release: 0.3.0

Signed-off-by: Ophestra <cat@gensokyo.uk>
container/std: syscall JSON adapter
2025-11-06 01:37:15 +09:00 · 2025-11-06 00:57:53 +09:00 · 2025-11-05 20:21:14 +09:00 · 2025-11-05 20:13:19 +09:00 · 2025-11-05 06:00:39 +09:00 · 2025-11-05 05:48:59 +09:00
170 changed files with 7779 additions and 3121 deletions
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -18,8 +18,8 @@ import (
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
-	"hakurei.app/internal/app"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/env"
+	"hakurei.app/internal/outcome"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
 )
@@ -50,7 +50,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")

-	c.Command("shim", command.UsageInternal, func([]string) error { app.Shim(msg); return errSuccess })
+	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })

 	c.Command("app", "Load and start container from configuration file", func(args []string) error {
 		if len(args) < 1 {
@@ -63,7 +63,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			config.Container.Args = append(config.Container.Args, args[1:]...)
 		}

-		app.Main(ctx, msg, config)
+		outcome.Main(ctx, msg, config)
 		panic("unreachable")
 	})

@@ -86,7 +86,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		)

 		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
-			if flagIdentity < hst.IdentityMin || flagIdentity > hst.IdentityMax {
+			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
 				log.Fatalf("identity %d out of range", flagIdentity)
 			}

@@ -95,7 +95,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				passwd     *user.User
 				passwdOnce sync.Once
 				passwdFunc = func() {
-					us := strconv.Itoa(app.HsuUid(new(app.Hsu).MustID(msg), flagIdentity))
+					us := strconv.Itoa(hst.ToUser(new(outcome.Hsu).MustID(msg), flagIdentity))
 					if u, err := user.LookupId(us); err != nil {
 						msg.Verbosef("cannot look up uid %s", us)
 						passwd = &user.User{
@@ -257,7 +257,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}

-			app.Main(ctx, msg, config)
+			outcome.Main(ctx, msg, config)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
@@ -293,7 +293,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 	}

 	{
-		var flagShort bool
+		var (
+			flagShort   bool
+			flagNoStore bool
+		)
 		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
 			switch len(args) {
 			case 0: // system
@@ -301,10 +304,23 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr

 			case 1: // instance
 				name := args[0]
-				config, entry := tryShort(msg, name)
-				if config == nil {
-					config = tryPath(msg, name)
+
+				var (
+					config *hst.Config
+					entry  *hst.State
+				)
+				if !flagNoStore {
+					var sc hst.Paths
+					env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+					entry = tryIdentifier(msg, name, outcome.NewStore(&sc))
 				}
+
+				if entry == nil {
+					config = tryPath(msg, name)
+				} else {
+					config = entry.Config
+				}
+
 				if !printShowInstance(os.Stdout, time.Now().UTC(), entry, config, flagShort, flagJSON) {
 					os.Exit(1)
 				}
@@ -313,15 +329,17 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				log.Fatal("show requires 1 argument")
 			}
 			return errSuccess
-		}).Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information")
+		}).
+			Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information").
+			Flag(&flagNoStore, "no-store", command.BoolFlag(false), "Do not attempt to match from active instances")
 	}

 	{
 		var flagShort bool
 		c.NewCommand("ps", "List active instances", func(args []string) error {
 			var sc hst.Paths
-			app.CopyPaths().Copy(&sc, new(app.Hsu).MustID(nil))
-			printPs(os.Stdout, time.Now().UTC(), state.NewMulti(msg, sc.RunDirPath.String()), flagShort, flagJSON)
+			env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+			printPs(msg, os.Stdout, time.Now().UTC(), outcome.NewStore(&sc), flagShort, flagJSON)
 			return errSuccess
 		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
 	}
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -77,7 +77,7 @@ Flags:
 			t.Parallel()

 			out := new(bytes.Buffer)
-			c := buildCommand(t.Context(), message.NewMsg(nil), new(earlyHardeningErrs), out)
+			c := buildCommand(t.Context(), message.New(nil), new(earlyHardeningErrs), out)
 			if err := c.Parse(tc.args); !errors.Is(err, command.ErrHelp) && !errors.Is(err, flag.ErrHelp) {
 				t.Errorf("Parse: error = %v; want %v",
 					err, command.ErrHelp)
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -32,7 +32,7 @@ func main() {

 	log.SetPrefix("hakurei: ")
 	log.SetFlags(0)
-	msg := message.NewMsg(log.Default())
+	msg := message.New(log.Default())

 	early := earlyHardeningErrs{
 		yamaLSM:  container.SetPtracer(0),
--- a/cmd/hakurei/parse.go
+++ b/cmd/hakurei/parse.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"encoding/hex"
 	"errors"
 	"io"
 	"log"
@@ -10,11 +11,13 @@ import (
 	"syscall"

 	"hakurei.app/hst"
-	"hakurei.app/internal/app"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/store"
 	"hakurei.app/message"
 )

+// tryPath attempts to read [hst.Config] from multiple sources.
+// tryPath reads from [os.Stdin] if name has value "-".
+// Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
 func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	var r io.ReadCloser
 	config = new(hst.Config)
@@ -42,6 +45,7 @@ func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	return
 }

+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
 func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
@@ -61,10 +65,29 @@ func tryFd(msg message.Msg, name string) io.ReadCloser {
 	}
 }

-func tryShort(msg message.Msg, name string) (config *hst.Config, entry *state.State) {
-	likePrefix := false
-	if len(name) <= 32 {
-		likePrefix = true
+// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
+const shortLengthMin = 1 << 3
+
+// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
+func shortIdentifier(id *hst.ID) string {
+	return shortIdentifierString(id.String())
+}
+
+// shortIdentifierString implements shortIdentifier on an arbitrary string.
+func shortIdentifierString(s string) string {
+	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
+}
+
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
+func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
+	const (
+		likeShort = 1 << iota
+		likeFull
+	)
+
+	var likely uintptr
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
+		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {
 				continue
@@ -72,35 +95,68 @@ func tryShort(msg message.Msg, name string) (config *hst.Config, entry *state.St
 			if c >= 'a' && c <= 'f' {
 				continue
 			}
-			likePrefix = false
-			break
+			return nil
 		}
+		likely |= likeShort
+	} else if len(name) == hex.EncodedLen(len(hst.ID{})) {
+		likely |= likeFull
 	}

-	// try to match from state store
-	if likePrefix && len(name) >= 8 {
-		msg.Verbose("argument looks like prefix")
+	if likely == 0 {
+		return nil
+	}

-		var sc hst.Paths
-		app.CopyPaths().Copy(&sc, new(app.Hsu).MustID(nil))
-		s := state.NewMulti(msg, sc.RunDirPath.String())
-		if entries, err := state.Join(s); err != nil {
-			log.Printf("cannot join store: %v", err)
-			// drop to fetch from file
-		} else {
-			for id := range entries {
-				v := id.String()
-				if strings.HasPrefix(v, name) {
-					// match, use config from this state entry
-					entry = entries[id]
-					config = entry.Config
-					break
+	entries, copyError := s.All()
+	defer func() {
+		if err := copyError(); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
+	}()
+
+	switch {
+	case likely&likeShort != 0:
+		msg.Verbose("argument looks like short identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if strings.HasPrefix(eh.ID.String()[len(hst.ID{}):], name) {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
 				}
-
-				msg.Verbosef("instance %s skipped", v)
+				return &entry
 			}
 		}
-	}
+		return nil

-	return
+	case likely&likeFull != 0:
+		var likelyID hst.ID
+		if likelyID.UnmarshalText([]byte(name)) != nil {
+			return nil
+		}
+		msg.Verbose("argument looks like identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if eh.ID == likelyID {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
+				}
+				return &entry
+			}
+		}
+		return nil
+
+	default:
+		panic("unreachable")
+	}
 }
--- a/cmd/hakurei/parse_test.go
+++ b/cmd/hakurei/parse_test.go
@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"reflect"
+	"testing"
+	"time"
+
+	"hakurei.app/container/check"
+	"hakurei.app/hst"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+func TestShortIdentifier(t *testing.T) {
+	t.Parallel()
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+
+	const want = "fedcba98"
+	if got := shortIdentifier(&id); got != want {
+		t.Errorf("shortIdentifier: %q, want %q", got, want)
+	}
+}
+
+func TestTryIdentifier(t *testing.T) {
+	t.Parallel()
+
+	msg := message.New(nil)
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+	withBase := func(extra ...hst.State) []hst.State {
+		return append([]hst.State{
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))), PID: 0xbeef, ShimPID: 0xcafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xab}, len(hst.ID{}))), PID: 0x1beef, ShimPID: 0x1cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xf0}, len(hst.ID{}))), PID: 0x2beef, ShimPID: 0x2cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef2)},
+
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfe}, len(hst.ID{}))), PID: 0xbed, ShimPID: 0xfff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = hst.IdentityEnd
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfc}, len(hst.ID{}))), PID: 0x1bed, ShimPID: 0x1fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xfc
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xce}, len(hst.ID{}))), PID: 0x2bed, ShimPID: 0x2fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xce
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe2)},
+		}, extra...)
+	}
+	sampleEntry := hst.State{
+		ID:      id,
+		PID:     0xcafe,
+		ShimPID: 0xdead,
+		Config:  hst.Template(),
+	}
+
+	testCases := []struct {
+		name string
+		s    string
+		data []hst.State
+		want *hst.State
+	}{
+		{"likely entries fault", "ffffffff", nil, nil},
+
+		{"likely short too short", "ff", nil, nil},
+		{"likely short too long", "fffffffffffffffff", nil, nil},
+		{"likely short invalid lower", "fffffff\x00", nil, nil},
+		{"likely short invalid higher", "0000000\xff", nil, nil},
+		{"short no match", "fedcba98", withBase(), nil},
+		{"short match", "fedcba98", withBase(sampleEntry), &sampleEntry},
+		{"short match single", "fedcba98", []hst.State{sampleEntry}, &sampleEntry},
+		{"short match longer", "fedcba98765", withBase(sampleEntry), &sampleEntry},
+
+		{"likely long invalid", "0123456789abcdeffedcba987654321\x00", nil, nil},
+		{"long no match", "0123456789abcdeffedcba9876543210", withBase(), nil},
+		{"long match", "0123456789abcdeffedcba9876543210", withBase(sampleEntry), &sampleEntry},
+		{"long match single", "0123456789abcdeffedcba9876543210", []hst.State{sampleEntry}, &sampleEntry},
+	}
+	for _, tc := range testCases {
+		base := check.MustAbs(t.TempDir()).Append("store")
+		s := store.New(base)
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := tryIdentifier(msg, tc.s, store.New(base))
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("tryIdentifier: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"bytes"
 	"fmt"
 	"io"
 	"log"
@@ -12,8 +13,9 @@ import (

 	"hakurei.app/hst"
 	"hakurei.app/internal"
-	"hakurei.app/internal/app"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/env"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/internal/store"
 	"hakurei.app/message"
 )

@@ -22,8 +24,8 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()

-	info := &hst.Info{Version: internal.Version(), User: new(app.Hsu).MustID(nil)}
-	app.CopyPaths().Copy(&info.Paths, info.User)
+	info := &hst.Info{Version: internal.Version(), User: new(outcome.Hsu).MustID(nil)}
+	env.CopyPaths().Copy(&info.Paths, info.User)

 	if flagJSON {
 		encodeJSON(log.Fatal, output, short, info)
@@ -38,11 +40,12 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
 }

-// printShowInstance writes a representation of [state.State] or [hst.Config] to output.
+// printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
 func printShowInstance(
 	output io.Writer, now time.Time,
-	instance *state.State, config *hst.Config,
-	short, flagJSON bool) (valid bool) {
+	instance *hst.State, config *hst.Config,
+	short, flagJSON bool,
+) (valid bool) {
 	valid = true

 	if flagJSON {
@@ -64,9 +67,14 @@ func printShowInstance(
 		}
 	}

+	if config == nil {
+		// nothing to print
+		return
+	}
+
 	if instance != nil {
 		t.Printf("State\n")
-		t.Printf(" Instance:\t%s (%d)\n", instance.ID.String(), instance.PID)
+		t.Printf(" Instance:\t%s (%d -> %d)\n", instance.ID.String(), instance.PID, instance.ShimPID)
 		t.Printf(" Uptime:\t%s\n", now.Sub(instance.Time).Round(time.Second).String())
 		t.Printf("\n")
 	}
@@ -82,14 +90,13 @@ func printShowInstance(
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
 	if config.Container != nil {
-		params := config.Container
-		if params.Home != nil {
-			t.Printf(" Home:\t%s\n", params.Home)
+		if config.Container.Home != nil {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
 		}
-		if params.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", params.Hostname)
+		if config.Container.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
 		}
-		flags := params.Flags.String()
+		flags := config.Container.Flags.String()

 		// this is included in the upper hst.Config struct but is relevant here
 		const flagDirectWayland = "directwl"
@@ -103,11 +110,11 @@ func printShowInstance(
 		}
 		t.Printf(" Flags:\t%s\n", flags)

-		if params.Path != nil {
-			t.Printf(" Path:\t%s\n", params.Path)
+		if config.Container.Path != nil {
+			t.Printf(" Path:\t%s\n", config.Container.Path)
 		}
-		if len(params.Args) > 0 {
-			t.Printf(" Arguments:\t%s\n", strings.Join(params.Args, " "))
+		if len(config.Container.Args) > 0 {
+			t.Printf(" Arguments:\t%s\n", strings.Join(config.Container.Args, " "))
 		}
 	}
 	t.Printf("\n")
@@ -167,57 +174,52 @@ func printShowInstance(
 }

 // printPs writes a representation of active instances to output.
-func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON bool) {
-	var entries state.Entries
-	if e, err := state.Join(s); err != nil {
-		log.Fatalf("cannot join store: %v", err)
-	} else {
-		entries = e
-	}
-	if err := s.Close(); err != nil {
-		log.Printf("cannot close store: %v", err)
+func printPs(msg message.Msg, output io.Writer, now time.Time, s *store.Store, short, flagJSON bool) {
+	f := func(a func(eh *store.EntryHandle)) {
+		entries, copyError := s.All()
+		for eh := range entries {
+			a(eh)
+		}
+		if err := copyError(); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
 	}

-	if !short && flagJSON {
-		es := make(map[string]*state.State, len(entries))
-		for id, instance := range entries {
-			es[id.String()] = instance
+	if short { // short output requires identifier only
+		var identifiers []*hst.ID
+		f(func(eh *store.EntryHandle) {
+			if _, err := eh.Load(nil); err != nil { // passes through decode error
+				msg.GetLogger().Println(getMessage("cannot validate state entry header:", err))
+				return
+			}
+			identifiers = append(identifiers, &eh.ID)
+		})
+		slices.SortFunc(identifiers, func(a, b *hst.ID) int { return bytes.Compare(a[:], b[:]) })
+
+		if flagJSON {
+			encodeJSON(log.Fatal, output, short, identifiers)
+		} else {
+			for _, id := range identifiers {
+				mustPrintln(output, shortIdentifier(id))
+			}
 		}
-		encodeJSON(log.Fatal, output, short, es)
 		return
 	}

-	// sort state entries by id string to ensure consistency between runs
-	exp := make([]*expandedStateEntry, 0, len(entries))
-	for id, instance := range entries {
-		// gracefully skip nil states
-		if instance == nil {
-			log.Printf("got invalid state entry %s", id.String())
-			continue
+	// long output requires full instance state
+	var instances []*hst.State
+	f(func(eh *store.EntryHandle) {
+		var state hst.State
+		if _, err := eh.Load(&state); err != nil { // passes through decode error
+			msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+			return
 		}
+		instances = append(instances, &state)
+	})
+	slices.SortFunc(instances, func(a, b *hst.State) int { return bytes.Compare(a.ID[:], b.ID[:]) })

-		// gracefully skip inconsistent states
-		if id != instance.ID {
-			log.Printf("possible store corruption: entry %s has id %s",
-				id.String(), instance.ID.String())
-			continue
-		}
-		exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
-	}
-	slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
-
-	if short {
-		if flagJSON {
-			v := make([]string, len(exp))
-			for i, e := range exp {
-				v[i] = e.s
-			}
-			encodeJSON(log.Fatal, output, short, v)
-		} else {
-			for _, e := range exp {
-				mustPrintln(output, e.s[:8])
-			}
-		}
+	if flagJSON {
+		encodeJSON(log.Fatal, output, short, instances)
 		return
 	}

@@ -225,33 +227,21 @@ func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON boo
 	defer t.MustFlush()

 	t.Println("\tInstance\tPID\tApplication\tUptime")
-	for _, e := range exp {
-		if len(e.s) != 1<<5 {
-			// unreachable
-			log.Printf("possible store corruption: invalid instance string %s", e.s)
-			continue
-		}
-
+	for _, instance := range instances {
 		as := "(No configuration information)"
-		if e.Config != nil {
-			as = strconv.Itoa(e.Config.Identity)
-			id := e.Config.ID
+		if instance.Config != nil {
+			as = strconv.Itoa(instance.Config.Identity)
+			id := instance.Config.ID
 			if id == "" {
-				id = "app.hakurei." + e.s[:8]
+				id = "app.hakurei." + shortIdentifier(&instance.ID)
 			}
 			as += " (" + id + ")"
 		}
 		t.Printf("\t%s\t%d\t%s\t%s\n",
-			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String())
+			shortIdentifier(&instance.ID), instance.PID, as, now.Sub(instance.Time).Round(time.Second).String())
 	}
 }

-// expandedStateEntry stores [state.State] alongside a string representation of its [state.ID].
-type expandedStateEntry struct {
-	s string
-	*state.State
-}
-
 // newPrinter returns a configured, wrapped [tabwriter.Writer].
 func newPrinter(output io.Writer) *tp { return &tp{tabwriter.NewWriter(output, 0, 1, 4, ' ', 0)} }

@@ -289,3 +279,11 @@ func mustPrintln(output io.Writer, a ...any) {
 		log.Fatalf("cannot print: %v", err)
 	}
 }
+
+// getMessage returns a [message.Error] message if available, or err prefixed with fallback otherwise.
+func getMessage(fallback string, err error) string {
+	if m, ok := message.GetMessage(err); ok {
+		return m
+	}
+	return fmt.Sprintln(fallback, err)
+}
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -1,26 +1,48 @@
 package main

 import (
+	"bytes"
+	"log"
 	"strings"
 	"testing"
 	"time"

+	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
 )

 var (
-	testID = state.ID{
+	testID = hst.ID{
 		0x8e, 0x2c, 0x76, 0xb0,
 		0x66, 0xda, 0xbe, 0x57,
 		0x4c, 0xf0, 0x73, 0xbd,
 		0xb4, 0x6e, 0xb5, 0xc1,
 	}
-	testState = &state.State{
-		ID:     testID,
-		PID:    0xDEADBEEF,
-		Config: hst.Template(),
-		Time:   testAppTime,
+	testState = hst.State{
+		ID:      testID,
+		PID:     0xcafe,
+		ShimPID: 0xdead,
+		Config:  hst.Template(),
+		Time:    testAppTime,
+	}
+	testStateSmall = hst.State{
+		ID:      (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))),
+		PID:     0xbeef,
+		ShimPID: 0xcafe,
+		Config: &hst.Config{
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPulse),
+			Identity:    1,
+			Container: &hst.ContainerConfig{
+				Shell: check.MustAbs("/bin/sh"),
+				Home:  check.MustAbs("/data/data/uk.gensokyo.cat"),
+				Path:  check.MustAbs("/usr/bin/cat"),
+				Args:  []string{"cat"},
+				Flags: hst.FUserns,
+			},
+		},
+		Time: time.Unix(0, 0xdeadbeef).UTC(),
 	}
 	testTime    = time.Unix(3752, 1).UTC()
 	testAppTime = time.Unix(0, 9).UTC()
@@ -31,12 +53,13 @@ func TestPrintShowInstance(t *testing.T) {

 	testCases := []struct {
 		name        string
-		instance    *state.State
+		instance    *hst.State
 		config      *hst.Config
 		short, json bool
 		want        string
 		valid       bool
 	}{
+		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
 		{"config", nil, hst.Template(), false, false, `App
 Identity:       9 (org.chromium.Chromium)
 Enablements:    wayland, dbus, pulseaudio
@@ -130,8 +153,8 @@ Session bus

 `, false},

-		{"instance", testState, hst.Template(), false, false, `State
- Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (3735928559)
+		{"instance", &testState, hst.Template(), false, false, `State
+ Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (51966 -> 57005)
 Uptime:      1h2m32s

 App
@@ -170,10 +193,10 @@ System bus
 Talk:      ["org.bluez" "org.freedesktop.Avahi" "org.freedesktop.UPower"]

 `, true},
-		{"instance pd", testState, new(hst.Config), false, false, `Error: configuration missing container state!
+		{"instance pd", &testState, new(hst.Config), false, false, `Error: configuration missing container state!

 State
- Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (3735928559)
+ Instance:    8e2c76b066dabe574cf073bdb46eb5c1 (51966 -> 57005)
 Uptime:      1h2m32s

 App
@@ -184,174 +207,156 @@ App

 		{"json nil", nil, nil, false, true, `null
 `, true},
-		{"json instance", testState, nil, false, true, `{
-  "instance": [
-    142,
-    44,
-    118,
-    176,
-    102,
-    218,
-    190,
-    87,
-    76,
-    240,
-    115,
-    189,
-    180,
-    110,
-    181,
-    193
+		{"json instance", &testState, nil, false, true, `{
+  "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
+  "pid": 51966,
+  "shim_pid": 57005,
+  "id": "org.chromium.Chromium",
+  "enablements": {
+    "wayland": true,
+    "dbus": true,
+    "pulse": true
+  },
+  "session_bus": {
+    "see": null,
+    "talk": [
+      "org.freedesktop.Notifications",
+      "org.freedesktop.FileManager1",
+      "org.freedesktop.ScreenSaver",
+      "org.freedesktop.secrets",
+      "org.kde.kwalletd5",
+      "org.kde.kwalletd6",
+      "org.gnome.SessionManager"
+    ],
+    "own": [
+      "org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+      "org.mpris.MediaPlayer2.chromium.*"
+    ],
+    "call": {
+      "org.freedesktop.portal.*": "*"
+    },
+    "broadcast": {
+      "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+    },
+    "filter": true
+  },
+  "system_bus": {
+    "see": null,
+    "talk": [
+      "org.bluez",
+      "org.freedesktop.Avahi",
+      "org.freedesktop.UPower"
+    ],
+    "own": null,
+    "call": null,
+    "broadcast": null,
+    "filter": true
+  },
+  "extra_perms": [
+    {
+      "ensure": true,
+      "path": "/var/lib/hakurei/u0",
+      "x": true
+    },
+    {
+      "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+      "r": true,
+      "w": true,
+      "x": true
+    }
  ],
-  "pid": 3735928559,
-  "config": {
-    "id": "org.chromium.Chromium",
-    "enablements": {
-      "wayland": true,
-      "dbus": true,
-      "pulse": true
+  "identity": 9,
+  "groups": [
+    "video",
+    "dialout",
+    "plugdev"
+  ],
+  "container": {
+    "hostname": "localhost",
+    "wait_delay": -1,
+    "env": {
+      "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+      "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+      "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
    },
-    "session_bus": {
-      "see": null,
-      "talk": [
-        "org.freedesktop.Notifications",
-        "org.freedesktop.FileManager1",
-        "org.freedesktop.ScreenSaver",
-        "org.freedesktop.secrets",
-        "org.kde.kwalletd5",
-        "org.kde.kwalletd6",
-        "org.gnome.SessionManager"
-      ],
-      "own": [
-        "org.chromium.Chromium.*",
-        "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-        "org.mpris.MediaPlayer2.chromium.*"
-      ],
-      "call": {
-        "org.freedesktop.portal.*": "*"
-      },
-      "broadcast": {
-        "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
-      },
-      "filter": true
-    },
-    "system_bus": {
-      "see": null,
-      "talk": [
-        "org.bluez",
-        "org.freedesktop.Avahi",
-        "org.freedesktop.UPower"
-      ],
-      "own": null,
-      "call": null,
-      "broadcast": null,
-      "filter": true
-    },
-    "extra_perms": [
+    "filesystem": [
      {
-        "ensure": true,
-        "path": "/var/lib/hakurei/u0",
-        "x": true
+        "type": "bind",
+        "dst": "/",
+        "src": "/var/lib/hakurei/base/org.debian",
+        "write": true,
+        "special": true
      },
      {
-        "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
-        "r": true,
-        "w": true,
-        "x": true
+        "type": "bind",
+        "dst": "/etc/",
+        "src": "/etc/",
+        "special": true
+      },
+      {
+        "type": "ephemeral",
+        "dst": "/tmp/",
+        "write": true,
+        "perm": 493
+      },
+      {
+        "type": "overlay",
+        "dst": "/nix/store",
+        "lower": [
+          "/var/lib/hakurei/base/org.nixos/ro-store"
+        ],
+        "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+        "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+      },
+      {
+        "type": "link",
+        "dst": "/run/current-system",
+        "linkname": "/run/current-system",
+        "dereference": true
+      },
+      {
+        "type": "link",
+        "dst": "/run/opengl-driver",
+        "linkname": "/run/opengl-driver",
+        "dereference": true
+      },
+      {
+        "type": "bind",
+        "dst": "/data/data/org.chromium.Chromium",
+        "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "write": true,
+        "ensure": true
+      },
+      {
+        "type": "bind",
+        "src": "/dev/dri",
+        "dev": true,
+        "optional": true
      }
    ],
-    "identity": 9,
-    "groups": [
-      "video",
-      "dialout",
-      "plugdev"
+    "username": "chronos",
+    "shell": "/run/current-system/sw/bin/zsh",
+    "home": "/data/data/org.chromium.Chromium",
+    "path": "/run/current-system/sw/bin/chromium",
+    "args": [
+      "chromium",
+      "--ignore-gpu-blocklist",
+      "--disable-smooth-scrolling",
+      "--enable-features=UseOzonePlatform",
+      "--ozone-platform=wayland"
    ],
-    "container": {
-      "hostname": "localhost",
-      "wait_delay": -1,
-      "env": {
-        "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-        "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
-        "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
-      },
-      "filesystem": [
-        {
-          "type": "bind",
-          "dst": "/",
-          "src": "/var/lib/hakurei/base/org.debian",
-          "write": true,
-          "special": true
-        },
-        {
-          "type": "bind",
-          "dst": "/etc/",
-          "src": "/etc/",
-          "special": true
-        },
-        {
-          "type": "ephemeral",
-          "dst": "/tmp/",
-          "write": true,
-          "perm": 493
-        },
-        {
-          "type": "overlay",
-          "dst": "/nix/store",
-          "lower": [
-            "/var/lib/hakurei/base/org.nixos/ro-store"
-          ],
-          "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
-          "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
-        },
-        {
-          "type": "link",
-          "dst": "/run/current-system",
-          "linkname": "/run/current-system",
-          "dereference": true
-        },
-        {
-          "type": "link",
-          "dst": "/run/opengl-driver",
-          "linkname": "/run/opengl-driver",
-          "dereference": true
-        },
-        {
-          "type": "bind",
-          "dst": "/data/data/org.chromium.Chromium",
-          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-          "write": true,
-          "ensure": true
-        },
-        {
-          "type": "bind",
-          "src": "/dev/dri",
-          "dev": true,
-          "optional": true
-        }
-      ],
-      "username": "chronos",
-      "shell": "/run/current-system/sw/bin/zsh",
-      "home": "/data/data/org.chromium.Chromium",
-      "path": "/run/current-system/sw/bin/chromium",
-      "args": [
-        "chromium",
-        "--ignore-gpu-blocklist",
-        "--disable-smooth-scrolling",
-        "--enable-features=UseOzonePlatform",
-        "--ozone-platform=wayland"
-      ],
-      "seccomp_compat": true,
-      "devel": true,
-      "userns": true,
-      "host_net": true,
-      "host_abstract": true,
-      "tty": true,
-      "multiarch": true,
-      "map_real_uid": true,
-      "device": true,
-      "share_runtime": true,
-      "share_tmpdir": true
-    }
+    "seccomp_compat": true,
+    "devel": true,
+    "userns": true,
+    "host_net": true,
+    "host_abstract": true,
+    "tty": true,
+    "multiarch": true,
+    "map_real_uid": true,
+    "device": true,
+    "share_runtime": true,
+    "share_tmpdir": true
  },
  "time": "1970-01-01T00:00:00.000000009Z"
 }
@@ -530,220 +535,243 @@ func TestPrintPs(t *testing.T) {

 	testCases := []struct {
 		name        string
-		entries     state.Entries
+		data        []hst.State
 		short, json bool
-		want        string
+		want, log   string
 	}{
-		{"no entries", make(state.Entries), false, false, "    Instance    PID    Application    Uptime\n"},
-		{"no entries short", make(state.Entries), true, false, ""},
-		{"nil instance", state.Entries{testID: nil}, false, false, "    Instance    PID    Application    Uptime\n"},
-		{"state corruption", state.Entries{state.ID{}: testState}, false, false, "    Instance    PID    Application    Uptime\n"},
+		{"no entries", []hst.State{}, false, false, "    Instance    PID    Application    Uptime\n", ""},
+		{"no entries short", []hst.State{}, true, false, "", ""},

-		{"valid pd", state.Entries{testID: &state.State{ID: testID, PID: 1 << 8, Config: new(hst.Config), Time: testAppTime}}, false, false, `    Instance    PID    Application                 Uptime
-    8e2c76b0    256    0 (app.hakurei.8e2c76b0)    1h2m32s
-`},
+		{"invalid config", []hst.State{{ID: testID, PID: 1 << 8, Config: new(hst.Config), Time: testAppTime}}, false, false, "    Instance    PID    Application    Uptime\n", "check: configuration missing container state\n"},

-		{"valid", state.Entries{testID: testState}, false, false, `    Instance    PID           Application                  Uptime
-    8e2c76b0    3735928559    9 (org.chromium.Chromium)    1h2m32s
-`},
-		{"valid short", state.Entries{testID: testState}, true, false, "8e2c76b0\n"},
-		{"valid json", state.Entries{testID: testState}, false, true, `{
-  "8e2c76b066dabe574cf073bdb46eb5c1": {
-    "instance": [
-      142,
-      44,
-      118,
-      176,
-      102,
-      218,
-      190,
-      87,
-      76,
-      240,
-      115,
-      189,
-      180,
-      110,
-      181,
-      193
+		{"valid", []hst.State{testStateSmall, testState}, false, false, `    Instance    PID      Application                  Uptime
+    4cf073bd    51966    9 (org.chromium.Chromium)    1h2m32s
+    aaaaaaaa    48879    1 (app.hakurei.aaaaaaaa)     1h2m28s
+`, ""},
+		{"valid single", []hst.State{testState}, false, false, `    Instance    PID      Application                  Uptime
+    4cf073bd    51966    9 (org.chromium.Chromium)    1h2m32s
+`, ""},
+
+		{"valid short", []hst.State{testStateSmall, testState}, true, false, "4cf073bd\naaaaaaaa\n", ""},
+		{"valid short single", []hst.State{testState}, true, false, "4cf073bd\n", ""},
+
+		{"valid json", []hst.State{testState, testStateSmall}, false, true, `[
+  {
+    "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
+    "pid": 51966,
+    "shim_pid": 57005,
+    "id": "org.chromium.Chromium",
+    "enablements": {
+      "wayland": true,
+      "dbus": true,
+      "pulse": true
+    },
+    "session_bus": {
+      "see": null,
+      "talk": [
+        "org.freedesktop.Notifications",
+        "org.freedesktop.FileManager1",
+        "org.freedesktop.ScreenSaver",
+        "org.freedesktop.secrets",
+        "org.kde.kwalletd5",
+        "org.kde.kwalletd6",
+        "org.gnome.SessionManager"
+      ],
+      "own": [
+        "org.chromium.Chromium.*",
+        "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+        "org.mpris.MediaPlayer2.chromium.*"
+      ],
+      "call": {
+        "org.freedesktop.portal.*": "*"
+      },
+      "broadcast": {
+        "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+      },
+      "filter": true
+    },
+    "system_bus": {
+      "see": null,
+      "talk": [
+        "org.bluez",
+        "org.freedesktop.Avahi",
+        "org.freedesktop.UPower"
+      ],
+      "own": null,
+      "call": null,
+      "broadcast": null,
+      "filter": true
+    },
+    "extra_perms": [
+      {
+        "ensure": true,
+        "path": "/var/lib/hakurei/u0",
+        "x": true
+      },
+      {
+        "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+        "r": true,
+        "w": true,
+        "x": true
+      }
    ],
-    "pid": 3735928559,
-    "config": {
-      "id": "org.chromium.Chromium",
-      "enablements": {
-        "wayland": true,
-        "dbus": true,
-        "pulse": true
+    "identity": 9,
+    "groups": [
+      "video",
+      "dialout",
+      "plugdev"
+    ],
+    "container": {
+      "hostname": "localhost",
+      "wait_delay": -1,
+      "env": {
+        "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+        "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+        "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
      },
-      "session_bus": {
-        "see": null,
-        "talk": [
-          "org.freedesktop.Notifications",
-          "org.freedesktop.FileManager1",
-          "org.freedesktop.ScreenSaver",
-          "org.freedesktop.secrets",
-          "org.kde.kwalletd5",
-          "org.kde.kwalletd6",
-          "org.gnome.SessionManager"
-        ],
-        "own": [
-          "org.chromium.Chromium.*",
-          "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-          "org.mpris.MediaPlayer2.chromium.*"
-        ],
-        "call": {
-          "org.freedesktop.portal.*": "*"
-        },
-        "broadcast": {
-          "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
-        },
-        "filter": true
-      },
-      "system_bus": {
-        "see": null,
-        "talk": [
-          "org.bluez",
-          "org.freedesktop.Avahi",
-          "org.freedesktop.UPower"
-        ],
-        "own": null,
-        "call": null,
-        "broadcast": null,
-        "filter": true
-      },
-      "extra_perms": [
+      "filesystem": [
        {
-          "ensure": true,
-          "path": "/var/lib/hakurei/u0",
-          "x": true
+          "type": "bind",
+          "dst": "/",
+          "src": "/var/lib/hakurei/base/org.debian",
+          "write": true,
+          "special": true
        },
        {
-          "path": "/var/lib/hakurei/u0/org.chromium.Chromium",
-          "r": true,
-          "w": true,
-          "x": true
+          "type": "bind",
+          "dst": "/etc/",
+          "src": "/etc/",
+          "special": true
+        },
+        {
+          "type": "ephemeral",
+          "dst": "/tmp/",
+          "write": true,
+          "perm": 493
+        },
+        {
+          "type": "overlay",
+          "dst": "/nix/store",
+          "lower": [
+            "/var/lib/hakurei/base/org.nixos/ro-store"
+          ],
+          "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
+          "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
+        },
+        {
+          "type": "link",
+          "dst": "/run/current-system",
+          "linkname": "/run/current-system",
+          "dereference": true
+        },
+        {
+          "type": "link",
+          "dst": "/run/opengl-driver",
+          "linkname": "/run/opengl-driver",
+          "dereference": true
+        },
+        {
+          "type": "bind",
+          "dst": "/data/data/org.chromium.Chromium",
+          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+          "write": true,
+          "ensure": true
+        },
+        {
+          "type": "bind",
+          "src": "/dev/dri",
+          "dev": true,
+          "optional": true
        }
      ],
-      "identity": 9,
-      "groups": [
-        "video",
-        "dialout",
-        "plugdev"
+      "username": "chronos",
+      "shell": "/run/current-system/sw/bin/zsh",
+      "home": "/data/data/org.chromium.Chromium",
+      "path": "/run/current-system/sw/bin/chromium",
+      "args": [
+        "chromium",
+        "--ignore-gpu-blocklist",
+        "--disable-smooth-scrolling",
+        "--enable-features=UseOzonePlatform",
+        "--ozone-platform=wayland"
      ],
-      "container": {
-        "hostname": "localhost",
-        "wait_delay": -1,
-        "env": {
-          "GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-          "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
-          "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
-        },
-        "filesystem": [
-          {
-            "type": "bind",
-            "dst": "/",
-            "src": "/var/lib/hakurei/base/org.debian",
-            "write": true,
-            "special": true
-          },
-          {
-            "type": "bind",
-            "dst": "/etc/",
-            "src": "/etc/",
-            "special": true
-          },
-          {
-            "type": "ephemeral",
-            "dst": "/tmp/",
-            "write": true,
-            "perm": 493
-          },
-          {
-            "type": "overlay",
-            "dst": "/nix/store",
-            "lower": [
-              "/var/lib/hakurei/base/org.nixos/ro-store"
-            ],
-            "upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
-            "work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
-          },
-          {
-            "type": "link",
-            "dst": "/run/current-system",
-            "linkname": "/run/current-system",
-            "dereference": true
-          },
-          {
-            "type": "link",
-            "dst": "/run/opengl-driver",
-            "linkname": "/run/opengl-driver",
-            "dereference": true
-          },
-          {
-            "type": "bind",
-            "dst": "/data/data/org.chromium.Chromium",
-            "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-            "write": true,
-            "ensure": true
-          },
-          {
-            "type": "bind",
-            "src": "/dev/dri",
-            "dev": true,
-            "optional": true
-          }
-        ],
-        "username": "chronos",
-        "shell": "/run/current-system/sw/bin/zsh",
-        "home": "/data/data/org.chromium.Chromium",
-        "path": "/run/current-system/sw/bin/chromium",
-        "args": [
-          "chromium",
-          "--ignore-gpu-blocklist",
-          "--disable-smooth-scrolling",
-          "--enable-features=UseOzonePlatform",
-          "--ozone-platform=wayland"
-        ],
-        "seccomp_compat": true,
-        "devel": true,
-        "userns": true,
-        "host_net": true,
-        "host_abstract": true,
-        "tty": true,
-        "multiarch": true,
-        "map_real_uid": true,
-        "device": true,
-        "share_runtime": true,
-        "share_tmpdir": true
-      }
+      "seccomp_compat": true,
+      "devel": true,
+      "userns": true,
+      "host_net": true,
+      "host_abstract": true,
+      "tty": true,
+      "multiarch": true,
+      "map_real_uid": true,
+      "device": true,
+      "share_runtime": true,
+      "share_tmpdir": true
    },
    "time": "1970-01-01T00:00:00.000000009Z"
+  },
+  {
+    "instance": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+    "pid": 48879,
+    "shim_pid": 51966,
+    "enablements": {
+      "wayland": true,
+      "pulse": true
+    },
+    "identity": 1,
+    "groups": null,
+    "container": {
+      "env": null,
+      "filesystem": null,
+      "shell": "/bin/sh",
+      "home": "/data/data/uk.gensokyo.cat",
+      "path": "/usr/bin/cat",
+      "args": [
+        "cat"
+      ],
+      "userns": true,
+      "map_real_uid": false
+    },
+    "time": "1970-01-01T00:00:03.735928559Z"
  }
-}
-`},
-		{"valid short json", state.Entries{testID: testState}, true, true, `["8e2c76b066dabe574cf073bdb46eb5c1"]
-`},
+]
+`, ""},
+		{"valid short json", []hst.State{testStateSmall, testState}, true, true, `["8e2c76b066dabe574cf073bdb46eb5c1","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
+`, ""},
 	}

 	for _, tc := range testCases {
+		s := store.New(check.MustAbs(t.TempDir()).Append("store"))
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

-			output := new(strings.Builder)
-			printPs(output, testTime, stubStore(tc.entries), tc.short, tc.json)
-			if got := output.String(); got != tc.want {
-				t.Errorf("printPs: got\n%s\nwant\n%s",
-					got, tc.want)
+			var printBuf, logBuf bytes.Buffer
+			msg := message.New(log.New(&logBuf, "check: ", 0))
+			msg.SwapVerbose(true)
+			printPs(msg, &printBuf, testTime, s, tc.short, tc.json)
+			if got := printBuf.String(); got != tc.want {
+				t.Errorf("printPs:\n%s\nwant\n%s", got, tc.want)
 				return
 			}
+			if got := logBuf.String(); got != tc.log {
+				t.Errorf("msg:\n%s\nwant\n%s", got, tc.log)
+			}
 		})
 	}
 }
-
-// stubStore implements [state.Store] and returns test samples via [state.Joiner].
-type stubStore state.Entries
-
-func (s stubStore) Join() (state.Entries, error)               { return state.Entries(s), nil }
-func (s stubStore) Do(int, func(c state.Cursor)) (bool, error) { panic("unreachable") }
-func (s stubStore) List() ([]int, error)                       { panic("unreachable") }
-func (s stubStore) Close() error                               { return nil }
--- a/cmd/hpkg/main.go
+++ b/cmd/hpkg/main.go
@@ -24,7 +24,7 @@ var (
 func main() {
 	log.SetPrefix("hpkg: ")
 	log.SetFlags(0)
-	msg := message.NewMsg(log.Default())
+	msg := message.New(log.Default())

 	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
--- a/cmd/hpkg/test/test.py
+++ b/cmd/hpkg/test/test.py
@@ -58,15 +58,13 @@ def check_state(name, enablements):
    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
    if len(instances) != 1:
        raise Exception(f"unexpected state length {len(instances)}")
-    instance = next(iter(instances.values()))
+    instance = instances[0]

-    config = instance['config']
+    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
+        raise Exception(f"unexpected args {instance['container']['args']}")

-    if len(config['container']['args']) != 1 or not (config['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['container']['args'][0]):
-        raise Exception(f"unexpected args {config['container']['args']}")
-
-    if config['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {config['enablements']}")
+    if instance['enablements'] != enablements:
+        raise Exception(f"unexpected enablements {instance['enablements']}")


 start_all()
@@ -94,15 +92,19 @@ machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
 check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")

 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")

-# Print hakurei runDir contents:
-print(machine.succeed("find /run/user/1000/hakurei"))
+# Print hakurei share and rundir contents:
+print(machine.succeed("find /tmp/hakurei.0 "
+    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
+    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
+    + "-print"))
+print(machine.succeed("find /run/user/1000/hakurei"))
--- a/cmd/hsu/hst.go
+++ b/cmd/hsu/hst.go
@@ -0,0 +1,16 @@
+package main
+
+/* copied from hst and must never be changed */
+
+const (
+	userOffset = 100000
+	rangeSize  = userOffset / 10
+
+	identityStart = 0
+	identityEnd   = appEnd - appStart
+
+	appStart = rangeSize * 1
+	appEnd   = appStart + rangeSize - 1
+)
+
+func toUser(userid, appid uint32) uint32 { return userid*userOffset + appStart + appid }
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -16,15 +16,12 @@ import (
 )

 const (
-	hsuConfFile = "/etc/hsurc"
-	envShim     = "HAKUREI_SHIM"
-	envIdentity = "HAKUREI_IDENTITY"
-	envGroups   = "HAKUREI_GROUPS"
-
-	PR_SET_NO_NEW_PRIVS = 0x26
-
-	identityMin = 0
-	identityMax = 9999
+	// envIdentity is the name of the environment variable holding a
+	// single byte representing the shim setup pipe file descriptor.
+	envShim = "HAKUREI_SHIM"
+	// envGroups holds a ' ' separated list of string representations of
+	// supplementary group gid. Membership requirements are enforced.
+	envGroups = "HAKUREI_GROUPS"
 )

 // hakureiPath is the absolute path to Hakurei.
@@ -33,6 +30,7 @@ const (
 var hakureiPath string

 func main() {
+	const PR_SET_NO_NEW_PRIVS = 0x26
 	runtime.LockOSThread()

 	log.SetFlags(0)
@@ -68,13 +66,8 @@ func main() {
 		toolPath = p
 	}

-	// uid = 1000000 +
-	//    id * 10000 +
-	//      identity
-	uid := 1000000
-
 	// refuse to run if hsurc is not protected correctly
-	if s, err := os.Stat(hsuConfFile); err != nil {
+	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
 		log.Fatal("bad hsurc perm")
@@ -83,25 +76,13 @@ func main() {
 	}

 	// authenticate before accepting user input
-	var id int
-	if f, err := os.Open(hsuConfFile); err != nil {
-		log.Fatal(err)
-	} else if v, ok := mustParseConfig(f, puid); !ok {
-		log.Fatalf("uid %d is not in the hsurc file", puid)
-	} else {
-		id = v
-		if err = f.Close(); err != nil {
-			log.Fatal(err)
-		}
-
-		uid += id * 10000
-	}
+	userid := mustParseConfig(puid)

 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
 		// hakurei requests hsurc user id
-		fmt.Print(id)
+		fmt.Print(userid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
 		log.Fatal("HAKUREI_SHIM holds an invalid value")
@@ -109,13 +90,22 @@ func main() {
 		shimSetupFd = s
 	}

-	// allowed identity range 0 to 9999
-	if as, ok := os.LookupEnv(envIdentity); !ok {
-		log.Fatal("HAKUREI_IDENTITY not set")
-	} else if identity, err := parseUint32Fast(as); err != nil || identity < identityMin || identity > identityMax {
-		log.Fatal("invalid identity")
-	} else {
-		uid += identity
+	// start is going ahead at this point
+	identity := mustReadIdentity()
+
+	const (
+		// first possible uid outcome
+		uidStart = 10000
+		// last possible uid outcome
+		uidEnd = 999919999
+	)
+
+	// cast to int for use with library functions
+	uid := int(toUser(userid, identity))
+
+	// final bounds check to catch any bugs
+	if uid < uidStart || uid >= uidEnd {
+		panic("uid out of bounds")
 	}

 	// supplementary groups
@@ -145,11 +135,6 @@ func main() {
 		suppGroups = []int{uid}
 	}

-	// final bounds check to catch any bugs
-	if uid < 1000000 || uid >= 2000000 {
-		panic("uid out of bounds")
-	}
-
 	// careful! users in the allowlist is effectively allowed to drop groups via hsu

 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
--- a/cmd/hsu/parse.go
+++ b/cmd/hsu/parse.go
@@ -6,62 +6,128 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"math"
+	"os"
 	"strings"
 )

-func parseUint32Fast(s string) (int, error) {
+const (
+	// useridStart is the first userid.
+	useridStart = 0
+	// useridEnd is the last userid.
+	useridEnd = useridStart + rangeSize - 1
+)
+
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer value
+// using the fast path only. This limits the range of values it is defined in.
+func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
-		return -1, errors.New("zero length string")
+		return 0, errors.New("zero length string")
 	}
 	if sLen > 10 {
-		return -1, errors.New("string too long")
+		return 0, errors.New("string too long")
 	}

-	n := 0
+	var n uint32
 	for i, ch := range []byte(s) {
 		ch -= '0'
 		if ch > 9 {
-			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
+			return 0, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
 		}
-		n = n*10 + int(ch)
+		n = n*10 + uint32(ch)
 	}
 	return n, nil
 }

-func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
+// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
+//
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
+// of the string representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the string representation of its userid. Duplicate uid
+// entries are ignored, with the first occurrence taking effect.
+//
+// All string representations are parsed by calling parseUint32Fast.
+func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	s := bufio.NewScanner(r)
-	var line, puid0 int
+	var (
+		line  uintptr
+		puid0 uint32
+	)
 	for s.Scan() {
 		line++

-		// <puid> <fid>
+		// <puid> <userid>
 		lf := strings.SplitN(s.Text(), " ", 2)
 		if len(lf) != 2 {
-			return -1, false, fmt.Errorf("invalid entry on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid entry on line %d", line)
 		}

 		puid0, err = parseUint32Fast(lf[0])
 		if err != nil || puid0 < 1 {
-			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid parent uid on line %d", line)
 		}

 		ok = puid0 == puid
 		if ok {
-			// allowed fid range 0 to 99
-			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
-				return -1, false, fmt.Errorf("invalid identity on line %d", line)
+			// userid bound to a range, uint32 size allows this to be increased if needed
+			if userid, err = parseUint32Fast(lf[1]); err != nil ||
+				userid < useridStart || userid > useridEnd {
+				return useridEnd + 1, false, fmt.Errorf("invalid userid on line %d", line)
 			}
 			return
 		}
 	}
-	return -1, false, s.Err()
+	return useridEnd + 1, false, s.Err()
 }

-func mustParseConfig(r io.Reader, puid int) (int, bool) {
-	fid, ok, err := parseConfig(r, puid)
-	if err != nil {
+// hsuConfPath is an absolute pathname to the hsu configuration file.
+// Its contents are interpreted by parseConfig.
+const hsuConfPath = "/etc/hsurc"
+
+// mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
+// terminating the program if an error is encountered, the syntax is incorrect,
+// or the current user is not authorised to use hsu because its uid is missing.
+//
+// Therefore, code after this function call can assume an authenticated state.
+//
+// mustParseConfig returns the userid value of the current user.
+func mustParseConfig(puid int) (userid uint32) {
+	if puid > math.MaxUint32 {
+		log.Fatalf("got impossible uid %d", puid)
+	}
+
+	var ok bool
+	if f, err := os.Open(hsuConfPath); err != nil {
+		log.Fatal(err)
+	} else if userid, ok, err = parseConfig(f, uint32(puid)); err != nil {
+		log.Fatal(err)
+	} else if err = f.Close(); err != nil {
 		log.Fatal(err)
 	}
-	return fid, ok
+	if !ok {
+		log.Fatalf("uid %d is not in the hsurc file", puid)
+	}
+
+	return
+}
+
+// envIdentity is the name of the environment variable holding a
+// string representation of the current application identity.
+var envIdentity = "HAKUREI_IDENTITY"
+
+// mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
+// terminating the program if the value is not set, malformed, or out of bounds.
+func mustReadIdentity() uint32 {
+	// ranges defined in hst and copied to this package to avoid importing hst
+	if as, ok := os.LookupEnv(envIdentity); !ok {
+		log.Fatal("HAKUREI_IDENTITY not set")
+		panic("unreachable")
+	} else if identity, err := parseUint32Fast(as); err != nil ||
+		identity < identityStart || identity > identityEnd {
+		log.Fatal("invalid identity")
+		panic("unreachable")
+	} else {
+		return identity
+	}
 }
--- a/cmd/hsu/parse_test.go
+++ b/cmd/hsu/parse_test.go
@@ -2,6 +2,7 @@ package main

 import (
 	"bytes"
+	"math"
 	"strconv"
 	"testing"
 )
@@ -39,22 +40,20 @@ func TestParseUint32Fast(t *testing.T) {
 	t.Run("range", func(t *testing.T) {
 		t.Parallel()

-		testRange := func(i, end int) {
+		testRange := func(i, end uint32) {
 			for ; i < end; i++ {
-				s := strconv.Itoa(i)
+				s := strconv.Itoa(int(i))
 				w := i
 				t.Run("parse "+s, func(t *testing.T) {
 					t.Parallel()

 					v, err := parseUint32Fast(s)
 					if err != nil {
-						t.Errorf("parseUint32Fast(%q): error = %v",
-							s, err)
+						t.Errorf("parseUint32Fast(%q): error = %v", s, err)
 						return
 					}
 					if v != w {
-						t.Errorf("parseUint32Fast(%q): got %v",
-							s, v)
+						t.Errorf("parseUint32Fast(%q): got %v", s, v)
 						return
 					}
 				})
@@ -63,7 +62,7 @@ func TestParseUint32Fast(t *testing.T) {

 		testRange(0, 2500)
 		testRange(23002500, 23005000)
-		testRange(7890002500, 7890005000)
+		testRange(math.MaxUint32-2500, math.MaxUint32)
 	})
 }

@@ -72,14 +71,14 @@ func TestParseConfig(t *testing.T) {

 	testCases := []struct {
 		name       string
-		puid, want int
+		puid, want uint32
 		wantErr    string
 		rc         string
 	}{
-		{"empty", 0, -1, "", ``},
-		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
-		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
+		{"empty", 0, useridEnd + 1, "", ``},
+		{"invalid field", 0, useridEnd + 1, "invalid entry on line 1", `9`},
+		{"invalid puid", 0, useridEnd + 1, "invalid parent uid on line 1", `f 9`},
+		{"invalid userid", 1000, useridEnd + 1, "invalid userid on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}

@@ -87,25 +86,21 @@ func TestParseConfig(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

-			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			userid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
 			if err == nil && tc.wantErr != "" {
-				t.Errorf("parseConfig: error = %v; wantErr %q",
-					err, tc.wantErr)
+				t.Errorf("parseConfig: error = %v; want %q", err, tc.wantErr)
 				return
 			}
 			if err != nil && err.Error() != tc.wantErr {
-				t.Errorf("parseConfig: error = %q; wantErr %q",
-					err, tc.wantErr)
+				t.Errorf("parseConfig: error = %q; want %q", err, tc.wantErr)
 				return
 			}
-			if ok == (tc.want == -1) {
-				t.Errorf("parseConfig: ok = %v; want %v",
-					ok, tc.want)
+			if ok == (tc.want == useridEnd+1) {
+				t.Errorf("parseConfig: ok = %v; want %v", ok, tc.want)
 				return
 			}
-			if fid != tc.want {
-				t.Errorf("parseConfig: fid = %v; want %v",
-					fid, tc.want)
+			if userid != tc.want {
+				t.Errorf("parseConfig: %v; want %v", userid, tc.want)
 			}
 		})
 	}
--- a/container/autoroot_test.go
+++ b/container/autoroot_test.go
@@ -6,7 +6,7 @@ import (
 	"testing"

 	"hakurei.app/container/check"
-	"hakurei.app/container/comp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
@@ -23,14 +23,14 @@ func TestAutoRootOp(t *testing.T) {
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
 		}, stub.UniqueError(2), nil, nil},

 		{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -39,7 +39,7 @@ func TestAutoRootOp(t *testing.T) {

 		{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -60,7 +60,7 @@ func TestAutoRootOp(t *testing.T) {

 		{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -127,10 +127,10 @@ func TestAutoRootOp(t *testing.T) {
 	})

 	checkOpsBuilder(t, []opsBuilderTestCase{
-		{"pd", new(Ops).Root(check.MustAbs("/"), comp.BindWritable), Ops{
+		{"pd", new(Ops).Root(check.MustAbs("/"), std.BindWritable), Ops{
 			&AutoRootOp{
 				Host:  check.MustAbs("/"),
-				Flags: comp.BindWritable,
+				Flags: std.BindWritable,
 			},
 		}},
 	})
@@ -140,42 +140,42 @@ func TestAutoRootOp(t *testing.T) {

 		{"internal ne", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:     check.MustAbs("/"),
-			Flags:    comp.BindWritable,
+			Flags:    std.BindWritable,
 			resolved: []*BindMountOp{new(BindMountOp)},
 		}, true},

 		{"flags differs", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable | comp.BindDevice,
+			Flags: std.BindWritable | std.BindDevice,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, false},

 		{"host differs", &AutoRootOp{
 			Host:  check.MustAbs("/tmp/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, false},

 		{"equals", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, true},
 	})

 	checkOpMeta(t, []opMetaTestCase{
 		{"root", &AutoRootOp{
 			Host:  check.MustAbs("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}, "setting up", `auto root "/" flags 0x2`},
 	})
 }
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -147,7 +147,7 @@ func TestAbsoluteIs(t *testing.T) {

 type sCheck struct {
 	Pathname *Absolute `json:"val"`
-	Magic    int       `json:"magic"`
+	Magic    uint64    `json:"magic"`
 }

 func TestCodecAbsolute(t *testing.T) {
@@ -169,19 +169,19 @@ func TestCodecAbsolute(t *testing.T) {
 		{"good", MustAbs("/etc"),
 			nil,
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x10\xff\x84\x01\x04/etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",

 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			&AbsoluteError{Pathname: "etc"},
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",

 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}

--- a/container/container.go
+++ b/container/container.go
@@ -15,16 +15,19 @@ import (
 	"time"

 	"hakurei.app/container/check"
-	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/message"
 )

 const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
-	CancelSignal = SIGTERM
+	CancelSignal = SIGUSR2
+
+	// Timeout for writing initParams to Container.setup.
+	initSetupTimeout = 5 * time.Second
 )

 type (
@@ -37,8 +40,8 @@ type (
 		// with behaviour identical to its [exec.Cmd] counterpart.
 		ExtraFiles []*os.File

-		// param encoder for shim and init
-		setup *gob.Encoder
+		// param pipe for shim and init
+		setup *os.File
 		// cancels cmd
 		cancel context.CancelFunc
 		// closed after Wait returns
@@ -82,11 +85,11 @@ type (
 		*Ops

 		// Seccomp system call filter rules.
-		SeccompRules []seccomp.NativeRule
+		SeccompRules []std.NativeRule
 		// Extra seccomp flags.
 		SeccompFlags seccomp.ExportFlag
 		// Seccomp presets. Has no effect unless SeccompRules is zero-length.
-		SeccompPresets comp.FilterPreset
+		SeccompPresets std.FilterPreset
 		// Do not load seccomp program.
 		SeccompDisable bool

@@ -174,7 +177,7 @@ func (p *Container) Start() error {
 	}

 	if !p.RetainSession {
-		p.SeccompPresets |= comp.PresetDenyTTY
+		p.SeccompPresets |= std.PresetDenyTTY
 	}

 	if p.AdoptWaitDelay == 0 {
@@ -228,10 +231,10 @@ func (p *Container) Start() error {
 	}

 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
+	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
 		return &StartError{true, "set up params stream", err, false, false}
 	} else {
-		p.setup = e
+		p.setup = f
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
@@ -310,6 +313,9 @@ func (p *Container) Serve() error {

 	setup := p.setup
 	p.setup = nil
+	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
+		return &StartError{true, "set init pipe deadline", err, false, true}
+	}

 	if p.Path == nil {
 		p.cancel()
@@ -321,18 +327,17 @@ func (p *Container) Serve() error {
 		p.Dir = fhs.AbsRoot
 	}
 	if p.SeccompRules == nil {
-		p.SeccompRules = make([]seccomp.NativeRule, 0)
+		p.SeccompRules = make([]std.NativeRule, 0)
 	}

-	err := setup.Encode(
-		&initParams{
-			p.Params,
-			Getuid(),
-			Getgid(),
-			len(p.ExtraFiles),
-			p.msg.IsVerbose(),
-		},
-	)
+	err := gob.NewEncoder(setup).Encode(&initParams{
+		p.Params,
+		Getuid(),
+		Getgid(),
+		len(p.ExtraFiles),
+		p.msg.IsVerbose(),
+	})
+	_ = setup.Close()
 	if err != nil {
 		p.cancel()
 	}
@@ -399,7 +404,7 @@ func (p *Container) ProcessState() *os.ProcessState {
 // New returns the address to a new instance of [Container] that requires further initialisation before use.
 func New(ctx context.Context, msg message.Msg) *Container {
 	if msg == nil {
-		msg = message.NewMsg(nil)
+		msg = message.New(nil)
 	}

 	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -21,8 +21,8 @@ import (
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
-	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/vfs"
 	"hakurei.app/hst"
 	"hakurei.app/ldd"
@@ -204,22 +204,22 @@ var containerTestCases = []struct {
 	uid int
 	gid int

-	rules   []seccomp.NativeRule
+	rules   []std.NativeRule
 	flags   seccomp.ExportFlag
-	presets comp.FilterPreset
+	presets std.FilterPreset
 }{
 	{"minimal", true, false, false, true,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, comp.PresetStrict},
+		1000, 100, nil, 0, std.PresetStrict},
 	{"allow", true, true, true, false,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, comp.PresetExt | comp.PresetDenyDevel},
+		1000, 100, nil, 0, std.PresetExt | std.PresetDenyDevel},
 	{"no filter", false, true, true, true,
 		emptyOps, emptyMnt,
-		1000, 100, nil, 0, comp.PresetExt},
+		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
-		1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, comp.PresetExt},
+		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},

 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
@@ -228,7 +228,7 @@ var containerTestCases = []struct {
 		earlyMnt(
 			ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
 		),
-		9, 9, nil, 0, comp.PresetStrict},
+		9, 9, nil, 0, std.PresetStrict},

 	{"dev", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
@@ -246,7 +246,7 @@ var containerTestCases = []struct {
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
-		1971, 100, nil, 0, comp.PresetStrict},
+		1971, 100, nil, 0, std.PresetStrict},

 	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
@@ -263,7 +263,7 @@ var containerTestCases = []struct {
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
-		1971, 100, nil, 0, comp.PresetStrict},
+		1971, 100, nil, 0, std.PresetStrict},

 	{"overlay", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -300,7 +300,7 @@ var containerTestCases = []struct {
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},

 	{"overlay ephemeral", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -324,7 +324,7 @@ var containerTestCases = []struct {
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},

 	{"overlay readonly", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
@@ -352,7 +352,7 @@ var containerTestCases = []struct {
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
-		1 << 3, 1 << 14, nil, 0, comp.PresetStrict},
+		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 }

 func TestContainer(t *testing.T) {
@@ -556,13 +556,13 @@ func testContainerCancel(

 func TestContainerString(t *testing.T) {
 	t.Parallel()
-	msg := message.NewMsg(nil)
+	msg := message.New(nil)
 	c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
 	c.SeccompFlags |= seccomp.AllowMultiarch
 	c.SeccompRules = seccomp.Preset(
-		comp.PresetExt|comp.PresetDenyNS|comp.PresetDenyTTY,
+		std.PresetExt|std.PresetDenyNS|std.PresetDenyTTY,
 		c.SeccompFlags)
-	c.SeccompPresets = comp.PresetStrict
+	c.SeccompPresets = std.PresetStrict
 	want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf`
 	if got := c.String(); got != want {
 		t.Errorf("String: %s, want %s", got, want)
@@ -721,7 +721,7 @@ func TestMain(m *testing.M) {
 }

 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
-	msg := message.NewMsg(nil)
+	msg := message.New(nil)
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
 	c.Bind(check.MustAbs(os.Args[0]), absHelperInnerPath, 0)
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -11,6 +11,7 @@ import (
 	"syscall"

 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/message"
 )

@@ -62,7 +63,7 @@ type syscallDispatcher interface {
 	ensureFile(name string, perm, pperm os.FileMode) error

 	// seccompLoad provides [seccomp.Load].
-	seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error
+	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
 	// notify provides [signal.Notify].
 	notify(c chan<- os.Signal, sig ...os.Signal)
 	// start starts [os/exec.Cmd].
@@ -164,7 +165,7 @@ func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }

-func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
 }
 func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) }
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -17,6 +17,7 @@ import (
 	"time"

 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
@@ -456,7 +457,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }

-func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
+func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
 		stub.CheckArgReflect(k.Stub, "rules", rules, 0),
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -46,8 +46,8 @@ func TestMessageFromError(t *testing.T) {
 		{"state", OpStateError("overlay"),
 			"impossible overlay state reached", true},

-		{"vfs parse", &vfs.DecoderError{Op: "parse", Line: 0xdeadbeef, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
-			`cannot parse mountinfo at line 3735928559: numeric field "meow" invalid syntax`, true},
+		{"vfs parse", &vfs.DecoderError{Op: "parse", Line: 0xdead, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
+			`cannot parse mountinfo at line 57005: numeric field "meow" invalid syntax`, true},

 		{"tmpfs", TmpfsSizeError(-1),
 			"tmpfs size -1 out of bounds", true},
--- a/container/executable.go
+++ b/container/executable.go
@@ -1,6 +1,8 @@
 package container

 import (
+	"fmt"
+	"log"
 	"os"
 	"sync"

@@ -14,8 +16,13 @@ var (

 func copyExecutable(msg message.Msg) {
 	if name, err := os.Executable(); err != nil {
-		msg.BeforeExit()
-		msg.GetLogger().Fatalf("cannot read executable path: %v", err)
+		m := fmt.Sprintf("cannot read executable path: %v", err)
+		if msg != nil {
+			msg.BeforeExit()
+			msg.GetLogger().Fatal(m)
+		} else {
+			log.Fatal(m)
+		}
 	} else {
 		executable = name
 	}
--- a/container/executable_test.go
+++ b/container/executable_test.go
@@ -11,7 +11,7 @@ import (
 func TestExecutable(t *testing.T) {
 	t.Parallel()
 	for i := 0; i < 16; i++ {
-		if got := container.MustExecutable(message.NewMsg(nil)); got != os.Args[0] {
+		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
 			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
 		}
 	}
--- a/container/init.go
+++ b/container/init.go
@@ -341,7 +341,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	msg.Suspend()

 	if err := closeSetup(); err != nil {
 		k.printf(msg, "cannot close setup pipe: %v", err)
@@ -390,7 +389,8 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {

 	// handle signals to dump withheld messages
 	sig := make(chan os.Signal, 2)
-	k.notify(sig, os.Interrupt, CancelSignal)
+	k.notify(sig, CancelSignal,
+		os.Interrupt, SIGTERM, SIGQUIT)

 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
@@ -399,11 +399,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	for {
 		select {
 		case s := <-sig:
-			if msg.Resume() {
-				msg.Verbosef("%s after process start", s.String())
-			} else {
-				msg.Verbosef("got %s", s.String())
-			}
 			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
 				msg.Verbose("forwarding context cancellation")
 				if err := k.signal(cmd, os.Interrupt); err != nil {
@@ -411,6 +406,16 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 				}
 				continue
 			}
+
+			if s == SIGTERM || s == SIGQUIT {
+				msg.Verbosef("got %s, forwarding to initial process", s.String())
+				if err := k.signal(cmd, s); err != nil {
+					k.printf(msg, "cannot forward signal: %v", err)
+				}
+				continue
+			}
+
+			msg.Verbosef("got %s", s.String())
 			msg.BeforeExit()
 			k.exit(0)

@@ -422,9 +427,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 			}

 			if w.wpid == cmd.Process.Pid {
-				// initial process exited, output is most likely available again
-				msg.Resume()
-
 				switch {
 				case w.wstatus.Exited():
 					r = w.wstatus.ExitStatus()
@@ -459,7 +461,7 @@ func TryArgv0(msg message.Msg) {
 	if msg == nil {
 		log.SetPrefix(initName + ": ")
 		log.SetFlags(0)
-		msg = message.NewMsg(log.Default())
+		msg = message.New(log.Default())
 	}

 	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {
--- a/container/init_test.go
+++ b/container/init_test.go
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -7,7 +7,7 @@ import (
 	"syscall"

 	"hakurei.app/container/check"
-	"hakurei.app/container/comp"
+	"hakurei.app/container/std"
 )

 func init() { gob.Register(new(BindMountOp)) }
@@ -29,18 +29,18 @@ type BindMountOp struct {
 func (b *BindMountOp) Valid() bool {
 	return b != nil &&
 		b.Source != nil && b.Target != nil &&
-		b.Flags&(comp.BindOptional|comp.BindEnsure) != (comp.BindOptional|comp.BindEnsure)
+		b.Flags&(std.BindOptional|std.BindEnsure) != (std.BindOptional|std.BindEnsure)
 }

 func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
-	if b.Flags&comp.BindEnsure != 0 {
+	if b.Flags&std.BindEnsure != 0 {
 		if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
 			return err
 		}
 	}

 	if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
-		if os.IsNotExist(err) && b.Flags&comp.BindOptional != 0 {
+		if os.IsNotExist(err) && b.Flags&std.BindOptional != 0 {
 			// leave sourceFinal as nil
 			return nil
 		}
@@ -53,7 +53,7 @@ func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {

 func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	if b.sourceFinal == nil {
-		if b.Flags&comp.BindOptional == 0 {
+		if b.Flags&std.BindOptional == 0 {
 			// unreachable
 			return OpStateError("bind")
 		}
@@ -76,10 +76,10 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	}

 	var flags uintptr = syscall.MS_REC
-	if b.Flags&comp.BindWritable == 0 {
+	if b.Flags&std.BindWritable == 0 {
 		flags |= syscall.MS_RDONLY
 	}
-	if b.Flags&comp.BindDevice == 0 {
+	if b.Flags&std.BindDevice == 0 {
 		flags |= syscall.MS_NODEV
 	}

--- a/container/initbind_test.go
+++ b/container/initbind_test.go
@@ -7,7 +7,7 @@ import (
 	"testing"

 	"hakurei.app/container/check"
-	"hakurei.app/container/comp"
+	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 )

@@ -25,7 +25,7 @@ func TestBindMountOp(t *testing.T) {
 		{"skip optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  comp.BindOptional,
+			Flags:  std.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
 		}, nil, nil, nil},
@@ -33,7 +33,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  comp.BindOptional,
+			Flags:  std.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
@@ -46,7 +46,7 @@ func TestBindMountOp(t *testing.T) {
 		{"ensureFile device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  comp.BindWritable | comp.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -57,7 +57,7 @@ func TestBindMountOp(t *testing.T) {
 		{"mkdirAll ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
-			Flags:  comp.BindEnsure,
+			Flags:  std.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
 		}, stub.UniqueError(4), nil, nil},
@@ -65,7 +65,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/usr/bin/"),
-			Flags:  comp.BindEnsure,
+			Flags:  std.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
@@ -79,7 +79,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success device ro", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  comp.BindDevice,
+			Flags:  std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -92,7 +92,7 @@ func TestBindMountOp(t *testing.T) {
 		{"success device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
-			Flags:  comp.BindWritable | comp.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
@@ -182,7 +182,7 @@ func TestBindMountOp(t *testing.T) {
 		{"zero", new(BindMountOp), false},
 		{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
 		{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
-		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: comp.BindOptional | comp.BindEnsure}, false},
+		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: std.BindOptional | std.BindEnsure}, false},
 		{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
 	})

@@ -217,7 +217,7 @@ func TestBindMountOp(t *testing.T) {
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
-			Flags:  comp.BindOptional,
+			Flags:  std.BindOptional,
 		}, false},

 		{"source differs", &BindMountOp{
@@ -256,7 +256,7 @@ func TestBindMountOp(t *testing.T) {
 		{"hostdev", &BindMountOp{
 			Source: check.MustAbs("/dev/"),
 			Target: check.MustAbs("/dev/"),
-			Flags:  comp.BindWritable | comp.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}, "mounting", `"/dev/" flags 0x6`},
 	})
 }
--- a/container/landlock.go
+++ b/container/landlock.go
@@ -5,7 +5,7 @@ import (
 	"syscall"
 	"unsafe"

-	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 )

 // include/uapi/linux/landlock.h
@@ -14,7 +14,8 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )

-type LandlockAccessFS uintptr
+// LandlockAccessFS is bitmask of handled filesystem actions.
+type LandlockAccessFS uint64

 const (
 	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
@@ -105,7 +106,8 @@ func (f LandlockAccessFS) String() string {
 	}
 }

-type LandlockAccessNet uintptr
+// LandlockAccessNet is bitmask of handled network actions.
+type LandlockAccessNet uint64

 const (
 	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
@@ -140,7 +142,8 @@ func (f LandlockAccessNet) String() string {
 	}
 }

-type LandlockScope uintptr
+// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+type LandlockScope uint64

 const (
 	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
@@ -175,6 +178,7 @@ func (f LandlockScope) String() string {
 	}
 }

+// RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
 	HandledAccessFS LandlockAccessFS
@@ -212,7 +216,7 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 		size = unsafe.Sizeof(*rulesetAttr)
 	}

-	rulesetFd, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
 	fd = int(rulesetFd)
 	err = errno

@@ -231,7 +235,7 @@ func LandlockGetABI() (int, error) {
 }

 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
-	r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
 	if r != 0 {
 		return errno
 	}
--- a/container/mount_test.go
+++ b/container/mount_test.go
@@ -69,8 +69,8 @@ func TestRemount(t *testing.T) {
 403 397 0:63 / /host/run/user/1000 rw,nosuid,nodev,relatime master:295 - tmpfs tmpfs rw,size=401060k,nr_inodes=100265,mode=700,uid=1000,gid=100
 404 254 0:46 / /host/mnt/cwd rw,relatime master:96 - overlay overlay rw,lowerdir=/mnt/.ro-cwd,upperdir=/tmp/.cwd/upper,workdir=/tmp/.cwd/work
 405 254 0:47 / /host/mnt/src rw,relatime master:99 - overlay overlay rw,lowerdir=/nix/store/ihcrl3zwvp2002xyylri2wz0drwajx4z-ns0pa7q2b1jpx9pbf1l9352x6rniwxjn-source,upperdir=/tmp/.src/upper,workdir=/tmp/.src/work
-407 253 0:65 / / rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=1000000,gid=1000000
-408 407 0:65 /sysroot /sysroot rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=1000000,gid=1000000
+407 253 0:65 / / rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=10000,gid=10000
+408 407 0:65 /sysroot /sysroot rw,nosuid,nodev,relatime - tmpfs rootfs rw,uid=10000,gid=10000
 409 408 253:0 /bin /sysroot/bin rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
 410 408 253:0 /home /sysroot/home rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
 411 408 253:0 /lib64 /sysroot/lib64 rw,nosuid,nodev,relatime master:1 - ext4 /dev/disk/by-label/nixos rw
@@ -91,24 +91,24 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, stub.UniqueError(5)),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, stub.UniqueError(5)),
 		}}, &os.PathError{Op: "open", Path: "/sysroot/nix", Err: stub.UniqueError(5)}},

 		{"readlink", func(k *kstub) error {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", stub.UniqueError(4)),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", stub.UniqueError(4)),
 		}}, stub.UniqueError(4)},

 		{"close", func(k *kstub) error {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, stub.UniqueError(3)),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, stub.UniqueError(3)),
 		}}, &os.PathError{Op: "close", Path: "/sysroot/nix", Err: stub.UniqueError(3)}},

 		{"mountinfo no match", func(k *kstub) error {
@@ -116,9 +116,9 @@ func TestRemount(t *testing.T) {
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/.hakurei", nil),
 			call("verbosef", stub.ExpectArgs{"target resolves to %q", []any{"/sysroot/.hakurei"}}, nil, nil),
-			call("open", stub.ExpectArgs{"/sysroot/.hakurei", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/.hakurei", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/.hakurei", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/.hakurei", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 		}}, &vfs.DecoderError{Op: "unfold", Line: -1, Err: vfs.UnfoldTargetError("/sysroot/.hakurei")}},

@@ -126,9 +126,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile("\x00"), nil),
 		}}, &vfs.DecoderError{Op: "parse", Line: 0, Err: vfs.ErrMountInfoFields}},

@@ -136,9 +136,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, stub.UniqueError(2)),
 		}}, stub.UniqueError(2)},
@@ -147,9 +147,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, stub.UniqueError(1)),
@@ -170,9 +170,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, syscall.EACCES),
@@ -183,9 +183,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 		}}, nil},
@@ -194,9 +194,9 @@ func TestRemount(t *testing.T) {
 			return newProcPaths(k, hostPath).remount(nil, "/sysroot/nix", syscall.MS_REC|syscall.MS_RDONLY|syscall.MS_NODEV)
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/nix"}, "/sysroot/nix", nil),
-			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/nix", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, nil),
@@ -208,9 +208,9 @@ func TestRemount(t *testing.T) {
 		}, stub.Expect{Calls: []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/sysroot/.nix"}, "/sysroot/NIX", nil),
 			call("verbosef", stub.ExpectArgs{"target resolves to %q", []any{"/sysroot/NIX"}}, nil, nil),
-			call("open", stub.ExpectArgs{"/sysroot/NIX", 0x280000, uint32(0)}, 0xdeadbeef, nil),
-			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/3735928559"}, "/sysroot/nix", nil),
-			call("close", stub.ExpectArgs{0xdeadbeef}, nil, nil),
+			call("open", stub.ExpectArgs{"/sysroot/NIX", 0x280000, uint32(0)}, 0xdead, nil),
+			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/57005"}, "/sysroot/nix", nil),
+			call("close", stub.ExpectArgs{0xdead}, nil, nil),
 			call("openNew", stub.ExpectArgs{"/host/proc/self/mountinfo"}, newConstFile(sampleMountinfoNix), nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix", "", uintptr(0x209027), ""}, nil, nil),
 			call("mount", stub.ExpectArgs{"none", "/sysroot/nix/.ro-store", "", uintptr(0x209027), ""}, nil, nil),
--- a/container/params.go
+++ b/container/params.go
@@ -9,13 +9,13 @@ import (
 )

 // Setup appends the read end of a pipe for setup params transmission and returns its fd.
-func Setup(extraFiles *[]*os.File) (int, *gob.Encoder, error) {
+func Setup(extraFiles *[]*os.File) (int, *os.File, error) {
 	if r, w, err := os.Pipe(); err != nil {
 		return -1, nil, err
 	} else {
 		fd := 3 + len(*extraFiles)
 		*extraFiles = append(*extraFiles, r)
-		return fd, gob.NewEncoder(w), nil
+		return fd, w, nil
 	}
 }

--- a/container/params_test.go
+++ b/container/params_test.go
@@ -1,6 +1,7 @@
 package container_test

 import (
+	"encoding/gob"
 	"errors"
 	"os"
 	"slices"
@@ -55,16 +56,20 @@ func TestSetupReceive(t *testing.T) {
 	t.Run("setup receive", func(t *testing.T) {
 		check := func(t *testing.T, useNilFdp bool) {
 			const key = "TEST_SETUP_RECEIVE"
-			payload := []int{syscall.MS_MGC_VAL, syscall.MS_MGC_MSK, syscall.MS_ASYNC, syscall.MS_ACTIVE}
+			payload := []uint64{syscall.MS_MGC_VAL, syscall.MS_MGC_MSK, syscall.MS_ASYNC, syscall.MS_ACTIVE}

 			encoderDone := make(chan error, 1)
 			extraFiles := make([]*os.File, 0, 1)
-			if fd, encoder, err := container.Setup(&extraFiles); err != nil {
+			deadline, _ := t.Deadline()
+			if fd, f, err := container.Setup(&extraFiles); err != nil {
 				t.Fatalf("Setup: error = %v", err)
 			} else if fd != 3 {
 				t.Fatalf("Setup: fd = %d, want 3", fd)
 			} else {
-				go func() { encoderDone <- encoder.Encode(payload) }()
+				if err = f.SetDeadline(deadline); err != nil {
+					t.Fatal(err.Error())
+				}
+				go func() { encoderDone <- gob.NewEncoder(f).Encode(payload) }()
 			}

 			if len(extraFiles) != 1 {
@@ -81,7 +86,7 @@ func TestSetupReceive(t *testing.T) {
 			}

 			var (
-				gotPayload []int
+				gotPayload []uint64
 				fdp        *uintptr
 			)
 			if !useNilFdp {
--- a/container/path_test.go
+++ b/container/path_test.go
@@ -173,8 +173,8 @@ func TestProcPaths(t *testing.T) {
 			}
 		})
 		t.Run("fd", func(t *testing.T) {
-			want := "/host/proc/self/fd/9223372036854775807"
-			if got := hostProc.fd(math.MaxInt64); got != want {
+			want := "/host/proc/self/fd/2147483647"
+			if got := hostProc.fd(math.MaxInt32); got != want {
 				t.Errorf("stdout: %q, want %q", got, want)
 			}
 		})
--- a/container/seccomp/libseccomp.go
+++ b/container/seccomp/libseccomp.go
@@ -14,6 +14,8 @@ import (
 	"runtime/cgo"
 	"syscall"
 	"unsafe"
+
+	"hakurei.app/container/std"
 )

 // ErrInvalidRules is returned for a zero-length rules slice.
@@ -54,22 +56,16 @@ func (e *LibraryError) Is(err error) bool {
 }

 type (
-	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall = C.int
-	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno = C.int
+	// scmpUint is equivalent to [std.ScmpUint].
+	scmpUint = C.uint
+	// scmpInt is equivalent to [std.ScmpInt].
+	scmpInt = C.int
+
+	// syscallRule is equivalent to [std.NativeRule].
+	syscallRule = C.struct_hakurei_syscall_rule
 )

-// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
-type NativeRule struct {
-	// Syscall is the arch-dependent syscall number to act against.
-	Syscall ScmpSyscall
-	// Errno is the errno value to return when the condition is satisfied.
-	Errno ScmpErrno
-	// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
-	Arg *ScmpArgCmp
-}
-
+// ExportFlag configures filter behaviour that are not implemented as rules.
 type ExportFlag = C.hakurei_export_flag

 const (
@@ -102,9 +98,9 @@ func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
 	return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
 }

-// makeFilter generates a bpf program from a slice of [NativeRule] and writes the resulting byte slice to p.
+// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
 // The filter is installed to the current process if p is nil.
-func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
+func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
 	}
@@ -152,7 +148,7 @@ func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
 	res, err := C.hakurei_scmp_make_filter(
 		&ret, C.uintptr_t(allocateP),
 		arch, multiarch,
-		(*C.struct_hakurei_syscall_rule)(unsafe.Pointer(&rules[0])),
+		(*syscallRule)(unsafe.Pointer(&rules[0])),
 		C.size_t(len(rules)),
 		flags,
 	)
@@ -167,20 +163,27 @@ func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
 	return err
 }

-// Export generates a bpf program from a slice of [NativeRule].
+// Export generates a bpf program from a slice of [std.NativeRule].
 // Errors returned by libseccomp is wrapped in [LibraryError].
-func Export(rules []NativeRule, flags ExportFlag) (data []byte, err error) {
+func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
 	err = makeFilter(rules, flags, &data)
 	return
 }

-// Load generates a bpf program from a slice of [NativeRule] and enforces it on the current process.
+// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
 // Errors returned by libseccomp is wrapped in [LibraryError].
-func Load(rules []NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
+func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }

-// ScmpCompare is the equivalent of scmp_compare;
-// Comparison operators
-type ScmpCompare = C.enum_scmp_compare
+type (
+	// Comparison operators.
+	scmpCompare = C.enum_scmp_compare
+
+	// Argument datum.
+	scmpDatum = C.scmp_datum_t
+
+	// Argument / Value comparison definition.
+	scmpArgCmp = C.struct_scmp_arg_cmp
+)

 const (
 	_SCMP_CMP_MIN = C._SCMP_CMP_MIN
@@ -203,33 +206,19 @@ const (
 	_SCMP_CMP_MAX = C._SCMP_CMP_MAX
 )

-// ScmpDatum is the equivalent of scmp_datum_t;
-// Argument datum
-type ScmpDatum uint64
-
-// ScmpArgCmp is the equivalent of struct scmp_arg_cmp;
-// Argument / Value comparison definition
-type ScmpArgCmp struct {
-	// argument number, starting at 0
-	Arg C.uint
-	// the comparison op, e.g. SCMP_CMP_*
-	Op ScmpCompare
-
-	DatumA, DatumB ScmpDatum
-}
-
 const (
-	// PersonaLinux is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	// PersonaLinux is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
 	PersonaLinux = C.PER_LINUX
-	// PersonaLinux32 is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
+	// PersonaLinux32 is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
 	PersonaLinux32 = C.PER_LINUX32
 )

 // syscallResolveName resolves a syscall number by name via seccomp_syscall_resolve_name.
 // This function is only for testing the lookup tables and included here for convenience.
-func syscallResolveName(s string) (trap int) {
+func syscallResolveName(s string) (trap int, ok bool) {
 	v := C.CString(s)
 	trap = int(C.seccomp_syscall_resolve_name(v))
 	C.free(unsafe.Pointer(v))
+	ok = trap != C.__NR_SCMP_ERROR
 	return
 }
--- a/container/seccomp/libseccomp_test.go
+++ b/container/seccomp/libseccomp_test.go
@@ -6,8 +6,8 @@ import (
 	"syscall"
 	"testing"

-	. "hakurei.app/container/comp"
 	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
 )

 func TestLibraryError(t *testing.T) {
--- a/container/seccomp/presets.go
+++ b/container/seccomp/presets.go
@@ -5,32 +5,32 @@ package seccomp
 import (
 	. "syscall"

-	"hakurei.app/container/comp"
+	. "hakurei.app/container/std"
 )

-func Preset(presets comp.FilterPreset, flags ExportFlag) (rules []NativeRule) {
+func Preset(presets FilterPreset, flags ExportFlag) (rules []NativeRule) {
 	allowedPersonality := PersonaLinux
-	if presets&comp.PresetLinux32 != 0 {
+	if presets&PresetLinux32 != 0 {
 		allowedPersonality = PersonaLinux32
 	}
 	presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality))

 	l := len(presetCommon)
-	if presets&comp.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		l += len(presetNamespace)
 	}
-	if presets&comp.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		l += len(presetTTY)
 	}
-	if presets&comp.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		l += len(presetDevelFinal)
 	}
 	if flags&AllowMultiarch == 0 {
 		l += len(presetEmu)
 	}
-	if presets&comp.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		l += len(presetCommonExt)
-		if presets&comp.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			l += len(presetNamespaceExt)
 		}
 		if flags&AllowMultiarch == 0 {
@@ -40,21 +40,21 @@ func Preset(presets comp.FilterPreset, flags ExportFlag) (rules []NativeRule) {

 	rules = make([]NativeRule, 0, l)
 	rules = append(rules, presetCommon...)
-	if presets&comp.PresetDenyNS != 0 {
+	if presets&PresetDenyNS != 0 {
 		rules = append(rules, presetNamespace...)
 	}
-	if presets&comp.PresetDenyTTY != 0 {
+	if presets&PresetDenyTTY != 0 {
 		rules = append(rules, presetTTY...)
 	}
-	if presets&comp.PresetDenyDevel != 0 {
+	if presets&PresetDenyDevel != 0 {
 		rules = append(rules, presetDevelFinal...)
 	}
 	if flags&AllowMultiarch == 0 {
 		rules = append(rules, presetEmu...)
 	}
-	if presets&comp.PresetExt != 0 {
+	if presets&PresetExt != 0 {
 		rules = append(rules, presetCommonExt...)
-		if presets&comp.PresetDenyNS != 0 {
+		if presets&PresetDenyNS != 0 {
 			rules = append(rules, presetNamespaceExt...)
 		}
 		if flags&AllowMultiarch == 0 {
--- a/container/seccomp/presets_386_test.go
+++ b/container/seccomp/presets_386_test.go
@@ -0,0 +1,27 @@
+package seccomp_test
+
+import (
+	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
+)
+
+var bpfExpected = bpfLookup{
+	{AllowMultiarch | AllowCAN |
+		AllowBluetooth, PresetExt |
+		PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
+		PresetLinux32}: toHash(
+		"e67735d24caba42b6801e829ea4393727a36c5e37b8a51e5648e7886047e8454484ff06872aaef810799c29cbd0c1b361f423ad0ef518e33f68436372cc90eb1"),
+
+	{0, 0}: toHash(
+		"5dbcc08a4a1ccd8c12dd0cf6d9817ea6d4f40246e1db7a60e71a50111c4897d69f6fb6d710382d70c18910c2e4fa2d2aeb2daed835dd2fabe3f71def628ade59"),
+	{0, PresetExt}: toHash(
+		"d6c0f130dbb5c793d1c10f730455701875778138bd2d03ca009d674842fd97a10815a8c539b76b7801a73de19463938701216b756c053ec91cfe304cba04a0ed"),
+	{0, PresetStrict}: toHash(
+		"af7d7b66f2e83f9a850472170c1b83d1371426faa9d0dee4e85b179d3ec75ca92828cb8529eb3012b559497494b2eab4d4b140605e3a26c70dfdbe5efe33c105"),
+	{0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
+		"adfb4397e6eeae8c477d315d58204aae854d60071687b8df4c758e297780e02deee1af48328cef80e16e4d6ab1a66ef13e42247c3475cf447923f15cbc17a6a6"),
+	{0, PresetExt | PresetDenyDevel}: toHash(
+		"5d641321460cf54a7036a40a08e845082e1f6d65b9dee75db85ef179f2732f321b16aee2258b74273b04e0d24562e8b1e727930a7e787f41eb5c8aaa0bc22793"),
+	{0, PresetExt | PresetDenyNS | PresetDenyDevel}: toHash(
+		"b1f802d39de5897b1e4cb0e82a199f53df0a803ea88e2fd19491fb8c90387c9e2eaa7e323f565fecaa0202a579eb050531f22e6748e04cfd935b8faac35983ec"),
+}
--- a/container/seccomp/presets_amd64_test.go
+++ b/container/seccomp/presets_amd64_test.go
@@ -1,8 +1,8 @@
 package seccomp_test

 import (
-	. "hakurei.app/container/comp"
 	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
 )

 var bpfExpected = bpfLookup{
--- a/container/seccomp/presets_arm64_test.go
+++ b/container/seccomp/presets_arm64_test.go
@@ -1,8 +1,8 @@
 package seccomp_test

 import (
-	. "hakurei.app/container/comp"
 	. "hakurei.app/container/seccomp"
+	. "hakurei.app/container/std"
 )

 var bpfExpected = bpfLookup{
--- a/container/seccomp/presets_test.go
+++ b/container/seccomp/presets_test.go
@@ -4,14 +4,14 @@ import (
 	"crypto/sha512"
 	"encoding/hex"

-	"hakurei.app/container/comp"
 	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
 )

 type (
 	bpfPreset = struct {
 		seccomp.ExportFlag
-		comp.FilterPreset
+		std.FilterPreset
 	}
 	bpfLookup map[bpfPreset][sha512.Size]byte
 )
--- a/container/seccomp/std_test.go
+++ b/container/seccomp/std_test.go
@@ -0,0 +1,63 @@
+package seccomp
+
+import (
+	"reflect"
+	"testing"
+	"unsafe"
+
+	"hakurei.app/container/std"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range std.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			// this checks the std implementation against libseccomp.
+			if got, ok := syscallResolveName(name); !ok || got != want {
+				t.Errorf("syscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}
+
+func TestRuleType(t *testing.T) {
+	assertKind[std.ScmpUint, scmpUint](t)
+	assertKind[std.ScmpInt, scmpInt](t)
+
+	assertSize[std.NativeRule, syscallRule](t)
+	assertKind[std.ScmpDatum, scmpDatum](t)
+	assertKind[std.ScmpCompare, scmpCompare](t)
+	assertSize[std.ScmpArgCmp, scmpArgCmp](t)
+}
+
+// assertSize asserts that native and equivalent are of the same size.
+func assertSize[native, equivalent any](t *testing.T) {
+	t.Helper()
+
+	got, want := unsafe.Sizeof(*new(native)), unsafe.Sizeof(*new(equivalent))
+	if got != want {
+		t.Fatalf("%s: %d, want %d", reflect.TypeFor[native]().Name(), got, want)
+	}
+}
+
+// assertKind asserts that native and equivalent are of the same kind.
+func assertKind[native, equivalent any](t *testing.T) {
+	t.Helper()
+
+	assertSize[native, equivalent](t)
+	nativeType, equivalentType := reflect.TypeFor[native](), reflect.TypeFor[equivalent]()
+	got, want := nativeType.Kind(), equivalentType.Kind()
+
+	if got == reflect.Invalid || want == reflect.Invalid {
+		t.Fatalf("%s: invalid call to assertKind", nativeType.Name())
+	}
+	if got == reflect.Struct {
+		t.Fatalf("%s: struct is unsupported by assertKind", nativeType.Name())
+	}
+	if got != want {
+		t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind())
+	}
+}
--- a/container/seccomp/syscall_extra_linux_amd64.go
+++ b/container/seccomp/syscall_extra_linux_amd64.go
@@ -1,48 +0,0 @@
-package seccomp
-
-/*
-#cgo linux pkg-config: --static libseccomp
-
-#include <seccomp.h>
-*/
-import "C"
-
-var syscallNumExtra = map[string]int{
-	"umount":          SYS_UMOUNT,
-	"subpage_prot":    SYS_SUBPAGE_PROT,
-	"switch_endian":   SYS_SWITCH_ENDIAN,
-	"vm86":            SYS_VM86,
-	"vm86old":         SYS_VM86OLD,
-	"clock_adjtime64": SYS_CLOCK_ADJTIME64,
-	"clock_settime64": SYS_CLOCK_SETTIME64,
-	"chown32":         SYS_CHOWN32,
-	"fchown32":        SYS_FCHOWN32,
-	"lchown32":        SYS_LCHOWN32,
-	"setgid32":        SYS_SETGID32,
-	"setgroups32":     SYS_SETGROUPS32,
-	"setregid32":      SYS_SETREGID32,
-	"setresgid32":     SYS_SETRESGID32,
-	"setresuid32":     SYS_SETRESUID32,
-	"setreuid32":      SYS_SETREUID32,
-	"setuid32":        SYS_SETUID32,
-}
-
-const (
-	SYS_UMOUNT          = C.__SNR_umount
-	SYS_SUBPAGE_PROT    = C.__SNR_subpage_prot
-	SYS_SWITCH_ENDIAN   = C.__SNR_switch_endian
-	SYS_VM86            = C.__SNR_vm86
-	SYS_VM86OLD         = C.__SNR_vm86old
-	SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
-	SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
-	SYS_CHOWN32         = C.__SNR_chown32
-	SYS_FCHOWN32        = C.__SNR_fchown32
-	SYS_LCHOWN32        = C.__SNR_lchown32
-	SYS_SETGID32        = C.__SNR_setgid32
-	SYS_SETGROUPS32     = C.__SNR_setgroups32
-	SYS_SETREGID32      = C.__SNR_setregid32
-	SYS_SETRESGID32     = C.__SNR_setresgid32
-	SYS_SETRESUID32     = C.__SNR_setresuid32
-	SYS_SETREUID32      = C.__SNR_setreuid32
-	SYS_SETUID32        = C.__SNR_setuid32
-)
--- a/container/seccomp/syscall_extra_linux_arm64.go
+++ b/container/seccomp/syscall_extra_linux_arm64.go
@@ -1,61 +0,0 @@
-package seccomp
-
-/*
-#cgo linux pkg-config: --static libseccomp
-
-#include <seccomp.h>
-*/
-import "C"
-import "syscall"
-
-const (
-	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
-)
-
-var syscallNumExtra = map[string]int{
-	"uselib":          SYS_USELIB,
-	"clock_adjtime64": SYS_CLOCK_ADJTIME64,
-	"clock_settime64": SYS_CLOCK_SETTIME64,
-	"umount":          SYS_UMOUNT,
-	"chown":           SYS_CHOWN,
-	"chown32":         SYS_CHOWN32,
-	"fchown32":        SYS_FCHOWN32,
-	"lchown":          SYS_LCHOWN,
-	"lchown32":        SYS_LCHOWN32,
-	"setgid32":        SYS_SETGID32,
-	"setgroups32":     SYS_SETGROUPS32,
-	"setregid32":      SYS_SETREGID32,
-	"setresgid32":     SYS_SETRESGID32,
-	"setresuid32":     SYS_SETRESUID32,
-	"setreuid32":      SYS_SETREUID32,
-	"setuid32":        SYS_SETUID32,
-	"modify_ldt":      SYS_MODIFY_LDT,
-	"subpage_prot":    SYS_SUBPAGE_PROT,
-	"switch_endian":   SYS_SWITCH_ENDIAN,
-	"vm86":            SYS_VM86,
-	"vm86old":         SYS_VM86OLD,
-}
-
-const (
-	SYS_USELIB          = C.__SNR_uselib
-	SYS_CLOCK_ADJTIME64 = C.__SNR_clock_adjtime64
-	SYS_CLOCK_SETTIME64 = C.__SNR_clock_settime64
-	SYS_UMOUNT          = C.__SNR_umount
-	SYS_CHOWN           = C.__SNR_chown
-	SYS_CHOWN32         = C.__SNR_chown32
-	SYS_FCHOWN32        = C.__SNR_fchown32
-	SYS_LCHOWN          = C.__SNR_lchown
-	SYS_LCHOWN32        = C.__SNR_lchown32
-	SYS_SETGID32        = C.__SNR_setgid32
-	SYS_SETGROUPS32     = C.__SNR_setgroups32
-	SYS_SETREGID32      = C.__SNR_setregid32
-	SYS_SETRESGID32     = C.__SNR_setresgid32
-	SYS_SETRESUID32     = C.__SNR_setresuid32
-	SYS_SETREUID32      = C.__SNR_setreuid32
-	SYS_SETUID32        = C.__SNR_setuid32
-	SYS_MODIFY_LDT      = C.__SNR_modify_ldt
-	SYS_SUBPAGE_PROT    = C.__SNR_subpage_prot
-	SYS_SWITCH_ENDIAN   = C.__SNR_switch_endian
-	SYS_VM86            = C.__SNR_vm86
-	SYS_VM86OLD         = C.__SNR_vm86old
-)
--- a/container/seccomp/syscall_test.go
+++ b/container/seccomp/syscall_test.go
@@ -1,22 +0,0 @@
-package seccomp
-
-import (
-	"testing"
-)
-
-func TestSyscallResolveName(t *testing.T) {
-	t.Parallel()
-
-	for name, want := range Syscalls() {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			if got := syscallResolveName(name); got != want {
-				t.Errorf("syscallResolveName(%q) = %d, want %d", name, got, want)
-			}
-			if got, ok := SyscallResolveName(name); !ok || got != want {
-				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
-			}
-		})
-	}
-}
--- a/container/comp/bits.go
+++ b/container/comp/bits.go
@@ -1,5 +1,5 @@
-// Package comp contains constants from container packages without depending on cgo.
-package comp
+// Package std contains constants from container packages without depending on cgo.
+package std

 const (
 	// BindOptional skips nonexistent host paths.
--- a/container/seccomp/mksysnum_linux.pl
+++ b/container/seccomp/mksysnum_linux.pl
@@ -9,6 +9,7 @@ use POSIX ();
 my $command = "mksysnum_linux.pl ". join(' ', @ARGV);
 my $uname_arch = (POSIX::uname)[4];
 my %syscall_cutoff_arch = (
+	"x86" => 340,
 	"x86_64" => 302,
 	"aarch64" => 281,
 );
@@ -17,7 +18,7 @@ print <<EOF;
 // $command
 // Code generated by the command above; DO NOT EDIT.

-package seccomp
+package std

 import . "syscall"

--- a/container/std/pnr.go
+++ b/container/std/pnr.go
@@ -0,0 +1,267 @@
+// Code generated from include/seccomp-syscalls.h; DO NOT EDIT.
+
+package std
+
+/*
+ * pseudo syscall definitions
+ */
+
+const (
+
+	/* socket syscalls */
+
+	__PNR_socket      = -101
+	__PNR_bind        = -102
+	__PNR_connect     = -103
+	__PNR_listen      = -104
+	__PNR_accept      = -105
+	__PNR_getsockname = -106
+	__PNR_getpeername = -107
+	__PNR_socketpair  = -108
+	__PNR_send        = -109
+	__PNR_recv        = -110
+	__PNR_sendto      = -111
+	__PNR_recvfrom    = -112
+	__PNR_shutdown    = -113
+	__PNR_setsockopt  = -114
+	__PNR_getsockopt  = -115
+	__PNR_sendmsg     = -116
+	__PNR_recvmsg     = -117
+	__PNR_accept4     = -118
+	__PNR_recvmmsg    = -119
+	__PNR_sendmmsg    = -120
+
+	/* ipc syscalls */
+
+	__PNR_semop      = -201
+	__PNR_semget     = -202
+	__PNR_semctl     = -203
+	__PNR_semtimedop = -204
+	__PNR_msgsnd     = -211
+	__PNR_msgrcv     = -212
+	__PNR_msgget     = -213
+	__PNR_msgctl     = -214
+	__PNR_shmat      = -221
+	__PNR_shmdt      = -222
+	__PNR_shmget     = -223
+	__PNR_shmctl     = -224
+
+	/* single syscalls */
+
+	__PNR_arch_prctl                   = -10001
+	__PNR_bdflush                      = -10002
+	__PNR_break                        = -10003
+	__PNR_chown32                      = -10004
+	__PNR_epoll_ctl_old                = -10005
+	__PNR_epoll_wait_old               = -10006
+	__PNR_fadvise64_64                 = -10007
+	__PNR_fchown32                     = -10008
+	__PNR_fcntl64                      = -10009
+	__PNR_fstat64                      = -10010
+	__PNR_fstatat64                    = -10011
+	__PNR_fstatfs64                    = -10012
+	__PNR_ftime                        = -10013
+	__PNR_ftruncate64                  = -10014
+	__PNR_getegid32                    = -10015
+	__PNR_geteuid32                    = -10016
+	__PNR_getgid32                     = -10017
+	__PNR_getgroups32                  = -10018
+	__PNR_getresgid32                  = -10019
+	__PNR_getresuid32                  = -10020
+	__PNR_getuid32                     = -10021
+	__PNR_gtty                         = -10022
+	__PNR_idle                         = -10023
+	__PNR_ipc                          = -10024
+	__PNR_lchown32                     = -10025
+	__PNR__llseek                      = -10026
+	__PNR_lock                         = -10027
+	__PNR_lstat64                      = -10028
+	__PNR_mmap2                        = -10029
+	__PNR_mpx                          = -10030
+	__PNR_newfstatat                   = -10031
+	__PNR__newselect                   = -10032
+	__PNR_nice                         = -10033
+	__PNR_oldfstat                     = -10034
+	__PNR_oldlstat                     = -10035
+	__PNR_oldolduname                  = -10036
+	__PNR_oldstat                      = -10037
+	__PNR_olduname                     = -10038
+	__PNR_prof                         = -10039
+	__PNR_profil                       = -10040
+	__PNR_readdir                      = -10041
+	__PNR_security                     = -10042
+	__PNR_sendfile64                   = -10043
+	__PNR_setfsgid32                   = -10044
+	__PNR_setfsuid32                   = -10045
+	__PNR_setgid32                     = -10046
+	__PNR_setgroups32                  = -10047
+	__PNR_setregid32                   = -10048
+	__PNR_setresgid32                  = -10049
+	__PNR_setresuid32                  = -10050
+	__PNR_setreuid32                   = -10051
+	__PNR_setuid32                     = -10052
+	__PNR_sgetmask                     = -10053
+	__PNR_sigaction                    = -10054
+	__PNR_signal                       = -10055
+	__PNR_sigpending                   = -10056
+	__PNR_sigprocmask                  = -10057
+	__PNR_sigreturn                    = -10058
+	__PNR_sigsuspend                   = -10059
+	__PNR_socketcall                   = -10060
+	__PNR_ssetmask                     = -10061
+	__PNR_stat64                       = -10062
+	__PNR_statfs64                     = -10063
+	__PNR_stime                        = -10064
+	__PNR_stty                         = -10065
+	__PNR_truncate64                   = -10066
+	__PNR_tuxcall                      = -10067
+	__PNR_ugetrlimit                   = -10068
+	__PNR_ulimit                       = -10069
+	__PNR_umount                       = -10070
+	__PNR_vm86                         = -10071
+	__PNR_vm86old                      = -10072
+	__PNR_waitpid                      = -10073
+	__PNR_create_module                = -10074
+	__PNR_get_kernel_syms              = -10075
+	__PNR_get_thread_area              = -10076
+	__PNR_nfsservctl                   = -10077
+	__PNR_query_module                 = -10078
+	__PNR_set_thread_area              = -10079
+	__PNR__sysctl                      = -10080
+	__PNR_uselib                       = -10081
+	__PNR_vserver                      = -10082
+	__PNR_arm_fadvise64_64             = -10083
+	__PNR_arm_sync_file_range          = -10084
+	__PNR_pciconfig_iobase             = -10086
+	__PNR_pciconfig_read               = -10087
+	__PNR_pciconfig_write              = -10088
+	__PNR_sync_file_range2             = -10089
+	__PNR_syscall                      = -10090
+	__PNR_afs_syscall                  = -10091
+	__PNR_fadvise64                    = -10092
+	__PNR_getpmsg                      = -10093
+	__PNR_ioperm                       = -10094
+	__PNR_iopl                         = -10095
+	__PNR_migrate_pages                = -10097
+	__PNR_modify_ldt                   = -10098
+	__PNR_putpmsg                      = -10099
+	__PNR_sync_file_range              = -10100
+	__PNR_select                       = -10101
+	__PNR_vfork                        = -10102
+	__PNR_cachectl                     = -10103
+	__PNR_cacheflush                   = -10104
+	__PNR_sysmips                      = -10106
+	__PNR_timerfd                      = -10107
+	__PNR_time                         = -10108
+	__PNR_getrandom                    = -10109
+	__PNR_memfd_create                 = -10110
+	__PNR_kexec_file_load              = -10111
+	__PNR_sysfs                        = -10145
+	__PNR_oldwait4                     = -10146
+	__PNR_access                       = -10147
+	__PNR_alarm                        = -10148
+	__PNR_chmod                        = -10149
+	__PNR_chown                        = -10150
+	__PNR_creat                        = -10151
+	__PNR_dup2                         = -10152
+	__PNR_epoll_create                 = -10153
+	__PNR_epoll_wait                   = -10154
+	__PNR_eventfd                      = -10155
+	__PNR_fork                         = -10156
+	__PNR_futimesat                    = -10157
+	__PNR_getdents                     = -10158
+	__PNR_getpgrp                      = -10159
+	__PNR_inotify_init                 = -10160
+	__PNR_lchown                       = -10161
+	__PNR_link                         = -10162
+	__PNR_lstat                        = -10163
+	__PNR_mkdir                        = -10164
+	__PNR_mknod                        = -10165
+	__PNR_open                         = -10166
+	__PNR_pause                        = -10167
+	__PNR_pipe                         = -10168
+	__PNR_poll                         = -10169
+	__PNR_readlink                     = -10170
+	__PNR_rename                       = -10171
+	__PNR_rmdir                        = -10172
+	__PNR_signalfd                     = -10173
+	__PNR_stat                         = -10174
+	__PNR_symlink                      = -10175
+	__PNR_unlink                       = -10176
+	__PNR_ustat                        = -10177
+	__PNR_utime                        = -10178
+	__PNR_utimes                       = -10179
+	__PNR_getrlimit                    = -10180
+	__PNR_mmap                         = -10181
+	__PNR_breakpoint                   = -10182
+	__PNR_set_tls                      = -10183
+	__PNR_usr26                        = -10184
+	__PNR_usr32                        = -10185
+	__PNR_multiplexer                  = -10186
+	__PNR_rtas                         = -10187
+	__PNR_spu_create                   = -10188
+	__PNR_spu_run                      = -10189
+	__PNR_swapcontext                  = -10190
+	__PNR_sys_debug_setcontext         = -10191
+	__PNR_switch_endian                = -10191
+	__PNR_get_mempolicy                = -10192
+	__PNR_move_pages                   = -10193
+	__PNR_mbind                        = -10194
+	__PNR_set_mempolicy                = -10195
+	__PNR_s390_runtime_instr           = -10196
+	__PNR_s390_pci_mmio_read           = -10197
+	__PNR_s390_pci_mmio_write          = -10198
+	__PNR_membarrier                   = -10199
+	__PNR_userfaultfd                  = -10200
+	__PNR_pkey_mprotect                = -10201
+	__PNR_pkey_alloc                   = -10202
+	__PNR_pkey_free                    = -10203
+	__PNR_get_tls                      = -10204
+	__PNR_s390_guarded_storage         = -10205
+	__PNR_s390_sthyi                   = -10206
+	__PNR_subpage_prot                 = -10207
+	__PNR_statx                        = -10208
+	__PNR_io_pgetevents                = -10209
+	__PNR_rseq                         = -10210
+	__PNR_setrlimit                    = -10211
+	__PNR_clock_adjtime64              = -10212
+	__PNR_clock_getres_time64          = -10213
+	__PNR_clock_gettime64              = -10214
+	__PNR_clock_nanosleep_time64       = -10215
+	__PNR_clock_settime64              = -10216
+	__PNR_clone3                       = -10217
+	__PNR_fsconfig                     = -10218
+	__PNR_fsmount                      = -10219
+	__PNR_fsopen                       = -10220
+	__PNR_fspick                       = -10221
+	__PNR_futex_time64                 = -10222
+	__PNR_io_pgetevents_time64         = -10223
+	__PNR_move_mount                   = -10224
+	__PNR_mq_timedreceive_time64       = -10225
+	__PNR_mq_timedsend_time64          = -10226
+	__PNR_open_tree                    = -10227
+	__PNR_pidfd_open                   = -10228
+	__PNR_pidfd_send_signal            = -10229
+	__PNR_ppoll_time64                 = -10230
+	__PNR_pselect6_time64              = -10231
+	__PNR_recvmmsg_time64              = -10232
+	__PNR_rt_sigtimedwait_time64       = -10233
+	__PNR_sched_rr_get_interval_time64 = -10234
+	__PNR_semtimedop_time64            = -10235
+	__PNR_timer_gettime64              = -10236
+	__PNR_timer_settime64              = -10237
+	__PNR_timerfd_gettime64            = -10238
+	__PNR_timerfd_settime64            = -10239
+	__PNR_utimensat_time64             = -10240
+	__PNR_ppoll                        = -10241
+	__PNR_renameat                     = -10242
+	__PNR_riscv_flush_icache           = -10243
+	__PNR_memfd_secret                 = -10244
+	__PNR_map_shadow_stack             = -10245
+	__PNR_fstat                        = -10246
+	__PNR_atomic_barrier               = -10247
+	__PNR_atomic_cmpxchg_32            = -10248
+	__PNR_getpagesize                  = -10249
+	__PNR_riscv_hwprobe                = -10250
+	__PNR_uretprobe                    = -10251
+)
--- a/container/std/seccomp.go
+++ b/container/std/seccomp.go
@@ -0,0 +1,76 @@
+package std
+
+import (
+	"encoding/json"
+	"strconv"
+)
+
+type (
+	// ScmpUint is equivalent to C.uint.
+	ScmpUint uint32
+	// ScmpInt is equivalent to C.int.
+	ScmpInt int32
+
+	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+	ScmpSyscall ScmpInt
+	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
+	ScmpErrno ScmpInt
+
+	// ScmpCompare is equivalent to enum scmp_compare;
+	ScmpCompare ScmpUint
+	// ScmpDatum is equivalent to scmp_datum_t.
+	ScmpDatum uint64
+
+	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
+	ScmpArgCmp struct {
+		// argument number, starting at 0
+		Arg ScmpUint `json:"arg"`
+		// the comparison op, e.g. SCMP_CMP_*
+		Op ScmpCompare `json:"op"`
+
+		DatumA ScmpDatum `json:"a,omitempty"`
+		DatumB ScmpDatum `json:"b,omitempty"`
+	}
+
+	// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+	NativeRule struct {
+		// Syscall is the arch-dependent syscall number to act against.
+		Syscall ScmpSyscall `json:"syscall"`
+		// Errno is the errno value to return when the condition is satisfied.
+		Errno ScmpErrno `json:"errno"`
+		// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
+		Arg *ScmpArgCmp `json:"arg,omitempty"`
+	}
+)
+
+// MarshalJSON resolves the name of [ScmpSyscall] and encodes it as a [json] string.
+// If such a name does not exist, the syscall number is encoded instead.
+func (num *ScmpSyscall) MarshalJSON() ([]byte, error) {
+	n := int(*num)
+	for name, cur := range Syscalls() {
+		if cur == n {
+			return json.Marshal(name)
+		}
+	}
+	return json.Marshal(n)
+}
+
+// SyscallNameError is returned when trying to unmarshal an invalid syscall name into [ScmpSyscall].
+type SyscallNameError string
+
+func (e SyscallNameError) Error() string { return "invalid syscall name " + strconv.Quote(string(e)) }
+
+// UnmarshalJSON looks up the syscall number corresponding to name encoded in data
+// by calling [SyscallResolveName].
+func (num *ScmpSyscall) UnmarshalJSON(data []byte) error {
+	var name string
+	if err := json.Unmarshal(data, &name); err != nil {
+		return err
+	}
+	if n, ok := SyscallResolveName(name); !ok {
+		return SyscallNameError(name)
+	} else {
+		*num = ScmpSyscall(n)
+		return nil
+	}
+}
--- a/container/std/seccomp_test.go
+++ b/container/std/seccomp_test.go
@@ -0,0 +1,63 @@
+package std_test
+
+import (
+	"encoding/json"
+	"errors"
+	"math"
+	"reflect"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/std"
+)
+
+func TestScmpSyscall(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		data string
+		want std.ScmpSyscall
+		err  error
+	}{
+		{"select", `"select"`, syscall.SYS_SELECT, nil},
+		{"clone3", `"clone3"`, std.SYS_CLONE3, nil},
+
+		{"oob", `-2147483647`, -math.MaxInt32,
+			&json.UnmarshalTypeError{Value: "number", Type: reflect.TypeFor[string](), Offset: 11}},
+		{"name", `"nonexistent_syscall"`, -math.MaxInt32,
+			std.SyscallNameError("nonexistent_syscall")},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("decode", func(t *testing.T) {
+				var got std.ScmpSyscall
+				if err := json.Unmarshal([]byte(tc.data), &got); !reflect.DeepEqual(err, tc.err) {
+					t.Fatalf("Unmarshal: error = %#v, want %#v", err, tc.err)
+				} else if err == nil && got != tc.want {
+					t.Errorf("Unmarshal: %v, want %v", got, tc.want)
+				}
+			})
+			if errors.As(tc.err, new(std.SyscallNameError)) {
+				return
+			}
+
+			t.Run("encode", func(t *testing.T) {
+				if got, err := json.Marshal(&tc.want); err != nil {
+					t.Fatalf("Marshal: error = %v", err)
+				} else if string(got) != tc.data {
+					t.Errorf("Marshal: %s, want %s", string(got), tc.data)
+				}
+			})
+		})
+	}
+
+	t.Run("error", func(t *testing.T) {
+		const want = `invalid syscall name "\x00"`
+		if got := std.SyscallNameError("\x00").Error(); got != want {
+			t.Fatalf("Error: %q, want %q", got, want)
+		}
+	})
+}
--- a/container/seccomp/syscall.go
+++ b/container/seccomp/syscall.go
@@ -1,4 +1,4 @@
-package seccomp
+package std

 import "iter"

--- a/container/std/syscall_extra_linux_386.go
+++ b/container/std/syscall_extra_linux_386.go
@@ -0,0 +1,13 @@
+package std
+
+var syscallNumExtra = map[string]int{
+	"kexec_file_load": SYS_KEXEC_FILE_LOAD,
+	"subpage_prot":    SYS_SUBPAGE_PROT,
+	"switch_endian":   SYS_SWITCH_ENDIAN,
+}
+
+const (
+	SYS_KEXEC_FILE_LOAD = __PNR_kexec_file_load
+	SYS_SUBPAGE_PROT    = __PNR_subpage_prot
+	SYS_SWITCH_ENDIAN   = __PNR_switch_endian
+)
--- a/container/std/syscall_extra_linux_amd64.go
+++ b/container/std/syscall_extra_linux_amd64.go
@@ -0,0 +1,41 @@
+package std
+
+var syscallNumExtra = map[string]int{
+	"umount":          SYS_UMOUNT,
+	"subpage_prot":    SYS_SUBPAGE_PROT,
+	"switch_endian":   SYS_SWITCH_ENDIAN,
+	"vm86":            SYS_VM86,
+	"vm86old":         SYS_VM86OLD,
+	"clock_adjtime64": SYS_CLOCK_ADJTIME64,
+	"clock_settime64": SYS_CLOCK_SETTIME64,
+	"chown32":         SYS_CHOWN32,
+	"fchown32":        SYS_FCHOWN32,
+	"lchown32":        SYS_LCHOWN32,
+	"setgid32":        SYS_SETGID32,
+	"setgroups32":     SYS_SETGROUPS32,
+	"setregid32":      SYS_SETREGID32,
+	"setresgid32":     SYS_SETRESGID32,
+	"setresuid32":     SYS_SETRESUID32,
+	"setreuid32":      SYS_SETREUID32,
+	"setuid32":        SYS_SETUID32,
+}
+
+const (
+	SYS_UMOUNT          = __PNR_umount
+	SYS_SUBPAGE_PROT    = __PNR_subpage_prot
+	SYS_SWITCH_ENDIAN   = __PNR_switch_endian
+	SYS_VM86            = __PNR_vm86
+	SYS_VM86OLD         = __PNR_vm86old
+	SYS_CLOCK_ADJTIME64 = __PNR_clock_adjtime64
+	SYS_CLOCK_SETTIME64 = __PNR_clock_settime64
+	SYS_CHOWN32         = __PNR_chown32
+	SYS_FCHOWN32        = __PNR_fchown32
+	SYS_LCHOWN32        = __PNR_lchown32
+	SYS_SETGID32        = __PNR_setgid32
+	SYS_SETGROUPS32     = __PNR_setgroups32
+	SYS_SETREGID32      = __PNR_setregid32
+	SYS_SETRESGID32     = __PNR_setresgid32
+	SYS_SETRESUID32     = __PNR_setresuid32
+	SYS_SETREUID32      = __PNR_setreuid32
+	SYS_SETUID32        = __PNR_setuid32
+)
--- a/container/std/syscall_extra_linux_arm64.go
+++ b/container/std/syscall_extra_linux_arm64.go
@@ -0,0 +1,55 @@
+package std
+
+import "syscall"
+
+const (
+	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
+)
+
+var syscallNumExtra = map[string]int{
+	"uselib":          SYS_USELIB,
+	"clock_adjtime64": SYS_CLOCK_ADJTIME64,
+	"clock_settime64": SYS_CLOCK_SETTIME64,
+	"umount":          SYS_UMOUNT,
+	"chown":           SYS_CHOWN,
+	"chown32":         SYS_CHOWN32,
+	"fchown32":        SYS_FCHOWN32,
+	"lchown":          SYS_LCHOWN,
+	"lchown32":        SYS_LCHOWN32,
+	"setgid32":        SYS_SETGID32,
+	"setgroups32":     SYS_SETGROUPS32,
+	"setregid32":      SYS_SETREGID32,
+	"setresgid32":     SYS_SETRESGID32,
+	"setresuid32":     SYS_SETRESUID32,
+	"setreuid32":      SYS_SETREUID32,
+	"setuid32":        SYS_SETUID32,
+	"modify_ldt":      SYS_MODIFY_LDT,
+	"subpage_prot":    SYS_SUBPAGE_PROT,
+	"switch_endian":   SYS_SWITCH_ENDIAN,
+	"vm86":            SYS_VM86,
+	"vm86old":         SYS_VM86OLD,
+}
+
+const (
+	SYS_USELIB          = __PNR_uselib
+	SYS_CLOCK_ADJTIME64 = __PNR_clock_adjtime64
+	SYS_CLOCK_SETTIME64 = __PNR_clock_settime64
+	SYS_UMOUNT          = __PNR_umount
+	SYS_CHOWN           = __PNR_chown
+	SYS_CHOWN32         = __PNR_chown32
+	SYS_FCHOWN32        = __PNR_fchown32
+	SYS_LCHOWN          = __PNR_lchown
+	SYS_LCHOWN32        = __PNR_lchown32
+	SYS_SETGID32        = __PNR_setgid32
+	SYS_SETGROUPS32     = __PNR_setgroups32
+	SYS_SETREGID32      = __PNR_setregid32
+	SYS_SETRESGID32     = __PNR_setresgid32
+	SYS_SETRESUID32     = __PNR_setresuid32
+	SYS_SETREUID32      = __PNR_setreuid32
+	SYS_SETUID32        = __PNR_setuid32
+	SYS_MODIFY_LDT      = __PNR_modify_ldt
+	SYS_SUBPAGE_PROT    = __PNR_subpage_prot
+	SYS_SWITCH_ENDIAN   = __PNR_switch_endian
+	SYS_VM86            = __PNR_vm86
+	SYS_VM86OLD         = __PNR_vm86old
+)
--- a/container/std/syscall_linux_386.go
+++ b/container/std/syscall_linux_386.go
@@ -0,0 +1,579 @@
+// mksysnum_linux.pl /usr/include/asm/unistd_32.h
+// Code generated by the command above; DO NOT EDIT.
+
+package std
+
+import . "syscall"
+
+var syscallNum = map[string]int{
+	"restart_syscall":              SYS_RESTART_SYSCALL,
+	"exit":                         SYS_EXIT,
+	"fork":                         SYS_FORK,
+	"read":                         SYS_READ,
+	"write":                        SYS_WRITE,
+	"open":                         SYS_OPEN,
+	"close":                        SYS_CLOSE,
+	"waitpid":                      SYS_WAITPID,
+	"creat":                        SYS_CREAT,
+	"link":                         SYS_LINK,
+	"unlink":                       SYS_UNLINK,
+	"execve":                       SYS_EXECVE,
+	"chdir":                        SYS_CHDIR,
+	"time":                         SYS_TIME,
+	"mknod":                        SYS_MKNOD,
+	"chmod":                        SYS_CHMOD,
+	"lchown":                       SYS_LCHOWN,
+	"break":                        SYS_BREAK,
+	"oldstat":                      SYS_OLDSTAT,
+	"lseek":                        SYS_LSEEK,
+	"getpid":                       SYS_GETPID,
+	"mount":                        SYS_MOUNT,
+	"umount":                       SYS_UMOUNT,
+	"setuid":                       SYS_SETUID,
+	"getuid":                       SYS_GETUID,
+	"stime":                        SYS_STIME,
+	"ptrace":                       SYS_PTRACE,
+	"alarm":                        SYS_ALARM,
+	"oldfstat":                     SYS_OLDFSTAT,
+	"pause":                        SYS_PAUSE,
+	"utime":                        SYS_UTIME,
+	"stty":                         SYS_STTY,
+	"gtty":                         SYS_GTTY,
+	"access":                       SYS_ACCESS,
+	"nice":                         SYS_NICE,
+	"ftime":                        SYS_FTIME,
+	"sync":                         SYS_SYNC,
+	"kill":                         SYS_KILL,
+	"rename":                       SYS_RENAME,
+	"mkdir":                        SYS_MKDIR,
+	"rmdir":                        SYS_RMDIR,
+	"dup":                          SYS_DUP,
+	"pipe":                         SYS_PIPE,
+	"times":                        SYS_TIMES,
+	"prof":                         SYS_PROF,
+	"brk":                          SYS_BRK,
+	"setgid":                       SYS_SETGID,
+	"getgid":                       SYS_GETGID,
+	"signal":                       SYS_SIGNAL,
+	"geteuid":                      SYS_GETEUID,
+	"getegid":                      SYS_GETEGID,
+	"acct":                         SYS_ACCT,
+	"umount2":                      SYS_UMOUNT2,
+	"lock":                         SYS_LOCK,
+	"ioctl":                        SYS_IOCTL,
+	"fcntl":                        SYS_FCNTL,
+	"mpx":                          SYS_MPX,
+	"setpgid":                      SYS_SETPGID,
+	"ulimit":                       SYS_ULIMIT,
+	"oldolduname":                  SYS_OLDOLDUNAME,
+	"umask":                        SYS_UMASK,
+	"chroot":                       SYS_CHROOT,
+	"ustat":                        SYS_USTAT,
+	"dup2":                         SYS_DUP2,
+	"getppid":                      SYS_GETPPID,
+	"getpgrp":                      SYS_GETPGRP,
+	"setsid":                       SYS_SETSID,
+	"sigaction":                    SYS_SIGACTION,
+	"sgetmask":                     SYS_SGETMASK,
+	"ssetmask":                     SYS_SSETMASK,
+	"setreuid":                     SYS_SETREUID,
+	"setregid":                     SYS_SETREGID,
+	"sigsuspend":                   SYS_SIGSUSPEND,
+	"sigpending":                   SYS_SIGPENDING,
+	"sethostname":                  SYS_SETHOSTNAME,
+	"setrlimit":                    SYS_SETRLIMIT,
+	"getrlimit":                    SYS_GETRLIMIT,
+	"getrusage":                    SYS_GETRUSAGE,
+	"gettimeofday":                 SYS_GETTIMEOFDAY,
+	"settimeofday":                 SYS_SETTIMEOFDAY,
+	"getgroups":                    SYS_GETGROUPS,
+	"setgroups":                    SYS_SETGROUPS,
+	"select":                       SYS_SELECT,
+	"symlink":                      SYS_SYMLINK,
+	"oldlstat":                     SYS_OLDLSTAT,
+	"readlink":                     SYS_READLINK,
+	"uselib":                       SYS_USELIB,
+	"swapon":                       SYS_SWAPON,
+	"reboot":                       SYS_REBOOT,
+	"readdir":                      SYS_READDIR,
+	"mmap":                         SYS_MMAP,
+	"munmap":                       SYS_MUNMAP,
+	"truncate":                     SYS_TRUNCATE,
+	"ftruncate":                    SYS_FTRUNCATE,
+	"fchmod":                       SYS_FCHMOD,
+	"fchown":                       SYS_FCHOWN,
+	"getpriority":                  SYS_GETPRIORITY,
+	"setpriority":                  SYS_SETPRIORITY,
+	"profil":                       SYS_PROFIL,
+	"statfs":                       SYS_STATFS,
+	"fstatfs":                      SYS_FSTATFS,
+	"ioperm":                       SYS_IOPERM,
+	"socketcall":                   SYS_SOCKETCALL,
+	"syslog":                       SYS_SYSLOG,
+	"setitimer":                    SYS_SETITIMER,
+	"getitimer":                    SYS_GETITIMER,
+	"stat":                         SYS_STAT,
+	"lstat":                        SYS_LSTAT,
+	"fstat":                        SYS_FSTAT,
+	"olduname":                     SYS_OLDUNAME,
+	"iopl":                         SYS_IOPL,
+	"vhangup":                      SYS_VHANGUP,
+	"idle":                         SYS_IDLE,
+	"vm86old":                      SYS_VM86OLD,
+	"wait4":                        SYS_WAIT4,
+	"swapoff":                      SYS_SWAPOFF,
+	"sysinfo":                      SYS_SYSINFO,
+	"ipc":                          SYS_IPC,
+	"fsync":                        SYS_FSYNC,
+	"sigreturn":                    SYS_SIGRETURN,
+	"clone":                        SYS_CLONE,
+	"setdomainname":                SYS_SETDOMAINNAME,
+	"uname":                        SYS_UNAME,
+	"modify_ldt":                   SYS_MODIFY_LDT,
+	"adjtimex":                     SYS_ADJTIMEX,
+	"mprotect":                     SYS_MPROTECT,
+	"sigprocmask":                  SYS_SIGPROCMASK,
+	"create_module":                SYS_CREATE_MODULE,
+	"init_module":                  SYS_INIT_MODULE,
+	"delete_module":                SYS_DELETE_MODULE,
+	"get_kernel_syms":              SYS_GET_KERNEL_SYMS,
+	"quotactl":                     SYS_QUOTACTL,
+	"getpgid":                      SYS_GETPGID,
+	"fchdir":                       SYS_FCHDIR,
+	"bdflush":                      SYS_BDFLUSH,
+	"sysfs":                        SYS_SYSFS,
+	"personality":                  SYS_PERSONALITY,
+	"afs_syscall":                  SYS_AFS_SYSCALL,
+	"setfsuid":                     SYS_SETFSUID,
+	"setfsgid":                     SYS_SETFSGID,
+	"_llseek":                      SYS__LLSEEK,
+	"getdents":                     SYS_GETDENTS,
+	"_newselect":                   SYS__NEWSELECT,
+	"flock":                        SYS_FLOCK,
+	"msync":                        SYS_MSYNC,
+	"readv":                        SYS_READV,
+	"writev":                       SYS_WRITEV,
+	"getsid":                       SYS_GETSID,
+	"fdatasync":                    SYS_FDATASYNC,
+	"_sysctl":                      SYS__SYSCTL,
+	"mlock":                        SYS_MLOCK,
+	"munlock":                      SYS_MUNLOCK,
+	"mlockall":                     SYS_MLOCKALL,
+	"munlockall":                   SYS_MUNLOCKALL,
+	"sched_setparam":               SYS_SCHED_SETPARAM,
+	"sched_getparam":               SYS_SCHED_GETPARAM,
+	"sched_setscheduler":           SYS_SCHED_SETSCHEDULER,
+	"sched_getscheduler":           SYS_SCHED_GETSCHEDULER,
+	"sched_yield":                  SYS_SCHED_YIELD,
+	"sched_get_priority_max":       SYS_SCHED_GET_PRIORITY_MAX,
+	"sched_get_priority_min":       SYS_SCHED_GET_PRIORITY_MIN,
+	"sched_rr_get_interval":        SYS_SCHED_RR_GET_INTERVAL,
+	"nanosleep":                    SYS_NANOSLEEP,
+	"mremap":                       SYS_MREMAP,
+	"setresuid":                    SYS_SETRESUID,
+	"getresuid":                    SYS_GETRESUID,
+	"vm86":                         SYS_VM86,
+	"query_module":                 SYS_QUERY_MODULE,
+	"poll":                         SYS_POLL,
+	"nfsservctl":                   SYS_NFSSERVCTL,
+	"setresgid":                    SYS_SETRESGID,
+	"getresgid":                    SYS_GETRESGID,
+	"prctl":                        SYS_PRCTL,
+	"rt_sigreturn":                 SYS_RT_SIGRETURN,
+	"rt_sigaction":                 SYS_RT_SIGACTION,
+	"rt_sigprocmask":               SYS_RT_SIGPROCMASK,
+	"rt_sigpending":                SYS_RT_SIGPENDING,
+	"rt_sigtimedwait":              SYS_RT_SIGTIMEDWAIT,
+	"rt_sigqueueinfo":              SYS_RT_SIGQUEUEINFO,
+	"rt_sigsuspend":                SYS_RT_SIGSUSPEND,
+	"pread64":                      SYS_PREAD64,
+	"pwrite64":                     SYS_PWRITE64,
+	"chown":                        SYS_CHOWN,
+	"getcwd":                       SYS_GETCWD,
+	"capget":                       SYS_CAPGET,
+	"capset":                       SYS_CAPSET,
+	"sigaltstack":                  SYS_SIGALTSTACK,
+	"sendfile":                     SYS_SENDFILE,
+	"getpmsg":                      SYS_GETPMSG,
+	"putpmsg":                      SYS_PUTPMSG,
+	"vfork":                        SYS_VFORK,
+	"ugetrlimit":                   SYS_UGETRLIMIT,
+	"mmap2":                        SYS_MMAP2,
+	"truncate64":                   SYS_TRUNCATE64,
+	"ftruncate64":                  SYS_FTRUNCATE64,
+	"stat64":                       SYS_STAT64,
+	"lstat64":                      SYS_LSTAT64,
+	"fstat64":                      SYS_FSTAT64,
+	"lchown32":                     SYS_LCHOWN32,
+	"getuid32":                     SYS_GETUID32,
+	"getgid32":                     SYS_GETGID32,
+	"geteuid32":                    SYS_GETEUID32,
+	"getegid32":                    SYS_GETEGID32,
+	"setreuid32":                   SYS_SETREUID32,
+	"setregid32":                   SYS_SETREGID32,
+	"getgroups32":                  SYS_GETGROUPS32,
+	"setgroups32":                  SYS_SETGROUPS32,
+	"fchown32":                     SYS_FCHOWN32,
+	"setresuid32":                  SYS_SETRESUID32,
+	"getresuid32":                  SYS_GETRESUID32,
+	"setresgid32":                  SYS_SETRESGID32,
+	"getresgid32":                  SYS_GETRESGID32,
+	"chown32":                      SYS_CHOWN32,
+	"setuid32":                     SYS_SETUID32,
+	"setgid32":                     SYS_SETGID32,
+	"setfsuid32":                   SYS_SETFSUID32,
+	"setfsgid32":                   SYS_SETFSGID32,
+	"pivot_root":                   SYS_PIVOT_ROOT,
+	"mincore":                      SYS_MINCORE,
+	"madvise":                      SYS_MADVISE,
+	"getdents64":                   SYS_GETDENTS64,
+	"fcntl64":                      SYS_FCNTL64,
+	"gettid":                       SYS_GETTID,
+	"readahead":                    SYS_READAHEAD,
+	"setxattr":                     SYS_SETXATTR,
+	"lsetxattr":                    SYS_LSETXATTR,
+	"fsetxattr":                    SYS_FSETXATTR,
+	"getxattr":                     SYS_GETXATTR,
+	"lgetxattr":                    SYS_LGETXATTR,
+	"fgetxattr":                    SYS_FGETXATTR,
+	"listxattr":                    SYS_LISTXATTR,
+	"llistxattr":                   SYS_LLISTXATTR,
+	"flistxattr":                   SYS_FLISTXATTR,
+	"removexattr":                  SYS_REMOVEXATTR,
+	"lremovexattr":                 SYS_LREMOVEXATTR,
+	"fremovexattr":                 SYS_FREMOVEXATTR,
+	"tkill":                        SYS_TKILL,
+	"sendfile64":                   SYS_SENDFILE64,
+	"futex":                        SYS_FUTEX,
+	"sched_setaffinity":            SYS_SCHED_SETAFFINITY,
+	"sched_getaffinity":            SYS_SCHED_GETAFFINITY,
+	"set_thread_area":              SYS_SET_THREAD_AREA,
+	"get_thread_area":              SYS_GET_THREAD_AREA,
+	"io_setup":                     SYS_IO_SETUP,
+	"io_destroy":                   SYS_IO_DESTROY,
+	"io_getevents":                 SYS_IO_GETEVENTS,
+	"io_submit":                    SYS_IO_SUBMIT,
+	"io_cancel":                    SYS_IO_CANCEL,
+	"fadvise64":                    SYS_FADVISE64,
+	"exit_group":                   SYS_EXIT_GROUP,
+	"lookup_dcookie":               SYS_LOOKUP_DCOOKIE,
+	"epoll_create":                 SYS_EPOLL_CREATE,
+	"epoll_ctl":                    SYS_EPOLL_CTL,
+	"epoll_wait":                   SYS_EPOLL_WAIT,
+	"remap_file_pages":             SYS_REMAP_FILE_PAGES,
+	"set_tid_address":              SYS_SET_TID_ADDRESS,
+	"timer_create":                 SYS_TIMER_CREATE,
+	"timer_settime":                SYS_TIMER_SETTIME,
+	"timer_gettime":                SYS_TIMER_GETTIME,
+	"timer_getoverrun":             SYS_TIMER_GETOVERRUN,
+	"timer_delete":                 SYS_TIMER_DELETE,
+	"clock_settime":                SYS_CLOCK_SETTIME,
+	"clock_gettime":                SYS_CLOCK_GETTIME,
+	"clock_getres":                 SYS_CLOCK_GETRES,
+	"clock_nanosleep":              SYS_CLOCK_NANOSLEEP,
+	"statfs64":                     SYS_STATFS64,
+	"fstatfs64":                    SYS_FSTATFS64,
+	"tgkill":                       SYS_TGKILL,
+	"utimes":                       SYS_UTIMES,
+	"fadvise64_64":                 SYS_FADVISE64_64,
+	"vserver":                      SYS_VSERVER,
+	"mbind":                        SYS_MBIND,
+	"get_mempolicy":                SYS_GET_MEMPOLICY,
+	"set_mempolicy":                SYS_SET_MEMPOLICY,
+	"mq_open":                      SYS_MQ_OPEN,
+	"mq_unlink":                    SYS_MQ_UNLINK,
+	"mq_timedsend":                 SYS_MQ_TIMEDSEND,
+	"mq_timedreceive":              SYS_MQ_TIMEDRECEIVE,
+	"mq_notify":                    SYS_MQ_NOTIFY,
+	"mq_getsetattr":                SYS_MQ_GETSETATTR,
+	"kexec_load":                   SYS_KEXEC_LOAD,
+	"waitid":                       SYS_WAITID,
+	"add_key":                      SYS_ADD_KEY,
+	"request_key":                  SYS_REQUEST_KEY,
+	"keyctl":                       SYS_KEYCTL,
+	"ioprio_set":                   SYS_IOPRIO_SET,
+	"ioprio_get":                   SYS_IOPRIO_GET,
+	"inotify_init":                 SYS_INOTIFY_INIT,
+	"inotify_add_watch":            SYS_INOTIFY_ADD_WATCH,
+	"inotify_rm_watch":             SYS_INOTIFY_RM_WATCH,
+	"migrate_pages":                SYS_MIGRATE_PAGES,
+	"openat":                       SYS_OPENAT,
+	"mkdirat":                      SYS_MKDIRAT,
+	"mknodat":                      SYS_MKNODAT,
+	"fchownat":                     SYS_FCHOWNAT,
+	"futimesat":                    SYS_FUTIMESAT,
+	"fstatat64":                    SYS_FSTATAT64,
+	"unlinkat":                     SYS_UNLINKAT,
+	"renameat":                     SYS_RENAMEAT,
+	"linkat":                       SYS_LINKAT,
+	"symlinkat":                    SYS_SYMLINKAT,
+	"readlinkat":                   SYS_READLINKAT,
+	"fchmodat":                     SYS_FCHMODAT,
+	"faccessat":                    SYS_FACCESSAT,
+	"pselect6":                     SYS_PSELECT6,
+	"ppoll":                        SYS_PPOLL,
+	"unshare":                      SYS_UNSHARE,
+	"set_robust_list":              SYS_SET_ROBUST_LIST,
+	"get_robust_list":              SYS_GET_ROBUST_LIST,
+	"splice":                       SYS_SPLICE,
+	"sync_file_range":              SYS_SYNC_FILE_RANGE,
+	"tee":                          SYS_TEE,
+	"vmsplice":                     SYS_VMSPLICE,
+	"move_pages":                   SYS_MOVE_PAGES,
+	"getcpu":                       SYS_GETCPU,
+	"epoll_pwait":                  SYS_EPOLL_PWAIT,
+	"utimensat":                    SYS_UTIMENSAT,
+	"signalfd":                     SYS_SIGNALFD,
+	"timerfd_create":               SYS_TIMERFD_CREATE,
+	"eventfd":                      SYS_EVENTFD,
+	"fallocate":                    SYS_FALLOCATE,
+	"timerfd_settime":              SYS_TIMERFD_SETTIME,
+	"timerfd_gettime":              SYS_TIMERFD_GETTIME,
+	"signalfd4":                    SYS_SIGNALFD4,
+	"eventfd2":                     SYS_EVENTFD2,
+	"epoll_create1":                SYS_EPOLL_CREATE1,
+	"dup3":                         SYS_DUP3,
+	"pipe2":                        SYS_PIPE2,
+	"inotify_init1":                SYS_INOTIFY_INIT1,
+	"preadv":                       SYS_PREADV,
+	"pwritev":                      SYS_PWRITEV,
+	"rt_tgsigqueueinfo":            SYS_RT_TGSIGQUEUEINFO,
+	"perf_event_open":              SYS_PERF_EVENT_OPEN,
+	"recvmmsg":                     __PNR_recvmmsg,
+	"fanotify_init":                SYS_FANOTIFY_INIT,
+	"fanotify_mark":                SYS_FANOTIFY_MARK,
+	"prlimit64":                    SYS_PRLIMIT64,
+	"name_to_handle_at":            SYS_NAME_TO_HANDLE_AT,
+	"open_by_handle_at":            SYS_OPEN_BY_HANDLE_AT,
+	"clock_adjtime":                SYS_CLOCK_ADJTIME,
+	"syncfs":                       SYS_SYNCFS,
+	"sendmmsg":                     __PNR_sendmmsg,
+	"setns":                        SYS_SETNS,
+	"process_vm_readv":             SYS_PROCESS_VM_READV,
+	"process_vm_writev":            SYS_PROCESS_VM_WRITEV,
+	"kcmp":                         SYS_KCMP,
+	"finit_module":                 SYS_FINIT_MODULE,
+	"sched_setattr":                SYS_SCHED_SETATTR,
+	"sched_getattr":                SYS_SCHED_GETATTR,
+	"renameat2":                    SYS_RENAMEAT2,
+	"seccomp":                      SYS_SECCOMP,
+	"getrandom":                    SYS_GETRANDOM,
+	"memfd_create":                 SYS_MEMFD_CREATE,
+	"bpf":                          SYS_BPF,
+	"execveat":                     SYS_EXECVEAT,
+	"socket":                       __PNR_socket,
+	"socketpair":                   __PNR_socketpair,
+	"bind":                         __PNR_bind,
+	"connect":                      __PNR_connect,
+	"listen":                       __PNR_listen,
+	"accept4":                      __PNR_accept4,
+	"getsockopt":                   __PNR_getsockopt,
+	"setsockopt":                   __PNR_setsockopt,
+	"getsockname":                  __PNR_getsockname,
+	"getpeername":                  __PNR_getpeername,
+	"sendto":                       __PNR_sendto,
+	"sendmsg":                      __PNR_sendmsg,
+	"recvfrom":                     __PNR_recvfrom,
+	"recvmsg":                      __PNR_recvmsg,
+	"shutdown":                     __PNR_shutdown,
+	"userfaultfd":                  SYS_USERFAULTFD,
+	"membarrier":                   SYS_MEMBARRIER,
+	"mlock2":                       SYS_MLOCK2,
+	"copy_file_range":              SYS_COPY_FILE_RANGE,
+	"preadv2":                      SYS_PREADV2,
+	"pwritev2":                     SYS_PWRITEV2,
+	"pkey_mprotect":                SYS_PKEY_MPROTECT,
+	"pkey_alloc":                   SYS_PKEY_ALLOC,
+	"pkey_free":                    SYS_PKEY_FREE,
+	"statx":                        SYS_STATX,
+	"arch_prctl":                   SYS_ARCH_PRCTL,
+	"io_pgetevents":                SYS_IO_PGETEVENTS,
+	"rseq":                         SYS_RSEQ,
+	"semget":                       __PNR_semget,
+	"semctl":                       __PNR_semctl,
+	"shmget":                       __PNR_shmget,
+	"shmctl":                       __PNR_shmctl,
+	"shmat":                        __PNR_shmat,
+	"shmdt":                        __PNR_shmdt,
+	"msgget":                       __PNR_msgget,
+	"msgsnd":                       __PNR_msgsnd,
+	"msgrcv":                       __PNR_msgrcv,
+	"msgctl":                       __PNR_msgctl,
+	"clock_gettime64":              SYS_CLOCK_GETTIME64,
+	"clock_settime64":              SYS_CLOCK_SETTIME64,
+	"clock_adjtime64":              SYS_CLOCK_ADJTIME64,
+	"clock_getres_time64":          SYS_CLOCK_GETRES_TIME64,
+	"clock_nanosleep_time64":       SYS_CLOCK_NANOSLEEP_TIME64,
+	"timer_gettime64":              SYS_TIMER_GETTIME64,
+	"timer_settime64":              SYS_TIMER_SETTIME64,
+	"timerfd_gettime64":            SYS_TIMERFD_GETTIME64,
+	"timerfd_settime64":            SYS_TIMERFD_SETTIME64,
+	"utimensat_time64":             SYS_UTIMENSAT_TIME64,
+	"pselect6_time64":              SYS_PSELECT6_TIME64,
+	"ppoll_time64":                 SYS_PPOLL_TIME64,
+	"io_pgetevents_time64":         SYS_IO_PGETEVENTS_TIME64,
+	"recvmmsg_time64":              SYS_RECVMMSG_TIME64,
+	"mq_timedsend_time64":          SYS_MQ_TIMEDSEND_TIME64,
+	"mq_timedreceive_time64":       SYS_MQ_TIMEDRECEIVE_TIME64,
+	"semtimedop_time64":            SYS_SEMTIMEDOP_TIME64,
+	"rt_sigtimedwait_time64":       SYS_RT_SIGTIMEDWAIT_TIME64,
+	"futex_time64":                 SYS_FUTEX_TIME64,
+	"sched_rr_get_interval_time64": SYS_SCHED_RR_GET_INTERVAL_TIME64,
+	"pidfd_send_signal":            SYS_PIDFD_SEND_SIGNAL,
+	"io_uring_setup":               SYS_IO_URING_SETUP,
+	"io_uring_enter":               SYS_IO_URING_ENTER,
+	"io_uring_register":            SYS_IO_URING_REGISTER,
+	"open_tree":                    SYS_OPEN_TREE,
+	"move_mount":                   SYS_MOVE_MOUNT,
+	"fsopen":                       SYS_FSOPEN,
+	"fsconfig":                     SYS_FSCONFIG,
+	"fsmount":                      SYS_FSMOUNT,
+	"fspick":                       SYS_FSPICK,
+	"pidfd_open":                   SYS_PIDFD_OPEN,
+	"clone3":                       SYS_CLONE3,
+	"close_range":                  SYS_CLOSE_RANGE,
+	"openat2":                      SYS_OPENAT2,
+	"pidfd_getfd":                  SYS_PIDFD_GETFD,
+	"faccessat2":                   SYS_FACCESSAT2,
+	"process_madvise":              SYS_PROCESS_MADVISE,
+	"epoll_pwait2":                 SYS_EPOLL_PWAIT2,
+	"mount_setattr":                SYS_MOUNT_SETATTR,
+	"quotactl_fd":                  SYS_QUOTACTL_FD,
+	"landlock_create_ruleset":      SYS_LANDLOCK_CREATE_RULESET,
+	"landlock_add_rule":            SYS_LANDLOCK_ADD_RULE,
+	"landlock_restrict_self":       SYS_LANDLOCK_RESTRICT_SELF,
+	"memfd_secret":                 SYS_MEMFD_SECRET,
+	"process_mrelease":             SYS_PROCESS_MRELEASE,
+	"futex_waitv":                  SYS_FUTEX_WAITV,
+	"set_mempolicy_home_node":      SYS_SET_MEMPOLICY_HOME_NODE,
+	"cachestat":                    SYS_CACHESTAT,
+	"fchmodat2":                    SYS_FCHMODAT2,
+	"map_shadow_stack":             SYS_MAP_SHADOW_STACK,
+	"futex_wake":                   SYS_FUTEX_WAKE,
+	"futex_wait":                   SYS_FUTEX_WAIT,
+	"futex_requeue":                SYS_FUTEX_REQUEUE,
+	"statmount":                    SYS_STATMOUNT,
+	"listmount":                    SYS_LISTMOUNT,
+	"lsm_get_self_attr":            SYS_LSM_GET_SELF_ATTR,
+	"lsm_set_self_attr":            SYS_LSM_SET_SELF_ATTR,
+	"lsm_list_modules":             SYS_LSM_LIST_MODULES,
+	"mseal":                        SYS_MSEAL,
+}
+
+const (
+	SYS_NAME_TO_HANDLE_AT            = 341
+	SYS_OPEN_BY_HANDLE_AT            = 342
+	SYS_CLOCK_ADJTIME                = 343
+	SYS_SYNCFS                       = 344
+	SYS_SENDMMSG                     = 345
+	SYS_SETNS                        = 346
+	SYS_PROCESS_VM_READV             = 347
+	SYS_PROCESS_VM_WRITEV            = 348
+	SYS_KCMP                         = 349
+	SYS_FINIT_MODULE                 = 350
+	SYS_SCHED_SETATTR                = 351
+	SYS_SCHED_GETATTR                = 352
+	SYS_RENAMEAT2                    = 353
+	SYS_SECCOMP                      = 354
+	SYS_GETRANDOM                    = 355
+	SYS_MEMFD_CREATE                 = 356
+	SYS_BPF                          = 357
+	SYS_EXECVEAT                     = 358
+	SYS_SOCKET                       = 359
+	SYS_SOCKETPAIR                   = 360
+	SYS_BIND                         = 361
+	SYS_CONNECT                      = 362
+	SYS_LISTEN                       = 363
+	SYS_ACCEPT4                      = 364
+	SYS_GETSOCKOPT                   = 365
+	SYS_SETSOCKOPT                   = 366
+	SYS_GETSOCKNAME                  = 367
+	SYS_GETPEERNAME                  = 368
+	SYS_SENDTO                       = 369
+	SYS_SENDMSG                      = 370
+	SYS_RECVFROM                     = 371
+	SYS_RECVMSG                      = 372
+	SYS_SHUTDOWN                     = 373
+	SYS_USERFAULTFD                  = 374
+	SYS_MEMBARRIER                   = 375
+	SYS_MLOCK2                       = 376
+	SYS_COPY_FILE_RANGE              = 377
+	SYS_PREADV2                      = 378
+	SYS_PWRITEV2                     = 379
+	SYS_PKEY_MPROTECT                = 380
+	SYS_PKEY_ALLOC                   = 381
+	SYS_PKEY_FREE                    = 382
+	SYS_STATX                        = 383
+	SYS_ARCH_PRCTL                   = 384
+	SYS_IO_PGETEVENTS                = 385
+	SYS_RSEQ                         = 386
+	SYS_SEMGET                       = 393
+	SYS_SEMCTL                       = 394
+	SYS_SHMGET                       = 395
+	SYS_SHMCTL                       = 396
+	SYS_SHMAT                        = 397
+	SYS_SHMDT                        = 398
+	SYS_MSGGET                       = 399
+	SYS_MSGSND                       = 400
+	SYS_MSGRCV                       = 401
+	SYS_MSGCTL                       = 402
+	SYS_CLOCK_GETTIME64              = 403
+	SYS_CLOCK_SETTIME64              = 404
+	SYS_CLOCK_ADJTIME64              = 405
+	SYS_CLOCK_GETRES_TIME64          = 406
+	SYS_CLOCK_NANOSLEEP_TIME64       = 407
+	SYS_TIMER_GETTIME64              = 408
+	SYS_TIMER_SETTIME64              = 409
+	SYS_TIMERFD_GETTIME64            = 410
+	SYS_TIMERFD_SETTIME64            = 411
+	SYS_UTIMENSAT_TIME64             = 412
+	SYS_PSELECT6_TIME64              = 413
+	SYS_PPOLL_TIME64                 = 414
+	SYS_IO_PGETEVENTS_TIME64         = 416
+	SYS_RECVMMSG_TIME64              = 417
+	SYS_MQ_TIMEDSEND_TIME64          = 418
+	SYS_MQ_TIMEDRECEIVE_TIME64       = 419
+	SYS_SEMTIMEDOP_TIME64            = 420
+	SYS_RT_SIGTIMEDWAIT_TIME64       = 421
+	SYS_FUTEX_TIME64                 = 422
+	SYS_SCHED_RR_GET_INTERVAL_TIME64 = 423
+	SYS_PIDFD_SEND_SIGNAL            = 424
+	SYS_IO_URING_SETUP               = 425
+	SYS_IO_URING_ENTER               = 426
+	SYS_IO_URING_REGISTER            = 427
+	SYS_OPEN_TREE                    = 428
+	SYS_MOVE_MOUNT                   = 429
+	SYS_FSOPEN                       = 430
+	SYS_FSCONFIG                     = 431
+	SYS_FSMOUNT                      = 432
+	SYS_FSPICK                       = 433
+	SYS_PIDFD_OPEN                   = 434
+	SYS_CLONE3                       = 435
+	SYS_CLOSE_RANGE                  = 436
+	SYS_OPENAT2                      = 437
+	SYS_PIDFD_GETFD                  = 438
+	SYS_FACCESSAT2                   = 439
+	SYS_PROCESS_MADVISE              = 440
+	SYS_EPOLL_PWAIT2                 = 441
+	SYS_MOUNT_SETATTR                = 442
+	SYS_QUOTACTL_FD                  = 443
+	SYS_LANDLOCK_CREATE_RULESET      = 444
+	SYS_LANDLOCK_ADD_RULE            = 445
+	SYS_LANDLOCK_RESTRICT_SELF       = 446
+	SYS_MEMFD_SECRET                 = 447
+	SYS_PROCESS_MRELEASE             = 448
+	SYS_FUTEX_WAITV                  = 449
+	SYS_SET_MEMPOLICY_HOME_NODE      = 450
+	SYS_CACHESTAT                    = 451
+	SYS_FCHMODAT2                    = 452
+	SYS_MAP_SHADOW_STACK             = 453
+	SYS_FUTEX_WAKE                   = 454
+	SYS_FUTEX_WAIT                   = 455
+	SYS_FUTEX_REQUEUE                = 456
+	SYS_STATMOUNT                    = 457
+	SYS_LISTMOUNT                    = 458
+	SYS_LSM_GET_SELF_ATTR            = 459
+	SYS_LSM_SET_SELF_ATTR            = 460
+	SYS_LSM_LIST_MODULES             = 461
+	SYS_MSEAL                        = 462
+)
--- a/container/seccomp/syscall_linux_amd64.go
+++ b/container/seccomp/syscall_linux_amd64.go
@@ -1,7 +1,7 @@
 // mksysnum_linux.pl /usr/include/asm/unistd_64.h
 // Code generated by the command above; DO NOT EDIT.

-package seccomp
+package std

 import . "syscall"

--- a/container/seccomp/syscall_linux_arm64.go
+++ b/container/seccomp/syscall_linux_arm64.go
@@ -1,7 +1,7 @@
 // mksysnum_linux.pl /usr/include/asm/unistd_64.h
 // Code generated by the command above; DO NOT EDIT.

-package seccomp
+package std

 import . "syscall"

--- a/container/std/syscall_test.go
+++ b/container/std/syscall_test.go
@@ -0,0 +1,21 @@
+package std_test
+
+import (
+	"testing"
+
+	"hakurei.app/container/std"
+)
+
+func TestSyscallResolveName(t *testing.T) {
+	t.Parallel()
+
+	for name, want := range std.Syscalls() {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			if got, ok := std.SyscallResolveName(name); !ok || got != want {
+				t.Errorf("SyscallResolveName(%q) = %d, want %d", name, got, want)
+			}
+		})
+	}
+}
--- a/container/stub/errors.go
+++ b/container/stub/errors.go
@@ -13,7 +13,7 @@ var (
 type UniqueError uintptr

 func (e UniqueError) Error() string {
-	return "unique error " + strconv.Itoa(int(e)) + " injected by the test suite"
+	return "unique error " + strconv.FormatUint(uint64(e), 10) + " injected by the test suite"
 }

 func (e UniqueError) Is(target error) bool {
--- a/container/stub/exit.go
+++ b/container/stub/exit.go
@@ -3,10 +3,10 @@ package stub
 import "testing"

 // PanicExit is a magic panic value treated as a simulated exit.
-const PanicExit = 0xdeadbeef
+const PanicExit = 0xdead

 const (
-	panicFailNow = 0xcafe0000 + iota
+	panicFailNow = 0xcafe0 + iota
 	panicFatal
 	panicFatalf
 )
--- a/container/stub/exit_test.go
+++ b/container/stub/exit_test.go
@@ -53,7 +53,7 @@ func TestHandleExit(t *testing.T) {
 				}
 			}()
 			defer stub.HandleExit(ot)
-			panic(0xcafe0000)
+			panic(0xcafe0)
 		})

 		t.Run("Fail", func(t *testing.T) {
@@ -66,7 +66,7 @@ func TestHandleExit(t *testing.T) {
 				}
 			}()
 			defer handleExitNew(ot)
-			panic(0xcafe0000)
+			panic(0xcafe0)
 		})
 	})

@@ -82,14 +82,14 @@ func TestHandleExit(t *testing.T) {
 			t.Parallel()

 			defer func() {
-				want := 0xcafebabe
+				want := 0xcafe
 				if r := recover(); r != want {
 					t.Errorf("recover: %v, want %v", r, want)
 				}

 			}()
 			defer stub.HandleExit(t)
-			panic(0xcafebabe)
+			panic(0xcafe)
 		})

 		t.Run("new", func(t *testing.T) {
--- a/container/syscall_386.go
+++ b/container/syscall_386.go
@@ -0,0 +1,7 @@
+package container
+
+const (
+	O_PATH = 0x200000
+
+	PR_SET_NO_NEW_PRIVS = 0x26
+)
--- a/container/vfs/mountinfo_test.go
+++ b/container/vfs/mountinfo_test.go
@@ -26,11 +26,11 @@ func TestDecoderError(t *testing.T) {
 		target  error
 		targetF error
 	}{
-		{"errno", &vfs.DecoderError{Op: "parse", Line: 0xdeadbeef, Err: syscall.ENOTRECOVERABLE},
-			"parse mountinfo at line 3735928559: state not recoverable", syscall.ENOTRECOVERABLE, syscall.EROFS},
+		{"errno", &vfs.DecoderError{Op: "parse", Line: 0xdead, Err: syscall.ENOTRECOVERABLE},
+			"parse mountinfo at line 57005: state not recoverable", syscall.ENOTRECOVERABLE, syscall.EROFS},

-		{"strconv", &vfs.DecoderError{Op: "parse", Line: 0xdeadbeef, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
-			`parse mountinfo at line 3735928559: numeric field "meow" invalid syntax`, strconv.ErrSyntax, os.ErrInvalid},
+		{"strconv", &vfs.DecoderError{Op: "parse", Line: 0xdead, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
+			`parse mountinfo at line 57005: numeric field "meow" invalid syntax`, strconv.ErrSyntax, os.ErrInvalid},

 		{"unfold", &vfs.DecoderError{Op: "unfold", Line: -1, Err: vfs.UnfoldTargetError("/proc/nonexistent")},
 			"unfold mountinfo: mount point /proc/nonexistent never appeared in mountinfo", vfs.UnfoldTargetError("/proc/nonexistent"), os.ErrNotExist},
--- a/flake.nix
+++ b/flake.nix
@@ -244,10 +244,10 @@
              shellHook = "exec ${pkgs.writeShellScript "generate-syscall-table" ''
                set -e
                ${pkgs.perl}/bin/perl \
-                  container/seccomp/mksysnum_linux.pl \
+                  container/std/mksysnum_linux.pl \
                  ${pkgs.linuxHeaders}/include/asm/unistd_64.h | \
                  ${pkgs.go}/bin/gofmt > \
-                  container/seccomp/syscall_linux_${GOARCH.${system}}.go
+                  container/std/syscall_linux_${GOARCH.${system}}.go
              ''}";
            };
        }
--- a/hst/config.go
+++ b/hst/config.go
@@ -12,7 +12,7 @@ import (
 type Config struct {
 	// Reverse-DNS style configured arbitrary identifier string.
 	// Passed to wayland security-context-v1 and used as part of defaults in dbus session proxy.
-	ID string `json:"id"`
+	ID string `json:"id,omitempty"`

 	// System services to make available in the container.
 	Enablements *Enablements `json:"enablements,omitempty"`
@@ -59,7 +59,7 @@ func (config *Config) Validate() error {
 	}

 	// this is checked again in hsu
-	if config.Identity < IdentityMin || config.Identity > IdentityMax {
+	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
 		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}
--- a/hst/container.go
+++ b/hst/container.go
@@ -20,11 +20,6 @@ const (
 	WaitDelayDefault = 5 * time.Second
 	// WaitDelayMax is used if WaitDelay exceeds its value.
 	WaitDelayMax = 30 * time.Second
-
-	// IdentityMin is the minimum value of [Config.Identity]. This is enforced by cmd/hsu.
-	IdentityMin = 0
-	// IdentityMax is the maximum value of [Config.Identity]. This is enforced by cmd/hsu.
-	IdentityMax = 9999
 )

 const (
--- a/hst/enablement_test.go
+++ b/hst/enablement_test.go
@@ -80,7 +80,7 @@ func TestEnablements(t *testing.T) {

 				if got, err := json.Marshal(struct {
 					Value *hst.Enablements `json:"value"`
-					Magic int              `json:"magic"`
+					Magic uint64           `json:"magic"`
 				}{tc.e, syscall.MS_MGC_VAL}); err != nil {
 					t.Fatalf("Marshal: error = %v", err)
 				} else if string(got) != tc.sData {
@@ -108,7 +108,7 @@ func TestEnablements(t *testing.T) {
 				{
 					got := *(new(struct {
 						Value *hst.Enablements `json:"value"`
-						Magic int              `json:"magic"`
+						Magic uint64           `json:"magic"`
 					}))
 					if err := json.Unmarshal([]byte(tc.sData), &got); err != nil {
 						t.Fatalf("Unmarshal: error = %v", err)
--- a/hst/fs_test.go
+++ b/hst/fs_test.go
@@ -241,7 +241,7 @@ func (s stubFS) String() string          { return "<invalid " + s.typeName + ">"

 type sCheck struct {
 	FS    hst.FilesystemConfigJSON `json:"fs"`
-	Magic int                      `json:"magic"`
+	Magic uint64                   `json:"magic"`
 }

 type fsTestCase struct {
--- a/hst/fsbind.go
+++ b/hst/fsbind.go
@@ -5,8 +5,8 @@ import (
 	"strings"

 	"hakurei.app/container/check"
-	"hakurei.app/container/comp"
 	"hakurei.app/container/fhs"
+	"hakurei.app/container/std"
 )

 func init() { gob.Register(new(FSBind)) }
@@ -97,16 +97,16 @@ func (b *FSBind) Apply(z *ApplyState) {
 	}
 	var flags int
 	if b.Write {
-		flags |= comp.BindWritable
+		flags |= std.BindWritable
 	}
 	if b.Device {
-		flags |= comp.BindDevice | comp.BindWritable
+		flags |= std.BindDevice | std.BindWritable
 	}
 	if b.Ensure {
-		flags |= comp.BindEnsure
+		flags |= std.BindEnsure
 	}
 	if b.Optional {
-		flags |= comp.BindOptional
+		flags |= std.BindOptional
 	}

 	switch {
--- a/hst/fsbind_test.go
+++ b/hst/fsbind_test.go
@@ -4,7 +4,7 @@ import (
 	"testing"

 	"hakurei.app/container"
-	"hakurei.app/container/comp"
+	"hakurei.app/container/std"
 	"hakurei.app/hst"
 )

@@ -24,7 +24,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/dev"),
 			Target: m("/dev"),
-			Flags:  comp.BindWritable | comp.BindDevice | comp.BindOptional,
+			Flags:  std.BindWritable | std.BindDevice | std.BindOptional,
 		}}, m("/dev"), ms("/mnt/dev"),
 			"d+/mnt/dev:/dev"},

@@ -36,7 +36,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/dev"),
 			Target: m("/dev"),
-			Flags:  comp.BindWritable | comp.BindDevice | comp.BindEnsure,
+			Flags:  std.BindWritable | std.BindDevice | std.BindEnsure,
 		}}, m("/dev"), ms("/mnt/dev"),
 			"d-/mnt/dev:/dev"},

@@ -48,7 +48,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/dev"),
 			Target: m("/dev"),
-			Flags:  comp.BindWritable | comp.BindDevice,
+			Flags:  std.BindWritable | std.BindDevice,
 		}}, m("/dev"), ms("/mnt/dev"),
 			"d*/mnt/dev:/dev"},

@@ -59,7 +59,7 @@ func TestFSBind(t *testing.T) {
 		}, true, container.Ops{&container.BindMountOp{
 			Source: m("/mnt/tmp"),
 			Target: m("/tmp"),
-			Flags:  comp.BindWritable,
+			Flags:  std.BindWritable,
 		}}, m("/tmp"), ms("/mnt/tmp"),
 			"w*/mnt/tmp:/tmp"},

@@ -98,7 +98,7 @@ func TestFSBind(t *testing.T) {
 			Special: true,
 		}, true, container.Ops{&container.AutoRootOp{
 			Host:  m("/"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}}, m("/"), ms("/"), "autoroot:w"},

 		{"autoroot silly", &hst.FSBind{
@@ -108,7 +108,7 @@ func TestFSBind(t *testing.T) {
 			Special: true,
 		}, true, container.Ops{&container.AutoRootOp{
 			Host:  m("/etc"),
-			Flags: comp.BindWritable,
+			Flags: std.BindWritable,
 		}}, m("/"), ms("/etc"), "autoroot:w:/etc"},

 		{"autoetc", &hst.FSBind{
--- a/hst/grp_pwd.go
+++ b/hst/grp_pwd.go
@@ -0,0 +1,61 @@
+package hst
+
+import (
+	"fmt"
+	"strconv"
+)
+
+const (
+	// UserOffset is the offset for UID and GID ranges for each user.
+	UserOffset = 100000
+	// RangeSize is the size of each UID and GID range.
+	RangeSize = UserOffset / 10
+
+	// IdentityStart is the first [Config.Identity] value. This is enforced in cmd/hsu.
+	IdentityStart = 0
+	// IdentityEnd is the last [Config.Identity] value. This is enforced in cmd/hsu.
+	IdentityEnd = AppEnd - AppStart
+
+	// AppStart is the first app user UID and GID.
+	AppStart = RangeSize * 1
+	// AppEnd is the last app user UID and GID.
+	AppEnd = AppStart + RangeSize - 1
+
+	/* these are for Rosa OS: use the ranges below to determine whether a process is isolated */
+
+	// IsolatedStart is the start of UID and GID for fully isolated sandboxed processes.
+	IsolatedStart = RangeSize * 9
+	// IsolatedEnd is the end of UID and GID for fully isolated sandboxed processes.
+	IsolatedEnd = IsolatedStart + RangeSize - 1
+)
+
+// A UID represents a kernel uid in the init namespace.
+type UID uint32
+
+// String returns the username corresponding to this uid.
+//
+// Not safe against untrusted input.
+func (uid UID) String() string {
+	appid := uid % UserOffset
+	userid := uid / UserOffset
+	if appid >= IsolatedStart && appid <= IsolatedEnd {
+		return fmt.Sprintf("u%d_i%d", userid, appid-IsolatedStart)
+	} else if appid >= AppStart && appid <= AppEnd {
+		return fmt.Sprintf("u%d_a%d", userid, appid-AppStart)
+	} else {
+		return strconv.Itoa(int(uid))
+	}
+}
+
+// A GID represents a kernel gid in the init namespace.
+type GID uint32
+
+// String returns the group name corresponding to this gid.
+//
+// Not safe against untrusted input.
+func (gid GID) String() string { return UID(gid).String() }
+
+// ToUser returns a [hst.UID] value from userid and appid.
+//
+// Not safe against untrusted input.
+func ToUser[U int | uint32](userid, appid U) U { return userid*UserOffset + AppStart + appid }
--- a/hst/grp_pwd_test.go
+++ b/hst/grp_pwd_test.go
@@ -0,0 +1,40 @@
+package hst_test
+
+import (
+	"strconv"
+	"testing"
+
+	"hakurei.app/hst"
+)
+
+func TestUIDString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		val  uint32
+		want string
+	}{
+		{hst.AppStart + hst.IdentityStart, "u0_a0"},                           // uidStart
+		{hst.ToUser[uint32](hst.RangeSize-1, hst.IdentityEnd), "u9999_a9999"}, // uidEnd
+
+		{hst.IsolatedStart + hst.IdentityStart, "u0_i0"},                    // isolatedStart
+		{(hst.RangeSize-1)*hst.UserOffset + hst.IsolatedEnd, "u9999_i9999"}, // isolatedEnd
+
+		{hst.ToUser[uint32](10, 127), "u10_a127"},
+		{hst.ToUser[uint32](11, 127), "u11_a127"},
+
+		{0, "0"}, // out of bounds
+	}
+	for _, tc := range testCases {
+		t.Run(strconv.Itoa(int(tc.val)), func(t *testing.T) {
+			t.Parallel()
+
+			if got := hst.UID(tc.val).String(); got != tc.want {
+				t.Fatalf("UID.String: %q, want %q", got, tc.want)
+			}
+			if got := hst.GID(tc.val).String(); got != tc.want {
+				t.Fatalf("GID.String: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
--- a/hst/hst.go
+++ b/hst/hst.go
@@ -16,7 +16,7 @@ type AppError struct {
 	// A user-facing description of where the error occurred.
 	Step string `json:"step"`
 	// The underlying error value.
-	Err error
+	Err error `json:"err"`
 	// An arbitrary error message, overriding the return value of Message if not empty.
 	Msg string `json:"message,omitempty"`
 }
--- a/hst/instance.go
+++ b/hst/instance.go
@@ -0,0 +1,87 @@
+package hst
+
+import (
+	"crypto/rand"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"time"
+)
+
+// An ID is a unique identifier held by a running hakurei container.
+type ID [16]byte
+
+// ErrIdentifierLength is returned when encountering a [hex] representation of [ID] with unexpected length.
+var ErrIdentifierLength = errors.New("identifier string has unexpected length")
+
+// IdentifierDecodeError is returned by [ID.UnmarshalText] to provide relevant error descriptions.
+type IdentifierDecodeError struct{ Err error }
+
+func (e IdentifierDecodeError) Unwrap() error { return e.Err }
+func (e IdentifierDecodeError) Error() string {
+	var invalidByteError hex.InvalidByteError
+	switch {
+	case errors.As(e.Err, &invalidByteError):
+		return fmt.Sprintf("got invalid byte %#U in identifier", rune(invalidByteError))
+	case errors.Is(e.Err, hex.ErrLength):
+		return "odd length identifier hex string"
+
+	default:
+		return e.Err.Error()
+	}
+}
+
+// String returns the [hex] string representation of [ID].
+func (a *ID) String() string { return hex.EncodeToString(a[:]) }
+
+// CreationTime returns the point in time [ID] was created.
+func (a *ID) CreationTime() time.Time {
+	return time.Unix(0, int64(binary.BigEndian.Uint64(a[:8]))).UTC()
+}
+
+// NewInstanceID creates a new unique [ID].
+func NewInstanceID(id *ID) error { return newInstanceID(id, uint64(time.Now().UnixNano())) }
+
+// newInstanceID creates a new unique [ID] with the specified timestamp.
+func newInstanceID(id *ID, p uint64) error {
+	binary.BigEndian.PutUint64(id[:8], p)
+	_, err := rand.Read(id[8:])
+	return err
+}
+
+// MarshalText encodes the [hex] representation of [ID].
+func (a *ID) MarshalText() (text []byte, err error) {
+	text = make([]byte, hex.EncodedLen(len(a)))
+	hex.Encode(text, a[:])
+	return
+}
+
+// UnmarshalText decodes a [hex] representation of [ID].
+func (a *ID) UnmarshalText(text []byte) error {
+	dl := hex.DecodedLen(len(text))
+	if dl != len(a) {
+		return IdentifierDecodeError{ErrIdentifierLength}
+	}
+	_, err := hex.Decode(a[:], text)
+	if err == nil {
+		return nil
+	}
+	return IdentifierDecodeError{err}
+}
+
+// A State describes a running hakurei container.
+type State struct {
+	// Unique instance id, created by [NewInstanceID].
+	ID ID `json:"instance"`
+	// Monitoring process pid. Runs as the priv user.
+	PID int `json:"pid"`
+	// Shim process pid. Runs as the target user.
+	ShimPID int `json:"shim_pid"`
+
+	// Configuration used to start the container.
+	*Config
+
+	// Point in time the shim process was created.
+	Time time.Time `json:"time"`
+}
--- a/hst/instance_test.go
+++ b/hst/instance_test.go
@@ -0,0 +1,113 @@
+package hst_test
+
+import (
+	"encoding/hex"
+	"errors"
+	"reflect"
+	"testing"
+	"time"
+	_ "unsafe"
+
+	"hakurei.app/hst"
+)
+
+//go:linkname newInstanceID hakurei.app/hst.newInstanceID
+func newInstanceID(id *hst.ID, p uint64) error
+
+func TestIdentifierDecodeError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		err  error
+		want string
+	}{
+		{"invalid byte", hst.IdentifierDecodeError{Err: hex.InvalidByteError(0)},
+			"got invalid byte U+0000 in identifier"},
+		{"odd length", hst.IdentifierDecodeError{Err: hex.ErrLength},
+			"odd length identifier hex string"},
+		{"passthrough", hst.IdentifierDecodeError{Err: hst.ErrIdentifierLength},
+			hst.ErrIdentifierLength.Error()},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.err.Error(); got != tc.want {
+				t.Errorf("Error: %q, want %q", got, tc.want)
+			}
+		})
+	}
+
+	t.Run("unwrap", func(t *testing.T) {
+		t.Parallel()
+
+		err := hst.IdentifierDecodeError{Err: hst.ErrIdentifierLength}
+		if !errors.Is(err, hst.ErrIdentifierLength) {
+			t.Errorf("Is unexpected false")
+		}
+	})
+}
+
+func TestID(t *testing.T) {
+	t.Parallel()
+
+	var randomID hst.ID
+	if err := hst.NewInstanceID(&randomID); err != nil {
+		t.Fatalf("NewInstanceID: error = %v", err)
+	}
+
+	testCases := []struct {
+		name string
+		data string
+		want hst.ID
+		err  error
+	}{
+		{"bad length", "meow", hst.ID{},
+			hst.IdentifierDecodeError{Err: hst.ErrIdentifierLength}},
+		{"invalid byte", "02bc7f8936b2af6\x00\x00e2535cd71ef0bb7", hst.ID{},
+			hst.IdentifierDecodeError{Err: hex.InvalidByteError(0)}},
+
+		{"zero", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", hst.ID{}, nil},
+		{"random", randomID.String(), randomID, nil},
+		{"sample", "ba21c9bd33d9d37917288281a2a0d239", hst.ID{
+			0xba, 0x21, 0xc9, 0xbd,
+			0x33, 0xd9, 0xd3, 0x79,
+			0x17, 0x28, 0x82, 0x81,
+			0xa2, 0xa0, 0xd2, 0x39}, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var got hst.ID
+			if err := got.UnmarshalText([]byte(tc.data)); !reflect.DeepEqual(err, tc.err) {
+				t.Errorf("UnmarshalText: error = %#v, want %#v", err, tc.err)
+			}
+
+			if tc.err == nil {
+				if gotString := got.String(); gotString != tc.data {
+					t.Errorf("String: %q, want %q", gotString, tc.data)
+				}
+				if gotData, _ := got.MarshalText(); string(gotData) != tc.data {
+					t.Errorf("MarshalText: %q, want %q", string(gotData), tc.data)
+				}
+			}
+		})
+	}
+
+	t.Run("time", func(t *testing.T) {
+		t.Parallel()
+		var id hst.ID
+
+		now := time.Now()
+		if err := newInstanceID(&id, uint64(now.UnixNano())); err != nil {
+			t.Fatalf("newInstanceID: error = %v", err)
+		}
+
+		got := id.CreationTime()
+		if !got.Equal(now) {
+			t.Fatalf("CreationTime(%q): %s, want %s", id.String(), got, now)
+		}
+	})
+}
--- a/internal/app/env.go
+++ b/internal/app/env.go
@@ -1,59 +0,0 @@
-package app
-
-import (
-	"strconv"
-
-	"hakurei.app/container/check"
-	"hakurei.app/hst"
-)
-
-// EnvPaths holds paths copied from the environment and is used to create [hst.Paths].
-type EnvPaths struct {
-	// TempDir is returned by [os.TempDir].
-	TempDir *check.Absolute
-	// RuntimePath is copied from $XDG_RUNTIME_DIR.
-	RuntimePath *check.Absolute
-}
-
-// Copy expands [EnvPaths] into [hst.Paths].
-func (env *EnvPaths) Copy(v *hst.Paths, userid int) {
-	if env == nil || env.TempDir == nil || v == nil {
-		panic("attempting to use an invalid EnvPaths")
-	}
-
-	v.TempDir = env.TempDir
-	v.SharePath = env.TempDir.Append("hakurei." + strconv.Itoa(userid))
-
-	if env.RuntimePath == nil {
-		// fall back to path in share since hakurei has no hard XDG dependency
-		v.RunDirPath = v.SharePath.Append("run")
-		v.RuntimePath = v.RunDirPath.Append("compat")
-	} else {
-		v.RuntimePath = env.RuntimePath
-		v.RunDirPath = env.RuntimePath.Append("hakurei")
-	}
-}
-
-// CopyPaths returns a populated [EnvPaths].
-func CopyPaths() *EnvPaths { return copyPaths(direct{}) }
-
-// copyPaths returns a populated [EnvPaths].
-func copyPaths(k syscallDispatcher) *EnvPaths {
-	const xdgRuntimeDir = "XDG_RUNTIME_DIR"
-
-	var env EnvPaths
-
-	if tempDir, err := check.NewAbs(k.tempdir()); err != nil {
-		k.fatalf("invalid TMPDIR: %v", err)
-		panic("unreachable")
-	} else {
-		env.TempDir = tempDir
-	}
-
-	r, _ := k.lookupEnv(xdgRuntimeDir)
-	if a, err := check.NewAbs(r); err == nil {
-		env.RuntimePath = a
-	}
-
-	return &env
-}
--- a/internal/app/env_test.go
+++ b/internal/app/env_test.go
@@ -1,137 +0,0 @@
-package app
-
-import (
-	"fmt"
-	"reflect"
-	"testing"
-
-	"hakurei.app/container"
-	"hakurei.app/container/check"
-	"hakurei.app/container/fhs"
-	"hakurei.app/container/stub"
-	"hakurei.app/hst"
-)
-
-func TestEnvPaths(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name string
-		env  *EnvPaths
-		want hst.Paths
-
-		wantPanic string
-	}{
-		{"nil", nil, hst.Paths{}, "attempting to use an invalid EnvPaths"},
-		{"zero", new(EnvPaths), hst.Paths{}, "attempting to use an invalid EnvPaths"},
-
-		{"nil tempdir", &EnvPaths{
-			RuntimePath: fhs.AbsTmp,
-		}, hst.Paths{}, "attempting to use an invalid EnvPaths"},
-
-		{"nil runtime", &EnvPaths{
-			TempDir: fhs.AbsTmp,
-		}, hst.Paths{
-			TempDir:     fhs.AbsTmp,
-			SharePath:   fhs.AbsTmp.Append("hakurei.3735928559"),
-			RuntimePath: fhs.AbsTmp.Append("hakurei.3735928559/run/compat"),
-			RunDirPath:  fhs.AbsTmp.Append("hakurei.3735928559/run"),
-		}, ""},
-
-		{"full", &EnvPaths{
-			TempDir:     fhs.AbsTmp,
-			RuntimePath: fhs.AbsRunUser.Append("1000"),
-		}, hst.Paths{
-			TempDir:     fhs.AbsTmp,
-			SharePath:   fhs.AbsTmp.Append("hakurei.3735928559"),
-			RuntimePath: fhs.AbsRunUser.Append("1000"),
-			RunDirPath:  fhs.AbsRunUser.Append("1000/hakurei"),
-		}, ""},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if tc.wantPanic != "" {
-				defer func() {
-					if r := recover(); r != tc.wantPanic {
-						t.Errorf("Copy: panic = %#v, want %q", r, tc.wantPanic)
-					}
-				}()
-			}
-
-			var sc hst.Paths
-			tc.env.Copy(&sc, 0xdeadbeef)
-			if !reflect.DeepEqual(&sc, &tc.want) {
-				t.Errorf("Copy: %#v, want %#v", sc, tc.want)
-			}
-		})
-	}
-}
-
-func TestCopyPaths(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name  string
-		env   map[string]string
-		tmp   string
-		fatal string
-		want  EnvPaths
-	}{
-		{"invalid tempdir", nil, "\x00",
-			"invalid TMPDIR: path \"\\x00\" is not absolute", EnvPaths{}},
-		{"empty environment", make(map[string]string), container.Nonexistent,
-			"", EnvPaths{TempDir: check.MustAbs(container.Nonexistent)}},
-		{"invalid XDG_RUNTIME_DIR", map[string]string{"XDG_RUNTIME_DIR": "\x00"}, container.Nonexistent,
-			"", EnvPaths{TempDir: check.MustAbs(container.Nonexistent)}},
-		{"full", map[string]string{"XDG_RUNTIME_DIR": "/\x00"}, container.Nonexistent,
-			"", EnvPaths{TempDir: check.MustAbs(container.Nonexistent), RuntimePath: check.MustAbs("/\x00")}},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if tc.fatal != "" {
-				defer stub.HandleExit(t)
-			}
-
-			k := copyPathsDispatcher{t: t, env: tc.env, tmp: tc.tmp, expectsFatal: tc.fatal}
-			got := copyPaths(k)
-
-			if tc.fatal != "" {
-				t.Fatalf("copyPaths: expected fatal %q", tc.fatal)
-			}
-
-			if !reflect.DeepEqual(got, &tc.want) {
-				t.Errorf("copyPaths: %#v, want %#v", got, &tc.want)
-			}
-		})
-	}
-}
-
-// copyPathsDispatcher implements enough of syscallDispatcher for all copyPaths code paths.
-type copyPathsDispatcher struct {
-	env map[string]string
-	tmp string
-
-	// must be checked at the conclusion of the test
-	expectsFatal string
-
-	t *testing.T
-	panicDispatcher
-}
-
-func (k copyPathsDispatcher) tempdir() string { return k.tmp }
-func (k copyPathsDispatcher) lookupEnv(key string) (value string, ok bool) {
-	value, ok = k.env[key]
-	return
-}
-func (k copyPathsDispatcher) fatalf(format string, v ...any) {
-	if k.expectsFatal == "" {
-		k.t.Fatalf("unexpected call to fatalf: format = %q, v = %#v", format, v)
-	}
-
-	if got := fmt.Sprintf(format, v...); got != k.expectsFatal {
-		k.t.Fatalf("fatalf: %q, want %q", got, k.expectsFatal)
-	}
-	panic(stub.PanicExit)
-}
--- a/internal/app/path.go
+++ b/internal/app/path.go
@@ -1,15 +0,0 @@
-package app
-
-import (
-	"path/filepath"
-	"strings"
-)
-
-func deepContainsH(basepath, targpath string) (bool, error) {
-	const upper = ".." + string(filepath.Separator)
-
-	rel, err := filepath.Rel(basepath, targpath)
-	return err == nil &&
-		rel != ".." &&
-		!strings.HasPrefix(rel, upper), err
-}
--- a/internal/app/process.go
+++ b/internal/app/process.go
@@ -1,326 +0,0 @@
-package app
-
-import (
-	"context"
-	"encoding/gob"
-	"errors"
-	"log"
-	"os"
-	"os/exec"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	"hakurei.app/container"
-	"hakurei.app/container/fhs"
-	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/app/state"
-	"hakurei.app/message"
-	"hakurei.app/system"
-)
-
-// Duration to wait for shim to exit on top of container WaitDelay.
-const shimWaitTimeout = 5 * time.Second
-
-// mainState holds persistent state bound to outcome.main.
-type mainState struct {
-	// done is whether beforeExit has been called already.
-	done bool
-
-	// Time is the exact point in time where the process was created.
-	// Location must be set to UTC.
-	//
-	// Time is nil if no process was ever created.
-	Time *time.Time
-
-	store   state.Store
-	cancel  context.CancelFunc
-	cmd     *exec.Cmd
-	cmdWait chan error
-
-	k *outcome
-	message.Msg
-	uintptr
-}
-
-const (
-	// mainNeedsRevert indicates the call to Commit has succeeded.
-	mainNeedsRevert uintptr = 1 << iota
-	// mainNeedsDestroy indicates the instance state entry is present in the store.
-	mainNeedsDestroy
-)
-
-// beforeExit must be called immediately before a call to [os.Exit].
-func (ms mainState) beforeExit(isFault bool) {
-	if ms.done {
-		panic("attempting to call beforeExit twice")
-	}
-	ms.done = true
-	defer ms.BeforeExit()
-
-	if isFault && ms.cancel != nil {
-		ms.cancel()
-	}
-
-	var hasErr bool
-	// updates hasErr but does not terminate
-	perror := func(err error, message string) {
-		hasErr = true
-		printMessageError("cannot "+message+":", err)
-	}
-	exitCode := 1
-	defer func() {
-		if hasErr {
-			os.Exit(exitCode)
-		}
-	}()
-
-	// this also handles wait for a non-fault termination
-	if ms.cmd != nil && ms.cmdWait != nil {
-		waitDone := make(chan struct{})
-
-		// this ties waitDone to ctx with the additional compensated timeout duration
-		go func() { <-ms.k.ctx.Done(); time.Sleep(ms.k.state.Shim.WaitDelay + shimWaitTimeout); close(waitDone) }()
-
-		select {
-		case err := <-ms.cmdWait:
-			wstatus, ok := ms.cmd.ProcessState.Sys().(syscall.WaitStatus)
-			if ok {
-				if v := wstatus.ExitStatus(); v != 0 {
-					hasErr = true
-					exitCode = v
-				}
-			}
-
-			if ms.IsVerbose() {
-				if !ok {
-					if err != nil {
-						ms.Verbosef("wait: %v", err)
-					}
-				} else {
-					switch {
-					case wstatus.Exited():
-						ms.Verbosef("process %d exited with code %d", ms.cmd.Process.Pid, wstatus.ExitStatus())
-
-					case wstatus.CoreDump():
-						ms.Verbosef("process %d dumped core", ms.cmd.Process.Pid)
-
-					case wstatus.Signaled():
-						ms.Verbosef("process %d got %s", ms.cmd.Process.Pid, wstatus.Signal())
-
-					default:
-						ms.Verbosef("process %d exited with status %#x", ms.cmd.Process.Pid, wstatus)
-					}
-				}
-			}
-
-		case <-waitDone:
-			ms.Resume()
-			// this is only reachable when shim did not exit within shimWaitTimeout, after its WaitDelay has elapsed.
-			// This is different from the container failing to terminate within its timeout period, as that is enforced
-			// by the shim. This path is instead reached when there is a lockup in shim preventing it from completing.
-			log.Printf("process %d did not terminate", ms.cmd.Process.Pid)
-		}
-
-		ms.Resume()
-	}
-
-	if ms.uintptr&mainNeedsRevert != 0 {
-		if ok, err := ms.store.Do(ms.k.state.identity.unwrap(), func(c state.Cursor) {
-			if ms.uintptr&mainNeedsDestroy != 0 {
-				if err := c.Destroy(ms.k.state.id.unwrap()); err != nil {
-					perror(err, "destroy state entry")
-				}
-			}
-
-			var rt hst.Enablement
-			if states, err := c.Load(); err != nil {
-				// it is impossible to continue from this point;
-				// revert per-process state here to limit damage
-				ec := system.Process
-				if revertErr := ms.k.sys.Revert((*system.Criteria)(&ec)); revertErr != nil {
-					var joinError interface {
-						Unwrap() []error
-						error
-					}
-					if !errors.As(revertErr, &joinError) || joinError == nil {
-						perror(revertErr, "revert system setup")
-					} else {
-						for _, v := range joinError.Unwrap() {
-							perror(v, "revert system setup step")
-						}
-					}
-				}
-				perror(err, "load instance states")
-			} else {
-				ec := system.Process
-				if l := len(states); l == 0 {
-					ec |= system.User
-				} else {
-					ms.Verbosef("found %d instances, cleaning up without user-scoped operations", l)
-				}
-
-				// accumulate enablements of remaining launchers
-				for i, s := range states {
-					if s.Config != nil {
-						rt |= s.Config.Enablements.Unwrap()
-					} else {
-						log.Printf("state entry %d does not contain config", i)
-					}
-				}
-
-				ec |= rt ^ (hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse)
-				if ms.IsVerbose() {
-					if ec > 0 {
-						ms.Verbose("reverting operations scope", system.TypeString(ec))
-					}
-				}
-
-				if err = ms.k.sys.Revert((*system.Criteria)(&ec)); err != nil {
-					perror(err, "revert system setup")
-				}
-			}
-		}); err != nil {
-			if ok {
-				perror(err, "unlock state store")
-			} else {
-				perror(err, "open state store")
-			}
-		}
-	} else if ms.uintptr&mainNeedsDestroy != 0 {
-		panic("unreachable")
-	}
-
-	if ms.store != nil {
-		if err := ms.store.Close(); err != nil {
-			perror(err, "close state store")
-		}
-	}
-}
-
-// fatal calls printMessageError, performs necessary cleanup, followed by a call to [os.Exit](1).
-func (ms mainState) fatal(fallback string, ferr error) {
-	printMessageError(fallback, ferr)
-	ms.beforeExit(true)
-	os.Exit(1)
-}
-
-// main carries out outcome and terminates. main does not return.
-func (k *outcome) main(msg message.Msg) {
-	if !k.active.CompareAndSwap(false, true) {
-		panic("outcome: attempted to run twice")
-	}
-
-	if k.ctx == nil || k.sys == nil || k.state == nil {
-		panic("outcome: did not finalise")
-	}
-
-	// read comp value early for early failure
-	hsuPath := internal.MustHsuPath()
-
-	// ms.beforeExit required beyond this point
-	ms := &mainState{Msg: msg, k: k}
-
-	if err := k.sys.Commit(); err != nil {
-		ms.fatal("cannot commit system setup:", err)
-	}
-	ms.uintptr |= mainNeedsRevert
-	ms.store = state.NewMulti(msg, k.state.sc.RunDirPath.String())
-
-	ctx, cancel := context.WithCancel(k.ctx)
-	defer cancel()
-	ms.cancel = cancel
-
-	ms.cmd = exec.CommandContext(ctx, hsuPath.String())
-	ms.cmd.Stdin, ms.cmd.Stdout, ms.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	ms.cmd.Dir = fhs.Root // container init enters final working directory
-	// shim runs in the same session as monitor; see shim.go for behaviour
-	ms.cmd.Cancel = func() error { return ms.cmd.Process.Signal(syscall.SIGCONT) }
-
-	var e *gob.Encoder
-	if fd, encoder, err := container.Setup(&ms.cmd.ExtraFiles); err != nil {
-		ms.fatal("cannot create shim setup pipe:", err)
-	} else {
-		e = encoder
-		ms.cmd.Env = []string{
-			// passed through to shim by hsu
-			shimEnv + "=" + strconv.Itoa(fd),
-			// interpreted by hsu
-			"HAKUREI_IDENTITY=" + k.state.identity.String(),
-		}
-	}
-
-	if len(k.supp) > 0 {
-		msg.Verbosef("attaching supplementary group ids %s", k.supp)
-		// interpreted by hsu
-		ms.cmd.Env = append(ms.cmd.Env, "HAKUREI_GROUPS="+strings.Join(k.supp, " "))
-	}
-
-	msg.Verbosef("setuid helper at %s", hsuPath)
-	msg.Suspend()
-	if err := ms.cmd.Start(); err != nil {
-		ms.fatal("cannot start setuid wrapper:", err)
-	}
-	startTime := time.Now().UTC()
-	ms.cmdWait = make(chan error, 1)
-	// this ties context back to the life of the process
-	go func() { ms.cmdWait <- ms.cmd.Wait(); cancel() }()
-	ms.Time = &startTime
-
-	// unfortunately the I/O here cannot be directly canceled;
-	// the cancellation path leads to fatal in this case so that is fine
-	select {
-	case err := <-func() (setupErr chan error) {
-		setupErr = make(chan error, 1)
-		go func() { setupErr <- e.Encode(k.state) }()
-		return
-	}():
-		if err != nil {
-			msg.Resume()
-			ms.fatal("cannot transmit shim config:", err)
-		}
-
-	case <-ctx.Done():
-		msg.Resume()
-		ms.fatal("shim context canceled:", newWithMessageError("shim setup canceled", ctx.Err()))
-	}
-
-	// shim accepted setup payload, create process state
-	if ok, err := ms.store.Do(k.state.identity.unwrap(), func(c state.Cursor) {
-		if err := c.Save(&state.State{
-			ID:     k.state.id.unwrap(),
-			PID:    ms.cmd.Process.Pid,
-			Config: k.config,
-			Time:   *ms.Time,
-		}); err != nil {
-			ms.fatal("cannot save state entry:", err)
-		}
-	}); err != nil {
-		if ok {
-			ms.uintptr |= mainNeedsDestroy
-			ms.fatal("cannot unlock state store:", err)
-		} else {
-			ms.fatal("cannot open state store:", err)
-		}
-	}
-	// state in store at this point, destroy defunct state entry on termination
-	ms.uintptr |= mainNeedsDestroy
-
-	// beforeExit ties shim process to context
-	ms.beforeExit(false)
-	os.Exit(0)
-}
-
-// printMessageError prints the error message according to [message.GetMessage],
-// or fallback prepended to err if an error message is not available.
-func printMessageError(fallback string, err error) {
-	m, ok := message.GetMessage(err)
-	if !ok {
-		log.Println(fallback, err)
-		return
-	}
-
-	log.Print(m)
-}
--- a/internal/app/shim-signal.h
+++ b/internal/app/shim-signal.h
@@ -1,3 +0,0 @@
-#include <signal.h>
-
-void hakurei_shim_setup_cont_signal(pid_t ppid, int fd);
--- a/internal/app/shim_test.go
+++ b/internal/app/shim_test.go
@@ -1,155 +0,0 @@
-package app
-
-import (
-	"bytes"
-	"context"
-	"log"
-	"os"
-	"syscall"
-	"testing"
-
-	"hakurei.app/container"
-	"hakurei.app/container/comp"
-	"hakurei.app/container/fhs"
-	"hakurei.app/container/seccomp"
-	"hakurei.app/container/stub"
-	"hakurei.app/hst"
-)
-
-func TestShimEntrypoint(t *testing.T) {
-	t.Parallel()
-	shimPreset := seccomp.Preset(comp.PresetStrict, seccomp.AllowMultiarch)
-	templateParams := &container.Params{
-		Dir: m("/data/data/org.chromium.Chromium"),
-		Env: []string{
-			"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus",
-			"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
-			"GOOGLE_API_KEY=AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-			"GOOGLE_DEFAULT_CLIENT_ID=77185425430.apps.googleusercontent.com",
-			"GOOGLE_DEFAULT_CLIENT_SECRET=OTJgUOQcT7lO7GsGZq2G4IlT",
-			"HOME=/data/data/org.chromium.Chromium",
-			"PULSE_COOKIE=/.hakurei/pulse-cookie",
-			"PULSE_SERVER=unix:/run/user/1000/pulse/native",
-			"SHELL=/run/current-system/sw/bin/zsh",
-			"TERM=xterm-256color",
-			"USER=chronos",
-			"WAYLAND_DISPLAY=wayland-0",
-			"XDG_RUNTIME_DIR=/run/user/1000",
-			"XDG_SESSION_CLASS=user",
-			"XDG_SESSION_TYPE=wayland",
-		},
-
-		// spParamsOp
-		Hostname:      "localhost",
-		RetainSession: true,
-		HostNet:       true,
-		HostAbstract:  true,
-		ForwardCancel: true,
-		Path:          m("/run/current-system/sw/bin/chromium"),
-		Args: []string{
-			"chromium",
-			"--ignore-gpu-blocklist",
-			"--disable-smooth-scrolling",
-			"--enable-features=UseOzonePlatform",
-			"--ozone-platform=wayland",
-		},
-		SeccompFlags: seccomp.AllowMultiarch,
-		Uid:          1000,
-		Gid:          100,
-
-		Ops: new(container.Ops).
-			// resolveRoot
-			Root(m("/var/lib/hakurei/base/org.debian"), comp.BindWritable).
-			// spParamsOp
-			Proc(fhs.AbsProc).
-			Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
-			Bind(fhs.AbsDev, fhs.AbsDev, comp.BindWritable|comp.BindDevice).
-			Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777).
-
-			// spRuntimeOp
-			Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
-			Bind(m("/tmp/hakurei.10/runtime/9999"), m("/run/user/1000"), comp.BindWritable).
-
-			// spTmpdirOp
-			Bind(m("/tmp/hakurei.10/tmpdir/9999"), fhs.AbsTmp, comp.BindWritable).
-
-			// spAccountOp
-			Place(m("/etc/passwd"), []byte("chronos:x:1000:100:Hakurei:/data/data/org.chromium.Chromium:/run/current-system/sw/bin/zsh\n")).
-			Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
-
-			// spWaylandOp
-			Bind(m("/tmp/hakurei.10/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/wayland"), m("/run/user/1000/wayland-0"), 0).
-
-			// spPulseOp
-			Bind(m("/run/user/1000/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse"), m("/run/user/1000/pulse/native"), 0).
-			Place(m("/.hakurei/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
-
-			// spDBusOp
-			Bind(m("/tmp/hakurei.10/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bus"), m("/run/user/1000/bus"), 0).
-			Bind(m("/tmp/hakurei.10/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
-
-			// spFilesystemOp
-			Etc(fhs.AbsEtc, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").
-			Tmpfs(fhs.AbsTmp, 0, 0755).
-			Overlay(m("/nix/store"),
-				fhs.AbsVarLib.Append("hakurei/nix/u0/org.chromium.Chromium/rw-store/upper"),
-				fhs.AbsVarLib.Append("hakurei/nix/u0/org.chromium.Chromium/rw-store/work"),
-				fhs.AbsVarLib.Append("hakurei/base/org.nixos/ro-store")).
-			Link(m("/run/current-system"), "/run/current-system", true).
-			Link(m("/run/opengl-driver"), "/run/opengl-driver", true).
-			Bind(fhs.AbsVarLib.Append("hakurei/u0/org.chromium.Chromium"),
-				m("/data/data/org.chromium.Chromium"),
-				comp.BindWritable|comp.BindEnsure).
-			Bind(fhs.AbsDev.Append("dri"), fhs.AbsDev.Append("dri"),
-				comp.BindOptional|comp.BindWritable|comp.BindDevice).
-			Remount(fhs.AbsRoot, syscall.MS_RDONLY),
-	}
-
-	checkSimple(t, "shimEntrypoint", []simpleTestCase{
-		{"success", func(k *kstub) error { shimEntrypoint(k); return nil }, stub.Expect{Calls: []stub.Call{
-			call("getMsg", stub.ExpectArgs{}, nil, nil),
-			call("getLogger", stub.ExpectArgs{}, (*log.Logger)(nil), nil),
-			call("setDumpable", stub.ExpectArgs{uintptr(container.SUID_DUMP_DISABLE)}, nil, nil),
-			call("receive", stub.ExpectArgs{"HAKUREI_SHIM", outcomeState{
-				Shim: &shimParams{PrivPID: 0xbad, WaitDelay: 0xf, Verbose: true, Ops: []outcomeOp{
-					&spParamsOp{"xterm-256color", true},
-					&spRuntimeOp{sessionTypeWayland},
-					spTmpdirOp{},
-					spAccountOp{},
-					&spWaylandOp{},
-					&spPulseOp{(*[256]byte)(bytes.Repeat([]byte{0}, pulseCookieSizeMax)), pulseCookieSizeMax},
-					&spDBusOp{true},
-					&spFilesystemOp{},
-				}},
-
-				ID:        &checkExpectInstanceId,
-				Identity:  hst.IdentityMax,
-				UserID:    10,
-				Container: hst.Template().Container,
-				Mapuid:    1000,
-				Mapgid:    100,
-				EnvPaths:  &EnvPaths{TempDir: fhs.AbsTmp, RuntimePath: fhs.AbsRunUser.Append("1000")},
-			}, nil}, nil, nil),
-			call("swapVerbose", stub.ExpectArgs{true}, false, nil),
-			call("verbosef", stub.ExpectArgs{"process share directory at %q, runtime directory at %q", []any{m("/tmp/hakurei.10"), m("/run/user/1000/hakurei")}}, nil, nil),
-			call("setupContSignal", stub.ExpectArgs{0xbad}, 0, nil),
-			call("prctl", stub.ExpectArgs{uintptr(syscall.PR_SET_PDEATHSIG), uintptr(syscall.SIGCONT), uintptr(0)}, nil, nil),
-			call("New", stub.ExpectArgs{}, nil, nil),
-			call("closeReceive", stub.ExpectArgs{}, nil, nil),
-			call("notifyContext", stub.ExpectArgs{context.Background(), []os.Signal{os.Interrupt, syscall.SIGTERM}}, nil, nil),
-			call("containerStart", stub.ExpectArgs{templateParams}, nil, nil),
-			call("containerServe", stub.ExpectArgs{templateParams}, nil, nil),
-			call("seccompLoad", stub.ExpectArgs{shimPreset, seccomp.AllowMultiarch}, nil, nil),
-			call("containerWait", stub.ExpectArgs{templateParams}, nil, nil),
-
-			// deferred
-			call("wKeepAlive", stub.ExpectArgs{}, nil, nil),
-		}, Tracks: []stub.Expect{{Calls: []stub.Call{
-			call("rcRead", stub.ExpectArgs{}, []byte{2}, nil),
-			call("verbose", stub.ExpectArgs{[]any{"sa_sigaction got invalid siginfo"}}, nil, nil),
-			call("rcRead", stub.ExpectArgs{}, []byte{3}, nil),
-			call("verbose", stub.ExpectArgs{[]any{"got SIGCONT from unexpected process"}}, nil, nil),
-			call("rcRead", stub.ExpectArgs{}, nil, nil), // stub terminates this goroutine
-		}}}}, nil},
-	})
-}
--- a/internal/app/state/id.go
+++ b/internal/app/state/id.go
@@ -1,48 +0,0 @@
-package state
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"errors"
-	"fmt"
-)
-
-type ID [16]byte
-
-var (
-	ErrInvalidLength = errors.New("string representation must have a length of 32")
-)
-
-func (a *ID) String() string {
-	return hex.EncodeToString(a[:])
-}
-
-func NewAppID(id *ID) error {
-	_, err := rand.Read(id[:])
-	return err
-}
-
-func ParseAppID(id *ID, s string) error {
-	if len(s) != 32 {
-		return ErrInvalidLength
-	}
-
-	for i, b := range s {
-		if b < '0' || b > 'f' {
-			return fmt.Errorf("invalid char %q at byte %d", b, i)
-		}
-
-		v := uint8(b)
-		if v > '9' {
-			v = 10 + v - 'a'
-		} else {
-			v -= '0'
-		}
-		if i%2 == 0 {
-			v <<= 4
-		}
-		id[i/2] += v
-	}
-
-	return nil
-}
--- a/internal/app/state/id_test.go
+++ b/internal/app/state/id_test.go
@@ -1,63 +0,0 @@
-package state_test
-
-import (
-	"errors"
-	"testing"
-
-	"hakurei.app/internal/app/state"
-)
-
-func TestParseAppID(t *testing.T) {
-	t.Run("bad length", func(t *testing.T) {
-		if err := state.ParseAppID(new(state.ID), "meow"); !errors.Is(err, state.ErrInvalidLength) {
-			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, state.ErrInvalidLength)
-		}
-	})
-
-	t.Run("bad byte", func(t *testing.T) {
-		wantErr := "invalid char '\\n' at byte 15"
-		if err := state.ParseAppID(new(state.ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
-			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, wantErr)
-		}
-	})
-
-	t.Run("fuzz 16 iterations", func(t *testing.T) {
-		for i := 0; i < 16; i++ {
-			testParseAppIDWithRandom(t)
-		}
-	})
-}
-
-func FuzzParseAppID(f *testing.F) {
-	for i := 0; i < 16; i++ {
-		id := new(state.ID)
-		if err := state.NewAppID(id); err != nil {
-			panic(err.Error())
-		}
-		f.Add(id[0], id[1], id[2], id[3], id[4], id[5], id[6], id[7], id[8], id[9], id[10], id[11], id[12], id[13], id[14], id[15])
-	}
-
-	f.Fuzz(func(t *testing.T, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15 byte) {
-		testParseAppID(t, &state.ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
-	})
-}
-
-func testParseAppIDWithRandom(t *testing.T) {
-	id := new(state.ID)
-	if err := state.NewAppID(id); err != nil {
-		t.Fatalf("cannot generate app ID: %v", err)
-	}
-	testParseAppID(t, id)
-}
-
-func testParseAppID(t *testing.T, id *state.ID) {
-	s := id.String()
-	got := new(state.ID)
-	if err := state.ParseAppID(got, s); err != nil {
-		t.Fatalf("cannot parse app ID: %v", err)
-	}
-
-	if *got != *id {
-		t.Fatalf("ParseAppID(%#v) = \n%#v, want \n%#v", s, got, id)
-	}
-}
--- a/internal/app/state/join.go
+++ b/internal/app/state/join.go
@@ -1,60 +0,0 @@
-package state
-
-import (
-	"errors"
-	"maps"
-)
-
-var (
-	ErrDuplicate = errors.New("store contains duplicates")
-)
-
-/*
-Joiner is the interface that wraps the Join method.
-
-The Join function uses Joiner if available.
-*/
-type Joiner interface{ Join() (Entries, error) }
-
-// Join returns joined state entries of all active aids.
-func Join(s Store) (Entries, error) {
-	if j, ok := s.(Joiner); ok {
-		return j.Join()
-	}
-
-	var (
-		aids    []int
-		entries = make(Entries)
-
-		el      int
-		res     Entries
-		loadErr error
-	)
-
-	if ln, err := s.List(); err != nil {
-		return nil, err
-	} else {
-		aids = ln
-	}
-
-	for _, aid := range aids {
-		if _, err := s.Do(aid, func(c Cursor) {
-			res, loadErr = c.Load()
-		}); err != nil {
-			return nil, err
-		}
-
-		if loadErr != nil {
-			return nil, loadErr
-		}
-
-		// save expected length
-		el = len(entries) + len(res)
-		maps.Copy(entries, res)
-		if len(entries) != el {
-			return nil, ErrDuplicate
-		}
-	}
-
-	return entries, nil
-}
--- a/internal/app/state/multi.go
+++ b/internal/app/state/multi.go
@@ -1,289 +0,0 @@
-package state
-
-import (
-	"encoding/gob"
-	"errors"
-	"fmt"
-	"io/fs"
-	"os"
-	"path"
-	"strconv"
-	"sync"
-	"syscall"
-
-	"hakurei.app/hst"
-	"hakurei.app/message"
-)
-
-// fine-grained locking and access
-type multiStore struct {
-	base string
-
-	// initialised backends
-	backends *sync.Map
-
-	msg message.Msg
-	mu  sync.RWMutex
-}
-
-func (s *multiStore) Do(identity int, f func(c Cursor)) (bool, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	// load or initialise new backend
-	b := new(multiBackend)
-	b.mu.Lock()
-	if v, ok := s.backends.LoadOrStore(identity, b); ok {
-		b = v.(*multiBackend)
-	} else {
-		b.path = path.Join(s.base, strconv.Itoa(identity))
-
-		// ensure directory
-		if err := os.MkdirAll(b.path, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
-			s.backends.CompareAndDelete(identity, b)
-			return false, &hst.AppError{Step: "create store segment directory", Err: err}
-		}
-
-		// open locker file
-		if l, err := os.OpenFile(b.path+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
-			s.backends.CompareAndDelete(identity, b)
-			return false, &hst.AppError{Step: "open store segment lock file", Err: err}
-		} else {
-			b.lockfile = l
-		}
-		b.mu.Unlock()
-	}
-
-	// lock backend
-	if err := b.lockFile(); err != nil {
-		return false, &hst.AppError{Step: "lock store segment", Err: err}
-	}
-
-	// expose backend methods without exporting the pointer
-	c := new(struct{ *multiBackend })
-	c.multiBackend = b
-	f(b)
-	// disable access to the backend on a best-effort basis
-	c.multiBackend = nil
-
-	// unlock backend
-	if err := b.unlockFile(); err != nil {
-		return true, &hst.AppError{Step: "unlock store segment", Err: err}
-	}
-	return true, nil
-}
-
-func (s *multiStore) List() ([]int, error) {
-	var entries []os.DirEntry
-
-	// read base directory to get all identities
-	if v, err := os.ReadDir(s.base); err != nil && !errors.Is(err, os.ErrNotExist) {
-		return nil, &hst.AppError{Step: "read store directory", Err: err}
-	} else {
-		entries = v
-	}
-
-	aidsBuf := make([]int, 0, len(entries))
-	for _, e := range entries {
-		// skip non-directories
-		if !e.IsDir() {
-			s.msg.Verbosef("skipped non-directory entry %q", e.Name())
-			continue
-		}
-
-		// skip non-numerical names
-		if v, err := strconv.Atoi(e.Name()); err != nil {
-			s.msg.Verbosef("skipped non-aid entry %q", e.Name())
-			continue
-		} else {
-			if v < hst.IdentityMin || v > hst.IdentityMax {
-				s.msg.Verbosef("skipped out of bounds entry %q", e.Name())
-				continue
-			}
-
-			aidsBuf = append(aidsBuf, v)
-		}
-	}
-
-	return append([]int(nil), aidsBuf...), nil
-}
-
-func (s *multiStore) Close() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	var errs []error
-	s.backends.Range(func(_, value any) bool {
-		b := value.(*multiBackend)
-		errs = append(errs, b.close())
-		return true
-	})
-
-	return errors.Join(errs...)
-}
-
-type multiBackend struct {
-	path string
-
-	// created/opened by prepare
-	lockfile *os.File
-
-	mu sync.RWMutex
-}
-
-func (b *multiBackend) filename(id *ID) string { return path.Join(b.path, id.String()) }
-
-func (b *multiBackend) lockFileAct(lt int) (err error) {
-	op := "LockAct"
-	switch lt {
-	case syscall.LOCK_EX:
-		op = "Lock"
-	case syscall.LOCK_UN:
-		op = "Unlock"
-	}
-
-	for {
-		err = syscall.Flock(int(b.lockfile.Fd()), lt)
-		if !errors.Is(err, syscall.EINTR) {
-			break
-		}
-	}
-	if err != nil {
-		return &fs.PathError{
-			Op:   op,
-			Path: b.lockfile.Name(),
-			Err:  err,
-		}
-	}
-	return nil
-}
-
-func (b *multiBackend) lockFile() error   { return b.lockFileAct(syscall.LOCK_EX) }
-func (b *multiBackend) unlockFile() error { return b.lockFileAct(syscall.LOCK_UN) }
-
-// reads all launchers in simpleBackend
-// file contents are ignored if decode is false
-func (b *multiBackend) load(decode bool) (Entries, error) {
-	b.mu.RLock()
-	defer b.mu.RUnlock()
-
-	// read directory contents, should only contain files named after ids
-	var entries []os.DirEntry
-	if pl, err := os.ReadDir(b.path); err != nil {
-		return nil, &hst.AppError{Step: "read store segment directory", Err: err}
-	} else {
-		entries = pl
-	}
-
-	// allocate as if every entry is valid
-	// since that should be the case assuming no external interference happens
-	r := make(Entries, len(entries))
-
-	for _, e := range entries {
-		if e.IsDir() {
-			return nil, fmt.Errorf("unexpected directory %q in store", e.Name())
-		}
-
-		var id ID
-		if err := ParseAppID(&id, e.Name()); err != nil {
-			return nil, &hst.AppError{Step: "parse state key", Err: err}
-		}
-
-		// run in a function to better handle file closing
-		if err := func() error {
-			// open state file for reading
-			if f, err := os.Open(path.Join(b.path, e.Name())); err != nil {
-				return &hst.AppError{Step: "open state file", Err: err}
-			} else {
-				var s State
-				r[id] = &s
-
-				// append regardless, but only parse if required, implements Len
-				if decode {
-					if err = gob.NewDecoder(f).Decode(&s); err != nil {
-						_ = f.Close()
-						return &hst.AppError{Step: "decode state data", Err: err}
-					} else if s.ID != id {
-						_ = f.Close()
-						return fmt.Errorf("state entry %s has unexpected id %s", id, &s.ID)
-					} else if err = f.Close(); err != nil {
-						return &hst.AppError{Step: "close state file", Err: err}
-					}
-
-					if s.Config == nil {
-						return ErrNoConfig
-					}
-				}
-
-				return nil
-			}
-		}(); err != nil {
-			return nil, err
-		}
-	}
-
-	return r, nil
-}
-
-// Save writes process state to filesystem
-func (b *multiBackend) Save(state *State) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if state.Config == nil {
-		return ErrNoConfig
-	}
-
-	statePath := b.filename(&state.ID)
-
-	if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
-		return &hst.AppError{Step: "create state file", Err: err}
-	} else if err = gob.NewEncoder(f).Encode(state); err != nil {
-		_ = f.Close()
-		return &hst.AppError{Step: "encode state data", Err: err}
-	} else if err = f.Close(); err != nil {
-		return &hst.AppError{Step: "close state file", Err: err}
-	}
-	return nil
-}
-
-func (b *multiBackend) Destroy(id ID) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if err := os.Remove(b.filename(&id)); err != nil {
-		return &hst.AppError{Step: "destroy state entry", Err: err}
-	}
-	return nil
-}
-
-func (b *multiBackend) Load() (Entries, error) { return b.load(true) }
-
-func (b *multiBackend) Len() (int, error) {
-	// rn consists of only nil entries but has the correct length
-	rn, err := b.load(false)
-	if err != nil {
-		return -1, &hst.AppError{Step: "count state entries", Err: err}
-	}
-	return len(rn), nil
-}
-
-func (b *multiBackend) close() error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	err := b.lockfile.Close()
-	if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
-		return nil
-	}
-	return &hst.AppError{Step: "close lock file", Err: err}
-}
-
-// NewMulti returns an instance of the multi-file store.
-func NewMulti(msg message.Msg, runDir string) Store {
-	return &multiStore{
-		msg:      msg,
-		base:     path.Join(runDir, "state"),
-		backends: new(sync.Map),
-	}
-}
--- a/internal/app/state/multi_test.go
+++ b/internal/app/state/multi_test.go
@@ -1,13 +0,0 @@
-package state_test
-
-import (
-	"log"
-	"testing"
-
-	"hakurei.app/internal/app/state"
-	"hakurei.app/message"
-)
-
-func TestMulti(t *testing.T) {
-	testStore(t, state.NewMulti(message.NewMsg(log.New(log.Writer(), "multi: ", 0)), t.TempDir()))
-}
--- a/internal/app/state/state.go
+++ b/internal/app/state/state.go
@@ -1,49 +0,0 @@
-// Package state provides cross-process state tracking for hakurei container instances.
-package state
-
-import (
-	"errors"
-	"time"
-
-	"hakurei.app/hst"
-)
-
-// ErrNoConfig is returned by [Cursor] when used with a nil [hst.Config].
-var ErrNoConfig = errors.New("state does not contain config")
-
-type Entries map[ID]*State
-
-type Store interface {
-	// Do calls f exactly once and ensures store exclusivity until f returns.
-	// Returns whether f is called and any errors during the locking process.
-	// Cursor provided to f becomes invalid as soon as f returns.
-	Do(identity int, f func(c Cursor)) (ok bool, err error)
-
-	// List queries the store and returns a list of identities known to the store.
-	// Note that some or all returned identities might not have any active apps.
-	List() (identities []int, err error)
-
-	// Close releases any resources held by Store.
-	Close() error
-}
-
-// Cursor provides access to the store of an identity.
-type Cursor interface {
-	Save(state *State) error
-	Destroy(id ID) error
-	Load() (Entries, error)
-	Len() (int, error)
-}
-
-// State is the on-disk state of a container instance.
-type State struct {
-	// Unique instance id, generated by internal/app.
-	ID ID `json:"instance"`
-	// Shim process pid. This runs as the target user.
-	PID int `json:"pid"`
-	// Configuration value used to start the container.
-	Config *hst.Config `json:"config"`
-
-	// Exact point in time that the shim process was created.
-	Time time.Time `json:"time"`
-}
--- a/internal/app/state/state_test.go
+++ b/internal/app/state/state_test.go
@@ -1,132 +0,0 @@
-package state_test
-
-import (
-	"math/rand/v2"
-	"reflect"
-	"slices"
-	"testing"
-	"time"
-
-	"hakurei.app/hst"
-	"hakurei.app/internal/app/state"
-)
-
-func testStore(t *testing.T, s state.Store) {
-	t.Run("list empty store", func(t *testing.T) {
-		if identities, err := s.List(); err != nil {
-			t.Fatalf("List: error = %v", err)
-		} else if len(identities) != 0 {
-			t.Fatalf("List: identities = %#v", identities)
-		}
-	})
-
-	const (
-		insertEntryChecked = iota
-		insertEntryNoCheck
-		insertEntryOtherApp
-
-		tl
-	)
-
-	var tc [tl]state.State
-	for i := 0; i < tl; i++ {
-		makeState(t, &tc[i])
-	}
-
-	do := func(identity int, f func(c state.Cursor)) {
-		if ok, err := s.Do(identity, f); err != nil {
-			t.Fatalf("Do: ok = %v, error = %v", ok, err)
-		}
-	}
-
-	insert := func(i, identity int) {
-		do(identity, func(c state.Cursor) {
-			if err := c.Save(&tc[i]); err != nil {
-				t.Fatalf("Save: error = %v", err)
-			}
-		})
-	}
-
-	check := func(i, identity int) {
-		do(identity, func(c state.Cursor) {
-			if entries, err := c.Load(); err != nil {
-				t.Fatalf("Load: error = %v", err)
-			} else if got, ok := entries[tc[i].ID]; !ok {
-				t.Fatalf("Load: entry %s missing", &tc[i].ID)
-			} else {
-				got.Time = tc[i].Time
-				if !reflect.DeepEqual(got, &tc[i]) {
-					t.Fatalf("Load: entry %s got %#v, want %#v", &tc[i].ID, got, &tc[i])
-				}
-			}
-		})
-	}
-
-	t.Run("insert entry checked", func(t *testing.T) {
-		insert(insertEntryChecked, 0)
-		check(insertEntryChecked, 0)
-	})
-
-	t.Run("insert entry unchecked", func(t *testing.T) {
-		insert(insertEntryNoCheck, 0)
-	})
-
-	t.Run("insert entry different identity", func(t *testing.T) {
-		insert(insertEntryOtherApp, 1)
-		check(insertEntryOtherApp, 1)
-	})
-
-	t.Run("check previous insertion", func(t *testing.T) {
-		check(insertEntryNoCheck, 0)
-	})
-
-	t.Run("list identities", func(t *testing.T) {
-		if identities, err := s.List(); err != nil {
-			t.Fatalf("List: error = %v", err)
-		} else {
-			slices.Sort(identities)
-			want := []int{0, 1}
-			if !slices.Equal(identities, want) {
-				t.Fatalf("List() = %#v, want %#v", identities, want)
-			}
-		}
-	})
-
-	t.Run("join store", func(t *testing.T) {
-		if entries, err := state.Join(s); err != nil {
-			t.Fatalf("Join: error = %v", err)
-		} else if len(entries) != 3 {
-			t.Fatalf("Join(s) = %#v", entries)
-		}
-	})
-
-	t.Run("clear identity 1", func(t *testing.T) {
-		do(1, func(c state.Cursor) {
-			if err := c.Destroy(tc[insertEntryOtherApp].ID); err != nil {
-				t.Fatalf("Destroy: error = %v", err)
-			}
-		})
-		do(1, func(c state.Cursor) {
-			if l, err := c.Len(); err != nil {
-				t.Fatalf("Len: error = %v", err)
-			} else if l != 0 {
-				t.Fatalf("Len: %d, want 0", l)
-			}
-		})
-	})
-
-	t.Run("close store", func(t *testing.T) {
-		if err := s.Close(); err != nil {
-			t.Fatalf("Close: error = %v", err)
-		}
-	})
-}
-
-func makeState(t *testing.T, s *state.State) {
-	if err := state.NewAppID(&s.ID); err != nil {
-		t.Fatalf("cannot create dummy state: %v", err)
-	}
-	s.PID = rand.Int()
-	s.Config = hst.Template()
-	s.Time = time.Now()
-}
--- a/internal/app/sysconf.go
+++ b/internal/app/sysconf.go
@@ -1,8 +0,0 @@
-package app
-
-//#include <unistd.h>
-import "C"
-
-const _SC_LOGIN_NAME_MAX = C._SC_LOGIN_NAME_MAX
-
-func sysconf(name C.int) int { return int(C.sysconf(name)) }
--- a/internal/app/username_test.go
+++ b/internal/app/username_test.go
@@ -1,28 +0,0 @@
-package app
-
-import (
-	"strings"
-	"testing"
-)
-
-func TestIsValidUsername(t *testing.T) {
-	t.Parallel()
-
-	t.Run("long", func(t *testing.T) {
-		if isValidUsername(strings.Repeat("a", sysconf(_SC_LOGIN_NAME_MAX))) {
-			t.Errorf("isValidUsername unexpected true")
-		}
-	})
-
-	t.Run("regexp", func(t *testing.T) {
-		if isValidUsername("0") {
-			t.Errorf("isValidUsername unexpected true")
-		}
-	})
-
-	t.Run("valid", func(t *testing.T) {
-		if !isValidUsername("alice") {
-			t.Errorf("isValidUsername unexpected false")
-		}
-	})
-}
--- a/internal/env/env.go
+++ b/internal/env/env.go
@@ -0,0 +1,65 @@
+// Package env provides the [Paths] struct for efficiently building paths from the environment.
+package env
+
+import (
+	"log"
+	"os"
+	"strconv"
+
+	"hakurei.app/container/check"
+	"hakurei.app/hst"
+)
+
+// Paths holds paths copied from the environment and is used to create [hst.Paths].
+type Paths struct {
+	// TempDir is returned by [os.TempDir].
+	TempDir *check.Absolute
+	// RuntimePath is copied from $XDG_RUNTIME_DIR.
+	RuntimePath *check.Absolute
+}
+
+// Copy expands [Paths] into [hst.Paths].
+func (env *Paths) Copy(v *hst.Paths, userid int) {
+	if env == nil || env.TempDir == nil || v == nil {
+		panic("attempting to use an invalid Paths")
+	}
+
+	v.TempDir = env.TempDir
+	v.SharePath = env.TempDir.Append("hakurei." + strconv.Itoa(userid))
+
+	if env.RuntimePath == nil {
+		// fall back to path in share since hakurei has no hard XDG dependency
+		v.RuntimePath = v.SharePath.Append("compat")
+	} else {
+		v.RuntimePath = env.RuntimePath
+	}
+	v.RunDirPath = v.RuntimePath.Append("hakurei")
+}
+
+// CopyPaths returns a populated [Paths].
+func CopyPaths() *Paths { return CopyPathsFunc(log.Fatalf, os.TempDir, os.Getenv) }
+
+// CopyPathsFunc returns a populated [Paths],
+// using the provided [log.Fatalf], [os.TempDir], [os.Getenv] functions.
+func CopyPathsFunc(
+	fatalf func(format string, v ...any),
+	tempdir func() string,
+	getenv func(key string) string,
+) *Paths {
+	const xdgRuntimeDir = "XDG_RUNTIME_DIR"
+
+	var env Paths
+
+	if tempDir, err := check.NewAbs(tempdir()); err != nil {
+		fatalf("invalid TMPDIR: %v", err)
+		panic("unreachable")
+	} else {
+		env.TempDir = tempDir
+	}
+
+	if a, err := check.NewAbs(getenv(xdgRuntimeDir)); err == nil {
+		env.RuntimePath = a
+	}
+
+	return &env
+}
--- a/internal/env/env_test.go
+++ b/internal/env/env_test.go
@@ -0,0 +1,118 @@
+package env_test
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/stub"
+	"hakurei.app/hst"
+	"hakurei.app/internal/env"
+)
+
+func TestPaths(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		env  *env.Paths
+		want hst.Paths
+
+		wantPanic string
+	}{
+		{"nil", nil, hst.Paths{}, "attempting to use an invalid Paths"},
+		{"zero", new(env.Paths), hst.Paths{}, "attempting to use an invalid Paths"},
+
+		{"nil tempdir", &env.Paths{
+			RuntimePath: fhs.AbsTmp,
+		}, hst.Paths{}, "attempting to use an invalid Paths"},
+
+		{"nil runtime", &env.Paths{
+			TempDir: fhs.AbsTmp,
+		}, hst.Paths{
+			TempDir:     fhs.AbsTmp,
+			SharePath:   fhs.AbsTmp.Append("hakurei.57005"),
+			RuntimePath: fhs.AbsTmp.Append("hakurei.57005/compat"),
+			RunDirPath:  fhs.AbsTmp.Append("hakurei.57005/compat/hakurei"),
+		}, ""},
+
+		{"full", &env.Paths{
+			TempDir:     fhs.AbsTmp,
+			RuntimePath: fhs.AbsRunUser.Append("1000"),
+		}, hst.Paths{
+			TempDir:     fhs.AbsTmp,
+			SharePath:   fhs.AbsTmp.Append("hakurei.57005"),
+			RuntimePath: fhs.AbsRunUser.Append("1000"),
+			RunDirPath:  fhs.AbsRunUser.Append("1000/hakurei"),
+		}, ""},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if tc.wantPanic != "" {
+				defer func() {
+					if r := recover(); r != tc.wantPanic {
+						t.Errorf("Copy: panic = %#v, want %q", r, tc.wantPanic)
+					}
+				}()
+			}
+
+			var sc hst.Paths
+			tc.env.Copy(&sc, 0xdead)
+			if !reflect.DeepEqual(&sc, &tc.want) {
+				t.Errorf("Copy: %#v, want %#v", sc, tc.want)
+			}
+		})
+	}
+}
+
+func TestCopyPaths(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		env   map[string]string
+		tmp   string
+		fatal string
+		want  env.Paths
+	}{
+		{"invalid tempdir", nil, "\x00",
+			"invalid TMPDIR: path \"\\x00\" is not absolute", env.Paths{}},
+		{"empty environment", make(map[string]string), container.Nonexistent,
+			"", env.Paths{TempDir: check.MustAbs(container.Nonexistent)}},
+		{"invalid XDG_RUNTIME_DIR", map[string]string{"XDG_RUNTIME_DIR": "\x00"}, container.Nonexistent,
+			"", env.Paths{TempDir: check.MustAbs(container.Nonexistent)}},
+		{"full", map[string]string{"XDG_RUNTIME_DIR": "/\x00"}, container.Nonexistent,
+			"", env.Paths{TempDir: check.MustAbs(container.Nonexistent), RuntimePath: check.MustAbs("/\x00")}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if tc.fatal != "" {
+				defer stub.HandleExit(t)
+			}
+
+			got := env.CopyPathsFunc(func(format string, v ...any) {
+				if tc.fatal == "" {
+					t.Fatalf("unexpected call to fatalf: format = %q, v = %#v", format, v)
+				}
+
+				if got := fmt.Sprintf(format, v...); got != tc.fatal {
+					t.Fatalf("fatalf: %q, want %q", got, tc.fatal)
+				}
+				panic(stub.PanicExit)
+			}, func() string { return tc.tmp }, func(key string) string { return tc.env[key] })
+
+			if tc.fatal != "" {
+				t.Fatalf("copyPaths: expected fatal %q", tc.fatal)
+			}
+
+			if !reflect.DeepEqual(got, &tc.want) {
+				t.Errorf("copyPaths: %#v, want %#v", got, &tc.want)
+			}
+		})
+	}
+}
--- a/internal/lockedfile/internal/filelock/filelock.go
+++ b/internal/lockedfile/internal/filelock/filelock.go
@@ -0,0 +1,83 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package filelock provides a platform-independent API for advisory file
+// locking. Calls to functions in this package on platforms that do not support
+// advisory locks will return errors for which IsNotSupported returns true.
+package filelock
+
+import (
+	"errors"
+	"io/fs"
+)
+
+// A File provides the minimal set of methods required to lock an open file.
+// File implementations must be usable as map keys.
+// The usual implementation is *os.File.
+type File interface {
+	// Name returns the name of the file.
+	Name() string
+
+	// Fd returns a valid file descriptor.
+	// (If the File is an *os.File, it must not be closed.)
+	Fd() uintptr
+
+	// Stat returns the FileInfo structure describing file.
+	Stat() (fs.FileInfo, error)
+}
+
+// Lock places an advisory write lock on the file, blocking until it can be
+// locked.
+//
+// If Lock returns nil, no other process will be able to place a read or write
+// lock on the file until this process exits, closes f, or calls Unlock on it.
+//
+// If f's descriptor is already read- or write-locked, the behavior of Lock is
+// unspecified.
+//
+// Closing the file may or may not release the lock promptly. Callers should
+// ensure that Unlock is always called when Lock succeeds.
+func Lock(f File) error {
+	return lock(f, writeLock)
+}
+
+// RLock places an advisory read lock on the file, blocking until it can be locked.
+//
+// If RLock returns nil, no other process will be able to place a write lock on
+// the file until this process exits, closes f, or calls Unlock on it.
+//
+// If f is already read- or write-locked, the behavior of RLock is unspecified.
+//
+// Closing the file may or may not release the lock promptly. Callers should
+// ensure that Unlock is always called if RLock succeeds.
+func RLock(f File) error {
+	return lock(f, readLock)
+}
+
+// Unlock removes an advisory lock placed on f by this process.
+//
+// The caller must not attempt to unlock a file that is not locked.
+func Unlock(f File) error {
+	return unlock(f)
+}
+
+// String returns the name of the function corresponding to lt
+// (Lock, RLock, or Unlock).
+func (lt lockType) String() string {
+	switch lt {
+	case readLock:
+		return "RLock"
+	case writeLock:
+		return "Lock"
+	default:
+		return "Unlock"
+	}
+}
+
+// IsNotSupported returns a boolean indicating whether the error is known to
+// report that a function is not supported (possibly for a specific input).
+// It is satisfied by errors.ErrUnsupported as well as some syscall errors.
+func IsNotSupported(err error) bool {
+	return errors.Is(err, errors.ErrUnsupported)
+}
--- a/internal/lockedfile/internal/filelock/filelock_fcntl.go
+++ b/internal/lockedfile/internal/filelock/filelock_fcntl.go
@@ -0,0 +1,210 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build aix || (solaris && !illumos)
+
+// This code implements the filelock API using POSIX 'fcntl' locks, which attach
+// to an (inode, process) pair rather than a file descriptor. To avoid unlocking
+// files prematurely when the same file is opened through different descriptors,
+// we allow only one read-lock at a time.
+//
+// Most platforms provide some alternative API, such as an 'flock' system call
+// or an F_OFD_SETLK command for 'fcntl', that allows for better concurrency and
+// does not require per-inode bookkeeping in the application.
+
+package filelock
+
+import (
+	"errors"
+	"io"
+	"io/fs"
+	"math/rand"
+	"sync"
+	"syscall"
+	"time"
+)
+
+type lockType int16
+
+const (
+	readLock  lockType = syscall.F_RDLCK
+	writeLock lockType = syscall.F_WRLCK
+)
+
+type inode = uint64 // type of syscall.Stat_t.Ino
+
+type inodeLock struct {
+	owner File
+	queue []<-chan File
+}
+
+var (
+	mu     sync.Mutex
+	inodes = map[File]inode{}
+	locks  = map[inode]inodeLock{}
+)
+
+func lock(f File, lt lockType) (err error) {
+	// POSIX locks apply per inode and process, and the lock for an inode is
+	// released when *any* descriptor for that inode is closed. So we need to
+	// synchronize access to each inode internally, and must serialize lock and
+	// unlock calls that refer to the same inode through different descriptors.
+	fi, err := f.Stat()
+	if err != nil {
+		return err
+	}
+	ino := fi.Sys().(*syscall.Stat_t).Ino
+
+	mu.Lock()
+	if i, dup := inodes[f]; dup && i != ino {
+		mu.Unlock()
+		return &fs.PathError{
+			Op:   lt.String(),
+			Path: f.Name(),
+			Err:  errors.New("inode for file changed since last Lock or RLock"),
+		}
+	}
+	inodes[f] = ino
+
+	var wait chan File
+	l := locks[ino]
+	if l.owner == f {
+		// This file already owns the lock, but the call may change its lock type.
+	} else if l.owner == nil {
+		// No owner: it's ours now.
+		l.owner = f
+	} else {
+		// Already owned: add a channel to wait on.
+		wait = make(chan File)
+		l.queue = append(l.queue, wait)
+	}
+	locks[ino] = l
+	mu.Unlock()
+
+	if wait != nil {
+		wait <- f
+	}
+
+	// Spurious EDEADLK errors arise on platforms that compute deadlock graphs at
+	// the process, rather than thread, level. Consider processes P and Q, with
+	// threads P.1, P.2, and Q.3. The following trace is NOT a deadlock, but will be
+	// reported as a deadlock on systems that consider only process granularity:
+	//
+	// 	P.1 locks file A.
+	// 	Q.3 locks file B.
+	// 	Q.3 blocks on file A.
+	// 	P.2 blocks on file B. (This is erroneously reported as a deadlock.)
+	// 	P.1 unlocks file A.
+	// 	Q.3 unblocks and locks file A.
+	// 	Q.3 unlocks files A and B.
+	// 	P.2 unblocks and locks file B.
+	// 	P.2 unlocks file B.
+	//
+	// These spurious errors were observed in practice on AIX and Solaris in
+	// cmd/go: see https://golang.org/issue/32817.
+	//
+	// We work around this bug by treating EDEADLK as always spurious. If there
+	// really is a lock-ordering bug between the interacting processes, it will
+	// become a livelock instead, but that's not appreciably worse than if we had
+	// a proper flock implementation (which generally does not even attempt to
+	// diagnose deadlocks).
+	//
+	// In the above example, that changes the trace to:
+	//
+	// 	P.1 locks file A.
+	// 	Q.3 locks file B.
+	// 	Q.3 blocks on file A.
+	// 	P.2 spuriously fails to lock file B and goes to sleep.
+	// 	P.1 unlocks file A.
+	// 	Q.3 unblocks and locks file A.
+	// 	Q.3 unlocks files A and B.
+	// 	P.2 wakes up and locks file B.
+	// 	P.2 unlocks file B.
+	//
+	// We know that the retry loop will not introduce a *spurious* livelock
+	// because, according to the POSIX specification, EDEADLK is only to be
+	// returned when “the lock is blocked by a lock from another process”.
+	// If that process is blocked on some lock that we are holding, then the
+	// resulting livelock is due to a real deadlock (and would manifest as such
+	// when using, for example, the flock implementation of this package).
+	// If the other process is *not* blocked on some other lock that we are
+	// holding, then it will eventually release the requested lock.
+
+	nextSleep := 1 * time.Millisecond
+	const maxSleep = 500 * time.Millisecond
+	for {
+		err = setlkw(f.Fd(), lt)
+		if err != syscall.EDEADLK {
+			break
+		}
+		time.Sleep(nextSleep)
+
+		nextSleep += nextSleep
+		if nextSleep > maxSleep {
+			nextSleep = maxSleep
+		}
+		// Apply 10% jitter to avoid synchronizing collisions when we finally unblock.
+		nextSleep += time.Duration((0.1*rand.Float64() - 0.05) * float64(nextSleep))
+	}
+
+	if err != nil {
+		unlock(f)
+		return &fs.PathError{
+			Op:   lt.String(),
+			Path: f.Name(),
+			Err:  err,
+		}
+	}
+
+	return nil
+}
+
+func unlock(f File) error {
+	var owner File
+
+	mu.Lock()
+	ino, ok := inodes[f]
+	if ok {
+		owner = locks[ino].owner
+	}
+	mu.Unlock()
+
+	if owner != f {
+		panic("unlock called on a file that is not locked")
+	}
+
+	err := setlkw(f.Fd(), syscall.F_UNLCK)
+
+	mu.Lock()
+	l := locks[ino]
+	if len(l.queue) == 0 {
+		// No waiters: remove the map entry.
+		delete(locks, ino)
+	} else {
+		// The first waiter is sending us their file now.
+		// Receive it and update the queue.
+		l.owner = <-l.queue[0]
+		l.queue = l.queue[1:]
+		locks[ino] = l
+	}
+	delete(inodes, f)
+	mu.Unlock()
+
+	return err
+}
+
+// setlkw calls FcntlFlock with F_SETLKW for the entire file indicated by fd.
+func setlkw(fd uintptr, lt lockType) error {
+	for {
+		err := syscall.FcntlFlock(fd, syscall.F_SETLKW, &syscall.Flock_t{
+			Type:   int16(lt),
+			Whence: io.SeekStart,
+			Start:  0,
+			Len:    0, // All bytes.
+		})
+		if err != syscall.EINTR {
+			return err
+		}
+	}
+}
--- a/internal/lockedfile/internal/filelock/filelock_other.go
+++ b/internal/lockedfile/internal/filelock/filelock_other.go
@@ -0,0 +1,35 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !unix && !windows
+
+package filelock
+
+import (
+	"errors"
+	"io/fs"
+)
+
+type lockType int8
+
+const (
+	readLock = iota + 1
+	writeLock
+)
+
+func lock(f File, lt lockType) error {
+	return &fs.PathError{
+		Op:   lt.String(),
+		Path: f.Name(),
+		Err:  errors.ErrUnsupported,
+	}
+}
+
+func unlock(f File) error {
+	return &fs.PathError{
+		Op:   "Unlock",
+		Path: f.Name(),
+		Err:  errors.ErrUnsupported,
+	}
+}
--- a/internal/lockedfile/internal/filelock/filelock_test.go
+++ b/internal/lockedfile/internal/filelock/filelock_test.go
@@ -0,0 +1,209 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !js && !plan9 && !wasip1
+
+package filelock_test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+	"time"
+
+	"hakurei.app/container"
+	"hakurei.app/internal/lockedfile/internal/filelock"
+	"hakurei.app/internal/lockedfile/internal/testexec"
+)
+
+func lock(t *testing.T, f *os.File) {
+	t.Helper()
+	err := filelock.Lock(f)
+	t.Logf("Lock(fd %d) = %v", f.Fd(), err)
+	if err != nil {
+		t.Fail()
+	}
+}
+
+func rLock(t *testing.T, f *os.File) {
+	t.Helper()
+	err := filelock.RLock(f)
+	t.Logf("RLock(fd %d) = %v", f.Fd(), err)
+	if err != nil {
+		t.Fail()
+	}
+}
+
+func unlock(t *testing.T, f *os.File) {
+	t.Helper()
+	err := filelock.Unlock(f)
+	t.Logf("Unlock(fd %d) = %v", f.Fd(), err)
+	if err != nil {
+		t.Fail()
+	}
+}
+
+func mustTempFile(t *testing.T) (f *os.File, remove func()) {
+	t.Helper()
+
+	base := filepath.Base(t.Name())
+	f, err := os.CreateTemp("", base)
+	if err != nil {
+		t.Fatalf(`os.CreateTemp("", %q) = %v`, base, err)
+	}
+	t.Logf("fd %d = %s", f.Fd(), f.Name())
+
+	return f, func() {
+		f.Close()
+		os.Remove(f.Name())
+	}
+}
+
+func mustOpen(t *testing.T, name string) *os.File {
+	t.Helper()
+
+	f, err := os.OpenFile(name, os.O_RDWR, 0)
+	if err != nil {
+		t.Fatalf("os.OpenFile(%q) = %v", name, err)
+	}
+
+	t.Logf("fd %d = os.OpenFile(%q)", f.Fd(), name)
+	return f
+}
+
+const (
+	quiescent            = 10 * time.Millisecond
+	probablyStillBlocked = 10 * time.Second
+)
+
+func mustBlock(t *testing.T, op string, f *os.File) (wait func(*testing.T)) {
+	t.Helper()
+
+	desc := fmt.Sprintf("%s(fd %d)", op, f.Fd())
+
+	done := make(chan struct{})
+	go func() {
+		t.Helper()
+		switch op {
+		case "Lock":
+			lock(t, f)
+		case "RLock":
+			rLock(t, f)
+		default:
+			panic("invalid op: " + op)
+		}
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		t.Fatalf("%s unexpectedly did not block", desc)
+		return nil
+
+	case <-time.After(quiescent):
+		t.Logf("%s is blocked (as expected)", desc)
+		return func(t *testing.T) {
+			t.Helper()
+			select {
+			case <-time.After(probablyStillBlocked):
+				t.Fatalf("%s is unexpectedly still blocked", desc)
+			case <-done:
+			}
+		}
+	}
+}
+
+func TestLockExcludesLock(t *testing.T) {
+	t.Parallel()
+
+	f, remove := mustTempFile(t)
+	defer remove()
+
+	other := mustOpen(t, f.Name())
+	defer other.Close()
+
+	lock(t, f)
+	lockOther := mustBlock(t, "Lock", other)
+	unlock(t, f)
+	lockOther(t)
+	unlock(t, other)
+}
+
+func TestLockExcludesRLock(t *testing.T) {
+	t.Parallel()
+
+	f, remove := mustTempFile(t)
+	defer remove()
+
+	other := mustOpen(t, f.Name())
+	defer other.Close()
+
+	lock(t, f)
+	rLockOther := mustBlock(t, "RLock", other)
+	unlock(t, f)
+	rLockOther(t)
+	unlock(t, other)
+}
+
+func TestRLockExcludesOnlyLock(t *testing.T) {
+	t.Parallel()
+
+	f, remove := mustTempFile(t)
+	defer remove()
+	rLock(t, f)
+
+	f2 := mustOpen(t, f.Name())
+	defer f2.Close()
+
+	doUnlockTF := false
+	switch runtime.GOOS {
+	case "aix", "solaris":
+		// When using POSIX locks (as on Solaris), we can't safely read-lock the
+		// same inode through two different descriptors at the same time: when the
+		// first descriptor is closed, the second descriptor would still be open but
+		// silently unlocked. So a second RLock must block instead of proceeding.
+		lockF2 := mustBlock(t, "RLock", f2)
+		unlock(t, f)
+		lockF2(t)
+	default:
+		rLock(t, f2)
+		doUnlockTF = true
+	}
+
+	other := mustOpen(t, f.Name())
+	defer other.Close()
+	lockOther := mustBlock(t, "Lock", other)
+
+	unlock(t, f2)
+	if doUnlockTF {
+		unlock(t, f)
+	}
+	lockOther(t)
+	unlock(t, other)
+}
+
+func TestLockNotDroppedByExecCommand(t *testing.T) {
+	f, remove := mustTempFile(t)
+	defer remove()
+
+	lock(t, f)
+
+	other := mustOpen(t, f.Name())
+	defer other.Close()
+
+	// Some kinds of file locks are dropped when a duplicated or forked file
+	// descriptor is unlocked. Double-check that the approach used by os/exec does
+	// not accidentally drop locks.
+	cmd := testexec.CommandContext(t, t.Context(), container.MustExecutable(nil), "-test.run=^$")
+	if err := cmd.Run(); err != nil {
+		t.Fatalf("exec failed: %v", err)
+	}
+
+	lockOther := mustBlock(t, "Lock", other)
+	unlock(t, f)
+	lockOther(t)
+	unlock(t, other)
+}
--- a/internal/lockedfile/internal/filelock/filelock_unix.go
+++ b/internal/lockedfile/internal/filelock/filelock_unix.go
@@ -0,0 +1,40 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build darwin || dragonfly || freebsd || illumos || linux || netbsd || openbsd
+
+package filelock
+
+import (
+	"io/fs"
+	"syscall"
+)
+
+type lockType int16
+
+const (
+	readLock  lockType = syscall.LOCK_SH
+	writeLock lockType = syscall.LOCK_EX
+)
+
+func lock(f File, lt lockType) (err error) {
+	for {
+		err = syscall.Flock(int(f.Fd()), int(lt))
+		if err != syscall.EINTR {
+			break
+		}
+	}
+	if err != nil {
+		return &fs.PathError{
+			Op:   lt.String(),
+			Path: f.Name(),
+			Err:  err,
+		}
+	}
+	return nil
+}
+
+func unlock(f File) error {
+	return lock(f, syscall.LOCK_UN)
+}
--- a/internal/lockedfile/internal/filelock/filelock_windows.go
+++ b/internal/lockedfile/internal/filelock/filelock_windows.go
@@ -0,0 +1,57 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+
+package filelock
+
+import (
+	"internal/syscall/windows"
+	"io/fs"
+	"syscall"
+)
+
+type lockType uint32
+
+const (
+	readLock  lockType = 0
+	writeLock lockType = windows.LOCKFILE_EXCLUSIVE_LOCK
+)
+
+const (
+	reserved = 0
+	allBytes = ^uint32(0)
+)
+
+func lock(f File, lt lockType) error {
+	// Per https://golang.org/issue/19098, “Programs currently expect the Fd
+	// method to return a handle that uses ordinary synchronous I/O.”
+	// However, LockFileEx still requires an OVERLAPPED structure,
+	// which contains the file offset of the beginning of the lock range.
+	// We want to lock the entire file, so we leave the offset as zero.
+	ol := new(syscall.Overlapped)
+
+	err := windows.LockFileEx(syscall.Handle(f.Fd()), uint32(lt), reserved, allBytes, allBytes, ol)
+	if err != nil {
+		return &fs.PathError{
+			Op:   lt.String(),
+			Path: f.Name(),
+			Err:  err,
+		}
+	}
+	return nil
+}
+
+func unlock(f File) error {
+	ol := new(syscall.Overlapped)
+	err := windows.UnlockFileEx(syscall.Handle(f.Fd()), reserved, allBytes, allBytes, ol)
+	if err != nil {
+		return &fs.PathError{
+			Op:   "Unlock",
+			Path: f.Name(),
+			Err:  err,
+		}
+	}
+	return nil
+}
--- a/internal/lockedfile/internal/testexec/exec.go
+++ b/internal/lockedfile/internal/testexec/exec.go
@@ -0,0 +1,43 @@
+package testexec
+
+import (
+	"context"
+	"os/exec"
+	"syscall"
+	"testing"
+)
+
+// CommandContext is like exec.CommandContext, but:
+//   - sends SIGQUIT instead of SIGKILL in its Cancel function
+//   - fails the test if the command does not complete before the context is canceled, and
+//   - sets a Cleanup function that verifies that the test did not leak a subprocess.
+func CommandContext(t testing.TB, ctx context.Context, name string, args ...string) *exec.Cmd {
+	t.Helper()
+
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Cancel = func() error {
+		if ctx.Err() == context.DeadlineExceeded {
+			// The command timed out due to running too close to the test's deadline.
+			// There is no way the test did that intentionally — it's too close to the
+			// wire! — so mark it as a test failure. That way, if the test expects the
+			// command to fail for some other reason, it doesn't have to distinguish
+			// between that reason and a timeout.
+			t.Errorf("test timed out while running command: %v", cmd)
+		} else {
+			// The command is being terminated due to ctx being canceled, but
+			// apparently not due to an explicit test deadline that we added.
+			// Log that information in case it is useful for diagnosing a failure,
+			// but don't actually fail the test because of it.
+			t.Logf("%v: terminating command: %v", ctx.Err(), cmd)
+		}
+		return cmd.Process.Signal(syscall.SIGQUIT)
+	}
+
+	t.Cleanup(func() {
+		if cmd.Process != nil && cmd.ProcessState == nil {
+			t.Errorf("command was started, but test did not wait for it to complete: %v", cmd)
+		}
+	})
+
+	return cmd
+}
--- a/internal/lockedfile/lockedfile.go
+++ b/internal/lockedfile/lockedfile.go
@@ -0,0 +1,189 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package lockedfile creates and manipulates files whose contents should only
+// change atomically.
+package lockedfile
+
+import (
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"runtime"
+)
+
+// A File is a locked *os.File.
+//
+// Closing the file releases the lock.
+//
+// If the program exits while a file is locked, the operating system releases
+// the lock but may not do so promptly: callers must ensure that all locked
+// files are closed before exiting.
+type File struct {
+	osFile
+	closed bool
+	// cleanup panics when the file is no longer referenced and it has not been closed.
+	cleanup runtime.Cleanup
+}
+
+// osFile embeds a *os.File while keeping the pointer itself unexported.
+// (When we close a File, it must be the same file descriptor that we opened!)
+type osFile struct {
+	*os.File
+}
+
+// OpenFile is like os.OpenFile, but returns a locked file.
+// If flag includes os.O_WRONLY or os.O_RDWR, the file is write-locked;
+// otherwise, it is read-locked.
+func OpenFile(name string, flag int, perm fs.FileMode) (*File, error) {
+	var (
+		f   = new(File)
+		err error
+	)
+	f.osFile.File, err = openFile(name, flag, perm)
+	if err != nil {
+		return nil, err
+	}
+
+	// Although the operating system will drop locks for open files when the go
+	// command exits, we want to hold locks for as little time as possible, and we
+	// especially don't want to leave a file locked after we're done with it. Our
+	// Close method is what releases the locks, so use a cleanup to report
+	// missing Close calls on a best-effort basis.
+	f.cleanup = runtime.AddCleanup(f, func(fileName string) {
+		panic(fmt.Sprintf("lockedfile.File %s became unreachable without a call to Close", fileName))
+	}, f.Name())
+
+	return f, nil
+}
+
+// Open is like os.Open, but returns a read-locked file.
+func Open(name string) (*File, error) {
+	return OpenFile(name, os.O_RDONLY, 0)
+}
+
+// Create is like os.Create, but returns a write-locked file.
+func Create(name string) (*File, error) {
+	return OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
+}
+
+// Edit creates the named file with mode 0666 (before umask),
+// but does not truncate existing contents.
+//
+// If Edit succeeds, methods on the returned File can be used for I/O.
+// The associated file descriptor has mode O_RDWR and the file is write-locked.
+func Edit(name string) (*File, error) {
+	return OpenFile(name, os.O_RDWR|os.O_CREATE, 0666)
+}
+
+// Close unlocks and closes the underlying file.
+//
+// Close may be called multiple times; all calls after the first will return a
+// non-nil error.
+func (f *File) Close() error {
+	if f.closed {
+		return &fs.PathError{
+			Op:   "close",
+			Path: f.Name(),
+			Err:  fs.ErrClosed,
+		}
+	}
+	f.closed = true
+
+	err := closeFile(f.osFile.File)
+	f.cleanup.Stop()
+	return err
+}
+
+// Read opens the named file with a read-lock and returns its contents.
+func Read(name string) ([]byte, error) {
+	f, err := Open(name)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	return io.ReadAll(f)
+}
+
+// Write opens the named file (creating it with the given permissions if needed),
+// then write-locks it and overwrites it with the given content.
+func Write(name string, content io.Reader, perm fs.FileMode) (err error) {
+	f, err := OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
+	if err != nil {
+		return err
+	}
+
+	_, err = io.Copy(f, content)
+	if closeErr := f.Close(); err == nil {
+		err = closeErr
+	}
+	return err
+}
+
+// Transform invokes t with the result of reading the named file, with its lock
+// still held.
+//
+// If t returns a nil error, Transform then writes the returned contents back to
+// the file, making a best effort to preserve existing contents on error.
+//
+// t must not modify the slice passed to it.
+func Transform(name string, t func([]byte) ([]byte, error)) (err error) {
+	f, err := Edit(name)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	old, err := io.ReadAll(f)
+	if err != nil {
+		return err
+	}
+
+	new, err := t(old)
+	if err != nil {
+		return err
+	}
+
+	if len(new) > len(old) {
+		// The overall file size is increasing, so write the tail first: if we're
+		// about to run out of space on the disk, we would rather detect that
+		// failure before we have overwritten the original contents.
+		if _, err := f.WriteAt(new[len(old):], int64(len(old))); err != nil {
+			// Make a best effort to remove the incomplete tail.
+			f.Truncate(int64(len(old)))
+			return err
+		}
+	}
+
+	// We're about to overwrite the old contents. In case of failure, make a best
+	// effort to roll back before we close the file.
+	defer func() {
+		if err != nil {
+			if _, err := f.WriteAt(old, 0); err == nil {
+				f.Truncate(int64(len(old)))
+			}
+		}
+	}()
+
+	if len(new) >= len(old) {
+		if _, err := f.WriteAt(new[:len(old)], 0); err != nil {
+			return err
+		}
+	} else {
+		if _, err := f.WriteAt(new, 0); err != nil {
+			return err
+		}
+		// The overall file size is decreasing, so shrink the file to its final size
+		// after writing. We do this after writing (instead of before) so that if
+		// the write fails, enough filesystem space will likely still be reserved
+		// to contain the previous contents.
+		if err := f.Truncate(int64(len(new))); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/internal/lockedfile/lockedfile_filelock.go
+++ b/internal/lockedfile/lockedfile_filelock.go
@@ -0,0 +1,65 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !plan9
+
+package lockedfile
+
+import (
+	"io/fs"
+	"os"
+
+	"hakurei.app/internal/lockedfile/internal/filelock"
+)
+
+func openFile(name string, flag int, perm fs.FileMode) (*os.File, error) {
+	// On BSD systems, we could add the O_SHLOCK or O_EXLOCK flag to the OpenFile
+	// call instead of locking separately, but we have to support separate locking
+	// calls for Linux and Windows anyway, so it's simpler to use that approach
+	// consistently.
+
+	f, err := os.OpenFile(name, flag&^os.O_TRUNC, perm)
+	if err != nil {
+		return nil, err
+	}
+
+	switch flag & (os.O_RDONLY | os.O_WRONLY | os.O_RDWR) {
+	case os.O_WRONLY, os.O_RDWR:
+		err = filelock.Lock(f)
+	default:
+		err = filelock.RLock(f)
+	}
+	if err != nil {
+		f.Close()
+		return nil, err
+	}
+
+	if flag&os.O_TRUNC == os.O_TRUNC {
+		if err := f.Truncate(0); err != nil {
+			// The documentation for os.O_TRUNC says “if possible, truncate file when
+			// opened”, but doesn't define “possible” (golang.org/issue/28699).
+			// We'll treat regular files (and symlinks to regular files) as “possible”
+			// and ignore errors for the rest.
+			if fi, statErr := f.Stat(); statErr != nil || fi.Mode().IsRegular() {
+				filelock.Unlock(f)
+				f.Close()
+				return nil, err
+			}
+		}
+	}
+
+	return f, nil
+}
+
+func closeFile(f *os.File) error {
+	// Since locking syscalls operate on file descriptors, we must unlock the file
+	// while the descriptor is still valid — that is, before the file is closed —
+	// and avoid unlocking files that are already closed.
+	err := filelock.Unlock(f)
+
+	if closeErr := f.Close(); err == nil {
+		err = closeErr
+	}
+	return err
+}
--- a/internal/lockedfile/lockedfile_plan9.go
+++ b/internal/lockedfile/lockedfile_plan9.go
@@ -0,0 +1,94 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build plan9
+
+package lockedfile
+
+import (
+	"io/fs"
+	"math/rand"
+	"os"
+	"strings"
+	"time"
+)
+
+// Opening an exclusive-use file returns an error.
+// The expected error strings are:
+//
+//   - "open/create -- file is locked" (cwfs, kfs)
+//   - "exclusive lock" (fossil)
+//   - "exclusive use file already open" (ramfs)
+var lockedErrStrings = [...]string{
+	"file is locked",
+	"exclusive lock",
+	"exclusive use file already open",
+}
+
+// Even though plan9 doesn't support the Lock/RLock/Unlock functions to
+// manipulate already-open files, IsLocked is still meaningful: os.OpenFile
+// itself may return errors that indicate that a file with the ModeExclusive bit
+// set is already open.
+func isLocked(err error) bool {
+	s := err.Error()
+
+	for _, frag := range lockedErrStrings {
+		if strings.Contains(s, frag) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func openFile(name string, flag int, perm fs.FileMode) (*os.File, error) {
+	// Plan 9 uses a mode bit instead of explicit lock/unlock syscalls.
+	//
+	// Per http://man.cat-v.org/plan_9/5/stat: “Exclusive use files may be open
+	// for I/O by only one fid at a time across all clients of the server. If a
+	// second open is attempted, it draws an error.”
+	//
+	// So we can try to open a locked file, but if it fails we're on our own to
+	// figure out when it becomes available. We'll use exponential backoff with
+	// some jitter and an arbitrary limit of 500ms.
+
+	// If the file was unpacked or created by some other program, it might not
+	// have the ModeExclusive bit set. Set it before we call OpenFile, so that we
+	// can be confident that a successful OpenFile implies exclusive use.
+	if fi, err := os.Stat(name); err == nil {
+		if fi.Mode()&fs.ModeExclusive == 0 {
+			if err := os.Chmod(name, fi.Mode()|fs.ModeExclusive); err != nil {
+				return nil, err
+			}
+		}
+	} else if !os.IsNotExist(err) {
+		return nil, err
+	}
+
+	nextSleep := 1 * time.Millisecond
+	const maxSleep = 500 * time.Millisecond
+	for {
+		f, err := os.OpenFile(name, flag, perm|fs.ModeExclusive)
+		if err == nil {
+			return f, nil
+		}
+
+		if !isLocked(err) {
+			return nil, err
+		}
+
+		time.Sleep(nextSleep)
+
+		nextSleep += nextSleep
+		if nextSleep > maxSleep {
+			nextSleep = maxSleep
+		}
+		// Apply 10% jitter to avoid synchronizing collisions.
+		nextSleep += time.Duration((0.1*rand.Float64() - 0.05) * float64(nextSleep))
+	}
+}
+
+func closeFile(f *os.File) error {
+	return f.Close()
+}
--- a/internal/lockedfile/lockedfile_test.go
+++ b/internal/lockedfile/lockedfile_test.go
@@ -0,0 +1,263 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// js and wasip1 do not support inter-process file locking.
+//
+//go:build !js && !wasip1
+
+package lockedfile_test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"hakurei.app/container"
+	"hakurei.app/internal/lockedfile"
+	"hakurei.app/internal/lockedfile/internal/testexec"
+)
+
+const (
+	quiescent            = 10 * time.Millisecond
+	probablyStillBlocked = 10 * time.Second
+)
+
+func mustBlock(t *testing.T, desc string, f func()) (wait func(*testing.T)) {
+	t.Helper()
+
+	done := make(chan struct{})
+	go func() {
+		f()
+		close(done)
+	}()
+
+	timer := time.NewTimer(quiescent)
+	defer timer.Stop()
+	select {
+	case <-done:
+		t.Fatalf("%s unexpectedly did not block", desc)
+	case <-timer.C:
+	}
+
+	return func(t *testing.T) {
+		logTimer := time.NewTimer(quiescent)
+		defer logTimer.Stop()
+
+		select {
+		case <-logTimer.C:
+			// We expect the operation to have unblocked by now,
+			// but maybe it's just slow. Write to the test log
+			// in case the test times out, but don't fail it.
+			t.Helper()
+			t.Logf("%s is unexpectedly still blocked after %v", desc, quiescent)
+
+			// Wait for the operation to actually complete, no matter how long it
+			// takes. If the test has deadlocked, this will cause the test to time out
+			// and dump goroutines.
+			<-done
+
+		case <-done:
+		}
+	}
+}
+
+func TestMutexExcludes(t *testing.T) {
+	t.Parallel()
+
+	path := filepath.Join(t.TempDir(), "lock")
+	mu := lockedfile.MutexAt(path)
+	t.Logf("mu := MutexAt(_)")
+
+	unlock, err := mu.Lock()
+	if err != nil {
+		t.Fatalf("mu.Lock: %v", err)
+	}
+	t.Logf("unlock, _  := mu.Lock()")
+
+	mu2 := lockedfile.MutexAt(mu.Path)
+	t.Logf("mu2 := MutexAt(mu.Path)")
+
+	wait := mustBlock(t, "mu2.Lock()", func() {
+		unlock2, err := mu2.Lock()
+		if err != nil {
+			t.Errorf("mu2.Lock: %v", err)
+			return
+		}
+		t.Logf("unlock2, _ := mu2.Lock()")
+		t.Logf("unlock2()")
+		unlock2()
+	})
+
+	t.Logf("unlock()")
+	unlock()
+	wait(t)
+}
+
+func TestReadWaitsForLock(t *testing.T) {
+	t.Parallel()
+
+	path := filepath.Join(t.TempDir(), "timestamp.txt")
+	f, err := lockedfile.Create(path)
+	if err != nil {
+		t.Fatalf("Create: %v", err)
+	}
+	defer f.Close()
+
+	const (
+		part1 = "part 1\n"
+		part2 = "part 2\n"
+	)
+	_, err = f.WriteString(part1)
+	if err != nil {
+		t.Fatalf("WriteString: %v", err)
+	}
+	t.Logf("WriteString(%q) = <nil>", part1)
+
+	wait := mustBlock(t, "Read", func() {
+		b, err := lockedfile.Read(path)
+		if err != nil {
+			t.Errorf("Read: %v", err)
+			return
+		}
+
+		const want = part1 + part2
+		got := string(b)
+		if got == want {
+			t.Logf("Read(_) = %q", got)
+		} else {
+			t.Errorf("Read(_) = %q, _; want %q", got, want)
+		}
+	})
+
+	_, err = f.WriteString(part2)
+	if err != nil {
+		t.Errorf("WriteString: %v", err)
+	} else {
+		t.Logf("WriteString(%q) = <nil>", part2)
+	}
+	f.Close()
+
+	wait(t)
+}
+
+func TestCanLockExistingFile(t *testing.T) {
+	t.Parallel()
+
+	path := filepath.Join(t.TempDir(), "existing.txt")
+	if err := os.WriteFile(path, []byte("ok"), 0777); err != nil {
+		t.Fatalf("os.WriteFile: %v", err)
+	}
+
+	f, err := lockedfile.Edit(path)
+	if err != nil {
+		t.Fatalf("first Edit: %v", err)
+	}
+
+	wait := mustBlock(t, "Edit", func() {
+		other, err := lockedfile.Edit(path)
+		if err != nil {
+			t.Errorf("second Edit: %v", err)
+		}
+		other.Close()
+	})
+
+	f.Close()
+	wait(t)
+}
+
+// TestSpuriousEDEADLK verifies that the spurious EDEADLK reported in
+// https://golang.org/issue/32817 no longer occurs.
+func TestSpuriousEDEADLK(t *testing.T) {
+	// 	P.1 locks file A.
+	// 	Q.3 locks file B.
+	// 	Q.3 blocks on file A.
+	// 	P.2 blocks on file B. (Spurious EDEADLK occurs here.)
+	// 	P.1 unlocks file A.
+	// 	Q.3 unblocks and locks file A.
+	// 	Q.3 unlocks files A and B.
+	// 	P.2 unblocks and locks file B.
+	// 	P.2 unlocks file B.
+
+	dirVar := t.Name() + "DIR"
+
+	if dir := os.Getenv(dirVar); dir != "" {
+		// Q.3 locks file B.
+		b, err := lockedfile.Edit(filepath.Join(dir, "B"))
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer b.Close()
+
+		if err := os.WriteFile(filepath.Join(dir, "locked"), []byte("ok"), 0666); err != nil {
+			t.Fatal(err)
+		}
+
+		// Q.3 blocks on file A.
+		a, err := lockedfile.Edit(filepath.Join(dir, "A"))
+		// Q.3 unblocks and locks file A.
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer a.Close()
+
+		// Q.3 unlocks files A and B.
+		return
+	}
+
+	dir := t.TempDir()
+
+	// P.1 locks file A.
+	a, err := lockedfile.Edit(filepath.Join(dir, "A"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cmd := testexec.CommandContext(t, t.Context(), container.MustExecutable(nil), "-test.run=^"+t.Name()+"$")
+	cmd.Env = append(os.Environ(), fmt.Sprintf("%s=%s", dirVar, dir))
+
+	qDone := make(chan struct{})
+	waitQ := mustBlock(t, "Edit A and B in subprocess", func() {
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			t.Errorf("%v:\n%s", err, out)
+		}
+		close(qDone)
+	})
+
+	// Wait until process Q has either failed or locked file B.
+	// Otherwise, P.2 might not block on file B as intended.
+locked:
+	for {
+		if _, err := os.Stat(filepath.Join(dir, "locked")); !os.IsNotExist(err) {
+			break locked
+		}
+		timer := time.NewTimer(1 * time.Millisecond)
+		select {
+		case <-qDone:
+			timer.Stop()
+			break locked
+		case <-timer.C:
+		}
+	}
+
+	waitP2 := mustBlock(t, "Edit B", func() {
+		// P.2 blocks on file B. (Spurious EDEADLK occurs here.)
+		b, err := lockedfile.Edit(filepath.Join(dir, "B"))
+		// P.2 unblocks and locks file B.
+		if err != nil {
+			t.Error(err)
+			return
+		}
+		// P.2 unlocks file B.
+		b.Close()
+	})
+
+	// P.1 unlocks file A.
+	a.Close()
+
+	waitQ(t)
+	waitP2(t)
+}
--- a/Show More
+++ b/Show More