
+	for _, tc := range testCases {
+		s := store.New(check.MustAbs(t.TempDir()).Append("store"))
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var printBuf, logBuf bytes.Buffer
+			msg := message.New(log.New(&logBuf, "check: ", 0))
+			msg.SwapVerbose(true)
+			printPs(msg, &printBuf, testTime, s, tc.short, tc.json)
+			if got := printBuf.String(); got != tc.want {
+				t.Errorf("printPs:\n%s\nwant\n%s", got, tc.want)
+				return
+			}
+			if got := logBuf.String(); got != tc.log {
+				t.Errorf("msg:\n%s\nwant\n%s", got, tc.log)
+			}
+		})
+	}
+}
--- a/cmd/hpkg/README
+++ b/cmd/hpkg/README
@@ -0,0 +1,7 @@
+This program is a proof of concept and is now deprecated. It is only kept
+around for API demonstration purposes and to make the most out of the test
+suite.
+
+This program is replaced by planterette, which can be found at
+https://git.gensokyo.uk/security/planterette. Development effort should be
+focused there instead.
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -0,0 +1,173 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"os"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/hst"
+)
+
+type appInfo struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+
+	// passed through to [hst.Config]
+	ID string `json:"id"`
+	// passed through to [hst.Config]
+	Identity int `json:"identity"`
+	// passed through to [hst.Config]
+	Groups []string `json:"groups,omitempty"`
+	// passed through to [hst.Config]
+	Devel bool `json:"devel,omitempty"`
+	// passed through to [hst.Config]
+	Userns bool `json:"userns,omitempty"`
+	// passed through to [hst.Config]
+	HostNet bool `json:"net,omitempty"`
+	// passed through to [hst.Config]
+	HostAbstract bool `json:"abstract,omitempty"`
+	// passed through to [hst.Config]
+	Device bool `json:"dev,omitempty"`
+	// passed through to [hst.Config]
+	Tty bool `json:"tty,omitempty"`
+	// passed through to [hst.Config]
+	MapRealUID bool `json:"map_real_uid,omitempty"`
+	// passed through to [hst.Config]
+	DirectWayland bool `json:"direct_wayland,omitempty"`
+	// passed through to [hst.Config]
+	SystemBus *hst.BusConfig `json:"system_bus,omitempty"`
+	// passed through to [hst.Config]
+	SessionBus *hst.BusConfig `json:"session_bus,omitempty"`
+	// passed through to [hst.Config]
+	Enablements *hst.Enablements `json:"enablements,omitempty"`
+
+	// passed through to [hst.Config]
+	Multiarch bool `json:"multiarch,omitempty"`
+	// passed through to [hst.Config]
+	Bluetooth bool `json:"bluetooth,omitempty"`
+
+	// allow gpu access within sandbox
+	GPU bool `json:"gpu"`
+	// store path to nixGL mesa wrappers
+	Mesa string `json:"mesa,omitempty"`
+	// store path to nixGL source
+	NixGL string `json:"nix_gl,omitempty"`
+	// store path to activate-and-exec script
+	Launcher *check.Absolute `json:"launcher"`
+	// store path to /run/current-system
+	CurrentSystem *check.Absolute `json:"current_system"`
+	// store path to home-manager activation package
+	ActivationPackage string `json:"activation_package"`
+}
+
+func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []string, flagDropShell bool) *hst.Config {
+	config := &hst.Config{
+		ID: app.ID,
+
+		Enablements: app.Enablements,
+
+		SystemBus:     app.SystemBus,
+		SessionBus:    app.SessionBus,
+		DirectWayland: app.DirectWayland,
+
+		Identity: app.Identity,
+		Groups:   app.Groups,
+
+		Container: &hst.ContainerConfig{
+			Hostname: formatHostname(app.Name),
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
+				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
+				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
+				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsPrivateTmp.Append("app")}},
+				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
+			},
+
+			Username: "hakurei",
+			Shell:    pathShell,
+			Home:     pathDataData.Append(app.ID),
+
+			Path: pathname,
+			Args: argv,
+		},
+		ExtraPerms: []hst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+		},
+	}
+
+	if app.Devel {
+		config.Container.Flags |= hst.FDevel
+	}
+	if app.Userns {
+		config.Container.Flags |= hst.FUserns
+	}
+	if app.HostNet {
+		config.Container.Flags |= hst.FHostNet
+	}
+	if app.HostAbstract {
+		config.Container.Flags |= hst.FHostAbstract
+	}
+	if app.Device {
+		config.Container.Flags |= hst.FDevice
+	}
+	if app.Tty || flagDropShell {
+		config.Container.Flags |= hst.FTty
+	}
+	if app.MapRealUID {
+		config.Container.Flags |= hst.FMapRealUID
+	}
+	if app.Multiarch {
+		config.Container.Flags |= hst.FMultiarch
+	}
+	config.Container.Flags |= hst.FShareRuntime | hst.FShareTmpdir
+	return config
+}
+
+func loadAppInfo(name string, beforeFail func()) *appInfo {
+	bundle := new(appInfo)
+	if f, err := os.Open(name); err != nil {
+		beforeFail()
+		log.Fatalf("cannot open bundle: %v", err)
+	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
+		beforeFail()
+		log.Fatalf("cannot parse bundle metadata: %v", err)
+	} else if err = f.Close(); err != nil {
+		log.Printf("cannot close bundle metadata: %v", err)
+		// not fatal
+	}
+
+	if bundle.ID == "" {
+		beforeFail()
+		log.Fatal("application identifier must not be empty")
+	}
+	if bundle.Launcher == nil {
+		beforeFail()
+		log.Fatal("launcher must not be empty")
+	}
+	if bundle.CurrentSystem == nil {
+		beforeFail()
+		log.Fatal("current-system must not be empty")
+	}
+
+	return bundle
+}
+
+func formatHostname(name string) string {
+	if h, err := os.Hostname(); err != nil {
+		log.Printf("cannot get hostname: %v", err)
+		return "hakurei-" + name
+	} else {
+		return h + "-" + name
+	}
+}
--- a/cmd/hpkg/build.nix
+++ b/cmd/hpkg/build.nix
@@ -31,7 +31,7 @@
  '',

  id ? name,
-  app_id ? throw "app_id is required",
+  identity ? throw "identity is required",
  groups ? [ ],
  userns ? false,
  net ? true,
@@ -45,7 +45,7 @@
  allow_wayland ? true,
  allow_x11 ? false,
  allow_dbus ? true,
-  allow_pulse ? true,
+  allow_audio ? true,
  gpu ? allow_wayland || allow_x11,
 }:

@@ -57,7 +57,7 @@ let
    modules = modules ++ [
      {
        home = {
-          username = "fortify";
+          username = "hakurei";
          homeDirectory = "/data/data/${id}";
          stateVersion = "22.11";
        };
@@ -65,7 +65,7 @@ let
    ];
  };

-  launcher = writeScript "fortify-${pname}" ''
+  launcher = writeScript "hakurei-${pname}" ''
    #!${runtimeShell} -el
    ${script}
  '';
@@ -147,7 +147,7 @@ let
      name
      version
      id
-      app_id
+      identity
      launcher
      groups
      userns
@@ -171,7 +171,12 @@ let
          broadcast = { };
        });

-    enablements = (if allow_wayland then 1 else 0) + (if allow_x11 then 2 else 0) + (if allow_dbus then 4 else 0) + (if allow_pulse then 8 else 0);
+    enablements = {
+      wayland = allow_wayland;
+      x11 = allow_x11;
+      dbus = allow_dbus;
+      pipewire = allow_audio;
+    };

    mesa = if gpu then mesaWrappers else null;
    nix_gl = if gpu then nixGL else null;
@@ -215,15 +220,14 @@ stdenv.mkDerivation {
    # create binary cache
    closureInfo="${
      closureInfo {
-        rootPaths =
-          [
-            homeManagerConfiguration.activationPackage
-            launcher
-          ]
-          ++ optionals gpu [
-            mesaWrappers
-            nixGL
-          ];
+        rootPaths = [
+          homeManagerConfiguration.activationPackage
+          launcher
+        ]
+        ++ optionals gpu [
+          mesaWrappers
+          nixGL
+        ];
      }
    }"
    echo "copying application paths..."
--- a/cmd/hpkg/main.go
+++ b/cmd/hpkg/main.go
@@ -10,37 +10,24 @@ import (
 	"path"
 	"syscall"

-	"git.gensokyo.uk/security/fortify/command"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/sandbox"
+	"hakurei.app/command"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/hst"
+	"hakurei.app/message"
 )

-const shellPath = "/run/current-system/sw/bin/bash"
-
 var (
 	errSuccess = errors.New("success")
-
-	std sys.State = new(sys.Std)
 )

-func init() {
-	fmsg.Prepare("fpkg")
-	if err := os.Setenv("SHELL", shellPath); err != nil {
-		log.Fatalf("cannot set $SHELL: %v", err)
-	}
-}
-
 func main() {
-	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	sandbox.TryArgv0(fmsg.Output{}, fmsg.Prepare, internal.InstallFmsg)
+	log.SetPrefix("hpkg: ")
+	log.SetFlags(0)
+	msg := message.New(log.Default())

-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
-		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
-		// not fatal: this program runs as the privileged user
+	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
+		log.Fatalf("cannot set $SHELL: %v", err)
 	}

 	if os.Geteuid() == 0 {
@@ -55,14 +42,9 @@ func main() {
 		flagVerbose   bool
 		flagDropShell bool
 	)
-	c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error {
-		internal.InstallFmsg(flagVerbose)
-		return nil
-	}).
+	c := command.New(os.Stderr, log.Printf, "hpkg", func([]string) error { msg.SwapVerbose(flagVerbose); return nil }).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
-		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
-
-	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
+		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")

 	{
 		var (
@@ -84,7 +66,7 @@ func main() {
 			}

 			/*
-				Look up paths to programs started by fpkg.
+				Look up paths to programs started by hpkg.
 				This is done here to ease error handling as cleanup is not yet required.
 			*/

@@ -99,31 +81,32 @@ func main() {
 				Extract package and set up for cleanup.
 			*/

-			var workDir string
-			if p, err := os.MkdirTemp("", "fpkg.*"); err != nil {
+			var workDir *check.Absolute
+			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
-			} else {
-				workDir = p
+			} else if workDir, err = check.NewAbs(p); err != nil {
+				log.Printf("invalid temporary directory: %v", err)
+				return err
 			}
 			cleanup := func() {
 				// should be faster than a native implementation
-				mustRun(chmod, "-R", "+w", workDir)
-				mustRun(rm, "-rf", workDir)
+				mustRun(msg, chmod, "-R", "+w", workDir.String())
+				mustRun(msg, rm, "-rf", workDir.String())
 			}
 			beforeRunFail.Store(&cleanup)

-			mustRun(tar, "-C", workDir, "-xf", pkgPath)
+			mustRun(msg, tar, "-C", workDir.String(), "-xf", pkgPath)

 			/*
 				Parse bundle and app metadata, do pre-install checks.
 			*/

-			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
+			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
 			pathSet := pathSetByApp(bundle.ID)

 			a := bundle
-			if s, err := os.Stat(pathSet.metaPath); err != nil {
+			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
 				if !os.IsNotExist(err) {
 					cleanup()
 					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
@@ -135,7 +118,7 @@ func main() {
 				log.Printf("metadata path %q is not a file", pathSet.metaPath)
 				return syscall.EBADMSG
 			} else {
-				a = loadAppInfo(pathSet.metaPath, cleanup)
+				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
 				if a.ID != bundle.ID {
 					cleanup()
 					log.Printf("app %q claims to have identifier %q",
@@ -157,19 +140,19 @@ func main() {
 					return errSuccess
 				}

-				// AppID determines uid
-				if a.AppID != bundle.AppID {
+				// identity determines uid
+				if a.Identity != bundle.Identity {
 					cleanup()
-					log.Printf("package %q app id %d differs from installed %d",
-						pkgPath, bundle.AppID, a.AppID)
+					log.Printf("package %q identity %d differs from installed %d",
+						pkgPath, bundle.Identity, a.Identity)
 					return syscall.EBADE
 				}

 				// sec: should compare version string
-				fmsg.Verbosef("installing application %q version %q over local %q",
+				msg.Verbosef("installing application %q version %q over local %q",
 					bundle.ID, bundle.Version, a.Version)
 			} else {
-				fmsg.Verbosef("application %q clean installation", bundle.ID)
+				msg.Verbosef("application %q clean installation", bundle.ID)
 				// sec: should install credentials
 			}

@@ -177,9 +160,9 @@ func main() {
 				Setup steps for files owned by the target user.
 			*/

-			withCacheDir(ctx, "install", []string{
+			withCacheDir(ctx, msg, "install", []string{
 				// export inner bundle path in the environment
-				"export BUNDLE=" + fst.Tmp + "/bundle",
+				"export BUNDLE=" + hst.PrivateTmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
@@ -199,7 +182,7 @@ func main() {
 			}, workDir, bundle, pathSet, flagDropShell, cleanup)

 			if bundle.GPU {
-				withCacheDir(ctx, "mesa-wrappers", []string{
+				withCacheDir(ctx, msg, "mesa-wrappers", []string{
 					// link nixGL mesa wrappers
 					"mkdir -p nix/.nixGL",
 					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
@@ -211,14 +194,14 @@ func main() {
 				Activate home-manager generation.
 			*/

-			withNixDaemon(ctx, "activate", []string{
+			withNixDaemon(ctx, msg, "activate", []string{
 				// clean up broken links
 				"mkdir -p .local/state/{nix,home-manager}",
 				"chmod -R +w .local/state/{nix,home-manager}",
 				"rm -rf .local/state/{nix,home-manager}",
 				// run activation script
 				bundle.ActivationPackage + "/activate",
-			}, false, func(config *fst.Config) *fst.Config { return config },
+			}, false, func(config *hst.Config) *hst.Config { return config },
 				bundle, pathSet, flagDropShellActivate, cleanup)

 			/*
@@ -226,7 +209,7 @@ func main() {
 			*/

 			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
+			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 				cleanup()
 				log.Printf("cannot create metadata file: %v", err)
 				return err
@@ -239,7 +222,7 @@ func main() {
 				// not fatal
 			}

-			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
+			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
 				cleanup()
 				log.Printf("cannot rename metadata file: %v", err)
 				return err
@@ -268,7 +251,7 @@ func main() {

 			id := args[0]
 			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath, func() {})
+			a := loadAppInfo(pathSet.metaPath.String(), func() {})
 			if a.ID != id {
 				log.Printf("app %q claims to have identifier %q", id, a.ID)
 				return syscall.EBADE
@@ -279,7 +262,7 @@ func main() {
 			*/

 			if a.GPU && flagAutoDrivers {
-				withNixDaemon(ctx, "nix-gl", []string{
+				withNixDaemon(ctx, msg, "nix-gl", []string{
 					"mkdir -p /nix/.nixGL/auto",
 					"rm -rf /nix/.nixGL/auto",
 					"export NIXPKGS_ALLOW_UNFREE=1",
@@ -291,14 +274,14 @@ func main() {
 						"--out-link /nix/.nixGL/auto/vulkan " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
-				}, true, func(config *fst.Config) *fst.Config {
-					config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
-						{Src: "/etc/resolv.conf"},
-						{Src: "/sys/block"},
-						{Src: "/sys/bus"},
-						{Src: "/sys/class"},
-						{Src: "/sys/dev"},
-						{Src: "/sys/devices"},
+				}, true, func(config *hst.Config) *hst.Config {
+					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
 					}...)
 					appendGPUFilesystem(config)
 					return config
@@ -309,23 +292,24 @@ func main() {
 				Create app configuration.
 			*/

+			pathname := a.Launcher
 			argv := make([]string, 1, len(args))
-			if !flagDropShell {
-				argv[0] = a.Launcher
+			if flagDropShell {
+				pathname = pathShell
+				argv[0] = bash
 			} else {
-				argv[0] = shellPath
+				argv[0] = a.Launcher.String()
 			}
 			argv = append(argv, args[1:]...)
-
-			config := a.toFst(pathSet, argv, flagDropShell)
+			config := a.toHst(pathSet, pathname, argv, flagDropShell)

 			/*
 				Expose GPU devices.
 			*/

 			if a.GPU {
-				config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
-					&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
+				config.Container.Filesystem = append(config.Container.Filesystem,
+					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsPrivateTmp.Append("nixGL")}})
 				appendGPUFilesystem(config)
 			}

@@ -333,7 +317,7 @@ func main() {
 				Spawn app.
 			*/

-			mustRunApp(ctx, config, func() {})
+			mustRunApp(ctx, msg, config, func() {})
 			return errSuccess
 		}).
 			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
@@ -341,9 +325,9 @@ func main() {
 	}

 	c.MustParse(os.Args[1:], func(err error) {
-		fmsg.Verbosef("command returned %v", err)
+		msg.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
-			fmsg.BeforeExit()
+			msg.BeforeExit()
 			os.Exit(0)
 		}
 	})
--- a/cmd/hpkg/paths.go
+++ b/cmd/hpkg/paths.go
@@ -0,0 +1,117 @@
+package main
+
+import (
+	"log"
+	"os"
+	"os/exec"
+	"strconv"
+	"sync/atomic"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/hst"
+	"hakurei.app/message"
+)
+
+const bash = "bash"
+
+var (
+	dataHome *check.Absolute
+)
+
+func init() {
+	// dataHome
+	if a, err := check.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
+		dataHome = a
+	} else {
+		dataHome = fhs.AbsVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
+	}
+}
+
+var (
+	pathBin = fhs.AbsRoot.Append("bin")
+
+	pathNix           = check.MustAbs("/nix/")
+	pathNixStore      = pathNix.Append("store/")
+	pathCurrentSystem = fhs.AbsRun.Append("current-system")
+	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
+	pathShell         = pathSwBin.Append(bash)
+
+	pathData     = check.MustAbs("/data")
+	pathDataData = pathData.Append("data")
+)
+
+func lookPath(file string) string {
+	if p, err := exec.LookPath(file); err != nil {
+		log.Fatalf("%s: command not found", file)
+		return ""
+	} else {
+		return p
+	}
+}
+
+var beforeRunFail = new(atomic.Pointer[func()])
+
+func mustRun(msg message.Msg, name string, arg ...string) {
+	msg.Verbosef("spawning process: %q %q", name, arg)
+	cmd := exec.Command(name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		if f := beforeRunFail.Swap(nil); f != nil {
+			(*f)()
+		}
+		log.Fatalf("%s: %v", name, err)
+	}
+}
+
+type appPathSet struct {
+	// ${dataHome}/${id}
+	baseDir *check.Absolute
+	// ${baseDir}/app
+	metaPath *check.Absolute
+	// ${baseDir}/files
+	homeDir *check.Absolute
+	// ${baseDir}/cache
+	cacheDir *check.Absolute
+	// ${baseDir}/cache/nix
+	nixPath *check.Absolute
+}
+
+func pathSetByApp(id string) *appPathSet {
+	pathSet := new(appPathSet)
+	pathSet.baseDir = dataHome.Append(id)
+	pathSet.metaPath = pathSet.baseDir.Append("app")
+	pathSet.homeDir = pathSet.baseDir.Append("files")
+	pathSet.cacheDir = pathSet.baseDir.Append("cache")
+	pathSet.nixPath = pathSet.cacheDir.Append("nix")
+	return pathSet
+}
+
+func appendGPUFilesystem(config *hst.Config) {
+	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
+		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("dri"), Device: true, Optional: true}},
+		// mali
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali0"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("umplock"), Device: true, Optional: true}},
+		// nvidia
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidiactl"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-modeset"), Device: true, Optional: true}},
+		// nvidia OpenCL/CUDA
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
+
+		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia1"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia3"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia5"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia7"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia9"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia11"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia13"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia15"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia17"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia19"), Device: true, Optional: true}},
+	}...)
+}
--- a/cmd/hpkg/proc.go
+++ b/cmd/hpkg/proc.go
@@ -0,0 +1,61 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+
+	"hakurei.app/hst"
+	"hakurei.app/internal/info"
+	"hakurei.app/message"
+)
+
+var hakureiPathVal = info.MustHakureiPath().String()
+
+func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
+	var (
+		cmd *exec.Cmd
+		st  io.WriteCloser
+	)
+
+	if r, w, err := os.Pipe(); err != nil {
+		beforeFail()
+		log.Fatalf("cannot pipe: %v", err)
+	} else {
+		if msg.IsVerbose() {
+			cmd = exec.CommandContext(ctx, hakureiPathVal, "-v", "app", "3")
+		} else {
+			cmd = exec.CommandContext(ctx, hakureiPathVal, "app", "3")
+		}
+		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+		cmd.ExtraFiles = []*os.File{r}
+		st = w
+	}
+
+	go func() {
+		if err := json.NewEncoder(st).Encode(config); err != nil {
+			beforeFail()
+			log.Fatalf("cannot send configuration: %v", err)
+		}
+	}()
+
+	if err := cmd.Start(); err != nil {
+		beforeFail()
+		log.Fatalf("cannot start hakurei: %v", err)
+	}
+	if err := cmd.Wait(); err != nil {
+		var exitError *exec.ExitError
+		if errors.As(err, &exitError) {
+			beforeFail()
+			msg.BeforeExit()
+			os.Exit(exitError.ExitCode())
+		} else {
+			beforeFail()
+			log.Fatalf("cannot wait: %v", err)
+		}
+	}
+}
--- a/cmd/hpkg/test/configuration.nix
+++ b/cmd/hpkg/test/configuration.nix
@@ -50,11 +50,13 @@
    ];
  };

-  environment.fortify = {
+  environment.hakurei = {
    enable = true;
-    stateDir = "/var/lib/fortify";
+    stateDir = "/var/lib/hakurei";
    users.alice = 0;

-    home-manager = _: _: { home.stateVersion = "23.05"; };
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
  };
 }
--- a/cmd/hpkg/test/default.nix
+++ b/cmd/hpkg/test/default.nix
@@ -1,5 +1,5 @@
 {
-  nixosTest,
+  testers,
  callPackage,

  system,
@@ -8,8 +8,8 @@
 let
  buildPackage = self.buildPackage.${system};
 in
-nixosTest {
-  name = "fpkg";
+testers.nixosTest {
+  name = "hpkg";
  nodes.machine = {
    environment.etc = {
      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
@@ -18,7 +18,7 @@ nixosTest {
    imports = [
      ./configuration.nix

-      self.nixosModules.fortify
+      self.nixosModules.hakurei
      self.inputs.home-manager.nixosModules.home-manager
    ];
  };
--- a/cmd/hpkg/test/foot.nix
+++ b/cmd/hpkg/test/foot.nix
@@ -10,7 +10,7 @@ buildPackage {
  name = "foot";
  inherit (foot) version;

-  app_id = 2;
+  identity = 2;
  id = "org.codeberg.dnkl.foot";

  modules = [
--- a/cmd/hpkg/test/test.py
+++ b/cmd/hpkg/test/test.py
@@ -47,62 +47,64 @@ def wait_for_window(pattern):


 def collect_state_ui(name):
-    swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
+    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
    machine.copy_from_vm(f"/tmp/{name}.ps", "")
-    swaymsg(f"exec fortify --json ps > '/tmp/{name}.json'")
+    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
    machine.copy_from_vm(f"/tmp/{name}.json", "")
    machine.screenshot(name)


 def check_state(name, enablements):
-    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps"))
+    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
    if len(instances) != 1:
        raise Exception(f"unexpected state length {len(instances)}")
-    instance = next(iter(instances.values()))
+    instance = instances[0]

-    config = instance['config']
+    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
+        raise Exception(f"unexpected args {instance['container']['args']}")

-    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['args'][0]):
-        raise Exception(f"unexpected args {instance['config']['args']}")
-
-    if config['confinement']['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
+    if instance['enablements'] != enablements:
+        raise Exception(f"unexpected enablements {instance['enablements']}")


 start_all()
 machine.wait_for_unit("multi-user.target")

-# To check fortify's version:
-print(machine.succeed("sudo -u alice -i fortify version"))
+# To check hakurei's version:
+print(machine.succeed("sudo -u alice -i hakurei version"))

 # Wait for Sway to complete startup:
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")

-# Prepare fpkg directory:
-machine.succeed("install -dm 0700 -o alice -g users /var/lib/fortify/1000")
+# Prepare hpkg directory:
+machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")

-# Install fpkg app:
-swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
-machine.wait_for_file("/tmp/fpkg-install-done")
+# Install hpkg app:
+swaymsg("exec hpkg -v install /etc/foot.pkg && touch /tmp/hpkg-install-ok")
+machine.wait_for_file("/tmp/hpkg-install-ok")

 # Start app (foot) with Wayland enablement:
-swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
-wait_for_window("fortify@machine-foot")
+swaymsg("exec hpkg -v start org.codeberg.dnkl.foot")
+wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
+machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", 13)
+check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")

 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")

-# Print fortify runDir contents:
-print(machine.succeed("find /run/user/1000/fortify"))
+# Print hakurei share and rundir contents:
+print(machine.succeed("find /tmp/hakurei.0 "
+    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
+    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
+    + "-print"))
+print(machine.fail("ls /run/user/1000/hakurei"))
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@@ -0,0 +1,130 @@
+package main
+
+import (
+	"context"
+	"os"
+	"strings"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/hst"
+	"hakurei.app/message"
+)
+
+func withNixDaemon(
+	ctx context.Context,
+	msg message.Msg,
+	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
+) {
+	flags := hst.FMultiarch | hst.FUserns // nix sandbox requires userns
+	if net {
+		flags |= hst.FHostNet
+	}
+	if dropShell {
+		flags |= hst.FTty
+	}
+
+	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
+		ID: app.ID,
+
+		ExtraPerms: []hst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+		},
+
+		Identity: app.Identity,
+
+		Container: &hst.ContainerConfig{
+			Hostname: formatHostname(app.Name) + "-" + action,
+
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
+				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
+				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
+				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
+				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
+			},
+
+			Username: "hakurei",
+			Shell:    pathShell,
+			Home:     pathDataData.Append(app.ID),
+
+			Path: pathShell,
+			Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+				// start nix-daemon
+				"nix-daemon --store / & " +
+				// wait for socket to appear
+				"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
+				// create directory so nix stops complaining
+				"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
+				strings.Join(command, " && ") +
+				// terminate nix-daemon
+				" && pkill nix-daemon",
+			},
+
+			Flags: flags,
+		},
+	}), dropShell, beforeFail)
+}
+
+func withCacheDir(
+	ctx context.Context,
+	msg message.Msg,
+	action string, command []string, workDir *check.Absolute,
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
+) {
+	flags := hst.FMultiarch
+	if dropShell {
+		flags |= hst.FTty
+	}
+
+	mustRunAppDropShell(ctx, msg, &hst.Config{
+		ID: app.ID,
+
+		ExtraPerms: []hst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			{Path: workDir, Execute: true},
+		},
+
+		Identity: app.Identity,
+
+		Container: &hst.ContainerConfig{
+			Hostname: formatHostname(app.Name) + "-" + action,
+
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: workDir.Append(fhs.Etc), Special: true}},
+				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
+				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
+				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
+				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
+				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsPrivateTmp.Append("bundle")}},
+				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}},
+			},
+
+			Username: "nixos",
+			Shell:    pathShell,
+			Home:     pathDataData.Append(app.ID, "cache"),
+
+			Path: pathShell,
+			Args: []string{bash, "-lc", strings.Join(command, " && ")},
+
+			Flags: flags,
+		},
+	}, dropShell, beforeFail)
+}
+
+func mustRunAppDropShell(ctx context.Context, msg message.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
+	if dropShell {
+		if config.Container != nil {
+			config.Container.Args = []string{bash, "-l"}
+		}
+		mustRunApp(ctx, msg, config, beforeFail)
+		beforeFail()
+		msg.BeforeExit()
+		os.Exit(0)
+	}
+	mustRunApp(ctx, msg, config, beforeFail)
+}
--- a/cmd/hsu/hst.go
+++ b/cmd/hsu/hst.go
@@ -0,0 +1,16 @@
+package main
+
+/* copied from hst and must never be changed */
+
+const (
+	userOffset = 100000
+	rangeSize  = userOffset / 10
+
+	identityStart = 0
+	identityEnd   = appEnd - appStart
+
+	appStart = rangeSize * 1
+	appEnd   = appStart + rangeSize - 1
+)
+
+func toUser(userid, appid uint32) uint32 { return userid*userOffset + appStart + appid }
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -1,11 +1,14 @@
 package main

+// minimise imports to avoid inadvertently calling init or global variable functions
+
 import (
 	"bytes"
 	"fmt"
 	"log"
 	"os"
 	"path"
+	"runtime"
 	"slices"
 	"strconv"
 	"strings"
@@ -13,85 +16,98 @@ import (
 )

 const (
-	fsuConfFile = "/etc/fsurc"
-	envShim     = "FORTIFY_SHIM"
-	envAID      = "FORTIFY_APP_ID"
-	envGroups   = "FORTIFY_GROUPS"
-
-	PR_SET_NO_NEW_PRIVS = 0x26
+	// envIdentity is the name of the environment variable holding a
+	// single byte representing the shim setup pipe file descriptor.
+	envShim = "HAKUREI_SHIM"
+	// envGroups holds a ' ' separated list of string representations of
+	// supplementary group gid. Membership requirements are enforced.
+	envGroups = "HAKUREI_GROUPS"
 )

+// hakureiPath is the absolute path to Hakurei.
+//
+// This is set by the linker.
+var hakureiPath string
+
 func main() {
+	const PR_SET_NO_NEW_PRIVS = 0x26
+	runtime.LockOSThread()
+
 	log.SetFlags(0)
-	log.SetPrefix("fsu: ")
+	log.SetPrefix("hsu: ")
 	log.SetOutput(os.Stderr)

 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
 	}
+	if os.Getegid() != os.Getgid() {
+		log.Fatal("this program must not have the setgid bit set")
+	}

 	puid := os.Getuid()
 	if puid == 0 {
 		log.Fatal("this program must not be started by root")
 	}

+	if !path.IsAbs(hakureiPath) {
+		log.Fatal("this program is compiled incorrectly")
+		return
+	}
+
 	var toolPath string
 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
-		log.Fatal("fortify executable has been deleted")
-	} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
-		log.Fatal("this program must be started by fortify")
+		log.Fatal("hakurei executable has been deleted")
+	} else if p != hakureiPath {
+		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
 	}

-	// uid = 1000000 +
-	//   fid * 10000 +
-	//           aid
-	uid := 1000000
-
-	// refuse to run if fsurc is not protected correctly
-	if s, err := os.Stat(fsuConfFile); err != nil {
+	// refuse to run if hsurc is not protected correctly
+	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
-		log.Fatal("bad fsurc perm")
+		log.Fatal("bad hsurc perm")
 	} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
-		log.Fatal("fsurc must be owned by uid 0")
+		log.Fatal("hsurc must be owned by uid 0")
 	}

 	// authenticate before accepting user input
-	if f, err := os.Open(fsuConfFile); err != nil {
-		log.Fatal(err)
-	} else if fid, ok := mustParseConfig(f, puid); !ok {
-		log.Fatalf("uid %d is not in the fsurc file", puid)
-	} else {
-		uid += fid * 10000
-	}
-
-	// allowed aid range 0 to 9999
-	if as, ok := os.LookupEnv(envAID); !ok {
-		log.Fatal("FORTIFY_APP_ID not set")
-	} else if aid, err := parseUint32Fast(as); err != nil || aid < 0 || aid > 9999 {
-		log.Fatal("invalid aid")
-	} else {
-		uid += aid
-	}
+	userid := mustParseConfig(puid)

 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
-		// fortify requests target uid
-		// print resolved uid and exit
-		fmt.Print(uid)
+		// hakurei requests hsurc user id
+		fmt.Print(userid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
-		log.Fatal("FORTIFY_SHIM holds an invalid value")
+		log.Fatal("HAKUREI_SHIM holds an invalid value")
 	} else {
 		shimSetupFd = s
 	}

+	// start is going ahead at this point
+	identity := mustReadIdentity()
+
+	const (
+		// first possible uid outcome
+		uidStart = 10000
+		// last possible uid outcome
+		uidEnd = 999919999
+	)
+
+	// cast to int for use with library functions
+	uid := int(toUser(userid, identity))
+
+	// final bounds check to catch any bugs
+	if uid < uidStart || uid >= uidEnd {
+		panic("uid out of bounds")
+	}
+
 	// supplementary groups
 	var suppGroups, suppCurrent []int

@@ -119,12 +135,7 @@ func main() {
 		suppGroups = []int{uid}
 	}

-	// final bounds check to catch any bugs
-	if uid < 1000000 || uid >= 2000000 {
-		panic("uid out of bounds")
-	}
-
-	// careful! users in the allowlist is effectively allowed to drop groups via fsu
+	// careful! users in the allowlist is effectively allowed to drop groups via hsu

 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
@@ -138,7 +149,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

--- a/cmd/hsu/package.nix
+++ b/cmd/hsu/package.nix
@@ -0,0 +1,23 @@
+{
+  lib,
+  buildGoModule,
+  hakurei ? abort "hakurei package required",
+}:
+
+buildGoModule {
+  pname = "${hakurei.pname}-hsu";
+  inherit (hakurei) version;
+
+  src = ./.;
+  inherit (hakurei) vendorHash;
+  env.CGO_ENABLED = 0;
+
+  preBuild = ''
+    go mod init hsu >& /dev/null
+  '';
+
+  ldflags = lib.attrsets.foldlAttrs (
+    ldflags: name: value:
+    ldflags ++ [ "-X main.${name}=${value}" ]
+  ) [ "-s -w" ] { hakureiPath = "${hakurei}/libexec/hakurei"; };
+}
--- a/cmd/hsu/parse.go
+++ b/cmd/hsu/parse.go
@@ -0,0 +1,133 @@
+package main
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"math"
+	"os"
+	"strings"
+)
+
+const (
+	// useridStart is the first userid.
+	useridStart = 0
+	// useridEnd is the last userid.
+	useridEnd = useridStart + rangeSize - 1
+)
+
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer value
+// using the fast path only. This limits the range of values it is defined in.
+func parseUint32Fast(s string) (uint32, error) {
+	sLen := len(s)
+	if sLen < 1 {
+		return 0, errors.New("zero length string")
+	}
+	if sLen > 10 {
+		return 0, errors.New("string too long")
+	}
+
+	var n uint32
+	for i, ch := range []byte(s) {
+		ch -= '0'
+		if ch > 9 {
+			return 0, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
+		}
+		n = n*10 + uint32(ch)
+	}
+	return n, nil
+}
+
+// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
+//
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
+// of the string representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the string representation of its userid. Duplicate uid
+// entries are ignored, with the first occurrence taking effect.
+//
+// All string representations are parsed by calling parseUint32Fast.
+func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
+	s := bufio.NewScanner(r)
+	var (
+		line  uintptr
+		puid0 uint32
+	)
+	for s.Scan() {
+		line++
+
+		// <puid> <userid>
+		lf := strings.SplitN(s.Text(), " ", 2)
+		if len(lf) != 2 {
+			return useridEnd + 1, false, fmt.Errorf("invalid entry on line %d", line)
+		}
+
+		puid0, err = parseUint32Fast(lf[0])
+		if err != nil || puid0 < 1 {
+			return useridEnd + 1, false, fmt.Errorf("invalid parent uid on line %d", line)
+		}
+
+		ok = puid0 == puid
+		if ok {
+			// userid bound to a range, uint32 size allows this to be increased if needed
+			if userid, err = parseUint32Fast(lf[1]); err != nil ||
+				userid < useridStart || userid > useridEnd {
+				return useridEnd + 1, false, fmt.Errorf("invalid userid on line %d", line)
+			}
+			return
+		}
+	}
+	return useridEnd + 1, false, s.Err()
+}
+
+// hsuConfPath is an absolute pathname to the hsu configuration file.
+// Its contents are interpreted by parseConfig.
+const hsuConfPath = "/etc/hsurc"
+
+// mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
+// terminating the program if an error is encountered, the syntax is incorrect,
+// or the current user is not authorised to use hsu because its uid is missing.
+//
+// Therefore, code after this function call can assume an authenticated state.
+//
+// mustParseConfig returns the userid value of the current user.
+func mustParseConfig(puid int) (userid uint32) {
+	if puid > math.MaxUint32 {
+		log.Fatalf("got impossible uid %d", puid)
+	}
+
+	var ok bool
+	if f, err := os.Open(hsuConfPath); err != nil {
+		log.Fatal(err)
+	} else if userid, ok, err = parseConfig(f, uint32(puid)); err != nil {
+		log.Fatal(err)
+	} else if err = f.Close(); err != nil {
+		log.Fatal(err)
+	}
+	if !ok {
+		log.Fatalf("uid %d is not in the hsurc file", puid)
+	}
+
+	return
+}
+
+// envIdentity is the name of the environment variable holding a
+// string representation of the current application identity.
+var envIdentity = "HAKUREI_IDENTITY"
+
+// mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
+// terminating the program if the value is not set, malformed, or out of bounds.
+func mustReadIdentity() uint32 {
+	// ranges defined in hst and copied to this package to avoid importing hst
+	if as, ok := os.LookupEnv(envIdentity); !ok {
+		log.Fatal("HAKUREI_IDENTITY not set")
+		panic("unreachable")
+	} else if identity, err := parseUint32Fast(as); err != nil ||
+		identity < identityStart || identity > identityEnd {
+		log.Fatal("invalid identity")
+		panic("unreachable")
+	} else {
+		return identity
+	}
+}
--- a/cmd/hsu/parse_test.go
+++ b/cmd/hsu/parse_test.go
@@ -2,94 +2,105 @@ package main

 import (
 	"bytes"
+	"math"
 	"strconv"
 	"testing"
 )

-func Test_parseUint32Fast(t *testing.T) {
+func TestParseUint32Fast(t *testing.T) {
+	t.Parallel()
+
 	t.Run("zero-length", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast(""); err == nil || err.Error() != "zero length string" {
 			t.Errorf(`parseUint32Fast(""): error = %v`, err)
 			return
 		}
 	})
+
 	t.Run("overflow", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast("10000000000"); err == nil || err.Error() != "string too long" {
 			t.Errorf("parseUint32Fast: error = %v", err)
 			return
 		}
 	})
+
 	t.Run("invalid byte", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast("meow"); err == nil || err.Error() != "invalid character 'm' at index 0" {
 			t.Errorf(`parseUint32Fast("meow"): error = %v`, err)
 			return
 		}
 	})
-	t.Run("full range", func(t *testing.T) {
-		testRange := func(i, end int) {
+
+	t.Run("range", func(t *testing.T) {
+		t.Parallel()
+
+		testRange := func(i, end uint32) {
 			for ; i < end; i++ {
-				s := strconv.Itoa(i)
+				s := strconv.Itoa(int(i))
 				w := i
 				t.Run("parse "+s, func(t *testing.T) {
 					t.Parallel()
+
 					v, err := parseUint32Fast(s)
 					if err != nil {
-						t.Errorf("parseUint32Fast(%q): error = %v",
-							s, err)
+						t.Errorf("parseUint32Fast(%q): error = %v", s, err)
 						return
 					}
 					if v != w {
-						t.Errorf("parseUint32Fast(%q): got %v",
-							s, v)
+						t.Errorf("parseUint32Fast(%q): got %v", s, v)
 						return
 					}
 				})
 			}
 		}

-		testRange(0, 5000)
-		testRange(105000, 110000)
-		testRange(23005000, 23010000)
-		testRange(456005000, 456010000)
-		testRange(7890005000, 7890010000)
+		testRange(0, 2500)
+		testRange(23002500, 23005000)
+		testRange(math.MaxUint32-2500, math.MaxUint32)
 	})
 }

-func Test_parseConfig(t *testing.T) {
+func TestParseConfig(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name       string
-		puid, want int
+		puid, want uint32
 		wantErr    string
 		rc         string
 	}{
-		{"empty", 0, -1, "", ``},
-		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
-		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid fortify uid on line 1", `1000 f`},
+		{"empty", 0, useridEnd + 1, "", ``},
+		{"invalid field", 0, useridEnd + 1, "invalid entry on line 1", `9`},
+		{"invalid puid", 0, useridEnd + 1, "invalid parent uid on line 1", `f 9`},
+		{"invalid userid", 1000, useridEnd + 1, "invalid userid on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			t.Parallel()
+
+			userid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
 			if err == nil && tc.wantErr != "" {
-				t.Errorf("parseConfig: error = %v; wantErr %q",
-					err, tc.wantErr)
+				t.Errorf("parseConfig: error = %v; want %q", err, tc.wantErr)
 				return
 			}
 			if err != nil && err.Error() != tc.wantErr {
-				t.Errorf("parseConfig: error = %q; wantErr %q",
-					err, tc.wantErr)
+				t.Errorf("parseConfig: error = %q; want %q", err, tc.wantErr)
 				return
 			}
-			if ok == (tc.want == -1) {
-				t.Errorf("parseConfig: ok = %v; want %v",
-					ok, tc.want)
+			if ok == (tc.want == useridEnd+1) {
+				t.Errorf("parseConfig: ok = %v; want %v", ok, tc.want)
 				return
 			}
-			if fid != tc.want {
-				t.Errorf("parseConfig: fid = %v; want %v",
-					fid, tc.want)
+			if userid != tc.want {
+				t.Errorf("parseConfig: %v; want %v", userid, tc.want)
 			}
 		})
 	}
--- a/command/builder_test.go
+++ b/command/builder_test.go
@@ -3,10 +3,11 @@ package command_test
 import (
 	"testing"

-	"git.gensokyo.uk/security/fortify/command"
+	"hakurei.app/command"
 )

 func TestBuild(t *testing.T) {
+	t.Parallel()
 	c := command.New(nil, nil, "test", nil)
 	stubHandler := func([]string) error { panic("unreachable") }

--- a/command/parse_test.go
+++ b/command/parse_test.go
@@ -10,10 +10,12 @@ import (
 	"strings"
 	"testing"

-	"git.gensokyo.uk/security/fortify/command"
+	"hakurei.app/command"
 )

 func TestParse(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name      string
 		buildTree func(wout, wlog io.Writer) command.Command
@@ -251,6 +253,7 @@ Commands:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			wout, wlog := new(bytes.Buffer), new(bytes.Buffer)
 			c := tc.buildTree(wout, wlog)

--- a/command/unreachable_test.go
+++ b/command/unreachable_test.go
@@ -6,15 +6,19 @@ import (
 )

 func TestParseUnreachable(t *testing.T) {
+	t.Parallel()
+
 	// top level bypasses name matching and recursive calls to Parse
 	// returns when encountering zero-length args
 	t.Run("zero-length args", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "attempted to parse with zero length args")
 		_ = newNode(panicWriter{}, nil, " ", " ").Parse(nil)
 	})

 	// top level must not have siblings
 	t.Run("toplevel siblings", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid toplevel state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		n.append(newNode(panicWriter{}, nil, "  ", " "))
@@ -23,6 +27,7 @@ func TestParseUnreachable(t *testing.T) {

 	// a node with descendents must not have a direct handler
 	t.Run("sub handle conflict", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid subcommand tree state")
 		n := newNode(panicWriter{}, nil, " ", " ")
 		n.adopt(newNode(panicWriter{}, nil, " ", " "))
@@ -32,6 +37,7 @@ func TestParseUnreachable(t *testing.T) {

 	// this would only happen if a node was matched twice
 	t.Run("parsed flag set", func(t *testing.T) {
+		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid set state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		set := flag.NewFlagSet("parsed", flag.ContinueOnError)
--- a/comp/_fortify
+++ b/comp/_fortify
@@ -1,82 +0,0 @@
-#compdef fortify
-
-_fortify_app() {
-  __fortify_files
-  return $?
-}
-
-_fortify_run() {
-  _arguments \
-    '--id[App ID, leave empty to disable security context app_id]:id' \
-    '-a[Fortify application ID]: :_numbers' \
-    '-g[Groups inherited by the app process]: :_groups' \
-    '-d[Application home directory]: :_files -/' \
-    '-u[Passwd name within sandbox]: :_users' \
-    '--wayland[Share Wayland socket]' \
-    '-X[Share X11 socket and allow connection]' \
-    '--dbus[Proxy D-Bus connection]' \
-    '--pulse[Share PulseAudio socket and cookie]' \
-    '--dbus-config[Path to D-Bus proxy config file]: :_files -g "*.json"' \
-    '--dbus-system[Path to system D-Bus proxy config file]: :_files -g "*.json"' \
-    '--mpris[Allow owning MPRIS D-Bus path]' \
-    '--dbus-log[Force logging in the D-Bus proxy]'
-}
-
-_fortify_ps() {
-  _arguments \
-    '--short[Print instance id]'
-}
-
-_fortify_show() {
-  _alternative \
-    'instances:domains:__fortify_instances' \
-    'files:files:__fortify_files'
-}
-
-__fortify_files() {
-  _files -g "*.(json|ftfy)"
-  return $?
-}
-
-__fortify_instances() {
-  local -a out
-  shift -p
-  out=( ${(f)"$(_call_program commands fortify ps --short 2>&1)"} )
-  if (( $#out == 0 )); then
-    _message "No active instances"
-  else
-    _describe "active instances" out
-  fi
-  return $?
-}
-
-(( $+functions[_fortify_commands] )) || _fortify_commands()
-{
-  local -a _fortify_cmds
-  _fortify_cmds=(
-    "app:Launch app defined by the specified config file"
-    "run:Configure and start a permissive default sandbox"
-    "show:Show the contents of an app configuration"
-    "ps:List active apps and their state"
-    "version:Show fortify version"
-    "license:Show full license text"
-    "template:Produce a config template"
-    "help:Show help message"
-  )
-  if (( CURRENT == 1 )); then
-    _describe -t commands 'action' _fortify_cmds || compadd "$@"
-  else
-    local curcontext="$curcontext"
-    cmd="${${_fortify_cmds[(r)$words[1]:*]%%:*}}"
-    if (( $+functions[_fortify_$cmd] )); then
-      _fortify_$cmd
-    else
-      _message "no more options"
-    fi
-  fi
-}
-
-_arguments -C \
-  '-v[Verbose output]' \
-  '--json[Format output in JSON when applicable]' \
-  '*::fortify command:_fortify_commands'
--- a/container/autoetc.go
+++ b/container/autoetc.go
@@ -0,0 +1,72 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+)
+
+func init() { gob.Register(new(AutoEtcOp)) }
+
+// Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
+func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
+	e := &AutoEtcOp{prefix}
+	f.Mkdir(fhs.AbsEtc, 0755)
+	f.Bind(host, e.hostPath(), 0)
+	*f = append(*f, e)
+	return f
+}
+
+type AutoEtcOp struct{ Prefix string }
+
+func (e *AutoEtcOp) Valid() bool                                { return e != nil }
+func (e *AutoEtcOp) early(*setupState, syscallDispatcher) error { return nil }
+func (e *AutoEtcOp) apply(state *setupState, k syscallDispatcher) error {
+	if state.nonrepeatable&nrAutoEtc != 0 {
+		return OpRepeatError("autoetc")
+	}
+	state.nonrepeatable |= nrAutoEtc
+
+	const target = sysrootPath + fhs.Etc
+	rel := e.hostRel() + "/"
+
+	if err := k.mkdirAll(target, 0755); err != nil {
+		return err
+	}
+	if d, err := k.readdir(toSysroot(e.hostPath().String())); err != nil {
+		return err
+	} else {
+		for _, ent := range d {
+			n := ent.Name()
+			switch n {
+			case ".host", "passwd", "group":
+
+			case "mtab":
+				if err = k.symlink(fhs.Proc+"mounts", target+n); err != nil {
+					return err
+				}
+
+			default:
+				if err = k.symlink(rel+n, target+n); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}
+func (e *AutoEtcOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (e *AutoEtcOp) hostPath() *check.Absolute { return fhs.AbsEtc.Append(e.hostRel()) }
+func (e *AutoEtcOp) hostRel() string           { return ".host/" + e.Prefix }
+
+func (e *AutoEtcOp) Is(op Op) bool {
+	ve, ok := op.(*AutoEtcOp)
+	return ok && e.Valid() && ve.Valid() && *e == *ve
+}
+func (*AutoEtcOp) prefix() (string, bool) { return "setting up", true }
+func (e *AutoEtcOp) String() string       { return fmt.Sprintf("auto etc %s", e.Prefix) }
--- a/container/autoetc_test.go
+++ b/container/autoetc_test.go
@@ -0,0 +1,297 @@
+package container
+
+import (
+	"errors"
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestAutoEtcOp(t *testing.T) {
+	t.Parallel()
+
+	t.Run("nonrepeatable", func(t *testing.T) {
+		t.Parallel()
+		wantErr := OpRepeatError("autoetc")
+		if err := (&AutoEtcOp{Prefix: "81ceabb30d37bbdb3868004629cb84e9"}).apply(&setupState{nonrepeatable: nrAutoEtc}, nil); !errors.Is(err, wantErr) {
+			t.Errorf("apply: error = %v, want %v", err, wantErr)
+		}
+	})
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"mkdirAll", new(Params), &AutoEtcOp{
+			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, stub.UniqueError(3)),
+		}, stub.UniqueError(3)},
+
+		{"readdir", new(Params), &AutoEtcOp{
+			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
+			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(), stub.UniqueError(2)),
+		}, stub.UniqueError(2)},
+
+		{"symlink", new(Params), &AutoEtcOp{
+			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
+			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(".host",
+				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
+				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
+				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
+				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
+				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
+				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
+				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
+				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, stub.UniqueError(1)),
+		}, stub.UniqueError(1)},
+
+		{"symlink mtab", new(Params), &AutoEtcOp{
+			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
+			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(".host",
+				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
+				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
+				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
+				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
+				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
+				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
+				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
+				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bash_logout", "/sysroot/etc/bash_logout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bashrc", "/sysroot/etc/bashrc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/binfmt.d", "/sysroot/etc/binfmt.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dbus-1", "/sysroot/etc/dbus-1"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/default", "/sysroot/etc/default"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dhcpcd.exit-hook", "/sysroot/etc/dhcpcd.exit-hook"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fonts", "/sysroot/etc/fonts"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fstab", "/sysroot/etc/fstab"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fuse.conf", "/sysroot/etc/fuse.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/host.conf", "/sysroot/etc/host.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hostname", "/sysroot/etc/hostname"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hosts", "/sysroot/etc/hosts"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hsurc", "/sysroot/etc/hsurc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/inputrc", "/sysroot/etc/inputrc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/issue", "/sysroot/etc/issue"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/kbd", "/sysroot/etc/kbd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/locale.conf", "/sysroot/etc/locale.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/login.defs", "/sysroot/etc/login.defs"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lsb-release", "/sysroot/etc/lsb-release"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lvm", "/sysroot/etc/lvm"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/machine-id", "/sysroot/etc/machine-id"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/man_db.conf", "/sysroot/etc/man_db.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/mdadm.conf", "/sysroot/etc/mdadm.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modprobe.d", "/sysroot/etc/modprobe.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modules-load.d", "/sysroot/etc/modules-load.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, stub.UniqueError(0)),
+		}, stub.UniqueError(0)},
+
+		{"success nested", new(Params), &AutoEtcOp{
+			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
+			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(".host",
+				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
+				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
+				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
+				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
+				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
+				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
+				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
+				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bash_logout", "/sysroot/etc/bash_logout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bashrc", "/sysroot/etc/bashrc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/binfmt.d", "/sysroot/etc/binfmt.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dbus-1", "/sysroot/etc/dbus-1"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/default", "/sysroot/etc/default"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dhcpcd.exit-hook", "/sysroot/etc/dhcpcd.exit-hook"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fonts", "/sysroot/etc/fonts"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fstab", "/sysroot/etc/fstab"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fuse.conf", "/sysroot/etc/fuse.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/host.conf", "/sysroot/etc/host.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hostname", "/sysroot/etc/hostname"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hosts", "/sysroot/etc/hosts"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hsurc", "/sysroot/etc/hsurc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/inputrc", "/sysroot/etc/inputrc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/issue", "/sysroot/etc/issue"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/kbd", "/sysroot/etc/kbd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/locale.conf", "/sysroot/etc/locale.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/login.defs", "/sysroot/etc/login.defs"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lsb-release", "/sysroot/etc/lsb-release"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lvm", "/sysroot/etc/lvm"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/machine-id", "/sysroot/etc/machine-id"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/man_db.conf", "/sysroot/etc/man_db.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/mdadm.conf", "/sysroot/etc/mdadm.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modprobe.d", "/sysroot/etc/modprobe.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modules-load.d", "/sysroot/etc/modules-load.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nanorc", "/sysroot/etc/nanorc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/netgroup", "/sysroot/etc/netgroup"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nix", "/sysroot/etc/nix"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nixos", "/sysroot/etc/nixos"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/NIXOS", "/sysroot/etc/NIXOS"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nscd.conf", "/sysroot/etc/nscd.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nsswitch.conf", "/sysroot/etc/nsswitch.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/os-release", "/sysroot/etc/os-release"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam", "/sysroot/etc/pam"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam.d", "/sysroot/etc/pam.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pipewire", "/sysroot/etc/pipewire"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pki", "/sysroot/etc/pki"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/polkit-1", "/sysroot/etc/polkit-1"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/profile", "/sysroot/etc/profile"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/protocols", "/sysroot/etc/protocols"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolv.conf", "/sysroot/etc/resolv.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolvconf.conf", "/sysroot/etc/resolvconf.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/rpc", "/sysroot/etc/rpc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/services", "/sysroot/etc/services"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/set-environment", "/sysroot/etc/set-environment"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shadow", "/sysroot/etc/shadow"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shells", "/sysroot/etc/shells"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssh", "/sysroot/etc/ssh"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssl", "/sysroot/etc/ssl"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/static", "/sysroot/etc/static"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subgid", "/sysroot/etc/subgid"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subuid", "/sysroot/etc/subuid"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sudoers", "/sysroot/etc/sudoers"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sway", "/sysroot/etc/sway"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sysctl.d", "/sysroot/etc/sysctl.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/systemd", "/sysroot/etc/systemd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/terminfo", "/sysroot/etc/terminfo"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/tmpfiles.d", "/sysroot/etc/tmpfiles.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/udev", "/sysroot/etc/udev"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/vconsole.conf", "/sysroot/etc/vconsole.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/X11", "/sysroot/etc/X11"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/xdg", "/sysroot/etc/xdg"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/zoneinfo", "/sysroot/etc/zoneinfo"}, nil, nil),
+		}, nil},
+
+		{"success", new(Params), &AutoEtcOp{
+			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
+			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(
+				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
+				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
+				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
+				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
+				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
+				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
+				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
+				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bash_logout", "/sysroot/etc/bash_logout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bashrc", "/sysroot/etc/bashrc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/binfmt.d", "/sysroot/etc/binfmt.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dbus-1", "/sysroot/etc/dbus-1"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/default", "/sysroot/etc/default"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dhcpcd.exit-hook", "/sysroot/etc/dhcpcd.exit-hook"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fonts", "/sysroot/etc/fonts"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fstab", "/sysroot/etc/fstab"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fuse.conf", "/sysroot/etc/fuse.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/host.conf", "/sysroot/etc/host.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hostname", "/sysroot/etc/hostname"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hosts", "/sysroot/etc/hosts"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hsurc", "/sysroot/etc/hsurc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/inputrc", "/sysroot/etc/inputrc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/issue", "/sysroot/etc/issue"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/kbd", "/sysroot/etc/kbd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/locale.conf", "/sysroot/etc/locale.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/login.defs", "/sysroot/etc/login.defs"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lsb-release", "/sysroot/etc/lsb-release"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lvm", "/sysroot/etc/lvm"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/machine-id", "/sysroot/etc/machine-id"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/man_db.conf", "/sysroot/etc/man_db.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/mdadm.conf", "/sysroot/etc/mdadm.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modprobe.d", "/sysroot/etc/modprobe.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modules-load.d", "/sysroot/etc/modules-load.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nanorc", "/sysroot/etc/nanorc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/netgroup", "/sysroot/etc/netgroup"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nix", "/sysroot/etc/nix"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nixos", "/sysroot/etc/nixos"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/NIXOS", "/sysroot/etc/NIXOS"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nscd.conf", "/sysroot/etc/nscd.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nsswitch.conf", "/sysroot/etc/nsswitch.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/os-release", "/sysroot/etc/os-release"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam", "/sysroot/etc/pam"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam.d", "/sysroot/etc/pam.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pipewire", "/sysroot/etc/pipewire"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pki", "/sysroot/etc/pki"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/polkit-1", "/sysroot/etc/polkit-1"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/profile", "/sysroot/etc/profile"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/protocols", "/sysroot/etc/protocols"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolv.conf", "/sysroot/etc/resolv.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolvconf.conf", "/sysroot/etc/resolvconf.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/rpc", "/sysroot/etc/rpc"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/services", "/sysroot/etc/services"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/set-environment", "/sysroot/etc/set-environment"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shadow", "/sysroot/etc/shadow"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shells", "/sysroot/etc/shells"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssh", "/sysroot/etc/ssh"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssl", "/sysroot/etc/ssl"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/static", "/sysroot/etc/static"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subgid", "/sysroot/etc/subgid"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subuid", "/sysroot/etc/subuid"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sudoers", "/sysroot/etc/sudoers"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sway", "/sysroot/etc/sway"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sysctl.d", "/sysroot/etc/sysctl.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/systemd", "/sysroot/etc/systemd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/terminfo", "/sysroot/etc/terminfo"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/tmpfiles.d", "/sysroot/etc/tmpfiles.d"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/udev", "/sysroot/etc/udev"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/vconsole.conf", "/sysroot/etc/vconsole.conf"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/X11", "/sysroot/etc/X11"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/xdg", "/sysroot/etc/xdg"}, nil, nil),
+			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/zoneinfo", "/sysroot/etc/zoneinfo"}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*AutoEtcOp)(nil), false},
+		{"zero", new(AutoEtcOp), true},
+		{"populated", &AutoEtcOp{Prefix: ":3"}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"pd", new(Ops).Etc(check.MustAbs("/etc/"), "048090b6ed8f9ebb10e275ff5d8c0659"), Ops{
+			&MkdirOp{Path: check.MustAbs("/etc/"), Perm: 0755},
+			&BindMountOp{
+				Source: check.MustAbs("/etc/"),
+				Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+			},
+			&AutoEtcOp{Prefix: "048090b6ed8f9ebb10e275ff5d8c0659"},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(AutoEtcOp), new(AutoEtcOp), true},
+		{"differs", &AutoEtcOp{Prefix: "\x00"}, &AutoEtcOp{":3"}, false},
+		{"equals", &AutoEtcOp{Prefix: ":3"}, &AutoEtcOp{":3"}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"etc", &AutoEtcOp{
+			Prefix: ":3",
+		}, "setting up", "auto etc :3"},
+	})
+
+	t.Run("host path rel", func(t *testing.T) {
+		t.Parallel()
+		op := &AutoEtcOp{Prefix: "048090b6ed8f9ebb10e275ff5d8c0659"}
+		wantHostPath := "/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"
+		wantHostRel := ".host/048090b6ed8f9ebb10e275ff5d8c0659"
+		if got := op.hostPath(); got.String() != wantHostPath {
+			t.Errorf("hostPath: %q, want %q", got, wantHostPath)
+		}
+		if got := op.hostRel(); got != wantHostRel {
+			t.Errorf("hostRel: %q, want %q", got, wantHostRel)
+		}
+	})
+}
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -0,0 +1,98 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/message"
+)
+
+func init() { gob.Register(new(AutoRootOp)) }
+
+// Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
+// This is not a generic setup op. It is implemented here to reduce ipc overhead.
+func (f *Ops) Root(host *check.Absolute, flags int) *Ops {
+	*f = append(*f, &AutoRootOp{host, flags, nil})
+	return f
+}
+
+type AutoRootOp struct {
+	Host *check.Absolute
+	// passed through to bindMount
+	Flags int
+
+	// obtained during early;
+	// these wrap the underlying Op because BindMountOp is relatively complex,
+	// so duplicating that code would be unwise
+	resolved []*BindMountOp
+}
+
+func (r *AutoRootOp) Valid() bool { return r != nil && r.Host != nil }
+
+func (r *AutoRootOp) early(state *setupState, k syscallDispatcher) error {
+	if d, err := k.readdir(r.Host.String()); err != nil {
+		return err
+	} else {
+		r.resolved = make([]*BindMountOp, 0, len(d))
+		for _, ent := range d {
+			name := ent.Name()
+			if IsAutoRootBindable(state, name) {
+				// careful: the Valid method is skipped, make sure this is always valid
+				op := &BindMountOp{
+					Source: r.Host.Append(name),
+					Target: fhs.AbsRoot.Append(name),
+					Flags:  r.Flags,
+				}
+				if err = op.early(state, k); err != nil {
+					return err
+				}
+				r.resolved = append(r.resolved, op)
+			}
+		}
+		return nil
+	}
+}
+
+func (r *AutoRootOp) apply(state *setupState, k syscallDispatcher) error {
+	if state.nonrepeatable&nrAutoRoot != 0 {
+		return OpRepeatError("autoroot")
+	}
+	state.nonrepeatable |= nrAutoRoot
+
+	for _, op := range r.resolved {
+		// these are exclusively BindMountOp, do not attempt to print identifying message
+		if err := op.apply(state, k); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+func (r *AutoRootOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (r *AutoRootOp) Is(op Op) bool {
+	vr, ok := op.(*AutoRootOp)
+	return ok && r.Valid() && vr.Valid() &&
+		r.Host.Is(vr.Host) &&
+		r.Flags == vr.Flags
+}
+func (*AutoRootOp) prefix() (string, bool) { return "setting up", true }
+func (r *AutoRootOp) String() string {
+	return fmt.Sprintf("auto root %q flags %#x", r.Host, r.Flags)
+}
+
+// IsAutoRootBindable returns whether a dir entry name is selected for AutoRoot.
+func IsAutoRootBindable(msg message.Msg, name string) bool {
+	switch name {
+	case "proc", "dev", "tmp", "mnt", "etc":
+
+	case "": // guard against accidentally binding /
+		// should be unreachable
+		msg.Verbose("got unexpected root entry")
+
+	default:
+		return true
+	}
+	return false
+}
--- a/container/autoroot_test.go
+++ b/container/autoroot_test.go
@@ -0,0 +1,214 @@
+package container
+
+import (
+	"errors"
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/std"
+	"hakurei.app/container/stub"
+	"hakurei.app/message"
+)
+
+func TestAutoRootOp(t *testing.T) {
+	t.Run("nonrepeatable", func(t *testing.T) {
+		t.Parallel()
+		wantErr := OpRepeatError("autoroot")
+		if err := new(AutoRootOp).apply(&setupState{nonrepeatable: nrAutoRoot}, nil); !errors.Is(err, wantErr) {
+			t.Errorf("apply: error = %v, want %v", err, wantErr)
+		}
+	})
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, []stub.Call{
+			call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
+		}, stub.UniqueError(2), nil, nil},
+
+		{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, []stub.Call{
+			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
+				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
+			call("evalSymlinks", stub.ExpectArgs{"/bin"}, "", stub.UniqueError(1)),
+		}, stub.UniqueError(1), nil, nil},
+
+		{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, []stub.Call{
+			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
+				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
+			call("evalSymlinks", stub.ExpectArgs{"/bin"}, "/usr/bin", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/home"}, "/home", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/lib64"}, "/lib64", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/lost+found"}, "/lost+found", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/nix"}, "/nix", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/root"}, "/root", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/run"}, "/run", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/srv"}, "/srv", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/sys"}, "/sys", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/usr"}, "/usr", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var"}, "/var", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(false), stub.UniqueError(0)),
+		}, stub.UniqueError(0)},
+
+		{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, []stub.Call{
+			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
+				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
+			call("evalSymlinks", stub.ExpectArgs{"/bin"}, "/usr/bin", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/home"}, "/home", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/lib64"}, "/lib64", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/lost+found"}, "/lost+found", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/nix"}, "/nix", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/root"}, "/root", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/run"}, "/run", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/srv"}, "/srv", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/sys"}, "/sys", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/usr"}, "/usr", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var"}, "/var", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/home"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/home", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/home", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/home", "/sysroot/home", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/lib64"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lib64", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/lib64", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/lib64", "/sysroot/lib64", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/lost+found"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lost+found", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/lost+found", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/lost+found", "/sysroot/lost+found", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/nix"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/nix", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/nix", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/nix", "/sysroot/nix", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/root"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/root", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/root", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/root", "/sysroot/root", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/run"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/run", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/run", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/run", "/sysroot/run", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/srv"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/srv", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/srv", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/srv", "/sysroot/srv", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/sys"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/sys", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/sys", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/sys", "/sysroot/sys", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/usr"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/usr", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/usr", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/usr", "/sysroot/usr", uintptr(0x4004), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/var", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/var", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var", "/sysroot/var", uintptr(0x4004), false}, nil, nil),
+		}, nil},
+
+		{"success", &Params{ParentPerm: 0750}, &AutoRootOp{
+			Host: check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
+		}, []stub.Call{
+			call("readdir", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, stubDir("bin", "dev", "etc", "home", "lib64",
+				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/bin"}, "/var/lib/planterette/base/debian:f92c9052/usr/bin", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/home"}, "/var/lib/planterette/base/debian:f92c9052/home", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/lib64"}, "/var/lib/planterette/base/debian:f92c9052/lib64", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/lost+found"}, "/var/lib/planterette/base/debian:f92c9052/lost+found", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/nix"}, "/var/lib/planterette/base/debian:f92c9052/nix", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/root"}, "/var/lib/planterette/base/debian:f92c9052/root", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/run"}, "/var/lib/planterette/base/debian:f92c9052/run", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/srv"}, "/var/lib/planterette/base/debian:f92c9052/srv", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/sys"}, "/var/lib/planterette/base/debian:f92c9052/sys", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/usr"}, "/var/lib/planterette/base/debian:f92c9052/usr", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/var"}, "/var/lib/planterette/base/debian:f92c9052/var", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr/bin"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/home"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/home", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/home", "/sysroot/home", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/home", "/sysroot/home", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lib64"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lib64", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/lib64", "/sysroot/lib64", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lib64", "/sysroot/lib64", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lost+found"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lost+found", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/lost+found", "/sysroot/lost+found", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lost+found", "/sysroot/lost+found", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/nix"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/nix", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/nix", "/sysroot/nix", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/nix", "/sysroot/nix", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/root"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/root", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/root", "/sysroot/root", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/root", "/sysroot/root", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/run"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/run", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/run", "/sysroot/run", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/run", "/sysroot/run", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/srv"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/srv", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/srv", "/sysroot/srv", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/srv", "/sysroot/srv", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/sys"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/sys", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/sys", "/sysroot/sys", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/sys", "/sysroot/sys", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/usr", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/usr", "/sysroot/usr", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr", "/sysroot/usr", uintptr(0x4005), false}, nil, nil),
+			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/var"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/var", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/var", "/sysroot/var", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/var", "/sysroot/var", uintptr(0x4005), false}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*AutoRootOp)(nil), false},
+		{"zero", new(AutoRootOp), false},
+		{"valid", &AutoRootOp{Host: check.MustAbs("/")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"pd", new(Ops).Root(check.MustAbs("/"), std.BindWritable), Ops{
+			&AutoRootOp{
+				Host:  check.MustAbs("/"),
+				Flags: std.BindWritable,
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(AutoRootOp), new(AutoRootOp), false},
+
+		{"internal ne", &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, &AutoRootOp{
+			Host:     check.MustAbs("/"),
+			Flags:    std.BindWritable,
+			resolved: []*BindMountOp{new(BindMountOp)},
+		}, true},
+
+		{"flags differs", &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable | std.BindDevice,
+		}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, false},
+
+		{"host differs", &AutoRootOp{
+			Host:  check.MustAbs("/tmp/"),
+			Flags: std.BindWritable,
+		}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, false},
+
+		{"equals", &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"root", &AutoRootOp{
+			Host:  check.MustAbs("/"),
+			Flags: std.BindWritable,
+		}, "setting up", `auto root "/" flags 0x2`},
+	})
+}
+
+func TestIsAutoRootBindable(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		want bool
+		log  bool
+	}{
+		{"proc", false, false},
+		{"dev", false, false},
+		{"tmp", false, false},
+		{"mnt", false, false},
+		{"etc", false, false},
+		{"", false, true},
+
+		{"var", true, false},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			var msg message.Msg
+			if tc.log {
+				msg = &kstub{nil, nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
+					call("verbose", stub.ExpectArgs{[]any{"got unexpected root entry"}}, nil, nil),
+				}})}
+			}
+			if got := IsAutoRootBindable(msg, tc.name); got != tc.want {
+				t.Errorf("IsAutoRootBindable: %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
--- a/container/capability.go
+++ b/container/capability.go
@@ -0,0 +1,58 @@
+package container
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+const (
+	_LINUX_CAPABILITY_VERSION_3 = 0x20080522
+
+	PR_CAP_AMBIENT           = 0x2f
+	PR_CAP_AMBIENT_RAISE     = 0x2
+	PR_CAP_AMBIENT_CLEAR_ALL = 0x4
+
+	CAP_SYS_ADMIN    = 0x15
+	CAP_SETPCAP      = 0x8
+	CAP_DAC_OVERRIDE = 0x1
+)
+
+type (
+	capHeader struct {
+		version uint32
+		pid     int32
+	}
+
+	capData struct {
+		effective   uint32
+		permitted   uint32
+		inheritable uint32
+	}
+)
+
+// See CAP_TO_INDEX in linux/capability.h:
+func capToIndex(cap uintptr) uintptr { return cap >> 5 }
+
+// See CAP_TO_MASK in linux/capability.h:
+func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
+
+func capset(hdrp *capHeader, datap *[2]capData) error {
+	r, _, errno := syscall.Syscall(
+		syscall.SYS_CAPSET,
+		uintptr(unsafe.Pointer(hdrp)),
+		uintptr(unsafe.Pointer(&datap[0])), 0,
+	)
+	if r != 0 {
+		return errno
+	}
+	return nil
+}
+
+// capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
+func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
+
+// capAmbientClearAll clears the ambient capability set of the calling thread.
+func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
+
+// capAmbientRaise adds to the ambient capability set of the calling thread.
+func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
--- a/container/capability_test.go
+++ b/container/capability_test.go
@@ -0,0 +1,47 @@
+package container
+
+import "testing"
+
+func TestCapToIndex(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		cap  uintptr
+		want uintptr
+	}{
+		{"CAP_SYS_ADMIN", CAP_SYS_ADMIN, 0},
+		{"CAP_SETPCAP", CAP_SETPCAP, 0},
+		{"CAP_DAC_OVERRIDE", CAP_DAC_OVERRIDE, 0},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := capToIndex(tc.cap); got != tc.want {
+				t.Errorf("capToIndex: %#x, want %#x", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestCapToMask(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		cap  uintptr
+		want uint32
+	}{
+		{"CAP_SYS_ADMIN", CAP_SYS_ADMIN, 0x200000},
+		{"CAP_SETPCAP", CAP_SETPCAP, 0x100},
+		{"CAP_DAC_OVERRIDE", CAP_DAC_OVERRIDE, 0x2},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := capToMask(tc.cap); got != tc.want {
+				t.Errorf("capToMask: %#x, want %#x", got, tc.want)
+			}
+		})
+	}
+}
--- a/container/check/absolute.go
+++ b/container/check/absolute.go
@@ -0,0 +1,104 @@
+// Package check provides types yielding values checked to meet a condition.
+package check
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"path"
+	"slices"
+	"strings"
+	"syscall"
+)
+
+// AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
+type AbsoluteError struct{ Pathname string }
+
+func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
+func (e *AbsoluteError) Is(target error) bool {
+	var ce *AbsoluteError
+	if !errors.As(target, &ce) {
+		return errors.Is(target, syscall.EINVAL)
+	}
+	return *e == *ce
+}
+
+// Absolute holds a pathname checked to be absolute.
+type Absolute struct{ pathname string }
+
+// unsafeAbs returns [check.Absolute] on any string value.
+func unsafeAbs(pathname string) *Absolute { return &Absolute{pathname} }
+
+func (a *Absolute) String() string {
+	if a.pathname == "" {
+		panic("attempted use of zero Absolute")
+	}
+	return a.pathname
+}
+
+func (a *Absolute) Is(v *Absolute) bool {
+	if a == nil && v == nil {
+		return true
+	}
+	return a != nil && v != nil &&
+		a.pathname != "" && v.pathname != "" &&
+		a.pathname == v.pathname
+}
+
+// NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
+func NewAbs(pathname string) (*Absolute, error) {
+	if !path.IsAbs(pathname) {
+		return nil, &AbsoluteError{pathname}
+	}
+	return unsafeAbs(pathname), nil
+}
+
+// MustAbs calls [NewAbs] and panics on error.
+func MustAbs(pathname string) *Absolute {
+	if a, err := NewAbs(pathname); err != nil {
+		panic(err)
+	} else {
+		return a
+	}
+}
+
+// Append calls [path.Join] with [Absolute] as the first element.
+func (a *Absolute) Append(elem ...string) *Absolute {
+	return unsafeAbs(path.Join(append([]string{a.String()}, elem...)...))
+}
+
+// Dir calls [path.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
+
+func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+func (a *Absolute) GobDecode(data []byte) error {
+	pathname := string(data)
+	if !path.IsAbs(pathname) {
+		return &AbsoluteError{pathname}
+	}
+	a.pathname = pathname
+	return nil
+}
+
+func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+func (a *Absolute) UnmarshalJSON(data []byte) error {
+	var pathname string
+	if err := json.Unmarshal(data, &pathname); err != nil {
+		return err
+	}
+	if !path.IsAbs(pathname) {
+		return &AbsoluteError{pathname}
+	}
+	a.pathname = pathname
+	return nil
+}
+
+// SortAbs calls [slices.SortFunc] for a slice of [Absolute].
+func SortAbs(x []*Absolute) {
+	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+}
+
+// CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
+func CompactAbs(s []*Absolute) []*Absolute {
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+}
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -0,0 +1,401 @@
+package check_test
+
+import (
+	"bytes"
+	"encoding/gob"
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	_ "unsafe" // for go:linkname
+
+	. "hakurei.app/container/check"
+)
+
+// unsafeAbs returns check.Absolute on any string value.
+//
+//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
+func unsafeAbs(pathname string) *Absolute
+
+func TestAbsoluteError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+
+		err error
+		cmp error
+		ok  bool
+	}{
+		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
+		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
+		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
+		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
+	}
+
+	for _, tc := range testCases {
+		if got := errors.Is(tc.err, tc.cmp); got != tc.ok {
+			t.Errorf("Is: %v, want %v", got, tc.ok)
+		}
+	}
+
+	t.Run("string", func(t *testing.T) {
+		t.Parallel()
+
+		want := `path "etc" is not absolute`
+		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+}
+
+func TestNewAbs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+
+		pathname string
+		want     *Absolute
+		wantErr  error
+	}{
+		{"good", "/etc", MustAbs("/etc"), nil},
+		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
+		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := NewAbs(tc.pathname)
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("NewAbs: %#v, want %#v", got, tc.want)
+			}
+			if !errors.Is(err, tc.wantErr) {
+				t.Errorf("NewAbs: error = %v, want %v", err, tc.wantErr)
+			}
+		})
+	}
+
+	t.Run("must", func(t *testing.T) {
+		t.Parallel()
+
+		defer func() {
+			wantPanic := &AbsoluteError{Pathname: "etc"}
+
+			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
+				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
+			}
+		}()
+
+		MustAbs("etc")
+	})
+}
+
+func TestAbsoluteString(t *testing.T) {
+	t.Run("passthrough", func(t *testing.T) {
+		t.Parallel()
+
+		pathname := "/etc"
+		if got := unsafeAbs(pathname).String(); got != pathname {
+			t.Errorf("String: %q, want %q", got, pathname)
+		}
+	})
+
+	t.Run("zero", func(t *testing.T) {
+		t.Parallel()
+
+		defer func() {
+			wantPanic := "attempted use of zero Absolute"
+
+			if r := recover(); r != wantPanic {
+				t.Errorf("String: panic = %v, want %v", r, wantPanic)
+			}
+		}()
+
+		panic(new(Absolute).String())
+	})
+}
+
+func TestAbsoluteIs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		a, v *Absolute
+		want bool
+	}{
+		{"nil", (*Absolute)(nil), (*Absolute)(nil), true},
+		{"nil a", (*Absolute)(nil), MustAbs("/"), false},
+		{"nil v", MustAbs("/"), (*Absolute)(nil), false},
+		{"zero", new(Absolute), new(Absolute), false},
+		{"zero a", new(Absolute), MustAbs("/"), false},
+		{"zero v", MustAbs("/"), new(Absolute), false},
+		{"equals", MustAbs("/"), MustAbs("/"), true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.a.Is(tc.v); got != tc.want {
+				t.Errorf("Is: %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+type sCheck struct {
+	Pathname *Absolute `json:"val"`
+	Magic    uint64    `json:"magic"`
+}
+
+func TestCodecAbsolute(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		a    *Absolute
+
+		wantErr error
+
+		gob, sGob   string
+		json, sJson string
+	}{
+		{"nil", nil, nil,
+			"\x00", "\x00",
+			`null`, `{"val":null,"magic":3236757504}`},
+
+		{"good", MustAbs("/etc"),
+			nil,
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+
+			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
+		{"not absolute", nil,
+			&AbsoluteError{Pathname: "etc"},
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+
+			`"etc"`, `{"val":"etc","magic":3236757504}`},
+		{"zero", nil,
+			new(AbsoluteError),
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			`""`, `{"val":"","magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("gob", func(t *testing.T) {
+				if tc.gob == "\x00" && tc.sGob == "\x00" {
+					// these values mark the current test to skip gob
+					return
+				}
+				t.Parallel()
+
+				t.Run("encode", func(t *testing.T) {
+					t.Parallel()
+
+					// encode is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSEncode
+						}
+						if buf.String() != tc.gob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.gob)
+						}
+					}
+
+				checkSEncode:
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if buf.String() != tc.sGob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.sGob)
+						}
+					}
+				})
+
+				t.Run("decode", func(t *testing.T) {
+					t.Parallel()
+
+					{
+						var gotA *Absolute
+						err := gob.NewDecoder(strings.NewReader(tc.gob)).Decode(&gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSDecode
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Decode: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSDecode:
+					{
+						var gotSCheck sCheck
+						err := gob.NewDecoder(strings.NewReader(tc.sGob)).Decode(&gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Decode: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+
+			})
+
+			t.Run("json", func(t *testing.T) {
+				t.Parallel()
+
+				t.Run("marshal", func(t *testing.T) {
+					t.Parallel()
+
+					// marshal is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						d, err := json.Marshal(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSMarshal
+						}
+						if string(d) != tc.json {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.json)
+						}
+					}
+
+				checkSMarshal:
+					{
+						d, err := json.Marshal(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if string(d) != tc.sJson {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sJson)
+						}
+					}
+				})
+
+				t.Run("unmarshal", func(t *testing.T) {
+					t.Parallel()
+
+					{
+						var gotA *Absolute
+						err := json.Unmarshal([]byte(tc.json), &gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSUnmarshal
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Unmarshal: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSUnmarshal:
+					{
+						var gotSCheck sCheck
+						err := json.Unmarshal([]byte(tc.sJson), &gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Unmarshal: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+			})
+		})
+	}
+
+	t.Run("json passthrough", func(t *testing.T) {
+		t.Parallel()
+
+		wantErr := "invalid character ':' looking for beginning of value"
+		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
+			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
+		}
+	})
+}
+
+func TestAbsoluteWrap(t *testing.T) {
+	t.Parallel()
+
+	t.Run("join", func(t *testing.T) {
+		t.Parallel()
+
+		want := "/etc/nix/nix.conf"
+		if got := MustAbs("/etc").Append("nix", "nix.conf"); got.String() != want {
+			t.Errorf("Append: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("dir", func(t *testing.T) {
+		t.Parallel()
+
+		want := "/"
+		if got := MustAbs("/etc").Dir(); got.String() != want {
+			t.Errorf("Dir: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		got := []*Absolute{MustAbs("/proc"), MustAbs("/sys"), MustAbs("/etc")}
+		SortAbs(got)
+		if !reflect.DeepEqual(got, want) {
+			t.Errorf("SortAbs: %#v, want %#v", got, want)
+		}
+	})
+
+	t.Run("compact", func(t *testing.T) {
+		t.Parallel()
+
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		if got := CompactAbs([]*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/proc"), MustAbs("/sys")}); !reflect.DeepEqual(got, want) {
+			t.Errorf("CompactAbs: %#v, want %#v", got, want)
+		}
+	})
+}
--- a/container/check/overlay.go
+++ b/container/check/overlay.go
@@ -0,0 +1,29 @@
+package check
+
+import "strings"
+
+const (
+	// SpecialOverlayEscape is the escape string for overlay mount options.
+	SpecialOverlayEscape = `\`
+	// SpecialOverlayOption is the separator string between overlay mount options.
+	SpecialOverlayOption = ","
+	// SpecialOverlayPath is the separator string between overlay paths.
+	SpecialOverlayPath = ":"
+)
+
+// EscapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
+func EscapeOverlayDataSegment(s string) string {
+	if s == "" {
+		return ""
+	}
+
+	if f := strings.SplitN(s, "\x00", 2); len(f) > 0 {
+		s = f[0]
+	}
+
+	return strings.NewReplacer(
+		SpecialOverlayEscape, SpecialOverlayEscape+SpecialOverlayEscape,
+		SpecialOverlayOption, SpecialOverlayEscape+SpecialOverlayOption,
+		SpecialOverlayPath, SpecialOverlayEscape+SpecialOverlayPath,
+	).Replace(s)
+}
--- a/container/check/overlay_test.go
+++ b/container/check/overlay_test.go
@@ -0,0 +1,31 @@
+package check_test
+
+import (
+	"testing"
+
+	"hakurei.app/container/check"
+)
+
+func TestEscapeOverlayDataSegment(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		s    string
+		want string
+	}{
+		{"zero", "", ""},
+		{"multi", `\\\:,:,\\\`, `\\\\\\\:\,\:\,\\\\\\`},
+		{"bwrap", `/path :,\`, `/path \:\,\\`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := check.EscapeOverlayDataSegment(tc.s); got != tc.want {
+				t.Errorf("escapeOverlayDataSegment: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
--- a/container/container.go
+++ b/container/container.go
@@ -0,0 +1,468 @@
+// Package container implements unprivileged Linux containers with built-in support for syscall filtering.
+package container
+
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"sync"
+	. "syscall"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+const (
+	// CancelSignal is the signal expected by container init on context cancel.
+	// A custom [Container.Cancel] function must eventually deliver this signal.
+	CancelSignal = SIGUSR2
+
+	// Timeout for writing initParams to Container.setup.
+	initSetupTimeout = 5 * time.Second
+)
+
+type (
+	// Container represents a container environment being prepared or run.
+	// None of [Container] methods are safe for concurrent use.
+	Container struct {
+		// Cgroup fd, nil to disable.
+		Cgroup *int
+		// ExtraFiles passed through to initial process in the container,
+		// with behaviour identical to its [exec.Cmd] counterpart.
+		ExtraFiles []*os.File
+
+		// param pipe for shim and init
+		setup *os.File
+		// cancels cmd
+		cancel context.CancelFunc
+		// closed after Wait returns
+		wait chan struct{}
+
+		Stdin  io.Reader
+		Stdout io.Writer
+		Stderr io.Writer
+
+		Cancel    func(cmd *exec.Cmd) error
+		WaitDelay time.Duration
+
+		cmd *exec.Cmd
+		ctx context.Context
+		msg message.Msg
+		Params
+	}
+
+	// Params holds container configuration and is safe to serialise.
+	Params struct {
+		// Working directory in the container.
+		Dir *check.Absolute
+		// Initial process environment.
+		Env []string
+		// Pathname of initial process in the container.
+		Path *check.Absolute
+		// Initial process argv.
+		Args []string
+		// Deliver SIGINT to the initial process on context cancellation.
+		ForwardCancel bool
+		// Time to wait for processes lingering after the initial process terminates.
+		AdoptWaitDelay time.Duration
+
+		// Mapped Uid in user namespace.
+		Uid int
+		// Mapped Gid in user namespace.
+		Gid int
+		// Hostname value in UTS namespace.
+		Hostname string
+		// Sequential container setup ops.
+		*Ops
+
+		// Seccomp system call filter rules.
+		SeccompRules []std.NativeRule
+		// Extra seccomp flags.
+		SeccompFlags seccomp.ExportFlag
+		// Seccomp presets. Has no effect unless SeccompRules is zero-length.
+		SeccompPresets std.FilterPreset
+		// Do not load seccomp program.
+		SeccompDisable bool
+
+		// Permission bits of newly created parent directories.
+		// The zero value is interpreted as 0755.
+		ParentPerm os.FileMode
+		// Do not syscall.Setsid.
+		RetainSession bool
+		// Do not [syscall.CLONE_NEWNET].
+		HostNet bool
+		// Do not [LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET].
+		HostAbstract bool
+		// Retain CAP_SYS_ADMIN.
+		Privileged bool
+	}
+)
+
+// A StartError contains additional information on a container startup failure.
+type StartError struct {
+	// Fatal suggests whether this error should be considered fatal for the entire program.
+	Fatal bool
+	// Step refers to the part of the setup this error is returned from.
+	Step string
+	// Err is the underlying error.
+	Err error
+	// Origin is whether this error originated from the [Container.Start] method.
+	Origin bool
+	// Passthrough is whether the Error method is passed through to Err.
+	Passthrough bool
+}
+
+func (e *StartError) Unwrap() error { return e.Err }
+func (e *StartError) Error() string {
+	if e.Passthrough {
+		return e.Err.Error()
+	}
+	if e.Origin {
+		return e.Step
+	}
+
+	{
+		var syscallError *os.SyscallError
+		if errors.As(e.Err, &syscallError) && syscallError != nil {
+			return e.Step + " " + syscallError.Error()
+		}
+	}
+
+	return e.Step + ": " + e.Err.Error()
+}
+
+// Message returns a user-facing error message.
+func (e *StartError) Message() string {
+	if e.Passthrough {
+		var (
+			numError *strconv.NumError
+		)
+
+		switch {
+		case errors.As(e.Err, new(*os.PathError)),
+			errors.As(e.Err, new(*os.SyscallError)):
+			return "cannot " + e.Err.Error()
+
+		case errors.As(e.Err, &numError) && numError != nil:
+			return "cannot parse " + strconv.Quote(numError.Num) + ": " + numError.Err.Error()
+
+		default:
+			return e.Err.Error()
+		}
+	}
+	if e.Origin {
+		return e.Step
+	}
+	return "cannot " + e.Error()
+}
+
+// for ensureCloseOnExec
+var (
+	closeOnExecOnce sync.Once
+	closeOnExecErr  error
+)
+
+// ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
+// This is only ran once as it is intended to handle files left open by the parent, and any file opened
+// on this side should already have syscall.FD_CLOEXEC set.
+func ensureCloseOnExec() error {
+	closeOnExecOnce.Do(func() {
+		const fdPrefixPath = "/proc/self/fd/"
+
+		var entries []os.DirEntry
+		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
+			return
+		}
+
+		var fd int
+		for _, ent := range entries {
+			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
+				break // not reached
+			}
+			CloseOnExec(fd)
+		}
+	})
+
+	if closeOnExecErr == nil {
+		return nil
+	}
+	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
+}
+
+// Start starts the container init. The init process blocks until Serve is called.
+func (p *Container) Start() error {
+	if p == nil || p.cmd == nil ||
+		p.Ops == nil || len(*p.Ops) == 0 {
+		return errors.New("container: starting an invalid container")
+	}
+	if p.cmd.Process != nil {
+		return errors.New("container: already started")
+	}
+
+	if err := ensureCloseOnExec(); err != nil {
+		return err
+	}
+
+	// map to overflow id to work around ownership checks
+	if p.Uid < 1 {
+		p.Uid = OverflowUid(p.msg)
+	}
+	if p.Gid < 1 {
+		p.Gid = OverflowGid(p.msg)
+	}
+
+	if !p.RetainSession {
+		p.SeccompPresets |= std.PresetDenyTTY
+	}
+
+	if p.AdoptWaitDelay == 0 {
+		p.AdoptWaitDelay = 5 * time.Second
+	}
+	// to allow disabling this behaviour
+	if p.AdoptWaitDelay < 0 {
+		p.AdoptWaitDelay = 0
+	}
+
+	if p.cmd.Stdin == nil {
+		p.cmd.Stdin = p.Stdin
+	}
+	if p.cmd.Stdout == nil {
+		p.cmd.Stdout = p.Stdout
+	}
+	if p.cmd.Stderr == nil {
+		p.cmd.Stderr = p.Stderr
+	}
+
+	p.cmd.Args = []string{initName}
+	p.cmd.WaitDelay = p.WaitDelay
+	if p.Cancel != nil {
+		p.cmd.Cancel = func() error { return p.Cancel(p.cmd) }
+	} else {
+		p.cmd.Cancel = func() error { return p.cmd.Process.Signal(CancelSignal) }
+	}
+	p.cmd.Dir = fhs.Root
+	p.cmd.SysProcAttr = &SysProcAttr{
+		Setsid:    !p.RetainSession,
+		Pdeathsig: SIGKILL,
+		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
+			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
+
+		AmbientCaps: []uintptr{
+			// general container setup
+			CAP_SYS_ADMIN,
+			// drop capabilities
+			CAP_SETPCAP,
+			// overlay access to upperdir and workdir
+			CAP_DAC_OVERRIDE,
+		},
+
+		UseCgroupFD: p.Cgroup != nil,
+	}
+	if p.cmd.SysProcAttr.UseCgroupFD {
+		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
+	}
+	if !p.HostNet {
+		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
+	}
+
+	// place setup pipe before user supplied extra files, this is later restored by init
+	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
+		return &StartError{true, "set up params stream", err, false, false}
+	} else {
+		p.setup = f
+		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
+	}
+	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
+
+	done := make(chan error, 1)
+	go func() {
+		runtime.LockOSThread()
+		p.wait = make(chan struct{})
+
+		done <- func() error { // setup depending on per-thread state must happen here
+			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
+			if err := SetNoNewPrivs(); err != nil {
+				return &StartError{true, "prctl(PR_SET_NO_NEW_PRIVS)", err, false, false}
+			}
+
+			// landlock: depends on per-thread state but acts on a process group
+			{
+				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				if !p.HostAbstract {
+					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+				}
+
+				if abi, err := LandlockGetABI(); err != nil {
+					if p.HostAbstract {
+						// landlock can be skipped here as it restricts access to resources
+						// already covered by namespaces (pid)
+						goto landlockOut
+					}
+					return &StartError{false, "get landlock ABI", err, false, false}
+				} else if abi < 6 {
+					if p.HostAbstract {
+						// see above comment
+						goto landlockOut
+					}
+					return &StartError{false, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET", ENOSYS, true, false}
+				} else {
+					p.msg.Verbosef("landlock abi version %d", abi)
+				}
+
+				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
+					return &StartError{true, "create landlock ruleset", err, false, false}
+				} else {
+					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
+					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+						_ = Close(rulesetFd)
+						return &StartError{true, "enforce landlock ruleset", err, false, false}
+					}
+					if err = Close(rulesetFd); err != nil {
+						p.msg.Verbosef("cannot close landlock ruleset: %v", err)
+						// not fatal
+					}
+				}
+
+			landlockOut:
+			}
+
+			p.msg.Verbose("starting container init")
+			if err := p.cmd.Start(); err != nil {
+				return &StartError{false, "start container init", err, false, true}
+			}
+			return nil
+		}()
+
+		// keep this thread alive until Wait returns for cancel
+		<-p.wait
+	}()
+	return <-done
+}
+
+// Serve serves [Container.Params] to the container init.
+// Serve must only be called once.
+func (p *Container) Serve() error {
+	if p.setup == nil {
+		panic("invalid serve")
+	}
+
+	setup := p.setup
+	p.setup = nil
+	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
+		return &StartError{true, "set init pipe deadline", err, false, true}
+	}
+
+	if p.Path == nil {
+		p.cancel()
+		return &StartError{false, "invalid executable pathname", EINVAL, true, false}
+	}
+
+	// do not transmit nil
+	if p.Dir == nil {
+		p.Dir = fhs.AbsRoot
+	}
+	if p.SeccompRules == nil {
+		p.SeccompRules = make([]std.NativeRule, 0)
+	}
+
+	err := gob.NewEncoder(setup).Encode(&initParams{
+		p.Params,
+		Getuid(),
+		Getgid(),
+		len(p.ExtraFiles),
+		p.msg.IsVerbose(),
+	})
+	_ = setup.Close()
+	if err != nil {
+		p.cancel()
+	}
+	return err
+}
+
+// Wait waits for the container init process to exit and releases any resources associated with the [Container].
+func (p *Container) Wait() error {
+	if p.cmd == nil || p.cmd.Process == nil {
+		return EINVAL
+	}
+
+	err := p.cmd.Wait()
+	p.cancel()
+	if p.wait != nil && err == nil {
+		close(p.wait)
+	}
+	return err
+}
+
+// StdinPipe calls the [exec.Cmd] method with the same name.
+func (p *Container) StdinPipe() (w io.WriteCloser, err error) {
+	if p.Stdin != nil {
+		return nil, errors.New("container: Stdin already set")
+	}
+	w, err = p.cmd.StdinPipe()
+	p.Stdin = p.cmd.Stdin
+	return
+}
+
+// StdoutPipe calls the [exec.Cmd] method with the same name.
+func (p *Container) StdoutPipe() (r io.ReadCloser, err error) {
+	if p.Stdout != nil {
+		return nil, errors.New("container: Stdout already set")
+	}
+	r, err = p.cmd.StdoutPipe()
+	p.Stdout = p.cmd.Stdout
+	return
+}
+
+// StderrPipe calls the [exec.Cmd] method with the same name.
+func (p *Container) StderrPipe() (r io.ReadCloser, err error) {
+	if p.Stderr != nil {
+		return nil, errors.New("container: Stderr already set")
+	}
+	r, err = p.cmd.StderrPipe()
+	p.Stderr = p.cmd.Stderr
+	return
+}
+
+func (p *Container) String() string {
+	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
+		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets))
+}
+
+// ProcessState returns the address to os.ProcessState held by the underlying [exec.Cmd].
+func (p *Container) ProcessState() *os.ProcessState {
+	if p.cmd == nil {
+		return nil
+	}
+	return p.cmd.ProcessState
+}
+
+// New returns the address to a new instance of [Container] that requires further initialisation before use.
+func New(ctx context.Context, msg message.Msg) *Container {
+	if msg == nil {
+		msg = message.New(nil)
+	}
+
+	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
+	c, cancel := context.WithCancel(ctx)
+	p.cancel = cancel
+	p.cmd = exec.CommandContext(c, MustExecutable(msg))
+	return p
+}
+
+// NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
+func NewCommand(ctx context.Context, msg message.Msg, pathname *check.Absolute, name string, args ...string) *Container {
+	z := New(ctx, msg)
+	z.Path = pathname
+	z.Args = append([]string{name}, args...)
+	return z
+}
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -0,0 +1,786 @@
+package container_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"os/exec"
+	"os/signal"
+	"reflect"
+	"strconv"
+	"strings"
+	"syscall"
+	"testing"
+	"time"
+
+	"hakurei.app/command"
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/container/vfs"
+	"hakurei.app/hst"
+	"hakurei.app/ldd"
+	"hakurei.app/message"
+)
+
+// Note: this package requires cgo, which is unavailable in the Go playground.
+func Example() {
+	// Must be called early if the current process starts containers.
+	container.TryArgv0(nil)
+
+	// Configure the container.
+	z := container.New(context.Background(), nil)
+	z.Hostname = "hakurei-example"
+	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+
+	// Bind / for demonstration.
+	z.Bind(fhs.AbsRoot, fhs.AbsRoot, 0)
+	if name, err := exec.LookPath("hostname"); err != nil {
+		panic(err)
+	} else {
+		z.Path = check.MustAbs(name)
+	}
+
+	// This completes the first stage of container setup and starts the container init process.
+	// The new process blocks until the Serve method is called.
+	if err := z.Start(); err != nil {
+		panic(err)
+	}
+
+	// This serves the setup payload to the container init process,
+	// starting the second stage of container setup.
+	if err := z.Serve(); err != nil {
+		panic(err)
+	}
+
+	// Must be called if the Start method succeeds.
+	if err := z.Wait(); err != nil {
+		panic(err)
+	}
+
+	// Output: hakurei-example
+}
+
+func TestStartError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		err  error
+		s    string
+		is   error
+		isF  error
+		msg  string
+	}{
+		{"params env", &container.StartError{
+			Fatal: true,
+			Step:  "set up params stream",
+			Err:   container.ErrReceiveEnv,
+		}, "set up params stream: environment variable not set",
+			container.ErrReceiveEnv, syscall.EBADF,
+			"cannot set up params stream: environment variable not set"},
+
+		{"params", &container.StartError{
+			Fatal: true,
+			Step:  "set up params stream",
+			Err:   &os.SyscallError{Syscall: "pipe2", Err: syscall.EBADF},
+		}, "set up params stream pipe2: bad file descriptor",
+			syscall.EBADF, os.ErrInvalid,
+			"cannot set up params stream pipe2: bad file descriptor"},
+
+		{"PR_SET_NO_NEW_PRIVS", &container.StartError{
+			Fatal: true,
+			Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
+			Err:   syscall.EPERM,
+		}, "prctl(PR_SET_NO_NEW_PRIVS): operation not permitted",
+			syscall.EPERM, syscall.EACCES,
+			"cannot prctl(PR_SET_NO_NEW_PRIVS): operation not permitted"},
+
+		{"landlock abi", &container.StartError{
+			Step: "get landlock ABI",
+			Err:  syscall.ENOSYS,
+		}, "get landlock ABI: function not implemented",
+			syscall.ENOSYS, syscall.ENOEXEC,
+			"cannot get landlock ABI: function not implemented"},
+
+		{"landlock old", &container.StartError{
+			Step:   "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
+			Err:    syscall.ENOSYS,
+			Origin: true,
+		}, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
+			syscall.ENOSYS, syscall.ENOSPC,
+			"kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET"},
+
+		{"landlock create", &container.StartError{
+			Fatal: true,
+			Step:  "create landlock ruleset",
+			Err:   syscall.EBADFD,
+		}, "create landlock ruleset: file descriptor in bad state",
+			syscall.EBADFD, syscall.EBADF,
+			"cannot create landlock ruleset: file descriptor in bad state"},
+
+		{"landlock enforce", &container.StartError{
+			Fatal: true,
+			Step:  "enforce landlock ruleset",
+			Err:   syscall.ENOTRECOVERABLE,
+		}, "enforce landlock ruleset: state not recoverable",
+			syscall.ENOTRECOVERABLE, syscall.ETIMEDOUT,
+			"cannot enforce landlock ruleset: state not recoverable"},
+
+		{"start", &container.StartError{
+			Step: "start container init",
+			Err: &os.PathError{
+				Op:   "fork/exec",
+				Path: "/proc/nonexistent",
+				Err:  syscall.ENOENT,
+			}, Passthrough: true,
+		}, "fork/exec /proc/nonexistent: no such file or directory",
+			syscall.ENOENT, syscall.ENOSYS,
+			"cannot fork/exec /proc/nonexistent: no such file or directory"},
+
+		{"start syscall", &container.StartError{
+			Step: "start container init",
+			Err: &os.SyscallError{
+				Syscall: "open",
+				Err:     syscall.ENOSYS,
+			}, Passthrough: true,
+		}, "open: function not implemented",
+			syscall.ENOSYS, syscall.ENOENT,
+			"cannot open: function not implemented"},
+
+		{"start FD_CLOEXEC", &container.StartError{
+			Fatal:       true,
+			Step:        "set FD_CLOEXEC on all open files",
+			Err:         func() error { _, err := strconv.Atoi("invalid"); return err }(),
+			Passthrough: true,
+		}, `strconv.Atoi: parsing "invalid": invalid syntax`,
+			strconv.ErrSyntax, os.ErrInvalid,
+			`cannot parse "invalid": invalid syntax`},
+
+		{"start other", &container.StartError{
+			Step: "start container init",
+			Err: &net.OpError{
+				Op:  "dial",
+				Net: "unix",
+				Err: syscall.ECONNREFUSED,
+			}, Passthrough: true,
+		}, "dial unix: connection refused",
+			syscall.ECONNREFUSED, syscall.ECONNABORTED,
+			"dial unix: connection refused"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("error", func(t *testing.T) {
+				if got := tc.err.Error(); got != tc.s {
+					t.Errorf("Error: %q, want %q", got, tc.s)
+				}
+			})
+
+			t.Run("is", func(t *testing.T) {
+				if !errors.Is(tc.err, tc.is) {
+					t.Error("Is: unexpected false")
+				}
+				if errors.Is(tc.err, tc.isF) {
+					t.Errorf("Is: unexpected true")
+				}
+			})
+
+			t.Run("msg", func(t *testing.T) {
+				if got, ok := message.GetMessage(tc.err); !ok {
+					if tc.msg != "" {
+						t.Errorf("GetMessage: err does not implement MessageError")
+					}
+					return
+				} else if got != tc.msg {
+					t.Errorf("GetMessage: %q, want %q", got, tc.msg)
+				}
+			})
+		})
+	}
+}
+
+const (
+	ignore  = "\x00"
+	ignoreV = -1
+
+	pathPrefix   = "/etc/hakurei/"
+	pathWantMnt  = pathPrefix + "want-mnt"
+	pathReadonly = pathPrefix + "readonly"
+)
+
+type testVal any
+
+func emptyOps(t *testing.T) (*container.Ops, context.Context) { return new(container.Ops), t.Context() }
+func earlyOps(ops *container.Ops) func(t *testing.T) (*container.Ops, context.Context) {
+	return func(t *testing.T) (*container.Ops, context.Context) { return ops, t.Context() }
+}
+
+func emptyMnt(*testing.T, context.Context) []*vfs.MountInfoEntry { return nil }
+func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*vfs.MountInfoEntry {
+	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
+}
+
+var containerTestCases = []struct {
+	name    string
+	filter  bool
+	session bool
+	net     bool
+	ro      bool
+
+	ops func(t *testing.T) (*container.Ops, context.Context)
+	mnt func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry
+
+	uid int
+	gid int
+
+	rules   []std.NativeRule
+	flags   seccomp.ExportFlag
+	presets std.FilterPreset
+}{
+	{"minimal", true, false, false, true,
+		emptyOps, emptyMnt,
+		1000, 100, nil, 0, std.PresetStrict},
+	{"allow", true, true, true, false,
+		emptyOps, emptyMnt,
+		1000, 100, nil, 0, std.PresetExt | std.PresetDenyDevel},
+	{"no filter", false, true, true, true,
+		emptyOps, emptyMnt,
+		1000, 100, nil, 0, std.PresetExt},
+	{"custom rules", true, true, true, false,
+		emptyOps, emptyMnt,
+		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
+
+	{"tmpfs", true, false, false, true,
+		earlyOps(new(container.Ops).
+			Tmpfs(hst.AbsPrivateTmp, 0, 0755),
+		),
+		earlyMnt(
+			ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
+		),
+		9, 9, nil, 0, std.PresetStrict},
+
+	{"dev", true, true /* go test output is not a tty */, false, false,
+		earlyOps(new(container.Ops).
+			Dev(check.MustAbs("/dev"), true),
+		),
+		earlyMnt(
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
+			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
+			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
+		),
+		1971, 100, nil, 0, std.PresetStrict},
+
+	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
+		earlyOps(new(container.Ops).
+			Dev(check.MustAbs("/dev"), false),
+		),
+		earlyMnt(
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
+			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
+		),
+		1971, 100, nil, 0, std.PresetStrict},
+
+	{"overlay", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := check.MustAbs(t.TempDir())
+			lower0, lower1, upper, work :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1"),
+				tempDir.Append("upper"),
+				tempDir.Append("work")
+			for _, a := range []*check.Absolute{lower0, lower1, upper, work} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+
+			return new(container.Ops).
+					Overlay(hst.AbsPrivateTmp, upper, work, lower0, lower1),
+				context.WithValue(context.WithValue(context.WithValue(context.WithValue(t.Context(),
+					testVal("lower1"), lower1),
+					testVal("lower0"), lower0),
+					testVal("work"), work),
+					testVal("upper"), upper)
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
+					"rw,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+						",upperdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						",workdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						",redirect_dir=nofollow,uuid=on,userxattr"),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
+
+	{"overlay ephemeral", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := check.MustAbs(t.TempDir())
+			lower0, lower1 :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1")
+			for _, a := range []*check.Absolute{lower0, lower1} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+
+			return new(container.Ops).
+					OverlayEphemeral(hst.AbsPrivateTmp, lower0, lower1),
+				t.Context()
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				// contains random suffix
+				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
+
+	{"overlay readonly", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := check.MustAbs(t.TempDir())
+			lower0, lower1 :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1")
+			for _, a := range []*check.Absolute{lower0, lower1} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+			return new(container.Ops).
+					OverlayReadonly(hst.AbsPrivateTmp, lower0, lower1),
+				context.WithValue(context.WithValue(t.Context(),
+					testVal("lower1"), lower1),
+					testVal("lower0"), lower0)
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
+					"ro,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+						",redirect_dir=nofollow,userxattr"),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
+}
+
+func TestContainer(t *testing.T) {
+	t.Parallel()
+
+	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
+		wantErr := context.Canceled
+		wantExitCode := 0
+		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
+		}
+		if ps := c.ProcessState(); ps == nil {
+			t.Errorf("ProcessState unexpectedly returned nil")
+		} else if code := ps.ExitCode(); code != wantExitCode {
+			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
+		}
+	}))
+
+	t.Run("forward", testContainerCancel(func(c *container.Container) {
+		c.ForwardCancel = true
+	}, func(t *testing.T, c *container.Container) {
+		var exitError *exec.ExitError
+		if err := c.Wait(); !errors.As(err, &exitError) {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %v", err)
+		}
+		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
+			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
+		}
+	}))
+
+	for i, tc := range containerTestCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			wantOps, wantOpsCtx := tc.ops(t)
+			wantMnt := tc.mnt(t, wantOpsCtx)
+
+			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
+			defer cancel()
+
+			var libPaths []*check.Absolute
+			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
+			c.Uid = tc.uid
+			c.Gid = tc.gid
+			c.Hostname = hostnameFromTestCase(tc.name)
+			output := new(bytes.Buffer)
+			if !testing.Verbose() {
+				c.Stdout, c.Stderr = output, output
+			} else {
+				c.Stdout, c.Stderr = os.Stdout, os.Stderr
+			}
+			c.WaitDelay = helperDefaultTimeout
+			*c.Ops = append(*c.Ops, *wantOps...)
+			c.SeccompRules = tc.rules
+			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
+			c.SeccompPresets = tc.presets
+			c.SeccompDisable = !tc.filter
+			c.RetainSession = tc.session
+			c.HostNet = tc.net
+
+			c.
+				Readonly(check.MustAbs(pathReadonly), 0755).
+				Tmpfs(check.MustAbs("/tmp"), 0, 0755).
+				Place(check.MustAbs("/etc/hostname"), []byte(c.Hostname))
+			// needs /proc to check mountinfo
+			c.Proc(check.MustAbs("/proc"))
+
+			// mountinfo cannot be resolved directly by helper due to libPaths nondeterminism
+			mnt := make([]*vfs.MountInfoEntry, 0, 3+len(libPaths))
+			mnt = append(mnt,
+				ent("/sysroot", "/", "rw,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
+				// Bind(os.Args[0], helperInnerPath, 0)
+				ent(ignore, helperInnerPath, "ro,nosuid,nodev,relatime", ignore, ignore, ignore),
+			)
+			for _, a := range libPaths {
+				// Bind(name, name, 0)
+				mnt = append(mnt, ent(ignore, a.String(), "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
+			}
+			mnt = append(mnt, wantMnt...)
+			mnt = append(mnt,
+				// Readonly(pathReadonly, 0755)
+				ent("/", pathReadonly, "ro,nosuid,nodev", "tmpfs", "readonly", ignore),
+				// Tmpfs("/tmp", 0, 0755)
+				ent("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
+				// Place("/etc/hostname", []byte(hostname))
+				ent(ignore, "/etc/hostname", "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
+				// Proc("/proc")
+				ent("/", "/proc", "rw,nosuid,nodev,noexec,relatime", "proc", "proc", "rw"),
+				// Place(pathWantMnt, want.Bytes())
+				ent(ignore, pathWantMnt, "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
+			)
+			want := new(bytes.Buffer)
+			if err := gob.NewEncoder(want).Encode(mnt); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
+				t.Fatalf("cannot serialise expected mount points: %v", err)
+			}
+			c.Place(check.MustAbs(pathWantMnt), want.Bytes())
+
+			if tc.ro {
+				c.Remount(check.MustAbs("/"), syscall.MS_RDONLY)
+			}
+
+			if err := c.Start(); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
+				if m, ok := container.InternalMessageFromError(err); ok {
+					t.Fatal(m)
+				} else {
+					t.Fatalf("cannot start container: %v", err)
+				}
+			} else if err = c.Serve(); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
+				if m, ok := container.InternalMessageFromError(err); ok {
+					t.Error(m)
+				} else {
+					t.Errorf("cannot serve setup params: %v", err)
+				}
+			}
+			if err := c.Wait(); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
+				if m, ok := container.InternalMessageFromError(err); ok {
+					t.Fatal(m)
+				} else {
+					t.Fatalf("wait: %v", err)
+				}
+			}
+		})
+	}
+}
+
+func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
+	return &vfs.MountInfoEntry{
+		ID:        ignoreV,
+		Parent:    ignoreV,
+		Devno:     vfs.DevT{ignoreV, ignoreV},
+		Root:      root,
+		Target:    target,
+		VfsOptstr: vfsOptstr,
+		OptFields: []string{ignore},
+		FsType:    fsType,
+		Source:    source,
+		FsOptstr:  fsOptstr,
+	}
+}
+
+func hostnameFromTestCase(name string) string {
+	return "test-" + strings.Join(strings.Fields(name), "-")
+}
+
+func testContainerCancel(
+	containerExtra func(c *container.Container),
+	waitCheck func(t *testing.T, c *container.Container),
+) func(t *testing.T) {
+	return func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
+
+		c := helperNewContainer(ctx, "block")
+		c.Stdout, c.Stderr = os.Stdout, os.Stderr
+		c.WaitDelay = helperDefaultTimeout
+		if containerExtra != nil {
+			containerExtra(c)
+		}
+
+		ready := make(chan struct{})
+		if r, w, err := os.Pipe(); err != nil {
+			t.Fatalf("cannot pipe: %v", err)
+		} else {
+			c.ExtraFiles = append(c.ExtraFiles, w)
+			go func() {
+				defer close(ready)
+				if _, err = r.Read(make([]byte, 1)); err != nil {
+					panic(err.Error())
+				}
+			}()
+		}
+
+		if err := c.Start(); err != nil {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Fatal(m)
+			} else {
+				t.Fatalf("cannot start container: %v", err)
+			}
+		} else if err = c.Serve(); err != nil {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			} else {
+				t.Errorf("cannot serve setup params: %v", err)
+			}
+		}
+		<-ready
+		cancel()
+		waitCheck(t, c)
+	}
+}
+
+func TestContainerString(t *testing.T) {
+	t.Parallel()
+	msg := message.New(nil)
+	c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
+	c.SeccompFlags |= seccomp.AllowMultiarch
+	c.SeccompRules = seccomp.Preset(
+		std.PresetExt|std.PresetDenyNS|std.PresetDenyTTY,
+		c.SeccompFlags)
+	c.SeccompPresets = std.PresetStrict
+	want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf`
+	if got := c.String(); got != want {
+		t.Errorf("String: %s, want %s", got, want)
+	}
+}
+
+const (
+	blockExitCodeInterrupt = 2
+)
+
+func init() {
+	helperCommands = append(helperCommands, func(c command.Command) {
+		c.Command("block", command.UsageInternal, func(args []string) error {
+			sig := make(chan os.Signal, 1)
+			signal.Notify(sig, os.Interrupt)
+			go func() { <-sig; os.Exit(blockExitCodeInterrupt) }()
+
+			if _, err := os.NewFile(3, "sync").Write([]byte{0}); err != nil {
+				return fmt.Errorf("write to sync pipe: %v", err)
+			}
+			select {}
+		})
+
+		c.Command("container", command.UsageInternal, func(args []string) error {
+			if len(args) != 1 {
+				return syscall.EINVAL
+			}
+			tc := containerTestCases[0]
+			if i, err := strconv.Atoi(args[0]); err != nil {
+				return fmt.Errorf("cannot parse test case index: %v", err)
+			} else {
+				tc = containerTestCases[i]
+			}
+
+			if uid := syscall.Getuid(); uid != tc.uid {
+				return fmt.Errorf("uid: %d, want %d", uid, tc.uid)
+			}
+			if gid := syscall.Getgid(); gid != tc.gid {
+				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
+			}
+
+			wantHost := hostnameFromTestCase(tc.name)
+			if host, err := os.Hostname(); err != nil {
+				return fmt.Errorf("cannot get hostname: %v", err)
+			} else if host != wantHost {
+				return fmt.Errorf("hostname: %q, want %q", host, wantHost)
+			}
+
+			if p, err := os.ReadFile("/etc/hostname"); err != nil {
+				return fmt.Errorf("cannot read /etc/hostname: %v", err)
+			} else if string(p) != wantHost {
+				return fmt.Errorf("/etc/hostname: %q, want %q", string(p), wantHost)
+			}
+
+			if _, err := os.Create(pathReadonly + "/nonexistent"); !errors.Is(err, syscall.EROFS) {
+				return err
+			}
+
+			{
+				var fail bool
+
+				var mnt []*vfs.MountInfoEntry
+				if f, err := os.Open(pathWantMnt); err != nil {
+					return fmt.Errorf("cannot open expected mount points: %v", err)
+				} else if err = gob.NewDecoder(f).Decode(&mnt); err != nil {
+					return fmt.Errorf("cannot parse expected mount points: %v", err)
+				} else if err = f.Close(); err != nil {
+					return fmt.Errorf("cannot close expected mount points: %v", err)
+				}
+
+				if tc.ro && len(mnt) > 0 {
+					// Remount("/", syscall.MS_RDONLY)
+					mnt[0].VfsOptstr = "ro,nosuid,nodev"
+				}
+
+				var d *vfs.MountInfoDecoder
+				if f, err := os.Open("/proc/self/mountinfo"); err != nil {
+					return fmt.Errorf("cannot open mountinfo: %v", err)
+				} else {
+					d = vfs.NewMountInfoDecoder(f)
+				}
+
+				i := 0
+				for cur := range d.Entries() {
+					if i == len(mnt) {
+						return fmt.Errorf("got more than %d entries", len(mnt))
+					}
+
+					// ugly hack but should be reliable and is less likely to false negative than comparing by parsed flags
+					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",relatime")
+					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",noatime")
+					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",relatime")
+					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",noatime")
+
+					if !cur.EqualWithIgnore(mnt[i], "\x00") {
+						fail = true
+						log.Printf("[FAIL] %s", cur)
+					} else {
+						log.Printf("[ OK ] %s", cur)
+					}
+
+					i++
+				}
+				if err := d.Err(); err != nil {
+					return fmt.Errorf("cannot parse mountinfo: %v", err)
+				}
+
+				if i != len(mnt) {
+					return fmt.Errorf("got %d entries, want %d", i, len(mnt))
+				}
+
+				if fail {
+					return errors.New("one or more mountinfo entries do not match")
+				}
+			}
+
+			return nil
+		})
+	})
+}
+
+const (
+	envDoCheck = "HAKUREI_TEST_DO_CHECK"
+
+	helperDefaultTimeout = 5 * time.Second
+	helperInnerPath      = "/usr/bin/helper"
+)
+
+var (
+	absHelperInnerPath = check.MustAbs(helperInnerPath)
+)
+
+var helperCommands []func(c command.Command)
+
+func TestMain(m *testing.M) {
+	container.TryArgv0(nil)
+
+	if os.Getenv(envDoCheck) == "1" {
+		c := command.New(os.Stderr, log.Printf, "helper", func(args []string) error {
+			log.SetFlags(0)
+			log.SetPrefix("helper: ")
+			return nil
+		})
+		for _, f := range helperCommands {
+			f(c)
+		}
+		c.MustParse(os.Args[1:], func(err error) {
+			if err != nil {
+				log.Fatal(err.Error())
+			}
+		})
+		return
+	}
+
+	os.Exit(m.Run())
+}
+
+func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
+	msg := message.New(nil)
+	msg.SwapVerbose(testing.Verbose())
+	executable := check.MustAbs(container.MustExecutable(msg))
+
+	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
+	c.Env = append(c.Env, envDoCheck+"=1")
+	c.Bind(executable, absHelperInnerPath, 0)
+
+	// in case test has cgo enabled
+	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
+		log.Fatalf("ldd: %v", err)
+	} else {
+		*libPaths = ldd.Path(entries)
+	}
+	for _, name := range *libPaths {
+		c.Bind(name, name, 0)
+	}
+
+	return
+}
+
+func helperNewContainer(ctx context.Context, args ...string) (c *container.Container) {
+	return helperNewContainerLibPaths(ctx, new([]*check.Absolute), args...)
+}
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -0,0 +1,228 @@
+package container
+
+import (
+	"io"
+	"io/fs"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"syscall"
+
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+type osFile interface {
+	Name() string
+	io.Writer
+	fs.File
+}
+
+// syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
+type syscallDispatcher interface {
+	// new starts a goroutine with a new instance of syscallDispatcher.
+	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
+	// just synchronising access is not enough, as this is for test instrumentation.
+	new(f func(k syscallDispatcher))
+
+	// lockOSThread provides [runtime.LockOSThread].
+	lockOSThread()
+
+	// setPtracer provides [SetPtracer].
+	setPtracer(pid uintptr) error
+	// setDumpable provides [SetDumpable].
+	setDumpable(dumpable uintptr) error
+	// setNoNewPrivs provides [SetNoNewPrivs].
+	setNoNewPrivs() error
+
+	// lastcap provides [LastCap].
+	lastcap(msg message.Msg) uintptr
+	// capset provides capset.
+	capset(hdrp *capHeader, datap *[2]capData) error
+	// capBoundingSetDrop provides capBoundingSetDrop.
+	capBoundingSetDrop(cap uintptr) error
+	// capAmbientClearAll provides capAmbientClearAll.
+	capAmbientClearAll() error
+	// capAmbientRaise provides capAmbientRaise.
+	capAmbientRaise(cap uintptr) error
+	// isatty provides [Isatty].
+	isatty(fd int) bool
+	// receive provides [Receive].
+	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
+
+	// bindMount provides procPaths.bindMount.
+	bindMount(msg message.Msg, source, target string, flags uintptr) error
+	// remount provides procPaths.remount.
+	remount(msg message.Msg, target string, flags uintptr) error
+	// mountTmpfs provides mountTmpfs.
+	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
+	// ensureFile provides ensureFile.
+	ensureFile(name string, perm, pperm os.FileMode) error
+
+	// seccompLoad provides [seccomp.Load].
+	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
+	// notify provides [signal.Notify].
+	notify(c chan<- os.Signal, sig ...os.Signal)
+	// start starts [os/exec.Cmd].
+	start(c *exec.Cmd) error
+	// signal signals the underlying process of [os/exec.Cmd].
+	signal(c *exec.Cmd, sig os.Signal) error
+	// evalSymlinks provides [filepath.EvalSymlinks].
+	evalSymlinks(path string) (string, error)
+
+	// exit provides [os.Exit].
+	exit(code int)
+	// getpid provides [os.Getpid].
+	getpid() int
+	// stat provides [os.Stat].
+	stat(name string) (os.FileInfo, error)
+	// mkdir provides [os.Mkdir].
+	mkdir(name string, perm os.FileMode) error
+	// mkdirTemp provides [os.MkdirTemp].
+	mkdirTemp(dir, pattern string) (string, error)
+	// mkdirAll provides [os.MkdirAll].
+	mkdirAll(path string, perm os.FileMode) error
+	// readdir provides [os.ReadDir].
+	readdir(name string) ([]os.DirEntry, error)
+	// openNew provides [os.Open].
+	openNew(name string) (osFile, error)
+	// writeFile provides [os.WriteFile].
+	writeFile(name string, data []byte, perm os.FileMode) error
+	// createTemp provides [os.CreateTemp].
+	createTemp(dir, pattern string) (osFile, error)
+	// remove provides os.Remove.
+	remove(name string) error
+	// newFile provides os.NewFile.
+	newFile(fd uintptr, name string) *os.File
+	// symlink provides os.Symlink.
+	symlink(oldname, newname string) error
+	// readlink provides [os.Readlink].
+	readlink(name string) (string, error)
+
+	// umask provides syscall.Umask.
+	umask(mask int) (oldmask int)
+	// sethostname provides syscall.Sethostname
+	sethostname(p []byte) (err error)
+	// chdir provides syscall.Chdir
+	chdir(path string) (err error)
+	// fchdir provides syscall.Fchdir
+	fchdir(fd int) (err error)
+	// open provides syscall.Open
+	open(path string, mode int, perm uint32) (fd int, err error)
+	// close provides syscall.Close
+	close(fd int) (err error)
+	// pivotRoot provides syscall.PivotRoot
+	pivotRoot(newroot, putold string) (err error)
+	// mount provides syscall.Mount
+	mount(source, target, fstype string, flags uintptr, data string) (err error)
+	// unmount provides syscall.Unmount
+	unmount(target string, flags int) (err error)
+	// wait4 provides syscall.Wait4
+	wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error)
+
+	// printf provides the Printf method of [log.Logger].
+	printf(msg message.Msg, format string, v ...any)
+	// fatal provides the Fatal method of [log.Logger]
+	fatal(msg message.Msg, v ...any)
+	// fatalf provides the Fatalf method of [log.Logger]
+	fatalf(msg message.Msg, format string, v ...any)
+}
+
+// direct implements syscallDispatcher on the current kernel.
+type direct struct{}
+
+func (k direct) new(f func(k syscallDispatcher)) { go f(k) }
+
+func (direct) lockOSThread() { runtime.LockOSThread() }
+
+func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
+func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
+func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+
+func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
+func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
+func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
+func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
+func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
+func (direct) isatty(fd int) bool                              { return Isatty(fd) }
+func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
+	return Receive(key, e, fdp)
+}
+
+func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {
+	return hostProc.bindMount(msg, source, target, flags)
+}
+func (direct) remount(msg message.Msg, target string, flags uintptr) error {
+	return hostProc.remount(msg, target, flags)
+}
+func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
+	return mountTmpfs(k, fsname, target, flags, size, perm)
+}
+func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
+	return ensureFile(name, perm, pperm)
+}
+
+func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
+	return seccomp.Load(rules, flags)
+}
+func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) }
+func (direct) start(c *exec.Cmd) error                     { return c.Start() }
+func (direct) signal(c *exec.Cmd, sig os.Signal) error     { return c.Process.Signal(sig) }
+func (direct) evalSymlinks(path string) (string, error)    { return filepath.EvalSymlinks(path) }
+
+func (direct) exit(code int)                                 { os.Exit(code) }
+func (direct) getpid() int                                   { return os.Getpid() }
+func (direct) stat(name string) (os.FileInfo, error)         { return os.Stat(name) }
+func (direct) mkdir(name string, perm os.FileMode) error     { return os.Mkdir(name, perm) }
+func (direct) mkdirTemp(dir, pattern string) (string, error) { return os.MkdirTemp(dir, pattern) }
+func (direct) mkdirAll(path string, perm os.FileMode) error  { return os.MkdirAll(path, perm) }
+func (direct) readdir(name string) ([]os.DirEntry, error)    { return os.ReadDir(name) }
+func (direct) openNew(name string) (osFile, error)           { return os.Open(name) }
+func (direct) writeFile(name string, data []byte, perm os.FileMode) error {
+	return os.WriteFile(name, data, perm)
+}
+func (direct) createTemp(dir, pattern string) (osFile, error) {
+	return os.CreateTemp(dir, pattern)
+}
+func (direct) remove(name string) error {
+	return os.Remove(name)
+}
+func (direct) newFile(fd uintptr, name string) *os.File {
+	return os.NewFile(fd, name)
+}
+func (direct) symlink(oldname, newname string) error {
+	return os.Symlink(oldname, newname)
+}
+func (direct) readlink(name string) (string, error) {
+	return os.Readlink(name)
+}
+
+func (direct) umask(mask int) (oldmask int)     { return syscall.Umask(mask) }
+func (direct) sethostname(p []byte) (err error) { return syscall.Sethostname(p) }
+func (direct) chdir(path string) (err error)    { return syscall.Chdir(path) }
+func (direct) fchdir(fd int) (err error)        { return syscall.Fchdir(fd) }
+func (direct) open(path string, mode int, perm uint32) (fd int, err error) {
+	return syscall.Open(path, mode, perm)
+}
+func (direct) close(fd int) (err error) {
+	return syscall.Close(fd)
+}
+func (direct) pivotRoot(newroot, putold string) (err error) {
+	return syscall.PivotRoot(newroot, putold)
+}
+func (direct) mount(source, target, fstype string, flags uintptr, data string) (err error) {
+	return mount(source, target, fstype, flags, data)
+}
+func (direct) unmount(target string, flags int) (err error) {
+	return syscall.Unmount(target, flags)
+}
+func (direct) wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error) {
+	return syscall.Wait4(pid, wstatus, options, rusage)
+}
+
+func (direct) printf(msg message.Msg, format string, v ...any) { msg.GetLogger().Printf(format, v...) }
+func (direct) fatal(msg message.Msg, v ...any)                 { msg.GetLogger().Fatal(v...) }
+func (direct) fatalf(msg message.Msg, format string, v ...any) { msg.GetLogger().Fatalf(format, v...) }
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -0,0 +1,806 @@
+package container
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"reflect"
+	"runtime"
+	"slices"
+	"strings"
+	"syscall"
+	"testing"
+	"time"
+
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/container/stub"
+	"hakurei.app/message"
+)
+
+type opValidTestCase struct {
+	name string
+	op   Op
+	want bool
+}
+
+func checkOpsValid(t *testing.T, testCases []opValidTestCase) {
+	t.Helper()
+
+	t.Run("valid", func(t *testing.T) {
+		t.Helper()
+		t.Parallel()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+				t.Parallel()
+
+				if got := tc.op.Valid(); got != tc.want {
+					t.Errorf("Valid: %v, want %v", got, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type opsBuilderTestCase struct {
+	name string
+	ops  *Ops
+	want Ops
+}
+
+func checkOpsBuilder(t *testing.T, testCases []opsBuilderTestCase) {
+	t.Helper()
+
+	t.Run("build", func(t *testing.T) {
+		t.Helper()
+		t.Parallel()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+				t.Parallel()
+
+				if !slices.EqualFunc(*tc.ops, tc.want, func(op Op, v Op) bool { return op.Is(v) }) {
+					t.Errorf("Ops: %#v, want %#v", tc.ops, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type opIsTestCase struct {
+	name  string
+	op, v Op
+	want  bool
+}
+
+func checkOpIs(t *testing.T, testCases []opIsTestCase) {
+	t.Helper()
+
+	t.Run("is", func(t *testing.T) {
+		t.Helper()
+		t.Parallel()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+				t.Parallel()
+
+				if got := tc.op.Is(tc.v); got != tc.want {
+					t.Errorf("Is: %v, want %v", got, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type opMetaTestCase struct {
+	name string
+	op   Op
+
+	wantPrefix string
+	wantString string
+}
+
+func checkOpMeta(t *testing.T, testCases []opMetaTestCase) {
+	t.Helper()
+
+	t.Run("meta", func(t *testing.T) {
+		t.Helper()
+		t.Parallel()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+				t.Parallel()
+
+				t.Run("prefix", func(t *testing.T) {
+					t.Helper()
+
+					if got, _ := tc.op.prefix(); got != tc.wantPrefix {
+						t.Errorf("prefix: %q, want %q", got, tc.wantPrefix)
+					}
+				})
+
+				t.Run("string", func(t *testing.T) {
+					t.Helper()
+
+					if got := tc.op.String(); got != tc.wantString {
+						t.Errorf("String: %s, want %s", got, tc.wantString)
+					}
+				})
+			})
+		}
+	})
+}
+
+// call initialises a [stub.Call].
+// This keeps composites analysis happy without making the test cases too bloated.
+func call(name string, args stub.ExpectArgs, ret any, err error) stub.Call {
+	return stub.Call{Name: name, Args: args, Ret: ret, Err: err}
+}
+
+type simpleTestCase struct {
+	name    string
+	f       func(k *kstub) error
+	want    stub.Expect
+	wantErr error
+}
+
+func checkSimple(t *testing.T, fname string, testCases []simpleTestCase) {
+	t.Helper()
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Helper()
+			t.Parallel()
+
+			wait4signal := make(chan struct{})
+			lockNotify := make(chan struct{})
+			k := &kstub{wait4signal, lockNotify, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, lockNotify, s} }, tc.want)}
+			defer stub.HandleExit(t)
+			if err := tc.f(k); !reflect.DeepEqual(err, tc.wantErr) {
+				t.Errorf("%s: error = %v, want %v", fname, err, tc.wantErr)
+			}
+			k.VisitIncomplete(func(s *stub.Stub[syscallDispatcher]) {
+				t.Helper()
+
+				t.Errorf("%s: %d calls, want %d", fname, s.Pos(), s.Len())
+			})
+		})
+	}
+}
+
+type opBehaviourTestCase struct {
+	name   string
+	params *Params
+	op     Op
+
+	early        []stub.Call
+	wantErrEarly error
+
+	apply        []stub.Call
+	wantErrApply error
+}
+
+func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
+	t.Helper()
+
+	t.Run("behaviour", func(t *testing.T) {
+		t.Helper()
+		t.Parallel()
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Helper()
+				t.Parallel()
+
+				k := &kstub{nil, nil, stub.New(t,
+					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, nil, s} },
+					stub.Expect{Calls: slices.Concat(tc.early, []stub.Call{{Name: stub.CallSeparator}}, tc.apply)},
+				)}
+				state := &setupState{Params: tc.params, Msg: k}
+				defer stub.HandleExit(t)
+				errEarly := tc.op.early(state, k)
+				k.Expects(stub.CallSeparator)
+				if !reflect.DeepEqual(errEarly, tc.wantErrEarly) {
+					t.Errorf("early: error = %v, want %v", errEarly, tc.wantErrEarly)
+				}
+				if errEarly != nil {
+					goto out
+				}
+
+				if err := tc.op.apply(state, k); !reflect.DeepEqual(err, tc.wantErrApply) {
+					t.Errorf("apply: error = %v, want %v", err, tc.wantErrApply)
+				}
+
+			out:
+				k.VisitIncomplete(func(s *stub.Stub[syscallDispatcher]) {
+					count := k.Pos() - 1 // separator
+					if count < len(tc.early) {
+						t.Errorf("early: %d calls, want %d", count, len(tc.early))
+					} else {
+						t.Errorf("apply: %d calls, want %d", count-len(tc.early), len(tc.apply))
+					}
+				})
+			})
+		}
+	})
+}
+
+func sliceAddr[S any](s []S) *[]S { return &s }
+
+func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
+	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
+	// check happens in Close, and cleanup is not guaranteed to run, so relying on it for sloppy implementations will cause sporadic test results
+	f.cleanup = runtime.AddCleanup(f, func(name string) { f.t.Fatalf("checkedOsFile %s became unreachable without a call to Close", name) }, f.name)
+	return f
+}
+
+type checkedOsFile struct {
+	t        *testing.T
+	name     string
+	want     string
+	closeErr error
+	cleanup  runtime.Cleanup
+	bytes.Buffer
+}
+
+func (f *checkedOsFile) Name() string               { return f.name }
+func (f *checkedOsFile) Stat() (fs.FileInfo, error) { panic("unreachable") }
+func (f *checkedOsFile) Close() error {
+	defer f.cleanup.Stop()
+	if f.String() != f.want {
+		f.t.Errorf("checkedOsFile:\n%s\nwant\n%s", f.String(), f.want)
+		return syscall.ENOTRECOVERABLE
+	}
+	return f.closeErr
+}
+
+func newConstFile(s string) osFile { return &readerOsFile{Reader: strings.NewReader(s)} }
+
+type readerOsFile struct {
+	closed bool
+	io.Reader
+}
+
+func (*readerOsFile) Name() string               { panic("unreachable") }
+func (*readerOsFile) Write([]byte) (int, error)  { panic("unreachable") }
+func (*readerOsFile) Stat() (fs.FileInfo, error) { panic("unreachable") }
+func (r *readerOsFile) Close() error {
+	if r.closed {
+		return os.ErrClosed
+	}
+	r.closed = true
+	return nil
+}
+
+type writeErrOsFile struct{ err error }
+
+func (writeErrOsFile) Name() string                { panic("unreachable") }
+func (f writeErrOsFile) Write([]byte) (int, error) { return 0, f.err }
+func (writeErrOsFile) Stat() (fs.FileInfo, error)  { panic("unreachable") }
+func (writeErrOsFile) Read([]byte) (int, error)    { panic("unreachable") }
+func (writeErrOsFile) Close() error                { panic("unreachable") }
+
+type isDirFi bool
+
+func (isDirFi) Name() string       { panic("unreachable") }
+func (isDirFi) Size() int64        { panic("unreachable") }
+func (isDirFi) Mode() fs.FileMode  { panic("unreachable") }
+func (isDirFi) ModTime() time.Time { panic("unreachable") }
+func (fi isDirFi) IsDir() bool     { return bool(fi) }
+func (isDirFi) Sys() any           { panic("unreachable") }
+
+func stubDir(names ...string) []os.DirEntry {
+	d := make([]os.DirEntry, len(names))
+	for i, name := range names {
+		d[i] = nameDentry(name)
+	}
+	return d
+}
+
+type nameDentry string
+
+func (e nameDentry) Name() string             { return string(e) }
+func (nameDentry) IsDir() bool                { panic("unreachable") }
+func (nameDentry) Type() fs.FileMode          { panic("unreachable") }
+func (nameDentry) Info() (fs.FileInfo, error) { panic("unreachable") }
+
+const (
+	// magicWait4Signal must be used in a single pair of signal and wait4 calls across two goroutines
+	// originating from the same toplevel kstub.
+	// To enable this behaviour this value must be the last element of the args field in the wait4 call
+	// and the ret value of the signal call.
+	magicWait4Signal = 0xdef
+)
+
+type kstub struct {
+	wait4signal chan struct{}
+	lockNotify  chan struct{}
+	*stub.Stub[syscallDispatcher]
+}
+
+func (k *kstub) new(f func(k syscallDispatcher)) { k.Helper(); k.New(f) }
+
+func (k *kstub) lockOSThread() {
+	k.Helper()
+	expect := k.Expects("lockOSThread")
+	if k.lockNotify != nil && expect.Ret == magicWait4Signal {
+		<-k.lockNotify
+	}
+}
+
+func (k *kstub) setPtracer(pid uintptr) error {
+	k.Helper()
+	return k.Expects("setPtracer").Error(
+		stub.CheckArg(k.Stub, "pid", pid, 0))
+}
+
+func (k *kstub) setDumpable(dumpable uintptr) error {
+	k.Helper()
+	return k.Expects("setDumpable").Error(
+		stub.CheckArg(k.Stub, "dumpable", dumpable, 0))
+}
+
+func (k *kstub) setNoNewPrivs() error { k.Helper(); return k.Expects("setNoNewPrivs").Err }
+func (k *kstub) lastcap(msg message.Msg) uintptr {
+	k.Helper()
+	k.checkMsg(msg)
+	return k.Expects("lastcap").Ret.(uintptr)
+}
+
+func (k *kstub) capset(hdrp *capHeader, datap *[2]capData) error {
+	k.Helper()
+	return k.Expects("capset").Error(
+		stub.CheckArgReflect(k.Stub, "hdrp", hdrp, 0),
+		stub.CheckArgReflect(k.Stub, "datap", datap, 1))
+}
+
+func (k *kstub) capBoundingSetDrop(cap uintptr) error {
+	k.Helper()
+	return k.Expects("capBoundingSetDrop").Error(
+		stub.CheckArg(k.Stub, "cap", cap, 0))
+}
+
+func (k *kstub) capAmbientClearAll() error { k.Helper(); return k.Expects("capAmbientClearAll").Err }
+
+func (k *kstub) capAmbientRaise(cap uintptr) error {
+	k.Helper()
+	return k.Expects("capAmbientRaise").Error(
+		stub.CheckArg(k.Stub, "cap", cap, 0))
+}
+
+func (k *kstub) isatty(fd int) bool {
+	k.Helper()
+	expect := k.Expects("isatty")
+	if !stub.CheckArg(k.Stub, "fd", fd, 0) {
+		k.FailNow()
+	}
+	return expect.Ret.(bool)
+}
+
+func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
+	k.Helper()
+	expect := k.Expects("receive")
+
+	var closed bool
+	closeFunc = func() error {
+		if closed {
+			k.Error("closeFunc called more than once")
+			return os.ErrClosed
+		}
+		closed = true
+
+		if expect.Ret != nil {
+			// use return stored in kexpect for closeFunc instead
+			return expect.Ret.(error)
+		}
+		return nil
+	}
+	err = expect.Error(
+		stub.CheckArg(k.Stub, "key", key, 0),
+		stub.CheckArgReflect(k.Stub, "e", e, 1),
+		stub.CheckArgReflect(k.Stub, "fdp", fdp, 2))
+
+	// 3 is unused so stores params
+	if expect.Args[3] != nil {
+		if v, ok := expect.Args[3].(*initParams); ok && v != nil {
+			if p, ok0 := e.(*initParams); ok0 && p != nil {
+				*p = *v
+			}
+		}
+	}
+
+	// 4 is unused so stores fd
+	if expect.Args[4] != nil {
+		if v, ok := expect.Args[4].(uintptr); ok && v >= 3 {
+			if fdp != nil {
+				*fdp = v
+			}
+		}
+	}
+
+	return
+}
+
+func (k *kstub) bindMount(msg message.Msg, source, target string, flags uintptr) error {
+	k.Helper()
+	k.checkMsg(msg)
+	return k.Expects("bindMount").Error(
+		stub.CheckArg(k.Stub, "source", source, 0),
+		stub.CheckArg(k.Stub, "target", target, 1),
+		stub.CheckArg(k.Stub, "flags", flags, 2))
+}
+
+func (k *kstub) remount(msg message.Msg, target string, flags uintptr) error {
+	k.Helper()
+	k.checkMsg(msg)
+	return k.Expects("remount").Error(
+		stub.CheckArg(k.Stub, "target", target, 0),
+		stub.CheckArg(k.Stub, "flags", flags, 1))
+}
+
+func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
+	k.Helper()
+	return k.Expects("mountTmpfs").Error(
+		stub.CheckArg(k.Stub, "fsname", fsname, 0),
+		stub.CheckArg(k.Stub, "target", target, 1),
+		stub.CheckArg(k.Stub, "flags", flags, 2),
+		stub.CheckArg(k.Stub, "size", size, 3),
+		stub.CheckArg(k.Stub, "perm", perm, 4))
+}
+
+func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
+	k.Helper()
+	return k.Expects("ensureFile").Error(
+		stub.CheckArg(k.Stub, "name", name, 0),
+		stub.CheckArg(k.Stub, "perm", perm, 1),
+		stub.CheckArg(k.Stub, "pperm", pperm, 2))
+}
+
+func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
+	k.Helper()
+	return k.Expects("seccompLoad").Error(
+		stub.CheckArgReflect(k.Stub, "rules", rules, 0),
+		stub.CheckArg(k.Stub, "flags", flags, 1))
+}
+
+func (k *kstub) notify(c chan<- os.Signal, sig ...os.Signal) {
+	k.Helper()
+	expect := k.Expects("notify")
+	if c == nil || expect.Error(
+		stub.CheckArgReflect(k.Stub, "sig", sig, 1)) != nil {
+		k.FailNow()
+	}
+
+	if k.lockNotify != nil && expect.Ret == magicWait4Signal {
+		defer close(k.lockNotify)
+	}
+
+	// export channel for external instrumentation
+	if chanf, ok := expect.Args[0].(func(c chan<- os.Signal)); ok && chanf != nil {
+		chanf(c)
+	}
+}
+
+func (k *kstub) start(c *exec.Cmd) error {
+	k.Helper()
+	expect := k.Expects("start")
+	err := expect.Error(
+		stub.CheckArg(k.Stub, "c.Path", c.Path, 0),
+		stub.CheckArgReflect(k.Stub, "c.Args", c.Args, 1),
+		stub.CheckArgReflect(k.Stub, "c.Env", c.Env, 2),
+		stub.CheckArg(k.Stub, "c.Dir", c.Dir, 3))
+
+	if process, ok := expect.Ret.(*os.Process); ok && process != nil {
+		c.Process = process
+	}
+	return err
+}
+
+func (k *kstub) signal(c *exec.Cmd, sig os.Signal) error {
+	k.Helper()
+	expect := k.Expects("signal")
+	if v, ok := expect.Ret.(int); ok && v == magicWait4Signal {
+		if k.wait4signal == nil {
+			panic("kstub not initialised for wait4 simulation")
+		}
+		defer func() { close(k.wait4signal) }()
+	}
+	return expect.Error(
+		stub.CheckArg(k.Stub, "c.Path", c.Path, 0),
+		stub.CheckArgReflect(k.Stub, "c.Args", c.Args, 1),
+		stub.CheckArgReflect(k.Stub, "c.Env", c.Env, 2),
+		stub.CheckArg(k.Stub, "c.Dir", c.Dir, 3),
+		stub.CheckArg(k.Stub, "sig", sig, 4))
+}
+
+func (k *kstub) evalSymlinks(path string) (string, error) {
+	k.Helper()
+	expect := k.Expects("evalSymlinks")
+	return expect.Ret.(string), expect.Error(
+		stub.CheckArg(k.Stub, "path", path, 0))
+}
+
+func (k *kstub) exit(code int) {
+	k.Helper()
+	k.Expects("exit")
+	if !stub.CheckArg(k.Stub, "code", code, 0) {
+		k.FailNow()
+	}
+	panic(stub.PanicExit)
+}
+
+func (k *kstub) getpid() int { k.Helper(); return k.Expects("getpid").Ret.(int) }
+
+func (k *kstub) stat(name string) (os.FileInfo, error) {
+	k.Helper()
+	expect := k.Expects("stat")
+	return expect.Ret.(os.FileInfo), expect.Error(
+		stub.CheckArg(k.Stub, "name", name, 0))
+}
+
+func (k *kstub) mkdir(name string, perm os.FileMode) error {
+	k.Helper()
+	return k.Expects("mkdir").Error(
+		stub.CheckArg(k.Stub, "name", name, 0),
+		stub.CheckArg(k.Stub, "perm", perm, 1))
+}
+
+func (k *kstub) mkdirTemp(dir, pattern string) (string, error) {
+	k.Helper()
+	expect := k.Expects("mkdirTemp")
+	return expect.Ret.(string), expect.Error(
+		stub.CheckArg(k.Stub, "dir", dir, 0),
+		stub.CheckArg(k.Stub, "pattern", pattern, 1))
+}
+
+func (k *kstub) mkdirAll(path string, perm os.FileMode) error {
+	k.Helper()
+	return k.Expects("mkdirAll").Error(
+		stub.CheckArg(k.Stub, "path", path, 0),
+		stub.CheckArg(k.Stub, "perm", perm, 1))
+}
+
+func (k *kstub) readdir(name string) ([]os.DirEntry, error) {
+	k.Helper()
+	expect := k.Expects("readdir")
+	return expect.Ret.([]os.DirEntry), expect.Error(
+		stub.CheckArg(k.Stub, "name", name, 0))
+}
+
+func (k *kstub) openNew(name string) (osFile, error) {
+	k.Helper()
+	expect := k.Expects("openNew")
+	return expect.Ret.(osFile), expect.Error(
+		stub.CheckArg(k.Stub, "name", name, 0))
+}
+
+func (k *kstub) writeFile(name string, data []byte, perm os.FileMode) error {
+	k.Helper()
+	return k.Expects("writeFile").Error(
+		stub.CheckArg(k.Stub, "name", name, 0),
+		stub.CheckArgReflect(k.Stub, "data", data, 1),
+		stub.CheckArg(k.Stub, "perm", perm, 2))
+}
+
+func (k *kstub) createTemp(dir, pattern string) (osFile, error) {
+	k.Helper()
+	expect := k.Expects("createTemp")
+	return expect.Ret.(osFile), expect.Error(
+		stub.CheckArg(k.Stub, "dir", dir, 0),
+		stub.CheckArg(k.Stub, "pattern", pattern, 1))
+}
+
+func (k *kstub) remove(name string) error {
+	k.Helper()
+	return k.Expects("remove").Error(
+		stub.CheckArg(k.Stub, "name", name, 0))
+}
+
+func (k *kstub) newFile(fd uintptr, name string) *os.File {
+	k.Helper()
+	expect := k.Expects("newFile")
+	if expect.Error(
+		stub.CheckArg(k.Stub, "fd", fd, 0),
+		stub.CheckArg(k.Stub, "name", name, 1)) != nil {
+		k.FailNow()
+	}
+	return expect.Ret.(*os.File)
+}
+
+func (k *kstub) symlink(oldname, newname string) error {
+	k.Helper()
+	return k.Expects("symlink").Error(
+		stub.CheckArg(k.Stub, "oldname", oldname, 0),
+		stub.CheckArg(k.Stub, "newname", newname, 1))
+}
+
+func (k *kstub) readlink(name string) (string, error) {
+	k.Helper()
+	expect := k.Expects("readlink")
+	return expect.Ret.(string), expect.Error(
+		stub.CheckArg(k.Stub, "name", name, 0))
+}
+
+func (k *kstub) umask(mask int) (oldmask int) {
+	k.Helper()
+	expect := k.Expects("umask")
+	if !stub.CheckArg(k.Stub, "mask", mask, 0) {
+		k.FailNow()
+	}
+	return expect.Ret.(int)
+}
+
+func (k *kstub) sethostname(p []byte) (err error) {
+	k.Helper()
+	return k.Expects("sethostname").Error(
+		stub.CheckArgReflect(k.Stub, "p", p, 0))
+}
+
+func (k *kstub) chdir(path string) (err error) {
+	k.Helper()
+	return k.Expects("chdir").Error(
+		stub.CheckArg(k.Stub, "path", path, 0))
+}
+
+func (k *kstub) fchdir(fd int) (err error) {
+	k.Helper()
+	return k.Expects("fchdir").Error(
+		stub.CheckArg(k.Stub, "fd", fd, 0))
+}
+
+func (k *kstub) open(path string, mode int, perm uint32) (fd int, err error) {
+	k.Helper()
+	expect := k.Expects("open")
+	return expect.Ret.(int), expect.Error(
+		stub.CheckArg(k.Stub, "path", path, 0),
+		stub.CheckArg(k.Stub, "mode", mode, 1),
+		stub.CheckArg(k.Stub, "perm", perm, 2))
+}
+
+func (k *kstub) close(fd int) (err error) {
+	k.Helper()
+	return k.Expects("close").Error(
+		stub.CheckArg(k.Stub, "fd", fd, 0))
+}
+
+func (k *kstub) pivotRoot(newroot, putold string) (err error) {
+	k.Helper()
+	return k.Expects("pivotRoot").Error(
+		stub.CheckArg(k.Stub, "newroot", newroot, 0),
+		stub.CheckArg(k.Stub, "putold", putold, 1))
+}
+
+func (k *kstub) mount(source, target, fstype string, flags uintptr, data string) (err error) {
+	k.Helper()
+	return k.Expects("mount").Error(
+		stub.CheckArg(k.Stub, "source", source, 0),
+		stub.CheckArg(k.Stub, "target", target, 1),
+		stub.CheckArg(k.Stub, "fstype", fstype, 2),
+		stub.CheckArg(k.Stub, "flags", flags, 3),
+		stub.CheckArg(k.Stub, "data", data, 4))
+}
+
+func (k *kstub) unmount(target string, flags int) (err error) {
+	k.Helper()
+	return k.Expects("unmount").Error(
+		stub.CheckArg(k.Stub, "target", target, 0),
+		stub.CheckArg(k.Stub, "flags", flags, 1))
+}
+
+func (k *kstub) wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error) {
+	k.Helper()
+	expect := k.Expects("wait4")
+	if v, ok := expect.Args[4].(int); ok {
+		switch v {
+		case stub.PanicExit: // special case to prevent leaking the wait4 goroutine while testing initEntrypoint
+			panic(stub.PanicExit)
+
+		case magicWait4Signal: // block until corresponding signal call
+			if k.wait4signal == nil {
+				panic("kstub not initialised for wait4 simulation")
+			}
+			<-k.wait4signal
+		}
+	}
+
+	wpid = expect.Ret.(int)
+	err = expect.Error(
+		stub.CheckArg(k.Stub, "pid", pid, 0),
+		stub.CheckArg(k.Stub, "options", options, 2))
+
+	if wstatusV, ok := expect.Args[1].(syscall.WaitStatus); wstatus != nil && ok {
+		*wstatus = wstatusV
+	}
+	if rusageV, ok := expect.Args[3].(syscall.Rusage); rusage != nil && ok {
+		*rusage = rusageV
+	}
+
+	return
+}
+
+func (k *kstub) printf(_ message.Msg, format string, v ...any) {
+	k.Helper()
+	if k.Expects("printf").Error(
+		stub.CheckArg(k.Stub, "format", format, 0),
+		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
+		k.FailNow()
+	}
+}
+
+func (k *kstub) fatal(_ message.Msg, v ...any) {
+	k.Helper()
+	if k.Expects("fatal").Error(
+		stub.CheckArgReflect(k.Stub, "v", v, 0)) != nil {
+		k.FailNow()
+	}
+	panic(stub.PanicExit)
+}
+
+func (k *kstub) fatalf(_ message.Msg, format string, v ...any) {
+	k.Helper()
+	if k.Expects("fatalf").Error(
+		stub.CheckArg(k.Stub, "format", format, 0),
+		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
+		k.FailNow()
+	}
+	panic(stub.PanicExit)
+}
+
+func (k *kstub) checkMsg(msg message.Msg) {
+	k.Helper()
+	var target *kstub
+
+	if state, ok := msg.(*setupState); ok {
+		target = state.Msg.(*kstub)
+	} else {
+		target = msg.(*kstub)
+	}
+
+	if k != target {
+		panic(fmt.Sprintf("unexpected Msg: %#v", msg))
+	}
+}
+
+func (k *kstub) GetLogger() *log.Logger { panic("unreachable") }
+
+func (k *kstub) IsVerbose() bool { k.Helper(); return k.Expects("isVerbose").Ret.(bool) }
+
+func (k *kstub) SwapVerbose(verbose bool) bool {
+	k.Helper()
+	expect := k.Expects("swapVerbose")
+	if expect.Error(
+		stub.CheckArg(k.Stub, "verbose", verbose, 0)) != nil {
+		k.FailNow()
+	}
+	return expect.Ret.(bool)
+}
+
+func (k *kstub) Verbose(v ...any) {
+	k.Helper()
+	if k.Expects("verbose").Error(
+		stub.CheckArgReflect(k.Stub, "v", v, 0)) != nil {
+		k.FailNow()
+	}
+}
+
+func (k *kstub) Verbosef(format string, v ...any) {
+	k.Helper()
+	if k.Expects("verbosef").Error(
+		stub.CheckArg(k.Stub, "format", format, 0),
+		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
+		k.FailNow()
+	}
+}
+
+func (k *kstub) Suspend() bool { k.Helper(); return k.Expects("suspend").Ret.(bool) }
+func (k *kstub) Resume() bool  { k.Helper(); return k.Expects("resume").Ret.(bool) }
+func (k *kstub) BeforeExit()   { k.Helper(); k.Expects("beforeExit") }
--- a/container/errors.go
+++ b/container/errors.go
@@ -0,0 +1,129 @@
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/vfs"
+	"hakurei.app/message"
+)
+
+// messageFromError returns a printable error message for a supported concrete type.
+func messageFromError(err error) (m string, ok bool) {
+	if m, ok = messagePrefixP[MountError]("cannot ", err); ok {
+		return
+	}
+	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
+		return
+	}
+	if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
+		return
+	}
+	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
+		return
+	}
+	if m, ok = messagePrefix[OpStateError](zeroString, err); ok {
+		return
+	}
+
+	if m, ok = messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
+		return
+	}
+	if m, ok = messagePrefix[TmpfsSizeError](zeroString, err); ok {
+		return
+	}
+
+	if m, ok = message.GetMessage(err); ok {
+		return
+	}
+
+	return zeroString, false
+}
+
+// messagePrefix checks and prefixes the error message of a non-pointer error.
+// While this is usable for pointer errors, such use should be avoided as nil check is omitted.
+func messagePrefix[T error](prefix string, err error) (string, bool) {
+	var targetError T
+	if errors.As(err, &targetError) {
+		return prefix + targetError.Error(), true
+	}
+	return zeroString, false
+}
+
+// messagePrefixP checks and prefixes the error message of a pointer error.
+func messagePrefixP[V any, T interface {
+	*V
+	error
+}](prefix string, err error) (string, bool) {
+	var targetError T
+	if errors.As(err, &targetError) && targetError != nil {
+		return prefix + targetError.Error(), true
+	}
+	return zeroString, false
+}
+
+// MountError wraps errors returned by syscall.Mount.
+type MountError struct {
+	Source, Target, Fstype string
+
+	Flags uintptr
+	Data  string
+	syscall.Errno
+}
+
+func (e *MountError) Unwrap() error {
+	if e.Errno == 0 {
+		return nil
+	}
+	return e.Errno
+}
+
+func (e *MountError) Message() string { return "cannot " + e.Error() }
+func (e *MountError) Error() string {
+	if e.Flags&syscall.MS_BIND != 0 {
+		if e.Flags&syscall.MS_REMOUNT != 0 {
+			return "remount " + e.Target + ": " + e.Errno.Error()
+		}
+		return "bind " + e.Source + " on " + e.Target + ": " + e.Errno.Error()
+	}
+
+	if e.Fstype != FstypeNULL {
+		return "mount " + e.Fstype + " on " + e.Target + ": " + e.Errno.Error()
+	}
+
+	// fallback case: if this is reached, the conditions for it to occur should be handled above
+	return "mount " + e.Target + ": " + e.Errno.Error()
+}
+
+// optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
+// if it is not nil, or the original value if it is.
+func optionalErrorUnwrap(err error) error {
+	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
+		return underlyingErr
+	}
+	return err
+}
+
+// errnoFallback returns the concrete errno from an error, or a [os.PathError] fallback.
+func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
+	var errno syscall.Errno
+	if !errors.As(err, &errno) {
+		return 0, &os.PathError{Op: op, Path: path, Err: err}
+	}
+	return errno, nil
+}
+
+// mount wraps syscall.Mount for error handling.
+func mount(source, target, fstype string, flags uintptr, data string) error {
+	err := syscall.Mount(source, target, fstype, flags, data)
+	if err == nil {
+		return nil
+	}
+	if errno, pathError := errnoFallback("mount", target, err); pathError != nil {
+		return pathError
+	} else {
+		return &MountError{source, target, fstype, flags, data, errno}
+	}
+}
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -0,0 +1,179 @@
+package container
+
+import (
+	"errors"
+	"os"
+	"reflect"
+	"strconv"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+	"hakurei.app/container/vfs"
+)
+
+func TestMessageFromError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name   string
+		err    error
+		want   string
+		wantOk bool
+	}{
+		{"mount", &MountError{
+			Source: SourceTmpfsEphemeral,
+			Target: "/sysroot/tmp",
+			Fstype: FstypeTmpfs,
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Data:   zeroString,
+			Errno:  syscall.EINVAL,
+		}, "cannot mount tmpfs on /sysroot/tmp: invalid argument", true},
+
+		{"path", &os.PathError{
+			Op:   "mount",
+			Path: "/sysroot",
+			Err:  stub.UniqueError(0xdeadbeef),
+		}, "cannot mount /sysroot: unique error 3735928559 injected by the test suite", true},
+
+		{"absolute", &check.AbsoluteError{Pathname: "etc/mtab"},
+			`path "etc/mtab" is not absolute`, true},
+
+		{"repeat", OpRepeatError("autoetc"),
+			"autoetc is not repeatable", true},
+
+		{"state", OpStateError("overlay"),
+			"impossible overlay state reached", true},
+
+		{"vfs parse", &vfs.DecoderError{Op: "parse", Line: 0xdead, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
+			`cannot parse mountinfo at line 57005: numeric field "meow" invalid syntax`, true},
+
+		{"tmpfs", TmpfsSizeError(-1),
+			"tmpfs size -1 out of bounds", true},
+
+		{"unsupported", stub.UniqueError(0xdeadbeef), zeroString, false},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got, ok := messageFromError(tc.err)
+			if got != tc.want {
+				t.Errorf("messageFromError: %q, want %q", got, tc.want)
+			}
+			if ok != tc.wantOk {
+				t.Errorf("messageFromError: ok = %v, want %v", ok, tc.wantOk)
+			}
+		})
+	}
+}
+
+func TestMountError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		err   error
+		errno syscall.Errno
+		want  string
+	}{
+		{"bind", &MountError{
+			Source: "/host/nix/store",
+			Target: "/sysroot/nix/store",
+			Fstype: FstypeNULL,
+			Flags:  syscall.MS_SILENT | syscall.MS_BIND | syscall.MS_REC,
+			Data:   zeroString,
+			Errno:  syscall.ENOSYS,
+		}, syscall.ENOSYS,
+			"bind /host/nix/store on /sysroot/nix/store: function not implemented"},
+
+		{"remount", &MountError{
+			Source: SourceNone,
+			Target: "/sysroot/nix/store",
+			Fstype: FstypeNULL,
+			Flags:  syscall.MS_SILENT | syscall.MS_BIND | syscall.MS_REMOUNT,
+			Data:   zeroString,
+			Errno:  syscall.EPERM,
+		}, syscall.EPERM,
+			"remount /sysroot/nix/store: operation not permitted"},
+
+		{"overlay", &MountError{
+			Source: SourceOverlay,
+			Target: sysrootPath,
+			Fstype: FstypeOverlay,
+			Data:   `lowerdir=/host/var/lib/planterette/base/debian\:f92c9052`,
+			Errno:  syscall.EINVAL,
+		}, syscall.EINVAL,
+			"mount overlay on /sysroot: invalid argument"},
+
+		{"fallback", &MountError{
+			Source: SourceNone,
+			Target: sysrootPath,
+			Fstype: FstypeNULL,
+			Errno:  syscall.ENOTRECOVERABLE,
+		}, syscall.ENOTRECOVERABLE,
+			"mount /sysroot: state not recoverable"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			t.Run("is", func(t *testing.T) {
+				if !errors.Is(tc.err, tc.errno) {
+					t.Errorf("Is: %#v is not %v", tc.err, tc.errno)
+				}
+			})
+			t.Run("error", func(t *testing.T) {
+				if got := tc.err.Error(); got != tc.want {
+					t.Errorf("Error: %q, want %q", got, tc.want)
+				}
+			})
+		})
+	}
+
+	t.Run("zero", func(t *testing.T) {
+		t.Parallel()
+		if errors.Is(new(MountError), syscall.Errno(0)) {
+			t.Errorf("Is: zero MountError unexpected true")
+		}
+	})
+}
+
+func TestErrnoFallback(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name      string
+		err       error
+		wantErrno syscall.Errno
+		wantPath  *os.PathError
+	}{
+		{"mount", &MountError{
+			Errno: syscall.ENOTRECOVERABLE,
+		}, syscall.ENOTRECOVERABLE, nil},
+
+		{"path errno", &os.PathError{
+			Err: syscall.ETIMEDOUT,
+		}, syscall.ETIMEDOUT, nil},
+
+		{"fallback", stub.UniqueError(0xcafebabe), 0, &os.PathError{
+			Op:   "fallback",
+			Path: "/proc/nonexistent",
+			Err:  stub.UniqueError(0xcafebabe),
+		}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			errno, err := errnoFallback(tc.name, Nonexistent, tc.err)
+			if errno != tc.wantErrno {
+				t.Errorf("errnoFallback: errno = %v, want %v", errno, tc.wantErrno)
+			}
+			if !reflect.DeepEqual(err, tc.wantPath) {
+				t.Errorf("errnoFallback: pathError = %#v, want %#v", err, tc.wantPath)
+			}
+		})
+	}
+}
+
+// InternalMessageFromError exports messageFromError for other tests.
+func InternalMessageFromError(err error) (string, bool) { return messageFromError(err) }
--- a/container/executable.go
+++ b/container/executable.go
@@ -0,0 +1,34 @@
+package container
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"sync"
+
+	"hakurei.app/message"
+)
+
+var (
+	executable     string
+	executableOnce sync.Once
+)
+
+func copyExecutable(msg message.Msg) {
+	if name, err := os.Executable(); err != nil {
+		m := fmt.Sprintf("cannot read executable path: %v", err)
+		if msg != nil {
+			msg.BeforeExit()
+			msg.GetLogger().Fatal(m)
+		} else {
+			log.Fatal(m)
+		}
+	} else {
+		executable = name
+	}
+}
+
+func MustExecutable(msg message.Msg) string {
+	executableOnce.Do(func() { copyExecutable(msg) })
+	return executable
+}
--- a/container/executable_test.go
+++ b/container/executable_test.go
@@ -0,0 +1,18 @@
+package container_test
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/message"
+)
+
+func TestExecutable(t *testing.T) {
+	t.Parallel()
+	for i := 0; i < 16; i++ {
+		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
+			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
+		}
+	}
+}
--- a/container/fhs/abs.go
+++ b/container/fhs/abs.go
@@ -0,0 +1,45 @@
+package fhs
+
+import (
+	_ "unsafe" // for go:linkname
+
+	"hakurei.app/container/check"
+)
+
+/* constants in this file bypass abs check, be extremely careful when changing them! */
+
+// unsafeAbs returns check.Absolute on any string value.
+//
+//go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
+func unsafeAbs(pathname string) *check.Absolute
+
+var (
+	// AbsRoot is [Root] as [check.Absolute].
+	AbsRoot = unsafeAbs(Root)
+	// AbsEtc is [Etc] as [check.Absolute].
+	AbsEtc = unsafeAbs(Etc)
+	// AbsTmp is [Tmp] as [check.Absolute].
+	AbsTmp = unsafeAbs(Tmp)
+
+	// AbsRun is [Run] as [check.Absolute].
+	AbsRun = unsafeAbs(Run)
+	// AbsRunUser is [RunUser] as [check.Absolute].
+	AbsRunUser = unsafeAbs(RunUser)
+
+	// AbsUsrBin is [UsrBin] as [check.Absolute].
+	AbsUsrBin = unsafeAbs(UsrBin)
+
+	// AbsVar is [Var] as [check.Absolute].
+	AbsVar = unsafeAbs(Var)
+	// AbsVarLib is [VarLib] as [check.Absolute].
+	AbsVarLib = unsafeAbs(VarLib)
+
+	// AbsDev is [Dev] as [check.Absolute].
+	AbsDev = unsafeAbs(Dev)
+	// AbsDevShm is [DevShm] as [check.Absolute].
+	AbsDevShm = unsafeAbs(DevShm)
+	// AbsProc is [Proc] as [check.Absolute].
+	AbsProc = unsafeAbs(Proc)
+	// AbsSys is [Sys] as [check.Absolute].
+	AbsSys = unsafeAbs(Sys)
+)
--- a/container/fhs/fhs.go
+++ b/container/fhs/fhs.go
@@ -0,0 +1,40 @@
+// Package fhs provides constant and checked pathname values for common FHS paths.
+package fhs
+
+const (
+	// Root points to the file system root.
+	Root = "/"
+	// Etc points to the directory for system-specific configuration.
+	Etc = "/etc/"
+	// Tmp points to the place for small temporary files.
+	Tmp = "/tmp/"
+
+	// Run points to a "tmpfs" file system for system packages to place runtime data, socket files, and similar.
+	Run = "/run/"
+	// RunUser points to a directory containing per-user runtime directories,
+	// each usually individually mounted "tmpfs" instances.
+	RunUser = Run + "user/"
+
+	// Usr points to vendor-supplied operating system resources.
+	Usr = "/usr/"
+	// UsrBin points to binaries and executables for user commands that shall appear in the $PATH search path.
+	UsrBin = Usr + "bin/"
+
+	// Var points to persistent, variable system data. Writable during normal system operation.
+	Var = "/var/"
+	// VarLib points to persistent system data.
+	VarLib = Var + "lib/"
+	// VarEmpty points to a nonstandard directory that is usually empty.
+	VarEmpty = Var + "empty/"
+
+	// Dev points to the root directory for device nodes.
+	Dev = "/dev/"
+	// DevShm is the place for POSIX shared memory segments, as created via shm_open(3).
+	DevShm = "/dev/shm/"
+	// Proc points to a virtual kernel file system exposing the process list and other functionality.
+	Proc = "/proc/"
+	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
+	ProcSys = Proc + "sys/"
+	// Sys points to a virtual kernel file system exposing discovered devices and other functionality.
+	Sys = "/sys/"
+)
--- a/container/init.go
+++ b/container/init.go
@@ -0,0 +1,563 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"slices"
+	"strconv"
+	"sync"
+	"sync/atomic"
+	. "syscall"
+	"time"
+
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/message"
+)
+
+const (
+	/* intermediateHostPath is the pathname of the intermediate tmpfs mount point.
+
+	This path might seem like a weird choice, however there are many good reasons to use it:
+	- The contents of this path is never exposed to the container:
+	  The tmpfs root established here effectively becomes anonymous after pivot_root.
+	- It is safe to assume this path exists and is a directory:
+	  This program will not work correctly without a proper /proc and neither will most others.
+	- This path belongs to the container init:
+	  The container init is not any more privileged or trusted than the rest of the container.
+	- This path is only accessible by init and root:
+	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.
+
+	It should be noted that none of this should become relevant at any point since the resulting
+	intermediate root tmpfs should be effectively anonymous. */
+	intermediateHostPath = fhs.Proc + "self/fd"
+
+	// setupEnv is the name of the environment variable holding the string representation of
+	// the read end file descriptor of the setup params pipe.
+	setupEnv = "HAKUREI_SETUP"
+
+	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
+	exitUnexpectedWait4 = 2
+)
+
+type (
+	// Ops is a collection of [Op].
+	Ops []Op
+
+	// Op is a generic setup step ran inside the container init.
+	// Implementations of this interface are sent as a stream of gobs.
+	Op interface {
+		// early is called in host root.
+		early(state *setupState, k syscallDispatcher) error
+		// apply is called in intermediate root.
+		apply(state *setupState, k syscallDispatcher) error
+		// late is called right before starting the initial process.
+		late(state *setupState, k syscallDispatcher) error
+
+		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
+		prefix() (string, bool)
+
+		Is(op Op) bool
+		Valid() bool
+		fmt.Stringer
+	}
+
+	// setupState persists context between Ops.
+	setupState struct {
+		nonrepeatable uintptr
+
+		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
+		processConcluded bool
+		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
+		process map[int]WaitStatus
+		// Synchronises access to process.
+		processMu sync.RWMutex
+
+		*Params
+		context.Context
+		message.Msg
+	}
+)
+
+// terminated returns whether the specified pid has been reaped, and its
+// syscall.WaitStatus if it had. This is only usable by [Op].
+func (state *setupState) terminated(pid int) (wstatus WaitStatus, ok bool) {
+	state.processMu.RLock()
+	wstatus, ok = state.process[pid]
+	state.processMu.RUnlock()
+	return
+}
+
+// Grow grows the slice Ops points to using [slices.Grow].
+func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
+
+const (
+	nrAutoEtc = 1 << iota
+	nrAutoRoot
+)
+
+// OpRepeatError is returned applying a repeated nonrepeatable [Op].
+type OpRepeatError string
+
+func (e OpRepeatError) Error() string { return string(e) + " is not repeatable" }
+
+// OpStateError indicates an impossible internal state has been reached in an [Op].
+type OpStateError string
+
+func (o OpStateError) Error() string { return "impossible " + string(o) + " state reached" }
+
+// initParams are params passed from parent.
+type initParams struct {
+	Params
+
+	HostUid, HostGid int
+	// extra files count
+	Count int
+	// verbosity pass through
+	Verbose bool
+}
+
+// Init is called by [TryArgv0] if the current process is the container init.
+func Init(msg message.Msg) { initEntrypoint(direct{}, msg) }
+
+func initEntrypoint(k syscallDispatcher, msg message.Msg) {
+	k.lockOSThread()
+
+	if msg == nil {
+		panic("attempting to call initEntrypoint with nil msg")
+	}
+
+	if k.getpid() != 1 {
+		k.fatal(msg, "this process must run as pid 1")
+	}
+
+	if err := k.setPtracer(0); err != nil {
+		msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err)
+		// not fatal: this program has no additional privileges at initial program start
+	}
+
+	var (
+		params      initParams
+		closeSetup  func() error
+		setupFd     uintptr
+		offsetSetup int
+	)
+	if f, err := k.receive(setupEnv, &params, &setupFd); err != nil {
+		if errors.Is(err, EBADF) {
+			k.fatal(msg, "invalid setup descriptor")
+		}
+		if errors.Is(err, ErrReceiveEnv) {
+			k.fatal(msg, setupEnv+" not set")
+		}
+
+		k.fatalf(msg, "cannot decode init setup payload: %v", err)
+	} else {
+		if params.Ops == nil {
+			k.fatal(msg, "invalid setup parameters")
+		}
+		if params.ParentPerm == 0 {
+			params.ParentPerm = 0755
+		}
+
+		msg.SwapVerbose(params.Verbose)
+		msg.Verbose("received setup parameters")
+		closeSetup = f
+		offsetSetup = int(setupFd + 1)
+	}
+
+	// write uid/gid map here so parent does not need to set dumpable
+	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
+		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
+	}
+	if err := k.writeFile(fhs.Proc+"self/uid_map",
+		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
+		0); err != nil {
+		k.fatalf(msg, "%v", err)
+	}
+	if err := k.writeFile(fhs.Proc+"self/setgroups",
+		[]byte("deny\n"),
+		0); err != nil && !os.IsNotExist(err) {
+		k.fatalf(msg, "%v", err)
+	}
+	if err := k.writeFile(fhs.Proc+"self/gid_map",
+		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
+		0); err != nil {
+		k.fatalf(msg, "%v", err)
+	}
+	if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
+		k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err)
+	}
+
+	oldmask := k.umask(0)
+	if params.Hostname != "" {
+		if err := k.sethostname([]byte(params.Hostname)); err != nil {
+			k.fatalf(msg, "cannot set hostname: %v", err)
+		}
+	}
+
+	// cache sysctl before pivot_root
+	lastcap := k.lastcap(msg)
+
+	if err := k.mount(zeroString, fhs.Root, zeroString, MS_SILENT|MS_SLAVE|MS_REC, zeroString); err != nil {
+		k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
+	defer cancel()
+
+	/* early is called right before pivot_root into intermediate root;
+	this step is mostly for gathering information that would otherwise be difficult to obtain
+	via library functions after pivot_root, and implementations are expected to avoid changing
+	the state of the mount namespace */
+	for i, op := range *params.Ops {
+		if op == nil || !op.Valid() {
+			k.fatalf(msg, "invalid op at index %d", i)
+		}
+
+		if err := op.early(state, k); err != nil {
+			if m, ok := messageFromError(err); ok {
+				k.fatal(msg, m)
+			} else {
+				k.fatalf(msg, "cannot prepare op at index %d: %v", i, err)
+			}
+		}
+	}
+
+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.chdir(intermediateHostPath); err != nil {
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
+	}
+
+	if err := k.mkdir(sysrootDir, 0755); err != nil {
+		k.fatalf(msg, "%v", err)
+	}
+	if err := k.mount(sysrootDir, sysrootDir, zeroString, MS_SILENT|MS_BIND|MS_REC, zeroString); err != nil {
+		k.fatalf(msg, "cannot bind sysroot: %v", optionalErrorUnwrap(err))
+	}
+
+	if err := k.mkdir(hostDir, 0755); err != nil {
+		k.fatalf(msg, "%v", err)
+	}
+	// pivot_root uncovers intermediateHostPath in hostDir
+	if err := k.pivotRoot(intermediateHostPath, hostDir); err != nil {
+		k.fatalf(msg, "cannot pivot into intermediate root: %v", err)
+	}
+	if err := k.chdir(fhs.Root); err != nil {
+		k.fatalf(msg, "cannot enter intermediate root: %v", err)
+	}
+
+	/* apply is called right after pivot_root and entering the new root;
+	this step sets up the container filesystem, and implementations are expected to keep the host root
+	and sysroot mount points intact but otherwise can do whatever they need to;
+	chdir is allowed but discouraged */
+	for i, op := range *params.Ops {
+		// ops already checked during early setup
+		if prefix, ok := op.prefix(); ok {
+			msg.Verbosef("%s %s", prefix, op)
+		}
+		if err := op.apply(state, k); err != nil {
+			if m, ok := messageFromError(err); ok {
+				k.fatal(msg, m)
+			} else {
+				k.fatalf(msg, "cannot apply op at index %d: %v", i, err)
+			}
+		}
+	}
+
+	// setup requiring host root complete at this point
+	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
+		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.unmount(hostDir, MNT_DETACH); err != nil {
+		k.fatalf(msg, "cannot unmount host root: %v", err)
+	}
+
+	{
+		var fd int
+		if err := IgnoringEINTR(func() (err error) {
+			fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0)
+			return
+		}); err != nil {
+			k.fatalf(msg, "cannot open intermediate root: %v", err)
+		}
+		if err := k.chdir(sysrootPath); err != nil {
+			k.fatalf(msg, "cannot enter sysroot: %v", err)
+		}
+
+		if err := k.pivotRoot(".", "."); err != nil {
+			k.fatalf(msg, "cannot pivot into sysroot: %v", err)
+		}
+		if err := k.fchdir(fd); err != nil {
+			k.fatalf(msg, "cannot re-enter intermediate root: %v", err)
+		}
+		if err := k.unmount(".", MNT_DETACH); err != nil {
+			k.fatalf(msg, "cannot unmount intermediate root: %v", err)
+		}
+		if err := k.chdir(fhs.Root); err != nil {
+			k.fatalf(msg, "cannot enter root: %v", err)
+		}
+
+		if err := k.close(fd); err != nil {
+			k.fatalf(msg, "cannot close intermediate root: %v", err)
+		}
+	}
+
+	if err := k.capAmbientClearAll(); err != nil {
+		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
+	}
+	for i := uintptr(0); i <= lastcap; i++ {
+		if params.Privileged && i == CAP_SYS_ADMIN {
+			continue
+		}
+		if err := k.capBoundingSetDrop(i); err != nil {
+			k.fatalf(msg, "cannot drop capability from bounding set: %v", err)
+		}
+	}
+
+	var keep [2]uint32
+	if params.Privileged {
+		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
+
+		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
+			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
+		}
+	}
+	if err := k.capset(
+		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
+		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
+	); err != nil {
+		k.fatalf(msg, "cannot capset: %v", err)
+	}
+
+	if !params.SeccompDisable {
+		rules := params.SeccompRules
+		if len(rules) == 0 { // non-empty rules slice always overrides presets
+			msg.Verbosef("resolving presets %#x", params.SeccompPresets)
+			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
+		}
+		if err := k.seccompLoad(rules, params.SeccompFlags); err != nil {
+			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
+			k.fatalf(msg, "cannot load syscall filter: %v", err)
+		}
+		msg.Verbosef("%d filter rules loaded", len(rules))
+	} else {
+		msg.Verbose("syscall filter not configured")
+	}
+
+	extraFiles := make([]*os.File, params.Count)
+	for i := range extraFiles {
+		// setup fd is placed before all extra files
+		extraFiles[i] = k.newFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
+	}
+	k.umask(oldmask)
+
+	// winfo represents an exited process from wait4.
+	type winfo struct {
+		wpid    int
+		wstatus WaitStatus
+	}
+
+	// info is closed as the wait4 thread terminates
+	// when there are no longer any processes left to reap
+	info := make(chan winfo, 1)
+
+	// whether initial process has started
+	var initialProcessStarted atomic.Bool
+
+	k.new(func(k syscallDispatcher) {
+		k.lockOSThread()
+
+	wait4:
+		var (
+			err     error
+			wpid    = -2
+			wstatus WaitStatus
+
+			// whether initial process has started
+			started bool
+		)
+
+		// keep going until no child process is left
+		for wpid != -1 {
+			if err != nil {
+				break
+			}
+
+			if wpid != -2 {
+				if !state.processConcluded {
+					state.processMu.Lock()
+					if state.process == nil {
+						// early reaping has already concluded at this point
+						state.processConcluded = true
+						info <- winfo{wpid, wstatus}
+					} else {
+						// initial process has not yet been created, and the
+						// info channel is not yet being received from
+						state.process[wpid] = wstatus
+					}
+					state.processMu.Unlock()
+				} else {
+					info <- winfo{wpid, wstatus}
+				}
+			}
+
+			if !started {
+				started = initialProcessStarted.Load()
+			}
+
+			err = EINTR
+			for errors.Is(err, EINTR) {
+				wpid, err = k.wait4(-1, &wstatus, 0, nil)
+			}
+		}
+
+		if !errors.Is(err, ECHILD) {
+			k.printf(msg, "unexpected wait4 response: %v", err)
+		} else if !started {
+			// initial process has not yet been reached and all daemons
+			// terminated or none were started in the first place
+			time.Sleep(500 * time.Microsecond)
+			goto wait4
+		}
+
+		close(info)
+	})
+
+	// called right before startup of initial process, all state changes to the
+	// current process is prohibited during late
+	for i, op := range *params.Ops {
+		// ops already checked during early setup
+		if err := op.late(state, k); err != nil {
+			if m, ok := messageFromError(err); ok {
+				k.fatal(msg, m)
+			} else if errors.Is(err, context.DeadlineExceeded) {
+				k.fatalf(msg, "%s deadline exceeded", op.String())
+			} else {
+				k.fatalf(msg, "cannot complete op at index %d: %v", i, err)
+			}
+		}
+	}
+	// early reaping has concluded, this must happen before initial process is created
+	state.processMu.Lock()
+	state.process = nil
+	state.processMu.Unlock()
+
+	if err := closeSetup(); err != nil {
+		k.fatalf(msg, "cannot close setup pipe: %v", err)
+	}
+
+	cmd := exec.Command(params.Path.String())
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	cmd.Args = params.Args
+	cmd.Env = params.Env
+	cmd.ExtraFiles = extraFiles
+	cmd.Dir = params.Dir.String()
+
+	msg.Verbosef("starting initial process %s", params.Path)
+	if err := k.start(cmd); err != nil {
+		k.fatalf(msg, "%v", err)
+	}
+	initialProcessStarted.Store(true)
+
+	// handle signals to dump withheld messages
+	sig := make(chan os.Signal, 2)
+	k.notify(sig, CancelSignal,
+		os.Interrupt, SIGTERM, SIGQUIT)
+
+	// closed after residualProcessTimeout has elapsed after initial process death
+	timeout := make(chan struct{})
+
+	r := exitUnexpectedWait4
+	for {
+		select {
+		case s := <-sig:
+			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
+				msg.Verbose("forwarding context cancellation")
+				if err := k.signal(cmd, os.Interrupt); err != nil {
+					k.printf(msg, "cannot forward cancellation: %v", err)
+				}
+				continue
+			}
+
+			if s == SIGTERM || s == SIGQUIT {
+				msg.Verbosef("got %s, forwarding to initial process", s.String())
+				if err := k.signal(cmd, s); err != nil {
+					k.printf(msg, "cannot forward signal: %v", err)
+				}
+				continue
+			}
+
+			msg.Verbosef("got %s", s.String())
+			msg.BeforeExit()
+			k.exit(0)
+
+		case w, ok := <-info:
+			if !ok {
+				msg.BeforeExit()
+				k.exit(r)
+				continue // unreachable
+			}
+
+			if w.wpid == cmd.Process.Pid {
+				// cancel Op context early
+				cancel()
+
+				// start timeout early
+				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
+
+				// close initial process files; this also keeps them alive
+				for _, f := range extraFiles {
+					if err := f.Close(); err != nil {
+						msg.Verbose(err.Error())
+					}
+				}
+
+				switch {
+				case w.wstatus.Exited():
+					r = w.wstatus.ExitStatus()
+					msg.Verbosef("initial process exited with code %d", w.wstatus.ExitStatus())
+
+				case w.wstatus.Signaled():
+					r = 128 + int(w.wstatus.Signal())
+					msg.Verbosef("initial process exited with signal %s", w.wstatus.Signal())
+
+				default:
+					r = 255
+					msg.Verbosef("initial process exited with status %#x", w.wstatus)
+				}
+			}
+
+		case <-timeout:
+			k.printf(msg, "timeout exceeded waiting for lingering processes")
+			msg.BeforeExit()
+			k.exit(r)
+		}
+	}
+}
+
+// initName is the prefix used by log.std in the init process.
+const initName = "init"
+
+// TryArgv0 calls [Init] if the last element of argv0 is "init".
+// If a nil msg is passed, the system logger is used instead.
+func TryArgv0(msg message.Msg) {
+	if msg == nil {
+		log.SetPrefix(initName + ": ")
+		log.SetFlags(0)
+		msg = message.New(log.Default())
+	}
+
+	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {
+		Init(msg)
+		msg.BeforeExit()
+		os.Exit(0)
+	}
+}
--- a/container/init_test.go
+++ b/container/init_test.go
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -0,0 +1,111 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"os"
+	"syscall"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/std"
+)
+
+func init() { gob.Register(new(BindMountOp)) }
+
+// Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
+func (f *Ops) Bind(source, target *check.Absolute, flags int) *Ops {
+	*f = append(*f, &BindMountOp{nil, source, target, flags})
+	return f
+}
+
+// BindMountOp bind mounts host path Source on container path Target.
+// Note that Flags uses bits declared in this package and should not be set with constants in [syscall].
+type BindMountOp struct {
+	sourceFinal, Source, Target *check.Absolute
+
+	Flags int
+}
+
+func (b *BindMountOp) Valid() bool {
+	return b != nil &&
+		b.Source != nil && b.Target != nil &&
+		b.Flags&(std.BindOptional|std.BindEnsure) != (std.BindOptional|std.BindEnsure)
+}
+
+func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
+	if b.Flags&std.BindEnsure != 0 {
+		if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
+			return err
+		}
+	}
+
+	if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
+		if os.IsNotExist(err) && b.Flags&std.BindOptional != 0 {
+			// leave sourceFinal as nil
+			return nil
+		}
+		return err
+	} else {
+		b.sourceFinal, err = check.NewAbs(pathname)
+		return err
+	}
+}
+
+func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
+	if b.sourceFinal == nil {
+		if b.Flags&std.BindOptional == 0 {
+			// unreachable
+			return OpStateError("bind")
+		}
+		return nil
+	}
+
+	source := toHost(b.sourceFinal.String())
+	target := toSysroot(b.Target.String())
+
+	// this perm value emulates bwrap behaviour as it clears bits from 0755 based on
+	// op->perms which is never set for any bind setup op so always results in 0700
+	if fi, err := k.stat(source); err != nil {
+		return err
+	} else if fi.IsDir() {
+		if err = k.mkdirAll(target, 0700); err != nil {
+			return err
+		}
+	} else if err = k.ensureFile(target, 0444, 0700); err != nil {
+		return err
+	}
+
+	var flags uintptr = syscall.MS_REC
+	if b.Flags&std.BindWritable == 0 {
+		flags |= syscall.MS_RDONLY
+	}
+	if b.Flags&std.BindDevice == 0 {
+		flags |= syscall.MS_NODEV
+	}
+
+	if b.sourceFinal.String() == b.Target.String() {
+		state.Verbosef("mounting %q flags %#x", target, flags)
+	} else {
+		state.Verbosef("mounting %q on %q flags %#x", source, target, flags)
+	}
+	return k.bindMount(state, source, target, flags)
+}
+func (b *BindMountOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (b *BindMountOp) Is(op Op) bool {
+	vb, ok := op.(*BindMountOp)
+	return ok && b.Valid() && vb.Valid() &&
+		b.Source.Is(vb.Source) &&
+		b.Target.Is(vb.Target) &&
+		b.Flags == vb.Flags
+}
+func (*BindMountOp) prefix() (string, bool) { return "mounting", false }
+func (b *BindMountOp) String() string {
+	if b.Source == nil || b.Target == nil {
+		return "<invalid>"
+	}
+	if b.Source.String() == b.Target.String() {
+		return fmt.Sprintf("%q flags %#x", b.Source, b.Flags)
+	}
+	return fmt.Sprintf("%q on %q flags %#x", b.Source, b.Target, b.Flags)
+}
--- a/container/initbind_test.go
+++ b/container/initbind_test.go
@@ -0,0 +1,262 @@
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/std"
+	"hakurei.app/container/stub"
+)
+
+func TestBindMountOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"ENOENT not optional", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
+		}, syscall.ENOENT, nil, nil},
+
+		{"skip optional", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+			Flags:  std.BindOptional,
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
+		}, nil, nil, nil},
+
+		{"success optional", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+			Flags:  std.BindOptional,
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
+		}, nil},
+
+		{"ensureFile device", new(Params), &BindMountOp{
+			Source: check.MustAbs("/dev/null"),
+			Target: check.MustAbs("/dev/null"),
+			Flags:  std.BindWritable | std.BindDevice,
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/dev/null"}, isDirFi(false), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(5)),
+		}, stub.UniqueError(5)},
+
+		{"mkdirAll ensure", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+			Flags:  std.BindEnsure,
+		}, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
+		}, stub.UniqueError(4), nil, nil},
+
+		{"success ensure", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/usr/bin/"),
+			Flags:  std.BindEnsure,
+		}, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/usr/bin", os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/usr/bin", uintptr(0x4005)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/usr/bin", uintptr(0x4005), false}, nil, nil),
+		}, nil},
+
+		{"success device ro", new(Params), &BindMountOp{
+			Source: check.MustAbs("/dev/null"),
+			Target: check.MustAbs("/dev/null"),
+			Flags:  std.BindDevice,
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/dev/null"}, isDirFi(false), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/dev/null", uintptr(0x4001)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0x4001), false}, nil, nil),
+		}, nil},
+
+		{"success device", new(Params), &BindMountOp{
+			Source: check.MustAbs("/dev/null"),
+			Target: check.MustAbs("/dev/null"),
+			Flags:  std.BindWritable | std.BindDevice,
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/dev/null"}, isDirFi(false), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/dev/null", uintptr(0x4000)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0x4000), false}, nil, nil),
+		}, nil},
+
+		{"evalSymlinks", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", stub.UniqueError(3)),
+		}, stub.UniqueError(3), nil, nil},
+
+		{"stat", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), stub.UniqueError(2)),
+		}, stub.UniqueError(2)},
+
+		{"mkdirAll", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, stub.UniqueError(1)),
+		}, stub.UniqueError(1)},
+
+		{"bindMount", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, stub.UniqueError(0)),
+		}, stub.UniqueError(0)},
+
+		{"success eval equals", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/bin"}, isDirFi(true), nil),
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
+		}, nil},
+
+		{"success", new(Params), &BindMountOp{
+			Source: check.MustAbs("/bin/"),
+			Target: check.MustAbs("/bin/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
+		}, nil, []stub.Call{
+			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
+		}, nil},
+	})
+
+	t.Run("unreachable", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("nil sourceFinal not optional", func(t *testing.T) {
+			t.Parallel()
+			wantErr := OpStateError("bind")
+			if err := new(BindMountOp).apply(nil, nil); !errors.Is(err, wantErr) {
+				t.Errorf("apply: error = %v, want %v", err, wantErr)
+			}
+		})
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*BindMountOp)(nil), false},
+		{"zero", new(BindMountOp), false},
+		{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
+		{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
+		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: std.BindOptional | std.BindEnsure}, false},
+		{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"autoetc", new(Ops).Bind(
+			check.MustAbs("/etc/"),
+			check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+			0,
+		), Ops{
+			&BindMountOp{
+				Source: check.MustAbs("/etc/"),
+				Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(BindMountOp), new(BindMountOp), false},
+
+		{"internal ne", &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, &BindMountOp{
+			Source:      check.MustAbs("/etc/"),
+			Target:      check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+			sourceFinal: check.MustAbs("/etc/"),
+		}, true},
+
+		{"flags differs", &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+			Flags:  std.BindOptional,
+		}, false},
+
+		{"source differs", &BindMountOp{
+			Source: check.MustAbs("/.hakurei/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, false},
+
+		{"target differs", &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/"),
+		}, false},
+
+		{"equals", &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"invalid", new(BindMountOp), "mounting", "<invalid>"},
+
+		{"autoetc", &BindMountOp{
+			Source: check.MustAbs("/etc/"),
+			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
+		}, "mounting", `"/etc/" on "/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659" flags 0x0`},
+
+		{"hostdev", &BindMountOp{
+			Source: check.MustAbs("/dev/"),
+			Target: check.MustAbs("/dev/"),
+			Flags:  std.BindWritable | std.BindDevice,
+		}, "mounting", `"/dev/" flags 0x6`},
+	})
+}
--- a/container/initdaemon.go
+++ b/container/initdaemon.go
@@ -0,0 +1,134 @@
+package container
+
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"slices"
+	"strconv"
+	"syscall"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+)
+
+func init() { gob.Register(new(DaemonOp)) }
+
+const (
+	// daemonTimeout is the duration a [DaemonOp] is allowed to block before the
+	// [DaemonOp.Target] marker becomes available.
+	daemonTimeout = 5 * time.Second
+)
+
+// Daemon appends an [Op] that starts a daemon in the container and blocks until
+// [DaemonOp.Target] appears.
+func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
+	*f = append(*f, &DaemonOp{target, path, args})
+	return f
+}
+
+// DaemonOp starts a daemon in the container and blocks until Target appears.
+type DaemonOp struct {
+	// Pathname indicating readiness of daemon.
+	Target *check.Absolute
+	// Absolute pathname passed to [exec.Cmd].
+	Path *check.Absolute
+	// Arguments (excl. first) passed to [exec.Cmd].
+	Args []string
+}
+
+// earlyTerminationError is returned by [DaemonOp] when a daemon terminates
+// before [DaemonOp.Target] appears.
+type earlyTerminationError struct {
+	// Returned by [DaemonOp.String].
+	op string
+	// Copied from wait4 loop.
+	wstatus syscall.WaitStatus
+}
+
+func (e *earlyTerminationError) Error() string {
+	res := ""
+	switch {
+	case e.wstatus.Exited():
+		res = "exit status " + strconv.Itoa(e.wstatus.ExitStatus())
+	case e.wstatus.Signaled():
+		res = "signal: " + e.wstatus.Signal().String()
+	case e.wstatus.Stopped():
+		res = "stop signal: " + e.wstatus.StopSignal().String()
+		if e.wstatus.StopSignal() == syscall.SIGTRAP && e.wstatus.TrapCause() != 0 {
+			res += " (trap " + strconv.Itoa(e.wstatus.TrapCause()) + ")"
+		}
+	case e.wstatus.Continued():
+		res = "continued"
+	}
+	if e.wstatus.CoreDump() {
+		res += " (core dumped)"
+	}
+	return res
+}
+
+func (e *earlyTerminationError) Message() string { return e.op + " " + e.Error() }
+
+func (d *DaemonOp) Valid() bool                                { return d != nil && d.Target != nil && d.Path != nil }
+func (d *DaemonOp) early(*setupState, syscallDispatcher) error { return nil }
+func (d *DaemonOp) apply(*setupState, syscallDispatcher) error { return nil }
+func (d *DaemonOp) late(state *setupState, k syscallDispatcher) error {
+	cmd := exec.CommandContext(state.Context, d.Path.String(), d.Args...)
+	cmd.Env = state.Env
+	cmd.Dir = fhs.Root
+	if state.IsVerbose() {
+		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
+	}
+	// WaitDelay: left unset because lifetime is bound by AdoptWaitDelay on cancellation
+	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
+
+	state.Verbosef("starting %s", d.String())
+	if err := k.start(cmd); err != nil {
+		return err
+	}
+
+	deadline := time.Now().Add(daemonTimeout)
+	var wstatusErr error
+
+	for {
+		if _, err := k.stat(d.Target.String()); err != nil {
+			if !errors.Is(err, os.ErrNotExist) {
+				_ = k.signal(cmd, os.Kill)
+				return err
+			}
+
+			if time.Now().After(deadline) {
+				_ = k.signal(cmd, os.Kill)
+				return context.DeadlineExceeded
+			}
+
+			if wstatusErr != nil {
+				return wstatusErr
+			}
+			if wstatus, ok := state.terminated(cmd.Process.Pid); ok {
+				// check once again: process could have satisfied Target between stat and the lookup
+				wstatusErr = &earlyTerminationError{d.String(), wstatus}
+				continue
+			}
+
+			time.Sleep(500 * time.Microsecond)
+			continue
+		}
+
+		state.Verbosef("daemon process %d ready", cmd.Process.Pid)
+		return nil
+	}
+}
+
+func (d *DaemonOp) Is(op Op) bool {
+	vd, ok := op.(*DaemonOp)
+	return ok && d.Valid() && vd.Valid() &&
+		d.Target.Is(vd.Target) && d.Path.Is(vd.Path) &&
+		slices.Equal(d.Args, vd.Args)
+}
+func (*DaemonOp) prefix() (string, bool) { return zeroString, false }
+func (d *DaemonOp) String() string       { return fmt.Sprintf("daemon providing %q", d.Target) }
--- a/container/initdaemon_test.go
+++ b/container/initdaemon_test.go
@@ -0,0 +1,127 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+	"hakurei.app/message"
+)
+
+func TestEarlyTerminationError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		err  error
+		want string
+		msg  string
+	}{
+		{"exited", &earlyTerminationError{
+			`daemon providing "/run/user/1971/pulse/native"`, 127 << 8,
+		}, "exit status 127", `daemon providing "/run/user/1971/pulse/native" exit status 127`},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.err.Error(); got != tc.want {
+				t.Errorf("Error: %q, want %q", got, tc.want)
+			}
+			if got := tc.err.(message.Error).Message(); got != tc.msg {
+				t.Errorf("Message: %s, want %s", got, tc.msg)
+			}
+		})
+	}
+}
+
+func TestDaemonOp(t *testing.T) {
+	t.Parallel()
+
+	checkSimple(t, "DaemonOp.late", []simpleTestCase{
+		{"success", func(k *kstub) error {
+			state := setupState{Params: &Params{Env: []string{"\x00"}}, Context: t.Context(), Msg: k}
+			return (&DaemonOp{
+				Target: check.MustAbs("/run/user/1971/pulse/native"),
+				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+				Args:   []string{"-v"},
+			}).late(&state, k)
+		}, stub.Expect{Calls: []stub.Call{
+			call("isVerbose", stub.ExpectArgs{}, true, nil),
+			call("verbosef", stub.ExpectArgs{"starting %s", []any{`daemon providing "/run/user/1971/pulse/native"`}}, nil, nil),
+			call("start", stub.ExpectArgs{"/run/current-system/sw/bin/pipewire-pulse", []string{"/run/current-system/sw/bin/pipewire-pulse", "-v"}, []string{"\x00"}, "/"}, &os.Process{Pid: 0xcafe}, nil),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
+			call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), nil),
+			call("verbosef", stub.ExpectArgs{"daemon process %d ready", []any{0xcafe}}, nil, nil),
+		}}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*DaemonOp)(nil), false},
+		{"zero", new(DaemonOp), false},
+		{"valid", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+			Args:   []string{"-v"},
+		}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"pipewire-pulse", new(Ops).Daemon(
+			check.MustAbs("/run/user/1971/pulse/native"),
+			check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"), "-v",
+		), Ops{
+			&DaemonOp{
+				Target: check.MustAbs("/run/user/1971/pulse/native"),
+				Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+				Args:   []string{"-v"},
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(DaemonOp), new(DaemonOp), false},
+
+		{"args differs", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+			Args:   []string{"-v"},
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, false},
+
+		{"path differs", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire"),
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, false},
+
+		{"target differs", &DaemonOp{
+			Target: check.MustAbs("/run/user/65534/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, false},
+
+		{"equals", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+			Path:   check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"pipewire-pulse", &DaemonOp{
+			Target: check.MustAbs("/run/user/1971/pulse/native"),
+		}, zeroString, `daemon providing "/run/user/1971/pulse/native"`},
+	})
+}
--- a/container/initdev.go
+++ b/container/initdev.go
@@ -0,0 +1,144 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"path"
+	. "syscall"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+)
+
+func init() { gob.Register(new(MountDevOp)) }
+
+// Dev appends an [Op] that mounts a subset of host /dev.
+func (f *Ops) Dev(target *check.Absolute, mqueue bool) *Ops {
+	*f = append(*f, &MountDevOp{target, mqueue, false})
+	return f
+}
+
+// DevWritable appends an [Op] that mounts a writable subset of host /dev.
+// There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
+func (f *Ops) DevWritable(target *check.Absolute, mqueue bool) *Ops {
+	*f = append(*f, &MountDevOp{target, mqueue, true})
+	return f
+}
+
+// MountDevOp mounts a subset of host /dev on container path Target.
+// If Mqueue is true, a private instance of [FstypeMqueue] is mounted.
+// If Write is true, the resulting mount point is left writable.
+type MountDevOp struct {
+	Target *check.Absolute
+	Mqueue bool
+	Write  bool
+}
+
+func (d *MountDevOp) Valid() bool                                { return d != nil && d.Target != nil }
+func (d *MountDevOp) early(*setupState, syscallDispatcher) error { return nil }
+func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
+	target := toSysroot(d.Target.String())
+
+	if err := k.mountTmpfs(SourceTmpfsDevtmpfs, target, MS_NOSUID|MS_NODEV, 0, state.ParentPerm); err != nil {
+		return err
+	}
+
+	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
+		targetPath := path.Join(target, name)
+		if err := k.ensureFile(targetPath, 0444, state.ParentPerm); err != nil {
+			return err
+		}
+		if err := k.bindMount(
+			state,
+			toHost(fhs.Dev+name),
+			targetPath,
+			0,
+		); err != nil {
+			return err
+		}
+	}
+	for i, name := range []string{"stdin", "stdout", "stderr"} {
+		if err := k.symlink(
+			fhs.Proc+"self/fd/"+string(rune(i+'0')),
+			path.Join(target, name),
+		); err != nil {
+			return err
+		}
+	}
+	for _, pair := range [][2]string{
+		{fhs.Proc + "self/fd", "fd"},
+		{fhs.Proc + "kcore", "core"},
+		{"pts/ptmx", "ptmx"},
+	} {
+		if err := k.symlink(pair[0], path.Join(target, pair[1])); err != nil {
+			return err
+		}
+	}
+
+	devShmPath := path.Join(target, "shm")
+	devPtsPath := path.Join(target, "pts")
+	for _, name := range []string{devShmPath, devPtsPath} {
+		if err := k.mkdir(name, state.ParentPerm); err != nil {
+			return err
+		}
+	}
+
+	if err := k.mount(SourceDevpts, devPtsPath, FstypeDevpts, MS_NOSUID|MS_NOEXEC,
+		"newinstance,ptmxmode=0666,mode=620"); err != nil {
+		return err
+	}
+
+	if state.RetainSession {
+		if k.isatty(Stdout) {
+			consolePath := path.Join(target, "console")
+			if err := k.ensureFile(consolePath, 0444, state.ParentPerm); err != nil {
+				return err
+			}
+			if name, err := k.readlink(hostProc.stdout()); err != nil {
+				return err
+			} else if err = k.bindMount(
+				state,
+				toHost(name),
+				consolePath,
+				0,
+			); err != nil {
+				return err
+			}
+		}
+	}
+
+	if d.Mqueue {
+		mqueueTarget := path.Join(target, "mqueue")
+		if err := k.mkdir(mqueueTarget, state.ParentPerm); err != nil {
+			return err
+		}
+		if err := k.mount(SourceMqueue, mqueueTarget, FstypeMqueue, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString); err != nil {
+			return err
+		}
+	}
+
+	if d.Write {
+		return nil
+	}
+
+	if err := k.remount(state, target, MS_RDONLY); err != nil {
+		return err
+	}
+	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
+}
+func (d *MountDevOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (d *MountDevOp) Is(op Op) bool {
+	vd, ok := op.(*MountDevOp)
+	return ok && d.Valid() && vd.Valid() &&
+		d.Target.Is(vd.Target) &&
+		d.Mqueue == vd.Mqueue &&
+		d.Write == vd.Write
+}
+func (*MountDevOp) prefix() (string, bool) { return "mounting", true }
+func (d *MountDevOp) String() string {
+	if d.Mqueue {
+		return fmt.Sprintf("dev on %q with mqueue", d.Target)
+	}
+	return fmt.Sprintf("dev on %q", d.Target)
+}
--- a/container/initdev_test.go
+++ b/container/initdev_test.go
@@ -0,0 +1,828 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestMountDevOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"mountTmpfs", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, stub.UniqueError(27)),
+		}, stub.UniqueError(27)},
+
+		{"ensureFile null", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(26)),
+		}, stub.UniqueError(26)},
+
+		{"bindMount null", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, stub.UniqueError(25)),
+		}, stub.UniqueError(25)},
+
+		{"ensureFile zero", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(24)),
+		}, stub.UniqueError(24)},
+
+		{"bindMount zero", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, stub.UniqueError(23)),
+		}, stub.UniqueError(23)},
+
+		{"ensureFile full", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(22)),
+		}, stub.UniqueError(22)},
+
+		{"bindMount full", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, stub.UniqueError(21)),
+		}, stub.UniqueError(21)},
+
+		{"ensureFile random", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(20)),
+		}, stub.UniqueError(20)},
+
+		{"bindMount random", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, stub.UniqueError(19)),
+		}, stub.UniqueError(19)},
+
+		{"ensureFile urandom", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(18)),
+		}, stub.UniqueError(18)},
+
+		{"bindMount urandom", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, stub.UniqueError(17)),
+		}, stub.UniqueError(17)},
+
+		{"ensureFile tty", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(16)),
+		}, stub.UniqueError(16)},
+
+		{"bindMount tty", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, stub.UniqueError(15)),
+		}, stub.UniqueError(15)},
+
+		{"symlink stdin", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, stub.UniqueError(14)),
+		}, stub.UniqueError(14)},
+
+		{"symlink stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, stub.UniqueError(13)),
+		}, stub.UniqueError(13)},
+
+		{"symlink stderr", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, stub.UniqueError(12)),
+		}, stub.UniqueError(12)},
+
+		{"symlink fd", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, stub.UniqueError(11)),
+		}, stub.UniqueError(11)},
+
+		{"symlink kcore", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, stub.UniqueError(10)),
+		}, stub.UniqueError(10)},
+
+		{"symlink ptmx", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, stub.UniqueError(9)),
+		}, stub.UniqueError(9)},
+
+		{"mkdir shm", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, stub.UniqueError(8)),
+		}, stub.UniqueError(8)},
+
+		{"mkdir devpts", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, stub.UniqueError(7)),
+		}, stub.UniqueError(7)},
+
+		{"mount devpts", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, stub.UniqueError(6)),
+		}, stub.UniqueError(6)},
+
+		{"ensureFile stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(5)),
+		}, stub.UniqueError(5)},
+
+		{"readlink stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "", stub.UniqueError(4)),
+		}, stub.UniqueError(4)},
+
+		{"bindMount stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, stub.UniqueError(3)),
+		}, stub.UniqueError(3)},
+
+		{"mkdir mqueue", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, stub.UniqueError(2)),
+		}, stub.UniqueError(2)},
+
+		{"mount mqueue", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, stub.UniqueError(1)),
+		}, stub.UniqueError(1)},
+
+		{"success no session", &Params{ParentPerm: 0755}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+			Write:  true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0755)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0755)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0755)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0755)}, nil, nil),
+			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
+		}, nil},
+
+		{"success no tty", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+			Write:  true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, false, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
+		}, nil},
+
+		{"remount", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
+			call("remount", stub.ExpectArgs{"/sysroot/dev", uintptr(1)}, nil, stub.UniqueError(0)),
+		}, stub.UniqueError(0)},
+
+		{"success no mqueue", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
+			call("remount", stub.ExpectArgs{"/sysroot/dev", uintptr(1)}, nil, nil),
+			call("mountTmpfs", stub.ExpectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil),
+		}, nil},
+
+		{"success rw", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+			Write:  true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
+		}, nil},
+
+		{"success", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
+			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
+			call("isatty", stub.ExpectArgs{1}, true, nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
+			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
+			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
+			call("remount", stub.ExpectArgs{"/sysroot/dev", uintptr(1)}, nil, nil),
+			call("mountTmpfs", stub.ExpectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*MountDevOp)(nil), false},
+		{"zero", new(MountDevOp), false},
+		{"valid", &MountDevOp{Target: check.MustAbs("/dev/")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"dev", new(Ops).Dev(check.MustAbs("/dev/"), true), Ops{
+			&MountDevOp{
+				Target: check.MustAbs("/dev/"),
+				Mqueue: true,
+			},
+		}},
+
+		{"dev writable", new(Ops).DevWritable(check.MustAbs("/.hakurei/dev/"), false), Ops{
+			&MountDevOp{
+				Target: check.MustAbs("/.hakurei/dev/"),
+				Write:  true,
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(MountDevOp), new(MountDevOp), false},
+
+		{"write differs", &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+			Write:  true,
+		}, false},
+
+		{"mqueue differs", &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+		}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, false},
+
+		{"target differs", &MountDevOp{
+			Target: check.MustAbs("/"),
+			Mqueue: true,
+		}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, false},
+
+		{"equals", &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"mqueue", &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+			Mqueue: true,
+		}, "mounting", `dev on "/dev/" with mqueue`},
+
+		{"dev", &MountDevOp{
+			Target: check.MustAbs("/dev/"),
+		}, "mounting", `dev on "/dev/"`},
+	})
+}
--- a/container/initmkdir.go
+++ b/container/initmkdir.go
@@ -0,0 +1,39 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"os"
+
+	"hakurei.app/container/check"
+)
+
+func init() { gob.Register(new(MkdirOp)) }
+
+// Mkdir appends an [Op] that creates a directory in the container filesystem.
+func (f *Ops) Mkdir(name *check.Absolute, perm os.FileMode) *Ops {
+	*f = append(*f, &MkdirOp{name, perm})
+	return f
+}
+
+// MkdirOp creates a directory at container Path with permission bits set to Perm.
+type MkdirOp struct {
+	Path *check.Absolute
+	Perm os.FileMode
+}
+
+func (m *MkdirOp) Valid() bool                                { return m != nil && m.Path != nil }
+func (m *MkdirOp) early(*setupState, syscallDispatcher) error { return nil }
+func (m *MkdirOp) apply(_ *setupState, k syscallDispatcher) error {
+	return k.mkdirAll(toSysroot(m.Path.String()), m.Perm)
+}
+func (m *MkdirOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (m *MkdirOp) Is(op Op) bool {
+	vm, ok := op.(*MkdirOp)
+	return ok && m.Valid() && vm.Valid() &&
+		m.Path.Is(vm.Path) &&
+		m.Perm == vm.Perm
+}
+func (*MkdirOp) prefix() (string, bool) { return "creating", true }
+func (m *MkdirOp) String() string       { return fmt.Sprintf("directory %q perm %s", m.Path, m.Perm) }
--- a/container/initmkdir_test.go
+++ b/container/initmkdir_test.go
@@ -0,0 +1,47 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestMkdirOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"success", new(Params), &MkdirOp{
+			Path: check.MustAbs("/.hakurei"),
+			Perm: 0500,
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/.hakurei", os.FileMode(0500)}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*MkdirOp)(nil), false},
+		{"zero", new(MkdirOp), false},
+		{"valid", &MkdirOp{Path: check.MustAbs("/.hakurei")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"etc", new(Ops).Mkdir(check.MustAbs("/etc/"), 0), Ops{
+			&MkdirOp{Path: check.MustAbs("/etc/")},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(MkdirOp), new(MkdirOp), false},
+		{"path differs", &MkdirOp{Path: check.MustAbs("/"), Perm: 0755}, &MkdirOp{Path: check.MustAbs("/etc/"), Perm: 0755}, false},
+		{"perm differs", &MkdirOp{Path: check.MustAbs("/")}, &MkdirOp{Path: check.MustAbs("/"), Perm: 0755}, false},
+		{"equals", &MkdirOp{Path: check.MustAbs("/")}, &MkdirOp{Path: check.MustAbs("/")}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"etc", &MkdirOp{
+			Path: check.MustAbs("/etc/"),
+		}, "creating", `directory "/etc/" perm ----------`},
+	})
+}
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -0,0 +1,220 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"slices"
+	"strings"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+)
+
+const (
+	// intermediate root file name pattern for [MountOverlayOp.Upper];
+	// remains after apply returns
+	intermediatePatternOverlayUpper = "overlay.upper.*"
+	// intermediate root file name pattern for [MountOverlayOp.Work];
+	// remains after apply returns
+	intermediatePatternOverlayWork = "overlay.work.*"
+)
+
+func init() { gob.Register(new(MountOverlayOp)) }
+
+const (
+	// OverlayEphemeralUnexpectedUpper is set when [MountOverlayOp.Work] is nil
+	// and [MountOverlayOp.Upper] holds an unexpected value.
+	OverlayEphemeralUnexpectedUpper = iota
+	// OverlayReadonlyLower is set when [MountOverlayOp.Lower] contains less than
+	// two entries when mounting readonly.
+	OverlayReadonlyLower
+	// OverlayEmptyLower is set when [MountOverlayOp.Lower] has length of zero.
+	OverlayEmptyLower
+)
+
+// OverlayArgumentError is returned for [MountOverlayOp] supplied with invalid argument.
+type OverlayArgumentError struct {
+	Type  uintptr
+	Value string
+}
+
+func (e *OverlayArgumentError) Error() string {
+	switch e.Type {
+	case OverlayEphemeralUnexpectedUpper:
+		return fmt.Sprintf("upperdir has unexpected value %q", e.Value)
+
+	case OverlayReadonlyLower:
+		return "readonly overlay requires at least two lowerdir"
+
+	case OverlayEmptyLower:
+		return "overlay requires at least one lowerdir"
+
+	default:
+		return fmt.Sprintf("invalid overlay argument error %#x", e.Type)
+	}
+}
+
+// Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
+func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Absolute) *Ops {
+	*f = append(*f, &MountOverlayOp{
+		Target: target,
+		Lower:  layers,
+		Upper:  state,
+		Work:   work,
+	})
+	return f
+}
+
+// OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
+// with an ephemeral upperdir and workdir.
+func (f *Ops) OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) *Ops {
+	return f.Overlay(target, fhs.AbsRoot, nil, layers...)
+}
+
+// OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
+func (f *Ops) OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) *Ops {
+	return f.Overlay(target, nil, nil, layers...)
+}
+
+// MountOverlayOp mounts [FstypeOverlay] on container path Target.
+type MountOverlayOp struct {
+	Target *check.Absolute
+
+	// Any filesystem, does not need to be on a writable filesystem.
+	Lower []*check.Absolute
+	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
+	lower []string
+	// The upperdir is normally on a writable filesystem.
+	//
+	// If Work is nil and Upper holds the special value [fhs.AbsRoot],
+	// an ephemeral upperdir and workdir will be set up.
+	//
+	// If both Work and Upper are nil, upperdir and workdir is omitted and the overlay is mounted readonly.
+	Upper *check.Absolute
+	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
+	upper string
+	// The workdir needs to be an empty directory on the same filesystem as upperdir.
+	Work *check.Absolute
+	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
+	work string
+
+	ephemeral bool
+
+	// used internally for mounting to the intermediate root
+	noPrefix bool
+}
+
+func (o *MountOverlayOp) Valid() bool {
+	if o == nil {
+		return false
+	}
+	if o.Work != nil && o.Upper == nil {
+		return false
+	}
+	if slices.Contains(o.Lower, nil) {
+		return false
+	}
+	return o.Target != nil
+}
+
+func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
+	if o.Work == nil && o.Upper != nil {
+		switch o.Upper.String() {
+		case fhs.Root: // ephemeral
+			o.ephemeral = true // intermediate root not yet available
+
+		default:
+			return &OverlayArgumentError{OverlayEphemeralUnexpectedUpper, o.Upper.String()}
+		}
+	}
+	// readonly handled in apply
+
+	if !o.ephemeral {
+		if o.Upper != o.Work && (o.Upper == nil || o.Work == nil) {
+			// unreachable
+			return OpStateError("overlay")
+		}
+
+		if o.Upper != nil {
+			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
+				return err
+			} else {
+				o.upper = check.EscapeOverlayDataSegment(toHost(v))
+			}
+		}
+
+		if o.Work != nil {
+			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
+				return err
+			} else {
+				o.work = check.EscapeOverlayDataSegment(toHost(v))
+			}
+		}
+	}
+
+	o.lower = make([]string, len(o.Lower))
+	for i, a := range o.Lower { // nil checked in Valid
+		if v, err := k.evalSymlinks(a.String()); err != nil {
+			return err
+		} else {
+			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
+		}
+	}
+	return nil
+}
+
+func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
+	target := o.Target.String()
+	if !o.noPrefix {
+		target = toSysroot(target)
+	}
+	if err := k.mkdirAll(target, state.ParentPerm); err != nil {
+		return err
+	}
+
+	if o.ephemeral {
+		var err error
+		// these directories are created internally, therefore early (absolute, symlink, prefix, escape) is bypassed
+		if o.upper, err = k.mkdirTemp(fhs.Root, intermediatePatternOverlayUpper); err != nil {
+			return err
+		}
+		if o.work, err = k.mkdirTemp(fhs.Root, intermediatePatternOverlayWork); err != nil {
+			return err
+		}
+	}
+
+	options := make([]string, 0, 4)
+
+	if o.upper == zeroString && o.work == zeroString { // readonly
+		if len(o.Lower) < 2 {
+			return &OverlayArgumentError{OverlayReadonlyLower, zeroString}
+		}
+		// "upperdir=" and "workdir=" may be omitted. In that case the overlay will be read-only
+	} else {
+		if len(o.Lower) == 0 {
+			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
+		}
+		options = append(options,
+			OptionOverlayUpperdir+"="+o.upper,
+			OptionOverlayWorkdir+"="+o.work)
+	}
+	options = append(options,
+		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
+		OptionOverlayUserxattr)
+
+	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
+}
+
+func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (o *MountOverlayOp) Is(op Op) bool {
+	vo, ok := op.(*MountOverlayOp)
+	return ok && o.Valid() && vo.Valid() &&
+		o.Target.Is(vo.Target) &&
+		slices.EqualFunc(o.Lower, vo.Lower, func(a, v *check.Absolute) bool { return a.Is(v) }) &&
+		o.Upper.Is(vo.Upper) && o.Work.Is(vo.Work)
+}
+func (*MountOverlayOp) prefix() (string, bool) { return "mounting", true }
+func (o *MountOverlayOp) String() string {
+	return fmt.Sprintf("overlay on %q with %d layers", o.Target, len(o.Lower))
+}
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -0,0 +1,405 @@
+package container
+
+import (
+	"errors"
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestMountOverlayOp(t *testing.T) {
+	t.Parallel()
+
+	t.Run("argument error", func(t *testing.T) {
+		t.Parallel()
+
+		testCases := []struct {
+			name string
+			err  *OverlayArgumentError
+			want string
+		}{
+			{"unexpected upper", &OverlayArgumentError{OverlayEphemeralUnexpectedUpper, "/proc/"},
+				`upperdir has unexpected value "/proc/"`},
+
+			{"lower ro short", &OverlayArgumentError{OverlayReadonlyLower, zeroString},
+				"readonly overlay requires at least two lowerdir"},
+
+			{"lower short", &OverlayArgumentError{OverlayEmptyLower, zeroString},
+				"overlay requires at least one lowerdir"},
+
+			{"oob", &OverlayArgumentError{0xdeadbeef, zeroString},
+				"invalid overlay argument error 0xdeadbeef"},
+		}
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+				if got := tc.err.Error(); got != tc.want {
+					t.Errorf("Error: %q, want %q", got, tc.want)
+				}
+			})
+		}
+	})
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"mkdirTemp invalid ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
+			Target: check.MustAbs("/"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
+				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
+			},
+			Upper: check.MustAbs("/proc/"),
+		}, nil, &OverlayArgumentError{OverlayEphemeralUnexpectedUpper, "/proc/"}, nil, nil},
+
+		{"mkdirTemp upper ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
+			Target: check.MustAbs("/"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
+				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
+			},
+			Upper: check.MustAbs("/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, "/var/lib/planterette/base/debian:f92c9052", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"}, "/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
+			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", stub.UniqueError(6)),
+		}, stub.UniqueError(6)},
+
+		{"mkdirTemp work ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
+			Target: check.MustAbs("/"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
+				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
+			},
+			Upper: check.MustAbs("/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, "/var/lib/planterette/base/debian:f92c9052", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"}, "/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
+			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
+			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", stub.UniqueError(5)),
+		}, stub.UniqueError(5)},
+
+		{"success ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
+			Target: check.MustAbs("/"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
+				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
+			},
+			Upper: check.MustAbs("/"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, "/var/lib/planterette/base/debian:f92c9052", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"}, "/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
+			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
+			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
+				"upperdir=overlay.upper.32768," +
+				"workdir=overlay.work.32768," +
+				"lowerdir=" +
+				`/host/var/lib/planterette/base/debian\:f92c9052:` +
+				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
+				"userxattr"}, nil, nil),
+		}, nil},
+
+		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/mnt-root/nix/.ro-store"),
+			},
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/.ro-store", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
+		}, &OverlayArgumentError{OverlayReadonlyLower, zeroString}},
+
+		{"success ro noPrefix", &Params{ParentPerm: 0755}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/mnt-root/nix/.ro-store"),
+				check.MustAbs("/mnt-root/nix/.ro-store0"),
+			},
+			noPrefix: true,
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/.ro-store", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
+				"lowerdir=" +
+				"/host/mnt-root/nix/.ro-store:" +
+				"/host/mnt-root/nix/.ro-store0," +
+				"userxattr"}, nil, nil),
+		}, nil},
+
+		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/mnt-root/nix/.ro-store"),
+				check.MustAbs("/mnt-root/nix/.ro-store0"),
+			},
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/.ro-store", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+				"lowerdir=" +
+				"/host/mnt-root/nix/.ro-store:" +
+				"/host/mnt-root/nix/.ro-store0," +
+				"userxattr"}, nil, nil),
+		}, nil},
+
+		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
+		}, &OverlayArgumentError{OverlayEmptyLower, zeroString}},
+
+		{"evalSymlinks upper", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", stub.UniqueError(4)),
+		}, stub.UniqueError(4), nil, nil},
+
+		{"evalSymlinks work", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", stub.UniqueError(3)),
+		}, stub.UniqueError(3), nil, nil},
+
+		{"evalSymlinks lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", stub.UniqueError(2)),
+		}, stub.UniqueError(2), nil, nil},
+
+		{"mkdirAll", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, stub.UniqueError(1)),
+		}, stub.UniqueError(1)},
+
+		{"mount", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
+		}, stub.UniqueError(0)},
+
+		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
+				"workdir=/host/mnt-root/nix/.rw-store/.work," +
+				"lowerdir=/host/mnt-root/nix/ro-store," +
+				"userxattr"}, nil, nil),
+		}, nil},
+
+		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower: []*check.Absolute{
+				check.MustAbs("/mnt-root/nix/.ro-store"),
+				check.MustAbs("/mnt-root/nix/.ro-store0"),
+				check.MustAbs("/mnt-root/nix/.ro-store1"),
+				check.MustAbs("/mnt-root/nix/.ro-store2"),
+				check.MustAbs("/mnt-root/nix/.ro-store3"),
+			},
+			Upper: check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:  check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/ro-store0", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store1"}, "/mnt-root/nix/ro-store1", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store2"}, "/mnt-root/nix/ro-store2", nil),
+			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
+				"workdir=/host/mnt-root/nix/.rw-store/.work," +
+				"lowerdir=" +
+				"/host/mnt-root/nix/ro-store:" +
+				"/host/mnt-root/nix/ro-store0:" +
+				"/host/mnt-root/nix/ro-store1:" +
+				"/host/mnt-root/nix/ro-store2:" +
+				"/host/mnt-root/nix/ro-store3," +
+				"userxattr"}, nil, nil),
+		}, nil},
+	})
+
+	t.Run("unreachable", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("nil Upper non-nil Work not ephemeral", func(t *testing.T) {
+			t.Parallel()
+			wantErr := OpStateError("overlay")
+			if err := (&MountOverlayOp{
+				Work: check.MustAbs("/"),
+			}).early(nil, nil); !errors.Is(err, wantErr) {
+				t.Errorf("apply: error = %v, want %v", err, wantErr)
+			}
+		})
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*MountOverlayOp)(nil), false},
+		{"zero", new(MountOverlayOp), false},
+		{"nil lower", &MountOverlayOp{Target: check.MustAbs("/"), Lower: []*check.Absolute{nil}}, false},
+		{"ro", &MountOverlayOp{Target: check.MustAbs("/"), Lower: []*check.Absolute{check.MustAbs("/")}}, true},
+		{"ro work", &MountOverlayOp{Target: check.MustAbs("/"), Work: check.MustAbs("/tmp/")}, false},
+		{"rw", &MountOverlayOp{Target: check.MustAbs("/"), Lower: []*check.Absolute{check.MustAbs("/")}, Upper: check.MustAbs("/"), Work: check.MustAbs("/")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"full", new(Ops).Overlay(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			check.MustAbs("/mnt-root/nix/.rw-store/work"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
+			&MountOverlayOp{
+				Target: check.MustAbs("/nix/store"),
+				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+				Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+				Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+			},
+		}},
+
+		{"ephemeral", new(Ops).OverlayEphemeral(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+			&MountOverlayOp{
+				Target: check.MustAbs("/nix/store"),
+				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+				Upper:  check.MustAbs("/"),
+			},
+		}},
+
+		{"readonly", new(Ops).OverlayReadonly(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+			&MountOverlayOp{
+				Target: check.MustAbs("/nix/store"),
+				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(MountOverlayOp), new(MountOverlayOp), false},
+
+		{"differs target", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store/differs"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
+
+		{"differs lower", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store/differs")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
+
+		{"differs upper", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper/differs"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
+
+		{"differs work", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work/differs"),
+		}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
+
+		{"equals ro", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+		}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")}}, true},
+
+		{"equals", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"nix", &MountOverlayOp{
+			Target: check.MustAbs("/nix/store"),
+			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
+			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
+			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
+		}, "mounting", `overlay on "/nix/store" with 1 layers`},
+	})
+}
--- a/container/initplace.go
+++ b/container/initplace.go
@@ -0,0 +1,71 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"syscall"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+)
+
+const (
+	// intermediate root file name pattern for [TmpfileOp]
+	intermediatePatternTmpfile = "tmp.*"
+)
+
+func init() { gob.Register(new(TmpfileOp)) }
+
+// Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
+func (f *Ops) Place(name *check.Absolute, data []byte) *Ops {
+	*f = append(*f, &TmpfileOp{name, data})
+	return f
+}
+
+// TmpfileOp places a file on container Path containing Data.
+type TmpfileOp struct {
+	Path *check.Absolute
+	Data []byte
+}
+
+func (t *TmpfileOp) Valid() bool                                { return t != nil && t.Path != nil }
+func (t *TmpfileOp) early(*setupState, syscallDispatcher) error { return nil }
+func (t *TmpfileOp) apply(state *setupState, k syscallDispatcher) error {
+	var tmpPath string
+	if f, err := k.createTemp(fhs.Root, intermediatePatternTmpfile); err != nil {
+		return err
+	} else if _, err = f.Write(t.Data); err != nil {
+		return err
+	} else if err = f.Close(); err != nil {
+		return err
+	} else {
+		tmpPath = f.Name()
+	}
+
+	target := toSysroot(t.Path.String())
+	if err := k.ensureFile(target, 0444, state.ParentPerm); err != nil {
+		return err
+	} else if err = k.bindMount(
+		state,
+		tmpPath,
+		target,
+		syscall.MS_RDONLY|syscall.MS_NODEV,
+	); err != nil {
+		return err
+	} else if err = k.remove(tmpPath); err != nil {
+		return err
+	}
+	return nil
+}
+func (t *TmpfileOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (t *TmpfileOp) Is(op Op) bool {
+	vt, ok := op.(*TmpfileOp)
+	return ok && t.Valid() && vt.Valid() &&
+		t.Path.Is(vt.Path) &&
+		string(t.Data) == string(vt.Data)
+}
+func (*TmpfileOp) prefix() (string, bool) { return "placing", true }
+func (t *TmpfileOp) String() string {
+	return fmt.Sprintf("tmpfile %q (%d bytes)", t.Path, len(t.Data))
+}
--- a/container/initplace_test.go
+++ b/container/initplace_test.go
@@ -0,0 +1,125 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestTmpfileOp(t *testing.T) {
+	const sampleDataString = `chronos:x:65534:65534:Hakurei:/var/empty:/bin/zsh`
+	var (
+		samplePath = check.MustAbs("/etc/passwd")
+		sampleData = []byte(sampleDataString)
+	)
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"createTemp", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), stub.UniqueError(5)),
+		}, stub.UniqueError(5)},
+
+		{"Write", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, writeErrOsFile{stub.UniqueError(4)}, nil),
+		}, stub.UniqueError(4)},
+
+		{"Close", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, stub.UniqueError(3)), nil),
+		}, stub.UniqueError(3)},
+
+		{"ensureFile", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(2)),
+		}, stub.UniqueError(2)},
+
+		{"bindMount", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
+		}, stub.UniqueError(1)},
+
+		{"remove", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, stub.UniqueError(0)),
+		}, stub.UniqueError(0)},
+
+		{"success", &Params{ParentPerm: 0700}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, nil, nil, []stub.Call{
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*TmpfileOp)(nil), false},
+		{"zero", new(TmpfileOp), false},
+		{"valid", &TmpfileOp{Path: samplePath}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"full", new(Ops).Place(samplePath, sampleData), Ops{
+			&TmpfileOp{Path: samplePath, Data: sampleData},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(TmpfileOp), new(TmpfileOp), false},
+
+		{"differs path", &TmpfileOp{
+			Path: check.MustAbs("/etc/group"),
+			Data: sampleData,
+		}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, false},
+
+		{"differs data", &TmpfileOp{
+			Path: samplePath,
+			Data: append(sampleData, 0),
+		}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, false},
+
+		{"equals", &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"passwd", &TmpfileOp{
+			Path: samplePath,
+			Data: sampleData,
+		}, "placing", `tmpfile "/etc/passwd" (49 bytes)`},
+	})
+}
--- a/container/initproc.go
+++ b/container/initproc.go
@@ -0,0 +1,39 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	. "syscall"
+
+	"hakurei.app/container/check"
+)
+
+func init() { gob.Register(new(MountProcOp)) }
+
+// Proc appends an [Op] that mounts a private instance of proc.
+func (f *Ops) Proc(target *check.Absolute) *Ops {
+	*f = append(*f, &MountProcOp{target})
+	return f
+}
+
+// MountProcOp mounts a new instance of [FstypeProc] on container path Target.
+type MountProcOp struct{ Target *check.Absolute }
+
+func (p *MountProcOp) Valid() bool                                { return p != nil && p.Target != nil }
+func (p *MountProcOp) early(*setupState, syscallDispatcher) error { return nil }
+func (p *MountProcOp) apply(state *setupState, k syscallDispatcher) error {
+	target := toSysroot(p.Target.String())
+	if err := k.mkdirAll(target, state.ParentPerm); err != nil {
+		return err
+	}
+	return k.mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString)
+}
+func (p *MountProcOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (p *MountProcOp) Is(op Op) bool {
+	vp, ok := op.(*MountProcOp)
+	return ok && p.Valid() && vp.Valid() &&
+		p.Target.Is(vp.Target)
+}
+func (*MountProcOp) prefix() (string, bool) { return "mounting", true }
+func (p *MountProcOp) String() string       { return fmt.Sprintf("proc on %q", p.Target) }
--- a/container/initproc_test.go
+++ b/container/initproc_test.go
@@ -0,0 +1,63 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestMountProcOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"mkdir", &Params{ParentPerm: 0755},
+			&MountProcOp{
+				Target: check.MustAbs("/proc/"),
+			}, nil, nil, []stub.Call{
+				call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, stub.UniqueError(0)),
+			}, stub.UniqueError(0)},
+
+		{"success", &Params{ParentPerm: 0700},
+			&MountProcOp{
+				Target: check.MustAbs("/proc/"),
+			}, nil, nil, []stub.Call{
+				call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0700)}, nil, nil),
+				call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
+			}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*MountProcOp)(nil), false},
+		{"zero", new(MountProcOp), false},
+		{"valid", &MountProcOp{Target: check.MustAbs("/proc/")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"proc", new(Ops).Proc(check.MustAbs("/proc/")), Ops{
+			&MountProcOp{Target: check.MustAbs("/proc/")},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(MountProcOp), new(MountProcOp), false},
+
+		{"target differs", &MountProcOp{
+			Target: check.MustAbs("/proc/nonexistent"),
+		}, &MountProcOp{
+			Target: check.MustAbs("/proc/"),
+		}, false},
+
+		{"equals", &MountProcOp{
+			Target: check.MustAbs("/proc/"),
+		}, &MountProcOp{
+			Target: check.MustAbs("/proc/"),
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"proc", &MountProcOp{Target: check.MustAbs("/proc/")},
+			"mounting", `proc on "/proc/"`},
+	})
+}
--- a/container/initremount.go
+++ b/container/initremount.go
@@ -0,0 +1,38 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+
+	"hakurei.app/container/check"
+)
+
+func init() { gob.Register(new(RemountOp)) }
+
+// Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
+func (f *Ops) Remount(target *check.Absolute, flags uintptr) *Ops {
+	*f = append(*f, &RemountOp{target, flags})
+	return f
+}
+
+// RemountOp remounts Target with Flags.
+type RemountOp struct {
+	Target *check.Absolute
+	Flags  uintptr
+}
+
+func (r *RemountOp) Valid() bool                              { return r != nil && r.Target != nil }
+func (*RemountOp) early(*setupState, syscallDispatcher) error { return nil }
+func (r *RemountOp) apply(state *setupState, k syscallDispatcher) error {
+	return k.remount(state, toSysroot(r.Target.String()), r.Flags)
+}
+func (r *RemountOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (r *RemountOp) Is(op Op) bool {
+	vr, ok := op.(*RemountOp)
+	return ok && r.Valid() && vr.Valid() &&
+		r.Target.Is(vr.Target) &&
+		r.Flags == vr.Flags
+}
+func (*RemountOp) prefix() (string, bool) { return "remounting", true }
+func (r *RemountOp) String() string       { return fmt.Sprintf("%q flags %#x", r.Target, r.Flags) }
--- a/container/initremount_test.go
+++ b/container/initremount_test.go
@@ -0,0 +1,72 @@
+package container
+
+import (
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestRemountOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"success", new(Params), &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY,
+		}, nil, nil, []stub.Call{
+			call("remount", stub.ExpectArgs{"/sysroot", uintptr(1)}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*RemountOp)(nil), false},
+		{"zero", new(RemountOp), false},
+		{"valid", &RemountOp{Target: check.MustAbs("/"), Flags: syscall.MS_RDONLY}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"root", new(Ops).Remount(check.MustAbs("/"), syscall.MS_RDONLY), Ops{
+			&RemountOp{
+				Target: check.MustAbs("/"),
+				Flags:  syscall.MS_RDONLY,
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(RemountOp), new(RemountOp), false},
+
+		{"target differs", &RemountOp{
+			Target: check.MustAbs("/dev/"),
+			Flags:  syscall.MS_RDONLY,
+		}, &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY,
+		}, false},
+
+		{"flags differs", &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY | syscall.MS_NODEV,
+		}, &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY,
+		}, false},
+
+		{"equals", &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY,
+		}, &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY,
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"root", &RemountOp{
+			Target: check.MustAbs("/"),
+			Flags:  syscall.MS_RDONLY,
+		}, "remounting", `"/" flags 0x1`},
+	})
+}
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -0,0 +1,65 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"path"
+
+	"hakurei.app/container/check"
+)
+
+func init() { gob.Register(new(SymlinkOp)) }
+
+// Link appends an [Op] that creates a symlink in the container filesystem.
+func (f *Ops) Link(target *check.Absolute, linkName string, dereference bool) *Ops {
+	*f = append(*f, &SymlinkOp{target, linkName, dereference})
+	return f
+}
+
+// SymlinkOp optionally dereferences LinkName and creates a symlink at container path Target.
+type SymlinkOp struct {
+	Target *check.Absolute
+	// LinkName is an arbitrary uninterpreted pathname.
+	LinkName string
+
+	// Dereference causes LinkName to be dereferenced during early.
+	Dereference bool
+}
+
+func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkName != zeroString }
+
+func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
+	if l.Dereference {
+		if !path.IsAbs(l.LinkName) {
+			return &check.AbsoluteError{Pathname: l.LinkName}
+		}
+		if name, err := k.readlink(l.LinkName); err != nil {
+			return err
+		} else {
+			l.LinkName = name
+		}
+	}
+	return nil
+}
+
+func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
+	target := toSysroot(l.Target.String())
+	if err := k.mkdirAll(path.Dir(target), state.ParentPerm); err != nil {
+		return err
+	}
+	return k.symlink(l.LinkName, target)
+}
+
+func (l *SymlinkOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (l *SymlinkOp) Is(op Op) bool {
+	vl, ok := op.(*SymlinkOp)
+	return ok && l.Valid() && vl.Valid() &&
+		l.Target.Is(vl.Target) &&
+		l.LinkName == vl.LinkName &&
+		l.Dereference == vl.Dereference
+}
+func (*SymlinkOp) prefix() (string, bool) { return "creating", true }
+func (l *SymlinkOp) String() string {
+	return fmt.Sprintf("symlink on %q linkname %q", l.Target, l.LinkName)
+}
--- a/container/initsymlink_test.go
+++ b/container/initsymlink_test.go
@@ -0,0 +1,128 @@
+package container
+
+import (
+	"os"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestSymlinkOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"mkdir", &Params{ParentPerm: 0700}, &SymlinkOp{
+			Target:   check.MustAbs("/etc/nixos"),
+			LinkName: "/etc/static/nixos",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc", os.FileMode(0700)}, nil, stub.UniqueError(1)),
+		}, stub.UniqueError(1)},
+
+		{"abs", &Params{ParentPerm: 0755}, &SymlinkOp{
+			Target:      check.MustAbs("/etc/mtab"),
+			LinkName:    "etc/mtab",
+			Dereference: true,
+		}, nil, &check.AbsoluteError{Pathname: "etc/mtab"}, nil, nil},
+
+		{"readlink", &Params{ParentPerm: 0755}, &SymlinkOp{
+			Target:      check.MustAbs("/etc/mtab"),
+			LinkName:    "/etc/mtab",
+			Dereference: true,
+		}, []stub.Call{
+			call("readlink", stub.ExpectArgs{"/etc/mtab"}, "/proc/mounts", stub.UniqueError(0)),
+		}, stub.UniqueError(0), nil, nil},
+
+		{"success noderef", &Params{ParentPerm: 0700}, &SymlinkOp{
+			Target:   check.MustAbs("/etc/nixos"),
+			LinkName: "/etc/static/nixos",
+		}, nil, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc", os.FileMode(0700)}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/etc/static/nixos", "/sysroot/etc/nixos"}, nil, nil),
+		}, nil},
+
+		{"success", &Params{ParentPerm: 0755}, &SymlinkOp{
+			Target:      check.MustAbs("/etc/mtab"),
+			LinkName:    "/etc/mtab",
+			Dereference: true,
+		}, []stub.Call{
+			call("readlink", stub.ExpectArgs{"/etc/mtab"}, "/proc/mounts", nil),
+		}, nil, []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc", os.FileMode(0755)}, nil, nil),
+			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*SymlinkOp)(nil), false},
+		{"zero", new(SymlinkOp), false},
+		{"nil target", &SymlinkOp{LinkName: "/run/current-system"}, false},
+		{"zero linkname", &SymlinkOp{Target: check.MustAbs("/run/current-system")}, false},
+		{"valid", &SymlinkOp{Target: check.MustAbs("/run/current-system"), LinkName: "/run/current-system", Dereference: true}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"current-system", new(Ops).Link(
+			check.MustAbs("/run/current-system"),
+			"/run/current-system",
+			true,
+		), Ops{
+			&SymlinkOp{
+				Target:      check.MustAbs("/run/current-system"),
+				LinkName:    "/run/current-system",
+				Dereference: true,
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(SymlinkOp), new(SymlinkOp), false},
+
+		{"target differs", &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system/differs"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, false},
+
+		{"linkname differs", &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system/differs",
+			Dereference: true,
+		}, &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, false},
+
+		{"dereference differs", &SymlinkOp{
+			Target:   check.MustAbs("/run/current-system"),
+			LinkName: "/run/current-system",
+		}, &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, false},
+
+		{"equals", &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"current-system", &SymlinkOp{
+			Target:      check.MustAbs("/run/current-system"),
+			LinkName:    "/run/current-system",
+			Dereference: true,
+		}, "creating", `symlink on "/run/current-system" linkname "/run/current-system"`},
+	})
+}
--- a/container/inittmpfs.go
+++ b/container/inittmpfs.go
@@ -0,0 +1,63 @@
+package container
+
+import (
+	"encoding/gob"
+	"fmt"
+	"math"
+	"os"
+	"strconv"
+	. "syscall"
+
+	"hakurei.app/container/check"
+)
+
+func init() { gob.Register(new(MountTmpfsOp)) }
+
+type TmpfsSizeError int
+
+func (e TmpfsSizeError) Error() string {
+	return "tmpfs size " + strconv.Itoa(int(e)) + " out of bounds"
+}
+
+// Tmpfs appends an [Op] that mounts tmpfs on container path [MountTmpfsOp.Path].
+func (f *Ops) Tmpfs(target *check.Absolute, size int, perm os.FileMode) *Ops {
+	*f = append(*f, &MountTmpfsOp{SourceTmpfsEphemeral, target, MS_NOSUID | MS_NODEV, size, perm})
+	return f
+}
+
+// Readonly appends an [Op] that mounts read-only tmpfs on container path [MountTmpfsOp.Path].
+func (f *Ops) Readonly(target *check.Absolute, perm os.FileMode) *Ops {
+	*f = append(*f, &MountTmpfsOp{SourceTmpfsReadonly, target, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
+	return f
+}
+
+// MountTmpfsOp mounts [FstypeTmpfs] on container Path.
+type MountTmpfsOp struct {
+	FSName string
+	Path   *check.Absolute
+	Flags  uintptr
+	Size   int
+	Perm   os.FileMode
+}
+
+func (t *MountTmpfsOp) Valid() bool                                { return t != nil && t.Path != nil && t.FSName != zeroString }
+func (t *MountTmpfsOp) early(*setupState, syscallDispatcher) error { return nil }
+func (t *MountTmpfsOp) apply(_ *setupState, k syscallDispatcher) error {
+	if t.Size < 0 || t.Size > math.MaxUint>>1 {
+		return TmpfsSizeError(t.Size)
+	}
+	return k.mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
+}
+func (t *MountTmpfsOp) late(*setupState, syscallDispatcher) error { return nil }
+
+func (t *MountTmpfsOp) Is(op Op) bool {
+	vt, ok := op.(*MountTmpfsOp)
+	return ok && t.Valid() && vt.Valid() &&
+		t.FSName == vt.FSName &&
+		t.Path.Is(vt.Path) &&
+		t.Flags == vt.Flags &&
+		t.Size == vt.Size &&
+		t.Perm == vt.Perm
+}
+func (*MountTmpfsOp) prefix() (string, bool) { return "mounting", true }
+func (t *MountTmpfsOp) String() string       { return fmt.Sprintf("tmpfs on %q size %d", t.Path, t.Size) }
--- a/container/inittmpfs_test.go
+++ b/container/inittmpfs_test.go
@@ -0,0 +1,178 @@
+package container
+
+import (
+	"os"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+)
+
+func TestMountTmpfsOp(t *testing.T) {
+	t.Parallel()
+
+	t.Run("size error", func(t *testing.T) {
+		t.Parallel()
+		tmpfsSizeError := TmpfsSizeError(-1)
+		want := "tmpfs size -1 out of bounds"
+		if got := tmpfsSizeError.Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"size oob", new(Params), &MountTmpfsOp{
+			Size: -1,
+		}, nil, nil, nil, TmpfsSizeError(-1)},
+
+		{"success", new(Params), &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user/1000/"),
+			Size:   1 << 10,
+			Perm:   0700,
+		}, nil, nil, []stub.Call{
+			call("mountTmpfs", stub.ExpectArgs{
+				"ephemeral",              // fsname
+				"/sysroot/run/user/1000", // target
+				uintptr(0),               // flags
+				0x400,                    // size
+				os.FileMode(0700),        // perm
+			}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsValid(t, []opValidTestCase{
+		{"nil", (*MountTmpfsOp)(nil), false},
+		{"zero", new(MountTmpfsOp), false},
+		{"nil path", &MountTmpfsOp{FSName: "tmpfs"}, false},
+		{"zero fsname", &MountTmpfsOp{Path: check.MustAbs("/tmp/")}, false},
+		{"valid", &MountTmpfsOp{FSName: "tmpfs", Path: check.MustAbs("/tmp/")}, true},
+	})
+
+	checkOpsBuilder(t, []opsBuilderTestCase{
+		{"runtime", new(Ops).Tmpfs(
+			check.MustAbs("/run/user"),
+			1<<10,
+			0755,
+		), Ops{
+			&MountTmpfsOp{
+				FSName: "ephemeral",
+				Path:   check.MustAbs("/run/user"),
+				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+				Size:   1 << 10,
+				Perm:   0755,
+			},
+		}},
+
+		{"nscd", new(Ops).Readonly(
+			check.MustAbs("/var/run/nscd"),
+			0755,
+		), Ops{
+			&MountTmpfsOp{
+				FSName: "readonly",
+				Path:   check.MustAbs("/var/run/nscd"),
+				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
+				Perm:   0755,
+			},
+		}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"zero", new(MountTmpfsOp), new(MountTmpfsOp), false},
+
+		{"fsname differs", &MountTmpfsOp{
+			FSName: "readonly",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, false},
+
+		{"path differs", &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user/differs"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, false},
+
+		{"flags differs", &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, false},
+
+		{"size differs", &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1,
+			Perm:   0755,
+		}, &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, false},
+
+		{"perm differs", &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0700,
+		}, &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, false},
+
+		{"equals", &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"runtime", &MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   check.MustAbs("/run/user"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0755,
+		}, "mounting", `tmpfs on "/run/user" size 1024`},
+	})
+}
--- a/container/landlock.go
+++ b/container/landlock.go
@@ -0,0 +1,243 @@
+package container
+
+import (
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"hakurei.app/container/std"
+)
+
+// include/uapi/linux/landlock.h
+
+const (
+	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
+)
+
+// LandlockAccessFS is bitmask of handled filesystem actions.
+type LandlockAccessFS uint64
+
+const (
+	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
+	LANDLOCK_ACCESS_FS_WRITE_FILE
+	LANDLOCK_ACCESS_FS_READ_FILE
+	LANDLOCK_ACCESS_FS_READ_DIR
+	LANDLOCK_ACCESS_FS_REMOVE_DIR
+	LANDLOCK_ACCESS_FS_REMOVE_FILE
+	LANDLOCK_ACCESS_FS_MAKE_CHAR
+	LANDLOCK_ACCESS_FS_MAKE_DIR
+	LANDLOCK_ACCESS_FS_MAKE_REG
+	LANDLOCK_ACCESS_FS_MAKE_SOCK
+	LANDLOCK_ACCESS_FS_MAKE_FIFO
+	LANDLOCK_ACCESS_FS_MAKE_BLOCK
+	LANDLOCK_ACCESS_FS_MAKE_SYM
+	LANDLOCK_ACCESS_FS_REFER
+	LANDLOCK_ACCESS_FS_TRUNCATE
+	LANDLOCK_ACCESS_FS_IOCTL_DEV
+
+	_LANDLOCK_ACCESS_FS_DELIM
+)
+
+func (f LandlockAccessFS) String() string {
+	switch f {
+	case LANDLOCK_ACCESS_FS_EXECUTE:
+		return "execute"
+
+	case LANDLOCK_ACCESS_FS_WRITE_FILE:
+		return "write_file"
+
+	case LANDLOCK_ACCESS_FS_READ_FILE:
+		return "read_file"
+
+	case LANDLOCK_ACCESS_FS_READ_DIR:
+		return "read_dir"
+
+	case LANDLOCK_ACCESS_FS_REMOVE_DIR:
+		return "remove_dir"
+
+	case LANDLOCK_ACCESS_FS_REMOVE_FILE:
+		return "remove_file"
+
+	case LANDLOCK_ACCESS_FS_MAKE_CHAR:
+		return "make_char"
+
+	case LANDLOCK_ACCESS_FS_MAKE_DIR:
+		return "make_dir"
+
+	case LANDLOCK_ACCESS_FS_MAKE_REG:
+		return "make_reg"
+
+	case LANDLOCK_ACCESS_FS_MAKE_SOCK:
+		return "make_sock"
+
+	case LANDLOCK_ACCESS_FS_MAKE_FIFO:
+		return "make_fifo"
+
+	case LANDLOCK_ACCESS_FS_MAKE_BLOCK:
+		return "make_block"
+
+	case LANDLOCK_ACCESS_FS_MAKE_SYM:
+		return "make_sym"
+
+	case LANDLOCK_ACCESS_FS_REFER:
+		return "fs_refer"
+
+	case LANDLOCK_ACCESS_FS_TRUNCATE:
+		return "fs_truncate"
+
+	case LANDLOCK_ACCESS_FS_IOCTL_DEV:
+		return "fs_ioctl_dev"
+
+	default:
+		var c []LandlockAccessFS
+		for i := LandlockAccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
+			if f&i != 0 {
+				c = append(c, i)
+			}
+		}
+		if len(c) == 0 {
+			return "NULL"
+		}
+		s := make([]string, len(c))
+		for i, v := range c {
+			s[i] = v.String()
+		}
+		return strings.Join(s, " ")
+	}
+}
+
+// LandlockAccessNet is bitmask of handled network actions.
+type LandlockAccessNet uint64
+
+const (
+	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
+	LANDLOCK_ACCESS_NET_CONNECT_TCP
+
+	_LANDLOCK_ACCESS_NET_DELIM
+)
+
+func (f LandlockAccessNet) String() string {
+	switch f {
+	case LANDLOCK_ACCESS_NET_BIND_TCP:
+		return "bind_tcp"
+
+	case LANDLOCK_ACCESS_NET_CONNECT_TCP:
+		return "connect_tcp"
+
+	default:
+		var c []LandlockAccessNet
+		for i := LandlockAccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
+			if f&i != 0 {
+				c = append(c, i)
+			}
+		}
+		if len(c) == 0 {
+			return "NULL"
+		}
+		s := make([]string, len(c))
+		for i, v := range c {
+			s[i] = v.String()
+		}
+		return strings.Join(s, " ")
+	}
+}
+
+// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+type LandlockScope uint64
+
+const (
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
+	LANDLOCK_SCOPE_SIGNAL
+
+	_LANDLOCK_SCOPE_DELIM
+)
+
+func (f LandlockScope) String() string {
+	switch f {
+	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
+		return "abstract_unix_socket"
+
+	case LANDLOCK_SCOPE_SIGNAL:
+		return "signal"
+
+	default:
+		var c []LandlockScope
+		for i := LandlockScope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
+			if f&i != 0 {
+				c = append(c, i)
+			}
+		}
+		if len(c) == 0 {
+			return "NULL"
+		}
+		s := make([]string, len(c))
+		for i, v := range c {
+			s[i] = v.String()
+		}
+		return strings.Join(s, " ")
+	}
+}
+
+// RulesetAttr is equivalent to struct landlock_ruleset_attr.
+type RulesetAttr struct {
+	// Bitmask of handled filesystem actions.
+	HandledAccessFS LandlockAccessFS
+	// Bitmask of handled network actions.
+	HandledAccessNet LandlockAccessNet
+	// Bitmask of scopes restricting a Landlock domain from accessing outside resources (e.g. IPCs).
+	Scoped LandlockScope
+}
+
+func (rulesetAttr *RulesetAttr) String() string {
+	if rulesetAttr == nil {
+		return "NULL"
+	}
+	elems := make([]string, 0, 3)
+	if rulesetAttr.HandledAccessFS > 0 {
+		elems = append(elems, "fs: "+rulesetAttr.HandledAccessFS.String())
+	}
+	if rulesetAttr.HandledAccessNet > 0 {
+		elems = append(elems, "net: "+rulesetAttr.HandledAccessNet.String())
+	}
+	if rulesetAttr.Scoped > 0 {
+		elems = append(elems, "scoped: "+rulesetAttr.Scoped.String())
+	}
+	if len(elems) == 0 {
+		return "0"
+	}
+	return strings.Join(elems, ", ")
+}
+
+func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
+	var pointer, size uintptr
+	// NULL needed for abi version
+	if rulesetAttr != nil {
+		pointer = uintptr(unsafe.Pointer(rulesetAttr))
+		size = unsafe.Sizeof(*rulesetAttr)
+	}
+
+	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	fd = int(rulesetFd)
+	err = errno
+
+	if fd < 0 {
+		return
+	}
+
+	if rulesetAttr != nil { // not a fd otherwise
+		syscall.CloseOnExec(fd)
+	}
+	return fd, nil
+}
+
+func LandlockGetABI() (int, error) {
+	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
+}
+
+func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
+	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	if r != 0 {
+		return errno
+	}
+	return nil
+}
--- a/container/landlock_test.go
+++ b/container/landlock_test.go
@@ -0,0 +1,65 @@
+package container_test
+
+import (
+	"testing"
+	"unsafe"
+
+	"hakurei.app/container"
+)
+
+func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		rulesetAttr *container.RulesetAttr
+		want        string
+	}{
+		{"nil", nil, "NULL"},
+		{"zero", new(container.RulesetAttr), "0"},
+		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
+		{"set", &container.RulesetAttr{
+			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
+			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
+			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
+		{"all", &container.RulesetAttr{
+			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
+				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
+				container.LANDLOCK_ACCESS_FS_READ_FILE |
+				container.LANDLOCK_ACCESS_FS_READ_DIR |
+				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
+				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
+				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
+				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
+				container.LANDLOCK_ACCESS_FS_MAKE_REG |
+				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
+				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
+				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
+				container.LANDLOCK_ACCESS_FS_REFER |
+				container.LANDLOCK_ACCESS_FS_TRUNCATE |
+				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
+			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
+				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
+			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+				container.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := tc.rulesetAttr.String(); got != tc.want {
+				t.Errorf("String: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
+	want := 24
+	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
+		t.Errorf("Sizeof: %d, want %d", got, want)
+	}
+}
--- a/container/mount.go
+++ b/container/mount.go
@@ -0,0 +1,201 @@
+package container
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	. "syscall"
+
+	"hakurei.app/container/vfs"
+	"hakurei.app/message"
+)
+
+/*
+Holding CAP_SYS_ADMIN within the user namespace that owns a process's mount namespace
+allows that process to create bind mounts and mount the following types of filesystems:
+- /proc (since Linux 3.8)
+- /sys (since Linux 3.8)
+- devpts (since Linux 3.9)
+- tmpfs(5) (since Linux 3.9)
+- ramfs (since Linux 3.9)
+- mqueue (since Linux 3.9)
+- bpf (since Linux 4.4)
+- overlayfs (since Linux 5.11)
+*/
+
+const (
+	// zeroString is a zero value string, it represents NULL when passed to mount.
+	zeroString = ""
+
+	// SourceNone is used when the source value is ignored,
+	// such as when remounting.
+	SourceNone = "none"
+	// SourceProc is used when mounting proc.
+	// Note that any source value is allowed when fstype is [FstypeProc].
+	SourceProc = "proc"
+	// SourceDevpts is used when mounting devpts.
+	// Note that any source value is allowed when fstype is [FstypeDevpts].
+	SourceDevpts = "devpts"
+	// SourceMqueue is used when mounting mqueue.
+	// Note that any source value is allowed when fstype is [FstypeMqueue].
+	SourceMqueue = "mqueue"
+	// SourceOverlay is used when mounting overlay.
+	// Note that any source value is allowed when fstype is [FstypeOverlay].
+	SourceOverlay = "overlay"
+
+	// SourceTmpfs is used when mounting tmpfs.
+	SourceTmpfs = "tmpfs"
+	// SourceTmpfsRootfs is used when mounting the tmpfs instance backing the intermediate root.
+	SourceTmpfsRootfs = "rootfs"
+	// SourceTmpfsDevtmpfs is used when mounting tmpfs representing a subset of host devtmpfs.
+	SourceTmpfsDevtmpfs = "devtmpfs"
+	// SourceTmpfsEphemeral is used when mounting a writable instance of tmpfs.
+	SourceTmpfsEphemeral = "ephemeral"
+	// SourceTmpfsReadonly is used when mounting a readonly instance of tmpfs.
+	SourceTmpfsReadonly = "readonly"
+
+	// FstypeNULL is used when the fstype value is ignored,
+	// such as when bind mounting or remounting.
+	FstypeNULL = zeroString
+	// FstypeProc represents the proc pseudo-filesystem.
+	// A fully visible instance of proc must be available in the mount namespace for proc to be mounted.
+	FstypeProc = "proc"
+	// FstypeDevpts represents the devpts pseudo-filesystem.
+	// This type of filesystem is usually mounted on /dev/pts.
+	FstypeDevpts = "devpts"
+	// FstypeTmpfs represents the tmpfs filesystem.
+	// This filesystem type can be mounted anywhere in the container filesystem.
+	FstypeTmpfs = "tmpfs"
+	// FstypeMqueue represents the mqueue pseudo-filesystem.
+	// This filesystem type is usually mounted on /dev/mqueue.
+	FstypeMqueue = "mqueue"
+	// FstypeOverlay represents the overlay pseudo-filesystem.
+	// This filesystem type can be mounted anywhere in the container filesystem.
+	FstypeOverlay = "overlay"
+
+	// OptionOverlayLowerdir represents the lowerdir option of the overlay pseudo-filesystem.
+	// Any filesystem, does not need to be on a writable filesystem.
+	OptionOverlayLowerdir = "lowerdir"
+	// OptionOverlayUpperdir represents the upperdir option of the overlay pseudo-filesystem.
+	// The upperdir is normally on a writable filesystem.
+	OptionOverlayUpperdir = "upperdir"
+	// OptionOverlayWorkdir represents the workdir option of the overlay pseudo-filesystem.
+	// The workdir needs to be an empty directory on the same filesystem as upperdir.
+	OptionOverlayWorkdir = "workdir"
+	// OptionOverlayUserxattr represents the userxattr option of the overlay pseudo-filesystem.
+	// Use the "user.overlay." xattr namespace instead of "trusted.overlay.".
+	OptionOverlayUserxattr = "userxattr"
+)
+
+// bindMount mounts source on target and recursively applies flags if MS_REC is set.
+func (p *procPaths) bindMount(msg message.Msg, source, target string, flags uintptr) error {
+	// syscallDispatcher.bindMount and procPaths.remount must not be called from this function
+
+	if err := p.k.mount(source, target, FstypeNULL, MS_SILENT|MS_BIND|flags&MS_REC, zeroString); err != nil {
+		return err
+	}
+	return p.k.remount(msg, target, flags)
+}
+
+// remount applies flags on target, recursively if MS_REC is set.
+func (p *procPaths) remount(msg message.Msg, target string, flags uintptr) error {
+	// syscallDispatcher methods bindMount, remount must not be called from this function
+
+	var targetFinal string
+	if v, err := p.k.evalSymlinks(target); err != nil {
+		return err
+	} else {
+		targetFinal = v
+		if targetFinal != target {
+			msg.Verbosef("target resolves to %q", targetFinal)
+		}
+	}
+
+	// final target path according to the kernel through proc
+	var targetKFinal string
+	{
+		var destFd int
+		if err := IgnoringEINTR(func() (err error) {
+			destFd, err = p.k.open(targetFinal, O_PATH|O_CLOEXEC, 0)
+			return
+		}); err != nil {
+			return &os.PathError{Op: "open", Path: targetFinal, Err: err}
+		}
+		if v, err := p.k.readlink(p.fd(destFd)); err != nil {
+			return err
+		} else if err = p.k.close(destFd); err != nil {
+			return &os.PathError{Op: "close", Path: targetFinal, Err: err}
+		} else {
+			targetKFinal = v
+		}
+	}
+
+	mf := MS_NOSUID | flags&MS_NODEV | flags&MS_RDONLY
+	return p.mountinfo(func(d *vfs.MountInfoDecoder) error {
+		n, err := d.Unfold(targetKFinal)
+		if err != nil {
+			return err
+		}
+
+		if err = remountWithFlags(p.k, msg, n, mf); err != nil {
+			return err
+		}
+		if flags&MS_REC == 0 {
+			return nil
+		}
+
+		for cur := range n.Collective() {
+			// avoid remounting twice
+			if cur == n {
+				continue
+			}
+
+			if err = remountWithFlags(p.k, msg, cur, mf); err != nil && !errors.Is(err, EACCES) {
+				return err
+			}
+		}
+
+		return nil
+	})
+}
+
+// remountWithFlags remounts mount point described by [vfs.MountInfoNode].
+func remountWithFlags(k syscallDispatcher, msg message.Msg, n *vfs.MountInfoNode, mf uintptr) error {
+	// syscallDispatcher methods bindMount, remount must not be called from this function
+
+	kf, unmatched := n.Flags()
+	if len(unmatched) != 0 {
+		msg.Verbosef("unmatched vfs options: %q", unmatched)
+	}
+
+	if kf&mf != mf {
+		return k.mount(SourceNone, n.Clean, FstypeNULL, MS_SILENT|MS_BIND|MS_REMOUNT|kf|mf, zeroString)
+	}
+	return nil
+}
+
+// mountTmpfs mounts tmpfs on target;
+// callers who wish to mount to sysroot must pass the return value of toSysroot.
+func mountTmpfs(k syscallDispatcher, fsname, target string, flags uintptr, size int, perm os.FileMode) error {
+	// syscallDispatcher.mountTmpfs must not be called from this function
+
+	if err := k.mkdirAll(target, parentPerm(perm)); err != nil {
+		return err
+	}
+	opt := fmt.Sprintf("mode=%#o", perm)
+	if size > 0 {
+		opt += fmt.Sprintf(",size=%d", size)
+	}
+	return k.mount(fsname, target, FstypeTmpfs, flags, opt)
+}
+
+func parentPerm(perm os.FileMode) os.FileMode {
+	pperm := 0755
+	if perm&0070 == 0 {
+		pperm &= ^0050
+	}
+	if perm&0007 == 0 {
+		pperm &= ^0005
+	}
+	return os.FileMode(pperm)
+}
--- a/container/mount_test.go
+++ b/container/mount_test.go
@@ -0,0 +1,294 @@
+package container
+
+import (
+	"os"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/stub"
+	"hakurei.app/container/vfs"
+)
+
+func TestBindMount(t *testing.T) {
+	t.Parallel()
+
+	checkSimple(t, "bindMount", []simpleTestCase{
+		{"mount", func(k *kstub) error {
+			return newProcPaths(k, hostPath).bindMount(nil, "/host/nix", "/sysroot/nix", syscall.MS_RDONLY)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mount", stub.ExpectArgs{"/host/nix", "/sysroot/nix", "", uintptr(0x9000), ""}, nil, stub.UniqueError(0xbad)),
+		}}, stub.UniqueError(0xbad)},
+
+		{"success ne", func(k *kstub) error {
+			return newProcPaths(k, hostPath).bindMount(k, "/host/nix", "/sysroot/.host-nix", syscall.MS_RDONLY)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mount", stub.ExpectArgs{"/host/nix", "/sysroot/.host-nix", "", uintptr(0x9000), ""}, nil, nil),
+			call("remount", stub.ExpectArgs{"/sysroot/.host-nix", uintptr(1)}, nil, nil),
+		}}, nil},
+
+		{"success", func(k *kstub) error {
+			return newProcPaths(k, hostPath).bindMount(k, "/host/nix", "/sysroot/nix", syscall.MS_RDONLY)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mount", stub.ExpectArgs{"/host/nix", "/sysroot/nix", "", uintptr(0x9000), ""}, nil, nil),
+			call("remount", stub.ExpectArgs{"/sysroot/nix", uintptr(1)}, nil, nil),
+		}}, nil},
+	})
+}
+
+func TestRemount(t *testing.T) {
+	t.Parallel()
+
+	const sampleMountinfoNix = `254 407 253:0 / /host rw,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
+255 254 0:28 / /host/mnt/.ro-cwd ro,noatime master:2 - 9p cwd ro,access=client,msize=16384,trans=virtio
+256 254 0:29 / /host/nix/.ro-store rw,relatime master:3 - 9p nix-store rw,cache=f,access=client,msize=16384,trans=virtio
+257 254 0:30 / /host/nix/store rw,relatime master:4 - overlay overlay rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work
+258 257 0:30 / /host/nix/store ro,relatime master:5 - overlay overlay rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work
+259 254 0:33 / /host/tmp/shared rw,relatime master:6 - 9p shared rw,access=client,msize=16384,trans=virtio
+260 254 0:34 / /host/tmp/xchg rw,relatime master:7 - 9p xchg rw,access=client,msize=16384,trans=virtio
+261 254 0:22 / /host/proc rw,nosuid,nodev,noexec,relatime master:8 - proc proc rw
+262 254 0:25 / /host/sys rw,nosuid,nodev,noexec,relatime master:9 - sysfs sysfs rw
+263 262 0:7 / /host/sys/kernel/security rw,nosuid,nodev,noexec,relatime master:10 - securityfs securityfs rw
+264 262 0:35 /../../.. /host/sys/fs/cgroup rw,nosuid,nodev,noexec,relatime master:11 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
+265 262 0:36 / /host/sys/fs/pstore rw,nosuid,nodev,noexec,relatime master:12 - pstore pstore rw
+266 262 0:37 / /host/sys/fs/bpf rw,nosuid,nodev,noexec,relatime master:13 - bpf bpf rw,mode=700
+267 262 0:12 / /host/sys/kernel/tracing rw,nosuid,nodev,noexec,relatime master:20 - tracefs tracefs rw
+268 262 0:8 / /host/sys/kernel/debug rw,nosuid,nodev,noexec,relatime master:21 - debugfs debugfs rw
+269 262 0:44 / /host/sys/kernel/config rw,nosuid,nodev,noexec,relatime master:64 - configfs configfs rw
+270 262 0:45 / /host/sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime master:66 - fusectl fusectl rw
+271 254 0:6 / /host/dev rw,nosuid master:14 - devtmpfs devtmpfs rw,size=200532k,nr_inodes=498943,mode=755
+324 271 0:20 / /host/dev/pts rw,nosuid,noexec,relatime master:15 - devpts devpts rw,gid=3,mode=620,ptmxmode=666
+378 271 0:21 / /host/dev/shm rw,nosuid,nodev master:16 - tmpfs tmpfs rw
+379 271 0:19 / /host/dev/mqueue rw,nosuid,nodev,noexec,relatime master:19 - mqueue mqueue rw
+388 271 0:38 / /host/dev/hugepages rw,nosuid,nodev,relatime master:22 - hugetlbfs hugetlbfs rw,pagesize=2M
+397 254 0:23 / /host/run rw,nosuid,nodev master:17 - tmpfs tmpfs rw,size=1002656k,mode=755
+398 397 0:24 / /host/run/keys rw,nosuid,nodev,relatime master:18 - ramfs ramfs rw,mode=750
+399 397 0:39 / /host/run/credentials/systemd-journald.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:23 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,noswap
+400 397 0:43 / /host/run/wrappers rw,nodev,relatime master:93 - tmpfs tmpfs rw,mode=755
+401 397 0:61 / /host/run/credentials/getty@tty1.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:240 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,noswap
+402 397 0:62 / /host/run/credentials/serial-getty@ttyS0.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:288 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,noswap
+403 397 0:63 / /host/run/user/1000 rw,nosuid,nodev,relatime master:295 - tmpfs tmpfs rw,size=401060k,nr_inodes=100265,mode=700,uid=1000,gid=100
+404 254 0:46 / /host/mnt/cwd rw,relatime master:96 - overlay overlay rw,lowerdir=/mnt/.ro-cwd,upperdir=/tmp/.cwd/upper,workdir=/tmp/.cwd/work
+405 254 0:47 / /host/mnt/src rw,relatime master:99 - overlay overlay rw,lowerdir=/nix/store/ihcrl3zwvp2002xyylri2wz0drwajx4z-ns0pa7q2b1jpx9pbf1l9352x6rniwxjn-source,upperdir=/tmp/.src/upper,workdir=/tmp/.src/work
+407 253 0:65 / / rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=10000,gid=10000
+408 407 0:65 /sysroot /sysroot rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=10000,gid=10000
+409 408 253:0 /bin /sysroot/bin rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
+410 408 253:0 /home /sysroot/home rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
+411 408 253:0 /lib64 /sysroot/lib64 rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
+412 408 253:0 /lost+found /sysroot/lost+found rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
+413 408 253:0 /nix /sysroot/nix rw,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
+414 413 0:29 / /sysroot/nix/.ro-store rw,relatime master:3 - 9p nix-store rw,cache=f,access=client,msize=16384,trans=virtio
+415 413 0:30 / /sysroot/nix/store rw,relatime master:4 - overlay overlay rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work
+416 415 0:30 / /sysroot/nix/store ro,relatime master:5 - overlay overlay rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work`
+
+	checkSimple(t, "remount", []simpleTestCase{
+		{"evalSymlinks", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", stub.UniqueError(6)),
+		}}, stub.UniqueError(6)},
+
+		{"open", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, stub.UniqueError(5)),
+		}}, &os.PathError{Op: "open", Path: "/sysroot/nix", Err: stub.UniqueError(5)}},
+
+		{"readlink", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", stub.UniqueError(4)),
+		}}, stub.UniqueError(4)},
+
+		{"close", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, stub.UniqueError(3)),
+		}}, &os.PathError{Op: "close", Path: "/sysroot/nix", Err: stub.UniqueError(3)}},
+
+		{"mountinfo no match", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(k, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/.hakurei", nil),
+			call("verbosef", stub.ExpectArgs{"target resolves to %q", []any{"/sysroot/.hakurei"}}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/.hakurei", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/.hakurei", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+		}}, &vfs.DecoderError{Op: "unfold", Line: -1, Err: vfs.UnfoldTargetError("/sysroot/.hakurei")}},
+
+		{"mountinfo", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile("\x00"), nil),
+		}}, &vfs.DecoderError{Op: "parse", Line: 0, Err: vfs.ErrMountInfoFields}},
+
+		{"mount", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, stub.UniqueError(2)),
+		}}, stub.UniqueError(2)},
+
+		{"mount propagate", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, stub.UniqueError(1)),
+		}}, stub.UniqueError(1)},
+
+		{"success toplevel", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/bin", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/bin"}, "/sysroot/bin", nil),
+			call("open", stub.ExpectArgs{"/sysroot/bin", 0x280000, uint32(0)}, 0xbabe, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/47806"}, "/sysroot/bin", nil),
+			call("close", stub.ExpectArgs{0xbabe}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/bin", "", uintptr(0x209027), ""}, nil, nil),
+		}}, nil},
+
+		{"success EACCES", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, syscall.EACCES),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/store", "", uintptr(0x209027), ""}, nil, nil),
+		}}, nil},
+
+		{"success no propagate", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
+		}}, nil},
+
+		{"success case sensitive", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/store", "", uintptr(0x209027), ""}, nil, nil),
+		}}, nil},
+
+		{"success", func(k *kstub) error {
+			return newProcPaths(k, hostPath).remount(k, "/sysroot/.nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
+		}, stub.Expect{Calls: []stub.Call{
+			call("evalSymlinks", stub.ExpectArgs{"/sysroot/.nix"}, "/sysroot/NIX", nil),
+			call("verbosef", stub.ExpectArgs{"target resolves to %q", []any{"/sysroot/NIX"}}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/NIX", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
+			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, nil),
+			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/store", "", uintptr(0x209027), ""}, nil, nil),
+		}}, nil},
+	})
+}
+
+func TestRemountWithFlags(t *testing.T) {
+	t.Parallel()
+
+	checkSimple(t, "remountWithFlags", []simpleTestCase{
+		{"noop unmatched", func(k *kstub) error {
+			return remountWithFlags(k, k, &vfs.MountInfoNode{MountInfoEntry: &vfs.MountInfoEntry{VfsOptstr: "rw,relatime,cat"}}, 0)
+		}, stub.Expect{Calls: []stub.Call{
+			call("verbosef", stub.ExpectArgs{"unmatched vfs options: %q", []any{[]string{"cat"}}}, nil, nil),
+		}}, nil},
+
+		{"noop", func(k *kstub) error {
+			return remountWithFlags(k, nil, &vfs.MountInfoNode{MountInfoEntry: &vfs.MountInfoEntry{VfsOptstr: "rw,relatime"}}, 0)
+		}, stub.Expect{}, nil},
+
+		{"success", func(k *kstub) error {
+			return remountWithFlags(k, nil, &vfs.MountInfoNode{MountInfoEntry: &vfs.MountInfoEntry{VfsOptstr: "rw,relatime"}}, syscall.MS_RDONLY)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mount", stub.ExpectArgs{"none", "", "", uintptr(0x209021), ""}, nil, nil),
+		}}, nil},
+	})
+}
+
+func TestMountTmpfs(t *testing.T) {
+	t.Parallel()
+
+	checkSimple(t, "mountTmpfs", []simpleTestCase{
+		{"mkdirAll", func(k *kstub) error {
+			return mountTmpfs(k, "ephemeral", "/sysroot/run/user/1000", 0, 1<<10, 0700)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/run/user/1000", os.FileMode(0700)}, nil, stub.UniqueError(0)),
+		}}, stub.UniqueError(0)},
+
+		{"success no size", func(k *kstub) error {
+			return mountTmpfs(k, "ephemeral", "/sysroot/run/user/1000", 0, 0, 0710)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/run/user/1000", os.FileMode(0750)}, nil, nil),
+			call("mount", stub.ExpectArgs{"ephemeral", "/sysroot/run/user/1000", "tmpfs", uintptr(0), "mode=0710"}, nil, nil),
+		}}, nil},
+
+		{"success", func(k *kstub) error {
+			return mountTmpfs(k, "ephemeral", "/sysroot/run/user/1000", 0, 1<<10, 0700)
+		}, stub.Expect{Calls: []stub.Call{
+			call("mkdirAll", stub.ExpectArgs{"/sysroot/run/user/1000", os.FileMode(0700)}, nil, nil),
+			call("mount", stub.ExpectArgs{"ephemeral", "/sysroot/run/user/1000", "tmpfs", uintptr(0), "mode=0700,size=1024"}, nil, nil),
+		}}, nil},
+	})
+}
+
+func TestParentPerm(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		perm os.FileMode
+		want os.FileMode
+	}{
+		{0755, 0755},
+		{0750, 0750},
+		{0705, 0705},
+		{0700, 0700},
+		{050, 0750},
+		{05, 0705},
+		{0, 0700},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.perm.String(), func(t *testing.T) {
+			t.Parallel()
+			if got := parentPerm(tc.perm); got != tc.want {
+				t.Errorf("parentPerm: %#o, want %#o", got, tc.want)
+			}
+		})
+	}
+}
--- a/container/params.go
+++ b/container/params.go
@@ -1,44 +1,44 @@
-package sandbox
+package container

 import (
 	"encoding/gob"
 	"errors"
 	"os"
 	"strconv"
-)
-
-var (
-	ErrNotSet  = errors.New("environment variable not set")
-	ErrInvalid = errors.New("bad file descriptor")
+	"syscall"
 )

 // Setup appends the read end of a pipe for setup params transmission and returns its fd.
-func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
+func Setup(extraFiles *[]*os.File) (int, *os.File, error) {
 	if r, w, err := os.Pipe(); err != nil {
 		return -1, nil, err
 	} else {
 		fd := 3 + len(*extraFiles)
 		*extraFiles = append(*extraFiles, r)
-		return fd, gob.NewEncoder(w), nil
+		return fd, w, nil
 	}
 }

+var (
+	ErrReceiveEnv = errors.New("environment variable not set")
+)
+
 // Receive retrieves setup fd from the environment and receives params.
-func Receive(key string, e any, v **os.File) (func() error, error) {
+func Receive(key string, e any, fdp *uintptr) (func() error, error) {
 	var setup *os.File

 	if s, ok := os.LookupEnv(key); !ok {
-		return nil, ErrNotSet
+		return nil, ErrReceiveEnv
 	} else {
 		if fd, err := strconv.Atoi(s); err != nil {
-			return nil, err
+			return nil, optionalErrorUnwrap(err)
 		} else {
 			setup = os.NewFile(uintptr(fd), "setup")
 			if setup == nil {
-				return nil, ErrInvalid
+				return nil, syscall.EDOM
 			}
-			if v != nil {
-				*v = setup
+			if fdp != nil {
+				*fdp = setup.Fd()
 			}
 		}
 	}
--- a/container/params_test.go
+++ b/container/params_test.go
@@ -0,0 +1,125 @@
+package container_test
+
+import (
+	"encoding/gob"
+	"errors"
+	"os"
+	"slices"
+	"strconv"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+)
+
+func TestSetupReceive(t *testing.T) {
+	t.Run("not set", func(t *testing.T) {
+		const key = "TEST_ENV_NOT_SET"
+		{
+			v, ok := os.LookupEnv(key)
+			t.Cleanup(func() {
+				if ok {
+					if err := os.Setenv(key, v); err != nil {
+						t.Fatalf("Setenv: error = %v", err)
+					}
+				} else {
+					if err := os.Unsetenv(key); err != nil {
+						t.Fatalf("Unsetenv: error = %v", err)
+					}
+				}
+			})
+		}
+
+		if _, err := container.Receive(key, nil, nil); !errors.Is(err, container.ErrReceiveEnv) {
+			t.Errorf("Receive: error = %v, want %v", err, container.ErrReceiveEnv)
+		}
+	})
+
+	t.Run("format", func(t *testing.T) {
+		const key = "TEST_ENV_FORMAT"
+		t.Setenv(key, "")
+
+		if _, err := container.Receive(key, nil, nil); !errors.Is(err, strconv.ErrSyntax) {
+			t.Errorf("Receive: error = %v, want %v", err, strconv.ErrSyntax)
+		}
+	})
+
+	t.Run("range", func(t *testing.T) {
+		const key = "TEST_ENV_RANGE"
+		t.Setenv(key, "-1")
+
+		if _, err := container.Receive(key, nil, nil); !errors.Is(err, syscall.EDOM) {
+			t.Errorf("Receive: error = %v, want %v", err, syscall.EDOM)
+		}
+	})
+
+	t.Run("setup receive", func(t *testing.T) {
+		check := func(t *testing.T, useNilFdp bool) {
+			const key = "TEST_SETUP_RECEIVE"
+			payload := []uint64{syscall.MS_MGC_VAL, syscall.MS_MGC_MSK, syscall.MS_ASYNC, syscall.MS_ACTIVE}
+
+			encoderDone := make(chan error, 1)
+			extraFiles := make([]*os.File, 0, 1)
+			deadline, _ := t.Deadline()
+			if fd, f, err := container.Setup(&extraFiles); err != nil {
+				t.Fatalf("Setup: error = %v", err)
+			} else if fd != 3 {
+				t.Fatalf("Setup: fd = %d, want 3", fd)
+			} else {
+				if err = f.SetDeadline(deadline); err != nil {
+					t.Fatal(err.Error())
+				}
+				go func() { encoderDone <- gob.NewEncoder(f).Encode(payload) }()
+			}
+
+			if len(extraFiles) != 1 {
+				t.Fatalf("extraFiles: len = %v, want 1", len(extraFiles))
+			}
+
+			var dupFd int
+			if fd, err := syscall.Dup(int(extraFiles[0].Fd())); err != nil {
+				t.Fatalf("Dup: error = %v", err)
+			} else {
+				syscall.CloseOnExec(fd)
+				dupFd = fd
+				t.Setenv(key, strconv.Itoa(fd))
+			}
+
+			var (
+				gotPayload []uint64
+				fdp        *uintptr
+			)
+			if !useNilFdp {
+				fdp = new(uintptr)
+			}
+			var closeFile func() error
+			if f, err := container.Receive(key, &gotPayload, fdp); err != nil {
+				t.Fatalf("Receive: error = %v", err)
+			} else {
+				closeFile = f
+
+				if !slices.Equal(payload, gotPayload) {
+					t.Errorf("Receive: %#v, want %#v", gotPayload, payload)
+				}
+			}
+			if !useNilFdp {
+				if int(*fdp) != dupFd {
+					t.Errorf("Fd: %d, want %d", *fdp, dupFd)
+				}
+			}
+
+			if err := <-encoderDone; err != nil {
+				t.Errorf("Encode: error = %v", err)
+			}
+
+			if closeFile != nil {
+				if err := closeFile(); err != nil {
+					t.Errorf("Close: error = %v", err)
+				}
+			}
+		}
+
+		t.Run("fp", func(t *testing.T) { check(t, false) })
+		t.Run("nil", func(t *testing.T) { check(t, true) })
+	})
+}
--- a/container/path.go
+++ b/container/path.go
@@ -1,8 +1,7 @@
-package sandbox
+package container

 import (
 	"errors"
-	"fmt"
 	"io/fs"
 	"os"
 	"path"
@@ -10,13 +9,18 @@ import (
 	"strings"
 	"syscall"

-	"git.gensokyo.uk/security/fortify/sandbox/vfs"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/vfs"
 )

 const (
-	hostPath    = "/" + hostDir
+	// Nonexistent is a path that cannot exist.
+	// /proc is chosen because a system with covered /proc is unsupported by this package.
+	Nonexistent = fhs.Proc + "nonexistent"
+
+	hostPath    = fhs.Root + hostDir
 	hostDir     = "host"
-	sysrootPath = "/" + sysrootDir
+	sysrootPath = fhs.Root + sysrootDir
 	sysrootDir  = "sysroot"
 )

@@ -32,17 +36,14 @@ func toHost(name string) string {

 func createFile(name string, perm, pperm os.FileMode, content []byte) error {
 	if err := os.MkdirAll(path.Dir(name), pperm); err != nil {
-		return wrapErrSelf(err)
+		return err
 	}
 	f, err := os.OpenFile(name, syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY, perm)
 	if err != nil {
-		return wrapErrSelf(err)
+		return err
 	}
 	if content != nil {
 		_, err = f.Write(content)
-		if err != nil {
-			err = wrapErrSelf(err)
-		}
 	}
 	return errors.Join(f.Close(), err)
 }
@@ -57,19 +58,19 @@ func ensureFile(name string, perm, pperm os.FileMode) error {
 	}

 	if mode := fi.Mode(); mode&fs.ModeDir != 0 || mode&fs.ModeSymlink != 0 {
-		err = msg.WrapErr(syscall.EISDIR,
-			fmt.Sprintf("path %q is a directory", name))
+		err = &os.PathError{Op: "ensure", Path: name, Err: syscall.EISDIR}
 	}
 	return err
 }

-var hostProc = newProcPats(hostPath)
+var hostProc = newProcPaths(direct{}, hostPath)

-func newProcPats(prefix string) *procPaths {
-	return &procPaths{prefix + "/proc", prefix + "/proc/self"}
+func newProcPaths(k syscallDispatcher, prefix string) *procPaths {
+	return &procPaths{k, prefix + "/proc", prefix + "/proc/self"}
 }

 type procPaths struct {
+	k      syscallDispatcher
 	prefix string
 	self   string
 }
@@ -77,17 +78,15 @@ type procPaths struct {
 func (p *procPaths) stdout() string   { return p.self + "/fd/1" }
 func (p *procPaths) fd(fd int) string { return p.self + "/fd/" + strconv.Itoa(fd) }
 func (p *procPaths) mountinfo(f func(d *vfs.MountInfoDecoder) error) error {
-	if r, err := os.Open(p.self + "/mountinfo"); err != nil {
-		return wrapErrSelf(err)
+	if r, err := p.k.openNew(p.self + "/mountinfo"); err != nil {
+		return err
 	} else {
 		d := vfs.NewMountInfoDecoder(r)
 		err0 := f(d)
 		if err = r.Close(); err != nil {
-			return wrapErrSuffix(err,
-				"cannot close mountinfo:")
+			return err
 		} else if err = d.Err(); err != nil {
-			return wrapErrSuffix(err,
-				"cannot parse mountinfo:")
+			return err
 		}
 		return err0
 	}
--- a/container/path_test.go
+++ b/container/path_test.go
@@ -0,0 +1,258 @@
+package container
+
+import (
+	"io"
+	"math"
+	"os"
+	"path"
+	"reflect"
+	"syscall"
+	"testing"
+	"unsafe"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/vfs"
+)
+
+func TestToSysroot(t *testing.T) {
+	testCases := []struct {
+		name string
+		want string
+	}{
+		{"", "/sysroot"},
+		{"/", "/sysroot"},
+		{"//etc///", "/sysroot/etc"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := toSysroot(tc.name); got != tc.want {
+				t.Errorf("toSysroot: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestToHost(t *testing.T) {
+	testCases := []struct {
+		name string
+		want string
+	}{
+		{"", "/host"},
+		{"/", "/host"},
+		{"//etc///", "/host/etc"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := toHost(tc.name); got != tc.want {
+				t.Errorf("toHost: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+// InternalToHostOvlEscape exports toHost passed to [check.EscapeOverlayDataSegment].
+func InternalToHostOvlEscape(s string) string { return check.EscapeOverlayDataSegment(toHost(s)) }
+
+func TestCreateFile(t *testing.T) {
+	t.Run("nonexistent", func(t *testing.T) {
+		t.Run("mkdir", func(t *testing.T) {
+			wantErr := &os.PathError{
+				Op:   "mkdir",
+				Path: "/proc/nonexistent",
+				Err:  syscall.ENOENT,
+			}
+			if err := createFile(path.Join(Nonexistent, ":3"), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
+				t.Errorf("createFile: error = %#v, want %#v", err, wantErr)
+			}
+		})
+
+		t.Run("open", func(t *testing.T) {
+			wantErr := &os.PathError{
+				Op:   "open",
+				Path: "/proc/nonexistent",
+				Err:  syscall.ENOENT,
+			}
+			if err := createFile(path.Join(Nonexistent), 0644, 0755, nil); !reflect.DeepEqual(err, wantErr) {
+				t.Errorf("createFile: error = %#v, want %#v", err, wantErr)
+			}
+		})
+	})
+
+	t.Run("touch", func(t *testing.T) {
+		tempDir := t.TempDir()
+		pathname := path.Join(tempDir, "empty")
+		if err := createFile(pathname, 0644, 0755, nil); err != nil {
+			t.Fatalf("createFile: error = %v", err)
+		}
+		if d, err := os.ReadFile(pathname); err != nil {
+			t.Fatalf("ReadFile: error = %v", err)
+		} else if len(d) != 0 {
+			t.Fatalf("createFile: %q", string(d))
+		}
+	})
+
+	t.Run("write", func(t *testing.T) {
+		tempDir := t.TempDir()
+		pathname := path.Join(tempDir, "zero")
+		if err := createFile(pathname, 0644, 0755, []byte{0}); err != nil {
+			t.Fatalf("createFile: error = %v", err)
+		}
+		if d, err := os.ReadFile(pathname); err != nil {
+			t.Fatalf("ReadFile: error = %v", err)
+		} else if string(d) != "\x00" {
+			t.Fatalf("createFile: %q, want %q", string(d), "\x00")
+		}
+	})
+}
+
+func TestEnsureFile(t *testing.T) {
+	t.Run("create", func(t *testing.T) {
+		if err := ensureFile(path.Join(t.TempDir(), "ensure"), 0644, 0755); err != nil {
+			t.Errorf("ensureFile: error = %v", err)
+		}
+	})
+
+	t.Run("stat", func(t *testing.T) {
+		t.Run("inaccessible", func(t *testing.T) {
+			tempDir := t.TempDir()
+			pathname := path.Join(tempDir, "inaccessible")
+			if f, err := os.Create(pathname); err != nil {
+				t.Fatalf("Create: error = %v", err)
+			} else {
+				_ = f.Close()
+			}
+
+			if err := os.Chmod(tempDir, 0); err != nil {
+				t.Fatalf("Chmod: error = %v", err)
+			}
+
+			wantErr := &os.PathError{
+				Op:   "stat",
+				Path: pathname,
+				Err:  syscall.EACCES,
+			}
+			if err := ensureFile(pathname, 0644, 0755); !reflect.DeepEqual(err, wantErr) {
+				t.Errorf("ensureFile: error = %#v, want %#v", err, wantErr)
+			}
+
+			if err := os.Chmod(tempDir, 0755); err != nil {
+				t.Fatalf("Chmod: error = %v", err)
+			}
+		})
+
+		t.Run("directory", func(t *testing.T) {
+			pathname := t.TempDir()
+			wantErr := &os.PathError{Op: "ensure", Path: pathname, Err: syscall.EISDIR}
+			if err := ensureFile(pathname, 0644, 0755); !reflect.DeepEqual(err, wantErr) {
+				t.Errorf("ensureFile: error = %#v, want %#v", err, wantErr)
+			}
+		})
+
+		t.Run("ensure", func(t *testing.T) {
+			tempDir := t.TempDir()
+			pathname := path.Join(tempDir, "ensure")
+			if f, err := os.Create(pathname); err != nil {
+				t.Fatalf("Create: error = %v", err)
+			} else {
+				_ = f.Close()
+			}
+
+			if err := ensureFile(pathname, 0644, 0755); err != nil {
+				t.Errorf("ensureFile: error = %v", err)
+			}
+		})
+	})
+}
+
+func TestProcPaths(t *testing.T) {
+	t.Run("host", func(t *testing.T) {
+		t.Run("stdout", func(t *testing.T) {
+			want := "/host/proc/self/fd/1"
+			if got := hostProc.stdout(); got != want {
+				t.Errorf("stdout: %q, want %q", got, want)
+			}
+		})
+		t.Run("fd", func(t *testing.T) {
+			want := "/host/proc/self/fd/2147483647"
+			if got := hostProc.fd(math.MaxInt32); got != want {
+				t.Errorf("stdout: %q, want %q", got, want)
+			}
+		})
+	})
+
+	t.Run("mountinfo", func(t *testing.T) {
+		t.Run("nonexistent", func(t *testing.T) {
+			nonexistentProc := newProcPaths(direct{}, t.TempDir())
+			wantErr := &os.PathError{
+				Op:   "open",
+				Path: nonexistentProc.self + "/mountinfo",
+				Err:  syscall.ENOENT,
+			}
+			if err := nonexistentProc.mountinfo(func(*vfs.MountInfoDecoder) error { return syscall.EINVAL }); !reflect.DeepEqual(err, wantErr) {
+				t.Errorf("mountinfo: error = %v, want %v", err, wantErr)
+			}
+		})
+
+		t.Run("sample", func(t *testing.T) {
+			tempDir := t.TempDir()
+			if err := os.MkdirAll(path.Join(tempDir, "proc/self"), 0755); err != nil {
+				t.Fatalf("MkdirAll: error = %v", err)
+			}
+
+			t.Run("clean", func(t *testing.T) {
+				if err := os.WriteFile(path.Join(tempDir, "proc/self/mountinfo"), []byte(`15 20 0:3 / /proc rw,relatime - proc /proc rw
+16 20 0:15 / /sys rw,relatime - sysfs /sys rw
+17 20 0:5 / /dev rw,relatime - devtmpfs udev rw,size=1983516k,nr_inodes=495879,mode=755`), 0644); err != nil {
+					t.Fatalf("WriteFile: error = %v", err)
+				}
+
+				var mountInfo *vfs.MountInfo
+				if err := newProcPaths(direct{}, tempDir).mountinfo(func(d *vfs.MountInfoDecoder) error { return d.Decode(&mountInfo) }); err != nil {
+					t.Fatalf("mountinfo: error = %v", err)
+				}
+
+				wantMountInfo := &vfs.MountInfo{Next: &vfs.MountInfo{Next: &vfs.MountInfo{
+					MountInfoEntry: vfs.MountInfoEntry{ID: 17, Parent: 20, Devno: vfs.DevT{0, 5}, Root: "/", Target: "/dev", VfsOptstr: "rw,relatime", OptFields: []string{}, FsType: "devtmpfs", Source: "udev", FsOptstr: "rw,size=1983516k,nr_inodes=495879,mode=755"}},
+					MountInfoEntry: vfs.MountInfoEntry{ID: 16, Parent: 20, Devno: vfs.DevT{0, 15}, Root: "/", Target: "/sys", VfsOptstr: "rw,relatime", OptFields: []string{}, FsType: "sysfs", Source: "/sys", FsOptstr: "rw"}},
+					MountInfoEntry: vfs.MountInfoEntry{ID: 15, Parent: 20, Devno: vfs.DevT{0, 3}, Root: "/", Target: "/proc", VfsOptstr: "rw,relatime", OptFields: []string{}, FsType: "proc", Source: "/proc", FsOptstr: "rw"},
+				}
+				if !reflect.DeepEqual(mountInfo, wantMountInfo) {
+					t.Errorf("Decode: %#v, want %#v", mountInfo, wantMountInfo)
+				}
+			})
+
+			t.Run("closed", func(t *testing.T) {
+				p := newProcPaths(direct{}, tempDir)
+				wantErr := &os.PathError{
+					Op:   "close",
+					Path: p.self + "/mountinfo",
+					Err:  os.ErrClosed,
+				}
+				if err := p.mountinfo(func(d *vfs.MountInfoDecoder) error {
+					v := reflect.ValueOf(d).Elem().FieldByName("s").Elem().FieldByName("r")
+					v = reflect.NewAt(v.Type(), unsafe.Pointer(v.UnsafeAddr()))
+					if f, ok := v.Elem().Interface().(io.ReadCloser); !ok {
+						t.Fatal("implementation of bufio.Scanner no longer compatible with this fault injection")
+						return syscall.ENOTRECOVERABLE
+					} else {
+						return f.Close()
+					}
+				}); !reflect.DeepEqual(err, wantErr) {
+					t.Errorf("mountinfo: error = %#v, want %#v", err, wantErr)
+				}
+			})
+
+			t.Run("malformed", func(t *testing.T) {
+				path.Join(tempDir, "proc/self/mountinfo")
+				if err := os.WriteFile(path.Join(tempDir, "proc/self/mountinfo"), []byte{0}, 0644); err != nil {
+					t.Fatalf("WriteFile: error = %v", err)
+				}
+
+				wantErr := &vfs.DecoderError{Op: "parse", Line: 0, Err: vfs.ErrMountInfoFields}
+				if err := newProcPaths(direct{}, tempDir).mountinfo(func(d *vfs.MountInfoDecoder) error { return d.Decode(new(*vfs.MountInfo)) }); !reflect.DeepEqual(err, wantErr) {
+					t.Fatalf("mountinfo: error = %v, want %v", err, wantErr)
+				}
+			})
+		})
+	})
+}
--- a/container/seccomp/libseccomp-helper.c
+++ b/container/seccomp/libseccomp-helper.c
@@ -0,0 +1,138 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE /* CLONE_NEWUSER */
+#endif
+
+#include "libseccomp-helper.h"
+#include <assert.h>
+#include <errno.h>
+#include <sys/socket.h>
+
+#define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
+
+int32_t hakurei_scmp_make_filter(
+    int *ret_p, uintptr_t allocate_p,
+    uint32_t arch, uint32_t multiarch,
+    struct hakurei_syscall_rule *rules,
+    size_t rules_sz, hakurei_export_flag flags) {
+    int i;
+    int last_allowed_family;
+    int disallowed;
+    struct hakurei_syscall_rule *rule;
+    void *buf;
+    size_t len = 0;
+
+    int32_t res = 0; /* refer to resPrefix for message */
+
+    /* Blocklist all but unix, inet, inet6 and netlink */
+    struct {
+        int family;
+        hakurei_export_flag flags_mask;
+    } socket_family_allowlist[] = {
+        /* NOTE: Keep in numerical order */
+        {AF_UNSPEC, 0},
+        {AF_LOCAL, 0},
+        {AF_INET, 0},
+        {AF_INET6, 0},
+        {AF_NETLINK, 0},
+        {AF_CAN, HAKUREI_EXPORT_CAN},
+        {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
+    };
+
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (ctx == NULL) {
+        res = 1;
+        goto out;
+    } else
+        errno = 0;
+
+    /* We only really need to handle arches on multiarch systems.
+     * If only one arch is supported the default is fine */
+    if (arch != 0) {
+        /* This *adds* the target arch, instead of replacing the
+         * native one. This is not ideal, because we'd like to only
+         * allow the target arch, but we can't really disallow the
+         * native arch at this point, because then bubblewrap
+         * couldn't continue running. */
+        *ret_p = seccomp_arch_add(ctx, arch);
+        if (*ret_p < 0 && *ret_p != -EEXIST) {
+            res = 2;
+            goto out;
+        }
+
+        if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
+            *ret_p = seccomp_arch_add(ctx, multiarch);
+            if (*ret_p < 0 && *ret_p != -EEXIST) {
+                res = 3;
+                goto out;
+            }
+        }
+    }
+
+    for (i = 0; i < rules_sz; i++) {
+        rule = &rules[i];
+        assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
+
+        if (rule->arg)
+            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 1, *rule->arg);
+        else
+            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 0);
+
+        if (*ret_p == -EFAULT) {
+            res = 4;
+            goto out;
+        } else if (*ret_p < 0) {
+            res = 5;
+            goto out;
+        }
+    }
+
+    /* Socket filtering doesn't work on e.g. i386, so ignore failures here
+     * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
+     * something else: https://github.com/seccomp/libseccomp/issues/8 */
+    last_allowed_family = -1;
+    for (i = 0; i < LEN(socket_family_allowlist); i++) {
+        if (socket_family_allowlist[i].flags_mask != 0 &&
+            (socket_family_allowlist[i].flags_mask & flags) != socket_family_allowlist[i].flags_mask)
+            continue;
+
+        for (disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) {
+            /* Blocklist the in-between valid families */
+            seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed));
+        }
+        last_allowed_family = socket_family_allowlist[i].family;
+    }
+    /* Blocklist the rest */
+    seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
+
+    if (allocate_p == 0) {
+        *ret_p = seccomp_load(ctx);
+        if (*ret_p != 0) {
+            res = 7;
+            goto out;
+        }
+    } else {
+        *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
+        if (*ret_p != 0) {
+            res = 6;
+            goto out;
+        }
+
+        buf = hakurei_scmp_allocate(allocate_p, len);
+        if (buf == NULL) {
+            res = 4;
+            goto out;
+        }
+
+        *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
+        if (*ret_p != 0) {
+            res = 6;
+            goto out;
+        }
+    }
+
+out:
+    if (ctx)
+        seccomp_release(ctx);
+
+    return res;
+}
--- a/container/seccomp/libseccomp-helper.h
+++ b/container/seccomp/libseccomp-helper.h
@@ -0,0 +1,26 @@
+#include <seccomp.h>
+#include <stdint.h>
+
+#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \
+    (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1)
+#error This package requires libseccomp >= v2.5.1
+#endif
+
+typedef enum {
+    HAKUREI_EXPORT_MULTIARCH = 1 << 0,
+    HAKUREI_EXPORT_CAN = 1 << 1,
+    HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
+} hakurei_export_flag;
+
+struct hakurei_syscall_rule {
+    int syscall;
+    int m_errno;
+    struct scmp_arg_cmp *arg;
+};
+
+extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
+int32_t hakurei_scmp_make_filter(
+    int *ret_p, uintptr_t allocate_p,
+    uint32_t arch, uint32_t multiarch,
+    struct hakurei_syscall_rule *rules,
+    size_t rules_sz, hakurei_export_flag flags);
--- a/Show More
+++ b/Show More