release: 0.0.2

Signed-off-by: Ophestra <cat@gensokyo.uk>
cmd/planterette: remove hsu special case
2025-06-25 21:11:11 +09:00 · 2025-06-25 20:50:24 +09:00 · 2025-06-25 20:17:53 +09:00 · 2025-06-25 19:37:45 +09:00 · 2025-06-25 05:05:06 +09:00 · 2025-06-25 04:57:41 +09:00
169 changed files with 5955 additions and 4514 deletions
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@ -20,5 +20,5 @@ jobs:
        uses: https://gitea.com/actions/release-action@main
        with:
          files: |-
-            result/fortify-**
+            result/hakurei-**
          api_key: '${{secrets.RELEASE_TOKEN}}'
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -5,42 +5,25 @@ on:
  - pull_request

 jobs:
-  fortify:
-    name: Fortify
+  hakurei:
+    name: Hakurei
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fortify
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hakurei

      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-vm-output"
-          path: result/*
-          retention-days: 1
-
-  fpkg:
-    name: Fpkg
-    runs-on: nix
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fpkg
-
-      - name: Upload test output
-        uses: actions/upload-artifact@v3
-        with:
-          name: "fpkg-vm-output"
+          name: "hakurei-vm-output"
          path: result/*
          retention-days: 1

  race:
-    name: Data race detector
+    name: Hakurei (race detector)
    runs-on: nix
    steps:
      - name: Checkout
@ -52,16 +35,69 @@ jobs:
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-race-vm-output"
+          name: "hakurei-race-vm-output"
+          path: result/*
+          retention-days: 1
+
+  sandbox:
+    name: Sandbox
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sandbox
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "sandbox-vm-output"
+          path: result/*
+          retention-days: 1
+
+  sandbox-race:
+    name: Sandbox (race detector)
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sandbox-race
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "sandbox-race-vm-output"
+          path: result/*
+          retention-days: 1
+
+  planterette:
+    name: Planterette
+    runs-on: nix
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run NixOS test
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.planterette
+
+      - name: Upload test output
+        uses: actions/upload-artifact@v3
+        with:
+          name: "planterette-vm-output"
          path: result/*
          retention-days: 1

  check:
    name: Flake checks
    needs:
-      - fortify
-      - fpkg
+      - hakurei
      - race
+      - sandbox
+      - sandbox-race
+      - planterette
    runs-on: nix
    steps:
      - name: Checkout
@ -80,15 +116,15 @@ jobs:
      - name: Build for test
        id: build-test
        run: >-
-          export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
-          sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
+          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
          nix build --print-out-paths --print-build-logs .#dist &&
          mv package.nix.old package.nix &&
-          echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
+          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT

      - name: Upload test build
        uses: actions/upload-artifact@v3
        with:
-          name: "fortify-${{ steps.build-test.outputs.rev }}"
+          name: "hakurei-${{ steps.build-test.outputs.rev }}"
          path: result/*
          retention-days: 1
--- a/.github/workflows/README
+++ b/.github/workflows/README
@ -0,0 +1 @@
+This port is solely for releasing to the github mirror and serves no purpose during development.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,46 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: nixbuild/nix-quick-install-action@v32
+        with:
+          nix_conf: |
+            keep-env-derivations = true
+            keep-outputs = true
+
+      - name: Restore and cache Nix store
+        uses: nix-community/cache-nix-action@v6
+        with:
+          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: build-${{ runner.os }}-
+          gc-max-store-size-linux: 1G
+          purge: true
+          purge-prefixes: build-${{ runner.os }}-
+          purge-created: 60
+          purge-primary-key: never
+
+      - name: Build for release
+        run: nix build --print-out-paths --print-build-logs .#dist
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |-
+            result/hakurei-**
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,48 @@
+name: Test
+
+on:
+  - push
+
+jobs:
+  dist:
+    name: Create distribution
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: nixbuild/nix-quick-install-action@v32
+        with:
+          nix_conf: |
+            keep-env-derivations = true
+            keep-outputs = true
+
+      - name: Restore and cache Nix store
+        uses: nix-community/cache-nix-action@v6
+        with:
+          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: build-${{ runner.os }}-
+          gc-max-store-size-linux: 1G
+          purge: true
+          purge-prefixes: build-${{ runner.os }}-
+          purge-created: 60
+          purge-primary-key: never
+
+      - name: Build for test
+        id: build-test
+        run: >-
+          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
+          nix build --print-out-paths --print-build-logs .#dist &&
+          mv package.nix.old package.nix &&
+          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
+
+      - name: Upload test build
+        uses: actions/upload-artifact@v4
+        with:
+          name: "hakurei-${{ steps.build-test.outputs.rev }}"
+          path: result/*
+          retention-days: 1
--- a/.gitignore
+++ b/.gitignore
@ -5,7 +5,7 @@
 *.so
 *.dylib
 *.pkg
-/fortify
+/hakurei

 # Test binary, built with `go test -c`
 *.test
@ -29,4 +29,4 @@ go.work.sum
 security-context-v1-protocol.*

 # release
-/dist/fortify-*
+/dist/hakurei-*
--- a/README.md
+++ b/README.md
@ -1,77 +1,79 @@
-Fortify
-=======
+<p align="center">
+  <a href="https://git.gensokyo.uk/security/hakurei">
+    <picture>
+      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
+    </picture>
+  </a>
+</p>

-[![Go Reference](https://pkg.go.dev/badge/git.gensokyo.uk/security/fortify.svg)](https://pkg.go.dev/git.gensokyo.uk/security/fortify)
-[![Go Report Card](https://goreportcard.com/badge/git.gensokyo.uk/security/fortify)](https://goreportcard.com/report/git.gensokyo.uk/security/fortify)
+<p align="center">
+  <a href="https://pkg.go.dev/git.gensokyo.uk/security/hakurei"><img src="https://pkg.go.dev/badge/git.gensokyo.uk/security/hakurei.svg" alt="Go Reference" /></a>
+  <a href="https://goreportcard.com/report/git.gensokyo.uk/security/hakurei"><img src="https://goreportcard.com/badge/git.gensokyo.uk/security/hakurei" alt="Go Report Card" /></a>
+</p>

-Lets you run graphical applications as another user in a confined environment with a nice NixOS
-module to configure target users and provide launchers and desktop files for your privileged user.
+Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
+It also implements [planterette (WIP)](cmd/planterette), a self-contained Android-like package manager with modern security features.

-Why would you want this?
+## NixOS Module usage

- It protects the desktop environment from applications.
-
- It protects applications from each other.
-
- It provides UID isolation on top of the standard application sandbox.
-
-If you have a flakes-enabled nix environment, you can try out the tool by running:
-
-```shell
-nix run git+https://git.gensokyo.uk/security/fortify -- help
-```
-
-## Module usage
-
-The NixOS module currently requires home-manager to function correctly.
-
-Full module documentation can be found [here](options.md).
+The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).

 To use the module, import it into your configuration with

 ```nix
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";

-    fortify = {
-      url = "git+https://git.gensokyo.uk/security/fortify";
+    hakurei = {
+      url = "git+https://git.gensokyo.uk/security/hakurei";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

-  outputs = { self, nixpkgs, fortify, ... }:
+  outputs = { self, nixpkgs, hakurei, ... }:
  {
-    nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
+    nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
-        fortify.nixosModules.fortify
+        hakurei.nixosModules.hakurei
      ];
    };
  };
 }
 ```

-This adds the `environment.fortify` option:
+This adds the `environment.hakurei` option:

 ```nix
 { pkgs, ... }:

 {
-  environment.fortify = {
+  environment.hakurei = {
    enable = true;
-    stateDir = "/var/lib/persist/module/fortify";
+    stateDir = "/var/lib/hakurei";
    users = {
      alice = 0;
      nixos = 10;
    };

-    apps = [
+    commonPaths = [
      {
+        src = "/sdcard";
+        write = true;
+      }
+    ];
+
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
+
+    apps = {
+      "org.chromium.Chromium" = {
        name = "chromium";
-        id = "org.chromium.Chromium";
+        identity = 1;
        packages = [ pkgs.chromium ];
        userns = true;
        mapRealUid = true;
@ -104,16 +106,20 @@ This adds the `environment.fortify` option:
              broadcast = { };
            };
        };
-      }
-      {
+      };
+
+      "org.claws_mail.Claws-Mail" = {
        name = "claws-mail";
-        id = "org.claws_mail.Claws-Mail";
+        identity = 2;
        packages = [ pkgs.claws-mail ];
        gpu = false;
        capability.pulse = false;
-      }
-      {
+      };
+
+      "org.weechat" = {
        name = "weechat";
+        identity = 3;
+        shareUid = true;
        packages = [ pkgs.weechat ];
        capability = {
          wayland = false;
@ -121,10 +127,12 @@ This adds the `environment.fortify` option:
          dbus = true;
          pulse = false;
        };
-      }
-      {
+      };
+
+      "dev.vencord.Vesktop" = {
        name = "discord";
-        id = "dev.vencord.Vesktop";
+        identity = 3;
+        shareUid = true;
        packages = [ pkgs.vesktop ];
        share = pkgs.vesktop;
        command = "vesktop --ozone-platform-hint=wayland";
@ -142,9 +150,12 @@ This adds the `environment.fortify` option:
            };
          system.filter = true;
        };
-      }
-      {
+      };
+
+      "io.looking-glass" = {
        name = "looking-glass-client";
+        identity = 4;
+        useCommonPaths = false;
        groups = [ "plugdev" ];
        extraPaths = [
          {
@ -155,8 +166,8 @@ This adds the `environment.fortify` option:
        extraConfig = {
          programs.looking-glass-client.enable = true;
        };
-      }
-    ];
+      };
+    };
  };
 }
 ```
--- a/acl/acl-update.c
+++ b/acl/acl-update.c
@ -1,69 +1,71 @@
 #include "acl-update.h"
-#include <stdlib.h>
-#include <stdbool.h>
-#include <sys/acl.h>
 #include <acl/libacl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/acl.h>

-int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen) {
-    int ret = -1;
-    bool v;
-    int i;
-    acl_t acl;
-    acl_entry_t entry;
-    acl_tag_t tag_type;
-    void *qualifier_p;
-    acl_permset_t permset;
+int hakurei_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms,
+                             size_t plen) {
+  int ret = -1;
+  bool v;
+  int i;
+  acl_t acl;
+  acl_entry_t entry;
+  acl_tag_t tag_type;
+  void *qualifier_p;
+  acl_permset_t permset;

-    acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
-    if (acl == NULL)
-        goto out;
+  acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
+  if (acl == NULL)
+    goto out;

-    // prune entries by uid
-    for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1; i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
-        if (acl_get_tag_type(entry, &tag_type) != 0)
-            return -1;
-        if (tag_type != ACL_USER)
-            continue;
+  // prune entries by uid
+  for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1;
+       i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
+    if (acl_get_tag_type(entry, &tag_type) != 0)
+      return -1;
+    if (tag_type != ACL_USER)
+      continue;

-        qualifier_p = acl_get_qualifier(entry);
-        if (qualifier_p == NULL)
-            return -1;
-        v = *(uid_t *)qualifier_p == uid;
-        acl_free(qualifier_p);
+    qualifier_p = acl_get_qualifier(entry);
+    if (qualifier_p == NULL)
+      return -1;
+    v = *(uid_t *)qualifier_p == uid;
+    acl_free(qualifier_p);

-        if (!v)
-            continue;
+    if (!v)
+      continue;

-        acl_delete_entry(acl, entry);
-    }
+    acl_delete_entry(acl, entry);
+  }

-    if (plen == 0)
-        goto set;
+  if (plen == 0)
+    goto set;

-    if (acl_create_entry(&acl, &entry) != 0)
-        goto out;
-    if (acl_get_permset(entry, &permset) != 0)
-        goto out;
-    for (i = 0; i < plen; i++) {
-        if (acl_add_perm(permset, perms[i]) != 0)
-            goto out;
-    }
-    if (acl_set_tag_type(entry, ACL_USER) != 0)
-        goto out;
-    if (acl_set_qualifier(entry, (void *)&uid) != 0)
-        goto out;
+  if (acl_create_entry(&acl, &entry) != 0)
+    goto out;
+  if (acl_get_permset(entry, &permset) != 0)
+    goto out;
+  for (i = 0; i < plen; i++) {
+    if (acl_add_perm(permset, perms[i]) != 0)
+      goto out;
+  }
+  if (acl_set_tag_type(entry, ACL_USER) != 0)
+    goto out;
+  if (acl_set_qualifier(entry, (void *)&uid) != 0)
+    goto out;

 set:
-    if (acl_calc_mask(&acl) != 0)
-        goto out;
-    if (acl_valid(acl) != 0)
-        goto out;
-    if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
-        ret = 0;
+  if (acl_calc_mask(&acl) != 0)
+    goto out;
+  if (acl_valid(acl) != 0)
+    goto out;
+  if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
+    ret = 0;

 out:
-    free((void *)path_p);
-    if (acl != NULL)
-        acl_free((void *)acl);
-    return ret;
+  free((void *)path_p);
+  if (acl != NULL)
+    acl_free((void *)acl);
+  return ret;
 }
--- a/acl/acl-update.h
+++ b/acl/acl-update.h
@ -1,3 +1,4 @@
 #include <sys/acl.h>

-int f_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms, size_t plen);
+int hakurei_acl_update_file_by_uid(const char *path_p, uid_t uid, acl_perm_t *perms,
+                             size_t plen);
--- a/acl/acl.go
+++ b/acl/acl.go
@ -23,7 +23,7 @@ func Update(name string, uid int, perms ...Perm) error {
 		p = &perms[0]
 	}

-	r, err := C.f_acl_update_file_by_uid(
+	r, err := C.hakurei_acl_update_file_by_uid(
 		C.CString(name),
 		C.uid_t(uid),
 		(*C.acl_perm_t)(p),
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@ -7,7 +7,7 @@ import (
 	"reflect"
 	"testing"

-	"git.gensokyo.uk/security/fortify/acl"
+	"git.gensokyo.uk/security/hakurei/acl"
 )

 const testFileName = "acl.test"
--- a/cmd/fpkg/app.go
+++ b/cmd/fpkg/app.go
@ -1,149 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"os"
-	"path"
-
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-type appInfo struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-
-	// passed through to [fst.Config]
-	ID string `json:"id"`
-	// passed through to [fst.Config]
-	AppID int `json:"app_id"`
-	// passed through to [fst.Config]
-	Groups []string `json:"groups,omitempty"`
-	// passed through to [fst.Config]
-	Devel bool `json:"devel,omitempty"`
-	// passed through to [fst.Config]
-	Userns bool `json:"userns,omitempty"`
-	// passed through to [fst.Config]
-	Net bool `json:"net,omitempty"`
-	// passed through to [fst.Config]
-	Dev bool `json:"dev,omitempty"`
-	// passed through to [fst.Config]
-	Tty bool `json:"tty,omitempty"`
-	// passed through to [fst.Config]
-	MapRealUID bool `json:"map_real_uid,omitempty"`
-	// passed through to [fst.Config]
-	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// passed through to [fst.Config]
-	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// passed through to [fst.Config]
-	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// passed through to [fst.Config]
-	Enablements system.Enablement `json:"enablements"`
-
-	// passed through to [fst.Config]
-	Multiarch bool `json:"multiarch,omitempty"`
-	// passed through to [fst.Config]
-	Bluetooth bool `json:"bluetooth,omitempty"`
-
-	// allow gpu access within sandbox
-	GPU bool `json:"gpu"`
-	// store path to nixGL mesa wrappers
-	Mesa string `json:"mesa,omitempty"`
-	// store path to nixGL source
-	NixGL string `json:"nix_gl,omitempty"`
-	// store path to activate-and-exec script
-	Launcher string `json:"launcher"`
-	// store path to /run/current-system
-	CurrentSystem string `json:"current_system"`
-	// store path to home-manager activation package
-	ActivationPackage string `json:"activation_package"`
-}
-
-func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *fst.Config {
-	config := &fst.Config{
-		ID:   app.ID,
-		Path: argv[0],
-		Args: argv,
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Groups:   app.Groups,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", app.ID),
-			Outer:    pathSet.homeDir,
-			Sandbox: &fst.SandboxConfig{
-				Hostname:      formatHostname(app.Name),
-				Devel:         app.Devel,
-				Userns:        app.Userns,
-				Net:           app.Net,
-				Dev:           app.Dev,
-				Tty:           app.Tty || flagDropShell,
-				MapRealUID:    app.MapRealUID,
-				DirectWayland: app.DirectWayland,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
-					{Src: "/etc/resolv.conf"},
-					{Src: "/sys/block"},
-					{Src: "/sys/bus"},
-					{Src: "/sys/class"},
-					{Src: "/sys/dev"},
-					{Src: "/sys/devices"},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			},
-			SystemBus:   app.SystemBus,
-			SessionBus:  app.SessionBus,
-			Enablements: app.Enablements,
-		},
-	}
-	if app.Multiarch {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FlagMultiarch
-	}
-	if app.Bluetooth {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FlagBluetooth
-	}
-	return config
-}
-
-func loadAppInfo(name string, beforeFail func()) *appInfo {
-	bundle := new(appInfo)
-	if f, err := os.Open(name); err != nil {
-		beforeFail()
-		log.Fatalf("cannot open bundle: %v", err)
-	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
-		beforeFail()
-		log.Fatalf("cannot parse bundle metadata: %v", err)
-	} else if err = f.Close(); err != nil {
-		log.Printf("cannot close bundle metadata: %v", err)
-		// not fatal
-	}
-
-	if bundle.ID == "" {
-		beforeFail()
-		log.Fatal("application identifier must not be empty")
-	}
-
-	return bundle
-}
-
-func formatHostname(name string) string {
-	if h, err := os.Hostname(); err != nil {
-		log.Printf("cannot get hostname: %v", err)
-		return "fortify-" + name
-	} else {
-		return h + "-" + name
-	}
-}
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@ -1,28 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-)
-
-func mustRunApp(ctx context.Context, config *fst.Config, beforeFail func()) {
-	rs := new(fst.RunState)
-	a := app.MustNew(ctx, std)
-
-	if sa, err := a.Seal(config); err != nil {
-		fmsg.PrintBaseError(err, "cannot seal app:")
-		rs.ExitCode = 1
-	} else {
-		// this updates ExitCode
-		app.PrintRunStateErr(rs, sa.Run(rs))
-	}
-
-	if rs.ExitCode != 0 {
-		beforeFail()
-		os.Exit(rs.ExitCode)
-	}
-}
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@ -1,108 +0,0 @@
-package main
-
-import (
-	"context"
-	"path"
-	"strings"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-)
-
-func withNixDaemon(
-	ctx context.Context,
-	action string, command []string, net bool, updateConfig func(config *fst.Config) *fst.Config,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	mustRunAppDropShell(ctx, updateConfig(&fst.Config{
-		ID:   app.ID,
-		Path: shellPath,
-		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
-			// start nix-daemon
-			"nix-daemon --store / & " +
-			// wait for socket to appear
-			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
-			// create directory so nix stops complaining
-			"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
-			strings.Join(command, " && ") +
-			// terminate nix-daemon
-			" && pkill nix-daemon",
-		},
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", app.ID),
-			Outer:    pathSet.homeDir,
-			Sandbox: &fst.SandboxConfig{
-				Hostname: formatHostname(app.Name) + "-" + action,
-				Userns:   true, // nix sandbox requires userns
-				Net:      net,
-				Seccomp:  seccomp.FlagMultiarch,
-				Tty:      dropShell,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			},
-		},
-	}), dropShell, beforeFail)
-}
-
-func withCacheDir(
-	ctx context.Context,
-	action string, command []string, workDir string,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
-	mustRunAppDropShell(ctx, &fst.Config{
-		ID:   app.ID,
-		Path: shellPath,
-		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Username: "nixos",
-			Inner:    path.Join("/data/data", app.ID, "cache"),
-			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
-			Sandbox: &fst.SandboxConfig{
-				Hostname: formatHostname(app.Name) + "-" + action,
-				Seccomp:  seccomp.FlagMultiarch,
-				Tty:      dropShell,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(workDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-				{Path: workDir, Execute: true},
-			},
-		},
-	}, dropShell, beforeFail)
-}
-
-func mustRunAppDropShell(ctx context.Context, config *fst.Config, dropShell bool, beforeFail func()) {
-	if dropShell {
-		config.Args = []string{shellPath, "-l"}
-		mustRunApp(ctx, config, beforeFail)
-		beforeFail()
-		internal.Exit(0)
-	}
-	mustRunApp(ctx, config, beforeFail)
-}
--- a/cmd/fsu/package.nix
+++ b/cmd/fsu/package.nix
@ -1,30 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fortify ? abort "fortify package required",
-}:
-
-buildGoModule {
-  pname = "${fortify.pname}-fsu";
-  inherit (fortify) version;
-
-  src = ./.;
-  inherit (fortify) vendorHash;
-  CGO_ENABLED = 0;
-
-  preBuild = ''
-    go mod init fsu >& /dev/null
-  '';
-
-  ldflags =
-    lib.attrsets.foldlAttrs
-      (
-        ldflags: name: value:
-        ldflags ++ [ "-X main.${name}=${value}" ]
-      )
-      [ "-s -w" ]
-      {
-        fmain = "${fortify}/libexec/fortify";
-        fpkg = "${fortify}/libexec/fpkg";
-      };
-}
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@ -13,17 +13,17 @@ import (
 )

 const (
-	fsuConfFile = "/etc/fsurc"
-	envShim     = "FORTIFY_SHIM"
-	envAID      = "FORTIFY_APP_ID"
-	envGroups   = "FORTIFY_GROUPS"
+	hsuConfFile = "/etc/hsurc"
+	envShim     = "HAKUREI_SHIM"
+	envAID      = "HAKUREI_APP_ID"
+	envGroups   = "HAKUREI_GROUPS"

 	PR_SET_NO_NEW_PRIVS = 0x26
 )

 func main() {
 	log.SetFlags(0)
-	log.SetPrefix("fsu: ")
+	log.SetPrefix("hsu: ")
 	log.SetOutput(os.Stderr)

 	if os.Geteuid() != 0 {
@ -40,9 +40,9 @@ func main() {
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
-		log.Fatal("fortify executable has been deleted")
-	} else if p != mustCheckPath(fmain) && p != mustCheckPath(fpkg) {
-		log.Fatal("this program must be started by fortify")
+		log.Fatal("hakurei executable has been deleted")
+	} else if p != mustCheckPath(hmain) {
+		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
 	}
@ -52,27 +52,27 @@ func main() {
 	//           aid
 	uid := 1000000

-	// refuse to run if fsurc is not protected correctly
-	if s, err := os.Stat(fsuConfFile); err != nil {
+	// refuse to run if hsurc is not protected correctly
+	if s, err := os.Stat(hsuConfFile); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
-		log.Fatal("bad fsurc perm")
+		log.Fatal("bad hsurc perm")
 	} else if st := s.Sys().(*syscall.Stat_t); st.Uid != 0 || st.Gid != 0 {
-		log.Fatal("fsurc must be owned by uid 0")
+		log.Fatal("hsurc must be owned by uid 0")
 	}

 	// authenticate before accepting user input
-	if f, err := os.Open(fsuConfFile); err != nil {
+	if f, err := os.Open(hsuConfFile); err != nil {
 		log.Fatal(err)
 	} else if fid, ok := mustParseConfig(f, puid); !ok {
-		log.Fatalf("uid %d is not in the fsurc file", puid)
+		log.Fatalf("uid %d is not in the hsurc file", puid)
 	} else {
 		uid += fid * 10000
 	}

 	// allowed aid range 0 to 9999
 	if as, ok := os.LookupEnv(envAID); !ok {
-		log.Fatal("FORTIFY_APP_ID not set")
+		log.Fatal("HAKUREI_APP_ID not set")
 	} else if aid, err := parseUint32Fast(as); err != nil || aid < 0 || aid > 9999 {
 		log.Fatal("invalid aid")
 	} else {
@ -82,12 +82,12 @@ func main() {
 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
-		// fortify requests target uid
+		// hakurei requests target uid
 		// print resolved uid and exit
 		fmt.Print(uid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
-		log.Fatal("FORTIFY_SHIM holds an invalid value")
+		log.Fatal("HAKUREI_SHIM holds an invalid value")
 	} else {
 		shimSetupFd = s
 	}
@ -124,7 +124,7 @@ func main() {
 		panic("uid out of bounds")
 	}

-	// careful! users in the allowlist is effectively allowed to drop groups via fsu
+	// careful! users in the allowlist is effectively allowed to drop groups via hsu

 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
@ -138,7 +138,7 @@ func main() {
 	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"fortify", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}

--- a/cmd/hsu/package.nix
+++ b/cmd/hsu/package.nix
@ -0,0 +1,23 @@
+{
+  lib,
+  buildGoModule,
+  hakurei ? abort "hakurei package required",
+}:
+
+buildGoModule {
+  pname = "${hakurei.pname}-hsu";
+  inherit (hakurei) version;
+
+  src = ./.;
+  inherit (hakurei) vendorHash;
+  env.CGO_ENABLED = 0;
+
+  preBuild = ''
+    go mod init hsu >& /dev/null
+  '';
+
+  ldflags = lib.attrsets.foldlAttrs (
+    ldflags: name: value:
+    ldflags ++ [ "-X main.${name}=${value}" ]
+  ) [ "-s -w" ] { hmain = "${hakurei}/libexec/hakurei"; };
+}
--- a/cmd/hsu/parse.go
+++ b/cmd/hsu/parse.go
@ -50,7 +50,7 @@ func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
 		if ok {
 			// allowed fid range 0 to 99
 			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
-				return -1, false, fmt.Errorf("invalid fortify uid on line %d", line)
+				return -1, false, fmt.Errorf("invalid identity on line %d", line)
 			}
 			return
 		}
--- a/cmd/hsu/parse_test.go
+++ b/cmd/hsu/parse_test.go
@ -65,7 +65,7 @@ func Test_parseConfig(t *testing.T) {
 		{"empty", 0, -1, "", ``},
 		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
 		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid fortify uid on line 1", `1000 f`},
+		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}

--- a/cmd/hsu/path.go
+++ b/cmd/hsu/path.go
@ -8,8 +8,7 @@ import (
 const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"

 var (
-	fmain = compPoison
-	fpkg  = compPoison
+	hmain = compPoison
 )

 func mustCheckPath(p string) string {
--- a/cmd/planterette/app.go
+++ b/cmd/planterette/app.go
@ -0,0 +1,154 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"os"
+	"path"
+
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+type appInfo struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+
+	// passed through to [hst.Config]
+	ID string `json:"id"`
+	// passed through to [hst.Config]
+	Identity int `json:"identity"`
+	// passed through to [hst.Config]
+	Groups []string `json:"groups,omitempty"`
+	// passed through to [hst.Config]
+	Devel bool `json:"devel,omitempty"`
+	// passed through to [hst.Config]
+	Userns bool `json:"userns,omitempty"`
+	// passed through to [hst.Config]
+	Net bool `json:"net,omitempty"`
+	// passed through to [hst.Config]
+	Device bool `json:"dev,omitempty"`
+	// passed through to [hst.Config]
+	Tty bool `json:"tty,omitempty"`
+	// passed through to [hst.Config]
+	MapRealUID bool `json:"map_real_uid,omitempty"`
+	// passed through to [hst.Config]
+	DirectWayland bool `json:"direct_wayland,omitempty"`
+	// passed through to [hst.Config]
+	SystemBus *dbus.Config `json:"system_bus,omitempty"`
+	// passed through to [hst.Config]
+	SessionBus *dbus.Config `json:"session_bus,omitempty"`
+	// passed through to [hst.Config]
+	Enablements system.Enablement `json:"enablements"`
+
+	// passed through to [hst.Config]
+	Multiarch bool `json:"multiarch,omitempty"`
+	// passed through to [hst.Config]
+	Bluetooth bool `json:"bluetooth,omitempty"`
+
+	// allow gpu access within sandbox
+	GPU bool `json:"gpu"`
+	// store path to nixGL mesa wrappers
+	Mesa string `json:"mesa,omitempty"`
+	// store path to nixGL source
+	NixGL string `json:"nix_gl,omitempty"`
+	// store path to activate-and-exec script
+	Launcher string `json:"launcher"`
+	// store path to /run/current-system
+	CurrentSystem string `json:"current_system"`
+	// store path to home-manager activation package
+	ActivationPackage string `json:"activation_package"`
+}
+
+func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *hst.Config {
+	config := &hst.Config{
+		ID: app.ID,
+
+		Path: argv[0],
+		Args: argv,
+
+		Enablements: app.Enablements,
+
+		SystemBus:     app.SystemBus,
+		SessionBus:    app.SessionBus,
+		DirectWayland: app.DirectWayland,
+
+		Username: "hakurei",
+		Shell:    shellPath,
+		Data:     pathSet.homeDir,
+		Dir:      path.Join("/data/data", app.ID),
+
+		Identity: app.Identity,
+		Groups:   app.Groups,
+
+		Container: &hst.ContainerConfig{
+			Hostname:   formatHostname(app.Name),
+			Devel:      app.Devel,
+			Userns:     app.Userns,
+			Net:        app.Net,
+			Device:     app.Device,
+			Tty:        app.Tty || flagDropShell,
+			MapRealUID: app.MapRealUID,
+			Filesystem: []*hst.FilesystemConfig{
+				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
+				{Src: pathSet.metaPath, Dst: path.Join(hst.Tmp, "app"), Must: true},
+				{Src: "/etc/resolv.conf"},
+				{Src: "/sys/block"},
+				{Src: "/sys/bus"},
+				{Src: "/sys/class"},
+				{Src: "/sys/dev"},
+				{Src: "/sys/devices"},
+			},
+			Link: [][2]string{
+				{app.CurrentSystem, "/run/current-system"},
+				{"/run/current-system/sw/bin", "/bin"},
+				{"/run/current-system/sw/bin", "/usr/bin"},
+			},
+			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			AutoEtc: true,
+		},
+		ExtraPerms: []*hst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+		},
+	}
+	if app.Multiarch {
+		config.Container.Seccomp |= seccomp.FilterMultiarch
+	}
+	if app.Bluetooth {
+		config.Container.Seccomp |= seccomp.FilterBluetooth
+	}
+	return config
+}
+
+func loadAppInfo(name string, beforeFail func()) *appInfo {
+	bundle := new(appInfo)
+	if f, err := os.Open(name); err != nil {
+		beforeFail()
+		log.Fatalf("cannot open bundle: %v", err)
+	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
+		beforeFail()
+		log.Fatalf("cannot parse bundle metadata: %v", err)
+	} else if err = f.Close(); err != nil {
+		log.Printf("cannot close bundle metadata: %v", err)
+		// not fatal
+	}
+
+	if bundle.ID == "" {
+		beforeFail()
+		log.Fatal("application identifier must not be empty")
+	}
+
+	return bundle
+}
+
+func formatHostname(name string) string {
+	if h, err := os.Hostname(); err != nil {
+		log.Printf("cannot get hostname: %v", err)
+		return "hakurei-" + name
+	} else {
+		return h + "-" + name
+	}
+}
--- a/cmd/planterette/build.nix
+++ b/cmd/planterette/build.nix
@ -31,7 +31,7 @@
  '',

  id ? name,
-  app_id ? throw "app_id is required",
+  identity ? throw "identity is required",
  groups ? [ ],
  userns ? false,
  net ? true,
@ -57,7 +57,7 @@ let
    modules = modules ++ [
      {
        home = {
-          username = "fortify";
+          username = "hakurei";
          homeDirectory = "/data/data/${id}";
          stateVersion = "22.11";
        };
@ -65,7 +65,7 @@ let
    ];
  };

-  launcher = writeScript "fortify-${pname}" ''
+  launcher = writeScript "hakurei-${pname}" ''
    #!${runtimeShell} -el
    ${script}
  '';
@ -147,7 +147,7 @@ let
      name
      version
      id
-      app_id
+      identity
      launcher
      groups
      userns
--- a/cmd/planterette/main.go
+++ b/cmd/planterette/main.go
@ -10,39 +10,26 @@ import (
 	"path"
 	"syscall"

-	"git.gensokyo.uk/security/fortify/command"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/hakurei/command"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )

 const shellPath = "/run/current-system/sw/bin/bash"

 var (
 	errSuccess = errors.New("success")
-
-	std sys.State = new(sys.Std)
 )

 func init() {
-	fmsg.Prepare("fpkg")
+	hlog.Prepare("planterette")
 	if err := os.Setenv("SHELL", shellPath); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 }

 func main() {
-	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	sandbox.TryArgv0(fmsg.Output{}, fmsg.Prepare, internal.InstallFmsg)
-
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
-		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
-		// not fatal: this program runs as the privileged user
-	}
-
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
@ -55,14 +42,9 @@ func main() {
 		flagVerbose   bool
 		flagDropShell bool
 	)
-	c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error {
-		internal.InstallFmsg(flagVerbose)
-		return nil
-	}).
+	c := command.New(os.Stderr, log.Printf, "planterette", func([]string) error { internal.InstallFmsg(flagVerbose); return nil }).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
-		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next fortify action")
-
-	c.Command("shim", command.UsageInternal, func([]string) error { app.ShimMain(); return errSuccess })
+		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")

 	{
 		var (
@ -84,7 +66,7 @@ func main() {
 			}

 			/*
-				Look up paths to programs started by fpkg.
+				Look up paths to programs started by planterette.
 				This is done here to ease error handling as cleanup is not yet required.
 			*/

@ -100,7 +82,7 @@ func main() {
 			*/

 			var workDir string
-			if p, err := os.MkdirTemp("", "fpkg.*"); err != nil {
+			if p, err := os.MkdirTemp("", "planterette.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
 			} else {
@ -157,19 +139,19 @@ func main() {
 					return errSuccess
 				}

-				// AppID determines uid
-				if a.AppID != bundle.AppID {
+				// identity determines uid
+				if a.Identity != bundle.Identity {
 					cleanup()
-					log.Printf("package %q app id %d differs from installed %d",
-						pkgPath, bundle.AppID, a.AppID)
+					log.Printf("package %q identity %d differs from installed %d",
+						pkgPath, bundle.Identity, a.Identity)
 					return syscall.EBADE
 				}

 				// sec: should compare version string
-				fmsg.Verbosef("installing application %q version %q over local %q",
+				hlog.Verbosef("installing application %q version %q over local %q",
 					bundle.ID, bundle.Version, a.Version)
 			} else {
-				fmsg.Verbosef("application %q clean installation", bundle.ID)
+				hlog.Verbosef("application %q clean installation", bundle.ID)
 				// sec: should install credentials
 			}

@ -179,7 +161,7 @@ func main() {

 			withCacheDir(ctx, "install", []string{
 				// export inner bundle path in the environment
-				"export BUNDLE=" + fst.Tmp + "/bundle",
+				"export BUNDLE=" + hst.Tmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
@ -218,7 +200,7 @@ func main() {
 				"rm -rf .local/state/{nix,home-manager}",
 				// run activation script
 				bundle.ActivationPackage + "/activate",
-			}, false, func(config *fst.Config) *fst.Config { return config },
+			}, false, func(config *hst.Config) *hst.Config { return config },
 				bundle, pathSet, flagDropShellActivate, cleanup)

 			/*
@ -291,8 +273,8 @@ func main() {
 						"--out-link /nix/.nixGL/auto/vulkan " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
-				}, true, func(config *fst.Config) *fst.Config {
-					config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
+				}, true, func(config *hst.Config) *hst.Config {
+					config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
 						{Src: "/etc/resolv.conf"},
 						{Src: "/sys/block"},
 						{Src: "/sys/bus"},
@ -324,8 +306,8 @@ func main() {
 			*/

 			if a.GPU {
-				config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
-					&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
+				config.Container.Filesystem = append(config.Container.Filesystem,
+					&hst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(hst.Tmp, "nixGL")})
 				appendGPUFilesystem(config)
 			}

@ -341,9 +323,9 @@ func main() {
 	}

 	c.MustParse(os.Args[1:], func(err error) {
-		fmsg.Verbosef("command returned %v", err)
+		hlog.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
-			fmsg.BeforeExit()
+			hlog.BeforeExit()
 			os.Exit(0)
 		}
 	})
--- a/cmd/planterette/paths.go
+++ b/cmd/planterette/paths.go
@ -8,8 +8,8 @@ import (
 	"strconv"
 	"sync/atomic"

-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )

 var (
@ -18,10 +18,10 @@ var (

 func init() {
 	// dataHome
-	if p, ok := os.LookupEnv("FORTIFY_DATA_HOME"); ok {
+	if p, ok := os.LookupEnv("HAKUREI_DATA_HOME"); ok {
 		dataHome = p
 	} else {
-		dataHome = "/var/lib/fortify/" + strconv.Itoa(os.Getuid())
+		dataHome = "/var/lib/hakurei/" + strconv.Itoa(os.Getuid())
 	}
 }

@ -37,7 +37,7 @@ func lookPath(file string) string {
 var beforeRunFail = new(atomic.Pointer[func()])

 func mustRun(name string, arg ...string) {
-	fmsg.Verbosef("spawning process: %q %q", name, arg)
+	hlog.Verbosef("spawning process: %q %q", name, arg)
 	cmd := exec.Command(name, arg...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	if err := cmd.Run(); err != nil {
@ -71,8 +71,8 @@ func pathSetByApp(id string) *appPathSet {
 	return pathSet
 }

-func appendGPUFilesystem(config *fst.Config) {
-	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
+func appendGPUFilesystem(config *hst.Config) {
+	config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{Src: "/dev/dri", Device: true},
 		// mali
--- a/cmd/planterette/proc.go
+++ b/cmd/planterette/proc.go
@ -0,0 +1,60 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+)
+
+var hakureiPath = internal.MustHakureiPath()
+
+func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
+	var (
+		cmd *exec.Cmd
+		st  io.WriteCloser
+	)
+
+	if r, w, err := os.Pipe(); err != nil {
+		beforeFail()
+		log.Fatalf("cannot pipe: %v", err)
+	} else {
+		if hlog.Load() {
+			cmd = exec.CommandContext(ctx, hakureiPath, "-v", "app", "3")
+		} else {
+			cmd = exec.CommandContext(ctx, hakureiPath, "app", "3")
+		}
+		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+		cmd.ExtraFiles = []*os.File{r}
+		st = w
+	}
+
+	go func() {
+		if err := json.NewEncoder(st).Encode(config); err != nil {
+			beforeFail()
+			log.Fatalf("cannot send configuration: %v", err)
+		}
+	}()
+
+	if err := cmd.Start(); err != nil {
+		beforeFail()
+		log.Fatalf("cannot start hakurei: %v", err)
+	}
+	if err := cmd.Wait(); err != nil {
+		var exitError *exec.ExitError
+		if errors.As(err, &exitError) {
+			beforeFail()
+			internal.Exit(exitError.ExitCode())
+		} else {
+			beforeFail()
+			log.Fatalf("cannot wait: %v", err)
+		}
+	}
+}
--- a/cmd/planterette/test/configuration.nix
+++ b/cmd/planterette/test/configuration.nix
@ -50,11 +50,13 @@
    ];
  };

-  environment.fortify = {
+  environment.hakurei = {
    enable = true;
-    stateDir = "/var/lib/fortify";
+    stateDir = "/var/lib/hakurei";
    users.alice = 0;

-    home-manager = _: _: { home.stateVersion = "23.05"; };
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
  };
 }
--- a/cmd/planterette/test/default.nix
+++ b/cmd/planterette/test/default.nix
@ -9,7 +9,7 @@ let
  buildPackage = self.buildPackage.${system};
 in
 nixosTest {
-  name = "fpkg";
+  name = "planterette";
  nodes.machine = {
    environment.etc = {
      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
@ -18,7 +18,7 @@ nixosTest {
    imports = [
      ./configuration.nix

-      self.nixosModules.fortify
+      self.nixosModules.hakurei
      self.inputs.home-manager.nixosModules.home-manager
    ];
  };
--- a/cmd/planterette/test/foot.nix
+++ b/cmd/planterette/test/foot.nix
@ -10,7 +10,7 @@ buildPackage {
  name = "foot";
  inherit (foot) version;

-  app_id = 2;
+  identity = 2;
  id = "org.codeberg.dnkl.foot";

  modules = [
--- a/cmd/planterette/test/test.py
+++ b/cmd/planterette/test/test.py
@ -47,50 +47,50 @@ def wait_for_window(pattern):


 def collect_state_ui(name):
-    swaymsg(f"exec fortify ps > '/tmp/{name}.ps'")
+    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
    machine.copy_from_vm(f"/tmp/{name}.ps", "")
-    swaymsg(f"exec fortify --json ps > '/tmp/{name}.json'")
+    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
    machine.copy_from_vm(f"/tmp/{name}.json", "")
    machine.screenshot(name)


 def check_state(name, enablements):
-    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 fortify --json ps"))
+    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
    if len(instances) != 1:
        raise Exception(f"unexpected state length {len(instances)}")
    instance = next(iter(instances.values()))

    config = instance['config']

-    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['args'][0]):
+    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['args'][0]):
        raise Exception(f"unexpected args {instance['config']['args']}")

-    if config['confinement']['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
+    if config['enablements'] != enablements:
+        raise Exception(f"unexpected enablements {instance['config']['enablements']}")


 start_all()
 machine.wait_for_unit("multi-user.target")

-# To check fortify's version:
-print(machine.succeed("sudo -u alice -i fortify version"))
+# To check hakurei's version:
+print(machine.succeed("sudo -u alice -i hakurei version"))

 # Wait for Sway to complete startup:
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")

-# Prepare fpkg directory:
-machine.succeed("install -dm 0700 -o alice -g users /var/lib/fortify/1000")
+# Prepare planterette directory:
+machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")

-# Install fpkg app:
-swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
-machine.wait_for_file("/tmp/fpkg-install-done")
+# Install planterette app:
+swaymsg("exec planterette -v install /etc/foot.pkg && touch /tmp/planterette-install-ok")
+machine.wait_for_file("/tmp/planterette-install-ok")

 # Start app (foot) with Wayland enablement:
-swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
-wait_for_window("fortify@machine-foot")
+swaymsg("exec planterette -v start org.codeberg.dnkl.foot")
+wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/fortify.1000/tmpdir/2/success-client")
+machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
 check_state("foot", 13)
 # Verify acl on XDG_RUNTIME_DIR:
@ -104,5 +104,5 @@ machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")

-# Print fortify runDir contents:
-print(machine.succeed("find /run/user/1000/fortify"))
+# Print hakurei runDir contents:
+print(machine.succeed("find /run/user/1000/hakurei"))
--- a/cmd/planterette/with.go
+++ b/cmd/planterette/with.go
@ -0,0 +1,114 @@
+package main
+
+import (
+	"context"
+	"path"
+	"strings"
+
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+)
+
+func withNixDaemon(
+	ctx context.Context,
+	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
+) {
+	mustRunAppDropShell(ctx, updateConfig(&hst.Config{
+		ID: app.ID,
+
+		Path: shellPath,
+		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+			// start nix-daemon
+			"nix-daemon --store / & " +
+			// wait for socket to appear
+			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
+			// create directory so nix stops complaining
+			"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
+			strings.Join(command, " && ") +
+			// terminate nix-daemon
+			" && pkill nix-daemon",
+		},
+
+		Username: "hakurei",
+		Shell:    shellPath,
+		Data:     pathSet.homeDir,
+		Dir:      path.Join("/data/data", app.ID),
+		ExtraPerms: []*hst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+		},
+
+		Identity: app.Identity,
+
+		Container: &hst.ContainerConfig{
+			Hostname: formatHostname(app.Name) + "-" + action,
+			Userns:   true, // nix sandbox requires userns
+			Net:      net,
+			Seccomp:  seccomp.FilterMultiarch,
+			Tty:      dropShell,
+			Filesystem: []*hst.FilesystemConfig{
+				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
+			},
+			Link: [][2]string{
+				{app.CurrentSystem, "/run/current-system"},
+				{"/run/current-system/sw/bin", "/bin"},
+				{"/run/current-system/sw/bin", "/usr/bin"},
+			},
+			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			AutoEtc: true,
+		},
+	}), dropShell, beforeFail)
+}
+
+func withCacheDir(
+	ctx context.Context,
+	action string, command []string, workDir string,
+	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
+	mustRunAppDropShell(ctx, &hst.Config{
+		ID: app.ID,
+
+		Path: shellPath,
+		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
+
+		Username: "nixos",
+		Shell:    shellPath,
+		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
+		Dir:      path.Join("/data/data", app.ID, "cache"),
+		ExtraPerms: []*hst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			{Path: workDir, Execute: true},
+		},
+
+		Identity: app.Identity,
+
+		Container: &hst.ContainerConfig{
+			Hostname: formatHostname(app.Name) + "-" + action,
+			Seccomp:  seccomp.FilterMultiarch,
+			Tty:      dropShell,
+			Filesystem: []*hst.FilesystemConfig{
+				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
+				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},
+			},
+			Link: [][2]string{
+				{app.CurrentSystem, "/run/current-system"},
+				{"/run/current-system/sw/bin", "/bin"},
+				{"/run/current-system/sw/bin", "/usr/bin"},
+			},
+			Etc:     path.Join(workDir, "etc"),
+			AutoEtc: true,
+		},
+	}, dropShell, beforeFail)
+}
+
+func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
+	if dropShell {
+		config.Args = []string{shellPath, "-l"}
+		mustRunApp(ctx, config, beforeFail)
+		beforeFail()
+		internal.Exit(0)
+	}
+	mustRunApp(ctx, config, beforeFail)
+}
--- a/command/builder_test.go
+++ b/command/builder_test.go
@ -3,7 +3,7 @@ package command_test
 import (
 	"testing"

-	"git.gensokyo.uk/security/fortify/command"
+	"git.gensokyo.uk/security/hakurei/command"
 )

 func TestBuild(t *testing.T) {
--- a/command/parse_test.go
+++ b/command/parse_test.go
@ -10,7 +10,7 @@ import (
 	"strings"
 	"testing"

-	"git.gensokyo.uk/security/fortify/command"
+	"git.gensokyo.uk/security/hakurei/command"
 )

 func TestParse(t *testing.T) {
--- a/comp/_fortify
+++ b/comp/_fortify
@ -1,82 +0,0 @@
-#compdef fortify
-
-_fortify_app() {
-  __fortify_files
-  return $?
-}
-
-_fortify_run() {
-  _arguments \
-    '--id[App ID, leave empty to disable security context app_id]:id' \
-    '-a[Fortify application ID]: :_numbers' \
-    '-g[Groups inherited by the app process]: :_groups' \
-    '-d[Application home directory]: :_files -/' \
-    '-u[Passwd name within sandbox]: :_users' \
-    '--wayland[Share Wayland socket]' \
-    '-X[Share X11 socket and allow connection]' \
-    '--dbus[Proxy D-Bus connection]' \
-    '--pulse[Share PulseAudio socket and cookie]' \
-    '--dbus-config[Path to D-Bus proxy config file]: :_files -g "*.json"' \
-    '--dbus-system[Path to system D-Bus proxy config file]: :_files -g "*.json"' \
-    '--mpris[Allow owning MPRIS D-Bus path]' \
-    '--dbus-log[Force logging in the D-Bus proxy]'
-}
-
-_fortify_ps() {
-  _arguments \
-    '--short[Print instance id]'
-}
-
-_fortify_show() {
-  _alternative \
-    'instances:domains:__fortify_instances' \
-    'files:files:__fortify_files'
-}
-
-__fortify_files() {
-  _files -g "*.(json|ftfy)"
-  return $?
-}
-
-__fortify_instances() {
-  local -a out
-  shift -p
-  out=( ${(f)"$(_call_program commands fortify ps --short 2>&1)"} )
-  if (( $#out == 0 )); then
-    _message "No active instances"
-  else
-    _describe "active instances" out
-  fi
-  return $?
-}
-
-(( $+functions[_fortify_commands] )) || _fortify_commands()
-{
-  local -a _fortify_cmds
-  _fortify_cmds=(
-    "app:Launch app defined by the specified config file"
-    "run:Configure and start a permissive default sandbox"
-    "show:Show the contents of an app configuration"
-    "ps:List active apps and their state"
-    "version:Show fortify version"
-    "license:Show full license text"
-    "template:Produce a config template"
-    "help:Show help message"
-  )
-  if (( CURRENT == 1 )); then
-    _describe -t commands 'action' _fortify_cmds || compadd "$@"
-  else
-    local curcontext="$curcontext"
-    cmd="${${_fortify_cmds[(r)$words[1]:*]%%:*}}"
-    if (( $+functions[_fortify_$cmd] )); then
-      _fortify_$cmd
-    else
-      _message "no more options"
-    fi
-  fi
-}
-
-_arguments -C \
-  '-v[Verbose output]' \
-  '--json[Format output in JSON when applicable]' \
-  '*::fortify command:_fortify_commands'
--- a/dbus/address_test.go
+++ b/dbus/address_test.go
@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"

-	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/hakurei/dbus"
 )

 func TestParse(t *testing.T) {
--- a/dbus/config.go
+++ b/dbus/config.go
@ -5,8 +5,12 @@ import (
 	"errors"
 	"io"
 	"os"
+	"strings"
 )

+// ProxyPair is an upstream dbus address and a downstream socket path.
+type ProxyPair [2]string
+
 type Config struct {
 	// See set 'see' policy for NAME (--see=NAME)
 	See []string `json:"see"`
@ -24,7 +28,62 @@ type Config struct {
 	Filter bool `json:"filter"`
 }

-func (c *Config) Args(bus [2]string) (args []string) {
+func (c *Config) interfaces(yield func(string) bool) {
+	for _, iface := range c.See {
+		if !yield(iface) {
+			return
+		}
+	}
+	for _, iface := range c.Talk {
+		if !yield(iface) {
+			return
+		}
+	}
+	for _, iface := range c.Own {
+		if !yield(iface) {
+			return
+		}
+	}
+
+	for iface := range c.Call {
+		if !yield(iface) {
+			return
+		}
+	}
+	for iface := range c.Broadcast {
+		if !yield(iface) {
+			return
+		}
+	}
+}
+
+func (c *Config) checkInterfaces(segment string) error {
+	for iface := range c.interfaces {
+		/*
+			xdg-dbus-proxy fails without output when this condition is not met:
+				char *dot = strrchr (filter->interface, '.');
+				if (dot != NULL)
+				  {
+				    *dot = 0;
+				    if (strcmp (dot + 1, "*") != 0)
+				      filter->member = g_strdup (dot + 1);
+				  }
+
+			trim ".*" since they are removed before searching for '.':
+				if (g_str_has_suffix (name, ".*"))
+				  {
+				    name[strlen (name) - 2] = 0;
+				    wildcard = TRUE;
+				  }
+		*/
+		if strings.IndexByte(strings.TrimSuffix(iface, ".*"), '.') == -1 {
+			return &BadInterfaceError{iface, segment}
+		}
+	}
+	return nil
+}
+
+func (c *Config) Args(bus ProxyPair) (args []string) {
 	argc := 2 + len(c.See) + len(c.Talk) + len(c.Own) + len(c.Call) + len(c.Broadcast)
 	if c.Log {
 		argc++
@ -60,9 +119,7 @@ func (c *Config) Args(bus [2]string) (args []string) {
 	return
 }

-func (c *Config) Load(r io.Reader) error {
-	return json.NewDecoder(r).Decode(&c)
-}
+func (c *Config) Load(r io.Reader) error { return json.NewDecoder(r).Decode(&c) }

 // NewConfigFromFile opens the target config file at path and parses its contents into *Config.
 func NewConfigFromFile(path string) (*Config, error) {
--- a/dbus/config_test.go
+++ b/dbus/config_test.go
@ -9,7 +9,7 @@ import (
 	"strings"
 	"testing"

-	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/hakurei/dbus"
 )

 func TestConfig_Args(t *testing.T) {
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@ -5,77 +5,36 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"strings"
+	"syscall"
 	"testing"
 	"time"

-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/helper"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/sandbox"
 )

-func TestNew(t *testing.T) {
-	for _, tc := range [][2][2]string{
-		{
-			{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/1ca5d183ef4c99e74c3e544715f32702/bus"},
-			{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/1ca5d183ef4c99e74c3e544715f32702/system_bus_socket"},
-		},
-		{
-			{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/881ac3796ff3f3bf0a773824383187a0/bus"},
-			{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/881ac3796ff3f3bf0a773824383187a0/system_bus_socket"},
-		},
-		{
-			{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/3d1a5084520ef79c0c6a49a675bac701/bus"},
-			{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/3d1a5084520ef79c0c6a49a675bac701/system_bus_socket"},
-		},
-		{
-			{"unix:path=/run/user/1971/bus", "/tmp/fortify.1971/2a1639bab712799788ea0ff7aa280c35/bus"},
-			{"unix:path=/run/dbus/system_bus_socket", "/tmp/fortify.1971/2a1639bab712799788ea0ff7aa280c35/system_bus_socket"},
-		},
-	} {
-		t.Run("create instance for "+tc[0][0]+" and "+tc[1][0], func(t *testing.T) {
-			if got := dbus.New(tc[0], tc[1]); !got.CompareTestNew(tc[0], tc[1]) {
-				t.Errorf("New(%q, %q) = %v",
-					tc[0], tc[1],
-					got)
-			}
-		})
-	}
-}
-
-func TestProxy_Seal(t *testing.T) {
-	t.Run("double seal panic", func(t *testing.T) {
-		defer func() {
-			want := "dbus proxy sealed twice"
-			if r := recover(); r != want {
-				t.Errorf("Seal: panic = %q, want %q",
-					r, want)
-			}
-		}()
-
-		p := dbus.New([2]string{}, [2]string{})
-		_ = p.Seal(dbus.NewConfig("", true, false), nil)
-		_ = p.Seal(dbus.NewConfig("", true, false), nil)
-	})
-
-	ep := dbus.New([2]string{}, [2]string{})
-	if err := ep.Seal(nil, nil); !errors.Is(err, dbus.ErrConfig) {
-		t.Errorf("Seal(nil, nil) error = %v, want %v",
-			err, dbus.ErrConfig)
+func TestFinalise(t *testing.T) {
+	if _, err := dbus.Finalise(dbus.ProxyPair{}, dbus.ProxyPair{}, nil, nil); !errors.Is(err, syscall.EBADE) {
+		t.Errorf("Finalise: error = %v, want %v",
+			err, syscall.EBADE)
 	}

 	for id, tc := range testCasePairs() {
-		t.Run("create seal for "+id, func(t *testing.T) {
-			p := dbus.New(tc[0].bus, tc[1].bus)
-			if err := p.Seal(tc[0].c, tc[1].c); (errors.Is(err, helper.ErrContainsNull)) != tc[0].wantErr {
-				t.Errorf("Seal(%p, %p) error = %v, wantErr %v",
-					tc[0].c, tc[1].c,
+		t.Run("create final for "+id, func(t *testing.T) {
+			var wt io.WriterTo
+			if v, err := dbus.Finalise(tc[0].bus, tc[1].bus, tc[0].c, tc[1].c); (errors.Is(err, syscall.EINVAL)) != tc[0].wantErr {
+				t.Errorf("Finalise: error = %v, wantErr %v",
 					err, tc[0].wantErr)
 				return
+			} else {
+				wt = v
 			}

 			// rest of the tests happen for sealed instances
@ -88,25 +47,23 @@ func TestProxy_Seal(t *testing.T) {
 			args := append(tc[0].want, tc[1].want...)
 			for _, arg := range args {
 				want.WriteString(arg)
-				want.WriteByte('\x00')
+				want.WriteByte(0)
 			}

-			wt := p.AccessTestProxySeal()
 			got := new(strings.Builder)
 			if _, err := wt.WriteTo(got); err != nil {
-				t.Errorf("p.seal.WriteTo(): %v", err)
+				t.Errorf("WriteTo: error = %v", err)
 			}

 			if want.String() != got.String() {
-				t.Errorf("Seal(%p, %p) seal = %v, want %v",
-					tc[0].c, tc[1].c,
+				t.Errorf("Seal: %q, want %q",
 					got.String(), want.String())
 			}
 		})
 	}
 }

-func TestProxy_Start_Wait_Close_String(t *testing.T) {
+func TestProxyStartWaitCloseString(t *testing.T) {
 	oldWaitDelay := helper.WaitDelay
 	helper.WaitDelay = 16 * time.Second
 	t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })
@ -115,29 +72,62 @@ func TestProxy_Start_Wait_Close_String(t *testing.T) {
 		proxyName := dbus.ProxyName
 		dbus.ProxyName = os.Args[0]
 		t.Cleanup(func() { dbus.ProxyName = proxyName })
-		testProxyStartWaitCloseString(t, true)
+		testProxyFinaliseStartWaitCloseString(t, true)
 	})
-	t.Run("direct", func(t *testing.T) { testProxyStartWaitCloseString(t, false) })
+	t.Run("direct", func(t *testing.T) { testProxyFinaliseStartWaitCloseString(t, false) })
 }

-func testProxyStartWaitCloseString(t *testing.T, useSandbox bool) {
+func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
+	var p *dbus.Proxy
+
+	t.Run("string for nil proxy", func(t *testing.T) {
+		want := "(invalid dbus proxy)"
+		if got := p.String(); got != want {
+			t.Errorf("String: %q, want %q",
+				got, want)
+		}
+	})
+
+	t.Run("invalid start", func(t *testing.T) {
+		if !useSandbox {
+			p = dbus.NewDirect(t.Context(), nil, nil)
+		} else {
+			p = dbus.New(t.Context(), nil, nil)
+		}
+
+		if err := p.Start(); !errors.Is(err, syscall.ENOTRECOVERABLE) {
+			t.Errorf("Start: error = %q, wantErr %q",
+				err, syscall.ENOTRECOVERABLE)
+			return
+		}
+	})
+
 	for id, tc := range testCasePairs() {
 		// this test does not test errors
 		if tc[0].wantErr {
 			continue
 		}

-		t.Run("string for nil proxy", func(t *testing.T) {
-			var p *dbus.Proxy
-			want := "(invalid dbus proxy)"
-			if got := p.String(); got != want {
-				t.Errorf("String() = %v, want %v",
-					got, want)
-			}
-		})
-
 		t.Run("proxy for "+id, func(t *testing.T) {
-			p := dbus.New(tc[0].bus, tc[1].bus)
+			var final *dbus.Final
+			t.Run("finalise", func(t *testing.T) {
+				if v, err := dbus.Finalise(tc[0].bus, tc[1].bus, tc[0].c, tc[1].c); err != nil {
+					t.Errorf("Finalise: error = %v, wantErr %v",
+						err, tc[0].wantErr)
+					return
+				} else {
+					final = v
+				}
+			})
+
+			ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
+			defer cancel()
+			if !useSandbox {
+				p = dbus.NewDirect(ctx, final, nil)
+			} else {
+				p = dbus.New(ctx, final, nil)
+			}
+
 			p.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
 				return exec.CommandContext(ctx, os.Args[0], "-test.v",
 					"-test.run=TestHelperInit", "--", "init")
@ -162,79 +152,52 @@ func testProxyStartWaitCloseString(t *testing.T, useSandbox bool) {
 			p.FilterF = func(v []byte) []byte { return bytes.SplitN(v, []byte("TestHelperInit\n"), 2)[1] }
 			output := new(strings.Builder)

-			t.Run("unsealed", func(t *testing.T) {
-				t.Run("string", func(t *testing.T) {
-					want := "(unsealed dbus proxy)"
-					if got := p.String(); got != want {
-						t.Errorf("String() = %v, want %v",
-							got, want)
-						return
-					}
-				})
+			t.Run("invalid wait", func(t *testing.T) {
+				wantErr := "dbus: not started"
+				if err := p.Wait(); err == nil || err.Error() != wantErr {
+					t.Errorf("Wait: error = %v, wantErr %v",
+						err, wantErr)
+				}
+			})

-				t.Run("start", func(t *testing.T) {
-					want := "proxy not sealed"
-					if err := p.Start(context.Background(), nil, useSandbox); err == nil || err.Error() != want {
-						t.Errorf("Start() error = %v, wantErr %q",
-							err, errors.New(want))
+			t.Run("string", func(t *testing.T) {
+				want := "(unused dbus proxy)"
+				if got := p.String(); got != want {
+					t.Errorf("String: %q, want %q",
+						got, want)
+					return
+				}
+			})
+
+			t.Run("start", func(t *testing.T) {
+				if err := p.Start(); err != nil {
+					t.Fatalf("Start: error = %v",
+						err)
+				}
+
+				t.Run("string", func(t *testing.T) {
+					wantSubstr := fmt.Sprintf("%s -test.run=TestHelperStub -- --args=3 --fd=4", os.Args[0])
+					if useSandbox {
+						wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x3e`, os.Args[0])
+					}
+					if got := p.String(); !strings.Contains(got, wantSubstr) {
+						t.Errorf("String: %q, want %q",
+							got, wantSubstr)
 						return
 					}
 				})

 				t.Run("wait", func(t *testing.T) {
-					wantErr := "dbus: not started"
-					if err := p.Wait(); err == nil || err.Error() != wantErr {
-						t.Errorf("Wait() error = %v, wantErr %v",
-							err, wantErr)
-					}
-				})
-			})
-
-			t.Run("seal with "+id, func(t *testing.T) {
-				if err := p.Seal(tc[0].c, tc[1].c); err != nil {
-					t.Errorf("Seal(%p, %p) error = %v, wantErr %v",
-						tc[0].c, tc[1].c,
-						err, tc[0].wantErr)
-					return
-				}
-			})
-
-			t.Run("sealed", func(t *testing.T) {
-				want := strings.Join(append(tc[0].want, tc[1].want...), " ")
-				if got := p.String(); got != want {
-					t.Errorf("String() = %v, want %v",
-						got, want)
-					return
-				}
-
-				t.Run("start", func(t *testing.T) {
-					ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-					defer cancel()
-
-					if err := p.Start(ctx, output, useSandbox); err != nil {
-						t.Fatalf("Start(nil, nil) error = %v",
-							err)
-					}
-
-					t.Run("string", func(t *testing.T) {
-						wantSubstr := fmt.Sprintf("%s -test.run=TestHelperStub -- --args=3 --fd=4", os.Args[0])
-						if useSandbox {
-							wantSubstr = fmt.Sprintf(`argv: ["%s" "-test.run=TestHelperStub" "--" "--args=3" "--fd=4"], flags: 0x0, seccomp: 0x3e`, os.Args[0])
-						}
-						if got := p.String(); !strings.Contains(got, wantSubstr) {
-							t.Errorf("String() = %v, want %v",
-								p.String(), wantSubstr)
-							return
-						}
-					})
-
-					t.Run("wait", func(t *testing.T) {
-						p.Close()
+					done := make(chan struct{})
+					go func() {
 						if err := p.Wait(); err != nil {
-							t.Errorf("Wait() error = %v\noutput: %s",
+							t.Errorf("Wait: error = %v\noutput: %s",
 								err, output.String())
 						}
-					})
+						close(done)
+					}()
+					p.Close()
+					<-done
 				})
 			})
 		})
@ -245,6 +208,6 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(fmsg.Output{})
-	sandbox.Init(fmsg.Prepare, internal.InstallFmsg)
+	sandbox.SetOutput(hlog.Output{})
+	sandbox.Init(hlog.Prepare, internal.InstallFmsg)
 }
--- a/dbus/export_test.go
+++ b/dbus/export_test.go
@ -1,13 +1,13 @@
 package dbus

-import "io"
+import (
+	"context"
+	"io"
+)

-// CompareTestNew provides TestNew with comparison access to unexported Proxy fields.
-func (p *Proxy) CompareTestNew(session, system [2]string) bool {
-	return session == p.session && system == p.system
-}
-
-// AccessTestProxySeal provides TestProxy_Seal with access to unexported Proxy seal field.
-func (p *Proxy) AccessTestProxySeal() io.WriterTo {
-	return p.seal
+// NewDirect returns a new instance of [Proxy] with its sandbox disabled.
+func NewDirect(ctx context.Context, final *Final, output io.Writer) *Proxy {
+	p := New(ctx, final, output)
+	p.useSandbox = false
+	return p
 }
--- a/dbus/proc.go
+++ b/dbus/proc.go
@ -3,41 +3,44 @@ package dbus
 import (
 	"context"
 	"errors"
-	"io"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"slices"
 	"strconv"
-	"strings"
 	"syscall"

-	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/ldd"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
+	"git.gensokyo.uk/security/hakurei/helper"
+	"git.gensokyo.uk/security/hakurei/ldd"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )

-// Start launches the D-Bus proxy.
-func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) error {
-	p.lock.Lock()
-	defer p.lock.Unlock()
-
-	if p.seal == nil {
-		return errors.New("proxy not sealed")
+// Start starts and configures a D-Bus proxy process.
+func (p *Proxy) Start() error {
+	if p.final == nil || p.final.WriterTo == nil {
+		return syscall.ENOTRECOVERABLE
 	}

-	var h helper.Helper
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	p.pmu.Lock()
+	defer p.pmu.Unlock()

-	c, cancel := context.WithCancelCause(ctx)
-	if !useSandbox {
-		h = helper.NewDirect(c, p.name, p.seal, true, argF, func(cmd *exec.Cmd) {
+	if p.cancel != nil || p.cause != nil {
+		return errors.New("dbus: already started")
+	}
+
+	ctx, cancel := context.WithCancelCause(p.ctx)
+
+	if !p.useSandbox {
+		p.helper = helper.NewDirect(ctx, p.name, p.final, true, argF, func(cmd *exec.Cmd) {
 			if p.CmdF != nil {
 				p.CmdF(cmd)
 			}
-			if output != nil {
-				cmd.Stdout, cmd.Stderr = output, output
+			if p.output != nil {
+				cmd.Stdout, cmd.Stderr = p.output, p.output
 			}
 			cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 			cmd.Env = make([]string, 0)
@ -59,15 +62,15 @@ func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) er
 			libPaths = ldd.Path(entries)
 		}

-		h = helper.New(
-			c, toolPath,
-			p.seal, true,
+		p.helper = helper.New(
+			ctx, toolPath,
+			p.final, true,
 			argF, func(container *sandbox.Container) {
-				container.Seccomp |= seccomp.FlagMultiarch
-				container.Hostname = "fortify-dbus"
+				container.Seccomp |= seccomp.FilterMultiarch
+				container.Hostname = "hakurei-dbus"
 				container.CommandContext = p.CommandContext
-				if output != nil {
-					container.Stdout, container.Stderr = output, output
+				if p.output != nil {
+					container.Stdout, container.Stderr = p.output, p.output
 				}

 				if p.CmdF != nil {
@ -81,10 +84,17 @@ func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) er

 				// upstream bus directories
 				upstreamPaths := make([]string, 0, 2)
-				for _, as := range []string{p.session[0], p.system[0]} {
-					if len(as) > 0 && strings.HasPrefix(as, "unix:path=/") {
-						// leave / intact
-						upstreamPaths = append(upstreamPaths, path.Dir(as[10:]))
+				for _, addr := range [][]AddrEntry{p.final.SessionUpstream, p.final.SystemUpstream} {
+					for _, ent := range addr {
+						if ent.Method != "unix" {
+							continue
+						}
+						for _, pair := range ent.Values {
+							if pair[0] != "path" || !path.IsAbs(pair[1]) {
+								continue
+							}
+							upstreamPaths = append(upstreamPaths, path.Dir(pair[1]))
+						}
 					}
 				}
 				slices.Sort(upstreamPaths)
@ -95,10 +105,10 @@ func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) er

 				// parent directories of bind paths
 				sockDirPaths := make([]string, 0, 2)
-				if d := path.Dir(p.session[1]); path.IsAbs(d) {
+				if d := path.Dir(p.final.Session[1]); path.IsAbs(d) {
 					sockDirPaths = append(sockDirPaths, d)
 				}
-				if d := path.Dir(p.system[1]); path.IsAbs(d) {
+				if d := path.Dir(p.final.System[1]); path.IsAbs(d) {
 					sockDirPaths = append(sockDirPaths, d)
 				}
 				slices.Sort(sockDirPaths)
@ -113,14 +123,13 @@ func (p *Proxy) Start(ctx context.Context, output io.Writer, useSandbox bool) er
 			}, nil)
 	}

-	if err := h.Start(); err != nil {
+	if err := p.helper.Start(); err != nil {
 		cancel(err)
+		p.helper = nil
 		return err
 	}

-	p.helper = h
-	p.ctx = c
-	p.cancel = cancel
+	p.cancel, p.cause = cancel, func() error { return context.Cause(ctx) }
 	return nil
 }

@ -128,28 +137,30 @@ var proxyClosed = errors.New("proxy closed")

 // Wait blocks until xdg-dbus-proxy exits and releases resources.
 func (p *Proxy) Wait() error {
-	p.lock.RLock()
-	defer p.lock.RUnlock()
+	p.mu.RLock()
+	defer p.mu.RUnlock()

-	if p.helper == nil {
+	p.pmu.RLock()
+	if p.helper == nil || p.cancel == nil || p.cause == nil {
+		p.pmu.RUnlock()
 		return errors.New("dbus: not started")
 	}

 	errs := make([]error, 3)

 	errs[0] = p.helper.Wait()
-	if p.cancel == nil &&
-		errors.Is(errs[0], context.Canceled) &&
-		errors.Is(context.Cause(p.ctx), proxyClosed) {
+	if errors.Is(errs[0], context.Canceled) &&
+		errors.Is(p.cause(), proxyClosed) {
 		errs[0] = nil
 	}
+	p.pmu.RUnlock()

 	// ensure socket removal so ephemeral directory is empty at revert
-	if err := os.Remove(p.session[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
+	if err := os.Remove(p.final.Session[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
 		errs[1] = err
 	}
-	if p.sysP {
-		if err := os.Remove(p.system[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
+	if p.final.System[1] != "" {
+		if err := os.Remove(p.final.System[1]); err != nil && !errors.Is(err, os.ErrNotExist) {
 			errs[2] = err
 		}
 	}
@ -159,14 +170,13 @@ func (p *Proxy) Wait() error {

 // Close cancels the context passed to the helper instance attached to xdg-dbus-proxy.
 func (p *Proxy) Close() {
-	p.lock.Lock()
-	defer p.lock.Unlock()
+	p.pmu.Lock()
+	defer p.pmu.Unlock()

 	if p.cancel == nil {
 		panic("dbus: not started")
 	}
 	p.cancel(proxyClosed)
-	p.cancel = nil
 }

 func argF(argsFd, statFd int) []string {
--- a/dbus/proxy.go
+++ b/dbus/proxy.go
@ -2,97 +2,116 @@ package dbus

 import (
 	"context"
-	"errors"
 	"fmt"
 	"io"
 	"os/exec"
 	"sync"
+	"syscall"

-	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/hakurei/helper"
 )

 // ProxyName is the file name or path to the proxy program.
 // Overriding ProxyName will only affect Proxy instance created after the change.
 var ProxyName = "xdg-dbus-proxy"

-// Proxy holds references to a xdg-dbus-proxy process, and should never be copied.
-// Once sealed, configuration changes will no longer be possible and attempting to do so will result in a panic.
+type BadInterfaceError struct {
+	Interface string
+	Segment   string
+}
+
+func (e *BadInterfaceError) Error() string {
+	return fmt.Sprintf("bad interface string %q in %s bus configuration", e.Interface, e.Segment)
+}
+
+// Proxy holds the state of a xdg-dbus-proxy process, and should never be copied.
 type Proxy struct {
 	helper helper.Helper
 	ctx    context.Context
-	cancel context.CancelCauseFunc

-	name    string
-	session [2]string
-	system  [2]string
-	CmdF    func(any)
-	sysP    bool
+	cancel context.CancelCauseFunc
+	cause  func() error
+
+	final      *Final
+	output     io.Writer
+	useSandbox bool
+
+	name string
+	CmdF func(any)

 	CommandContext func(ctx context.Context) (cmd *exec.Cmd)
 	FilterF        func([]byte) []byte

-	seal io.WriterTo
-	lock sync.RWMutex
+	mu, pmu sync.RWMutex
 }

-func (p *Proxy) Session() [2]string { return p.session }
-func (p *Proxy) System() [2]string  { return p.system }
-func (p *Proxy) Sealed() bool       { p.lock.RLock(); defer p.lock.RUnlock(); return p.seal != nil }
-
-var (
-	ErrConfig = errors.New("no configuration to seal")
-)
-
 func (p *Proxy) String() string {
 	if p == nil {
 		return "(invalid dbus proxy)"
 	}

-	p.lock.RLock()
-	defer p.lock.RUnlock()
+	p.mu.RLock()
+	defer p.mu.RUnlock()

 	if p.helper != nil {
 		return p.helper.String()
 	}

-	if p.seal != nil {
-		return p.seal.(fmt.Stringer).String()
-	}
-
-	return "(unsealed dbus proxy)"
+	return "(unused dbus proxy)"
 }

-// Seal seals the Proxy instance.
-func (p *Proxy) Seal(session, system *Config) error {
-	p.lock.Lock()
-	defer p.lock.Unlock()
-
-	if p.seal != nil {
-		panic("dbus proxy sealed twice")
-	}
+// Final describes the outcome of a proxy configuration.
+type Final struct {
+	Session, System ProxyPair
+	// parsed upstream address
+	SessionUpstream, SystemUpstream []AddrEntry
+	io.WriterTo
+}

+// Finalise creates a checked argument writer for [Proxy].
+func Finalise(sessionBus, systemBus ProxyPair, session, system *Config) (final *Final, err error) {
 	if session == nil && system == nil {
-		return ErrConfig
+		return nil, syscall.EBADE
 	}

 	var args []string
 	if session != nil {
-		args = append(args, session.Args(p.session)...)
+		if err = session.checkInterfaces("session"); err != nil {
+			return
+		}
+		args = append(args, session.Args(sessionBus)...)
 	}
 	if system != nil {
-		args = append(args, system.Args(p.system)...)
-		p.sysP = true
-	}
-	if seal, err := helper.NewCheckedArgs(args); err != nil {
-		return err
-	} else {
-		p.seal = seal
+		if err = system.checkInterfaces("system"); err != nil {
+			return
+		}
+		args = append(args, system.Args(systemBus)...)
 	}

-	return nil
+	final = &Final{Session: sessionBus, System: systemBus}
+
+	final.WriterTo, err = helper.NewCheckedArgs(args)
+	if err != nil {
+		return
+	}
+
+	if session != nil {
+		final.SessionUpstream, err = Parse([]byte(final.Session[0]))
+		if err != nil {
+			return
+		}
+	}
+	if system != nil {
+		final.SystemUpstream, err = Parse([]byte(final.System[0]))
+		if err != nil {
+			return
+		}
+	}
+
+	return
 }

-// New returns a reference to a new unsealed Proxy.
-func New(session, system [2]string) *Proxy {
-	return &Proxy{name: ProxyName, session: session, system: system}
+// New returns a new instance of [Proxy].
+func New(ctx context.Context, final *Final, output io.Writer) *Proxy {
+	return &Proxy{name: ProxyName, ctx: ctx, final: final, output: output, useSandbox: true}
 }
--- a/dbus/samples_test.go
+++ b/dbus/samples_test.go
@ -3,7 +3,7 @@ package dbus_test
 import (
 	"sync"

-	"git.gensokyo.uk/security/fortify/dbus"
+	"git.gensokyo.uk/security/hakurei/dbus"
 )

 const (
--- a/dbus/stub_test.go
+++ b/dbus/stub_test.go
@ -3,7 +3,7 @@ package dbus_test
 import (
 	"testing"

-	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/hakurei/helper"
 )

 func TestHelperStub(t *testing.T) { helper.InternalHelperStub() }
--- a/dist/comp/_hakurei
+++ b/dist/comp/_hakurei
@ -0,0 +1,82 @@
+#compdef hakurei
+
+_hakurei_app() {
+  __hakurei_files
+  return $?
+}
+
+_hakurei_run() {
+  _arguments \
+    '--id[Reverse-DNS style Application identifier, leave empty to inherit instance identifier]:id' \
+    '-a[Application identity]: :_numbers' \
+    '-g[Groups inherited by all container processes]: :_groups' \
+    '-d[Container home directory]: :_files -/' \
+    '-u[Passwd user name within sandbox]: :_users' \
+    '--wayland[Enable connection to Wayland via security-context-v1]' \
+    '-X[Enable direct connection to X11]' \
+    '--dbus[Enable proxied connection to D-Bus]' \
+    '--pulse[Enable direct connection to PulseAudio]' \
+    '--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
+    '--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
+    '--mpris[Allow owning MPRIS D-Bus path]' \
+    '--dbus-log[Force buffered logging in the D-Bus proxy]'
+}
+
+_hakurei_ps() {
+  _arguments \
+    '--short[List instances only]'
+}
+
+_hakurei_show() {
+  _alternative \
+    'instances:domains:__hakurei_instances' \
+    'files:files:__hakurei_files'
+}
+
+__hakurei_files() {
+  _files -g "*.(json|hakurei)"
+  return $?
+}
+
+__hakurei_instances() {
+  local -a out
+  shift -p
+  out=( ${(f)"$(_call_program commands hakurei ps --short 2>&1)"} )
+  if (( $#out == 0 )); then
+    _message "No active instances"
+  else
+    _describe "active instances" out
+  fi
+  return $?
+}
+
+(( $+functions[_hakurei_commands] )) || _hakurei_commands()
+{
+  local -a _hakurei_cmds
+  _hakurei_cmds=(
+    "app:Load app from configuration file"
+    "run:Configure and start a permissive default sandbox"
+    "show:Show live or local app configuration"
+    "ps:List active instances"
+    "version:Display version information"
+    "license:Show full license text"
+    "template:Produce a config template"
+    "help:Show help message"
+  )
+  if (( CURRENT == 1 )); then
+    _describe -t commands 'action' _hakurei_cmds || compadd "$@"
+  else
+    local curcontext="$curcontext"
+    cmd="${${_hakurei_cmds[(r)$words[1]:*]%%:*}}"
+    if (( $+functions[_hakurei_$cmd] )); then
+      _hakurei_$cmd
+    else
+      _message "no more options"
+    fi
+  fi
+}
+
+_arguments -C \
+  '-v[Increase log verbosity]' \
+  '--json[Serialise output in JSON when applicable]' \
+  '*::hakurei command:_hakurei_commands'
--- a/dist/hsurc.default
+++ b/dist/hsurc.default
--- a/dist/install.sh
+++ b/dist/install.sh
@ -1,12 +1,12 @@
 #!/bin/sh
 cd "$(dirname -- "$0")" || exit 1

-install -vDm0755 "bin/fortify" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fortify"
-install -vDm0755 "bin/fpkg" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fpkg"
+install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
+install -vDm0755 "bin/planterette" "${HAKUREI_INSTALL_PREFIX}/usr/bin/planterette"

-install -vDm6511 "bin/fsu" "${FORTIFY_INSTALL_PREFIX}/usr/bin/fsu"
-if [ ! -f "${FORTIFY_INSTALL_PREFIX}/etc/fsurc" ]; then
-    install -vDm0400 "fsurc.default" "${FORTIFY_INSTALL_PREFIX}/etc/fsurc"
+install -vDm6511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
+if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
 fi

-install -vDm0644 "comp/_fortify" "${FORTIFY_INSTALL_PREFIX}/usr/share/zsh/site-functions/_fortify"
+install -vDm0644 "comp/_hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/share/zsh/site-functions/_hakurei"
--- a/dist/release.sh
+++ b/dist/release.sh
@ -1,19 +1,19 @@
 #!/bin/sh -e
 cd "$(dirname -- "$0")/.."
-VERSION="${FORTIFY_VERSION:-untagged}"
-pname="fortify-${VERSION}"
+VERSION="${HAKUREI_VERSION:-untagged}"
+pname="hakurei-${VERSION}"
 out="dist/${pname}"

 mkdir -p "${out}"
-cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
-cp -rv "comp" "${out}"
+cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
+cp -rv "dist/comp" "${out}"

 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-  -X git.gensokyo.uk/security/fortify/internal.version=${VERSION}
-  -X git.gensokyo.uk/security/fortify/internal.fsu=/usr/bin/fsu
-  -X main.fmain=/usr/bin/fortify
-  -X main.fpkg=/usr/bin/fpkg" ./...
+  -X git.gensokyo.uk/security/hakurei/internal.version=${VERSION}
+  -X git.gensokyo.uk/security/hakurei/internal.hakurei=/usr/bin/hakurei
+  -X git.gensokyo.uk/security/hakurei/internal.hsu=/usr/bin/hsu
+  -X main.hmain=/usr/bin/hakurei" ./...

 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"
--- a/flake.lock
+++ b/flake.lock
@ -7,32 +7,32 @@
        ]
      },
      "locked": {
-        "lastModified": 1742234739,
-        "narHash": "sha256-zFL6zsf/5OztR1NSNQF33dvS1fL/BzVUjabZq4qrtY4=",
+        "lastModified": 1748665073,
+        "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f6af7280a3390e65c2ad8fd059cdc303426cbd59",
+        "rev": "282e1e029cb6ab4811114fc85110613d72771dea",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1742512142,
-        "narHash": "sha256-8XfURTDxOm6+33swQJu/hx6xw1Tznl8vJJN5HwVqckg=",
+        "lastModified": 1749024892,
+        "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "7105ae3957700a9646cc4b766f5815b23ed0c682",
+        "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -1,11 +1,11 @@
 {
-  description = "fortify sandbox tool and nixos module";
+  description = "hakurei container tool and nixos module";

  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

    home-manager = {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
@ -27,12 +27,12 @@
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
    in
    {
-      nixosModules.fortify = import ./nixos.nix self.packages;
+      nixosModules.hakurei = import ./nixos.nix self.packages;

      buildPackage = forAllSystems (
        system:
        nixpkgsFor.${system}.callPackage (
-          import ./cmd/fpkg/build.nix {
+          import ./cmd/planterette/build.nix {
            inherit
              nixpkgsFor
              system
@ -57,13 +57,20 @@
            ;
        in
        {
-          fortify = callPackage ./test { inherit system self; };
-          fpkg = callPackage ./cmd/fpkg/test { inherit system self; };
+          hakurei = callPackage ./test { inherit system self; };
          race = callPackage ./test {
            inherit system self;
            withRace = true;
          };

+          sandbox = callPackage ./test/sandbox { inherit self; };
+          sandbox-race = callPackage ./test/sandbox {
+            inherit self;
+            withRace = true;
+          };
+
+          planterette = callPackage ./cmd/planterette/test { inherit system self; };
+
          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
            cd ${./.}

@ -98,12 +105,12 @@
      packages = forAllSystems (
        system:
        let
-          inherit (self.packages.${system}) fortify fsu;
+          inherit (self.packages.${system}) hakurei hsu;
          pkgs = nixpkgsFor.${system};
        in
        {
-          default = fortify;
-          fortify = pkgs.pkgsStatic.callPackage ./package.nix {
+          default = hakurei;
+          hakurei = pkgs.pkgsStatic.callPackage ./package.nix {
            inherit (pkgs)
              # passthru.buildInputs
              go
@ -118,26 +125,26 @@
              glibc
              xdg-dbus-proxy

-              # fpkg
+              # planterette
              zstd
              gnutar
              coreutils
              ;
          };
-          fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
+          hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };

-          dist = pkgs.runCommand "${fortify.name}-dist" { buildInputs = fortify.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
+          dist = pkgs.runCommand "${hakurei.name}-dist" { buildInputs = hakurei.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
            # go requires XDG_CACHE_HOME for the build cache
            export XDG_CACHE_HOME="$(mktemp -d)"

            # get a different workdir as go does not like /build
            cd $(mktemp -d) \
-                && cp -r ${fortify.src}/. . \
-                && chmod +w cmd && cp -r ${fsu.src}/. cmd/fsu/ \
+                && cp -r ${hakurei.src}/. . \
+                && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
                && chmod -R +w .

-            export FORTIFY_VERSION="v${fortify.version}"
-            ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
+            export HAKUREI_VERSION="v${hakurei.version}"
+            ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
          '';
        }
      );
@ -145,12 +152,12 @@
      devShells = forAllSystems (
        system:
        let
-          inherit (self.packages.${system}) fortify;
+          inherit (self.packages.${system}) hakurei;
          pkgs = nixpkgsFor.${system};
        in
        {
-          default = pkgs.mkShell { buildInputs = fortify.targetPkgs; };
-          withPackage = pkgs.mkShell { buildInputs = [ fortify ] ++ fortify.targetPkgs; };
+          default = pkgs.mkShell { buildInputs = hakurei.targetPkgs; };
+          withPackage = pkgs.mkShell { buildInputs = [ hakurei ] ++ hakurei.targetPkgs; };

          generateDoc =
            let
@ -167,7 +174,7 @@
                  cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
                in
                pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
-              docText = pkgs.runCommand "fortify-module-docs.md" { } ''
+              docText = pkgs.runCommand "hakurei-module-docs.md" { } ''
                cat ${doc.optionsCommonMark} > $out
                sed -i '/*Declared by:*/,+1 d' $out
              '';
--- a/fst/app.go
+++ b/fst/app.go
@ -1,47 +0,0 @@
-// Package fst exports shared fortify types.
-package fst
-
-import (
-	"time"
-)
-
-type App interface {
-	// ID returns a copy of [fst.ID] held by App.
-	ID() ID
-
-	// Seal determines the outcome of config as a [SealedApp].
-	// The value of config might be overwritten and must not be used again.
-	Seal(config *Config) (SealedApp, error)
-
-	String() string
-}
-
-type SealedApp interface {
-	// Run commits sealed system setup and starts the app process.
-	Run(rs *RunState) error
-}
-
-// RunState stores the outcome of a call to [SealedApp.Run].
-type RunState struct {
-	// Time is the exact point in time where the process was created.
-	// Location must be set to UTC.
-	//
-	// Time is nil if no process was ever created.
-	Time *time.Time
-	// ExitCode is the value returned by shim.
-	ExitCode int
-	// RevertErr is stored by the deferred revert call.
-	RevertErr error
-	// WaitErr is error returned by the underlying wait syscall.
-	WaitErr error
-}
-
-// Paths contains environment-dependent paths used by fortify.
-type Paths struct {
-	// path to shared directory (usually `/tmp/fortify.%d`)
-	SharePath string `json:"share_path"`
-	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
-	RuntimePath string `json:"runtime_path"`
-	// application runtime directory (usually `/run/user/%d/fortify`)
-	RunDirPath string `json:"run_dir_path"`
-}
--- a/fst/config.go
+++ b/fst/config.go
@ -1,159 +0,0 @@
-package fst
-
-import (
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-const Tmp = "/.fortify"
-
-// Config is used to seal an app
-type Config struct {
-	// reverse-DNS style arbitrary identifier string from config;
-	// passed to wayland security-context-v1 as application ID
-	// and used as part of defaults in dbus session proxy
-	ID string `json:"id"`
-
-	// absolute path to executable file
-	Path string `json:"path,omitempty"`
-	// final args passed to container init
-	Args []string `json:"args"`
-
-	Confinement ConfinementConfig `json:"confinement"`
-}
-
-// ConfinementConfig defines fortified child's confinement
-type ConfinementConfig struct {
-	// numerical application id, determines uid in the init namespace
-	AppID int `json:"app_id"`
-	// list of supplementary groups to inherit
-	Groups []string `json:"groups"`
-	// passwd username in container, defaults to passwd name of target uid or chronos
-	Username string `json:"username,omitempty"`
-	// home directory in container, empty for outer
-	Inner string `json:"home_inner"`
-	// home directory in init namespace
-	Outer string `json:"home"`
-	// abstract sandbox configuration
-	Sandbox *SandboxConfig `json:"sandbox"`
-	// extra acl ops, runs after everything else
-	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
-
-	// reference to a system D-Bus proxy configuration,
-	// nil value disables system bus proxy
-	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// reference to a session D-Bus proxy configuration,
-	// nil value makes session bus proxy assume built-in defaults
-	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-
-	// system resources to expose to the container
-	Enablements system.Enablement `json:"enablements"`
-}
-
-type ExtraPermConfig struct {
-	Ensure  bool   `json:"ensure,omitempty"`
-	Path    string `json:"path"`
-	Read    bool   `json:"r,omitempty"`
-	Write   bool   `json:"w,omitempty"`
-	Execute bool   `json:"x,omitempty"`
-}
-
-func (e *ExtraPermConfig) String() string {
-	buf := make([]byte, 0, 5+len(e.Path))
-	buf = append(buf, '-', '-', '-')
-	if e.Ensure {
-		buf = append(buf, '+')
-	}
-	buf = append(buf, ':')
-	buf = append(buf, []byte(e.Path)...)
-	if e.Read {
-		buf[0] = 'r'
-	}
-	if e.Write {
-		buf[1] = 'w'
-	}
-	if e.Execute {
-		buf[2] = 'x'
-	}
-	return string(buf)
-}
-
-// Template returns a fully populated instance of Config.
-func Template() *Config {
-	return &Config{
-		ID:   "org.chromium.Chromium",
-		Path: "/run/current-system/sw/bin/chromium",
-		Args: []string{
-			"chromium",
-			"--ignore-gpu-blocklist",
-			"--disable-smooth-scrolling",
-			"--enable-features=UseOzonePlatform",
-			"--ozone-platform=wayland",
-		},
-		Confinement: ConfinementConfig{
-			AppID:    9,
-			Groups:   []string{"video"},
-			Username: "chronos",
-			Outer:    "/var/lib/persist/home/org.chromium.Chromium",
-			Inner:    "/var/lib/fortify",
-			Sandbox: &SandboxConfig{
-				Hostname:      "localhost",
-				Devel:         true,
-				Userns:        true,
-				Net:           true,
-				Dev:           true,
-				Seccomp:       seccomp.FlagMultiarch,
-				Tty:           true,
-				Multiarch:     true,
-				MapRealUID:    true,
-				DirectWayland: false,
-				// example API credentials pulled from Google Chrome
-				// DO NOT USE THESE IN A REAL BROWSER
-				Env: map[string]string{
-					"GOOGLE_API_KEY":               "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-					"GOOGLE_DEFAULT_CLIENT_ID":     "77185425430.apps.googleusercontent.com",
-					"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
-				},
-				Filesystem: []*FilesystemConfig{
-					{Src: "/nix/store"},
-					{Src: "/run/current-system"},
-					{Src: "/run/opengl-driver"},
-					{Src: "/var/db/nix-channels"},
-					{Src: "/var/lib/fortify/u0/org.chromium.Chromium",
-						Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
-					{Src: "/dev/dri", Device: true},
-				},
-				Link:    [][2]string{{"/run/user/65534", "/run/user/150"}},
-				Etc:     "/etc",
-				AutoEtc: true,
-				Cover:   []string{"/var/run/nscd"},
-			},
-			ExtraPerms: []*ExtraPermConfig{
-				{Path: "/var/lib/fortify/u0", Ensure: true, Execute: true},
-				{Path: "/var/lib/fortify/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
-			},
-			SystemBus: &dbus.Config{
-				See:       nil,
-				Talk:      []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
-				Own:       nil,
-				Call:      nil,
-				Broadcast: nil,
-				Log:       false,
-				Filter:    true,
-			},
-			SessionBus: &dbus.Config{
-				See: nil,
-				Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
-					"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
-				Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*"},
-				Call:      map[string]string{"org.freedesktop.portal.*": "*"},
-				Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
-				Log:       false,
-				Filter:    true,
-			},
-			Enablements: system.EWayland | system.EDBus | system.EPulse,
-		},
-	}
-}
--- a/fst/sandbox.go
+++ b/fst/sandbox.go
@ -1,282 +0,0 @@
-package fst
-
-import (
-	"errors"
-	"fmt"
-	"io/fs"
-	"maps"
-	"path"
-	"slices"
-	"syscall"
-
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-)
-
-// SandboxConfig describes resources made available to the sandbox.
-type (
-	SandboxConfig struct {
-		// container hostname
-		Hostname string `json:"hostname,omitempty"`
-
-		// extra seccomp flags
-		Seccomp seccomp.SyscallOpts `json:"seccomp"`
-		// allow ptrace and friends
-		Devel bool `json:"devel,omitempty"`
-		// allow userns creation in container
-		Userns bool `json:"userns,omitempty"`
-		// share host net namespace
-		Net bool `json:"net,omitempty"`
-		// expose main process tty
-		Tty bool `json:"tty,omitempty"`
-		// allow multiarch
-		Multiarch bool `json:"multiarch,omitempty"`
-
-		// initial process environment variables
-		Env map[string]string `json:"env"`
-		// map target user uid to privileged user uid in the user namespace
-		MapRealUID bool `json:"map_real_uid"`
-
-		// expose all devices
-		Dev bool `json:"dev,omitempty"`
-		// container host filesystem bind mounts
-		Filesystem []*FilesystemConfig `json:"filesystem"`
-		// create symlinks inside container filesystem
-		Link [][2]string `json:"symlink"`
-
-		// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
-		// and the bare socket is mounted to the sandbox
-		DirectWayland bool `json:"direct_wayland,omitempty"`
-
-		// read-only /etc directory
-		Etc string `json:"etc,omitempty"`
-		// automatically set up /etc symlinks
-		AutoEtc bool `json:"auto_etc"`
-		// cover these paths or create them if they do not already exist
-		Cover []string `json:"cover"`
-	}
-
-	// SandboxSys encapsulates system functions used during [sandbox.Container] initialisation.
-	SandboxSys interface {
-		Getuid() int
-		Getgid() int
-		Paths() Paths
-		ReadDir(name string) ([]fs.DirEntry, error)
-		EvalSymlinks(path string) (string, error)
-
-		Println(v ...any)
-		Printf(format string, v ...any)
-	}
-
-	// FilesystemConfig is a representation of [sandbox.BindMount].
-	FilesystemConfig struct {
-		// mount point in container, same as src if empty
-		Dst string `json:"dst,omitempty"`
-		// host filesystem path to make available to the container
-		Src string `json:"src"`
-		// do not mount filesystem read-only
-		Write bool `json:"write,omitempty"`
-		// do not disable device files
-		Device bool `json:"dev,omitempty"`
-		// fail if the bind mount cannot be established for any reason
-		Must bool `json:"require,omitempty"`
-	}
-)
-
-// ToContainer initialises [sandbox.Params] via [SandboxConfig].
-// Note that remaining container setup must be queued by the [App] implementation.
-func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Params, map[string]string, error) {
-	if s == nil {
-		return nil, nil, syscall.EBADE
-	}
-
-	container := &sandbox.Params{
-		Hostname: s.Hostname,
-		Ops:      new(sandbox.Ops),
-		Seccomp:  s.Seccomp,
-	}
-
-	/* this is only 4 KiB of memory on a 64-bit system,
-	permissive defaults on NixOS results in around 100 entries
-	so this capacity should eliminate copies for most setups */
-	*container.Ops = slices.Grow(*container.Ops, 1<<8)
-
-	if s.Devel {
-		container.Flags |= sandbox.FAllowDevel
-	}
-	if s.Userns {
-		container.Flags |= sandbox.FAllowUserns
-	}
-	if s.Net {
-		container.Flags |= sandbox.FAllowNet
-	}
-	if s.Tty {
-		container.Flags |= sandbox.FAllowTTY
-	}
-
-	if s.MapRealUID {
-		/* some programs fail to connect to dbus session running as a different uid
-		so this workaround is introduced to map priv-side caller uid in container */
-		container.Uid = sys.Getuid()
-		*uid = container.Uid
-		container.Gid = sys.Getgid()
-		*gid = container.Gid
-	} else {
-		*uid = sandbox.OverflowUid()
-		*gid = sandbox.OverflowGid()
-	}
-
-	container.
-		Proc("/proc").
-		Tmpfs(Tmp, 1<<12, 0755)
-
-	if !s.Dev {
-		container.Dev("/dev").Mqueue("/dev/mqueue")
-	} else {
-		container.Bind("/dev", "/dev", sandbox.BindDevice)
-	}
-
-	/* retrieve paths and hide them if they're made available in the sandbox;
-	this feature tries to improve user experience of permissive defaults, and
-	to warn about issues in custom configuration; it is NOT a security feature
-	and should not be treated as such, ALWAYS be careful with what you bind */
-	var hidePaths []string
-	sc := sys.Paths()
-	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
-	_, systemBusAddr := dbus.Address()
-	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
-		return nil, nil, err
-	} else {
-		// there is usually only one, do not preallocate
-		for _, entry := range entries {
-			if entry.Method != "unix" {
-				continue
-			}
-			for _, pair := range entry.Values {
-				if pair[0] == "path" {
-					if path.IsAbs(pair[1]) {
-						// get parent dir of socket
-						dir := path.Dir(pair[1])
-						if dir == "." || dir == "/" {
-							sys.Printf("dbus socket %q is in an unusual location", pair[1])
-						}
-						hidePaths = append(hidePaths, dir)
-					} else {
-						sys.Printf("dbus socket %q is not absolute", pair[1])
-					}
-				}
-			}
-		}
-	}
-	hidePathMatch := make([]bool, len(hidePaths))
-	for i := range hidePaths {
-		if err := evalSymlinks(sys, &hidePaths[i]); err != nil {
-			return nil, nil, err
-		}
-	}
-
-	for _, c := range s.Filesystem {
-		if c == nil {
-			continue
-		}
-
-		if !path.IsAbs(c.Src) {
-			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
-		}
-
-		dest := c.Dst
-		if c.Dst == "" {
-			dest = c.Src
-		} else if !path.IsAbs(dest) {
-			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
-		}
-
-		srcH := c.Src
-		if err := evalSymlinks(sys, &srcH); err != nil {
-			return nil, nil, err
-		}
-
-		for i := range hidePaths {
-			// skip matched entries
-			if hidePathMatch[i] {
-				continue
-			}
-
-			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
-				return nil, nil, err
-			} else if ok {
-				hidePathMatch[i] = true
-				sys.Printf("hiding paths from %q", c.Src)
-			}
-		}
-
-		var flags int
-		if c.Write {
-			flags |= sandbox.BindWritable
-		}
-		if c.Device {
-			flags |= sandbox.BindDevice | sandbox.BindWritable
-		}
-		if !c.Must {
-			flags |= sandbox.BindOptional
-		}
-		container.Bind(c.Src, dest, flags)
-	}
-
-	// cover matched paths
-	for i, ok := range hidePathMatch {
-		if ok {
-			container.Tmpfs(hidePaths[i], 1<<13, 0755)
-		}
-	}
-
-	for _, l := range s.Link {
-		container.Link(l[0], l[1])
-	}
-
-	// perf: this might work better if implemented as a setup op in container init
-	if !s.AutoEtc {
-		if s.Etc != "" {
-			container.Bind(s.Etc, "/etc", 0)
-		}
-	} else {
-		etcPath := s.Etc
-		if etcPath == "" {
-			etcPath = "/etc"
-		}
-		container.Bind(etcPath, Tmp+"/etc", 0)
-
-		// link host /etc contents to prevent dropping passwd/group bind mounts
-		if d, err := sys.ReadDir(etcPath); err != nil {
-			return nil, nil, err
-		} else {
-			for _, ent := range d {
-				n := ent.Name()
-				switch n {
-				case "passwd":
-				case "group":
-
-				case "mtab":
-					container.Link("/proc/mounts", "/etc/"+n)
-				default:
-					container.Link(Tmp+"/etc/"+n, "/etc/"+n)
-				}
-			}
-		}
-	}
-
-	return container, maps.Clone(s.Env), nil
-}
-
-func evalSymlinks(sys SandboxSys, v *string) error {
-	if p, err := sys.EvalSymlinks(*v); err != nil {
-		if !errors.Is(err, fs.ErrNotExist) {
-			return err
-		}
-		sys.Printf("path %q does not yet exist", *v)
-	} else {
-		*v = p
-	}
-	return nil
-}
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,3 @@
-module git.gensokyo.uk/security/fortify
+module git.gensokyo.uk/security/hakurei

-go 1.23
+go 1.24
--- a/helper/args.go
+++ b/helper/args.go
@ -1,38 +1,17 @@
 package helper

 import (
-	"errors"
+	"bytes"
 	"io"
-	"strings"
+	"syscall"
 )

-var (
-	ErrContainsNull = errors.New("argument contains null character")
-)
-
-type argsWt []string
-
-// checks whether any element contains the null character
-// must be called before args use and args must not be modified after call
-func (a argsWt) check() error {
-	for _, arg := range a {
-		for _, b := range arg {
-			if b == '\x00' {
-				return ErrContainsNull
-			}
-		}
-	}
-
-	return nil
-}
+type argsWt [][]byte

 func (a argsWt) WriteTo(w io.Writer) (int64, error) {
-	// assuming already checked
-
 	nt := 0
-	// write null terminated arguments
 	for _, arg := range a {
-		n, err := w.Write([]byte(arg + "\x00"))
+		n, err := w.Write(arg)
 		nt += n

 		if err != nil {
@ -44,18 +23,32 @@ func (a argsWt) WriteTo(w io.Writer) (int64, error) {
 }

 func (a argsWt) String() string {
-	return strings.Join(a, " ")
+	return string(
+		bytes.TrimSuffix(
+			bytes.ReplaceAll(
+				bytes.Join(a, nil),
+				[]byte{0}, []byte{' '},
+			),
+			[]byte{' '},
+		),
+	)
 }

-// NewCheckedArgs returns a checked argument writer for args.
-// Callers must not retain any references to args.
-func NewCheckedArgs(args []string) (io.WriterTo, error) {
-	a := argsWt(args)
-	return a, a.check()
+// NewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+func NewCheckedArgs(args []string) (wt io.WriterTo, err error) {
+	a := make(argsWt, len(args))
+	for i, arg := range args {
+		a[i], err = syscall.ByteSliceFromString(arg)
+		if err != nil {
+			return
+		}
+	}
+	wt = a
+	return
 }

-// MustNewCheckedArgs returns a checked argument writer for args and panics if check fails.
-// Callers must not retain any references to args.
+// MustNewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+// If s contains a NUL byte this function panics instead of returning an error.
 func MustNewCheckedArgs(args []string) io.WriterTo {
 	a, err := NewCheckedArgs(args)
 	if err != nil {
--- a/helper/args_test.go
+++ b/helper/args_test.go
@ -4,34 +4,33 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"syscall"
 	"testing"

-	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/hakurei/helper"
 )

-func Test_argsFd_String(t *testing.T) {
+func TestArgsString(t *testing.T) {
 	wantString := strings.Join(wantArgs, " ")
 	if got := argsWt.(fmt.Stringer).String(); got != wantString {
-		t.Errorf("String(): got %v; want %v",
+		t.Errorf("String: %q, want %q",
 			got, wantString)
 	}
 }

 func TestNewCheckedArgs(t *testing.T) {
 	args := []string{"\x00"}
-	if _, err := helper.NewCheckedArgs(args); !errors.Is(err, helper.ErrContainsNull) {
-		t.Errorf("NewCheckedArgs(%q) error = %v, wantErr %v",
-			args,
-			err, helper.ErrContainsNull)
+	if _, err := helper.NewCheckedArgs(args); !errors.Is(err, syscall.EINVAL) {
+		t.Errorf("NewCheckedArgs: error = %v, wantErr %v",
+			err, syscall.EINVAL)
 	}

 	t.Run("must panic", func(t *testing.T) {
 		badPayload := []string{"\x00"}
 		defer func() {
-			wantPanic := "argument contains null character"
+			wantPanic := "invalid argument"
 			if r := recover(); r != wantPanic {
-				t.Errorf("MustNewCheckedArgs(%q) panic = %v, wantPanic %v",
-					badPayload,
+				t.Errorf("MustNewCheckedArgs: panic = %v, wantPanic %v",
 					r, wantPanic)
 			}
 		}()
--- a/helper/cmd.go
+++ b/helper/cmd.go
@ -10,7 +10,7 @@ import (
 	"sync"
 	"syscall"

-	"git.gensokyo.uk/security/fortify/helper/proc"
+	"git.gensokyo.uk/security/hakurei/helper/proc"
 )

 // NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
@ -67,17 +67,17 @@ func (h *helperCmd) Start() error {

 	h.Env = slices.Grow(h.Env, 2)
 	if h.useArgsFd {
-		h.Env = append(h.Env, FortifyHelper+"=1")
+		h.Env = append(h.Env, HakureiHelper+"=1")
 	} else {
-		h.Env = append(h.Env, FortifyHelper+"=0")
+		h.Env = append(h.Env, HakureiHelper+"=0")
 	}
 	if h.useStatFd {
-		h.Env = append(h.Env, FortifyStatus+"=1")
+		h.Env = append(h.Env, HakureiStatus+"=1")

 		// stat is populated on fulfill
 		h.Cancel = func() error { return h.stat.Close() }
 	} else {
-		h.Env = append(h.Env, FortifyStatus+"=0")
+		h.Env = append(h.Env, HakureiStatus+"=0")
 	}

 	return proc.Fulfill(h.helperFiles.ctx, &h.ExtraFiles, h.Cmd.Start, h.files, h.extraFiles)
--- a/helper/cmd_test.go
+++ b/helper/cmd_test.go
@ -8,12 +8,12 @@ import (
 	"os/exec"
 	"testing"

-	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/hakurei/helper"
 )

 func TestCmd(t *testing.T) {
 	t.Run("start non-existent helper path", func(t *testing.T) {
-		h := helper.NewDirect(context.Background(), "/proc/nonexistent", argsWt, false, argF, nil, nil)
+		h := helper.NewDirect(t.Context(), "/proc/nonexistent", argsWt, false, argF, nil, nil)

 		if err := h.Start(); !errors.Is(err, os.ErrNotExist) {
 			t.Errorf("Start: error = %v, wantErr %v",
@ -22,9 +22,9 @@ func TestCmd(t *testing.T) {
 	})

 	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.NewDirect(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
+		if got := helper.NewDirect(t.Context(), "hakurei", argsWt, false, argF, nil, nil); got == nil {
 			t.Errorf("NewDirect(%q, %q) got nil",
-				argsWt, "fortify")
+				argsWt, "hakurei")
 			return
 		}
 	})
--- a/helper/container.go
+++ b/helper/container.go
@ -9,8 +9,8 @@ import (
 	"slices"
 	"sync"

-	"git.gensokyo.uk/security/fortify/helper/proc"
-	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/hakurei/helper/proc"
+	"git.gensokyo.uk/security/hakurei/sandbox"
 )

 // New initialises a Helper instance with wt as the null-terminated argument writer.
@ -54,17 +54,17 @@ func (h *helperContainer) Start() error {

 	h.Env = slices.Grow(h.Env, 2)
 	if h.useArgsFd {
-		h.Env = append(h.Env, FortifyHelper+"=1")
+		h.Env = append(h.Env, HakureiHelper+"=1")
 	} else {
-		h.Env = append(h.Env, FortifyHelper+"=0")
+		h.Env = append(h.Env, HakureiHelper+"=0")
 	}
 	if h.useStatFd {
-		h.Env = append(h.Env, FortifyStatus+"=1")
+		h.Env = append(h.Env, HakureiStatus+"=1")

 		// stat is populated on fulfill
 		h.Cancel = func(*exec.Cmd) error { return h.stat.Close() }
 	} else {
-		h.Env = append(h.Env, FortifyStatus+"=0")
+		h.Env = append(h.Env, HakureiStatus+"=0")
 	}

 	return proc.Fulfill(h.helperFiles.ctx, &h.ExtraFiles, func() error {
--- a/helper/container_test.go
+++ b/helper/container_test.go
@ -7,15 +7,15 @@ import (
 	"os/exec"
 	"testing"

-	"git.gensokyo.uk/security/fortify/helper"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/sandbox"
+	"git.gensokyo.uk/security/hakurei/helper"
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/sandbox"
 )

 func TestContainer(t *testing.T) {
 	t.Run("start empty container", func(t *testing.T) {
-		h := helper.New(context.Background(), "/nonexistent", argsWt, false, argF, nil, nil)
+		h := helper.New(t.Context(), "/nonexistent", argsWt, false, argF, nil, nil)

 		wantErr := "sandbox: starting an empty container"
 		if err := h.Start(); err == nil || err.Error() != wantErr {
@ -25,9 +25,9 @@ func TestContainer(t *testing.T) {
 	})

 	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.New(context.TODO(), "fortify", argsWt, false, argF, nil, nil); got == nil {
+		if got := helper.New(t.Context(), "hakurei", argsWt, false, argF, nil, nil); got == nil {
 			t.Errorf("New(%q, %q) got nil",
-				argsWt, "fortify")
+				argsWt, "hakurei")
 			return
 		}
 	})
@ -52,6 +52,6 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(fmsg.Output{})
-	sandbox.Init(fmsg.Prepare, func(bool) { internal.InstallFmsg(false) })
+	sandbox.SetOutput(hlog.Output{})
+	sandbox.Init(hlog.Prepare, func(bool) { internal.InstallFmsg(false) })
 }
--- a/helper/helper.go
+++ b/helper/helper.go
@ -8,16 +8,16 @@ import (
 	"os"
 	"time"

-	"git.gensokyo.uk/security/fortify/helper/proc"
+	"git.gensokyo.uk/security/hakurei/helper/proc"
 )

 var WaitDelay = 2 * time.Second

 const (
-	// FortifyHelper is set to 1 when args fd is enabled and 0 otherwise.
-	FortifyHelper = "FORTIFY_HELPER"
-	// FortifyStatus is set to 1 when stat fd is enabled and 0 otherwise.
-	FortifyStatus = "FORTIFY_STATUS"
+	// HakureiHelper is set to 1 when args fd is enabled and 0 otherwise.
+	HakureiHelper = "HAKUREI_HELPER"
+	// HakureiStatus is set to 1 when stat fd is enabled and 0 otherwise.
+	HakureiStatus = "HAKUREI_STATUS"
 )

 type Helper interface {
--- a/helper/helper_test.go
+++ b/helper/helper_test.go
@ -5,18 +5,19 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"strconv"
 	"strings"
 	"testing"
 	"time"

-	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/hakurei/helper"
 )

 var (
 	wantArgs = []string{
 		"unix:path=/run/dbus/system_bus_socket",
-		"/tmp/fortify.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket",
+		"/tmp/hakurei.1971/12622d846cc3fe7b4c10359d01f0eb47/system_bus_socket",
 		"--filter",
 		"--talk=org.bluez",
 		"--talk=org.freedesktop.Avahi",
@ -54,9 +55,9 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f
 	t.Cleanup(func() { helper.WaitDelay = oldWaitDelay })

 	t.Run("start helper with status channel and wait", func(t *testing.T) {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		stdout, stderr := new(strings.Builder), new(strings.Builder)
-		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, stderr }, true)
+		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
+		stdout := new(strings.Builder)
+		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, true)

 		t.Run("wait not yet started helper", func(t *testing.T) {
 			defer func() {
@ -88,8 +89,8 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f

 		t.Log("waiting on helper")
 		if err := h.Wait(); !errors.Is(err, context.Canceled) {
-			t.Errorf("Wait() err = %v stderr = %s",
-				err, stderr)
+			t.Errorf("Wait: error = %v",
+				err)
 		}

 		t.Run("wait already finalised helper", func(t *testing.T) {
@ -101,32 +102,36 @@ func testHelper(t *testing.T, createHelper func(ctx context.Context, setOutput f
 			}
 		})

-		if got := stderr.String(); got != wantPayload {
-			t.Errorf("Start: stderr = %v, want %v",
+		if got := trimStdout(stdout); got != wantPayload {
+			t.Errorf("Start: stdout = %q, want %q",
 				got, wantPayload)
 		}
 	})

 	t.Run("start helper and wait", func(t *testing.T) {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
-		stdout, stderr := new(strings.Builder), new(strings.Builder)
-		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, stderr }, false)
+		stdout := new(strings.Builder)
+		h := createHelper(ctx, func(stdoutP, stderrP *io.Writer) { *stdoutP, *stderrP = stdout, os.Stderr }, false)

 		if err := h.Start(); err != nil {
-			t.Errorf("Start() error = %v",
+			t.Errorf("Start: error = %v",
 				err)
 			return
 		}

 		if err := h.Wait(); err != nil {
-			t.Errorf("Wait() err = %v stdout = %s stderr = %s",
-				err, stdout, stderr)
+			t.Errorf("Wait: error = %v stdout = %q",
+				err, stdout)
 		}

-		if got := stderr.String(); got != wantPayload {
-			t.Errorf("Start() stderr = %v, want %v",
+		if got := trimStdout(stdout); got != wantPayload {
+			t.Errorf("Start: stdout = %q, want %q",
 				got, wantPayload)
 		}
 	})
 }
+
+func trimStdout(stdout fmt.Stringer) string {
+	return strings.TrimPrefix(stdout.String(), "=== RUN   TestHelperInit\n")
+}
--- a/helper/stub.go
+++ b/helper/stub.go
@ -14,13 +14,13 @@ import (
 func InternalHelperStub() {
 	// this test mocks the helper process
 	var ap, sp string
-	if v, ok := os.LookupEnv(FortifyHelper); !ok {
+	if v, ok := os.LookupEnv(HakureiHelper); !ok {
 		return
 	} else {
 		ap = v
 	}
-	if v, ok := os.LookupEnv(FortifyStatus); !ok {
-		panic(FortifyStatus)
+	if v, ok := os.LookupEnv(HakureiStatus); !ok {
+		panic(HakureiStatus)
 	} else {
 		sp = v
 	}
@ -63,7 +63,7 @@ func flagRestoreFiles(offset int, ap, sp string) (argsFile, statFile *os.File) {
 func genericStub(argsFile, statFile *os.File) {
 	if argsFile != nil {
 		// this output is checked by parent
-		if _, err := io.Copy(os.Stderr, argsFile); err != nil {
+		if _, err := io.Copy(os.Stdout, argsFile); err != nil {
 			panic("cannot read args: " + err.Error())
 		}
 	}
--- a/helper/stub_test.go
+++ b/helper/stub_test.go
@ -3,7 +3,7 @@ package helper_test
 import (
 	"testing"

-	"git.gensokyo.uk/security/fortify/helper"
+	"git.gensokyo.uk/security/hakurei/helper"
 )

 func TestHelperStub(t *testing.T) { helper.InternalHelperStub() }
--- a/hst/config.go
+++ b/hst/config.go
@ -0,0 +1,83 @@
+// Package hst exports shared types for invoking hakurei.
+package hst
+
+import (
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+const Tmp = "/.hakurei"
+
+// Config is used to seal an app implementation.
+type Config struct {
+	// reverse-DNS style arbitrary identifier string from config;
+	// passed to wayland security-context-v1 as application ID
+	// and used as part of defaults in dbus session proxy
+	ID string `json:"id"`
+
+	// absolute path to executable file
+	Path string `json:"path,omitempty"`
+	// final args passed to container init
+	Args []string `json:"args"`
+
+	// system services to make available in the container
+	Enablements system.Enablement `json:"enablements"`
+
+	// session D-Bus proxy configuration;
+	// nil makes session bus proxy assume built-in defaults
+	SessionBus *dbus.Config `json:"session_bus,omitempty"`
+	// system D-Bus proxy configuration;
+	// nil disables system bus proxy
+	SystemBus *dbus.Config `json:"system_bus,omitempty"`
+	// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
+	// and the bare socket is mounted to the sandbox
+	DirectWayland bool `json:"direct_wayland,omitempty"`
+
+	// passwd username in container, defaults to passwd name of target uid or chronos
+	Username string `json:"username,omitempty"`
+	// absolute path to shell, empty for host shell
+	Shell string `json:"shell,omitempty"`
+	// absolute path to home directory in the init mount namespace
+	Data string `json:"data"`
+	// directory to enter and use as home in the container mount namespace, empty for Data
+	Dir string `json:"dir"`
+	// extra acl ops, dispatches before container init
+	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
+
+	// numerical application id, used for init user namespace credentials
+	Identity int `json:"identity"`
+	// list of supplementary groups inherited by container processes
+	Groups []string `json:"groups"`
+
+	// abstract container configuration baseline
+	Container *ContainerConfig `json:"container"`
+}
+
+// ExtraPermConfig describes an acl update op.
+type ExtraPermConfig struct {
+	Ensure  bool   `json:"ensure,omitempty"`
+	Path    string `json:"path"`
+	Read    bool   `json:"r,omitempty"`
+	Write   bool   `json:"w,omitempty"`
+	Execute bool   `json:"x,omitempty"`
+}
+
+func (e *ExtraPermConfig) String() string {
+	buf := make([]byte, 0, 5+len(e.Path))
+	buf = append(buf, '-', '-', '-')
+	if e.Ensure {
+		buf = append(buf, '+')
+	}
+	buf = append(buf, ':')
+	buf = append(buf, []byte(e.Path)...)
+	if e.Read {
+		buf[0] = 'r'
+	}
+	if e.Write {
+		buf[1] = 'w'
+	}
+	if e.Execute {
+		buf[2] = 'x'
+	}
+	return string(buf)
+}
--- a/hst/container.go
+++ b/hst/container.go
@ -0,0 +1,59 @@
+package hst
+
+import (
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+)
+
+type (
+	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
+	ContainerConfig struct {
+		// container hostname
+		Hostname string `json:"hostname,omitempty"`
+
+		// extra seccomp flags
+		Seccomp seccomp.FilterOpts `json:"seccomp"`
+		// allow ptrace and friends
+		Devel bool `json:"devel,omitempty"`
+		// allow userns creation in container
+		Userns bool `json:"userns,omitempty"`
+		// share host net namespace
+		Net bool `json:"net,omitempty"`
+		// allow dangerous terminal I/O
+		Tty bool `json:"tty,omitempty"`
+		// allow multiarch
+		Multiarch bool `json:"multiarch,omitempty"`
+
+		// initial process environment variables
+		Env map[string]string `json:"env"`
+		// map target user uid to privileged user uid in the user namespace
+		MapRealUID bool `json:"map_real_uid"`
+
+		// pass through all devices
+		Device bool `json:"device,omitempty"`
+		// container host filesystem bind mounts
+		Filesystem []*FilesystemConfig `json:"filesystem"`
+		// create symlinks inside container filesystem
+		Link [][2]string `json:"symlink"`
+
+		// read-only /etc directory
+		Etc string `json:"etc,omitempty"`
+		// automatically set up /etc symlinks
+		AutoEtc bool `json:"auto_etc"`
+		// cover these paths or create them if they do not already exist
+		Cover []string `json:"cover"`
+	}
+
+	// FilesystemConfig is an abstract representation of a bind mount.
+	FilesystemConfig struct {
+		// mount point in container, same as src if empty
+		Dst string `json:"dst,omitempty"`
+		// host filesystem path to make available to the container
+		Src string `json:"src"`
+		// do not mount filesystem read-only
+		Write bool `json:"write,omitempty"`
+		// do not disable device files
+		Device bool `json:"dev,omitempty"`
+		// fail if the bind mount cannot be established for any reason
+		Must bool `json:"require,omitempty"`
+	}
+)
--- a/hst/info.go
+++ b/hst/info.go
@ -1,4 +1,4 @@
-package fst
+package hst

 type Info struct {
 	User int `json:"user"`
--- a/hst/template.go
+++ b/hst/template.go
@ -0,0 +1,91 @@
+package hst
+
+import (
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+// Template returns a fully populated instance of Config.
+func Template() *Config {
+	return &Config{
+		ID: "org.chromium.Chromium",
+
+		Path: "/run/current-system/sw/bin/chromium",
+		Args: []string{
+			"chromium",
+			"--ignore-gpu-blocklist",
+			"--disable-smooth-scrolling",
+			"--enable-features=UseOzonePlatform",
+			"--ozone-platform=wayland",
+		},
+
+		Enablements: system.EWayland | system.EDBus | system.EPulse,
+
+		SessionBus: &dbus.Config{
+			See: nil,
+			Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
+				"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
+			Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+				"org.mpris.MediaPlayer2.chromium.*"},
+			Call:      map[string]string{"org.freedesktop.portal.*": "*"},
+			Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
+			Log:       false,
+			Filter:    true,
+		},
+		SystemBus: &dbus.Config{
+			See:       nil,
+			Talk:      []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
+			Own:       nil,
+			Call:      nil,
+			Broadcast: nil,
+			Log:       false,
+			Filter:    true,
+		},
+		DirectWayland: false,
+
+		Username: "chronos",
+		Shell:    "/run/current-system/sw/bin/zsh",
+		Data:     "/var/lib/hakurei/u0/org.chromium.Chromium",
+		Dir:      "/data/data/org.chromium.Chromium",
+		ExtraPerms: []*ExtraPermConfig{
+			{Path: "/var/lib/hakurei/u0", Ensure: true, Execute: true},
+			{Path: "/var/lib/hakurei/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
+		},
+
+		Identity: 9,
+		Groups:   []string{"video", "dialout", "plugdev"},
+
+		Container: &ContainerConfig{
+			Hostname:   "localhost",
+			Devel:      true,
+			Userns:     true,
+			Net:        true,
+			Device:     true,
+			Seccomp:    seccomp.FilterMultiarch,
+			Tty:        true,
+			Multiarch:  true,
+			MapRealUID: true,
+			// example API credentials pulled from Google Chrome
+			// DO NOT USE THESE IN A REAL BROWSER
+			Env: map[string]string{
+				"GOOGLE_API_KEY":               "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+				"GOOGLE_DEFAULT_CLIENT_ID":     "77185425430.apps.googleusercontent.com",
+				"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
+			},
+			Filesystem: []*FilesystemConfig{
+				{Src: "/nix/store"},
+				{Src: "/run/current-system"},
+				{Src: "/run/opengl-driver"},
+				{Src: "/var/db/nix-channels"},
+				{Src: "/var/lib/hakurei/u0/org.chromium.Chromium",
+					Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
+				{Src: "/dev/dri", Device: true},
+			},
+			Link:    [][2]string{{"/run/user/65534", "/run/user/150"}},
+			Etc:     "/etc",
+			AutoEtc: true,
+			Cover:   []string{"/var/run/nscd"},
+		},
+	}
+}
--- a/hst/template_test.go
+++ b/hst/template_test.go
@ -0,0 +1,140 @@
+package hst_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"git.gensokyo.uk/security/hakurei/hst"
+)
+
+func TestTemplate(t *testing.T) {
+	const want = `{
+	"id": "org.chromium.Chromium",
+	"path": "/run/current-system/sw/bin/chromium",
+	"args": [
+		"chromium",
+		"--ignore-gpu-blocklist",
+		"--disable-smooth-scrolling",
+		"--enable-features=UseOzonePlatform",
+		"--ozone-platform=wayland"
+	],
+	"enablements": 13,
+	"session_bus": {
+		"see": null,
+		"talk": [
+			"org.freedesktop.Notifications",
+			"org.freedesktop.FileManager1",
+			"org.freedesktop.ScreenSaver",
+			"org.freedesktop.secrets",
+			"org.kde.kwalletd5",
+			"org.kde.kwalletd6",
+			"org.gnome.SessionManager"
+		],
+		"own": [
+			"org.chromium.Chromium.*",
+			"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+			"org.mpris.MediaPlayer2.chromium.*"
+		],
+		"call": {
+			"org.freedesktop.portal.*": "*"
+		},
+		"broadcast": {
+			"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
+		},
+		"filter": true
+	},
+	"system_bus": {
+		"see": null,
+		"talk": [
+			"org.bluez",
+			"org.freedesktop.Avahi",
+			"org.freedesktop.UPower"
+		],
+		"own": null,
+		"call": null,
+		"broadcast": null,
+		"filter": true
+	},
+	"username": "chronos",
+	"shell": "/run/current-system/sw/bin/zsh",
+	"data": "/var/lib/hakurei/u0/org.chromium.Chromium",
+	"dir": "/data/data/org.chromium.Chromium",
+	"extra_perms": [
+		{
+			"ensure": true,
+			"path": "/var/lib/hakurei/u0",
+			"x": true
+		},
+		{
+			"path": "/var/lib/hakurei/u0/org.chromium.Chromium",
+			"r": true,
+			"w": true,
+			"x": true
+		}
+	],
+	"identity": 9,
+	"groups": [
+		"video",
+		"dialout",
+		"plugdev"
+	],
+	"container": {
+		"hostname": "localhost",
+		"seccomp": 32,
+		"devel": true,
+		"userns": true,
+		"net": true,
+		"tty": true,
+		"multiarch": true,
+		"env": {
+			"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+			"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
+			"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
+		},
+		"map_real_uid": true,
+		"device": true,
+		"filesystem": [
+			{
+				"src": "/nix/store"
+			},
+			{
+				"src": "/run/current-system"
+			},
+			{
+				"src": "/run/opengl-driver"
+			},
+			{
+				"src": "/var/db/nix-channels"
+			},
+			{
+				"dst": "/data/data/org.chromium.Chromium",
+				"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
+				"write": true,
+				"require": true
+			},
+			{
+				"src": "/dev/dri",
+				"dev": true
+			}
+		],
+		"symlink": [
+			[
+				"/run/user/65534",
+				"/run/user/150"
+			]
+		],
+		"etc": "/etc",
+		"auto_etc": true,
+		"cover": [
+			"/var/run/nscd"
+		]
+	}
+}`
+
+	if p, err := json.MarshalIndent(hst.Template(), "", "\t"); err != nil {
+		t.Fatalf("cannot marshal: %v", err)
+	} else if s := string(p); s != want {
+		t.Fatalf("Template:\n%s\nwant:\n%s",
+			s, want)
+	}
+}
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -1,82 +1,59 @@
+// Package app defines the generic [App] interface.
 package app

 import (
-	"context"
-	"fmt"
-	"log"
-	"sync"
+	"syscall"
+	"time"

-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/sys"
+	"git.gensokyo.uk/security/hakurei/hst"
 )

-func New(ctx context.Context, os sys.State) (fst.App, error) {
-	a := new(app)
-	a.sys = os
-	a.ctx = ctx
+type App interface {
+	// ID returns a copy of [ID] held by App.
+	ID() ID

-	id := new(fst.ID)
-	err := fst.NewAppID(id)
-	a.id = newID(id)
+	// Seal determines the outcome of config as a [SealedApp].
+	// The value of config might be overwritten and must not be used again.
+	Seal(config *hst.Config) (SealedApp, error)

-	return a, err
+	String() string
 }

-func MustNew(ctx context.Context, os sys.State) fst.App {
-	a, err := New(ctx, os)
-	if err != nil {
-		log.Fatalf("cannot create app: %v", err)
-	}
-	return a
+type SealedApp interface {
+	// Run commits sealed system setup and starts the app process.
+	Run(rs *RunState) error
 }

-type app struct {
-	id  *stringPair[fst.ID]
-	sys sys.State
-	ctx context.Context
+// RunState stores the outcome of a call to [SealedApp.Run].
+type RunState struct {
+	// Time is the exact point in time where the process was created.
+	// Location must be set to UTC.
+	//
+	// Time is nil if no process was ever created.
+	Time *time.Time
+	// RevertErr is stored by the deferred revert call.
+	RevertErr error
+	// WaitErr is the generic error value created by the standard library.
+	WaitErr error

-	*outcome
-	mu sync.RWMutex
+	syscall.WaitStatus
 }

-func (a *app) ID() fst.ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
-
-func (a *app) String() string {
-	if a == nil {
-		return "(invalid app)"
+// SetStart stores the current time in [RunState] once.
+func (rs *RunState) SetStart() {
+	if rs.Time != nil {
+		panic("attempted to store time twice")
 	}
-
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.outcome != nil {
-		if a.outcome.user.uid == nil {
-			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
-		}
-		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
-	}
-
-	return fmt.Sprintf("(unsealed app %s)", a.id)
+	now := time.Now().UTC()
+	rs.Time = &now
 }

-func (a *app) Seal(config *fst.Config) (fst.SealedApp, error) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	if a.outcome != nil {
-		panic("app sealed twice")
-	}
-	if config == nil {
-		return nil, fmsg.WrapError(ErrConfig,
-			"attempted to seal app with nil config")
-	}
-
-	seal := new(outcome)
-	seal.id = a.id
-	err := seal.finalise(a.ctx, a.sys, config)
-	if err == nil {
-		a.outcome = seal
-	}
-	return seal, err
+// Paths contains environment-dependent paths used by hakurei.
+type Paths struct {
+	// path to shared directory (usually `/tmp/hakurei.%d`)
+	SharePath string `json:"share_path"`
+	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
+	RuntimePath string `json:"runtime_path"`
+	// application runtime directory (usually `/run/user/%d/hakurei`)
+	RunDirPath string `json:"run_dir_path"`
 }
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@ -1,219 +0,0 @@
-package app_test
-
-import (
-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-var testCasesNixos = []sealTestCase{
-	{
-		"nixos chromium direct wayland", new(stubNixOS),
-		&fst.Config{
-			ID:   "org.chromium.Chromium",
-			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-			Confinement: fst.ConfinementConfig{
-				AppID: 1, Groups: []string{}, Username: "u0_a1",
-				Outer: "/var/lib/persist/module/fortify/0/1",
-				Sandbox: &fst.SandboxConfig{
-					Userns: true, Net: true, MapRealUID: true, DirectWayland: true, Env: nil, AutoEtc: true,
-					Filesystem: []*fst.FilesystemConfig{
-						{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
-						{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
-						{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
-						{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
-					},
-					Cover: []string{"/var/run/nscd"},
-				},
-				SystemBus: &dbus.Config{
-					Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
-					Filter: true,
-				},
-				SessionBus: &dbus.Config{
-					Talk: []string{
-						"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
-						"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
-						"org.kde.kwalletd5", "org.kde.kwalletd6",
-					},
-					Own: []string{
-						"org.chromium.Chromium.*",
-						"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-						"org.mpris.MediaPlayer2.chromium.*",
-					},
-					Call: map[string]string{}, Broadcast: map[string]string{},
-					Filter: true,
-				},
-				Enablements: system.EWayland | system.EDBus | system.EPulse,
-			},
-		},
-		fst.ID{
-			0x8e, 0x2c, 0x76, 0xb0,
-			0x66, 0xda, 0xbe, 0x57,
-			0x4c, 0xf0, 0x73, 0xbd,
-			0xb4, 0x6e, 0xb5, 0xc1,
-		},
-		system.New(1000001).
-			Ensure("/tmp/fortify.1971", 0711).
-			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
-			Ephemeral(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
-			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
-			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
-			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
-			MustProxyDBus("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
-				Talk: []string{
-					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
-					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
-					"org.kde.kwalletd5", "org.kde.kwalletd6",
-				},
-				Own: []string{
-					"org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*",
-				},
-				Call: map[string]string{}, Broadcast: map[string]string{},
-				Filter: true,
-			}, "/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", &dbus.Config{
-				Talk: []string{
-					"org.bluez",
-					"org.freedesktop.Avahi",
-					"org.freedesktop.UPower",
-				},
-				Filter: true,
-			}).
-			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
-			UpdatePerm("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		&sandbox.Params{
-			Uid:   1971,
-			Gid:   100,
-			Flags: sandbox.FAllowNet | sandbox.FAllowUserns,
-			Dir:   "/var/lib/persist/module/fortify/0/1",
-			Path:  "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-			Args:  []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
-			Env: []string{
-				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
-				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
-				"HOME=/var/lib/persist/module/fortify/0/1",
-				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
-				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
-				"TERM=xterm-256color",
-				"USER=u0_a1",
-				"WAYLAND_DISPLAY=wayland-0",
-				"XDG_RUNTIME_DIR=/run/user/1971",
-				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_TYPE=tty",
-			},
-			Ops: new(sandbox.Ops).
-				Proc("/proc").
-				Tmpfs(fst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", 0).
-				Bind("/usr/bin", "/usr/bin", 0).
-				Bind("/nix/store", "/nix/store", 0).
-				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", sandbox.BindOptional).
-				Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
-				Bind("/sys/class", "/sys/class", sandbox.BindOptional).
-				Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
-				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
-				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
-				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-				Tmpfs("/run/user", 4096, 0755).
-				Tmpfs("/run/user/1971", 8388608, 0700).
-				Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
-				Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", sandbox.BindWritable).
-				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("fortify:x:100:\n")).
-				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
-				Bind("/run/user/1971/fortify/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
-				Place(fst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
-				Bind("/tmp/fortify.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Tmpfs("/var/run/nscd", 8192, 0755),
-		},
-	},
-}
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@ -1,382 +0,0 @@
-package app_test
-
-import (
-	"os"
-
-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-var testCasesPd = []sealTestCase{
-	{
-		"nixos permissive defaults no enablements", new(stubNixOS),
-		&fst.Config{
-			Confinement: fst.ConfinementConfig{
-				AppID:    0,
-				Username: "chronos",
-				Outer:    "/home/chronos",
-			},
-		},
-		fst.ID{
-			0x4a, 0x45, 0x0b, 0x65,
-			0x96, 0xd7, 0xbc, 0x15,
-			0xbd, 0x01, 0x78, 0x0e,
-			0xb9, 0xa6, 0x07, 0xac,
-		},
-		system.New(1000000).
-			Ensure("/tmp/fortify.1971", 0711).
-			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/tmp/fortify.1971/4a450b6596d7bc15bd01780eb9a607ac", 0711).
-			Ephemeral(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/4a450b6596d7bc15bd01780eb9a607ac", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-		&sandbox.Params{
-			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
-			Dir:   "/home/chronos",
-			Path:  "/run/current-system/sw/bin/zsh",
-			Args:  []string{"/run/current-system/sw/bin/zsh"},
-			Env: []string{
-				"HOME=/home/chronos",
-				"TERM=xterm-256color",
-				"USER=chronos",
-				"XDG_RUNTIME_DIR=/run/user/65534",
-				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_TYPE=tty",
-			},
-			Ops: new(sandbox.Ops).
-				Proc("/proc").
-				Tmpfs(fst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", sandbox.BindWritable).
-				Bind("/boot", "/boot", sandbox.BindWritable).
-				Bind("/home", "/home", sandbox.BindWritable).
-				Bind("/lib", "/lib", sandbox.BindWritable).
-				Bind("/lib64", "/lib64", sandbox.BindWritable).
-				Bind("/nix", "/nix", sandbox.BindWritable).
-				Bind("/root", "/root", sandbox.BindWritable).
-				Bind("/run", "/run", sandbox.BindWritable).
-				Bind("/srv", "/srv", sandbox.BindWritable).
-				Bind("/sys", "/sys", sandbox.BindWritable).
-				Bind("/usr", "/usr", sandbox.BindWritable).
-				Bind("/var", "/var", sandbox.BindWritable).
-				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-				Tmpfs("/run/user", 4096, 0755).
-				Tmpfs("/run/user/65534", 8388608, 0700).
-				Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
-				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("fortify:x:65534:\n")).
-				Tmpfs("/var/run/nscd", 8192, 0755),
-		},
-	},
-	{
-		"nixos permissive defaults chromium", new(stubNixOS),
-		&fst.Config{
-			ID:   "org.chromium.Chromium",
-			Args: []string{"zsh", "-c", "exec chromium "},
-			Confinement: fst.ConfinementConfig{
-				AppID:    9,
-				Groups:   []string{"video"},
-				Username: "chronos",
-				Outer:    "/home/chronos",
-				SessionBus: &dbus.Config{
-					Talk: []string{
-						"org.freedesktop.Notifications",
-						"org.freedesktop.FileManager1",
-						"org.freedesktop.ScreenSaver",
-						"org.freedesktop.secrets",
-						"org.kde.kwalletd5",
-						"org.kde.kwalletd6",
-						"org.gnome.SessionManager",
-					},
-					Own: []string{
-						"org.chromium.Chromium.*",
-						"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-						"org.mpris.MediaPlayer2.chromium.*",
-					},
-					Call: map[string]string{
-						"org.freedesktop.portal.*": "*",
-					},
-					Broadcast: map[string]string{
-						"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
-					},
-					Filter: true,
-				},
-				SystemBus: &dbus.Config{
-					Talk: []string{
-						"org.bluez",
-						"org.freedesktop.Avahi",
-						"org.freedesktop.UPower",
-					},
-					Filter: true,
-				},
-				Enablements: system.EWayland | system.EDBus | system.EPulse,
-			},
-		},
-		fst.ID{
-			0xeb, 0xf0, 0x83, 0xd1,
-			0xb1, 0x75, 0x91, 0x17,
-			0x82, 0xd4, 0x13, 0x36,
-			0x9b, 0x64, 0xce, 0x7c,
-		},
-		system.New(1000009).
-			Ensure("/tmp/fortify.1971", 0711).
-			Ensure("/run/user/1971/fortify", 0700).UpdatePermType(system.User, "/run/user/1971/fortify", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c", 0711).
-			Ephemeral(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/fortify.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/fortify.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
-			Ensure("/tmp/fortify.1971/wayland", 0711).
-			Wayland(new(*os.File), "/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
-			Link("/run/user/1971/pulse/native", "/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse").
-			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
-			MustProxyDBus("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
-				Talk: []string{
-					"org.freedesktop.Notifications",
-					"org.freedesktop.FileManager1",
-					"org.freedesktop.ScreenSaver",
-					"org.freedesktop.secrets",
-					"org.kde.kwalletd5",
-					"org.kde.kwalletd6",
-					"org.gnome.SessionManager",
-				},
-				Own: []string{
-					"org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*",
-				},
-				Call: map[string]string{
-					"org.freedesktop.portal.*": "*",
-				},
-				Broadcast: map[string]string{
-					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
-				},
-				Filter: true,
-			}, "/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
-				Talk: []string{
-					"org.bluez",
-					"org.freedesktop.Avahi",
-					"org.freedesktop.UPower",
-				},
-				Filter: true,
-			}).
-			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
-			UpdatePerm("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		&sandbox.Params{
-			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
-			Dir:   "/home/chronos",
-			Path:  "/run/current-system/sw/bin/zsh",
-			Args:  []string{"zsh", "-c", "exec chromium "},
-			Env: []string{
-				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
-				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
-				"HOME=/home/chronos",
-				"PULSE_COOKIE=" + fst.Tmp + "/pulse-cookie",
-				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
-				"TERM=xterm-256color",
-				"USER=chronos",
-				"WAYLAND_DISPLAY=wayland-0",
-				"XDG_RUNTIME_DIR=/run/user/65534",
-				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_TYPE=tty",
-			},
-			Ops: new(sandbox.Ops).
-				Proc("/proc").
-				Tmpfs(fst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", sandbox.BindWritable).
-				Bind("/boot", "/boot", sandbox.BindWritable).
-				Bind("/home", "/home", sandbox.BindWritable).
-				Bind("/lib", "/lib", sandbox.BindWritable).
-				Bind("/lib64", "/lib64", sandbox.BindWritable).
-				Bind("/nix", "/nix", sandbox.BindWritable).
-				Bind("/root", "/root", sandbox.BindWritable).
-				Bind("/run", "/run", sandbox.BindWritable).
-				Bind("/srv", "/srv", sandbox.BindWritable).
-				Bind("/sys", "/sys", sandbox.BindWritable).
-				Bind("/usr", "/usr", sandbox.BindWritable).
-				Bind("/var", "/var", sandbox.BindWritable).
-				Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Bind("/etc", fst.Tmp+"/etc", 0).
-				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
-				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
-				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
-				Link(fst.Tmp+"/etc/dbus-1", "/etc/dbus-1").
-				Link(fst.Tmp+"/etc/default", "/etc/default").
-				Link(fst.Tmp+"/etc/ethertypes", "/etc/ethertypes").
-				Link(fst.Tmp+"/etc/fonts", "/etc/fonts").
-				Link(fst.Tmp+"/etc/fstab", "/etc/fstab").
-				Link(fst.Tmp+"/etc/fuse.conf", "/etc/fuse.conf").
-				Link(fst.Tmp+"/etc/host.conf", "/etc/host.conf").
-				Link(fst.Tmp+"/etc/hostid", "/etc/hostid").
-				Link(fst.Tmp+"/etc/hostname", "/etc/hostname").
-				Link(fst.Tmp+"/etc/hostname.CHECKSUM", "/etc/hostname.CHECKSUM").
-				Link(fst.Tmp+"/etc/hosts", "/etc/hosts").
-				Link(fst.Tmp+"/etc/inputrc", "/etc/inputrc").
-				Link(fst.Tmp+"/etc/ipsec.d", "/etc/ipsec.d").
-				Link(fst.Tmp+"/etc/issue", "/etc/issue").
-				Link(fst.Tmp+"/etc/kbd", "/etc/kbd").
-				Link(fst.Tmp+"/etc/libblockdev", "/etc/libblockdev").
-				Link(fst.Tmp+"/etc/locale.conf", "/etc/locale.conf").
-				Link(fst.Tmp+"/etc/localtime", "/etc/localtime").
-				Link(fst.Tmp+"/etc/login.defs", "/etc/login.defs").
-				Link(fst.Tmp+"/etc/lsb-release", "/etc/lsb-release").
-				Link(fst.Tmp+"/etc/lvm", "/etc/lvm").
-				Link(fst.Tmp+"/etc/machine-id", "/etc/machine-id").
-				Link(fst.Tmp+"/etc/man_db.conf", "/etc/man_db.conf").
-				Link(fst.Tmp+"/etc/modprobe.d", "/etc/modprobe.d").
-				Link(fst.Tmp+"/etc/modules-load.d", "/etc/modules-load.d").
-				Link("/proc/mounts", "/etc/mtab").
-				Link(fst.Tmp+"/etc/nanorc", "/etc/nanorc").
-				Link(fst.Tmp+"/etc/netgroup", "/etc/netgroup").
-				Link(fst.Tmp+"/etc/NetworkManager", "/etc/NetworkManager").
-				Link(fst.Tmp+"/etc/nix", "/etc/nix").
-				Link(fst.Tmp+"/etc/nixos", "/etc/nixos").
-				Link(fst.Tmp+"/etc/NIXOS", "/etc/NIXOS").
-				Link(fst.Tmp+"/etc/nscd.conf", "/etc/nscd.conf").
-				Link(fst.Tmp+"/etc/nsswitch.conf", "/etc/nsswitch.conf").
-				Link(fst.Tmp+"/etc/opensnitchd", "/etc/opensnitchd").
-				Link(fst.Tmp+"/etc/os-release", "/etc/os-release").
-				Link(fst.Tmp+"/etc/pam", "/etc/pam").
-				Link(fst.Tmp+"/etc/pam.d", "/etc/pam.d").
-				Link(fst.Tmp+"/etc/pipewire", "/etc/pipewire").
-				Link(fst.Tmp+"/etc/pki", "/etc/pki").
-				Link(fst.Tmp+"/etc/polkit-1", "/etc/polkit-1").
-				Link(fst.Tmp+"/etc/profile", "/etc/profile").
-				Link(fst.Tmp+"/etc/protocols", "/etc/protocols").
-				Link(fst.Tmp+"/etc/qemu", "/etc/qemu").
-				Link(fst.Tmp+"/etc/resolv.conf", "/etc/resolv.conf").
-				Link(fst.Tmp+"/etc/resolvconf.conf", "/etc/resolvconf.conf").
-				Link(fst.Tmp+"/etc/rpc", "/etc/rpc").
-				Link(fst.Tmp+"/etc/samba", "/etc/samba").
-				Link(fst.Tmp+"/etc/sddm.conf", "/etc/sddm.conf").
-				Link(fst.Tmp+"/etc/secureboot", "/etc/secureboot").
-				Link(fst.Tmp+"/etc/services", "/etc/services").
-				Link(fst.Tmp+"/etc/set-environment", "/etc/set-environment").
-				Link(fst.Tmp+"/etc/shadow", "/etc/shadow").
-				Link(fst.Tmp+"/etc/shells", "/etc/shells").
-				Link(fst.Tmp+"/etc/ssh", "/etc/ssh").
-				Link(fst.Tmp+"/etc/ssl", "/etc/ssl").
-				Link(fst.Tmp+"/etc/static", "/etc/static").
-				Link(fst.Tmp+"/etc/subgid", "/etc/subgid").
-				Link(fst.Tmp+"/etc/subuid", "/etc/subuid").
-				Link(fst.Tmp+"/etc/sudoers", "/etc/sudoers").
-				Link(fst.Tmp+"/etc/sysctl.d", "/etc/sysctl.d").
-				Link(fst.Tmp+"/etc/systemd", "/etc/systemd").
-				Link(fst.Tmp+"/etc/terminfo", "/etc/terminfo").
-				Link(fst.Tmp+"/etc/tmpfiles.d", "/etc/tmpfiles.d").
-				Link(fst.Tmp+"/etc/udev", "/etc/udev").
-				Link(fst.Tmp+"/etc/udisks2", "/etc/udisks2").
-				Link(fst.Tmp+"/etc/UPower", "/etc/UPower").
-				Link(fst.Tmp+"/etc/vconsole.conf", "/etc/vconsole.conf").
-				Link(fst.Tmp+"/etc/X11", "/etc/X11").
-				Link(fst.Tmp+"/etc/zfs", "/etc/zfs").
-				Link(fst.Tmp+"/etc/zinputrc", "/etc/zinputrc").
-				Link(fst.Tmp+"/etc/zoneinfo", "/etc/zoneinfo").
-				Link(fst.Tmp+"/etc/zprofile", "/etc/zprofile").
-				Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
-				Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
-				Tmpfs("/run/user", 4096, 0755).
-				Tmpfs("/run/user/65534", 8388608, 0700).
-				Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
-				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("fortify:x:65534:\n")).
-				Bind("/tmp/fortify.1971/wayland/ebf083d1b175911782d413369b64ce7c", "/run/user/65534/wayland-0", 0).
-				Bind("/run/user/1971/fortify/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
-				Place(fst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
-				Bind("/tmp/fortify.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Tmpfs("/var/run/nscd", 8192, 0755),
-		},
-	},
-}
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@ -1,148 +0,0 @@
-package app_test
-
-import (
-	"encoding/json"
-	"io/fs"
-	"reflect"
-	"testing"
-	"time"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/app"
-	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-type sealTestCase struct {
-	name          string
-	os            sys.State
-	config        *fst.Config
-	id            fst.ID
-	wantSys       *system.I
-	wantContainer *sandbox.Params
-}
-
-func TestApp(t *testing.T) {
-	testCases := append(testCasesPd, testCasesNixos...)
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			a := app.NewWithID(tc.id, tc.os)
-			var (
-				gotSys       *system.I
-				gotContainer *sandbox.Params
-			)
-			if !t.Run("seal", func(t *testing.T) {
-				if sa, err := a.Seal(tc.config); err != nil {
-					t.Errorf("Seal: error = %v", err)
-					return
-				} else {
-					gotSys, gotContainer = app.AppIParams(a, sa)
-				}
-			}) {
-				return
-			}
-
-			t.Run("compare sys", func(t *testing.T) {
-				if !gotSys.Equal(tc.wantSys) {
-					t.Errorf("Seal: sys = %#v, want %#v",
-						gotSys, tc.wantSys)
-				}
-			})
-
-			t.Run("compare params", func(t *testing.T) {
-				if !reflect.DeepEqual(gotContainer, tc.wantContainer) {
-					t.Errorf("seal: params =\n%s\n, want\n%s",
-						mustMarshal(gotContainer), mustMarshal(tc.wantContainer))
-				}
-			})
-		})
-	}
-}
-
-func mustMarshal(v any) string {
-	if b, err := json.Marshal(v); err != nil {
-		panic(err.Error())
-	} else {
-		return string(b)
-	}
-}
-
-func stubDirEntries(names ...string) (e []fs.DirEntry, err error) {
-	e = make([]fs.DirEntry, len(names))
-	for i, name := range names {
-		e[i] = stubDirEntryPath(name)
-	}
-	return
-}
-
-type stubDirEntryPath string
-
-func (p stubDirEntryPath) Name() string {
-	return string(p)
-}
-
-func (p stubDirEntryPath) IsDir() bool {
-	panic("attempted to call IsDir")
-}
-
-func (p stubDirEntryPath) Type() fs.FileMode {
-	panic("attempted to call Type")
-}
-
-func (p stubDirEntryPath) Info() (fs.FileInfo, error) {
-	panic("attempted to call Info")
-}
-
-type stubFileInfoMode fs.FileMode
-
-func (s stubFileInfoMode) Name() string {
-	panic("attempted to call Name")
-}
-
-func (s stubFileInfoMode) Size() int64 {
-	panic("attempted to call Size")
-}
-
-func (s stubFileInfoMode) Mode() fs.FileMode {
-	return fs.FileMode(s)
-}
-
-func (s stubFileInfoMode) ModTime() time.Time {
-	panic("attempted to call ModTime")
-}
-
-func (s stubFileInfoMode) IsDir() bool {
-	panic("attempted to call IsDir")
-}
-
-func (s stubFileInfoMode) Sys() any {
-	panic("attempted to call Sys")
-}
-
-type stubFileInfoIsDir bool
-
-func (s stubFileInfoIsDir) Name() string {
-	panic("attempted to call Name")
-}
-
-func (s stubFileInfoIsDir) Size() int64 {
-	panic("attempted to call Size")
-}
-
-func (s stubFileInfoIsDir) Mode() fs.FileMode {
-	panic("attempted to call Mode")
-}
-
-func (s stubFileInfoIsDir) ModTime() time.Time {
-	panic("attempted to call ModTime")
-}
-
-func (s stubFileInfoIsDir) IsDir() bool {
-	return bool(s)
-}
-
-func (s stubFileInfoIsDir) Sys() any {
-	panic("attempted to call Sys")
-}
--- a/internal/app/export_test.go
+++ b/internal/app/export_test.go
@ -1,24 +0,0 @@
-package app
-
-import (
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-func NewWithID(id fst.ID, os sys.State) fst.App {
-	a := new(app)
-	a.id = newID(&id)
-	a.sys = os
-	return a
-}
-
-func AppIParams(a fst.App, sa fst.SealedApp) (*system.I, *sandbox.Params) {
-	v := a.(*app)
-	seal := sa.(*outcome)
-	if v.outcome != seal || v.id != seal.id {
-		panic("broken app/outcome link")
-	}
-	return seal.sys, seal.container
-}
--- a/internal/app/id.go
+++ b/internal/app/id.go
@ -1,4 +1,4 @@
-package fst
+package app

 import (
 	"crypto/rand"
--- a/internal/app/id_test.go
+++ b/internal/app/id_test.go
@ -1,22 +1,22 @@
-package fst_test
+package app_test

 import (
 	"errors"
 	"testing"

-	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/hakurei/internal/app"
 )

 func TestParseAppID(t *testing.T) {
 	t.Run("bad length", func(t *testing.T) {
-		if err := fst.ParseAppID(new(fst.ID), "meow"); !errors.Is(err, fst.ErrInvalidLength) {
-			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, fst.ErrInvalidLength)
+		if err := ParseAppID(new(ID), "meow"); !errors.Is(err, ErrInvalidLength) {
+			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, ErrInvalidLength)
 		}
 	})

 	t.Run("bad byte", func(t *testing.T) {
 		wantErr := "invalid char '\\n' at byte 15"
-		if err := fst.ParseAppID(new(fst.ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
+		if err := ParseAppID(new(ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
 			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, wantErr)
 		}
 	})
@ -30,30 +30,30 @@ func TestParseAppID(t *testing.T) {

 func FuzzParseAppID(f *testing.F) {
 	for i := 0; i < 16; i++ {
-		id := new(fst.ID)
-		if err := fst.NewAppID(id); err != nil {
+		id := new(ID)
+		if err := NewAppID(id); err != nil {
 			panic(err.Error())
 		}
 		f.Add(id[0], id[1], id[2], id[3], id[4], id[5], id[6], id[7], id[8], id[9], id[10], id[11], id[12], id[13], id[14], id[15])
 	}

 	f.Fuzz(func(t *testing.T, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15 byte) {
-		testParseAppID(t, &fst.ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
+		testParseAppID(t, &ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
 	})
 }

 func testParseAppIDWithRandom(t *testing.T) {
-	id := new(fst.ID)
-	if err := fst.NewAppID(id); err != nil {
+	id := new(ID)
+	if err := NewAppID(id); err != nil {
 		t.Fatalf("cannot generate app ID: %v", err)
 	}
 	testParseAppID(t, id)
 }

-func testParseAppID(t *testing.T, id *fst.ID) {
+func testParseAppID(t *testing.T, id *ID) {
 	s := id.String()
-	got := new(fst.ID)
-	if err := fst.ParseAppID(got, s); err != nil {
+	got := new(ID)
+	if err := ParseAppID(got, s); err != nil {
 		t.Fatalf("cannot parse app ID: %v", err)
 	}

--- a/internal/app/instance/common/container.go
+++ b/internal/app/instance/common/container.go
@ -0,0 +1,189 @@
+package common
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"maps"
+	"path"
+	"syscall"
+
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+)
+
+// in practice there should be less than 30 entries added by the runtime;
+// allocating slightly more as a margin for future expansion
+const preallocateOpsCount = 1 << 5
+
+// NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
+// Note that remaining container setup must be queued by the caller.
+func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
+	if s == nil {
+		return nil, nil, syscall.EBADE
+	}
+
+	container := &sandbox.Params{
+		Hostname: s.Hostname,
+		Seccomp:  s.Seccomp,
+	}
+
+	{
+		ops := make(sandbox.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		container.Ops = &ops
+	}
+
+	if s.Multiarch {
+		container.Seccomp |= seccomp.FilterMultiarch
+	}
+
+	if s.Devel {
+		container.Flags |= sandbox.FAllowDevel
+	}
+	if s.Userns {
+		container.Flags |= sandbox.FAllowUserns
+	}
+	if s.Net {
+		container.Flags |= sandbox.FAllowNet
+	}
+	if s.Tty {
+		container.Flags |= sandbox.FAllowTTY
+	}
+
+	if s.MapRealUID {
+		/* some programs fail to connect to dbus session running as a different uid
+		so this workaround is introduced to map priv-side caller uid in container */
+		container.Uid = os.Getuid()
+		*uid = container.Uid
+		container.Gid = os.Getgid()
+		*gid = container.Gid
+	} else {
+		*uid = sandbox.OverflowUid()
+		*gid = sandbox.OverflowGid()
+	}
+
+	container.
+		Proc("/proc").
+		Tmpfs(hst.Tmp, 1<<12, 0755)
+
+	if !s.Device {
+		container.Dev("/dev").Mqueue("/dev/mqueue")
+	} else {
+		container.Bind("/dev", "/dev", sandbox.BindWritable|sandbox.BindDevice)
+	}
+
+	/* retrieve paths and hide them if they're made available in the sandbox;
+	this feature tries to improve user experience of permissive defaults, and
+	to warn about issues in custom configuration; it is NOT a security feature
+	and should not be treated as such, ALWAYS be careful with what you bind */
+	var hidePaths []string
+	sc := os.Paths()
+	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
+	_, systemBusAddr := dbus.Address()
+	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
+		return nil, nil, err
+	} else {
+		// there is usually only one, do not preallocate
+		for _, entry := range entries {
+			if entry.Method != "unix" {
+				continue
+			}
+			for _, pair := range entry.Values {
+				if pair[0] == "path" {
+					if path.IsAbs(pair[1]) {
+						// get parent dir of socket
+						dir := path.Dir(pair[1])
+						if dir == "." || dir == "/" {
+							os.Printf("dbus socket %q is in an unusual location", pair[1])
+						}
+						hidePaths = append(hidePaths, dir)
+					} else {
+						os.Printf("dbus socket %q is not absolute", pair[1])
+					}
+				}
+			}
+		}
+	}
+	hidePathMatch := make([]bool, len(hidePaths))
+	for i := range hidePaths {
+		if err := evalSymlinks(os, &hidePaths[i]); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	for _, c := range s.Filesystem {
+		if c == nil {
+			continue
+		}
+
+		if !path.IsAbs(c.Src) {
+			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
+		}
+
+		dest := c.Dst
+		if c.Dst == "" {
+			dest = c.Src
+		} else if !path.IsAbs(dest) {
+			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
+		}
+
+		srcH := c.Src
+		if err := evalSymlinks(os, &srcH); err != nil {
+			return nil, nil, err
+		}
+
+		for i := range hidePaths {
+			// skip matched entries
+			if hidePathMatch[i] {
+				continue
+			}
+
+			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
+				return nil, nil, err
+			} else if ok {
+				hidePathMatch[i] = true
+				os.Printf("hiding paths from %q", c.Src)
+			}
+		}
+
+		var flags int
+		if c.Write {
+			flags |= sandbox.BindWritable
+		}
+		if c.Device {
+			flags |= sandbox.BindDevice | sandbox.BindWritable
+		}
+		if !c.Must {
+			flags |= sandbox.BindOptional
+		}
+		container.Bind(c.Src, dest, flags)
+	}
+
+	// cover matched paths
+	for i, ok := range hidePathMatch {
+		if ok {
+			container.Tmpfs(hidePaths[i], 1<<13, 0755)
+		}
+	}
+
+	for _, l := range s.Link {
+		container.Link(l[0], l[1])
+	}
+
+	return container, maps.Clone(s.Env), nil
+}
+
+func evalSymlinks(os sys.State, v *string) error {
+	if p, err := os.EvalSymlinks(*v); err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return err
+		}
+		os.Printf("path %q does not yet exist", *v)
+	} else {
+		*v = p
+	}
+	return nil
+}
--- a/internal/app/instance/common/path.go
+++ b/internal/app/instance/common/path.go
@ -1,4 +1,4 @@
-package fst
+package common

 import (
 	"path/filepath"
--- a/internal/app/instance/common/path_test.go
+++ b/internal/app/instance/common/path_test.go
@ -1,4 +1,4 @@
-package fst
+package common

 import (
 	"testing"
--- a/internal/app/instance/errors.go
+++ b/internal/app/instance/errors.go
@ -0,0 +1,17 @@
+package instance
+
+import (
+	"syscall"
+
+	"git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/app/internal/setuid"
+)
+
+func PrintRunStateErr(whence int, rs *app.RunState, runErr error) (code int) {
+	switch whence {
+	case ISetuid:
+		return setuid.PrintRunStateErr(rs, runErr)
+	default:
+		panic(syscall.EINVAL)
+	}
+}
--- a/internal/app/instance/new.go
+++ b/internal/app/instance/new.go
@ -0,0 +1,33 @@
+// Package instance exposes cross-package implementation details and provides constructors for builtin implementations.
+package instance
+
+import (
+	"context"
+	"log"
+	"syscall"
+
+	"git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/app/internal/setuid"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+)
+
+const (
+	ISetuid = iota
+)
+
+func New(whence int, ctx context.Context, os sys.State) (app.App, error) {
+	switch whence {
+	case ISetuid:
+		return setuid.New(ctx, os)
+	default:
+		return nil, syscall.EINVAL
+	}
+}
+
+func MustNew(whence int, ctx context.Context, os sys.State) app.App {
+	a, err := New(whence, ctx, os)
+	if err != nil {
+		log.Fatalf("cannot create app: %v", err)
+	}
+	return a
+}
--- a/internal/app/instance/shim.go
+++ b/internal/app/instance/shim.go
@ -0,0 +1,6 @@
+package instance
+
+import "git.gensokyo.uk/security/hakurei/internal/app/internal/setuid"
+
+// ShimMain is the main function of the shim process and runs as the unconstrained target user.
+func ShimMain() { setuid.ShimMain() }
--- a/internal/app/internal/setuid/app.go
+++ b/internal/app/internal/setuid/app.go
@ -0,0 +1,74 @@
+package setuid
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"git.gensokyo.uk/security/hakurei/hst"
+	. "git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+)
+
+func New(ctx context.Context, os sys.State) (App, error) {
+	a := new(app)
+	a.sys = os
+	a.ctx = ctx
+
+	id := new(ID)
+	err := NewAppID(id)
+	a.id = newID(id)
+
+	return a, err
+}
+
+type app struct {
+	id  *stringPair[ID]
+	sys sys.State
+	ctx context.Context
+
+	*outcome
+	mu sync.RWMutex
+}
+
+func (a *app) ID() ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
+
+func (a *app) String() string {
+	if a == nil {
+		return "(invalid app)"
+	}
+
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	if a.outcome != nil {
+		if a.outcome.user.uid == nil {
+			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
+		}
+		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
+	}
+
+	return fmt.Sprintf("(unsealed app %s)", a.id)
+}
+
+func (a *app) Seal(config *hst.Config) (SealedApp, error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if a.outcome != nil {
+		panic("app sealed twice")
+	}
+	if config == nil {
+		return nil, hlog.WrapErr(ErrConfig,
+			"attempted to seal app with nil config")
+	}
+
+	seal := new(outcome)
+	seal.id = a.id
+	err := seal.finalise(a.ctx, a.sys, config)
+	if err == nil {
+		a.outcome = seal
+	}
+	return seal, err
+}
--- a/internal/app/internal/setuid/app_nixos_test.go
+++ b/internal/app/internal/setuid/app_nixos_test.go
@ -0,0 +1,147 @@
+package setuid_test
+
+import (
+	"git.gensokyo.uk/security/hakurei/acl"
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+var testCasesNixos = []sealTestCase{
+	{
+		"nixos chromium direct wayland", new(stubNixOS),
+		&hst.Config{
+			ID:          "org.chromium.Chromium",
+			Path:        "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Enablements: system.EWayland | system.EDBus | system.EPulse,
+
+			Container: &hst.ContainerConfig{
+				Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
+				Filesystem: []*hst.FilesystemConfig{
+					{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
+					{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
+					{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
+					{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
+				},
+				Cover: []string{"/var/run/nscd"},
+			},
+			SystemBus: &dbus.Config{
+				Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
+				Filter: true,
+			},
+			SessionBus: &dbus.Config{
+				Talk: []string{
+					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
+					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
+					"org.kde.kwalletd5", "org.kde.kwalletd6",
+				},
+				Own: []string{
+					"org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.chromium.*",
+				},
+				Call: map[string]string{}, Broadcast: map[string]string{},
+				Filter: true,
+			},
+			DirectWayland: true,
+
+			Username: "u0_a1",
+			Data:     "/var/lib/persist/module/hakurei/0/1",
+			Identity: 1, Groups: []string{},
+		},
+		app.ID{
+			0x8e, 0x2c, 0x76, 0xb0,
+			0x66, 0xda, 0xbe, 0x57,
+			0x4c, 0xf0, 0x73, 0xbd,
+			0xb4, 0x6e, 0xb5, 0xc1,
+		},
+		system.New(1000001).
+			Ensure("/tmp/hakurei.1971", 0711).
+			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
+			Ensure("/tmp/hakurei.1971/runtime/1", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/1", acl.Read, acl.Write, acl.Execute).
+			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/hakurei.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
+			Ensure("/run/user/1971/hakurei", 0700).UpdatePermType(system.User, "/run/user/1971/hakurei", acl.Execute).
+			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
+			Ephemeral(system.Process, "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
+			Link("/run/user/1971/pulse/native", "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
+			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
+			Ephemeral(system.Process, "/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
+			MustProxyDBus("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
+				Talk: []string{
+					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
+					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
+					"org.kde.kwalletd5", "org.kde.kwalletd6",
+				},
+				Own: []string{
+					"org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.chromium.*",
+				},
+				Call: map[string]string{}, Broadcast: map[string]string{},
+				Filter: true,
+			}, "/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", &dbus.Config{
+				Talk: []string{
+					"org.bluez",
+					"org.freedesktop.Avahi",
+					"org.freedesktop.UPower",
+				},
+				Filter: true,
+			}).
+			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
+			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
+		&sandbox.Params{
+			Uid:   1971,
+			Gid:   100,
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns,
+			Dir:   "/var/lib/persist/module/hakurei/0/1",
+			Path:  "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Args:  []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
+			Env: []string{
+				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
+				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
+				"HOME=/var/lib/persist/module/hakurei/0/1",
+				"PULSE_COOKIE=" + hst.Tmp + "/pulse-cookie",
+				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
+				"USER=u0_a1",
+				"WAYLAND_DISPLAY=wayland-0",
+				"XDG_RUNTIME_DIR=/run/user/1971",
+				"XDG_SESSION_CLASS=user",
+				"XDG_SESSION_TYPE=tty",
+			},
+			Ops: new(sandbox.Ops).
+				Proc("/proc").
+				Tmpfs(hst.Tmp, 4096, 0755).
+				Dev("/dev").Mqueue("/dev/mqueue").
+				Bind("/bin", "/bin", 0).
+				Bind("/usr/bin", "/usr/bin", 0).
+				Bind("/nix/store", "/nix/store", 0).
+				Bind("/run/current-system", "/run/current-system", 0).
+				Bind("/sys/block", "/sys/block", sandbox.BindOptional).
+				Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
+				Bind("/sys/class", "/sys/class", sandbox.BindOptional).
+				Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
+				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
+				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
+				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
+				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
+				Tmpfs("/run/user", 4096, 0755).
+				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
+				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", sandbox.BindWritable).
+				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
+				Place("/etc/group", []byte("hakurei:x:100:\n")).
+				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
+				Bind("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
+				Place(hst.Tmp+"/pulse-cookie", nil).
+				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
+				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
+				Tmpfs("/var/run/nscd", 8192, 0755),
+		},
+	},
+}
--- a/internal/app/internal/setuid/app_pd_test.go
+++ b/internal/app/internal/setuid/app_pd_test.go
@ -0,0 +1,220 @@
+package setuid_test
+
+import (
+	"os"
+
+	"git.gensokyo.uk/security/hakurei/acl"
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+var testCasesPd = []sealTestCase{
+	{
+		"nixos permissive defaults no enablements", new(stubNixOS),
+		&hst.Config{Username: "chronos", Data: "/home/chronos"},
+		app.ID{
+			0x4a, 0x45, 0x0b, 0x65,
+			0x96, 0xd7, 0xbc, 0x15,
+			0xbd, 0x01, 0x78, 0x0e,
+			0xb9, 0xa6, 0x07, 0xac,
+		},
+		system.New(1000000).
+			Ensure("/tmp/hakurei.1971", 0711).
+			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
+			Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
+			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
+		&sandbox.Params{
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
+			Dir:   "/home/chronos",
+			Path:  "/run/current-system/sw/bin/zsh",
+			Args:  []string{"/run/current-system/sw/bin/zsh"},
+			Env: []string{
+				"HOME=/home/chronos",
+				"SHELL=/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
+				"USER=chronos",
+				"XDG_RUNTIME_DIR=/run/user/65534",
+				"XDG_SESSION_CLASS=user",
+				"XDG_SESSION_TYPE=tty",
+			},
+			Ops: new(sandbox.Ops).
+				Proc("/proc").
+				Tmpfs(hst.Tmp, 4096, 0755).
+				Dev("/dev").Mqueue("/dev/mqueue").
+				Bind("/bin", "/bin", sandbox.BindWritable).
+				Bind("/boot", "/boot", sandbox.BindWritable).
+				Bind("/home", "/home", sandbox.BindWritable).
+				Bind("/lib", "/lib", sandbox.BindWritable).
+				Bind("/lib64", "/lib64", sandbox.BindWritable).
+				Bind("/nix", "/nix", sandbox.BindWritable).
+				Bind("/root", "/root", sandbox.BindWritable).
+				Bind("/run", "/run", sandbox.BindWritable).
+				Bind("/srv", "/srv", sandbox.BindWritable).
+				Bind("/sys", "/sys", sandbox.BindWritable).
+				Bind("/usr", "/usr", sandbox.BindWritable).
+				Bind("/var", "/var", sandbox.BindWritable).
+				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Tmpfs("/run/user/1971", 8192, 0755).
+				Tmpfs("/run/dbus", 8192, 0755).
+				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
+				Tmpfs("/run/user", 4096, 0755).
+				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
+				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place("/etc/group", []byte("hakurei:x:65534:\n")).
+				Tmpfs("/var/run/nscd", 8192, 0755),
+		},
+	},
+	{
+		"nixos permissive defaults chromium", new(stubNixOS),
+		&hst.Config{
+			ID:       "org.chromium.Chromium",
+			Args:     []string{"zsh", "-c", "exec chromium "},
+			Identity: 9,
+			Groups:   []string{"video"},
+			Username: "chronos",
+			Data:     "/home/chronos",
+			SessionBus: &dbus.Config{
+				Talk: []string{
+					"org.freedesktop.Notifications",
+					"org.freedesktop.FileManager1",
+					"org.freedesktop.ScreenSaver",
+					"org.freedesktop.secrets",
+					"org.kde.kwalletd5",
+					"org.kde.kwalletd6",
+					"org.gnome.SessionManager",
+				},
+				Own: []string{
+					"org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.chromium.*",
+				},
+				Call: map[string]string{
+					"org.freedesktop.portal.*": "*",
+				},
+				Broadcast: map[string]string{
+					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
+				},
+				Filter: true,
+			},
+			SystemBus: &dbus.Config{
+				Talk: []string{
+					"org.bluez",
+					"org.freedesktop.Avahi",
+					"org.freedesktop.UPower",
+				},
+				Filter: true,
+			},
+			Enablements: system.EWayland | system.EDBus | system.EPulse,
+		},
+		app.ID{
+			0xeb, 0xf0, 0x83, 0xd1,
+			0xb1, 0x75, 0x91, 0x17,
+			0x82, 0xd4, 0x13, 0x36,
+			0x9b, 0x64, 0xce, 0x7c,
+		},
+		system.New(1000009).
+			Ensure("/tmp/hakurei.1971", 0711).
+			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
+			Ensure("/tmp/hakurei.1971/runtime/9", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/9", acl.Read, acl.Write, acl.Execute).
+			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
+			Ensure("/tmp/hakurei.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
+			Ephemeral(system.Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c", 0711).
+			Wayland(new(*os.File), "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
+			Ensure("/run/user/1971/hakurei", 0700).UpdatePermType(system.User, "/run/user/1971/hakurei", acl.Execute).
+			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			Ephemeral(system.Process, "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c", acl.Execute).
+			Link("/run/user/1971/pulse/native", "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse").
+			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
+			MustProxyDBus("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
+				Talk: []string{
+					"org.freedesktop.Notifications",
+					"org.freedesktop.FileManager1",
+					"org.freedesktop.ScreenSaver",
+					"org.freedesktop.secrets",
+					"org.kde.kwalletd5",
+					"org.kde.kwalletd6",
+					"org.gnome.SessionManager",
+				},
+				Own: []string{
+					"org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+					"org.mpris.MediaPlayer2.chromium.*",
+				},
+				Call: map[string]string{
+					"org.freedesktop.portal.*": "*",
+				},
+				Broadcast: map[string]string{
+					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
+				},
+				Filter: true,
+			}, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
+				Talk: []string{
+					"org.bluez",
+					"org.freedesktop.Avahi",
+					"org.freedesktop.UPower",
+				},
+				Filter: true,
+			}).
+			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
+			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
+		&sandbox.Params{
+			Flags: sandbox.FAllowNet | sandbox.FAllowUserns | sandbox.FAllowTTY,
+			Dir:   "/home/chronos",
+			Path:  "/run/current-system/sw/bin/zsh",
+			Args:  []string{"zsh", "-c", "exec chromium "},
+			Env: []string{
+				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
+				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
+				"HOME=/home/chronos",
+				"PULSE_COOKIE=" + hst.Tmp + "/pulse-cookie",
+				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
+				"SHELL=/run/current-system/sw/bin/zsh",
+				"TERM=xterm-256color",
+				"USER=chronos",
+				"WAYLAND_DISPLAY=wayland-0",
+				"XDG_RUNTIME_DIR=/run/user/65534",
+				"XDG_SESSION_CLASS=user",
+				"XDG_SESSION_TYPE=tty",
+			},
+			Ops: new(sandbox.Ops).
+				Proc("/proc").
+				Tmpfs(hst.Tmp, 4096, 0755).
+				Dev("/dev").Mqueue("/dev/mqueue").
+				Bind("/bin", "/bin", sandbox.BindWritable).
+				Bind("/boot", "/boot", sandbox.BindWritable).
+				Bind("/home", "/home", sandbox.BindWritable).
+				Bind("/lib", "/lib", sandbox.BindWritable).
+				Bind("/lib64", "/lib64", sandbox.BindWritable).
+				Bind("/nix", "/nix", sandbox.BindWritable).
+				Bind("/root", "/root", sandbox.BindWritable).
+				Bind("/run", "/run", sandbox.BindWritable).
+				Bind("/srv", "/srv", sandbox.BindWritable).
+				Bind("/sys", "/sys", sandbox.BindWritable).
+				Bind("/usr", "/usr", sandbox.BindWritable).
+				Bind("/var", "/var", sandbox.BindWritable).
+				Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Tmpfs("/run/user/1971", 8192, 0755).
+				Tmpfs("/run/dbus", 8192, 0755).
+				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
+				Tmpfs("/run/user", 4096, 0755).
+				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
+				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place("/etc/group", []byte("hakurei:x:65534:\n")).
+				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
+				Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
+				Place(hst.Tmp+"/pulse-cookie", nil).
+				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
+				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
+				Tmpfs("/var/run/nscd", 8192, 0755),
+		},
+	},
+}
--- a/internal/app/internal/setuid/app_stub_test.go
+++ b/internal/app/internal/setuid/app_stub_test.go
@ -1,4 +1,4 @@
-package app_test
+package setuid_test

 import (
 	"fmt"
@ -7,7 +7,7 @@ import (
 	"os/user"
 	"strconv"

-	"git.gensokyo.uk/security/fortify/fst"
+	"git.gensokyo.uk/security/hakurei/internal/app"
 )

 // fs methods are not implemented using a real FS
@ -20,7 +20,7 @@ type stubNixOS struct {
 func (s *stubNixOS) Getuid() int                              { return 1971 }
 func (s *stubNixOS) Getgid() int                              { return 100 }
 func (s *stubNixOS) TempDir() string                          { return "/tmp" }
-func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/fortify" }
+func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/hakurei" }
 func (s *stubNixOS) Exit(code int)                            { panic("called exit on stub with code " + strconv.Itoa(code)) }
 func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
 func (s *stubNixOS) Uid(aid int) (int, error)                 { return 1000000 + 0*10000 + aid, nil }
@ -125,10 +125,10 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {
 	}
 }

-func (s *stubNixOS) Paths() fst.Paths {
-	return fst.Paths{
-		SharePath:   "/tmp/fortify.1971",
+func (s *stubNixOS) Paths() app.Paths {
+	return app.Paths{
+		SharePath:   "/tmp/hakurei.1971",
 		RuntimePath: "/run/user/1971",
-		RunDirPath:  "/run/user/1971/fortify",
+		RunDirPath:  "/run/user/1971/hakurei",
 	}
 }
--- a/internal/app/internal/setuid/app_test.go
+++ b/internal/app/internal/setuid/app_test.go
@ -0,0 +1,104 @@
+package setuid_test
+
+import (
+	"encoding/json"
+	"io/fs"
+	"reflect"
+	"testing"
+	"time"
+
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/app/internal/setuid"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+type sealTestCase struct {
+	name          string
+	os            sys.State
+	config        *hst.Config
+	id            app.ID
+	wantSys       *system.I
+	wantContainer *sandbox.Params
+}
+
+func TestApp(t *testing.T) {
+	testCases := append(testCasesPd, testCasesNixos...)
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			a := setuid.NewWithID(tc.id, tc.os)
+			var (
+				gotSys       *system.I
+				gotContainer *sandbox.Params
+			)
+			if !t.Run("seal", func(t *testing.T) {
+				if sa, err := a.Seal(tc.config); err != nil {
+					t.Errorf("Seal: error = %v", err)
+					return
+				} else {
+					gotSys, gotContainer = setuid.AppIParams(a, sa)
+				}
+			}) {
+				return
+			}
+
+			t.Run("compare sys", func(t *testing.T) {
+				if !gotSys.Equal(tc.wantSys) {
+					t.Errorf("Seal: sys = %#v, want %#v",
+						gotSys, tc.wantSys)
+				}
+			})
+
+			t.Run("compare params", func(t *testing.T) {
+				if !reflect.DeepEqual(gotContainer, tc.wantContainer) {
+					t.Errorf("seal: params =\n%s\n, want\n%s",
+						mustMarshal(gotContainer), mustMarshal(tc.wantContainer))
+				}
+			})
+		})
+	}
+}
+
+func mustMarshal(v any) string {
+	if b, err := json.Marshal(v); err != nil {
+		panic(err.Error())
+	} else {
+		return string(b)
+	}
+}
+
+func stubDirEntries(names ...string) (e []fs.DirEntry, err error) {
+	e = make([]fs.DirEntry, len(names))
+	for i, name := range names {
+		e[i] = stubDirEntryPath(name)
+	}
+	return
+}
+
+type stubDirEntryPath string
+
+func (p stubDirEntryPath) Name() string               { return string(p) }
+func (p stubDirEntryPath) IsDir() bool                { panic("attempted to call IsDir") }
+func (p stubDirEntryPath) Type() fs.FileMode          { panic("attempted to call Type") }
+func (p stubDirEntryPath) Info() (fs.FileInfo, error) { panic("attempted to call Info") }
+
+type stubFileInfoMode fs.FileMode
+
+func (s stubFileInfoMode) Name() string       { panic("attempted to call Name") }
+func (s stubFileInfoMode) Size() int64        { panic("attempted to call Size") }
+func (s stubFileInfoMode) Mode() fs.FileMode  { return fs.FileMode(s) }
+func (s stubFileInfoMode) ModTime() time.Time { panic("attempted to call ModTime") }
+func (s stubFileInfoMode) IsDir() bool        { panic("attempted to call IsDir") }
+func (s stubFileInfoMode) Sys() any           { panic("attempted to call Sys") }
+
+type stubFileInfoIsDir bool
+
+func (s stubFileInfoIsDir) Name() string       { panic("attempted to call Name") }
+func (s stubFileInfoIsDir) Size() int64        { panic("attempted to call Size") }
+func (s stubFileInfoIsDir) Mode() fs.FileMode  { panic("attempted to call Mode") }
+func (s stubFileInfoIsDir) ModTime() time.Time { panic("attempted to call ModTime") }
+func (s stubFileInfoIsDir) IsDir() bool        { return bool(s) }
+func (s stubFileInfoIsDir) Sys() any           { panic("attempted to call Sys") }
--- a/internal/app/internal/setuid/errors.go
+++ b/internal/app/internal/setuid/errors.go
@ -1,20 +1,22 @@
-package app
+package setuid

 import (
 	"errors"
 	"log"

-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	. "git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )

-func PrintRunStateErr(rs *fst.RunState, runErr error) {
+func PrintRunStateErr(rs *RunState, runErr error) (code int) {
+	code = rs.ExitStatus()
+
 	if runErr != nil {
 		if rs.Time == nil {
-			fmsg.PrintBaseError(runErr, "cannot start app:")
+			hlog.PrintBaseError(runErr, "cannot start app:")
 		} else {
-			var e *fmsg.BaseError
-			if !fmsg.AsBaseError(runErr, &e) {
+			var e *hlog.BaseError
+			if !hlog.AsBaseError(runErr, &e) {
 				log.Println("wait failed:", runErr)
 			} else {
 				// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
@ -35,7 +37,7 @@ func PrintRunStateErr(rs *fst.RunState, runErr error) {

 						// every error here is wrapped in *app.BaseError
 						for _, ei := range errs {
-							var eb *fmsg.BaseError
+							var eb *hlog.BaseError
 							if !errors.As(ei, &eb) {
 								// unreachable
 								log.Println("invalid error type returned by revert:", ei)
@ -49,15 +51,15 @@ func PrintRunStateErr(rs *fst.RunState, runErr error) {
 			}
 		}

-		if rs.ExitCode == 0 {
-			rs.ExitCode = 126
+		if code == 0 {
+			code = 126
 		}
 	}

 	if rs.RevertErr != nil {
 		var stateStoreError *StateStoreError
 		if !errors.As(rs.RevertErr, &stateStoreError) || stateStoreError == nil {
-			fmsg.PrintBaseError(rs.RevertErr, "generic fault during cleanup:")
+			hlog.PrintBaseError(rs.RevertErr, "generic fault during cleanup:")
 			goto out
 		}

@ -65,11 +67,11 @@ func PrintRunStateErr(rs *fst.RunState, runErr error) {
 			if len(stateStoreError.Err) == 2 {
 				if stateStoreError.Err[0] != nil {
 					if joinedErrs, ok := stateStoreError.Err[0].(interface{ Unwrap() []error }); !ok {
-						fmsg.PrintBaseError(stateStoreError.Err[0], "generic fault during revert:")
+						hlog.PrintBaseError(stateStoreError.Err[0], "generic fault during revert:")
 					} else {
 						for _, err := range joinedErrs.Unwrap() {
 							if err != nil {
-								fmsg.PrintBaseError(err, "fault during revert:")
+								hlog.PrintBaseError(err, "fault during revert:")
 							}
 						}
 					}
@ -89,21 +91,22 @@ func PrintRunStateErr(rs *fst.RunState, runErr error) {
 		}

 		if stateStoreError.DoErr != nil {
-			fmsg.PrintBaseError(stateStoreError.DoErr, "state store operation unsuccessful:")
+			hlog.PrintBaseError(stateStoreError.DoErr, "state store operation unsuccessful:")
 		}

 		if stateStoreError.Inner && stateStoreError.InnerErr != nil {
-			fmsg.PrintBaseError(stateStoreError.InnerErr, "cannot destroy state entry:")
+			hlog.PrintBaseError(stateStoreError.InnerErr, "cannot destroy state entry:")
 		}

 	out:
-		if rs.ExitCode == 0 {
-			rs.ExitCode = 128
+		if code == 0 {
+			code = 128
 		}
 	}
 	if rs.WaitErr != nil {
-		log.Println("inner wait failed:", rs.WaitErr)
+		hlog.Verbosef("wait: %v", rs.WaitErr)
 	}
+	return
 }

 // StateStoreError is returned for a failed state save
@ -121,7 +124,7 @@ type StateStoreError struct {
 }

 // save saves arbitrary errors in [StateStoreError] once.
-func (e *StateStoreError) save(errs []error) {
+func (e *StateStoreError) save(errs ...error) {
 	if len(errs) == 0 || e.Err != nil {
 		panic("invalid call to save")
 	}
@ -132,7 +135,7 @@ func (e *StateStoreError) equiv(a ...any) error {
 	if e.Inner && e.InnerErr == nil && e.DoErr == nil && e.OpErr == nil && errors.Join(e.Err...) == nil {
 		return nil
 	} else {
-		return fmsg.WrapErrorSuffix(e, a...)
+		return hlog.WrapErrSuffix(e, a...)
 	}
 }

--- a/internal/app/internal/setuid/export_test.go
+++ b/internal/app/internal/setuid/export_test.go
@ -0,0 +1,24 @@
+package setuid
+
+import (
+	. "git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+func NewWithID(id ID, os sys.State) App {
+	a := new(app)
+	a.id = newID(&id)
+	a.sys = os
+	return a
+}
+
+func AppIParams(a App, sa SealedApp) (*system.I, *sandbox.Params) {
+	v := a.(*app)
+	seal := sa.(*outcome)
+	if v.outcome != seal || v.id != seal.id {
+		panic("broken app/outcome link")
+	}
+	return seal.sys, seal.container
+}
--- a/internal/app/internal/setuid/process.go
+++ b/internal/app/internal/setuid/process.go
@ -0,0 +1,195 @@
+package setuid
+
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"log"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"git.gensokyo.uk/security/hakurei/internal"
+	. "git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/internal/state"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/system"
+)
+
+const shimWaitTimeout = 5 * time.Second
+
+func (seal *outcome) Run(rs *RunState) error {
+	if !seal.f.CompareAndSwap(false, true) {
+		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
+		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
+		// other Run a chance to return
+		return errors.New("outcome: attempted to run twice")
+	}
+
+	if rs == nil {
+		panic("invalid state")
+	}
+
+	// read comp value early to allow for early failure
+	hsuPath := internal.MustHsuPath()
+
+	if err := seal.sys.Commit(seal.ctx); err != nil {
+		return err
+	}
+	store := state.NewMulti(seal.runDirPath)
+	deferredStoreFunc := func(c state.Cursor) error { return nil } // noop until state in store
+	defer func() {
+		var revertErr error
+		storeErr := new(StateStoreError)
+		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
+			revertErr = func() error {
+				storeErr.InnerErr = deferredStoreFunc(c)
+
+				var rt system.Enablement
+				ec := system.Process
+				if states, err := c.Load(); err != nil {
+					// revert per-process state here to limit damage
+					storeErr.OpErr = err
+					return seal.sys.Revert((*system.Criteria)(&ec))
+				} else {
+					if l := len(states); l == 0 {
+						ec |= system.User
+					} else {
+						hlog.Verbosef("found %d instances, cleaning up without user-scoped operations", l)
+					}
+
+					// accumulate enablements of remaining launchers
+					for i, s := range states {
+						if s.Config != nil {
+							rt |= s.Config.Enablements
+						} else {
+							log.Printf("state entry %d does not contain config", i)
+						}
+					}
+				}
+				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
+				if hlog.Load() {
+					if ec > 0 {
+						hlog.Verbose("reverting operations scope", system.TypeString(ec))
+					}
+				}
+
+				return seal.sys.Revert((*system.Criteria)(&ec))
+			}()
+		})
+		storeErr.save(revertErr, store.Close())
+		rs.RevertErr = storeErr.equiv("error during cleanup:")
+	}()
+
+	ctx, cancel := context.WithCancel(seal.ctx)
+	defer cancel()
+	cmd := exec.CommandContext(ctx, hsuPath)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	cmd.Dir = "/" // container init enters final working directory
+	// shim runs in the same session as monitor; see shim.go for behaviour
+	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
+
+	var e *gob.Encoder
+	if fd, encoder, err := sandbox.Setup(&cmd.ExtraFiles); err != nil {
+		return hlog.WrapErrSuffix(err,
+			"cannot create shim setup pipe:")
+	} else {
+		e = encoder
+		cmd.Env = []string{
+			// passed through to shim by hsu
+			shimEnv + "=" + strconv.Itoa(fd),
+			// interpreted by hsu
+			"HAKUREI_APP_ID=" + seal.user.aid.String(),
+		}
+	}
+
+	if len(seal.user.supp) > 0 {
+		hlog.Verbosef("attaching supplementary group ids %s", seal.user.supp)
+		// interpreted by hsu
+		cmd.Env = append(cmd.Env, "HAKUREI_GROUPS="+strings.Join(seal.user.supp, " "))
+	}
+
+	hlog.Verbosef("setuid helper at %s", hsuPath)
+	hlog.Suspend()
+	if err := cmd.Start(); err != nil {
+		return hlog.WrapErrSuffix(err,
+			"cannot start setuid wrapper:")
+	}
+	rs.SetStart()
+
+	// this prevents blocking forever on an early failure
+	waitErr, setupErr := make(chan error, 1), make(chan error, 1)
+	go func() { waitErr <- cmd.Wait(); cancel() }()
+	go func() { setupErr <- e.Encode(&shimParams{os.Getpid(), seal.container, seal.user.data, hlog.Load()}) }()
+
+	select {
+	case err := <-setupErr:
+		if err != nil {
+			hlog.Resume()
+			return hlog.WrapErrSuffix(err,
+				"cannot transmit shim config:")
+		}
+
+	case <-ctx.Done():
+		hlog.Resume()
+		return hlog.WrapErr(syscall.ECANCELED,
+			"shim setup canceled")
+	}
+
+	// returned after blocking on waitErr
+	var earlyStoreErr = new(StateStoreError)
+	{
+		// shim accepted setup payload, create process state
+		sd := state.State{
+			ID:   seal.id.unwrap(),
+			PID:  cmd.Process.Pid,
+			Time: *rs.Time,
+		}
+		earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
+			earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
+		})
+	}
+
+	// state in store at this point, destroy defunct state entry on return
+	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
+
+	waitTimeout := make(chan struct{})
+	go func() { <-seal.ctx.Done(); time.Sleep(shimWaitTimeout); close(waitTimeout) }()
+
+	select {
+	case rs.WaitErr = <-waitErr:
+		rs.WaitStatus = cmd.ProcessState.Sys().(syscall.WaitStatus)
+		if hlog.Load() {
+			switch {
+			case rs.Exited():
+				hlog.Verbosef("process %d exited with code %d", cmd.Process.Pid, rs.ExitStatus())
+			case rs.CoreDump():
+				hlog.Verbosef("process %d dumped core", cmd.Process.Pid)
+			case rs.Signaled():
+				hlog.Verbosef("process %d got %s", cmd.Process.Pid, rs.Signal())
+			default:
+				hlog.Verbosef("process %d exited with status %#x", cmd.Process.Pid, rs.WaitStatus)
+			}
+		}
+	case <-waitTimeout:
+		rs.WaitErr = syscall.ETIMEDOUT
+		hlog.Resume()
+		log.Printf("process %d did not terminate", cmd.Process.Pid)
+	}
+
+	hlog.Resume()
+	if seal.sync != nil {
+		if err := seal.sync.Close(); err != nil {
+			log.Printf("cannot close wayland security context: %v", err)
+		}
+	}
+	if seal.dbusMsg != nil {
+		seal.dbusMsg()
+	}
+
+	return earlyStoreErr.equiv("cannot save process state:")
+}
--- a/internal/app/internal/setuid/seal.go
+++ b/internal/app/internal/setuid/seal.go
@ -1,4 +1,4 @@
-package app
+package setuid

 import (
 	"bytes"
@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"maps"
 	"os"
 	"path"
 	"regexp"
@ -17,15 +16,17 @@ import (
 	"sync/atomic"
 	"syscall"

-	"git.gensokyo.uk/security/fortify/acl"
-	"git.gensokyo.uk/security/fortify/dbus"
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/sys"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/sandbox/wl"
-	"git.gensokyo.uk/security/fortify/system"
+	"git.gensokyo.uk/security/hakurei/acl"
+	"git.gensokyo.uk/security/hakurei/dbus"
+	"git.gensokyo.uk/security/hakurei/hst"
+	"git.gensokyo.uk/security/hakurei/internal"
+	. "git.gensokyo.uk/security/hakurei/internal/app"
+	"git.gensokyo.uk/security/hakurei/internal/app/instance/common"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/internal/sys"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/wl"
+	"git.gensokyo.uk/security/hakurei/system"
 )

 const (
@ -62,20 +63,20 @@ var (

 var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")

-// outcome stores copies of various parts of [fst.Config]
+// outcome stores copies of various parts of [hst.Config]
 type outcome struct {
 	// copied from initialising [app]
-	id *stringPair[fst.ID]
+	id *stringPair[ID]
 	// copied from [sys.State] response
 	runDirPath string

-	// initial [fst.Config] gob stream for state data;
+	// initial [hst.Config] gob stream for state data;
 	// this is prepared ahead of time as config is clobbered during seal creation
 	ct io.WriterTo
 	// dump dbus proxy message buffer
 	dbusMsg func()

-	user fsuUser
+	user hsuUser
 	sys  *system.I
 	ctx  context.Context

@ -86,8 +87,55 @@ type outcome struct {
 	f atomic.Bool
 }

-// fsuUser stores post-fsu credentials and metadata
-type fsuUser struct {
+// shareHost holds optional share directory state that must not be accessed directly
+type shareHost struct {
+	// whether XDG_RUNTIME_DIR is used post hsu
+	useRuntimeDir bool
+	// process-specific directory in tmpdir, empty if unused
+	sharePath string
+	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
+	runtimeSharePath string
+
+	seal *outcome
+	sc   Paths
+}
+
+// ensureRuntimeDir must be called if direct access to paths within XDG_RUNTIME_DIR is required
+func (share *shareHost) ensureRuntimeDir() {
+	if share.useRuntimeDir {
+		return
+	}
+	share.useRuntimeDir = true
+	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
+	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
+	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
+	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
+}
+
+// instance returns a process-specific share path within tmpdir
+func (share *shareHost) instance() string {
+	if share.sharePath != "" {
+		return share.sharePath
+	}
+	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
+	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
+	return share.sharePath
+}
+
+// runtime returns a process-specific share path within XDG_RUNTIME_DIR
+func (share *shareHost) runtime() string {
+	if share.runtimeSharePath != "" {
+		return share.runtimeSharePath
+	}
+	share.ensureRuntimeDir()
+	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
+	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
+	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
+	return share.runtimeSharePath
+}
+
+// hsuUser stores post-hsu credentials and metadata
+type hsuUser struct {
 	// application id
 	aid *stringPair[int]
 	// target uid resolved by fid:aid
@ -104,52 +152,43 @@ type fsuUser struct {
 	username string
 }

-func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Config) error {
+func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Config) error {
 	if seal.ctx != nil {
 		panic("finalise called twice")
 	}
 	seal.ctx = ctx

-	shellPath := "/bin/sh"
-	if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
-		shellPath = s
-	}
-
 	{
 		// encode initial configuration for state tracking
 		ct := new(bytes.Buffer)
 		if err := gob.NewEncoder(ct).Encode(config); err != nil {
-			return fmsg.WrapErrorSuffix(err,
+			return hlog.WrapErrSuffix(err,
 				"cannot encode initial config:")
 		}
 		seal.ct = ct
 	}

-	// allowed aid range 0 to 9999, this is checked again in fsu
-	if config.Confinement.AppID < 0 || config.Confinement.AppID > 9999 {
-		return fmsg.WrapError(ErrUser,
-			fmt.Sprintf("aid %d out of range", config.Confinement.AppID))
+	// allowed aid range 0 to 9999, this is checked again in hsu
+	if config.Identity < 0 || config.Identity > 9999 {
+		return hlog.WrapErr(ErrUser,
+			fmt.Sprintf("identity %d out of range", config.Identity))
 	}

-	/*
-		Resolve post-fsu user state
-	*/
-
-	seal.user = fsuUser{
-		aid:      newInt(config.Confinement.AppID),
-		data:     config.Confinement.Outer,
-		home:     config.Confinement.Inner,
-		username: config.Confinement.Username,
+	seal.user = hsuUser{
+		aid:      newInt(config.Identity),
+		data:     config.Data,
+		home:     config.Dir,
+		username: config.Username,
 	}
 	if seal.user.username == "" {
 		seal.user.username = "chronos"
 	} else if !posixUsername.MatchString(seal.user.username) ||
 		len(seal.user.username) >= internal.Sysconf_SC_LOGIN_NAME_MAX() {
-		return fmsg.WrapError(ErrName,
+		return hlog.WrapErr(ErrName,
 			fmt.Sprintf("invalid user name %q", seal.user.username))
 	}
 	if seal.user.data == "" || !path.IsAbs(seal.user.data) {
-		return fmsg.WrapError(ErrHome,
+		return hlog.WrapErr(ErrHome,
 			fmt.Sprintf("invalid home directory %q", seal.user.data))
 	}
 	if seal.user.home == "" {
@ -160,38 +199,43 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 	} else {
 		seal.user.uid = newInt(u)
 	}
-	seal.user.supp = make([]string, len(config.Confinement.Groups))
-	for i, name := range config.Confinement.Groups {
+	seal.user.supp = make([]string, len(config.Groups))
+	for i, name := range config.Groups {
 		if g, err := sys.LookupGroup(name); err != nil {
-			return fmsg.WrapError(err,
+			return hlog.WrapErr(err,
 				fmt.Sprintf("unknown group %q", name))
 		} else {
 			seal.user.supp[i] = g.Gid
 		}
 	}

-	/*
-		Resolve initial container state
-	*/
+	// this also falls back to host path if encountering an invalid path
+	if !path.IsAbs(config.Shell) {
+		config.Shell = "/bin/sh"
+		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
+			config.Shell = s
+		}
+	}
+	// do not use the value of shell before this point

 	// permissive defaults
-	if config.Confinement.Sandbox == nil {
-		fmsg.Verbose("sandbox configuration not supplied, PROCEED WITH CAUTION")
+	if config.Container == nil {
+		hlog.Verbose("container configuration not supplied, PROCEED WITH CAUTION")

-		// fsu clears the environment so resolve paths early
+		// hsu clears the environment so resolve paths early
 		if !path.IsAbs(config.Path) {
 			if len(config.Args) > 0 {
 				if p, err := sys.LookPath(config.Args[0]); err != nil {
-					return fmsg.WrapError(err, err.Error())
+					return hlog.WrapErr(err, err.Error())
 				} else {
 					config.Path = p
 				}
 			} else {
-				config.Path = shellPath
+				config.Path = config.Shell
 			}
 		}

-		conf := &fst.SandboxConfig{
+		conf := &hst.ContainerConfig{
 			Userns:  true,
 			Net:     true,
 			Tty:     true,
@ -201,7 +245,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		if d, err := sys.ReadDir("/"); err != nil {
 			return err
 		} else {
-			b := make([]*fst.FilesystemConfig, 0, len(d))
+			b := make([]*hst.FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				p := "/" + ent.Name()
 				switch p {
@ -212,7 +256,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 				case "/etc":

 				default:
-					b = append(b, &fst.FilesystemConfig{Src: p, Write: true, Must: true})
+					b = append(b, &hst.FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
@ -224,26 +268,26 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 			conf.Cover = append(conf.Cover, nscd)
 		}
 		// bind GPU stuff
-		if config.Confinement.Enablements&(system.EX11|system.EWayland) != 0 {
-			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
+		if config.Enablements&(system.EX11|system.EWayland) != 0 {
+			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}
 		// opportunistically bind kvm
-		conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
+		conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/kvm", Device: true})

-		config.Confinement.Sandbox = conf
+		config.Container = conf
 	}

 	var mapuid, mapgid *stringPair[int]
 	{
 		var uid, gid int
 		var err error
-		seal.container, seal.env, err = config.Confinement.Sandbox.ToContainer(sys, &uid, &gid)
+		seal.container, seal.env, err = common.NewContainer(config.Container, sys, &uid, &gid)
 		if err != nil {
-			return fmsg.WrapErrorSuffix(err,
+			return hlog.WrapErrSuffix(err,
 				"cannot initialise container configuration:")
 		}
 		if !path.IsAbs(config.Path) {
-			return fmsg.WrapError(syscall.EINVAL,
+			return hlog.WrapErr(syscall.EINVAL,
 				"invalid program path")
 		}
 		if len(config.Args) == 0 {
@ -255,97 +299,89 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		mapuid = newInt(uid)
 		mapgid = newInt(gid)
 		if seal.env == nil {
-			seal.env = make(map[string]string)
+			seal.env = make(map[string]string, 1<<6)
 		}
 	}

-	/*
-		Initialise externals
-	*/
+	if !config.Container.AutoEtc {
+		if config.Container.Etc != "" {
+			seal.container.Bind(config.Container.Etc, "/etc", 0)
+		}
+	} else {
+		etcPath := config.Container.Etc
+		if etcPath == "" {
+			etcPath = "/etc"
+		}
+		seal.container.Etc(etcPath, seal.id.String())
+	}

-	sc := sys.Paths()
-	seal.runDirPath = sc.RunDirPath
-	seal.sys = system.New(seal.user.uid.unwrap())
-
-	/*
-		Work directories
-	*/
-
-	// base fortify share path
-	seal.sys.Ensure(sc.SharePath, 0711)
-
-	// outer paths used by the main process
-	seal.sys.Ensure(sc.RunDirPath, 0700)
-	seal.sys.UpdatePermType(system.User, sc.RunDirPath, acl.Execute)
-	seal.sys.Ensure(sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
-	seal.sys.UpdatePermType(system.User, sc.RuntimePath, acl.Execute)
-
-	// outer process-specific share directory
-	sharePath := path.Join(sc.SharePath, seal.id.String())
-	seal.sys.Ephemeral(system.Process, sharePath, 0711)
-	// similar to share but within XDG_RUNTIME_DIR
-	sharePathLocal := path.Join(sc.RunDirPath, seal.id.String())
-	seal.sys.Ephemeral(system.Process, sharePathLocal, 0700)
-	seal.sys.UpdatePerm(sharePathLocal, acl.Execute)
-
-	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as post-fsu user
+	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
 	innerRuntimeDir := path.Join("/run/user", mapuid.String())
-	seal.container.Tmpfs("/run/user", 1<<12, 0755)
-	seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)
 	seal.env[xdgRuntimeDir] = innerRuntimeDir
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"

-	// outer path for inner /tmp
+	share := &shareHost{seal: seal, sc: sys.Paths()}
+	seal.runDirPath = share.sc.RunDirPath
+	seal.sys = system.New(seal.user.uid.unwrap())
+	seal.sys.Ensure(share.sc.SharePath, 0711)
+
 	{
-		tmpdir := path.Join(sc.SharePath, "tmpdir")
+		runtimeDir := path.Join(share.sc.SharePath, "runtime")
+		seal.sys.Ensure(runtimeDir, 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
+		runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
+		seal.sys.Ensure(runtimeDirInst, 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
+		seal.container.Tmpfs("/run/user", 1<<12, 0755)
+		seal.container.Bind(runtimeDirInst, innerRuntimeDir, sandbox.BindWritable)
+	}
+
+	{
+		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
 		seal.sys.Ensure(tmpdir, 0700)
 		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
 		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
+		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
 		seal.container.Bind(tmpdirInst, "/tmp", sandbox.BindWritable)
 	}

-	/*
-		Passwd database
-	*/
+	{
+		homeDir := "/var/empty"
+		if seal.user.home != "" {
+			homeDir = seal.user.home
+		}
+		username := "chronos"
+		if seal.user.username != "" {
+			username = seal.user.username
+		}
+		seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
+		seal.container.Dir = homeDir
+		seal.env["HOME"] = homeDir
+		seal.env["USER"] = username
+		seal.env[shell] = config.Shell

-	homeDir := "/var/empty"
-	if seal.user.home != "" {
-		homeDir = seal.user.home
+		seal.container.Place("/etc/passwd",
+			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+homeDir+":"+config.Shell+"\n"))
+		seal.container.Place("/etc/group",
+			[]byte("hakurei:x:"+mapgid.String()+":\n"))
 	}
-	username := "chronos"
-	if seal.user.username != "" {
-		username = seal.user.username
-	}
-	seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
-	seal.container.Dir = homeDir
-	seal.env["HOME"] = homeDir
-	seal.env["USER"] = username

-	seal.container.Place("/etc/passwd",
-		[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Fortify:"+homeDir+":"+shellPath+"\n"))
-	seal.container.Place("/etc/group",
-		[]byte("fortify:x:"+mapgid.String()+":\n"))
-
-	/*
-		Display servers
-	*/
-
-	// pass $TERM for proper terminal I/O in shell
+	// pass TERM for proper terminal I/O in initial process
 	if t, ok := sys.LookupEnv(term); ok {
 		seal.env[term] = t
 	}

-	if config.Confinement.Enablements&system.EWayland != 0 {
+	if config.Enablements&system.EWayland != 0 {
 		// outer wayland socket (usually `/run/user/%d/wayland-%d`)
 		var socketPath string
 		if name, ok := sys.LookupEnv(wl.WaylandDisplay); !ok {
-			fmsg.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
-			socketPath = path.Join(sc.RuntimePath, wl.FallbackName)
+			hlog.Verbose(wl.WaylandDisplay + " is not set, assuming " + wl.FallbackName)
+			socketPath = path.Join(share.sc.RuntimePath, wl.FallbackName)
 		} else if !path.IsAbs(name) {
-			socketPath = path.Join(sc.RuntimePath, name)
+			socketPath = path.Join(share.sc.RuntimePath, name)
 		} else {
 			socketPath = name
 		}
@ -353,27 +389,27 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		innerPath := path.Join(innerRuntimeDir, wl.FallbackName)
 		seal.env[wl.WaylandDisplay] = wl.FallbackName

-		if !config.Confinement.Sandbox.DirectWayland { // set up security-context-v1
-			socketDir := path.Join(sc.SharePath, "wayland")
-			outerPath := path.Join(socketDir, seal.id.String())
-			seal.sys.Ensure(socketDir, 0711)
+		if !config.DirectWayland { // set up security-context-v1
 			appID := config.ID
 			if appID == "" {
 				// use instance ID in case app id is not set
-				appID = "uk.gensokyo.fortify." + seal.id.String()
+				appID = "uk.gensokyo.hakurei." + seal.id.String()
 			}
+			// downstream socket paths
+			outerPath := path.Join(share.instance(), "wayland")
 			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
 			seal.container.Bind(outerPath, innerPath, 0)
 		} else { // bind mount wayland socket (insecure)
-			fmsg.Verbose("direct wayland access, PROCEED WITH CAUTION")
+			hlog.Verbose("direct wayland access, PROCEED WITH CAUTION")
+			share.ensureRuntimeDir()
 			seal.container.Bind(socketPath, innerPath, 0)
 			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
 		}
 	}

-	if config.Confinement.Enablements&system.EX11 != 0 {
+	if config.Enablements&system.EX11 != 0 {
 		if d, ok := sys.LookupEnv(display); !ok {
-			return fmsg.WrapError(ErrXDisplay,
+			return hlog.WrapErr(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
 			seal.sys.ChangeHosts("#" + seal.user.uid.String())
@ -382,41 +418,37 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}

-	/*
-		PulseAudio server and authentication
-	*/
-
-	if config.Confinement.Enablements&system.EPulse != 0 {
+	if config.Enablements&system.EPulse != 0 {
 		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
-		pulseRuntimeDir := path.Join(sc.RuntimePath, "pulse")
+		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
 		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
 		pulseSocket := path.Join(pulseRuntimeDir, "native")

 		if _, err := sys.Stat(pulseRuntimeDir); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
-				return fmsg.WrapErrorSuffix(err,
+				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
 			}
-			return fmsg.WrapError(ErrPulseSocket,
+			return hlog.WrapErr(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
 		}

 		if s, err := sys.Stat(pulseSocket); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
-				return fmsg.WrapErrorSuffix(err,
+				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
 			}
-			return fmsg.WrapError(ErrPulseSocket,
+			return hlog.WrapErr(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pulseRuntimeDir))
 		} else {
 			if m := s.Mode(); m&0o006 != 0o006 {
-				return fmsg.WrapError(ErrPulseMode,
+				return hlog.WrapErr(ErrPulseMode,
 					fmt.Sprintf("unexpected permissions on %q:", pulseSocket), m)
 			}
 		}

 		// hard link pulse socket into target-executable share
-		innerPulseRuntimeDir := path.Join(sharePathLocal, "pulse")
+		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
 		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
 		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
 		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
@ -425,9 +457,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(sys); err != nil {
 			// not fatal
-			fmsg.Verbose(strings.TrimSpace(err.(*fmsg.BaseError).Message()))
+			hlog.Verbose(strings.TrimSpace(err.(*hlog.BaseError).Message()))
 		} else {
-			innerDst := fst.Tmp + "/pulse-cookie"
+			innerDst := hst.Tmp + "/pulse-cookie"
 			seal.env[pulseCookie] = innerDst
 			var payload *[]byte
 			seal.container.PlaceP(innerDst, &payload)
@ -435,22 +467,19 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}

-	/*
-		D-Bus proxy
-	*/
-
-	if config.Confinement.Enablements&system.EDBus != 0 {
+	if config.Enablements&system.EDBus != 0 {
 		// ensure dbus session bus defaults
-		if config.Confinement.SessionBus == nil {
-			config.Confinement.SessionBus = dbus.NewConfig(config.ID, true, true)
+		if config.SessionBus == nil {
+			config.SessionBus = dbus.NewConfig(config.ID, true, true)
 		}

 		// downstream socket paths
+		sharePath := share.instance()
 		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")

 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(
-			config.Confinement.SessionBus, config.Confinement.SystemBus,
+			config.SessionBus, config.SystemBus,
 			sessionPath, systemPath,
 		); err != nil {
 			return err
@ -463,7 +492,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner
 		seal.container.Bind(sessionPath, sessionInner, 0)
 		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
-		if config.Confinement.SystemBus != nil {
+		if config.SystemBus != nil {
 			systemInner := "/run/dbus/system_bus_socket"
 			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner
 			seal.container.Bind(systemPath, systemInner, 0)
@ -471,16 +500,12 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 		}
 	}

-	/*
-		Miscellaneous
-	*/
-
-	for _, dest := range config.Confinement.Sandbox.Cover {
+	for _, dest := range config.Container.Cover {
 		seal.container.Tmpfs(dest, 1<<13, 0755)
 	}

 	// append ExtraPerms last
-	for _, p := range config.Confinement.ExtraPerms {
+	for _, p := range config.ExtraPerms {
 		if p == nil {
 			continue
 		}
@ -504,11 +529,19 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co

 	// flatten and sort env for deterministic behaviour
 	seal.container.Env = make([]string, 0, len(seal.env))
-	maps.All(seal.env)(func(k string, v string) bool { seal.container.Env = append(seal.container.Env, k+"="+v); return true })
+	for k, v := range seal.env {
+		if strings.IndexByte(k, '=') != -1 {
+			return hlog.WrapErr(syscall.EINVAL,
+				fmt.Sprintf("invalid environment variable %s", k))
+		}
+		seal.container.Env = append(seal.container.Env, k+"="+v)
+	}
 	slices.Sort(seal.container.Env)

-	fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s",
-		seal.user.uid, seal.user.username, config.Confinement.Groups, seal.container.Args)
+	if hlog.Load() {
+		hlog.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s, ops: %d",
+			seal.user.uid, seal.user.username, config.Groups, seal.container.Args, len(*seal.container.Ops))
+	}

 	return nil
 }
@ -524,7 +557,7 @@ func discoverPulseCookie(sys sys.State) (string, error) {
 		p = path.Join(p, ".pulse-cookie")
 		if s, err := sys.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
-				return p, fmsg.WrapErrorSuffix(err,
+				return p, hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
@ -538,7 +571,7 @@ func discoverPulseCookie(sys sys.State) (string, error) {
 		p = path.Join(p, "pulse", "cookie")
 		if s, err := sys.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
-				return p, fmsg.WrapErrorSuffix(err,
+				return p, hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
@ -547,7 +580,7 @@ func discoverPulseCookie(sys sys.State) (string, error) {
 		}
 	}

-	return "", fmsg.WrapError(ErrPulseCookie,
+	return "", hlog.WrapErr(ErrPulseCookie,
 		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
 			pulseCookie, xdgConfigHome, home))
 }
--- a/internal/app/internal/setuid/shim.go
+++ b/internal/app/internal/setuid/shim.go
@ -0,0 +1,181 @@
+package setuid
+
+import (
+	"context"
+	"errors"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"git.gensokyo.uk/security/hakurei/internal"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+)
+
+/*
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <signal.h>
+
+static pid_t hakurei_shim_param_ppid = -1;
+
+// this cannot unblock hlog since Go code is not async-signal-safe
+static void hakurei_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
+  if (sig != SIGCONT || si == NULL) {
+    // unreachable
+    fprintf(stderr, "sigaction: sa_sigaction got invalid siginfo\n");
+    return;
+  }
+
+  // monitor requests shim exit
+  if (si->si_pid == hakurei_shim_param_ppid)
+    exit(254);
+
+  fprintf(stderr, "sigaction: got SIGCONT from process %d\n", si->si_pid);
+
+  // shim orphaned before monitor delivers a signal
+  if (getppid() != hakurei_shim_param_ppid)
+    exit(3);
+}
+
+void hakurei_shim_setup_cont_signal(pid_t ppid) {
+  struct sigaction new_action = {0}, old_action = {0};
+  if (sigaction(SIGCONT, NULL, &old_action) != 0)
+    return;
+  if (old_action.sa_handler != SIG_DFL) {
+    errno = ENOTRECOVERABLE;
+    return;
+  }
+
+  new_action.sa_sigaction = hakurei_shim_sigaction;
+  if (sigemptyset(&new_action.sa_mask) != 0)
+    return;
+  new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
+
+  if (sigaction(SIGCONT, &new_action, NULL) != 0)
+    return;
+
+  errno = 0;
+  hakurei_shim_param_ppid = ppid;
+}
+*/
+import "C"
+
+const shimEnv = "HAKUREI_SHIM"
+
+type shimParams struct {
+	// monitor pid, checked against ppid in signal handler
+	Monitor int
+
+	// finalised container params
+	Container *sandbox.Params
+	// path to outer home directory
+	Home string
+
+	// verbosity pass through
+	Verbose bool
+}
+
+// ShimMain is the main function of the shim process and runs as the unconstrained target user.
+func ShimMain() {
+	hlog.Prepare("shim")
+
+	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
+	}
+
+	var (
+		params     shimParams
+		closeSetup func() error
+	)
+	if f, err := sandbox.Receive(shimEnv, &params, nil); err != nil {
+		if errors.Is(err, sandbox.ErrInvalid) {
+			log.Fatal("invalid config descriptor")
+		}
+		if errors.Is(err, sandbox.ErrNotSet) {
+			log.Fatal("HAKUREI_SHIM not set")
+		}
+
+		log.Fatalf("cannot receive shim setup params: %v", err)
+	} else {
+		internal.InstallFmsg(params.Verbose)
+		closeSetup = f
+
+		// the Go runtime does not expose siginfo_t so SIGCONT is handled in C to check si_pid
+		if _, err = C.hakurei_shim_setup_cont_signal(C.pid_t(params.Monitor)); err != nil {
+			log.Fatalf("cannot install SIGCONT handler: %v", err)
+		}
+
+		// pdeath_signal delivery is checked as if the dying process called kill(2), see kernel/exit.c
+		if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGCONT), 0); errno != 0 {
+			log.Fatalf("cannot set parent-death signal: %v", errno)
+		}
+	}
+
+	if params.Container == nil || params.Container.Ops == nil {
+		log.Fatal("invalid container params")
+	}
+
+	// close setup socket
+	if err := closeSetup(); err != nil {
+		log.Printf("cannot close setup pipe: %v", err)
+		// not fatal
+	}
+
+	// ensure home directory as target user
+	if s, err := os.Stat(params.Home); err != nil {
+		if os.IsNotExist(err) {
+			if err = os.Mkdir(params.Home, 0700); err != nil {
+				log.Fatalf("cannot create home directory: %v", err)
+			}
+		} else {
+			log.Fatalf("cannot access home directory: %v", err)
+		}
+
+		// home directory is created, proceed
+	} else if !s.IsDir() {
+		log.Fatalf("path %q is not a directory", params.Home)
+	}
+
+	var name string
+	if len(params.Container.Args) > 0 {
+		name = params.Container.Args[0]
+	}
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop() // unreachable
+	container := sandbox.New(ctx, name)
+	container.Params = *params.Container
+	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
+	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
+	container.WaitDelay = 2 * time.Second
+
+	if err := container.Start(); err != nil {
+		hlog.PrintBaseError(err, "cannot start container:")
+		os.Exit(1)
+	}
+	if err := container.Serve(); err != nil {
+		hlog.PrintBaseError(err, "cannot configure container:")
+	}
+
+	if err := seccomp.Load(seccomp.PresetCommon); err != nil {
+		log.Fatalf("cannot load syscall filter: %v", err)
+	}
+
+	if err := container.Wait(); err != nil {
+		var exitError *exec.ExitError
+		if !errors.As(err, &exitError) {
+			if errors.Is(err, context.Canceled) {
+				os.Exit(2)
+			}
+			log.Printf("wait: %v", err)
+			os.Exit(127)
+		}
+		os.Exit(exitError.ExitCode())
+	}
+}
--- a/internal/app/internal/setuid/strings.go
+++ b/internal/app/internal/setuid/strings.go
@ -1,13 +1,13 @@
-package app
+package setuid

 import (
 	"strconv"

-	"git.gensokyo.uk/security/fortify/fst"
+	. "git.gensokyo.uk/security/hakurei/internal/app"
 )

-func newInt(v int) *stringPair[int]        { return &stringPair[int]{v, strconv.Itoa(v)} }
-func newID(id *fst.ID) *stringPair[fst.ID] { return &stringPair[fst.ID]{*id, id.String()} }
+func newInt(v int) *stringPair[int] { return &stringPair[int]{v, strconv.Itoa(v)} }
+func newID(id *ID) *stringPair[ID]  { return &stringPair[ID]{*id, id.String()} }

 // stringPair stores a value and its string representation.
 type stringPair[T comparable] struct {
--- a/internal/app/process.go
+++ b/internal/app/process.go
@ -1,180 +0,0 @@
-package app
-
-import (
-	"context"
-	"errors"
-	"log"
-	"os/exec"
-	"time"
-
-	"git.gensokyo.uk/security/fortify/fst"
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/internal/state"
-	"git.gensokyo.uk/security/fortify/system"
-)
-
-const shimSetupTimeout = 5 * time.Second
-
-func (seal *outcome) Run(rs *fst.RunState) error {
-	if !seal.f.CompareAndSwap(false, true) {
-		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
-		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
-		// other Run a chance to return
-		panic("attempted to run twice")
-	}
-
-	if rs == nil {
-		panic("invalid state")
-	}
-
-	// read comp values early to allow for early failure
-	fmsg.Verbosef("version %s", internal.Version())
-	fmsg.Verbosef("setuid helper at %s", internal.MustFsuPath())
-
-	/*
-		prepare/revert os state
-	*/
-
-	if err := seal.sys.Commit(seal.ctx); err != nil {
-		return err
-	}
-	store := state.NewMulti(seal.runDirPath)
-	deferredStoreFunc := func(c state.Cursor) error { return nil }
-	defer func() {
-		var revertErr error
-		storeErr := new(StateStoreError)
-		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
-			revertErr = func() error {
-				storeErr.InnerErr = deferredStoreFunc(c)
-
-				/*
-					revert app setup transaction
-				*/
-
-				var rt system.Enablement
-				ec := system.Process
-				if states, err := c.Load(); err != nil {
-					// revert per-process state here to limit damage
-					storeErr.OpErr = err
-					return seal.sys.Revert((*system.Criteria)(&ec))
-				} else {
-					if l := len(states); l == 0 {
-						fmsg.Verbose("no other launchers active, will clean up globals")
-						ec |= system.User
-					} else {
-						fmsg.Verbosef("found %d active launchers, cleaning up without globals", l)
-					}
-
-					// accumulate enablements of remaining launchers
-					for i, s := range states {
-						if s.Config != nil {
-							rt |= s.Config.Confinement.Enablements
-						} else {
-							log.Printf("state entry %d does not contain config", i)
-						}
-					}
-				}
-				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
-				if fmsg.Load() {
-					if ec > 0 {
-						fmsg.Verbose("reverting operations type", system.TypeString(ec))
-					}
-				}
-
-				return seal.sys.Revert((*system.Criteria)(&ec))
-			}()
-		})
-		storeErr.save([]error{revertErr, store.Close()})
-		rs.RevertErr = storeErr.equiv("error returned during cleanup:")
-	}()
-
-	/*
-		shim process lifecycle
-	*/
-
-	waitErr := make(chan error, 1)
-	cmd := new(shimProcess)
-	if startTime, err := cmd.Start(
-		seal.user.aid.String(),
-		seal.user.supp,
-	); err != nil {
-		return err
-	} else {
-		// whether/when the fsu process was created
-		rs.Time = startTime
-	}
-
-	ctx, cancel := context.WithTimeout(seal.ctx, shimSetupTimeout)
-	defer cancel()
-
-	go func() {
-		waitErr <- cmd.Unwrap().Wait()
-		// cancel shim setup in case shim died before receiving payload
-		cancel()
-	}()
-
-	if err := cmd.Serve(ctx, &shimParams{
-		Container: seal.container,
-		Home:      seal.user.data,
-
-		Verbose: fmsg.Load(),
-	}); err != nil {
-		return err
-	}
-
-	// shim accepted setup payload, create process state
-	sd := state.State{
-		ID:   seal.id.unwrap(),
-		PID:  cmd.Unwrap().Process.Pid,
-		Time: *rs.Time,
-	}
-	var earlyStoreErr = new(StateStoreError) // returned after blocking on waitErr
-	earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
-		earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
-	})
-	// destroy defunct state entry
-	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
-
-	select {
-	case err := <-waitErr: // block until fsu/shim returns
-		if err != nil {
-			var exitError *exec.ExitError
-			if !errors.As(err, &exitError) {
-				// should be unreachable
-				rs.WaitErr = err
-			}
-
-			// store non-zero return code
-			rs.ExitCode = exitError.ExitCode()
-		} else {
-			rs.ExitCode = cmd.Unwrap().ProcessState.ExitCode()
-		}
-		if fmsg.Load() {
-			fmsg.Verbosef("process %d exited with exit code %d", cmd.Unwrap().Process.Pid, rs.ExitCode)
-		}
-
-	// this is reached when a fault makes an already running shim impossible to continue execution
-	// however a kill signal could not be delivered (should actually always happen like that since fsu)
-	// the effects of this is similar to the alternative exit path and ensures shim death
-	case err := <-cmd.Fallback():
-		rs.ExitCode = 255
-		log.Printf("cannot terminate shim on faulted setup: %v", err)
-
-	// alternative exit path relying on shim behaviour on monitor process exit
-	case <-seal.ctx.Done():
-		fmsg.Verbose("alternative exit path selected")
-	}
-
-	fmsg.Resume()
-	if seal.sync != nil {
-		if err := seal.sync.Close(); err != nil {
-			log.Printf("cannot close wayland security context: %v", err)
-		}
-	}
-	if seal.dbusMsg != nil {
-		seal.dbusMsg()
-	}
-
-	return earlyStoreErr.equiv("cannot save process state:")
-}
--- a/internal/app/shim.go
+++ b/internal/app/shim.go
@ -1,212 +0,0 @@
-package app
-
-import (
-	"context"
-	"encoding/gob"
-	"errors"
-	"log"
-	"os"
-	"os/exec"
-	"os/signal"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	"git.gensokyo.uk/security/fortify/internal"
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/sandbox"
-)
-
-const shimEnv = "FORTIFY_SHIM"
-
-type shimParams struct {
-	// finalised container params
-	Container *sandbox.Params
-	// path to outer home directory
-	Home string
-
-	// verbosity pass through
-	Verbose bool
-}
-
-// ShimMain is the main function of the shim process and runs as the unconstrained target user.
-func ShimMain() {
-	fmsg.Prepare("shim")
-
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
-		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
-	}
-
-	var (
-		params     shimParams
-		closeSetup func() error
-	)
-	if f, err := sandbox.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, sandbox.ErrInvalid) {
-			log.Fatal("invalid config descriptor")
-		}
-		if errors.Is(err, sandbox.ErrNotSet) {
-			log.Fatal("FORTIFY_SHIM not set")
-		}
-
-		log.Fatalf("cannot receive shim setup params: %v", err)
-	} else {
-		internal.InstallFmsg(params.Verbose)
-		closeSetup = f
-	}
-
-	if params.Container == nil || params.Container.Ops == nil {
-		log.Fatal("invalid container params")
-	}
-
-	// close setup socket
-	if err := closeSetup(); err != nil {
-		log.Printf("cannot close setup pipe: %v", err)
-		// not fatal
-	}
-
-	// ensure home directory as target user
-	if s, err := os.Stat(params.Home); err != nil {
-		if os.IsNotExist(err) {
-			if err = os.Mkdir(params.Home, 0700); err != nil {
-				log.Fatalf("cannot create home directory: %v", err)
-			}
-		} else {
-			log.Fatalf("cannot access home directory: %v", err)
-		}
-
-		// home directory is created, proceed
-	} else if !s.IsDir() {
-		log.Fatalf("path %q is not a directory", params.Home)
-	}
-
-	var name string
-	if len(params.Container.Args) > 0 {
-		name = params.Container.Args[0]
-	}
-	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
-	defer stop() // unreachable
-	container := sandbox.New(ctx, name)
-	container.Params = *params.Container
-	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
-	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
-	container.WaitDelay = 2 * time.Second
-
-	if err := container.Start(); err != nil {
-		fmsg.PrintBaseError(err, "cannot start container:")
-		os.Exit(1)
-	}
-	if err := container.Serve(); err != nil {
-		fmsg.PrintBaseError(err, "cannot configure container:")
-	}
-	if err := container.Wait(); err != nil {
-		var exitError *exec.ExitError
-		if !errors.As(err, &exitError) {
-			if errors.Is(err, context.Canceled) {
-				os.Exit(2)
-			}
-			log.Printf("wait: %v", err)
-			os.Exit(127)
-		}
-		os.Exit(exitError.ExitCode())
-	}
-}
-
-type shimProcess struct {
-	// user switcher process
-	cmd *exec.Cmd
-	// fallback exit notifier with error returned killing the process
-	killFallback chan error
-	// monitor to shim encoder
-	encoder *gob.Encoder
-}
-
-func (s *shimProcess) Unwrap() *exec.Cmd    { return s.cmd }
-func (s *shimProcess) Fallback() chan error { return s.killFallback }
-
-func (s *shimProcess) String() string {
-	if s.cmd == nil {
-		return "(unused shim manager)"
-	}
-	return s.cmd.String()
-}
-
-func (s *shimProcess) Start(
-	aid string,
-	supp []string,
-) (*time.Time, error) {
-	// prepare user switcher invocation
-	fsuPath := internal.MustFsuPath()
-	s.cmd = exec.Command(fsuPath)
-
-	// pass shim setup pipe
-	if fd, e, err := sandbox.Setup(&s.cmd.ExtraFiles); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot create shim setup pipe:")
-	} else {
-		s.encoder = e
-		s.cmd.Env = []string{
-			shimEnv + "=" + strconv.Itoa(fd),
-			"FORTIFY_APP_ID=" + aid,
-		}
-	}
-
-	// format fsu supplementary groups
-	if len(supp) > 0 {
-		fmsg.Verbosef("attaching supplementary group ids %s", supp)
-		s.cmd.Env = append(s.cmd.Env, "FORTIFY_GROUPS="+strings.Join(supp, " "))
-	}
-	s.cmd.Stdin, s.cmd.Stdout, s.cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	s.cmd.Dir = "/"
-
-	fmsg.Verbose("starting shim via fsu:", s.cmd)
-	// withhold messages to stderr
-	fmsg.Suspend()
-	if err := s.cmd.Start(); err != nil {
-		return nil, fmsg.WrapErrorSuffix(err,
-			"cannot start fsu:")
-	}
-	startTime := time.Now().UTC()
-
-	return &startTime, nil
-}
-
-func (s *shimProcess) Serve(ctx context.Context, params *shimParams) error {
-	// kill shim if something goes wrong and an error is returned
-	s.killFallback = make(chan error, 1)
-	killShim := func() {
-		if err := s.cmd.Process.Signal(os.Interrupt); err != nil {
-			s.killFallback <- err
-		}
-	}
-	defer func() { killShim() }()
-
-	encodeErr := make(chan error)
-	go func() { encodeErr <- s.encoder.Encode(params) }()
-
-	select {
-	// encode return indicates setup completion
-	case err := <-encodeErr:
-		if err != nil {
-			return fmsg.WrapErrorSuffix(err,
-				"cannot transmit shim config:")
-		}
-		killShim = func() {}
-		return nil
-
-	// setup canceled before payload was accepted
-	case <-ctx.Done():
-		err := ctx.Err()
-		if errors.Is(err, context.Canceled) {
-			return fmsg.WrapError(syscall.ECANCELED,
-				"shim setup canceled")
-		}
-		if errors.Is(err, context.DeadlineExceeded) {
-			return fmsg.WrapError(syscall.ETIMEDOUT,
-				"deadline exceeded waiting for shim")
-		}
-		// unreachable
-		return err
-	}
-}
--- a/internal/exit.go
+++ b/internal/exit.go
@ -3,7 +3,7 @@ package internal
 import (
 	"os"

-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )

-func Exit(code int) { fmsg.BeforeExit(); os.Exit(code) }
+func Exit(code int) { hlog.BeforeExit(); os.Exit(code) }
--- a/internal/hlog/errors.go
+++ b/internal/hlog/errors.go
@ -1,4 +1,4 @@
-package fmsg
+package hlog

 import (
 	"fmt"
@ -12,13 +12,8 @@ type baseError struct {
 	Err error
 }

-func (e *baseError) Error() string {
-	return e.Err.Error()
-}
-
-func (e *baseError) Unwrap() error {
-	return e.Err
-}
+func (e *baseError) Error() string { return e.Err.Error() }
+func (e *baseError) Unwrap() error { return e.Err }

 // BaseError implements an error container with a user-facing message
 type BaseError struct {
@ -27,35 +22,33 @@ type BaseError struct {
 }

 // Message returns a user-facing error message
-func (e *BaseError) Message() string {
-	return e.message
-}
+func (e *BaseError) Message() string { return e.message }

-// WrapError wraps an error with a corresponding message.
-func WrapError(err error, a ...any) error {
+// WrapErr wraps an error with a corresponding message.
+func WrapErr(err error, a ...any) error {
 	if err == nil {
 		return nil
 	}
-	return wrapError(err, fmt.Sprintln(a...))
+	return wrapErr(err, fmt.Sprintln(a...))
 }

-// WrapErrorSuffix wraps an error with a corresponding message with err at the end of the message.
-func WrapErrorSuffix(err error, a ...any) error {
+// WrapErrSuffix wraps an error with a corresponding message with err at the end of the message.
+func WrapErrSuffix(err error, a ...any) error {
 	if err == nil {
 		return nil
 	}
-	return wrapError(err, fmt.Sprintln(append(a, err)...))
+	return wrapErr(err, fmt.Sprintln(append(a, err)...))
 }

-// WrapErrorFunc wraps an error with a corresponding message returned by f.
-func WrapErrorFunc(err error, f func(err error) string) error {
+// WrapErrFunc wraps an error with a corresponding message returned by f.
+func WrapErrFunc(err error, f func(err error) string) error {
 	if err == nil {
 		return nil
 	}
-	return wrapError(err, f(err))
+	return wrapErr(err, f(err))
 }

-func wrapError(err error, message string) *BaseError {
+func wrapErr(err error, message string) *BaseError {
 	return &BaseError{message, baseError{err}}
 }

--- a/internal/hlog/hlog.go
+++ b/internal/hlog/hlog.go
@ -1,5 +1,5 @@
-// Package fmsg provides various functions for output messages.
-package fmsg
+// Package hlog provides various functions for output messages.
+package hlog

 import (
 	"bytes"
--- a/internal/hlog/msg.go
+++ b/internal/hlog/msg.go
@ -1,11 +1,11 @@
-package fmsg
+package hlog

 type Output struct{}

 func (Output) IsVerbose() bool                         { return Load() }
 func (Output) Verbose(v ...any)                        { Verbose(v...) }
 func (Output) Verbosef(format string, v ...any)        { Verbosef(format, v...) }
-func (Output) WrapErr(err error, a ...any) error       { return WrapError(err, a...) }
+func (Output) WrapErr(err error, a ...any) error       { return WrapErr(err, a...) }
 func (Output) PrintBaseErr(err error, fallback string) { PrintBaseError(err, fallback) }
 func (Output) Suspend()                                { Suspend() }
 func (Output) Resume() bool                            { return Resume() }
--- a/internal/hlog/verbose.go
+++ b/internal/hlog/verbose.go
@ -1,4 +1,4 @@
-package fmsg
+package hlog

 import (
 	"log"
--- a/internal/output.go
+++ b/internal/output.go
@ -1,17 +1,17 @@
 package internal

 import (
-	"git.gensokyo.uk/security/fortify/internal/fmsg"
-	"git.gensokyo.uk/security/fortify/sandbox"
-	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
-	"git.gensokyo.uk/security/fortify/system"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
+	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
+	"git.gensokyo.uk/security/hakurei/system"
 )

 func InstallFmsg(verbose bool) {
-	fmsg.Store(verbose)
-	sandbox.SetOutput(fmsg.Output{})
-	system.SetOutput(fmsg.Output{})
+	hlog.Store(verbose)
+	sandbox.SetOutput(hlog.Output{})
+	system.SetOutput(hlog.Output{})
 	if verbose {
-		seccomp.SetOutput(fmsg.Verbose)
+		seccomp.SetOutput(hlog.Verbose)
 	}
 }
--- a/internal/path.go
+++ b/internal/path.go
@ -4,20 +4,30 @@ import (
 	"log"
 	"path"

-	"git.gensokyo.uk/security/fortify/internal/fmsg"
+	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )

 var (
-	fsu = compPoison
+	hakurei = compPoison
+	hsu     = compPoison
 )

-func MustFsuPath() string {
-	if name, ok := checkPath(fsu); ok {
+func MustHakureiPath() string {
+	if name, ok := checkPath(hakurei); ok {
 		return name
 	}
-	fmsg.BeforeExit()
-	log.Fatal("invalid fsu path, this program is compiled incorrectly")
-	return compPoison
+	hlog.BeforeExit()
+	log.Fatal("invalid hakurei path, this program is compiled incorrectly")
+	return compPoison // unreachable
+}
+
+func MustHsuPath() string {
+	if name, ok := checkPath(hsu); ok {
+		return name
+	}
+	hlog.BeforeExit()
+	log.Fatal("invalid hsu path, this program is compiled incorrectly")
+	return compPoison // unreachable
 }

 func checkPath(p string) (string, bool) { return p, p != compPoison && p != "" && path.IsAbs(p) }
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`This port is solely for releasing to the github mirror and serves no purpose during development.`