container: optionally isolate host abstract UNIX domain sockets via landlock

container: move PR_SET_NO_NEW_PRIVS to parent
This allows some LSM setup in the parent. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-18 14:35:49 +09:00 · 2025-08-18 11:46:02 +09:00 · 2025-08-18 11:36:13 +09:00 · 2025-08-18 11:30:58 +09:00 · 2025-08-17 17:42:22 +09:00 · 2025-08-17 02:59:37 +09:00
87 changed files with 4243 additions and 1280 deletions
--- a/.github/workflows/README
+++ b/.github/workflows/README
@ -1 +1,5 @@
-This port is solely for releasing to the github mirror and serves no purpose during development.
+DO NOT ADD NEW ACTIONS HERE
+
+This port is solely for releasing to the github mirror and serves no purpose during development.
+All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
+request for an account on git.gensokyo.uk.
--- a/.gitignore
+++ b/.gitignore
@ -29,4 +29,7 @@ go.work.sum
 /cmd/hakurei/LICENSE

 # release
-/dist/hakurei-*
+/dist/hakurei-*
+
+# interactive nixos vm
+nixos.qcow2
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@ -14,6 +14,7 @@ import (
 	"time"

 	"hakurei.app/command"
+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/app"
@ -94,7 +95,7 @@ func buildCommand(out io.Writer) command.Command {
 							Gid:      us,
 							Username: "chronos",
 							Name:     "Hakurei Permissive Default",
-							HomeDir:  "/var/empty",
+							HomeDir:  container.FHSVarEmpty,
 						}
 					} else {
 						passwd = u
@ -114,21 +115,29 @@ func buildCommand(out io.Writer) command.Command {

 			config.Identity = aid
 			config.Groups = groups
-			config.Data = homeDir
 			config.Username = userName

+			if a, err := container.NewAbs(homeDir); err != nil {
+				log.Fatal(err.Error())
+				return err
+			} else {
+				config.Data = a
+			}
+
+			var e system.Enablement
 			if wayland {
-				config.Enablements |= system.EWayland
+				e |= system.EWayland
 			}
 			if x11 {
-				config.Enablements |= system.EX11
+				e |= system.EX11
 			}
 			if dBus {
-				config.Enablements |= system.EDBus
+				e |= system.EDBus
 			}
 			if pulse {
-				config.Enablements |= system.EPulse
+				e |= system.EPulse
 			}
+			config.Enablements = hst.NewEnablements(e)

 			// parse D-Bus config file from flags if applicable
 			if dBus {
@ -212,7 +221,7 @@ func buildCommand(out io.Writer) command.Command {

 	var psFlagShort bool
 	c.NewCommand("ps", "List active instances", func(args []string) error {
-		printPs(os.Stdout, time.Now().UTC(), state.NewMulti(std.Paths().RunDirPath), psFlagShort, flagJSON)
+		printPs(os.Stdout, time.Now().UTC(), state.NewMulti(std.Paths().RunDirPath.String()), psFlagShort, flagJSON)
 		return errSuccess
 	}).Flag(&psFlagShort, "short", command.BoolFlag(false), "Print instance id")

--- a/cmd/hakurei/parse.go
+++ b/cmd/hakurei/parse.go
@ -87,7 +87,7 @@ func tryShort(name string) (config *hst.Config, entry *state.State) {
 	if likePrefix && len(name) >= 8 {
 		hlog.Verbose("argument looks like prefix")

-		s := state.NewMulti(std.Paths().RunDirPath)
+		s := state.NewMulti(std.Paths().RunDirPath.String())
 		if entries, err := state.Join(s); err != nil {
 			log.Printf("cannot join store: %v", err)
 			// drop to fetch from file
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@ -12,6 +12,7 @@ import (
 	"text/tabwriter"
 	"time"

+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
 	"hakurei.app/internal/hlog"
@ -22,9 +23,9 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()

-	info := new(hst.Info)
+	info := &hst.Info{Paths: std.Paths()}

-	// get fid by querying uid of aid 0
+	// get hid by querying uid of identity 0
 	if uid, err := std.Uid(0); err != nil {
 		hlog.PrintBaseError(err, "cannot obtain uid from setuid wrapper:")
 		os.Exit(1)
@ -38,6 +39,10 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
 	}

 	t.Printf("User:\t%d\n", info.User)
+	t.Printf("TempDir:\t%s\n", info.TempDir)
+	t.Printf("SharePath:\t%s\n", info.SharePath)
+	t.Printf("RuntimePath:\t%s\n", info.RuntimePath)
+	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
 }

 func printShowInstance(
@ -73,17 +78,17 @@ func printShowInstance(
 	} else {
 		t.Printf(" Identity:\t%d\n", config.Identity)
 	}
-	t.Printf(" Enablements:\t%s\n", config.Enablements.String())
+	t.Printf(" Enablements:\t%s\n", config.Enablements.Unwrap().String())
 	if len(config.Groups) > 0 {
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
-	if config.Data != "" {
+	if config.Data != nil {
 		t.Printf(" Data:\t%s\n", config.Data)
 	}
 	if config.Container != nil {
-		container := config.Container
-		if container.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", container.Hostname)
+		params := config.Container
+		if params.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", params.Hostname)
 		}
 		flags := make([]string, 0, 7)
 		writeFlag := func(name string, value bool) {
@ -91,34 +96,32 @@ func printShowInstance(
 				flags = append(flags, name)
 			}
 		}
-		writeFlag("userns", container.Userns)
-		writeFlag("devel", container.Devel)
-		writeFlag("net", container.Net)
-		writeFlag("device", container.Device)
-		writeFlag("tty", container.Tty)
-		writeFlag("mapuid", container.MapRealUID)
+		writeFlag("userns", params.Userns)
+		writeFlag("devel", params.Devel)
+		writeFlag("net", params.Net)
+		writeFlag("device", params.Device)
+		writeFlag("tty", params.Tty)
+		writeFlag("mapuid", params.MapRealUID)
 		writeFlag("directwl", config.DirectWayland)
-		writeFlag("autoetc", container.AutoEtc)
+		writeFlag("autoetc", params.AutoEtc)
 		if len(flags) == 0 {
 			flags = append(flags, "none")
 		}
 		t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))

-		if container.AutoRoot != "" {
-			t.Printf(" Root:\t%s (%d)\n", container.AutoRoot, container.RootFlags)
+		if params.AutoRoot != nil {
+			t.Printf(" Root:\t%s (%d)\n", params.AutoRoot, params.RootFlags)
 		}

-		etc := container.Etc
-		if etc == "" {
-			etc = "/etc"
+		etc := params.Etc
+		if etc == nil {
+			etc = container.AbsFHSEtc
 		}
 		t.Printf(" Etc:\t%s\n", etc)

-		if len(container.Cover) > 0 {
-			t.Printf(" Cover:\t%s\n", strings.Join(container.Cover, " "))
+		if config.Path != nil {
+			t.Printf(" Path:\t%s\n", config.Path)
 		}
-
-		t.Printf(" Path:\t%s\n", config.Path)
 	}
 	if len(config.Args) > 0 {
 		t.Printf(" Arguments:\t%s\n", strings.Join(config.Args, " "))
@ -129,30 +132,11 @@ func printShowInstance(
 		if config.Container != nil && len(config.Container.Filesystem) > 0 {
 			t.Printf("Filesystem\n")
 			for _, f := range config.Container.Filesystem {
-				if f == nil {
+				if !f.Valid() {
+					t.Println(" <invalid>")
 					continue
 				}
-
-				expr := new(strings.Builder)
-				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
-
-				if f.Device {
-					expr.WriteString(" d")
-				} else if f.Write {
-					expr.WriteString(" w")
-				} else {
-					expr.WriteString(" ")
-				}
-				if f.Must {
-					expr.WriteString("*")
-				} else {
-					expr.WriteString("+")
-				}
-				expr.WriteString(f.Src)
-				if f.Dst != "" {
-					expr.WriteString(":" + f.Dst)
-				}
-				t.Printf("%s\n", expr.String())
+				t.Printf(" %s\n", f)
 			}
 			t.Printf("\n")
 		}
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@ -43,16 +43,16 @@ func Test_printShowInstance(t *testing.T) {
 Hostname:       localhost
 Flags:          userns devel net device tty mapuid autoetc
 Root:           /var/lib/hakurei/base/org.debian (2)
- Etc:            /etc
- Cover:          /var/run/nscd
+ Etc:            /etc/
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland

 Filesystem
- +/nix/store
- +/run/current-system
- +/run/opengl-driver
- +/var/db/nix-channels
+ w+ephemeral(-rwxr-xr-x):/tmp/
+ w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
+ */nix/store
+ */run/current-system
+ */run/opengl-driver
 w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
 d+/dev/dri

@ -83,18 +83,17 @@ App
 Identity:       0
 Enablements:    (no enablements)
 Flags:          none
- Etc:            /etc
- Path:           
+ Etc:            /etc/

 `},
-		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]*hst.FilesystemConfig, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
+		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
 Identity:       0
 Enablements:    (no enablements)
 Flags:          none
- Etc:            /etc
- Path:           
+ Etc:            /etc/

 Filesystem
+ <invalid>

 Extra ACL

@ -123,16 +122,16 @@ App
 Hostname:       localhost
 Flags:          userns devel net device tty mapuid autoetc
 Root:           /var/lib/hakurei/base/org.debian (2)
- Etc:            /etc
- Cover:          /var/run/nscd
+ Etc:            /etc/
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland

 Filesystem
- +/nix/store
- +/run/current-system
- +/run/opengl-driver
- +/var/db/nix-channels
+ w+ephemeral(-rwxr-xr-x):/tmp/
+ w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
+ */nix/store
+ */run/current-system
+ */run/opengl-driver
 w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
 d+/dev/dri

@ -196,7 +195,11 @@ App
      "--enable-features=UseOzonePlatform",
      "--ozone-platform=wayland"
    ],
-    "enablements": 13,
+    "enablements": {
+      "wayland": true,
+      "dbus": true,
+      "pulse": true
+    },
    "session_bus": {
      "see": null,
      "talk": [
@ -276,41 +279,55 @@ App
      "device": true,
      "filesystem": [
        {
+          "type": "ephemeral",
+          "dst": "/tmp/",
+          "write": true,
+          "perm": 493
+        },
+        {
+          "type": "overlay",
+          "dst": "/nix/store",
+          "lower": [
+            "/mnt-root/nix/.ro-store"
+          ],
+          "upper": "/mnt-root/nix/.rw-store/upper",
+          "work": "/mnt-root/nix/.rw-store/work"
+        },
+        {
+          "type": "bind",
          "src": "/nix/store"
        },
        {
+          "type": "bind",
          "src": "/run/current-system"
        },
        {
+          "type": "bind",
          "src": "/run/opengl-driver"
        },
        {
-          "src": "/var/db/nix-channels"
-        },
-        {
+          "type": "bind",
          "dst": "/data/data/org.chromium.Chromium",
          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-          "write": true,
-          "require": true
+          "write": true
        },
        {
+          "type": "bind",
          "src": "/dev/dri",
-          "dev": true
+          "dev": true,
+          "optional": true
        }
      ],
      "symlink": [
-        [
-          "/run/user/65534",
-          "/run/user/150"
-        ]
+        {
+          "target": "/run/user/65534",
+          "linkname": "/run/user/150"
+        }
      ],
      "auto_root": "/var/lib/hakurei/base/org.debian",
      "root_flags": 2,
-      "etc": "/etc",
-      "auto_etc": true,
-      "cover": [
-        "/var/run/nscd"
-      ]
+      "etc": "/etc/",
+      "auto_etc": true
    }
  },
  "time": "1970-01-01T00:00:00.000000009Z"
@ -326,7 +343,11 @@ App
    "--enable-features=UseOzonePlatform",
    "--ozone-platform=wayland"
  ],
-  "enablements": 13,
+  "enablements": {
+    "wayland": true,
+    "dbus": true,
+    "pulse": true
+  },
  "session_bus": {
    "see": null,
    "talk": [
@ -406,41 +427,55 @@ App
    "device": true,
    "filesystem": [
      {
+        "type": "ephemeral",
+        "dst": "/tmp/",
+        "write": true,
+        "perm": 493
+      },
+      {
+        "type": "overlay",
+        "dst": "/nix/store",
+        "lower": [
+          "/mnt-root/nix/.ro-store"
+        ],
+        "upper": "/mnt-root/nix/.rw-store/upper",
+        "work": "/mnt-root/nix/.rw-store/work"
+      },
+      {
+        "type": "bind",
        "src": "/nix/store"
      },
      {
+        "type": "bind",
        "src": "/run/current-system"
      },
      {
+        "type": "bind",
        "src": "/run/opengl-driver"
      },
      {
-        "src": "/var/db/nix-channels"
-      },
-      {
+        "type": "bind",
        "dst": "/data/data/org.chromium.Chromium",
        "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-        "write": true,
-        "require": true
+        "write": true
      },
      {
+        "type": "bind",
        "src": "/dev/dri",
-        "dev": true
+        "dev": true,
+        "optional": true
      }
    ],
    "symlink": [
-      [
-        "/run/user/65534",
-        "/run/user/150"
-      ]
+      {
+        "target": "/run/user/65534",
+        "linkname": "/run/user/150"
+      }
    ],
    "auto_root": "/var/lib/hakurei/base/org.debian",
    "root_flags": 2,
-    "etc": "/etc",
-    "auto_etc": true,
-    "cover": [
-      "/var/run/nscd"
-    ]
+    "etc": "/etc/",
+    "auto_etc": true
  }
 }
 `},
@ -510,7 +545,11 @@ func Test_printPs(t *testing.T) {
        "--enable-features=UseOzonePlatform",
        "--ozone-platform=wayland"
      ],
-      "enablements": 13,
+      "enablements": {
+        "wayland": true,
+        "dbus": true,
+        "pulse": true
+      },
      "session_bus": {
        "see": null,
        "talk": [
@ -590,41 +629,55 @@ func Test_printPs(t *testing.T) {
        "device": true,
        "filesystem": [
          {
+            "type": "ephemeral",
+            "dst": "/tmp/",
+            "write": true,
+            "perm": 493
+          },
+          {
+            "type": "overlay",
+            "dst": "/nix/store",
+            "lower": [
+              "/mnt-root/nix/.ro-store"
+            ],
+            "upper": "/mnt-root/nix/.rw-store/upper",
+            "work": "/mnt-root/nix/.rw-store/work"
+          },
+          {
+            "type": "bind",
            "src": "/nix/store"
          },
          {
+            "type": "bind",
            "src": "/run/current-system"
          },
          {
+            "type": "bind",
            "src": "/run/opengl-driver"
          },
          {
-            "src": "/var/db/nix-channels"
-          },
-          {
+            "type": "bind",
            "dst": "/data/data/org.chromium.Chromium",
            "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-            "write": true,
-            "require": true
+            "write": true
          },
          {
+            "type": "bind",
            "src": "/dev/dri",
-            "dev": true
+            "dev": true,
+            "optional": true
          }
        ],
        "symlink": [
-          [
-            "/run/user/65534",
-            "/run/user/150"
-          ]
+          {
+            "target": "/run/user/65534",
+            "linkname": "/run/user/150"
+          }
        ],
        "auto_root": "/var/lib/hakurei/base/org.debian",
        "root_flags": 2,
-        "etc": "/etc",
-        "auto_etc": true,
-        "cover": [
-          "/var/run/nscd"
-        ]
+        "etc": "/etc/",
+        "auto_etc": true
      }
    },
    "time": "1970-01-01T00:00:00.000000009Z"
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@ -4,11 +4,10 @@ import (
 	"encoding/json"
 	"log"
 	"os"
-	"path"

+	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
-	"hakurei.app/system"
 	"hakurei.app/system/dbus"
 )

@ -29,6 +28,8 @@ type appInfo struct {
 	// passed through to [hst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [hst.Config]
+	ScopeAbstract bool `json:"scope_abstract,omitempty"`
+	// passed through to [hst.Config]
 	Device bool `json:"dev,omitempty"`
 	// passed through to [hst.Config]
 	Tty bool `json:"tty,omitempty"`
@ -41,7 +42,7 @@ type appInfo struct {
 	// passed through to [hst.Config]
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
 	// passed through to [hst.Config]
-	Enablements system.Enablement `json:"enablements"`
+	Enablements *hst.Enablements `json:"enablements,omitempty"`

 	// passed through to [hst.Config]
 	Multiarch bool `json:"multiarch,omitempty"`
@ -55,18 +56,18 @@ type appInfo struct {
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
-	Launcher string `json:"launcher"`
+	Launcher *container.Absolute `json:"launcher"`
 	// store path to /run/current-system
-	CurrentSystem string `json:"current_system"`
+	CurrentSystem *container.Absolute `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }

-func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *hst.Config {
+func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, argv []string, flagDropShell bool) *hst.Config {
 	config := &hst.Config{
 		ID: app.ID,

-		Path: argv[0],
+		Path: pathname,
 		Args: argv,

 		Enablements: app.Enablements,
@ -76,9 +77,9 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 		DirectWayland: app.DirectWayland,

 		Username: "hakurei",
-		Shell:    shellPath,
+		Shell:    pathShell,
 		Data:     pathSet.homeDir,
-		Dir:      path.Join("/data/data", app.ID),
+		Dir:      pathDataData.Append(app.ID),

 		Identity: app.Identity,
 		Groups:   app.Groups,
@ -91,22 +92,22 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 			Device:     app.Device,
 			Tty:        app.Tty || flagDropShell,
 			MapRealUID: app.MapRealUID,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-				{Src: pathSet.metaPath, Dst: path.Join(hst.Tmp, "app"), Must: true},
-				{Src: "/etc/resolv.conf"},
-				{Src: "/sys/block"},
-				{Src: "/sys/bus"},
-				{Src: "/sys/class"},
-				{Src: "/sys/dev"},
-				{Src: "/sys/devices"},
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}},
+				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("block"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("bus"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("class"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}},
 			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
+			Link: []hst.LinkConfig{
+				{pathCurrentSystem, app.CurrentSystem.String()},
+				{pathBin, pathSwBin.String()},
+				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			Etc:     pathSet.cacheDir.Append("etc"),
 			AutoEtc: true,
 		},
 		ExtraPerms: []*hst.ExtraPermConfig{
@ -140,6 +141,14 @@ func loadAppInfo(name string, beforeFail func()) *appInfo {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
+	if bundle.Launcher == nil {
+		beforeFail()
+		log.Fatal("launcher must not be empty")
+	}
+	if bundle.CurrentSystem == nil {
+		beforeFail()
+		log.Fatal("current-system must not be empty")
+	}

 	return bundle
 }
--- a/cmd/hpkg/build.nix
+++ b/cmd/hpkg/build.nix
@ -171,7 +171,12 @@ let
          broadcast = { };
        });

-    enablements = (if allow_wayland then 1 else 0) + (if allow_x11 then 2 else 0) + (if allow_dbus then 4 else 0) + (if allow_pulse then 8 else 0);
+    enablements = {
+      wayland = allow_wayland;
+      x11 = allow_x11;
+      dbus = allow_dbus;
+      pulse = allow_pulse;
+    };

    mesa = if gpu then mesaWrappers else null;
    nix_gl = if gpu then nixGL else null;
--- a/cmd/hpkg/main.go
+++ b/cmd/hpkg/main.go
@ -11,20 +11,19 @@ import (
 	"syscall"

 	"hakurei.app/command"
+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 )

-const shellPath = "/run/current-system/sw/bin/bash"
-
 var (
 	errSuccess = errors.New("success")
 )

 func init() {
 	hlog.Prepare("hpkg")
-	if err := os.Setenv("SHELL", shellPath); err != nil {
+	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 }
@ -81,31 +80,32 @@ func main() {
 				Extract package and set up for cleanup.
 			*/

-			var workDir string
+			var workDir *container.Absolute
 			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
-			} else {
-				workDir = p
+			} else if workDir, err = container.NewAbs(p); err != nil {
+				log.Printf("invalid temporary directory: %v", err)
+				return err
 			}
 			cleanup := func() {
 				// should be faster than a native implementation
-				mustRun(chmod, "-R", "+w", workDir)
-				mustRun(rm, "-rf", workDir)
+				mustRun(chmod, "-R", "+w", workDir.String())
+				mustRun(rm, "-rf", workDir.String())
 			}
 			beforeRunFail.Store(&cleanup)

-			mustRun(tar, "-C", workDir, "-xf", pkgPath)
+			mustRun(tar, "-C", workDir.String(), "-xf", pkgPath)

 			/*
 				Parse bundle and app metadata, do pre-install checks.
 			*/

-			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
+			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
 			pathSet := pathSetByApp(bundle.ID)

 			a := bundle
-			if s, err := os.Stat(pathSet.metaPath); err != nil {
+			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
 				if !os.IsNotExist(err) {
 					cleanup()
 					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
@ -117,7 +117,7 @@ func main() {
 				log.Printf("metadata path %q is not a file", pathSet.metaPath)
 				return syscall.EBADMSG
 			} else {
-				a = loadAppInfo(pathSet.metaPath, cleanup)
+				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
 				if a.ID != bundle.ID {
 					cleanup()
 					log.Printf("app %q claims to have identifier %q",
@ -208,7 +208,7 @@ func main() {
 			*/

 			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
+			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 				cleanup()
 				log.Printf("cannot create metadata file: %v", err)
 				return err
@ -221,7 +221,7 @@ func main() {
 				// not fatal
 			}

-			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
+			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
 				cleanup()
 				log.Printf("cannot rename metadata file: %v", err)
 				return err
@ -250,7 +250,7 @@ func main() {

 			id := args[0]
 			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath, func() {})
+			a := loadAppInfo(pathSet.metaPath.String(), func() {})
 			if a.ID != id {
 				log.Printf("app %q claims to have identifier %q", id, a.ID)
 				return syscall.EBADE
@ -274,13 +274,13 @@ func main() {
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
 				}, true, func(config *hst.Config) *hst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
-						{Src: "/etc/resolv.conf"},
-						{Src: "/sys/block"},
-						{Src: "/sys/bus"},
-						{Src: "/sys/class"},
-						{Src: "/sys/dev"},
-						{Src: "/sys/devices"},
+					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
+						{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("block"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("bus"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("class"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}},
 					}...)
 					appendGPUFilesystem(config)
 					return config
@ -291,15 +291,16 @@ func main() {
 				Create app configuration.
 			*/

+			pathname := a.Launcher
 			argv := make([]string, 1, len(args))
-			if !flagDropShell {
-				argv[0] = a.Launcher
+			if flagDropShell {
+				pathname = pathShell
+				argv[0] = bash
 			} else {
-				argv[0] = shellPath
+				argv[0] = a.Launcher.String()
 			}
 			argv = append(argv, args[1:]...)
-
-			config := a.toFst(pathSet, argv, flagDropShell)
+			config := a.toHst(pathSet, pathname, argv, flagDropShell)

 			/*
 				Expose GPU devices.
@ -307,7 +308,7 @@ func main() {

 			if a.GPU {
 				config.Container.Filesystem = append(config.Container.Filesystem,
-					&hst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(hst.Tmp, "nixGL")})
+					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsTmp.Append("nixGL")}})
 				appendGPUFilesystem(config)
 			}

--- a/cmd/hpkg/paths.go
+++ b/cmd/hpkg/paths.go
@ -4,27 +4,42 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path"
 	"strconv"
 	"sync/atomic"

+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 )

+const bash = "bash"
+
 var (
-	dataHome string
+	dataHome *container.Absolute
 )

 func init() {
 	// dataHome
-	if p, ok := os.LookupEnv("HAKUREI_DATA_HOME"); ok {
-		dataHome = p
+	if a, err := container.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
+		dataHome = a
 	} else {
-		dataHome = "/var/lib/hakurei/" + strconv.Itoa(os.Getuid())
+		dataHome = container.AbsFHSVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
 	}
 }

+var (
+	pathBin = container.AbsFHSRoot.Append("bin")
+
+	pathNix           = container.MustAbs("/nix/")
+	pathNixStore      = pathNix.Append("store/")
+	pathCurrentSystem = container.AbsFHSRun.Append("current-system")
+	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
+	pathShell         = pathSwBin.Append(bash)
+
+	pathData     = container.MustAbs("/data")
+	pathDataData = pathData.Append("data")
+)
+
 func lookPath(file string) string {
 	if p, err := exec.LookPath(file); err != nil {
 		log.Fatalf("%s: command not found", file)
@ -50,52 +65,52 @@ func mustRun(name string, arg ...string) {

 type appPathSet struct {
 	// ${dataHome}/${id}
-	baseDir string
+	baseDir *container.Absolute
 	// ${baseDir}/app
-	metaPath string
+	metaPath *container.Absolute
 	// ${baseDir}/files
-	homeDir string
+	homeDir *container.Absolute
 	// ${baseDir}/cache
-	cacheDir string
+	cacheDir *container.Absolute
 	// ${baseDir}/cache/nix
-	nixPath string
+	nixPath *container.Absolute
 }

 func pathSetByApp(id string) *appPathSet {
 	pathSet := new(appPathSet)
-	pathSet.baseDir = path.Join(dataHome, id)
-	pathSet.metaPath = path.Join(pathSet.baseDir, "app")
-	pathSet.homeDir = path.Join(pathSet.baseDir, "files")
-	pathSet.cacheDir = path.Join(pathSet.baseDir, "cache")
-	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
+	pathSet.baseDir = dataHome.Append(id)
+	pathSet.metaPath = pathSet.baseDir.Append("app")
+	pathSet.homeDir = pathSet.baseDir.Append("files")
+	pathSet.cacheDir = pathSet.baseDir.Append("cache")
+	pathSet.nixPath = pathSet.cacheDir.Append("nix")
 	return pathSet
 }

 func appendGPUFilesystem(config *hst.Config) {
-	config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
+	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
-		{Src: "/dev/dri", Device: true},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
 		// mali
-		{Src: "/dev/mali", Device: true},
-		{Src: "/dev/mali0", Device: true},
-		{Src: "/dev/umplock", Device: true},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("mali"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("mali0"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("umplock"), Device: true, Optional: true}},
 		// nvidia
-		{Src: "/dev/nvidiactl", Device: true},
-		{Src: "/dev/nvidia-modeset", Device: true},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidiactl"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia-modeset"), Device: true, Optional: true}},
 		// nvidia OpenCL/CUDA
-		{Src: "/dev/nvidia-uvm", Device: true},
-		{Src: "/dev/nvidia-uvm-tools", Device: true},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia-uvm"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},

 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
-		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
-		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
-		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
-		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
-		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
-		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
-		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
-		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
-		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
-		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia1"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia3"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia5"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia7"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia9"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia11"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia13"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia15"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia17"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia19"), Device: true, Optional: true}},
 	}...)
 }
--- a/cmd/hpkg/test/test.py
+++ b/cmd/hpkg/test/test.py
@ -92,7 +92,7 @@ wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", 13)
+check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
 # Verify acl on XDG_RUNTIME_DIR:
 print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
 machine.send_chars("exit\n")
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@ -2,9 +2,9 @@ package main

 import (
 	"context"
-	"path"
 	"strings"

+	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
@ -18,8 +18,8 @@ func withNixDaemon(
 	mustRunAppDropShell(ctx, updateConfig(&hst.Config{
 		ID: app.ID,

-		Path: shellPath,
-		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+		Path: pathShell,
+		Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 			// start nix-daemon
 			"nix-daemon --store / & " +
 			// wait for socket to appear
@ -32,9 +32,9 @@ func withNixDaemon(
 		},

 		Username: "hakurei",
-		Shell:    shellPath,
+		Shell:    pathShell,
 		Data:     pathSet.homeDir,
-		Dir:      path.Join("/data/data", app.ID),
+		Dir:      pathDataData.Append(app.ID),
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
@ -48,15 +48,15 @@ func withNixDaemon(
 			Net:          net,
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
 			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
+			Link: []hst.LinkConfig{
+				{pathCurrentSystem, app.CurrentSystem.String()},
+				{pathBin, pathSwBin.String()},
+				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			Etc:     pathSet.cacheDir.Append("etc"),
 			AutoEtc: true,
 		},
 	}), dropShell, beforeFail)
@ -64,18 +64,18 @@ func withNixDaemon(

 func withCacheDir(
 	ctx context.Context,
-	action string, command []string, workDir string,
+	action string, command []string, workDir *container.Absolute,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
 	mustRunAppDropShell(ctx, &hst.Config{
 		ID: app.ID,

-		Path: shellPath,
-		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
+		Path: pathShell,
+		Args: []string{bash, "-lc", strings.Join(command, " && ")},

 		Username: "nixos",
-		Shell:    shellPath,
+		Shell:    pathShell,
 		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
-		Dir:      path.Join("/data/data", app.ID, "cache"),
+		Dir:      pathDataData.Append(app.ID, "cache"),
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
@ -88,16 +88,16 @@ func withCacheDir(
 			Hostname:     formatHostname(app.Name) + "-" + action,
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
+				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}},
 			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
+			Link: []hst.LinkConfig{
+				{pathCurrentSystem, app.CurrentSystem.String()},
+				{pathBin, pathSwBin.String()},
+				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     path.Join(workDir, "etc"),
+			Etc:     workDir.Append(container.FHSEtc),
 			AutoEtc: true,
 		},
 	}, dropShell, beforeFail)
@ -105,7 +105,7 @@ func withCacheDir(

 func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
-		config.Args = []string{shellPath, "-l"}
+		config.Args = []string{bash, "-l"}
 		mustRunApp(ctx, config, beforeFail)
 		beforeFail()
 		internal.Exit(0)
--- a/container/absolute.go
+++ b/container/absolute.go
@ -0,0 +1,98 @@
+package container
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"path"
+	"slices"
+	"strings"
+	"syscall"
+)
+
+// AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
+type AbsoluteError struct {
+	Pathname string
+}
+
+func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
+func (e *AbsoluteError) Is(target error) bool {
+	var ce *AbsoluteError
+	if !errors.As(target, &ce) {
+		return errors.Is(target, syscall.EINVAL)
+	}
+	return *e == *ce
+}
+
+// Absolute holds a pathname checked to be absolute.
+type Absolute struct {
+	pathname string
+}
+
+// isAbs wraps [path.IsAbs] in case additional checks are added in the future.
+func isAbs(pathname string) bool { return path.IsAbs(pathname) }
+
+func (a *Absolute) String() string {
+	if a.pathname == zeroString {
+		panic("attempted use of zero Absolute")
+	}
+	return a.pathname
+}
+
+// NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
+func NewAbs(pathname string) (*Absolute, error) {
+	if !isAbs(pathname) {
+		return nil, &AbsoluteError{pathname}
+	}
+	return &Absolute{pathname}, nil
+}
+
+// MustAbs calls [NewAbs] and panics on error.
+func MustAbs(pathname string) *Absolute {
+	if a, err := NewAbs(pathname); err != nil {
+		panic(err.Error())
+	} else {
+		return a
+	}
+}
+
+// Append calls [path.Join] with [Absolute] as the first element.
+func (a *Absolute) Append(elem ...string) *Absolute {
+	return &Absolute{path.Join(append([]string{a.String()}, elem...)...)}
+}
+
+// Dir calls [path.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return &Absolute{path.Dir(a.String())} }
+
+func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+func (a *Absolute) GobDecode(data []byte) error {
+	pathname := string(data)
+	if !isAbs(pathname) {
+		return &AbsoluteError{pathname}
+	}
+	a.pathname = pathname
+	return nil
+}
+
+func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+func (a *Absolute) UnmarshalJSON(data []byte) error {
+	var pathname string
+	if err := json.Unmarshal(data, &pathname); err != nil {
+		return err
+	}
+	if !isAbs(pathname) {
+		return &AbsoluteError{pathname}
+	}
+	a.pathname = pathname
+	return nil
+}
+
+// SortAbs calls [slices.SortFunc] for a slice of [Absolute].
+func SortAbs(x []*Absolute) {
+	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+}
+
+// CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
+func CompactAbs(s []*Absolute) []*Absolute {
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+}
--- a/container/absolute_test.go
+++ b/container/absolute_test.go
@ -0,0 +1,325 @@
+package container
+
+import (
+	"bytes"
+	"encoding/gob"
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+)
+
+func TestAbsoluteError(t *testing.T) {
+	testCases := []struct {
+		name string
+
+		err error
+		cmp error
+		ok  bool
+	}{
+		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
+		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
+		{"ne val", new(AbsoluteError), &AbsoluteError{"etc"}, false},
+		{"equals", &AbsoluteError{"etc"}, &AbsoluteError{"etc"}, true},
+	}
+
+	for _, tc := range testCases {
+		if got := errors.Is(tc.err, tc.cmp); got != tc.ok {
+			t.Errorf("Is: %v, want %v", got, tc.ok)
+		}
+	}
+
+	t.Run("string", func(t *testing.T) {
+		want := `path "etc" is not absolute`
+		if got := (&AbsoluteError{"etc"}).Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+}
+
+func TestNewAbs(t *testing.T) {
+	testCases := []struct {
+		name string
+
+		pathname string
+		want     *Absolute
+		wantErr  error
+	}{
+		{"good", "/etc", MustAbs("/etc"), nil},
+		{"not absolute", "etc", nil, &AbsoluteError{"etc"}},
+		{"zero", "", nil, &AbsoluteError{""}},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := NewAbs(tc.pathname)
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("NewAbs: %#v, want %#v", got, tc.want)
+			}
+			if !errors.Is(err, tc.wantErr) {
+				t.Errorf("NewAbs: error = %v, want %v", err, tc.wantErr)
+			}
+		})
+	}
+
+	t.Run("must", func(t *testing.T) {
+		defer func() {
+			wantPanic := `path "etc" is not absolute`
+
+			if r := recover(); r != wantPanic {
+				t.Errorf("MustAbsolute: panic = %v; want %v", r, wantPanic)
+			}
+		}()
+
+		MustAbs("etc")
+	})
+}
+
+func TestAbsoluteString(t *testing.T) {
+	t.Run("passthrough", func(t *testing.T) {
+		pathname := "/etc"
+		if got := (&Absolute{pathname}).String(); got != pathname {
+			t.Errorf("String: %q, want %q", got, pathname)
+		}
+	})
+
+	t.Run("zero", func(t *testing.T) {
+		defer func() {
+			wantPanic := "attempted use of zero Absolute"
+
+			if r := recover(); r != wantPanic {
+				t.Errorf("String: panic = %v, want %v", r, wantPanic)
+			}
+		}()
+
+		panic(new(Absolute).String())
+	})
+}
+
+type sCheck struct {
+	Pathname *Absolute `json:"val"`
+	Magic    int       `json:"magic"`
+}
+
+func TestCodecAbsolute(t *testing.T) {
+	testCases := []struct {
+		name string
+		a    *Absolute
+
+		wantErr error
+
+		gob, sGob   string
+		json, sJson string
+	}{
+		{"nil", nil, nil,
+			"\x00", "\x00",
+			`null`, `{"val":null,"magic":3236757504}`},
+
+		{"good", MustAbs("/etc"),
+			nil,
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x10\xff\x84\x01\x04/etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+
+			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
+		{"not absolute", nil,
+			&AbsoluteError{"etc"},
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+
+			`"etc"`, `{"val":"etc","magic":3236757504}`},
+		{"zero", nil,
+			new(AbsoluteError),
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			`""`, `{"val":"","magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("gob", func(t *testing.T) {
+				if tc.gob == "\x00" && tc.sGob == "\x00" {
+					// these values mark the current test to skip gob
+					return
+				}
+
+				t.Run("encode", func(t *testing.T) {
+					// encode is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSEncode
+						}
+						if buf.String() != tc.gob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.gob)
+						}
+					}
+
+				checkSEncode:
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if buf.String() != tc.sGob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.sGob)
+						}
+					}
+				})
+
+				t.Run("decode", func(t *testing.T) {
+					{
+						var gotA *Absolute
+						err := gob.NewDecoder(strings.NewReader(tc.gob)).Decode(&gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSDecode
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Decode: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSDecode:
+					{
+						var gotSCheck sCheck
+						err := gob.NewDecoder(strings.NewReader(tc.sGob)).Decode(&gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Decode: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+
+			})
+
+			t.Run("json", func(t *testing.T) {
+				t.Run("marshal", func(t *testing.T) {
+					// marshal is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						d, err := json.Marshal(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSMarshal
+						}
+						if string(d) != tc.json {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.json)
+						}
+					}
+
+				checkSMarshal:
+					{
+						d, err := json.Marshal(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if string(d) != tc.sJson {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sJson)
+						}
+					}
+				})
+
+				t.Run("unmarshal", func(t *testing.T) {
+					{
+						var gotA *Absolute
+						err := json.Unmarshal([]byte(tc.json), &gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSUnmarshal
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Unmarshal: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSUnmarshal:
+					{
+						var gotSCheck sCheck
+						err := json.Unmarshal([]byte(tc.sJson), &gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Unmarshal: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+			})
+		})
+	}
+
+	t.Run("json passthrough", func(t *testing.T) {
+		wantErr := "invalid character ':' looking for beginning of value"
+		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
+			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
+		}
+	})
+}
+
+func TestAbsoluteWrap(t *testing.T) {
+	t.Run("join", func(t *testing.T) {
+		want := "/etc/nix/nix.conf"
+		if got := MustAbs("/etc").Append("nix", "nix.conf"); got.String() != want {
+			t.Errorf("Append: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("dir", func(t *testing.T) {
+		want := "/"
+		if got := MustAbs("/etc").Dir(); got.String() != want {
+			t.Errorf("Dir: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		got := []*Absolute{MustAbs("/proc"), MustAbs("/sys"), MustAbs("/etc")}
+		SortAbs(got)
+		if !reflect.DeepEqual(got, want) {
+			t.Errorf("SortAbs: %#v, want %#v", got, want)
+		}
+	})
+
+	t.Run("compact", func(t *testing.T) {
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		if got := CompactAbs([]*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/proc"), MustAbs("/sys")}); !reflect.DeepEqual(got, want) {
+			t.Errorf("CompactAbs: %#v, want %#v", got, want)
+		}
+	})
+}
--- a/container/autoetc.go
+++ b/container/autoetc.go
@ -4,15 +4,16 @@ import (
 	"encoding/gob"
 	"fmt"
 	"os"
+	"syscall"
 )

 func init() { gob.Register(new(AutoEtcOp)) }

 // Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
-func (f *Ops) Etc(host, prefix string) *Ops {
+func (f *Ops) Etc(host *Absolute, prefix string) *Ops {
 	e := &AutoEtcOp{prefix}
-	f.Mkdir("/etc", 0755)
+	f.Mkdir(AbsFHSEtc, 0755)
 	f.Bind(host, e.hostPath(), 0)
 	*f = append(*f, e)
 	return f
@ -20,15 +21,20 @@ func (f *Ops) Etc(host, prefix string) *Ops {

 type AutoEtcOp struct{ Prefix string }

-func (e *AutoEtcOp) early(*Params) error { return nil }
-func (e *AutoEtcOp) apply(*Params) error {
-	const target = sysrootPath + "/etc/"
+func (e *AutoEtcOp) early(*setupState) error { return nil }
+func (e *AutoEtcOp) apply(state *setupState) error {
+	if state.nonrepeatable&nrAutoEtc != 0 {
+		return msg.WrapErr(syscall.EINVAL, "autoetc is not repeatable")
+	}
+	state.nonrepeatable |= nrAutoEtc
+
+	const target = sysrootPath + FHSEtc
 	rel := e.hostRel() + "/"

 	if err := os.MkdirAll(target, 0755); err != nil {
 		return wrapErrSelf(err)
 	}
-	if d, err := os.ReadDir(toSysroot(e.hostPath())); err != nil {
+	if d, err := os.ReadDir(toSysroot(e.hostPath().String())); err != nil {
 		return wrapErrSelf(err)
 	} else {
 		for _, ent := range d {
@ -40,7 +46,7 @@ func (e *AutoEtcOp) apply(*Params) error {
 			case "group":

 			case "mtab":
-				if err = os.Symlink("/proc/mounts", target+n); err != nil {
+				if err = os.Symlink(FHSProc+"mounts", target+n); err != nil {
 					return wrapErrSelf(err)
 				}

@ -54,8 +60,10 @@ func (e *AutoEtcOp) apply(*Params) error {

 	return nil
 }
-func (e *AutoEtcOp) hostPath() string { return "/etc/" + e.hostRel() }
-func (e *AutoEtcOp) hostRel() string  { return ".host/" + e.Prefix }
+
+// bypasses abs check, use with caution!
+func (e *AutoEtcOp) hostPath() *Absolute { return &Absolute{FHSEtc + e.hostRel()} }
+func (e *AutoEtcOp) hostRel() string     { return ".host/" + e.Prefix }

 func (e *AutoEtcOp) Is(op Op) bool {
 	ve, ok := op.(*AutoEtcOp)
--- a/container/autoroot.go
+++ b/container/autoroot.go
@ -4,21 +4,21 @@ import (
 	"encoding/gob"
 	"fmt"
 	"os"
-	"path"
-	. "syscall"
+	"syscall"
 )

 func init() { gob.Register(new(AutoRootOp)) }

 // Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
-func (f *Ops) Root(host, prefix string, flags int) *Ops {
+func (f *Ops) Root(host *Absolute, prefix string, flags int) *Ops {
 	*f = append(*f, &AutoRootOp{host, prefix, flags, nil})
 	return f
 }

 type AutoRootOp struct {
-	Host, Prefix string
+	Host   *Absolute
+	Prefix string
 	// passed through to bindMount
 	Flags int

@ -28,12 +28,12 @@ type AutoRootOp struct {
 	resolved []Op
 }

-func (r *AutoRootOp) early(params *Params) error {
-	if !path.IsAbs(r.Host) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", r.Host))
+func (r *AutoRootOp) early(state *setupState) error {
+	if r.Host == nil {
+		return syscall.EBADE
 	}

-	if d, err := os.ReadDir(r.Host); err != nil {
+	if d, err := os.ReadDir(r.Host.String()); err != nil {
 		return wrapErrSelf(err)
 	} else {
 		r.resolved = make([]Op, 0, len(d))
@ -41,11 +41,11 @@ func (r *AutoRootOp) early(params *Params) error {
 			name := ent.Name()
 			if IsAutoRootBindable(name) {
 				op := &BindMountOp{
-					Source: path.Join(r.Host, name),
-					Target: "/" + name,
+					Source: r.Host.Append(name),
+					Target: AbsFHSRoot.Append(name),
 					Flags:  r.Flags,
 				}
-				if err = op.early(params); err != nil {
+				if err = op.early(state); err != nil {
 					return err
 				}
 				r.resolved = append(r.resolved, op)
@ -55,10 +55,15 @@ func (r *AutoRootOp) early(params *Params) error {
 	}
 }

-func (r *AutoRootOp) apply(params *Params) error {
+func (r *AutoRootOp) apply(state *setupState) error {
+	if state.nonrepeatable&nrAutoRoot != 0 {
+		return msg.WrapErr(syscall.EINVAL, "autoroot is not repeatable")
+	}
+	state.nonrepeatable |= nrAutoRoot
+
 	for _, op := range r.resolved {
 		msg.Verbosef("%s %s", op.prefix(), op)
-		if err := op.apply(params); err != nil {
+		if err := op.apply(state); err != nil {
 			return err
 		}
 	}
--- a/container/capability.go
+++ b/container/capability.go
@ -12,8 +12,9 @@ const (
 	PR_CAP_AMBIENT_RAISE     = 0x2
 	PR_CAP_AMBIENT_CLEAR_ALL = 0x4

-	CAP_SYS_ADMIN = 0x15
-	CAP_SETPCAP   = 0x8
+	CAP_SYS_ADMIN    = 0x15
+	CAP_SETPCAP      = 0x8
+	CAP_DAC_OVERRIDE = 0x1
 )

 type (
--- a/container/container.go
+++ b/container/container.go
@ -9,7 +9,7 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"runtime"
 	"strconv"
 	. "syscall"
 	"time"
@ -18,10 +18,6 @@ import (
 )

 const (
-	// Nonexistent is a path that cannot exist.
-	// /proc is chosen because a system with covered /proc is unsupported by this package.
-	Nonexistent = "/proc/nonexistent"
-
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGTERM
@ -31,8 +27,6 @@ type (
 	// Container represents a container environment being prepared or run.
 	// None of [Container] methods are safe for concurrent use.
 	Container struct {
-		// Name of initial process in the container.
-		name string
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container,
@ -43,6 +37,8 @@ type (
 		setup *gob.Encoder
 		// cancels cmd
 		cancel context.CancelFunc
+		// closed after Wait returns
+		wait chan struct{}

 		Stdin  io.Reader
 		Stdout io.Writer
@ -59,11 +55,11 @@ type (
 	// Params holds container configuration and is safe to serialise.
 	Params struct {
 		// Working directory in the container.
-		Dir string
+		Dir *Absolute
 		// Initial process environment.
 		Env []string
-		// Absolute path of initial process in the container. Overrides name.
-		Path string
+		// Pathname of initial process in the container.
+		Path *Absolute
 		// Initial process argv.
 		Args []string
 		// Deliver SIGINT to the initial process on context cancellation.
@ -96,6 +92,8 @@ type (
 		RetainSession bool
 		// Do not [syscall.CLONE_NEWNET].
 		HostNet bool
+		// Do not [LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET].
+		HostAbstract bool
 		// Retain CAP_SYS_ADMIN.
 		Privileged bool
 	}
@ -113,11 +111,6 @@ func (p *Container) Start() error {
 	ctx, cancel := context.WithCancel(p.ctx)
 	p.cancel = cancel

-	var cloneFlags uintptr = CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP
-	if !p.HostNet {
-		cloneFlags |= CLONE_NEWNET
-	}
-
 	// map to overflow id to work around ownership checks
 	if p.Uid < 1 {
 		p.Uid = OverflowUid()
@ -147,20 +140,30 @@ func (p *Container) Start() error {
 	} else {
 		p.cmd.Cancel = func() error { return p.cmd.Process.Signal(CancelSignal) }
 	}
-	p.cmd.Dir = "/"
+	p.cmd.Dir = FHSRoot
 	p.cmd.SysProcAttr = &SysProcAttr{
-		Setsid:     !p.RetainSession,
-		Pdeathsig:  SIGKILL,
-		Cloneflags: cloneFlags | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS,
+		Setsid:    !p.RetainSession,
+		Pdeathsig: SIGKILL,
+		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
+			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,

-		// remain privileged for setup
-		AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
+		AmbientCaps: []uintptr{
+			// general container setup
+			CAP_SYS_ADMIN,
+			// drop capabilities
+			CAP_SETPCAP,
+			// overlay access to upperdir and workdir
+			CAP_DAC_OVERRIDE,
+		},

 		UseCgroupFD: p.Cgroup != nil,
 	}
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}
+	if !p.HostNet {
+		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
+	}

 	// place setup pipe before user supplied extra files, this is later restored by init
 	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
@ -172,11 +175,76 @@ func (p *Container) Start() error {
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)

-	msg.Verbose("starting container init")
-	if err := p.cmd.Start(); err != nil {
-		return msg.WrapErr(err, err.Error())
-	}
-	return nil
+	done := make(chan error, 1)
+	go func() {
+		runtime.LockOSThread()
+		p.wait = make(chan struct{})
+
+		done <- func() error { // setup depending on per-thread state must happen here
+			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
+			if err := SetNoNewPrivs(); err != nil {
+				return wrapErrSuffix(err,
+					"prctl(PR_SET_NO_NEW_PRIVS):")
+			}
+
+			// landlock: depends on per-thread state but acts on a process group
+			{
+				scoped := LANDLOCK_SCOPE_SIGNAL
+				if !p.HostAbstract {
+					scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+				}
+				rulesetAttr := NewRulesetAttr(scoped)
+
+				if abi, err := LandlockGetABI(); err != nil {
+					if p.HostAbstract {
+						// landlock can be skipped here as it restricts access to resources
+						// already covered by namespaces (pid)
+						goto landlockOut
+					}
+					return wrapErrSuffix(err,
+						"landlock does not appear to be enabled:")
+				} else if abi < 6 {
+					if p.HostAbstract {
+						// see above comment
+						goto landlockOut
+					}
+					return msg.WrapErr(ENOSYS,
+						"kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET")
+				} else {
+					msg.Verbosef("landlock abi version %d", abi)
+				}
+
+				msg.Verbosef("creating landlock ruleset scoped %#x", int(scoped))
+				if rulesetFd, err := LandlockCreateRuleset(&rulesetAttr, 0); err != nil {
+					return wrapErrSuffix(err,
+						"cannot create landlock ruleset:")
+				} else {
+					msg.Verbose("enforcing landlock ruleset")
+					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+						_ = Close(rulesetFd)
+						return wrapErrSuffix(err,
+							"cannot enforce landlock ruleset:")
+					}
+					if err = Close(rulesetFd); err != nil {
+						msg.Verbosef("cannot close landlock ruleset: %v", err)
+						// not fatal
+					}
+				}
+
+			landlockOut:
+			}
+
+			msg.Verbose("starting container init")
+			if err := p.cmd.Start(); err != nil {
+				return msg.WrapErr(err, err.Error())
+			}
+			return nil
+		}()
+
+		// keep this thread alive until Wait returns for cancel
+		<-p.wait
+	}()
+	return <-done
 }

 // Serve serves [Container.Params] to the container init.
@ -189,33 +257,16 @@ func (p *Container) Serve() error {
 	setup := p.setup
 	p.setup = nil

-	if p.Path != "" && !path.IsAbs(p.Path) {
+	if p.Path == nil {
 		p.cancel()
-		return msg.WrapErr(EINVAL,
-			fmt.Sprintf("invalid executable path %q", p.Path))
+		return msg.WrapErr(EINVAL, "invalid executable pathname")
 	}

-	if p.Path == "" {
-		if p.name == "" {
-			p.Path = os.Getenv("SHELL")
-			if !path.IsAbs(p.Path) {
-				p.cancel()
-				return msg.WrapErr(EBADE,
-					"no command specified and $SHELL is invalid")
-			}
-			p.name = path.Base(p.Path)
-		} else if path.IsAbs(p.name) {
-			p.Path = p.name
-		} else if v, err := exec.LookPath(p.name); err != nil {
-			p.cancel()
-			return msg.WrapErr(err, err.Error())
-		} else {
-			p.Path = v
-		}
+	// do not transmit nil
+	if p.Dir == nil {
+		p.Dir = AbsFHSRoot
 	}
-
 	if p.SeccompRules == nil {
-		// do not transmit nil
 		p.SeccompRules = make([]seccomp.NativeRule, 0)
 	}

@ -234,8 +285,19 @@ func (p *Container) Serve() error {
 	return err
 }

-// Wait waits for the container init process to exit.
-func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() }
+// Wait waits for the container init process to exit and releases any resources associated with the [Container].
+func (p *Container) Wait() error {
+	if p.cmd == nil {
+		return EINVAL
+	}
+
+	err := p.cmd.Wait()
+	p.cancel()
+	if p.wait != nil && err == nil {
+		close(p.wait)
+	}
+	return err
+}

 func (p *Container) String() string {
 	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
@ -250,8 +312,15 @@ func (p *Container) ProcessState() *os.ProcessState {
 	return p.cmd.ProcessState
 }

-func New(ctx context.Context, name string, args ...string) *Container {
-	return &Container{name: name, ctx: ctx,
-		Params: Params{Args: append([]string{name}, args...), Dir: "/", Ops: new(Ops)},
-	}
+// New returns the address to a new instance of [Container] that requires further initialisation before use.
+func New(ctx context.Context) *Container {
+	return &Container{ctx: ctx, Params: Params{Ops: new(Ops)}}
+}
+
+// NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
+func NewCommand(ctx context.Context, pathname *Absolute, name string, args ...string) *Container {
+	z := New(ctx)
+	z.Path = pathname
+	z.Args = append([]string{name}, args...)
+	return z
 }
--- a/container/container_test.go
+++ b/container/container_test.go
@ -20,8 +20,6 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/vfs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
 )

 const (
@ -33,15 +31,28 @@ const (
 	pathReadonly = pathPrefix + "readonly"
 )

+type testVal any
+
+func emptyOps(t *testing.T) (*container.Ops, context.Context) { return new(container.Ops), t.Context() }
+func earlyOps(ops *container.Ops) func(t *testing.T) (*container.Ops, context.Context) {
+	return func(t *testing.T) (*container.Ops, context.Context) { return ops, t.Context() }
+}
+
+func emptyMnt(*testing.T, context.Context) []*vfs.MountInfoEntry { return nil }
+func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*vfs.MountInfoEntry {
+	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
+}
+
 var containerTestCases = []struct {
 	name    string
 	filter  bool
 	session bool
 	net     bool
 	ro      bool
-	ops     *container.Ops

-	mnt []*vfs.MountInfoEntry
+	ops func(t *testing.T) (*container.Ops, context.Context)
+	mnt func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry
+
 	uid int
 	gid int

@ -50,30 +61,33 @@ var containerTestCases = []struct {
 	presets seccomp.FilterPreset
 }{
 	{"minimal", true, false, false, true,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1000, 100, nil, 0, seccomp.PresetStrict},
 	{"allow", true, true, true, false,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1000, 100, nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel},
 	{"no filter", false, true, true, true,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1000, 100, nil, 0, seccomp.PresetExt},
 	{"custom rules", true, true, true, false,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1, 31, []seccomp.NativeRule{{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil}}, 0, seccomp.PresetExt},
+
 	{"tmpfs", true, false, false, true,
-		new(container.Ops).
-			Tmpfs(hst.Tmp, 0, 0755),
-		[]*vfs.MountInfoEntry{
+		earlyOps(new(container.Ops).
+			Tmpfs(hst.AbsTmp, 0, 0755),
+		),
+		earlyMnt(
 			ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
-		},
+		),
 		9, 9, nil, 0, seccomp.PresetStrict},
+
 	{"dev", true, true /* go test output is not a tty */, false, false,
-		new(container.Ops).
-			Dev("/dev").
-			Mqueue("/dev/mqueue"),
-		[]*vfs.MountInfoEntry{
-			ent("/", "/dev", "rw,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+		earlyOps(new(container.Ops).
+			Dev(container.MustAbs("/dev"), true),
+		),
+		earlyMnt(
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
@ -82,24 +96,123 @@ var containerTestCases = []struct {
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
-		},
+		),
 		1971, 100, nil, 0, seccomp.PresetStrict},
+
+	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
+		earlyOps(new(container.Ops).
+			Dev(container.MustAbs("/dev"), false),
+		),
+		earlyMnt(
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
+		),
+		1971, 100, nil, 0, seccomp.PresetStrict},
+
+	{"overlay", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := container.MustAbs(t.TempDir())
+			lower0, lower1, upper, work :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1"),
+				tempDir.Append("upper"),
+				tempDir.Append("work")
+			for _, a := range []*container.Absolute{lower0, lower1, upper, work} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+
+			return new(container.Ops).
+					Overlay(hst.AbsTmp, upper, work, lower0, lower1),
+				context.WithValue(context.WithValue(context.WithValue(context.WithValue(t.Context(),
+					testVal("lower1"), lower1),
+					testVal("lower0"), lower0),
+					testVal("work"), work),
+					testVal("upper"), upper)
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				ent("/", hst.Tmp, "rw", "overlay", "overlay",
+					"rw,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*container.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*container.Absolute).String())+
+						",upperdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*container.Absolute).String())+
+						",workdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*container.Absolute).String())+
+						",redirect_dir=nofollow,uuid=on,userxattr"),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, seccomp.PresetStrict},
+
+	{"overlay ephemeral", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := container.MustAbs(t.TempDir())
+			lower0, lower1 :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1")
+			for _, a := range []*container.Absolute{lower0, lower1} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+
+			return new(container.Ops).
+					OverlayEphemeral(hst.AbsTmp, lower0, lower1),
+				t.Context()
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				// contains random suffix
+				ent("/", hst.Tmp, "rw", "overlay", "overlay", ignore),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, seccomp.PresetStrict},
+
+	{"overlay readonly", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := container.MustAbs(t.TempDir())
+			lower0, lower1 :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1")
+			for _, a := range []*container.Absolute{lower0, lower1} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+			return new(container.Ops).
+					OverlayReadonly(hst.AbsTmp, lower0, lower1),
+				context.WithValue(context.WithValue(t.Context(),
+					testVal("lower1"), lower1),
+					testVal("lower0"), lower0)
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				ent("/", hst.Tmp, "rw", "overlay", "overlay",
+					"ro,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*container.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*container.Absolute).String())+
+						",redirect_dir=nofollow,userxattr"),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, seccomp.PresetStrict},
 }

 func TestContainer(t *testing.T) {
-	{
-		oldVerbose := hlog.Load()
-		oldOutput := container.GetOutput()
-		internal.InstallOutput(true)
-		t.Cleanup(func() { hlog.Store(oldVerbose) })
-		t.Cleanup(func() { container.SetOutput(oldOutput) })
-	}
+	replaceOutput(t)

 	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
 		wantErr := context.Canceled
 		wantExitCode := 0
 		if err := c.Wait(); !errors.Is(err, wantErr) {
-			hlog.PrintBaseError(err, "wait:")
+			container.GetOutput().PrintBaseErr(err, "wait:")
 			t.Errorf("Wait: error = %v, want %v", err, wantErr)
 		}
 		if ps := c.ProcessState(); ps == nil {
@ -114,7 +227,7 @@ func TestContainer(t *testing.T) {
 	}, func(t *testing.T, c *container.Container) {
 		var exitError *exec.ExitError
 		if err := c.Wait(); !errors.As(err, &exitError) {
-			hlog.PrintBaseError(err, "wait:")
+			container.GetOutput().PrintBaseErr(err, "wait:")
 			t.Errorf("Wait: error = %v", err)
 		}
 		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
@ -124,17 +237,25 @@ func TestContainer(t *testing.T) {

 	for i, tc := range containerTestCases {
 		t.Run(tc.name, func(t *testing.T) {
+			wantOps, wantOpsCtx := tc.ops(t)
+			wantMnt := tc.mnt(t, wantOpsCtx)
+
 			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
 			defer cancel()

-			var libPaths []string
+			var libPaths []*container.Absolute
 			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
 			c.Uid = tc.uid
 			c.Gid = tc.gid
 			c.Hostname = hostnameFromTestCase(tc.name)
-			c.Stdout, c.Stderr = os.Stdout, os.Stderr
+			output := new(bytes.Buffer)
+			if !testing.Verbose() {
+				c.Stdout, c.Stderr = output, output
+			} else {
+				c.Stdout, c.Stderr = os.Stdout, os.Stderr
+			}
 			c.WaitDelay = helperDefaultTimeout
-			*c.Ops = append(*c.Ops, *tc.ops...)
+			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
 			c.SeccompPresets = tc.presets
@ -143,11 +264,11 @@ func TestContainer(t *testing.T) {
 			c.HostNet = tc.net

 			c.
-				Readonly(pathReadonly, 0755).
-				Tmpfs("/tmp", 0, 0755).
-				Place("/etc/hostname", []byte(c.Hostname))
+				Readonly(container.MustAbs(pathReadonly), 0755).
+				Tmpfs(container.MustAbs("/tmp"), 0, 0755).
+				Place(container.MustAbs("/etc/hostname"), []byte(c.Hostname))
 			// needs /proc to check mountinfo
-			c.Proc("/proc")
+			c.Proc(container.MustAbs("/proc"))

 			// mountinfo cannot be resolved directly by helper due to libPaths nondeterminism
 			mnt := make([]*vfs.MountInfoEntry, 0, 3+len(libPaths))
@ -156,11 +277,11 @@ func TestContainer(t *testing.T) {
 				// Bind(os.Args[0], helperInnerPath, 0)
 				ent(ignore, helperInnerPath, "ro,nosuid,nodev,relatime", ignore, ignore, ignore),
 			)
-			for _, name := range libPaths {
+			for _, a := range libPaths {
 				// Bind(name, name, 0)
-				mnt = append(mnt, ent(ignore, name, "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
+				mnt = append(mnt, ent(ignore, a.String(), "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
 			}
-			mnt = append(mnt, tc.mnt...)
+			mnt = append(mnt, wantMnt...)
 			mnt = append(mnt,
 				// Readonly(pathReadonly, 0755)
 				ent("/", pathReadonly, "ro,nosuid,nodev", "tmpfs", "readonly", ignore),
@ -175,23 +296,27 @@ func TestContainer(t *testing.T) {
 			)
 			want := new(bytes.Buffer)
 			if err := gob.NewEncoder(want).Encode(mnt); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
 				t.Fatalf("cannot serialise expected mount points: %v", err)
 			}
-			c.Place(pathWantMnt, want.Bytes())
+			c.Place(container.MustAbs(pathWantMnt), want.Bytes())

 			if tc.ro {
-				c.Remount("/", syscall.MS_RDONLY)
+				c.Remount(container.MustAbs("/"), syscall.MS_RDONLY)
 			}

 			if err := c.Start(); err != nil {
-				hlog.PrintBaseError(err, "start:")
+				_, _ = output.WriteTo(os.Stdout)
+				container.GetOutput().PrintBaseErr(err, "start:")
 				t.Fatalf("cannot start container: %v", err)
 			} else if err = c.Serve(); err != nil {
-				hlog.PrintBaseError(err, "serve:")
+				_, _ = output.WriteTo(os.Stdout)
+				container.GetOutput().PrintBaseErr(err, "serve:")
 				t.Errorf("cannot serve setup params: %v", err)
 			}
 			if err := c.Wait(); err != nil {
-				hlog.PrintBaseError(err, "wait:")
+				_, _ = output.WriteTo(os.Stdout)
+				container.GetOutput().PrintBaseErr(err, "wait:")
 				t.Fatalf("wait: %v", err)
 			}
 		})
@ -245,10 +370,10 @@ func testContainerCancel(
 		}

 		if err := c.Start(); err != nil {
-			hlog.PrintBaseError(err, "start:")
+			container.GetOutput().PrintBaseErr(err, "start:")
 			t.Fatalf("cannot start container: %v", err)
 		} else if err = c.Serve(); err != nil {
-			hlog.PrintBaseError(err, "serve:")
+			container.GetOutput().PrintBaseErr(err, "serve:")
 			t.Errorf("cannot serve setup params: %v", err)
 		}
 		<-ready
@ -258,7 +383,7 @@ func testContainerCancel(
 }

 func TestContainerString(t *testing.T) {
-	c := container.New(t.Context(), "ldd", "/usr/bin/env")
+	c := container.NewCommand(t.Context(), container.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
 	c.SeccompFlags |= seccomp.AllowMultiarch
 	c.SeccompRules = seccomp.Preset(
 		seccomp.PresetExt|seccomp.PresetDenyNS|seccomp.PresetDenyTTY,
--- a/container/init.go
+++ b/container/init.go
@ -31,7 +31,7 @@ const (

 	it should be noted that none of this should become relevant at any point since the resulting
 	intermediate root tmpfs should be effectively anonymous */
-	intermediateHostPath = "/proc/self/fd"
+	intermediateHostPath = FHSProc + "self/fd"

 	// setup params file descriptor
 	setupEnv = "HAKUREI_SETUP"
@ -62,7 +62,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		offsetSetup int
 	)
 	if f, err := Receive(setupEnv, &params, &setupFile); err != nil {
-		if errors.Is(err, ErrInvalid) {
+		if errors.Is(err, EBADF) {
 			log.Fatal("invalid setup descriptor")
 		}
 		if errors.Is(err, ErrNotSet) {
@ -88,17 +88,17 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := SetDumpable(SUID_DUMP_USER); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_USER: %s", err)
 	}
-	if err := os.WriteFile("/proc/self/uid_map",
+	if err := os.WriteFile(FHSProc+"self/uid_map",
 		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
 		0); err != nil {
 		log.Fatalf("%v", err)
 	}
-	if err := os.WriteFile("/proc/self/setgroups",
+	if err := os.WriteFile(FHSProc+"self/setgroups",
 		[]byte("deny\n"),
 		0); err != nil && !os.IsNotExist(err) {
 		log.Fatalf("%v", err)
 	}
-	if err := os.WriteFile("/proc/self/gid_map",
+	if err := os.WriteFile(FHSProc+"self/gid_map",
 		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
 		0); err != nil {
 		log.Fatalf("%v", err)
@ -117,10 +117,12 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	// cache sysctl before pivot_root
 	LastCap()

-	if err := Mount("", "/", "", MS_SILENT|MS_SLAVE|MS_REC, ""); err != nil {
+	if err := Mount(zeroString, FHSRoot, zeroString, MS_SILENT|MS_SLAVE|MS_REC, zeroString); err != nil {
 		log.Fatalf("cannot make / rslave: %v", err)
 	}

+	state := &setupState{Params: &params.Params}
+
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be difficult to obtain
 	via library functions after pivot_root, and implementations are expected to avoid changing
@ -130,7 +132,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 			log.Fatalf("invalid op %d", i)
 		}

-		if err := op.early(&params.Params); err != nil {
+		if err := op.early(state); err != nil {
 			msg.PrintBaseErr(err,
 				fmt.Sprintf("cannot prepare op %d:", i))
 			msg.BeforeExit()
@ -138,7 +140,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		}
 	}

-	if err := Mount("rootfs", intermediateHostPath, "tmpfs", MS_NODEV|MS_NOSUID, ""); err != nil {
+	if err := Mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
 		log.Fatalf("cannot mount intermediate root: %v", err)
 	}
 	if err := os.Chdir(intermediateHostPath); err != nil {
@ -148,7 +150,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := os.Mkdir(sysrootDir, 0755); err != nil {
 		log.Fatalf("%v", err)
 	}
-	if err := Mount(sysrootDir, sysrootDir, "", MS_SILENT|MS_MGC_VAL|MS_BIND|MS_REC, ""); err != nil {
+	if err := Mount(sysrootDir, sysrootDir, zeroString, MS_SILENT|MS_BIND|MS_REC, zeroString); err != nil {
 		log.Fatalf("cannot bind sysroot: %v", err)
 	}

@ -159,7 +161,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := PivotRoot(intermediateHostPath, hostDir); err != nil {
 		log.Fatalf("cannot pivot into intermediate root: %v", err)
 	}
-	if err := os.Chdir("/"); err != nil {
+	if err := os.Chdir(FHSRoot); err != nil {
 		log.Fatalf("%v", err)
 	}

@ -170,7 +172,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	for i, op := range *params.Ops {
 		// ops already checked during early setup
 		msg.Verbosef("%s %s", op.prefix(), op)
-		if err := op.apply(&params.Params); err != nil {
+		if err := op.apply(state); err != nil {
 			msg.PrintBaseErr(err,
 				fmt.Sprintf("cannot apply op %d:", i))
 			msg.BeforeExit()
@ -179,7 +181,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	}

 	// setup requiring host root complete at this point
-	if err := Mount(hostDir, hostDir, "", MS_SILENT|MS_REC|MS_PRIVATE, ""); err != nil {
+	if err := Mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		log.Fatalf("cannot make host root rprivate: %v", err)
 	}
 	if err := Unmount(hostDir, MNT_DETACH); err != nil {
@ -189,7 +191,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	{
 		var fd int
 		if err := IgnoringEINTR(func() (err error) {
-			fd, err = Open("/", O_DIRECTORY|O_RDONLY, 0)
+			fd, err = Open(FHSRoot, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {
 			log.Fatalf("cannot open intermediate root: %v", err)
@ -207,7 +209,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		if err := Unmount(".", MNT_DETACH); err != nil {
 			log.Fatalf("cannot unmount intemediate root: %v", err)
 		}
-		if err := os.Chdir("/"); err != nil {
+		if err := os.Chdir(FHSRoot); err != nil {
 			log.Fatalf("%v", err)
 		}

@ -216,10 +218,6 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		}
 	}

-	if _, _, errno := Syscall(SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
-		log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
-	}
-
 	if _, _, errno := Syscall(SYS_PRCTL, PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0); errno != 0 {
 		log.Fatalf("cannot clear the ambient capability set: %v", errno)
 	}
@ -254,6 +252,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
 		}
 		if err := seccomp.Load(rules, params.SeccompFlags); err != nil {
+			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			log.Fatalf("cannot load syscall filter: %v", err)
 		}
 		msg.Verbosef("%d filter rules loaded", len(rules))
@ -268,12 +267,12 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	}
 	Umask(oldmask)

-	cmd := exec.Command(params.Path)
+	cmd := exec.Command(params.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
 	cmd.Env = params.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir
+	cmd.Dir = params.Dir.String()

 	msg.Verbosef("starting initial program %s", params.Path)
 	if err := cmd.Start(); err != nil {
--- a/container/init_test.go
+++ b/container/init_test.go
@ -21,6 +21,10 @@ const (
 	helperInnerPath      = "/usr/bin/helper"
 )

+var (
+	absHelperInnerPath = container.MustAbs(helperInnerPath)
+)
+
 var helperCommands []func(c command.Command)

 func TestMain(m *testing.M) {
@ -46,10 +50,10 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }

-func helperNewContainerLibPaths(ctx context.Context, libPaths *[]string, args ...string) (c *container.Container) {
-	c = container.New(ctx, helperInnerPath, args...)
+func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*container.Absolute, args ...string) (c *container.Container) {
+	c = container.NewCommand(ctx, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(os.Args[0], helperInnerPath, 0)
+	c.Bind(container.MustAbs(os.Args[0]), absHelperInnerPath, 0)

 	// in case test has cgo enabled
 	if entries, err := ldd.Exec(ctx, os.Args[0]); err != nil {
@ -65,5 +69,5 @@ func helperNewContainerLibPaths(ctx context.Context, libPaths *[]string, args ..
 }

 func helperNewContainer(ctx context.Context, args ...string) (c *container.Container) {
-	return helperNewContainerLibPaths(ctx, new([]string), args...)
+	return helperNewContainerLibPaths(ctx, new([]*container.Absolute), args...)
 }
--- a/container/landlock.go
+++ b/container/landlock.go
@ -0,0 +1,59 @@
+package container
+
+/*
+#include <linux/landlock.h>
+#include <sys/syscall.h>
+*/
+import "C"
+import (
+	"syscall"
+	"unsafe"
+
+	"hakurei.app/container/seccomp"
+)
+
+const (
+	LANDLOCK_CREATE_RULESET_VERSION     = C.LANDLOCK_CREATE_RULESET_VERSION
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = C.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+	LANDLOCK_SCOPE_SIGNAL               = C.LANDLOCK_SCOPE_SIGNAL
+)
+
+type RulesetAttr = C.struct_landlock_ruleset_attr
+
+func NewRulesetAttr(scoped int) RulesetAttr { return RulesetAttr{scoped: C.__u64(scoped)} }
+
+/* TODO: remove everything above this */
+
+func LandlockCreateRuleset(rulesetAttr *RulesetAttr, flags uintptr) (fd int, err error) {
+	var pointer, size uintptr
+	// NULL needed for abi version
+	if rulesetAttr != nil {
+		pointer = uintptr(unsafe.Pointer(rulesetAttr))
+		size = unsafe.Sizeof(*rulesetAttr)
+	}
+
+	rulesetFd, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	fd = int(rulesetFd)
+	err = errno
+
+	if fd < 0 {
+		return
+	}
+
+	if rulesetAttr != nil { // not a fd otherwise
+		syscall.CloseOnExec(fd)
+	}
+	return fd, nil
+}
+
+func LandlockGetABI() (int, error) {
+	return LandlockCreateRuleset(nil, LANDLOCK_CREATE_RULESET_VERSION)
+}
+
+func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
+	r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	if r != 0 {
+		return errno
+	}
+	return nil
+}
--- a/container/mount.go
+++ b/container/mount.go
@ -5,11 +5,95 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	. "syscall"

 	"hakurei.app/container/vfs"
 )

+/*
+Holding CAP_SYS_ADMIN within the user namespace that owns a process's mount namespace
+allows that process to create bind mounts and mount the following types of filesystems:
+- /proc (since Linux 3.8)
+- /sys (since Linux 3.8)
+- devpts (since Linux 3.9)
+- tmpfs(5) (since Linux 3.9)
+- ramfs (since Linux 3.9)
+- mqueue (since Linux 3.9)
+- bpf (since Linux 4.4)
+- overlayfs (since Linux 5.11)
+*/
+
+const (
+	// zeroString is a zero value string, it represents NULL when passed to mount.
+	zeroString = ""
+
+	// SourceNone is used when the source value is ignored,
+	// such as when remounting.
+	SourceNone = "none"
+	// SourceProc is used when mounting proc.
+	// Note that any source value is allowed when fstype is [FstypeProc].
+	SourceProc = "proc"
+	// SourceDevpts is used when mounting devpts.
+	// Note that any source value is allowed when fstype is [FstypeDevpts].
+	SourceDevpts = "devpts"
+	// SourceMqueue is used when mounting mqueue.
+	// Note that any source value is allowed when fstype is [FstypeMqueue].
+	SourceMqueue = "mqueue"
+	// SourceOverlay is used when mounting overlay.
+	// Note that any source value is allowed when fstype is [FstypeOverlay].
+	SourceOverlay = "overlay"
+
+	// SourceTmpfsRootfs is used when mounting the tmpfs instance backing the intermediate root.
+	SourceTmpfsRootfs = "rootfs"
+	// SourceTmpfsDevtmpfs is used when mounting tmpfs representing a subset of host devtmpfs.
+	SourceTmpfsDevtmpfs = "devtmpfs"
+	// SourceTmpfsEphemeral is used when mounting a writable instance of tmpfs.
+	SourceTmpfsEphemeral = "ephemeral"
+	// SourceTmpfsReadonly is used when mounting a readonly instance of tmpfs.
+	SourceTmpfsReadonly = "readonly"
+
+	// FstypeNULL is used when the fstype value is ignored,
+	// such as when bind mounting or remounting.
+	FstypeNULL = zeroString
+	// FstypeProc represents the proc pseudo-filesystem.
+	// A fully visible instance of proc must be available in the mount namespace for proc to be mounted.
+	// This filesystem type is usually mounted on [FHSProc].
+	FstypeProc = "proc"
+	// FstypeDevpts represents the devpts pseudo-filesystem.
+	// This type of filesystem is usually mounted on /dev/pts.
+	FstypeDevpts = "devpts"
+	// FstypeTmpfs represents the tmpfs filesystem.
+	// This filesystem type can be mounted anywhere in the container filesystem.
+	FstypeTmpfs = "tmpfs"
+	// FstypeMqueue represents the mqueue pseudo-filesystem.
+	// This filesystem type is usually mounted on /dev/mqueue.
+	FstypeMqueue = "mqueue"
+	// FstypeOverlay represents the overlay pseudo-filesystem.
+	// This filesystem type can be mounted anywhere in the container filesystem.
+	FstypeOverlay = "overlay"
+
+	// OptionOverlayLowerdir represents the lowerdir option of the overlay pseudo-filesystem.
+	// Any filesystem, does not need to be on a writable filesystem.
+	OptionOverlayLowerdir = "lowerdir"
+	// OptionOverlayUpperdir represents the upperdir option of the overlay pseudo-filesystem.
+	// The upperdir is normally on a writable filesystem.
+	OptionOverlayUpperdir = "upperdir"
+	// OptionOverlayWorkdir represents the workdir option of the overlay pseudo-filesystem.
+	// The workdir needs to be an empty directory on the same filesystem as upperdir.
+	OptionOverlayWorkdir = "workdir"
+	// OptionOverlayUserxattr represents the userxattr option of the overlay pseudo-filesystem.
+	// Use the "user.overlay." xattr namespace instead of "trusted.overlay.".
+	OptionOverlayUserxattr = "userxattr"
+
+	// SpecialOverlayEscape is the escape string for overlay mount options.
+	SpecialOverlayEscape = `\`
+	// SpecialOverlayOption is the separator string between overlay mount options.
+	SpecialOverlayOption = ","
+	// SpecialOverlayPath is the separator string between overlay paths.
+	SpecialOverlayPath = ":"
+)
+
 // bindMount mounts source on target and recursively applies flags if MS_REC is set.
 func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) error {
 	if eq {
@ -18,7 +102,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
 		msg.Verbosef("resolved %q on %q flags %#x", source, target, flags)
 	}

-	if err := Mount(source, target, "", MS_SILENT|MS_BIND|flags&MS_REC, ""); err != nil {
+	if err := Mount(source, target, FstypeNULL, MS_SILENT|MS_BIND|flags&MS_REC, zeroString); err != nil {
 		return wrapErrSuffix(err,
 			fmt.Sprintf("cannot mount %q on %q:", source, target))
 	}
@ -98,14 +182,15 @@ func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {

 	if kf&mf != mf {
 		return wrapErrSuffix(
-			Mount("none", n.Clean, "", MS_SILENT|MS_BIND|MS_REMOUNT|kf|mf, ""),
+			Mount(SourceNone, n.Clean, FstypeNULL, MS_SILENT|MS_BIND|MS_REMOUNT|kf|mf, zeroString),
 			fmt.Sprintf("cannot remount %q:", n.Clean))
 	}
 	return nil
 }

-func mountTmpfs(fsname, name string, flags uintptr, size int, perm os.FileMode) error {
-	target := toSysroot(name)
+// mountTmpfs mounts tmpfs on target;
+// callers who wish to mount to sysroot must pass the return value of toSysroot.
+func mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	if err := os.MkdirAll(target, parentPerm(perm)); err != nil {
 		return wrapErrSelf(err)
 	}
@ -114,8 +199,8 @@ func mountTmpfs(fsname, name string, flags uintptr, size int, perm os.FileMode)
 		opt += fmt.Sprintf(",size=%d", size)
 	}
 	return wrapErrSuffix(
-		Mount(fsname, target, "tmpfs", flags, opt),
-		fmt.Sprintf("cannot mount tmpfs on %q:", name))
+		Mount(fsname, target, FstypeTmpfs, flags, opt),
+		fmt.Sprintf("cannot mount tmpfs on %q:", target))
 }

 func parentPerm(perm os.FileMode) os.FileMode {
@ -128,3 +213,20 @@ func parentPerm(perm os.FileMode) os.FileMode {
 	}
 	return os.FileMode(pperm)
 }
+
+// EscapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
+func EscapeOverlayDataSegment(s string) string {
+	if s == zeroString {
+		return zeroString
+	}
+
+	if f := strings.SplitN(s, "\x00", 2); len(f) > 0 {
+		s = f[0]
+	}
+
+	return strings.NewReplacer(
+		SpecialOverlayEscape, SpecialOverlayEscape+SpecialOverlayEscape,
+		SpecialOverlayOption, SpecialOverlayEscape+SpecialOverlayOption,
+		SpecialOverlayPath, SpecialOverlayEscape+SpecialOverlayPath,
+	).Replace(s)
+}
--- a/container/mount_test.go
+++ b/container/mount_test.go
@ -0,0 +1,49 @@
+package container
+
+import (
+	"os"
+	"testing"
+)
+
+func TestParentPerm(t *testing.T) {
+	testCases := []struct {
+		perm os.FileMode
+		want os.FileMode
+	}{
+		{0755, 0755},
+		{0750, 0750},
+		{0705, 0705},
+		{0700, 0700},
+		{050, 0750},
+		{05, 0705},
+		{0, 0700},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.perm.String(), func(t *testing.T) {
+			if got := parentPerm(tc.perm); got != tc.want {
+				t.Errorf("parentPerm: %#o, want %#o", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestEscapeOverlayDataSegment(t *testing.T) {
+	testCases := []struct {
+		name string
+		s    string
+		want string
+	}{
+		{"zero", zeroString, zeroString},
+		{"multi", `\\\:,:,\\\`, `\\\\\\\:\,\:\,\\\\\\`},
+		{"bwrap", `/path :,\`, `/path \:\,\\`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := EscapeOverlayDataSegment(tc.s); got != tc.want {
+				t.Errorf("escapeOverlayDataSegment: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
--- a/container/msg_test.go
+++ b/container/msg_test.go
@ -0,0 +1,139 @@
+package container_test
+
+import (
+	"log"
+	"strings"
+	"sync/atomic"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/internal/hlog"
+)
+
+func TestDefaultMsg(t *testing.T) {
+	{
+		w := log.Writer()
+		f := log.Flags()
+		t.Cleanup(func() { log.SetOutput(w); log.SetFlags(f) })
+	}
+	msg := new(container.DefaultMsg)
+
+	t.Run("is verbose", func(t *testing.T) {
+		if !msg.IsVerbose() {
+			t.Error("IsVerbose unexpected outcome")
+		}
+	})
+
+	t.Run("verbose", func(t *testing.T) {
+		log.SetOutput(panicWriter{})
+		msg.Suspend()
+		msg.Verbose()
+		msg.Verbosef("\x00")
+		msg.Resume()
+
+		buf := new(strings.Builder)
+		log.SetOutput(buf)
+		log.SetFlags(0)
+		msg.Verbose()
+		msg.Verbosef("\x00")
+
+		want := "\n\x00\n"
+		if buf.String() != want {
+			t.Errorf("Verbose: %q, want %q", buf.String(), want)
+		}
+	})
+
+	t.Run("wrapErr", func(t *testing.T) {
+		buf := new(strings.Builder)
+		log.SetOutput(buf)
+		log.SetFlags(0)
+		if err := msg.WrapErr(syscall.EBADE, "\x00", "\x00"); err != syscall.EBADE {
+			t.Errorf("WrapErr: %v", err)
+		}
+		msg.PrintBaseErr(syscall.ENOTRECOVERABLE, "cannot cuddle cat:")
+
+		want := "\x00 \x00\ncannot cuddle cat: state not recoverable\n"
+		if buf.String() != want {
+			t.Errorf("WrapErr: %q, want %q", buf.String(), want)
+		}
+	})
+
+	t.Run("inactive", func(t *testing.T) {
+		{
+			inactive := msg.Resume()
+			if inactive {
+				t.Cleanup(func() { msg.Suspend() })
+			}
+		}
+
+		if msg.Resume() {
+			t.Error("Resume unexpected outcome")
+		}
+
+		msg.Suspend()
+		if !msg.Resume() {
+			t.Error("Resume unexpected outcome")
+		}
+	})
+
+	// the function is a noop
+	t.Run("beforeExit", func(t *testing.T) { msg.BeforeExit() })
+}
+
+type panicWriter struct{}
+
+func (panicWriter) Write([]byte) (int, error) { panic("unreachable") }
+
+func saveRestoreOutput(t *testing.T) {
+	out := container.GetOutput()
+	t.Cleanup(func() { container.SetOutput(out) })
+}
+
+func replaceOutput(t *testing.T) {
+	saveRestoreOutput(t)
+	container.SetOutput(&testOutput{t: t})
+}
+
+type testOutput struct {
+	t         *testing.T
+	suspended atomic.Bool
+}
+
+func (out *testOutput) IsVerbose() bool { return testing.Verbose() }
+
+func (out *testOutput) Verbose(v ...any) {
+	if !out.IsVerbose() {
+		return
+	}
+	out.t.Log(v...)
+}
+
+func (out *testOutput) Verbosef(format string, v ...any) {
+	if !out.IsVerbose() {
+		return
+	}
+	out.t.Logf(format, v...)
+}
+
+func (out *testOutput) WrapErr(err error, a ...any) error       { return hlog.WrapErr(err, a...) }
+func (out *testOutput) PrintBaseErr(err error, fallback string) { hlog.PrintBaseError(err, fallback) }
+
+func (out *testOutput) Suspend() {
+	if out.suspended.CompareAndSwap(false, true) {
+		out.Verbose("suspend called")
+		return
+	}
+	out.Verbose("suspend called on suspended output")
+}
+
+func (out *testOutput) Resume() bool {
+	if out.suspended.CompareAndSwap(true, false) {
+		out.Verbose("resume called")
+		return true
+	}
+	out.Verbose("resume called on unsuspended output")
+	return false
+}
+
+func (out *testOutput) BeforeExit() { out.Verbose("beforeExit called") }
--- a/container/ops.go
+++ b/container/ops.go
@ -13,6 +13,22 @@ import (
 	"unsafe"
 )

+const (
+	// intermediate root file name pattern for [MountOverlayOp.Upper];
+	// remains after apply returns
+	intermediatePatternOverlayUpper = "overlay.upper.*"
+	// intermediate root file name pattern for [MountOverlayOp.Work];
+	// remains after apply returns
+	intermediatePatternOverlayWork = "overlay.work.*"
+	// intermediate root file name pattern for [TmpfileOp]
+	intermediatePatternTmpfile = "tmp.*"
+)
+
+const (
+	nrAutoEtc = 1 << iota
+	nrAutoRoot
+)
+
 type (
 	Ops []Op

@ -20,14 +36,19 @@ type (
 	// Implementations of this interface are sent as a stream of gobs.
 	Op interface {
 		// early is called in host root.
-		early(params *Params) error
+		early(state *setupState) error
 		// apply is called in intermediate root.
-		apply(params *Params) error
+		apply(state *setupState) error

 		prefix() string
 		Is(op Op) bool
 		fmt.Stringer
 	}
+
+	setupState struct {
+		nonrepeatable uintptr
+		*Params
+	}
 )

 // Grow grows the slice Ops points to using [slices.Grow].
@ -36,22 +57,22 @@ func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
 func init() { gob.Register(new(RemountOp)) }

 // Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
-func (f *Ops) Remount(target string, flags uintptr) *Ops {
+func (f *Ops) Remount(target *Absolute, flags uintptr) *Ops {
 	*f = append(*f, &RemountOp{target, flags})
 	return f
 }

 type RemountOp struct {
-	Target string
+	Target *Absolute
 	Flags  uintptr
 }

-func (*RemountOp) early(*Params) error { return nil }
-func (r *RemountOp) apply(*Params) error {
-	if !path.IsAbs(r.Target) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", r.Target))
+func (*RemountOp) early(*setupState) error { return nil }
+func (r *RemountOp) apply(*setupState) error {
+	if r.Target == nil {
+		return EBADE
 	}
-	return wrapErrSuffix(hostProc.remount(toSysroot(r.Target), r.Flags),
+	return wrapErrSuffix(hostProc.remount(toSysroot(r.Target.String()), r.Flags),
 		fmt.Sprintf("cannot remount %q:", r.Target))
 }

@ -62,13 +83,13 @@ func (r *RemountOp) String() string { return fmt.Sprintf("%q flags %#x", r.Targe
 func init() { gob.Register(new(BindMountOp)) }

 // Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
-func (f *Ops) Bind(source, target string, flags int) *Ops {
-	*f = append(*f, &BindMountOp{source, "", target, flags})
+func (f *Ops) Bind(source, target *Absolute, flags int) *Ops {
+	*f = append(*f, &BindMountOp{nil, source, target, flags})
 	return f
 }

 type BindMountOp struct {
-	Source, SourceFinal, Target string
+	sourceFinal, Source, Target *Absolute

 	Flags int
 }
@ -82,25 +103,25 @@ const (
 	BindDevice
 )

-func (b *BindMountOp) early(*Params) error {
-	if !path.IsAbs(b.Source) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", b.Source))
+func (b *BindMountOp) early(*setupState) error {
+	if b.Source == nil || b.Target == nil {
+		return EBADE
 	}

-	if v, err := filepath.EvalSymlinks(b.Source); err != nil {
+	if pathname, err := filepath.EvalSymlinks(b.Source.String()); err != nil {
 		if os.IsNotExist(err) && b.Flags&BindOptional != 0 {
-			b.SourceFinal = "\x00"
+			// leave sourceFinal as nil
 			return nil
 		}
 		return wrapErrSelf(err)
 	} else {
-		b.SourceFinal = v
-		return nil
+		b.sourceFinal, err = NewAbs(pathname)
+		return err
 	}
 }

-func (b *BindMountOp) apply(*Params) error {
-	if b.SourceFinal == "\x00" {
+func (b *BindMountOp) apply(*setupState) error {
+	if b.sourceFinal == nil {
 		if b.Flags&BindOptional == 0 {
 			// unreachable
 			return EBADE
@ -108,12 +129,8 @@ func (b *BindMountOp) apply(*Params) error {
 		return nil
 	}

-	if !path.IsAbs(b.SourceFinal) || !path.IsAbs(b.Target) {
-		return msg.WrapErr(EBADE, "path is not absolute")
-	}
-
-	source := toHost(b.SourceFinal)
-	target := toSysroot(b.Target)
+	source := toHost(b.sourceFinal.String())
+	target := toSysroot(b.Target.String())

 	// this perm value emulates bwrap behaviour as it clears bits from 0755 based on
 	// op->perms which is never set for any bind setup op so always results in 0700
@ -135,7 +152,7 @@ func (b *BindMountOp) apply(*Params) error {
 		flags |= MS_NODEV
 	}

-	return hostProc.bindMount(source, target, flags, b.SourceFinal == b.Target)
+	return hostProc.bindMount(source, target, flags, b.sourceFinal == b.Target)
 }

 func (b *BindMountOp) Is(op Op) bool { vb, ok := op.(*BindMountOp); return ok && *b == *vb }
@ -150,63 +167,74 @@ func (b *BindMountOp) String() string {
 func init() { gob.Register(new(MountProcOp)) }

 // Proc appends an [Op] that mounts a private instance of proc.
-func (f *Ops) Proc(dest string) *Ops {
-	*f = append(*f, MountProcOp(dest))
+func (f *Ops) Proc(target *Absolute) *Ops {
+	*f = append(*f, &MountProcOp{target})
 	return f
 }

-type MountProcOp string
-
-func (p MountProcOp) early(*Params) error { return nil }
-func (p MountProcOp) apply(params *Params) error {
-	v := string(p)
-
-	if !path.IsAbs(v) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", v))
-	}
-
-	target := toSysroot(v)
-	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
-		return wrapErrSelf(err)
-	}
-	return wrapErrSuffix(Mount("proc", target, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, ""),
-		fmt.Sprintf("cannot mount proc on %q:", v))
+type MountProcOp struct {
+	Target *Absolute
 }

-func (p MountProcOp) Is(op Op) bool  { vp, ok := op.(MountProcOp); return ok && p == vp }
-func (MountProcOp) prefix() string   { return "mounting" }
-func (p MountProcOp) String() string { return fmt.Sprintf("proc on %q", string(p)) }
+func (p *MountProcOp) early(*setupState) error { return nil }
+func (p *MountProcOp) apply(state *setupState) error {
+	if p.Target == nil {
+		return EBADE
+	}
+	target := toSysroot(p.Target.String())
+	if err := os.MkdirAll(target, state.ParentPerm); err != nil {
+		return wrapErrSelf(err)
+	}
+	return wrapErrSuffix(Mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString),
+		fmt.Sprintf("cannot mount proc on %q:", p.Target.String()))
+}
+
+func (p *MountProcOp) Is(op Op) bool {
+	vp, ok := op.(*MountProcOp)
+	return ok && ((p == nil && vp == nil) || p == vp)
+}
+func (*MountProcOp) prefix() string   { return "mounting" }
+func (p *MountProcOp) String() string { return fmt.Sprintf("proc on %q", p.Target) }

 func init() { gob.Register(new(MountDevOp)) }

 // Dev appends an [Op] that mounts a subset of host /dev.
-func (f *Ops) Dev(dest string) *Ops {
-	*f = append(*f, MountDevOp(dest))
+func (f *Ops) Dev(target *Absolute, mqueue bool) *Ops {
+	*f = append(*f, &MountDevOp{target, mqueue, false})
 	return f
 }

-type MountDevOp string
+// DevWritable appends an [Op] that mounts a writable subset of host /dev.
+// There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
+func (f *Ops) DevWritable(target *Absolute, mqueue bool) *Ops {
+	*f = append(*f, &MountDevOp{target, mqueue, true})
+	return f
+}

-func (d MountDevOp) early(*Params) error { return nil }
-func (d MountDevOp) apply(params *Params) error {
-	v := string(d)
+type MountDevOp struct {
+	Target *Absolute
+	Mqueue bool
+	Write  bool
+}

-	if !path.IsAbs(v) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", v))
+func (d *MountDevOp) early(*setupState) error { return nil }
+func (d *MountDevOp) apply(state *setupState) error {
+	if d.Target == nil {
+		return EBADE
 	}
-	target := toSysroot(v)
+	target := toSysroot(d.Target.String())

-	if err := mountTmpfs("devtmpfs", v, MS_NOSUID|MS_NODEV, 0, params.ParentPerm); err != nil {
+	if err := mountTmpfs(SourceTmpfsDevtmpfs, target, MS_NOSUID|MS_NODEV, 0, state.ParentPerm); err != nil {
 		return err
 	}

 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
-		targetPath := toSysroot(path.Join(v, name))
-		if err := ensureFile(targetPath, 0444, params.ParentPerm); err != nil {
+		targetPath := path.Join(target, name)
+		if err := ensureFile(targetPath, 0444, state.ParentPerm); err != nil {
 			return err
 		}
 		if err := hostProc.bindMount(
-			toHost("/dev/"+name),
+			toHost(FHSDev+name),
 			targetPath,
 			0,
 			true,
@ -216,15 +244,15 @@ func (d MountDevOp) apply(params *Params) error {
 	}
 	for i, name := range []string{"stdin", "stdout", "stderr"} {
 		if err := os.Symlink(
-			"/proc/self/fd/"+string(rune(i+'0')),
+			FHSProc+"self/fd/"+string(rune(i+'0')),
 			path.Join(target, name),
 		); err != nil {
 			return wrapErrSelf(err)
 		}
 	}
 	for _, pair := range [][2]string{
-		{"/proc/self/fd", "fd"},
-		{"/proc/kcore", "core"},
+		{FHSProc + "self/fd", "fd"},
+		{FHSProc + "kcore", "core"},
 		{"pts/ptmx", "ptmx"},
 	} {
 		if err := os.Symlink(pair[0], path.Join(target, pair[1])); err != nil {
@ -234,22 +262,22 @@ func (d MountDevOp) apply(params *Params) error {

 	devPtsPath := path.Join(target, "pts")
 	for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
-		if err := os.Mkdir(name, params.ParentPerm); err != nil {
+		if err := os.Mkdir(name, state.ParentPerm); err != nil {
 			return wrapErrSelf(err)
 		}
 	}

-	if err := Mount("devpts", devPtsPath, "devpts", MS_NOSUID|MS_NOEXEC,
+	if err := Mount(SourceDevpts, devPtsPath, FstypeDevpts, MS_NOSUID|MS_NOEXEC,
 		"newinstance,ptmxmode=0666,mode=620"); err != nil {
 		return wrapErrSuffix(err,
 			fmt.Sprintf("cannot mount devpts on %q:", devPtsPath))
 	}

-	if params.RetainSession {
+	if state.RetainSession {
 		var buf [8]byte
 		if _, _, errno := Syscall(SYS_IOCTL, 1, TIOCGWINSZ, uintptr(unsafe.Pointer(&buf[0]))); errno == 0 {
-			consolePath := toSysroot(path.Join(v, "console"))
-			if err := ensureFile(consolePath, 0444, params.ParentPerm); err != nil {
+			consolePath := path.Join(target, "console")
+			if err := ensureFile(consolePath, 0444, state.ParentPerm); err != nil {
 				return err
 			}
 			if name, err := os.Readlink(hostProc.stdout()); err != nil {
@ -265,147 +293,293 @@ func (d MountDevOp) apply(params *Params) error {
 		}
 	}

-	return nil
-}
-
-func (d MountDevOp) Is(op Op) bool  { vd, ok := op.(MountDevOp); return ok && d == vd }
-func (MountDevOp) prefix() string   { return "mounting" }
-func (d MountDevOp) String() string { return fmt.Sprintf("dev on %q", string(d)) }
-
-func init() { gob.Register(new(MountMqueueOp)) }
-
-// Mqueue appends an [Op] that mounts a private instance of mqueue.
-func (f *Ops) Mqueue(dest string) *Ops {
-	*f = append(*f, MountMqueueOp(dest))
-	return f
-}
-
-type MountMqueueOp string
-
-func (m MountMqueueOp) early(*Params) error { return nil }
-func (m MountMqueueOp) apply(params *Params) error {
-	v := string(m)
-
-	if !path.IsAbs(v) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", v))
+	if d.Mqueue {
+		mqueueTarget := path.Join(target, "mqueue")
+		if err := os.Mkdir(mqueueTarget, state.ParentPerm); err != nil {
+			return wrapErrSelf(err)
+		}
+		if err := Mount(SourceMqueue, mqueueTarget, FstypeMqueue, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString); err != nil {
+			return wrapErrSuffix(err, "cannot mount mqueue:")
+		}
 	}

-	target := toSysroot(v)
-	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
-		return wrapErrSelf(err)
+	if d.Write {
+		return nil
 	}
-	return wrapErrSuffix(Mount("mqueue", target, "mqueue", MS_NOSUID|MS_NOEXEC|MS_NODEV, ""),
-		fmt.Sprintf("cannot mount mqueue on %q:", v))
+	return wrapErrSuffix(hostProc.remount(target, MS_RDONLY),
+		fmt.Sprintf("cannot remount %q:", target))
 }

-func (m MountMqueueOp) Is(op Op) bool  { vm, ok := op.(MountMqueueOp); return ok && m == vm }
-func (MountMqueueOp) prefix() string   { return "mounting" }
-func (m MountMqueueOp) String() string { return fmt.Sprintf("mqueue on %q", string(m)) }
+func (d *MountDevOp) Is(op Op) bool { vd, ok := op.(*MountDevOp); return ok && *d == *vd }
+func (*MountDevOp) prefix() string  { return "mounting" }
+func (d *MountDevOp) String() string {
+	if d.Mqueue {
+		return fmt.Sprintf("dev on %q with mqueue", d.Target)
+	}
+	return fmt.Sprintf("dev on %q", d.Target)
+}

 func init() { gob.Register(new(MountTmpfsOp)) }

 // Tmpfs appends an [Op] that mounts tmpfs on container path [MountTmpfsOp.Path].
-func (f *Ops) Tmpfs(dest string, size int, perm os.FileMode) *Ops {
-	*f = append(*f, &MountTmpfsOp{"ephemeral", dest, MS_NOSUID | MS_NODEV, size, perm})
+func (f *Ops) Tmpfs(target *Absolute, size int, perm os.FileMode) *Ops {
+	*f = append(*f, &MountTmpfsOp{SourceTmpfsEphemeral, target, MS_NOSUID | MS_NODEV, size, perm})
 	return f
 }

 // Readonly appends an [Op] that mounts read-only tmpfs on container path [MountTmpfsOp.Path].
-func (f *Ops) Readonly(dest string, perm os.FileMode) *Ops {
-	*f = append(*f, &MountTmpfsOp{"readonly", dest, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
+func (f *Ops) Readonly(target *Absolute, perm os.FileMode) *Ops {
+	*f = append(*f, &MountTmpfsOp{SourceTmpfsReadonly, target, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
 	return f
 }

 type MountTmpfsOp struct {
 	FSName string
-	Path   string
+	Path   *Absolute
 	Flags  uintptr
 	Size   int
 	Perm   os.FileMode
 }

-func (t *MountTmpfsOp) early(*Params) error { return nil }
-func (t *MountTmpfsOp) apply(*Params) error {
-	if !path.IsAbs(t.Path) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", t.Path))
+func (t *MountTmpfsOp) early(*setupState) error { return nil }
+func (t *MountTmpfsOp) apply(*setupState) error {
+	if t.Path == nil {
+		return EBADE
 	}
 	if t.Size < 0 || t.Size > math.MaxUint>>1 {
 		return msg.WrapErr(EBADE, fmt.Sprintf("size %d out of bounds", t.Size))
 	}
-	return mountTmpfs(t.FSName, t.Path, t.Flags, t.Size, t.Perm)
+	return mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
 }

 func (t *MountTmpfsOp) Is(op Op) bool  { vt, ok := op.(*MountTmpfsOp); return ok && *t == *vt }
 func (*MountTmpfsOp) prefix() string   { return "mounting" }
 func (t *MountTmpfsOp) String() string { return fmt.Sprintf("tmpfs on %q size %d", t.Path, t.Size) }

-func init() { gob.Register(new(SymlinkOp)) }
+func init() { gob.Register(new(MountOverlayOp)) }

-// Link appends an [Op] that creates a symlink in the container filesystem.
-func (f *Ops) Link(target, linkName string) *Ops {
-	*f = append(*f, &SymlinkOp{target, linkName})
+// Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
+func (f *Ops) Overlay(target, state, work *Absolute, layers ...*Absolute) *Ops {
+	*f = append(*f, &MountOverlayOp{
+		Target: target,
+		Lower:  layers,
+		Upper:  state,
+		Work:   work,
+	})
 	return f
 }

-type SymlinkOp [2]string
+// OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
+// with an ephemeral upperdir and workdir.
+func (f *Ops) OverlayEphemeral(target *Absolute, layers ...*Absolute) *Ops {
+	return f.Overlay(target, AbsFHSRoot, nil, layers...)
+}

-func (l *SymlinkOp) early(*Params) error {
-	if strings.HasPrefix(l[0], "*") {
-		l[0] = l[0][1:]
-		if !path.IsAbs(l[0]) {
-			return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", l[0]))
+// OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
+func (f *Ops) OverlayReadonly(target *Absolute, layers ...*Absolute) *Ops {
+	return f.Overlay(target, nil, nil, layers...)
+}
+
+type MountOverlayOp struct {
+	Target *Absolute
+
+	// Any filesystem, does not need to be on a writable filesystem.
+	Lower []*Absolute
+	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
+	lower []string
+	// The upperdir is normally on a writable filesystem.
+	//
+	// If Work is nil and Upper holds the special value [FHSRoot],
+	// an ephemeral upperdir and workdir will be set up.
+	//
+	// If both Work and Upper are empty strings, upperdir and workdir is omitted and the overlay is mounted readonly.
+	Upper *Absolute
+	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
+	upper string
+	// The workdir needs to be an empty directory on the same filesystem as upperdir.
+	Work *Absolute
+	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
+	work string
+
+	ephemeral bool
+}
+
+func (o *MountOverlayOp) early(*setupState) error {
+	if o.Work == nil && o.Upper != nil {
+		switch o.Upper.String() {
+		case FHSRoot: // ephemeral
+			o.ephemeral = true // intermediate root not yet available
+
+		default:
+			return msg.WrapErr(EINVAL, fmt.Sprintf("upperdir has unexpected value %q", o.Upper))
 		}
-		if name, err := os.Readlink(l[0]); err != nil {
+	}
+	// readonly handled in apply
+
+	if !o.ephemeral {
+		if o.Upper != o.Work && (o.Upper == nil || o.Work == nil) {
+			// unreachable
+			return msg.WrapErr(ENOTRECOVERABLE, "impossible overlay state reached")
+		}
+
+		if o.Upper != nil {
+			if v, err := filepath.EvalSymlinks(o.Upper.String()); err != nil {
+				return wrapErrSelf(err)
+			} else {
+				o.upper = EscapeOverlayDataSegment(toHost(v))
+			}
+		}
+
+		if o.Work != nil {
+			if v, err := filepath.EvalSymlinks(o.Work.String()); err != nil {
+				return wrapErrSelf(err)
+			} else {
+				o.work = EscapeOverlayDataSegment(toHost(v))
+			}
+		}
+	}
+
+	o.lower = make([]string, len(o.Lower))
+	for i, a := range o.Lower {
+		if a == nil {
+			return EBADE
+		}
+
+		if v, err := filepath.EvalSymlinks(a.String()); err != nil {
 			return wrapErrSelf(err)
 		} else {
-			l[0] = name
+			o.lower[i] = EscapeOverlayDataSegment(toHost(v))
 		}
 	}
 	return nil
 }
-func (l *SymlinkOp) apply(params *Params) error {
-	// symlink target is an arbitrary path value, so only validate link name here
-	if !path.IsAbs(l[1]) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", l[1]))
-	}

-	target := toSysroot(l[1])
-	if err := os.MkdirAll(path.Dir(target), params.ParentPerm); err != nil {
+func (o *MountOverlayOp) apply(state *setupState) error {
+	if o.Target == nil {
+		return EBADE
+	}
+	target := toSysroot(o.Target.String())
+	if err := os.MkdirAll(target, state.ParentPerm); err != nil {
 		return wrapErrSelf(err)
 	}
-	if err := os.Symlink(l[0], target); err != nil {
+
+	if o.ephemeral {
+		var err error
+		// these directories are created internally, therefore early (absolute, symlink, prefix, escape) is bypassed
+		if o.upper, err = os.MkdirTemp(FHSRoot, intermediatePatternOverlayUpper); err != nil {
+			return wrapErrSelf(err)
+		}
+		if o.work, err = os.MkdirTemp(FHSRoot, intermediatePatternOverlayWork); err != nil {
+			return wrapErrSelf(err)
+		}
+	}
+
+	options := make([]string, 0, 4)
+
+	if o.upper == zeroString && o.work == zeroString { // readonly
+		if len(o.Lower) < 2 {
+			return msg.WrapErr(EINVAL, "readonly overlay requires at least two lowerdir")
+		}
+		// "upperdir=" and "workdir=" may be omitted. In that case the overlay will be read-only
+	} else {
+		if len(o.Lower) == 0 {
+			return msg.WrapErr(EINVAL, "overlay requires at least one lowerdir")
+		}
+		options = append(options,
+			OptionOverlayUpperdir+"="+o.upper,
+			OptionOverlayWorkdir+"="+o.work)
+	}
+	options = append(options,
+		OptionOverlayLowerdir+"="+strings.Join(o.lower, SpecialOverlayPath),
+		OptionOverlayUserxattr)
+
+	return wrapErrSuffix(Mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, SpecialOverlayOption)),
+		fmt.Sprintf("cannot mount overlay on %q:", o.Target))
+}
+
+func (o *MountOverlayOp) Is(op Op) bool {
+	vo, ok := op.(*MountOverlayOp)
+	return ok &&
+		o.Target == vo.Target &&
+		slices.Equal(o.Lower, vo.Lower) &&
+		o.Upper == vo.Upper &&
+		o.Work == vo.Work
+}
+func (*MountOverlayOp) prefix() string { return "mounting" }
+func (o *MountOverlayOp) String() string {
+	return fmt.Sprintf("overlay on %q with %d layers", o.Target, len(o.Lower))
+}
+
+func init() { gob.Register(new(SymlinkOp)) }
+
+// Link appends an [Op] that creates a symlink in the container filesystem.
+func (f *Ops) Link(target *Absolute, linkName string, dereference bool) *Ops {
+	*f = append(*f, &SymlinkOp{target, linkName, dereference})
+	return f
+}
+
+type SymlinkOp struct {
+	Target *Absolute
+	// LinkName is an arbitrary uninterpreted pathname.
+	LinkName string
+
+	// Dereference causes LinkName to be dereferenced during early.
+	Dereference bool
+}
+
+func (l *SymlinkOp) early(*setupState) error {
+	if l.Dereference {
+		if !isAbs(l.LinkName) {
+			return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", l.LinkName))
+		}
+		if name, err := os.Readlink(l.LinkName); err != nil {
+			return wrapErrSelf(err)
+		} else {
+			l.LinkName = name
+		}
+	}
+	return nil
+}
+
+func (l *SymlinkOp) apply(state *setupState) error {
+	if l.Target == nil {
+		return EBADE
+	}
+	target := toSysroot(l.Target.String())
+	if err := os.MkdirAll(path.Dir(target), state.ParentPerm); err != nil {
+		return wrapErrSelf(err)
+	}
+	if err := os.Symlink(l.LinkName, target); err != nil {
 		return wrapErrSelf(err)
 	}
 	return nil
 }

-func (l *SymlinkOp) Is(op Op) bool  { vl, ok := op.(*SymlinkOp); return ok && *l == *vl }
-func (*SymlinkOp) prefix() string   { return "creating" }
-func (l *SymlinkOp) String() string { return fmt.Sprintf("symlink on %q target %q", l[1], l[0]) }
+func (l *SymlinkOp) Is(op Op) bool { vl, ok := op.(*SymlinkOp); return ok && *l == *vl }
+func (*SymlinkOp) prefix() string  { return "creating" }
+func (l *SymlinkOp) String() string {
+	return fmt.Sprintf("symlink on %q linkname %q", l.Target, l.LinkName)
+}

 func init() { gob.Register(new(MkdirOp)) }

 // Mkdir appends an [Op] that creates a directory in the container filesystem.
-func (f *Ops) Mkdir(dest string, perm os.FileMode) *Ops {
-	*f = append(*f, &MkdirOp{dest, perm})
+func (f *Ops) Mkdir(name *Absolute, perm os.FileMode) *Ops {
+	*f = append(*f, &MkdirOp{name, perm})
 	return f
 }

 type MkdirOp struct {
-	Path string
+	Path *Absolute
 	Perm os.FileMode
 }

-func (m *MkdirOp) early(*Params) error { return nil }
-func (m *MkdirOp) apply(*Params) error {
-	if !path.IsAbs(m.Path) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", m.Path))
+func (m *MkdirOp) early(*setupState) error { return nil }
+func (m *MkdirOp) apply(*setupState) error {
+	if m.Path == nil {
+		return EBADE
 	}
-
-	if err := os.MkdirAll(toSysroot(m.Path), m.Perm); err != nil {
-		return wrapErrSelf(err)
-	}
-	return nil
+	return wrapErrSelf(os.MkdirAll(toSysroot(m.Path.String()), m.Perm))
 }

 func (m *MkdirOp) Is(op Op) bool  { vm, ok := op.(*MkdirOp); return ok && m == vm }
@ -415,10 +589,13 @@ func (m *MkdirOp) String() string { return fmt.Sprintf("directory %q perm %s", m
 func init() { gob.Register(new(TmpfileOp)) }

 // Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
-func (f *Ops) Place(name string, data []byte) *Ops { *f = append(*f, &TmpfileOp{name, data}); return f }
+func (f *Ops) Place(name *Absolute, data []byte) *Ops {
+	*f = append(*f, &TmpfileOp{name, data})
+	return f
+}

 // PlaceP is like Place but writes the address of [TmpfileOp.Data] to the pointer dataP points to.
-func (f *Ops) PlaceP(name string, dataP **[]byte) *Ops {
+func (f *Ops) PlaceP(name *Absolute, dataP **[]byte) *Ops {
 	t := &TmpfileOp{Path: name}
 	*dataP = &t.Data

@ -427,18 +604,18 @@ func (f *Ops) PlaceP(name string, dataP **[]byte) *Ops {
 }

 type TmpfileOp struct {
-	Path string
+	Path *Absolute
 	Data []byte
 }

-func (t *TmpfileOp) early(*Params) error { return nil }
-func (t *TmpfileOp) apply(params *Params) error {
-	if !path.IsAbs(t.Path) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", t.Path))
+func (t *TmpfileOp) early(*setupState) error { return nil }
+func (t *TmpfileOp) apply(state *setupState) error {
+	if t.Path == nil {
+		return EBADE
 	}

 	var tmpPath string
-	if f, err := os.CreateTemp("/", "tmp.*"); err != nil {
+	if f, err := os.CreateTemp(FHSRoot, intermediatePatternTmpfile); err != nil {
 		return wrapErrSelf(err)
 	} else if _, err = f.Write(t.Data); err != nil {
 		return wrapErrSuffix(err,
@ -450,8 +627,8 @@ func (t *TmpfileOp) apply(params *Params) error {
 		tmpPath = f.Name()
 	}

-	target := toSysroot(t.Path)
-	if err := ensureFile(target, 0444, params.ParentPerm); err != nil {
+	target := toSysroot(t.Path.String())
+	if err := ensureFile(target, 0444, state.ParentPerm); err != nil {
 		return err
 	} else if err = hostProc.bindMount(
 		tmpPath,
--- a/container/output_test.go
+++ b/container/output_test.go
@ -0,0 +1,110 @@
+package container
+
+import (
+	"reflect"
+	"syscall"
+	"testing"
+)
+
+func TestGetSetOutput(t *testing.T) {
+	{
+		out := GetOutput()
+		t.Cleanup(func() { SetOutput(out) })
+	}
+
+	t.Run("default", func(t *testing.T) {
+		SetOutput(new(stubOutput))
+		if v, ok := GetOutput().(*DefaultMsg); ok {
+			t.Fatalf("SetOutput: got unexpected output %#v", v)
+		}
+		SetOutput(nil)
+		if _, ok := GetOutput().(*DefaultMsg); !ok {
+			t.Fatalf("SetOutput: got unexpected output %#v", GetOutput())
+		}
+	})
+
+	t.Run("stub", func(t *testing.T) {
+		SetOutput(new(stubOutput))
+		if _, ok := GetOutput().(*stubOutput); !ok {
+			t.Fatalf("SetOutput: got unexpected output %#v", GetOutput())
+		}
+	})
+}
+
+func TestWrapErr(t *testing.T) {
+	{
+		out := GetOutput()
+		t.Cleanup(func() { SetOutput(out) })
+	}
+
+	var wrapFp *func(error, ...any) error
+	s := new(stubOutput)
+	SetOutput(s)
+	wrapFp = &s.wrapF
+
+	testCases := []struct {
+		name    string
+		f       func(t *testing.T)
+		wantErr error
+		wantA   []any
+	}{
+		{"suffix nil", func(t *testing.T) {
+			if err := wrapErrSuffix(nil, "\x00"); err != nil {
+				t.Errorf("wrapErrSuffix: %v", err)
+			}
+		}, nil, nil},
+		{"suffix val", func(t *testing.T) {
+			if err := wrapErrSuffix(syscall.ENOTRECOVERABLE, "\x00\x00"); err != syscall.ENOTRECOVERABLE {
+				t.Errorf("wrapErrSuffix: %v", err)
+			}
+		}, syscall.ENOTRECOVERABLE, []any{"\x00\x00", syscall.ENOTRECOVERABLE}},
+		{"self nil", func(t *testing.T) {
+			if err := wrapErrSelf(nil); err != nil {
+				t.Errorf("wrapErrSelf: %v", err)
+			}
+		}, nil, nil},
+		{"self val", func(t *testing.T) {
+			if err := wrapErrSelf(syscall.ENOTRECOVERABLE); err != syscall.ENOTRECOVERABLE {
+				t.Errorf("wrapErrSelf: %v", err)
+			}
+		}, syscall.ENOTRECOVERABLE, []any{"state not recoverable"}},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var (
+				gotErr error
+				gotA   []any
+			)
+			*wrapFp = func(err error, a ...any) error { gotErr = err; gotA = a; return err }
+
+			tc.f(t)
+			if gotErr != tc.wantErr {
+				t.Errorf("WrapErr: err = %v, want %v", gotErr, tc.wantErr)
+			}
+
+			if !reflect.DeepEqual(gotA, tc.wantA) {
+				t.Errorf("WrapErr: a = %v, want %v", gotA, tc.wantA)
+			}
+		})
+	}
+}
+
+type stubOutput struct {
+	wrapF func(error, ...any) error
+}
+
+func (*stubOutput) IsVerbose() bool            { panic("unreachable") }
+func (*stubOutput) Verbose(...any)             { panic("unreachable") }
+func (*stubOutput) Verbosef(string, ...any)    { panic("unreachable") }
+func (*stubOutput) PrintBaseErr(error, string) { panic("unreachable") }
+func (*stubOutput) Suspend()                   { panic("unreachable") }
+func (*stubOutput) Resume() bool               { panic("unreachable") }
+func (*stubOutput) BeforeExit()                { panic("unreachable") }
+
+func (s *stubOutput) WrapErr(err error, v ...any) error {
+	if s.wrapF == nil {
+		panic("unreachable")
+	}
+	return s.wrapF(err, v...)
+}
--- a/container/params.go
+++ b/container/params.go
@ -5,11 +5,11 @@ import (
 	"errors"
 	"os"
 	"strconv"
+	"syscall"
 )

 var (
-	ErrNotSet  = errors.New("environment variable not set")
-	ErrInvalid = errors.New("bad file descriptor")
+	ErrNotSet = errors.New("environment variable not set")
 )

 // Setup appends the read end of a pipe for setup params transmission and returns its fd.
@ -35,7 +35,7 @@ func Receive(key string, e any, v **os.File) (func() error, error) {
 		} else {
 			setup = os.NewFile(uintptr(fd), "setup")
 			if setup == nil {
-				return nil, ErrInvalid
+				return nil, syscall.EBADF
 			}
 			if v != nil {
 				*v = setup
--- a/container/path.go
+++ b/container/path.go
@ -13,10 +13,81 @@ import (
 	"hakurei.app/container/vfs"
 )

+/* constants in this file bypass abs check, be extremely careful when changing them! */
+
 const (
-	hostPath    = "/" + hostDir
+	// FHSRoot points to the file system root.
+	FHSRoot = "/"
+	// FHSEtc points to the directory for system-specific configuration.
+	FHSEtc = "/etc/"
+	// FHSTmp points to the place for small temporary files.
+	FHSTmp = "/tmp/"
+
+	// FHSRun points to a "tmpfs" file system for system packages to place runtime data, socket files, and similar.
+	FHSRun = "/run/"
+	// FHSRunUser points to a directory containing per-user runtime directories,
+	// each usually individually mounted "tmpfs" instances.
+	FHSRunUser = FHSRun + "user/"
+
+	// FHSUsr points to vendor-supplied operating system resources.
+	FHSUsr = "/usr/"
+	// FHSUsrBin points to binaries and executables for user commands that shall appear in the $PATH search path.
+	FHSUsrBin = FHSUsr + "bin/"
+
+	// FHSVar points to persistent, variable system data. Writable during normal system operation.
+	FHSVar = "/var/"
+	// FHSVarLib points to persistent system data.
+	FHSVarLib = FHSVar + "lib/"
+	// FHSVarEmpty points to a nonstandard directory that is usually empty.
+	FHSVarEmpty = FHSVar + "empty/"
+
+	// FHSDev points to the root directory for device nodes.
+	FHSDev = "/dev/"
+	// FHSProc points to a virtual kernel file system exposing the process list and other functionality.
+	FHSProc = "/proc/"
+	// FHSProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
+	FHSProcSys = FHSProc + "sys/"
+	// FHSSys points to a virtual kernel file system exposing discovered devices and other functionality.
+	FHSSys = "/sys/"
+)
+
+var (
+	// AbsFHSRoot is [FHSRoot] as [Absolute].
+	AbsFHSRoot = &Absolute{FHSRoot}
+	// AbsFHSEtc is [FHSEtc] as [Absolute].
+	AbsFHSEtc = &Absolute{FHSEtc}
+	// AbsFHSTmp is [FHSTmp] as [Absolute].
+	AbsFHSTmp = &Absolute{FHSTmp}
+
+	// AbsFHSRun is [FHSRun] as [Absolute].
+	AbsFHSRun = &Absolute{FHSRun}
+	// AbsFHSRunUser is [FHSRunUser] as [Absolute].
+	AbsFHSRunUser = &Absolute{FHSRunUser}
+
+	// AbsFHSUsrBin is [FHSUsrBin] as [Absolute].
+	AbsFHSUsrBin = &Absolute{FHSUsrBin}
+
+	// AbsFHSVar is [FHSVar] as [Absolute].
+	AbsFHSVar = &Absolute{FHSVar}
+	// AbsFHSVarLib is [FHSVarLib] as [Absolute].
+	AbsFHSVarLib = &Absolute{FHSVarLib}
+
+	// AbsFHSDev is [FHSDev] as [Absolute].
+	AbsFHSDev = &Absolute{FHSDev}
+	// AbsFHSProc is [FHSProc] as [Absolute].
+	AbsFHSProc = &Absolute{FHSProc}
+	// AbsFHSSys is [FHSSys] as [Absolute].
+	AbsFHSSys = &Absolute{FHSSys}
+)
+
+const (
+	// Nonexistent is a path that cannot exist.
+	// /proc is chosen because a system with covered /proc is unsupported by this package.
+	Nonexistent = FHSProc + "nonexistent"
+
+	hostPath    = FHSRoot + hostDir
 	hostDir     = "host"
-	sysrootPath = "/" + sysrootDir
+	sysrootPath = FHSRoot + sysrootDir
 	sysrootDir  = "sysroot"
 )

@ -63,9 +134,9 @@ func ensureFile(name string, perm, pperm os.FileMode) error {
 	return err
 }

-var hostProc = newProcPats(hostPath)
+var hostProc = newProcPaths(hostPath)

-func newProcPats(prefix string) *procPaths {
+func newProcPaths(prefix string) *procPaths {
 	return &procPaths{prefix + "/proc", prefix + "/proc/self"}
 }

--- a/container/path_test.go
+++ b/container/path_test.go
@ -0,0 +1,42 @@
+package container
+
+import "testing"
+
+func TestToSysroot(t *testing.T) {
+	testCases := []struct {
+		name string
+		want string
+	}{
+		{"", "/sysroot"},
+		{"/", "/sysroot"},
+		{"//etc///", "/sysroot/etc"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := toSysroot(tc.name); got != tc.want {
+				t.Errorf("toSysroot: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestToHost(t *testing.T) {
+	testCases := []struct {
+		name string
+		want string
+	}{
+		{"", "/host"},
+		{"/", "/host"},
+		{"//etc///", "/host/etc"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := toHost(tc.name); got != tc.want {
+				t.Errorf("toHost: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+// InternalToHostOvlEscape exports toHost passed to EscapeOverlayDataSegment.
+func InternalToHostOvlEscape(s string) string { return EscapeOverlayDataSegment(toHost(s)) }
--- a/container/syscall.go
+++ b/container/syscall.go
@ -18,6 +18,14 @@ func SetDumpable(dumpable uintptr) error {
 	return nil
 }

+func SetNoNewPrivs() error {
+	_, _, errno := syscall.Syscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
+	if errno == 0 {
+		return nil
+	}
+	return errno
+}
+
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
--- a/container/sysctl.go
+++ b/container/sysctl.go
@ -17,9 +17,9 @@ var (
 )

 const (
-	kernelOverflowuidPath = "/proc/sys/kernel/overflowuid"
-	kernelOverflowgidPath = "/proc/sys/kernel/overflowgid"
-	kernelCapLastCapPath  = "/proc/sys/kernel/cap_last_cap"
+	kernelOverflowuidPath = FHSProcSys + "kernel/overflowuid"
+	kernelOverflowgidPath = FHSProcSys + "kernel/overflowgid"
+	kernelCapLastCapPath  = FHSProcSys + "kernel/cap_last_cap"
 )

 func mustReadSysctl() {
--- a/flake.nix
+++ b/flake.nix
@ -159,6 +159,54 @@
          default = pkgs.mkShell { buildInputs = hakurei.targetPkgs; };
          withPackage = pkgs.mkShell { buildInputs = [ hakurei ] ++ hakurei.targetPkgs; };

+          vm =
+            let
+              nixos = nixpkgs.lib.nixosSystem {
+                inherit system;
+                modules = [
+                  {
+                    environment = {
+                      systemPackages = [
+                        (pkgs.buildFHSEnv {
+                          pname = "hakurei-fhs";
+                          inherit (hakurei) version;
+                          targetPkgs = _: hakurei.targetPkgs;
+                          extraOutputsToInstall = [ "dev" ];
+                          profile = ''
+                            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+                          '';
+                        })
+                      ];
+
+                      hakurei =
+                        let
+                          # this is used for interactive vm testing during development, where tests might be broken
+                          package = self.packages.${pkgs.system}.hakurei.override {
+                            buildGoModule = previousArgs: pkgs.pkgsStatic.buildGoModule (previousArgs // { doCheck = false; });
+                          };
+                        in
+                        {
+                          inherit package;
+                          hsuPackage = self.packages.${pkgs.system}.hsu.override { hakurei = package; };
+                        };
+                    };
+                  }
+
+                  ./test/interactive/configuration.nix
+                  ./test/interactive/vm.nix
+                  ./test/interactive/hakurei.nix
+                  ./test/interactive/trace.nix
+
+                  self.nixosModules.hakurei
+                  self.inputs.home-manager.nixosModules.home-manager
+                ];
+              };
+            in
+            pkgs.mkShell {
+              buildInputs = [ nixos.config.system.build.vm ];
+              shellHook = "exec run-nixos-vm $@";
+            };
+
          generateDoc =
            let
              inherit (pkgs) lib;
--- a/helper/container.go
+++ b/helper/container.go
@ -16,7 +16,7 @@ import (
 // New initialises a Helper instance with wt as the null-terminated argument writer.
 func New(
 	ctx context.Context,
-	name string,
+	pathname *container.Absolute, name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
@ -26,7 +26,7 @@ func New(
 	var args []string
 	h := new(helperContainer)
 	h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
-	h.Container = container.New(ctx, name, args...)
+	h.Container = container.NewCommand(ctx, pathname, name, args...)
 	h.WaitDelay = WaitDelay
 	if cmdF != nil {
 		cmdF(h.Container)
--- a/helper/container_test.go
+++ b/helper/container_test.go
@ -12,7 +12,7 @@ import (

 func TestContainer(t *testing.T) {
 	t.Run("start empty container", func(t *testing.T) {
-		h := helper.New(t.Context(), container.Nonexistent, argsWt, false, argF, nil, nil)
+		h := helper.New(t.Context(), container.MustAbs(container.Nonexistent), "hakurei", argsWt, false, argF, nil, nil)

 		wantErr := "container: starting an empty container"
 		if err := h.Start(); err == nil || err.Error() != wantErr {
@ -22,7 +22,7 @@ func TestContainer(t *testing.T) {
 	})

 	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.New(t.Context(), "hakurei", argsWt, false, argF, nil, nil); got == nil {
+		if got := helper.New(t.Context(), container.MustAbs(container.Nonexistent), "hakurei", argsWt, false, argF, nil, nil); got == nil {
 			t.Errorf("New(%q, %q) got nil",
 				argsWt, "hakurei")
 			return
@ -31,9 +31,12 @@ func TestContainer(t *testing.T) {

 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
-			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(z *container.Container) {
+			return helper.New(ctx, container.MustAbs(os.Args[0]), "helper", argsWt, stat, argF, func(z *container.Container) {
 				setOutput(&z.Stdout, &z.Stderr)
-				z.Bind("/", "/", 0).Proc("/proc").Dev("/dev")
+				z.
+					Bind(container.AbsFHSRoot, container.AbsFHSRoot, 0).
+					Proc(container.AbsFHSProc).
+					Dev(container.AbsFHSDev, true)
 			}, nil)
 		})
 	})
--- a/hst/config.go
+++ b/hst/config.go
@ -1,75 +1,144 @@
-// Package hst exports shared types for invoking hakurei.
 package hst

 import (
-	"hakurei.app/system"
+	"time"
+
+	"hakurei.app/container"
+	"hakurei.app/container/seccomp"
 	"hakurei.app/system/dbus"
 )

 const Tmp = "/.hakurei"

+var AbsTmp = container.MustAbs(Tmp)
+
 // Config is used to seal an app implementation.
-type Config struct {
-	// reverse-DNS style arbitrary identifier string from config;
-	// passed to wayland security-context-v1 as application ID
-	// and used as part of defaults in dbus session proxy
-	ID string `json:"id"`
+type (
+	Config struct {
+		// reverse-DNS style arbitrary identifier string from config;
+		// passed to wayland security-context-v1 as application ID
+		// and used as part of defaults in dbus session proxy
+		ID string `json:"id"`

-	// absolute path to executable file
-	Path string `json:"path,omitempty"`
-	// final args passed to container init
-	Args []string `json:"args"`
+		// absolute path to executable file
+		Path *container.Absolute `json:"path,omitempty"`
+		// final args passed to container init
+		Args []string `json:"args"`

-	// system services to make available in the container
-	Enablements system.Enablement `json:"enablements"`
+		// system services to make available in the container
+		Enablements *Enablements `json:"enablements,omitempty"`

-	// session D-Bus proxy configuration;
-	// nil makes session bus proxy assume built-in defaults
-	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// system D-Bus proxy configuration;
-	// nil disables system bus proxy
-	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
-	// and the bare socket is mounted to the sandbox
-	DirectWayland bool `json:"direct_wayland,omitempty"`
+		// session D-Bus proxy configuration;
+		// nil makes session bus proxy assume built-in defaults
+		SessionBus *dbus.Config `json:"session_bus,omitempty"`
+		// system D-Bus proxy configuration;
+		// nil disables system bus proxy
+		SystemBus *dbus.Config `json:"system_bus,omitempty"`
+		// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
+		// and the bare socket is mounted to the sandbox
+		DirectWayland bool `json:"direct_wayland,omitempty"`

-	// passwd username in container, defaults to passwd name of target uid or chronos
-	Username string `json:"username,omitempty"`
-	// absolute path to shell, empty for host shell
-	Shell string `json:"shell,omitempty"`
-	// absolute path to home directory in the init mount namespace
-	Data string `json:"data"`
-	// directory to enter and use as home in the container mount namespace, empty for Data
-	Dir string `json:"dir"`
-	// extra acl ops, dispatches before container init
-	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
+		// passwd username in container, defaults to passwd name of target uid or chronos
+		Username string `json:"username,omitempty"`
+		// absolute path to shell
+		Shell *container.Absolute `json:"shell"`
+		// absolute path to home directory in the init mount namespace
+		Data *container.Absolute `json:"data"`
+		// directory to enter and use as home in the container mount namespace, nil for Data
+		Dir *container.Absolute `json:"dir,omitempty"`
+		// extra acl ops, dispatches before container init
+		ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`

-	// numerical application id, used for init user namespace credentials
-	Identity int `json:"identity"`
-	// list of supplementary groups inherited by container processes
-	Groups []string `json:"groups"`
+		// numerical application id, used for init user namespace credentials
+		Identity int `json:"identity"`
+		// list of supplementary groups inherited by container processes
+		Groups []string `json:"groups"`

-	// abstract container configuration baseline
-	Container *ContainerConfig `json:"container"`
-}
+		// abstract container configuration baseline
+		Container *ContainerConfig `json:"container"`
+	}
+
+	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
+	ContainerConfig struct {
+		// container hostname
+		Hostname string `json:"hostname,omitempty"`
+
+		// duration to wait for after interrupting a container's initial process in nanoseconds;
+		// a negative value causes the container to be terminated immediately on cancellation
+		WaitDelay time.Duration `json:"wait_delay,omitempty"`
+
+		// extra seccomp flags
+		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
+		// extra seccomp presets
+		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
+		// disable project-specific filter extensions
+		SeccompCompat bool `json:"seccomp_compat,omitempty"`
+		// allow ptrace and friends
+		Devel bool `json:"devel,omitempty"`
+		// allow userns creation in container
+		Userns bool `json:"userns,omitempty"`
+		// share host net namespace
+		Net bool `json:"net,omitempty"`
+		// share abstract unix socket scope
+		Abstract bool `json:"abstract,omitempty"`
+		// allow dangerous terminal I/O
+		Tty bool `json:"tty,omitempty"`
+		// allow multiarch
+		Multiarch bool `json:"multiarch,omitempty"`
+
+		// initial process environment variables
+		Env map[string]string `json:"env"`
+		// map target user uid to privileged user uid in the user namespace
+		MapRealUID bool `json:"map_real_uid"`
+
+		// pass through all devices
+		Device bool `json:"device,omitempty"`
+		// container mount points
+		Filesystem []FilesystemConfigJSON `json:"filesystem"`
+		// create symlinks inside container filesystem
+		Link []LinkConfig `json:"symlink"`
+
+		// automatically bind mount top-level directories to container root;
+		// the zero value disables this behaviour
+		AutoRoot *container.Absolute `json:"auto_root,omitempty"`
+		// extra flags for AutoRoot
+		RootFlags int `json:"root_flags,omitempty"`
+
+		// read-only /etc directory
+		Etc *container.Absolute `json:"etc,omitempty"`
+		// automatically set up /etc symlinks
+		AutoEtc bool `json:"auto_etc"`
+	}
+
+	LinkConfig struct {
+		// symlink target in container
+		Target *container.Absolute `json:"target"`
+		// linkname the symlink points to;
+		// prepend '*' to dereference an absolute pathname on host
+		Linkname string `json:"linkname"`
+	}
+)

 // ExtraPermConfig describes an acl update op.
 type ExtraPermConfig struct {
-	Ensure  bool   `json:"ensure,omitempty"`
-	Path    string `json:"path"`
-	Read    bool   `json:"r,omitempty"`
-	Write   bool   `json:"w,omitempty"`
-	Execute bool   `json:"x,omitempty"`
+	Ensure  bool                `json:"ensure,omitempty"`
+	Path    *container.Absolute `json:"path"`
+	Read    bool                `json:"r,omitempty"`
+	Write   bool                `json:"w,omitempty"`
+	Execute bool                `json:"x,omitempty"`
 }

 func (e *ExtraPermConfig) String() string {
-	buf := make([]byte, 0, 5+len(e.Path))
+	if e == nil || e.Path == nil {
+		return "<invalid>"
+	}
+	buf := make([]byte, 0, 5+len(e.Path.String()))
 	buf = append(buf, '-', '-', '-')
 	if e.Ensure {
 		buf = append(buf, '+')
 	}
 	buf = append(buf, ':')
-	buf = append(buf, []byte(e.Path)...)
+	buf = append(buf, []byte(e.Path.String())...)
 	if e.Read {
 		buf[0] = 'r'
 	}
--- a/hst/config_test.go
+++ b/hst/config_test.go
@ -0,0 +1,35 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestExtraPermConfig(t *testing.T) {
+	testCases := []struct {
+		name   string
+		config *hst.ExtraPermConfig
+		want   string
+	}{
+		{"nil", nil, "<invalid>"},
+		{"nil path", &hst.ExtraPermConfig{Path: nil}, "<invalid>"},
+		{"r", &hst.ExtraPermConfig{Path: container.AbsFHSRoot, Read: true}, "r--:/"},
+		{"r+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRoot, Read: true}, "r--+:/"},
+		{"w", &hst.ExtraPermConfig{Path: hst.AbsTmp, Write: true}, "-w-:/.hakurei"},
+		{"w+", &hst.ExtraPermConfig{Ensure: true, Path: hst.AbsTmp, Write: true}, "-w-+:/.hakurei"},
+		{"x", &hst.ExtraPermConfig{Path: container.AbsFHSRunUser, Execute: true}, "--x:/run/user/"},
+		{"x+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRunUser, Execute: true}, "--x+:/run/user/"},
+		{"rwx", &hst.ExtraPermConfig{Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx:/tmp/"},
+		{"rwx+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx+:/tmp/"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := tc.config.String(); got != tc.want {
+				t.Errorf("String: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
--- a/hst/container.go
+++ b/hst/container.go
@ -1,90 +0,0 @@
-package hst
-
-import (
-	"time"
-
-	"hakurei.app/container/seccomp"
-)
-
-const (
-	// SourceTmpfs causes tmpfs to be mounted on [FilesystemConfig.Dst]
-	// when assigned to [FilesystemConfig.Src].
-	SourceTmpfs = "tmpfs"
-
-	// TmpfsPerm is the permission bits for tmpfs mount points
-	// configured through [FilesystemConfig].
-	TmpfsPerm = 0755
-
-	// TmpfsSize is the size for tmpfs mount points
-	// configured through [FilesystemConfig].
-	TmpfsSize = 0
-)
-
-type (
-	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
-	ContainerConfig struct {
-		// container hostname
-		Hostname string `json:"hostname,omitempty"`
-
-		// duration to wait for after interrupting a container's initial process in nanoseconds;
-		// a negative value causes the container to be terminated immediately on cancellation
-		WaitDelay time.Duration `json:"wait_delay,omitempty"`
-
-		// extra seccomp flags
-		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
-		// extra seccomp presets
-		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
-		// disable project-specific filter extensions
-		SeccompCompat bool `json:"seccomp_compat,omitempty"`
-		// allow ptrace and friends
-		Devel bool `json:"devel,omitempty"`
-		// allow userns creation in container
-		Userns bool `json:"userns,omitempty"`
-		// share host net namespace
-		Net bool `json:"net,omitempty"`
-		// allow dangerous terminal I/O
-		Tty bool `json:"tty,omitempty"`
-		// allow multiarch
-		Multiarch bool `json:"multiarch,omitempty"`
-
-		// initial process environment variables
-		Env map[string]string `json:"env"`
-		// map target user uid to privileged user uid in the user namespace
-		MapRealUID bool `json:"map_real_uid"`
-
-		// pass through all devices
-		Device bool `json:"device,omitempty"`
-		// container host filesystem bind mounts
-		Filesystem []*FilesystemConfig `json:"filesystem"`
-		// create symlinks inside container filesystem
-		Link [][2]string `json:"symlink"`
-
-		// automatically bind mount top-level directories to container root;
-		// the zero value disables this behaviour
-		AutoRoot string `json:"auto_root,omitempty"`
-		// extra flags for AutoRoot
-		RootFlags int `json:"root_flags,omitempty"`
-
-		// read-only /etc directory
-		Etc string `json:"etc,omitempty"`
-		// automatically set up /etc symlinks
-		AutoEtc bool `json:"auto_etc"`
-
-		// cover these paths or create them if they do not already exist
-		Cover []string `json:"cover"`
-	}
-
-	// FilesystemConfig is an abstract representation of a bind mount.
-	FilesystemConfig struct {
-		// mount point in container, same as src if empty
-		Dst string `json:"dst,omitempty"`
-		// host filesystem path to make available to the container
-		Src string `json:"src"`
-		// do not mount filesystem read-only
-		Write bool `json:"write,omitempty"`
-		// do not disable device files
-		Device bool `json:"dev,omitempty"`
-		// fail if the bind mount cannot be established for any reason
-		Must bool `json:"require,omitempty"`
-	}
-)
--- a/hst/enablement.go
+++ b/hst/enablement.go
@ -0,0 +1,69 @@
+package hst
+
+import (
+	"encoding/json"
+	"syscall"
+
+	"hakurei.app/system"
+)
+
+// NewEnablements returns the address of [system.Enablement] as [Enablements].
+func NewEnablements(e system.Enablement) *Enablements { return (*Enablements)(&e) }
+
+// enablementsJSON is the [json] representation of the [system.Enablement] bit field.
+type enablementsJSON struct {
+	Wayland bool `json:"wayland,omitempty"`
+	X11     bool `json:"x11,omitempty"`
+	DBus    bool `json:"dbus,omitempty"`
+	Pulse   bool `json:"pulse,omitempty"`
+}
+
+// Enablements is the [json] adapter for [system.Enablement].
+type Enablements system.Enablement
+
+// Unwrap returns the underlying [system.Enablement].
+func (e *Enablements) Unwrap() system.Enablement {
+	if e == nil {
+		return 0
+	}
+	return system.Enablement(*e)
+}
+
+func (e *Enablements) MarshalJSON() ([]byte, error) {
+	if e == nil {
+		return nil, syscall.EINVAL
+	}
+	return json.Marshal(&enablementsJSON{
+		Wayland: system.Enablement(*e)&system.EWayland != 0,
+		X11:     system.Enablement(*e)&system.EX11 != 0,
+		DBus:    system.Enablement(*e)&system.EDBus != 0,
+		Pulse:   system.Enablement(*e)&system.EPulse != 0,
+	})
+}
+
+func (e *Enablements) UnmarshalJSON(data []byte) error {
+	if e == nil {
+		return syscall.EINVAL
+	}
+
+	v := new(enablementsJSON)
+	if err := json.Unmarshal(data, &v); err != nil {
+		return err
+	}
+
+	var ve system.Enablement
+	if v.Wayland {
+		ve |= system.EWayland
+	}
+	if v.X11 {
+		ve |= system.EX11
+	}
+	if v.DBus {
+		ve |= system.EDBus
+	}
+	if v.Pulse {
+		ve |= system.EPulse
+	}
+	*e = Enablements(ve)
+	return nil
+}
--- a/hst/enablement_test.go
+++ b/hst/enablement_test.go
@ -0,0 +1,108 @@
+package hst_test
+
+import (
+	"encoding/json"
+	"errors"
+	"syscall"
+	"testing"
+
+	"hakurei.app/hst"
+	"hakurei.app/system"
+)
+
+func TestEnablements(t *testing.T) {
+	testCases := []struct {
+		name  string
+		e     *hst.Enablements
+		data  string
+		sData string
+	}{
+		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
+		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
+		{"wayland", hst.NewEnablements(system.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"x11", hst.NewEnablements(system.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"dbus", hst.NewEnablements(system.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"pulse", hst.NewEnablements(system.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"all", hst.NewEnablements(system.EWayland | system.EX11 | system.EDBus | system.EPulse), `{"wayland":true,"x11":true,"dbus":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pulse":true},"magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("marshal", func(t *testing.T) {
+				if got, err := json.Marshal(tc.e); err != nil {
+					t.Fatalf("Marshal: error = %v", err)
+				} else if string(got) != tc.data {
+					t.Errorf("Marshal:\n%s, want\n%s", string(got), tc.data)
+				}
+
+				if got, err := json.Marshal(struct {
+					Value *hst.Enablements `json:"value"`
+					Magic int              `json:"magic"`
+				}{tc.e, syscall.MS_MGC_VAL}); err != nil {
+					t.Fatalf("Marshal: error = %v", err)
+				} else if string(got) != tc.sData {
+					t.Errorf("Marshal:\n%s, want\n%s", string(got), tc.sData)
+				}
+			})
+
+			t.Run("unmarshal", func(t *testing.T) {
+				{
+					got := new(hst.Enablements)
+					if err := json.Unmarshal([]byte(tc.data), &got); err != nil {
+						t.Fatalf("Unmarshal: error = %v", err)
+					}
+					if tc.e == nil {
+						if got != nil {
+							t.Errorf("Unmarshal: %v", got)
+						}
+					} else if *got != *tc.e {
+						t.Errorf("Unmarshal: %v, want %v", got, tc.e)
+					}
+				}
+
+				{
+					got := *(new(struct {
+						Value *hst.Enablements `json:"value"`
+						Magic int              `json:"magic"`
+					}))
+					if err := json.Unmarshal([]byte(tc.sData), &got); err != nil {
+						t.Fatalf("Unmarshal: error = %v", err)
+					}
+					if tc.e == nil {
+						if got.Value != nil {
+							t.Errorf("Unmarshal: %v", got)
+						}
+					} else if *got.Value != *tc.e {
+						t.Errorf("Unmarshal: %v, want %v", got.Value, tc.e)
+					}
+				}
+			})
+		})
+	}
+
+	t.Run("unwrap", func(t *testing.T) {
+		t.Run("nil", func(t *testing.T) {
+			if got := (*hst.Enablements)(nil).Unwrap(); got != 0 {
+				t.Errorf("Unwrap: %v", got)
+			}
+		})
+
+		t.Run("val", func(t *testing.T) {
+			if got := hst.NewEnablements(system.EWayland | system.EPulse).Unwrap(); got != system.EWayland|system.EPulse {
+				t.Errorf("Unwrap: %v", got)
+			}
+		})
+	})
+
+	t.Run("passthrough", func(t *testing.T) {
+		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
+			t.Errorf("MarshalJSON: error = %v", err)
+		}
+		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
+			t.Errorf("UnmarshalJSON: error = %v", err)
+		}
+		if err := new(hst.Enablements).UnmarshalJSON([]byte{}); err == nil {
+			t.Errorf("UnmarshalJSON: error = %v", err)
+		}
+	})
+}
--- a/hst/fs.go
+++ b/hst/fs.go
@ -0,0 +1,120 @@
+package hst
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"hakurei.app/container"
+)
+
+// FilesystemConfig is an abstract representation of a mount point.
+type FilesystemConfig interface {
+	// Valid returns whether the configuration is valid.
+	Valid() bool
+	// Path returns the target path in the container.
+	Path() *container.Absolute
+	// Host returns a slice of all host paths used by this operation.
+	Host() []*container.Absolute
+	// Apply appends the [container.Op] implementing this operation.
+	Apply(ops *container.Ops)
+
+	fmt.Stringer
+}
+
+var (
+	ErrFSNull = errors.New("unexpected null in mount point")
+)
+
+// FSTypeError is returned when [ContainerConfig.Filesystem] contains an entry with invalid type.
+type FSTypeError string
+
+func (f FSTypeError) Error() string { return fmt.Sprintf("invalid filesystem type %q", string(f)) }
+
+// FSImplError is returned for unsupported implementations of [FilesystemConfig].
+type FSImplError struct{ Value FilesystemConfig }
+
+func (f FSImplError) Error() string {
+	implType := reflect.TypeOf(f.Value)
+	var name string
+	for implType != nil && implType.Kind() == reflect.Ptr {
+		name += "*"
+		implType = implType.Elem()
+	}
+	if implType != nil {
+		name += implType.Name()
+	} else {
+		name += "nil"
+	}
+	return fmt.Sprintf("implementation %s not supported", name)
+}
+
+// FilesystemConfigJSON is the [json] adapter for [FilesystemConfig].
+type FilesystemConfigJSON struct{ FilesystemConfig }
+
+// Valid returns whether the [FilesystemConfigJSON] is valid.
+func (f *FilesystemConfigJSON) Valid() bool {
+	return f != nil && f.FilesystemConfig != nil && f.FilesystemConfig.Valid()
+}
+
+// fsType holds the string representation of a [FilesystemConfig]'s concrete type.
+type fsType struct {
+	Type string `json:"type"`
+}
+
+func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
+	if f == nil || f.FilesystemConfig == nil {
+		return nil, ErrFSNull
+	}
+	var v any
+	switch cv := f.FilesystemConfig.(type) {
+	case *FSBind:
+		v = &struct {
+			fsType
+			*FSBind
+		}{fsType{FilesystemBind}, cv}
+
+	case *FSEphemeral:
+		v = &struct {
+			fsType
+			*FSEphemeral
+		}{fsType{FilesystemEphemeral}, cv}
+
+	case *FSOverlay:
+		v = &struct {
+			fsType
+			*FSOverlay
+		}{fsType{FilesystemOverlay}, cv}
+
+	default:
+		return nil, FSImplError{f.FilesystemConfig}
+	}
+
+	return json.Marshal(v)
+}
+
+func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
+	t := new(fsType)
+	if err := json.Unmarshal(data, &t); err != nil {
+		return err
+	}
+	if t == nil {
+		return ErrFSNull
+	}
+	switch t.Type {
+	case FilesystemBind:
+		*f = FilesystemConfigJSON{new(FSBind)}
+
+	case FilesystemEphemeral:
+		*f = FilesystemConfigJSON{new(FSEphemeral)}
+
+	case FilesystemOverlay:
+		*f = FilesystemConfigJSON{new(FSOverlay)}
+
+	default:
+		return FSTypeError(t.Type)
+	}
+
+	return json.Unmarshal(data, f.FilesystemConfig)
+}
--- a/hst/fs_test.go
+++ b/hst/fs_test.go
@ -0,0 +1,287 @@
+package hst_test
+
+import (
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFilesystemConfigJSON(t *testing.T) {
+	testCases := []struct {
+		name string
+		want hst.FilesystemConfigJSON
+
+		wantErr     error
+		data, sData string
+	}{
+		{"nil", hst.FilesystemConfigJSON{FilesystemConfig: nil}, hst.ErrFSNull,
+			`null`, `{"fs":null,"magic":3236757504}`},
+
+		{"bad type", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"cat"}},
+			hst.FSTypeError("cat"),
+			`{"type":"cat","meow":true}`, `{"fs":{"type":"cat","meow":true},"magic":3236757504}`},
+
+		{"bad impl bind", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"bind"}},
+			hst.FSImplError{Value: stubFS{"bind"}},
+			"\x00", "\x00"},
+
+		{"bad impl ephemeral", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"ephemeral"}},
+			hst.FSImplError{Value: stubFS{"ephemeral"}},
+			"\x00", "\x00"},
+
+		{"bad impl overlay", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"overlay"}},
+			hst.FSImplError{Value: stubFS{"overlay"}},
+			"\x00", "\x00"},
+
+		{"bind", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSBind{
+				Target:   m("/etc"),
+				Source:   m("/mnt/etc"),
+				Optional: true,
+			},
+		}, nil,
+			`{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true}`,
+			`{"fs":{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true},"magic":3236757504}`},
+
+		{"ephemeral", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSEphemeral{
+				Target: m("/run/user/65534"),
+				Write:  true,
+				Size:   1 << 10,
+				Perm:   0700,
+			},
+		}, nil,
+			`{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448}`,
+			`{"fs":{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448},"magic":3236757504}`},
+
+		{"overlay", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSOverlay{
+				Target: m("/nix/store"),
+				Lower:  ms("/mnt-root/nix/.ro-store"),
+				Upper:  m("/mnt-root/nix/.rw-store/upper"),
+				Work:   m("/mnt-root/nix/.rw-store/work"),
+			},
+		}, nil,
+			`{"type":"overlay","dst":"/nix/store","lower":["/mnt-root/nix/.ro-store"],"upper":"/mnt-root/nix/.rw-store/upper","work":"/mnt-root/nix/.rw-store/work"}`,
+			`{"fs":{"type":"overlay","dst":"/nix/store","lower":["/mnt-root/nix/.ro-store"],"upper":"/mnt-root/nix/.rw-store/upper","work":"/mnt-root/nix/.rw-store/work"},"magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("marshal", func(t *testing.T) {
+				wantErr := tc.wantErr
+				if errors.As(wantErr, new(hst.FSTypeError)) {
+					// for unsupported implementation tc
+					wantErr = hst.FSImplError{Value: stubFS{"cat"}}
+				}
+
+				{
+					d, err := json.Marshal(&tc.want)
+					if !errors.Is(err, wantErr) {
+						t.Errorf("Marshal: error = %v, want %v", err, wantErr)
+					}
+					if wantErr != nil {
+						goto checkSMarshal
+					}
+					if string(d) != tc.data {
+						t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.data)
+					}
+				}
+
+			checkSMarshal:
+				{
+					d, err := json.Marshal(&sCheck{tc.want, syscall.MS_MGC_VAL})
+					if !errors.Is(err, wantErr) {
+						t.Errorf("Marshal: error = %v, want %v", err, wantErr)
+					}
+					if wantErr != nil {
+						return
+					}
+					if string(d) != tc.sData {
+						t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sData)
+					}
+				}
+			})
+
+			t.Run("unmarshal", func(t *testing.T) {
+				if tc.data == "\x00" && tc.sData == "\x00" {
+					if errors.As(tc.wantErr, new(hst.FSImplError)) {
+						// this error is only returned on marshal
+						return
+					}
+				}
+
+				{
+					var got hst.FilesystemConfigJSON
+					err := json.Unmarshal([]byte(tc.data), &got)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						goto checkSUnmarshal
+					}
+					if !reflect.DeepEqual(&tc.want, &got) {
+						t.Errorf("Unmarshal: %#v, want %#v", &tc.want, &got)
+					}
+				}
+
+			checkSUnmarshal:
+				{
+					var got sCheck
+					err := json.Unmarshal([]byte(tc.sData), &got)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						return
+					}
+					want := sCheck{tc.want, syscall.MS_MGC_VAL}
+					if !reflect.DeepEqual(&got, &want) {
+						t.Errorf("Unmarshal: %#v, want %#v", &got, &want)
+					}
+				}
+			})
+		})
+	}
+
+	t.Run("valid", func(t *testing.T) {
+		if got := (*hst.FilesystemConfigJSON).Valid(nil); got {
+			t.Errorf("Valid: %v, want false", got)
+		}
+
+		if got := new(hst.FilesystemConfigJSON).Valid(); got {
+			t.Errorf("Valid: %v, want false", got)
+		}
+
+		if got := (&hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: m("/etc")}}).Valid(); !got {
+			t.Errorf("Valid: %v, want true", got)
+		}
+	})
+
+	t.Run("passthrough", func(t *testing.T) {
+		if err := new(hst.FilesystemConfigJSON).UnmarshalJSON(make([]byte, 0)); err == nil {
+			t.Errorf("UnmarshalJSON: error = %v", err)
+		}
+	})
+}
+
+func TestFSErrors(t *testing.T) {
+	t.Run("type", func(t *testing.T) {
+		want := `invalid filesystem type "cat"`
+		if got := hst.FSTypeError("cat").Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("impl", func(t *testing.T) {
+		testCases := []struct {
+			name string
+			val  hst.FilesystemConfig
+			want string
+		}{
+			{"nil", nil, "implementation nil not supported"},
+			{"stub", stubFS{"cat"}, "implementation stubFS not supported"},
+			{"*stub", &stubFS{"cat"}, "implementation *stubFS not supported"},
+			{"(*stub)(nil)", (*stubFS)(nil), "implementation *stubFS not supported"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				err := hst.FSImplError{Value: tc.val}
+				if got := err.Error(); got != tc.want {
+					t.Errorf("Error: %q, want %q", got, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type stubFS struct {
+	typeName string
+}
+
+func (s stubFS) Valid() bool                 { return false }
+func (s stubFS) Path() *container.Absolute   { panic("unreachable") }
+func (s stubFS) Host() []*container.Absolute { panic("unreachable") }
+func (s stubFS) Apply(*container.Ops)        { panic("unreachable") }
+func (s stubFS) String() string              { return "<invalid " + s.typeName + ">" }
+
+type sCheck struct {
+	FS    hst.FilesystemConfigJSON `json:"fs"`
+	Magic int                      `json:"magic"`
+}
+
+type fsTestCase struct {
+	name  string
+	fs    hst.FilesystemConfig
+	valid bool
+	ops   container.Ops
+	path  *container.Absolute
+	host  []*container.Absolute
+	str   string
+}
+
+func checkFs(t *testing.T, testCases []fsTestCase) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("valid", func(t *testing.T) {
+				if got := tc.fs.Valid(); got != tc.valid {
+					t.Errorf("Valid: %v, want %v", got, tc.valid)
+				}
+			})
+
+			t.Run("ops", func(t *testing.T) {
+				ops := new(container.Ops)
+				tc.fs.Apply(ops)
+				if !reflect.DeepEqual(ops, &tc.ops) {
+					gotString := new(strings.Builder)
+					for _, op := range *ops {
+						gotString.WriteString("\n" + op.String())
+					}
+					wantString := new(strings.Builder)
+					for _, op := range tc.ops {
+						wantString.WriteString("\n" + op.String())
+					}
+					t.Errorf("Apply: %s, want %s", gotString, wantString)
+				}
+			})
+
+			t.Run("path", func(t *testing.T) {
+				if got := tc.fs.Path(); !reflect.DeepEqual(got, tc.path) {
+					t.Errorf("Target: %q, want %q", got, tc.path)
+				}
+			})
+
+			t.Run("host", func(t *testing.T) {
+				if got := tc.fs.Host(); !reflect.DeepEqual(got, tc.host) {
+					t.Errorf("Host: %q, want %q", got, tc.host)
+				}
+			})
+
+			t.Run("string", func(t *testing.T) {
+				if tc.str == "\x00" {
+					return
+				}
+
+				if got := tc.fs.String(); got != tc.str {
+					t.Errorf("String: %q, want %q", got, tc.str)
+				}
+			})
+		})
+	}
+}
+
+func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
+func ms(pathnames ...string) []*container.Absolute {
+	as := make([]*container.Absolute, len(pathnames))
+	for i, pathname := range pathnames {
+		as[i] = container.MustAbs(pathname)
+	}
+	return as
+}
--- a/hst/fsbind.go
+++ b/hst/fsbind.go
@ -0,0 +1,102 @@
+package hst
+
+import (
+	"encoding/gob"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSBind)) }
+
+// FilesystemBind is the [FilesystemConfig.Type] name of a bind mount point.
+const FilesystemBind = "bind"
+
+// FSBind represents a host to container bind mount.
+type FSBind struct {
+	// mount point in container, same as src if empty
+	Target *container.Absolute `json:"dst,omitempty"`
+	// host filesystem path to make available to the container
+	Source *container.Absolute `json:"src"`
+	// do not mount filesystem read-only
+	Write bool `json:"write,omitempty"`
+	// do not disable device files, implies Write
+	Device bool `json:"dev,omitempty"`
+	// skip this mount point if the host path does not exist
+	Optional bool `json:"optional,omitempty"`
+}
+
+func (b *FSBind) Valid() bool { return b != nil && b.Source != nil }
+
+func (b *FSBind) Path() *container.Absolute {
+	if !b.Valid() {
+		return nil
+	}
+	if b.Target == nil {
+		return b.Source
+	}
+	return b.Target
+}
+
+func (b *FSBind) Host() []*container.Absolute {
+	if !b.Valid() {
+		return nil
+	}
+	return []*container.Absolute{b.Source}
+}
+
+func (b *FSBind) Apply(ops *container.Ops) {
+	if !b.Valid() {
+		return
+	}
+
+	target := b.Target
+	if target == nil {
+		target = b.Source
+	}
+	var flags int
+	if b.Write {
+		flags |= container.BindWritable
+	}
+	if b.Device {
+		flags |= container.BindDevice | container.BindWritable
+	}
+	if b.Optional {
+		flags |= container.BindOptional
+	}
+	ops.Bind(b.Source, target, flags)
+}
+
+func (b *FSBind) String() string {
+	g := 4
+	if !b.Valid() {
+		return "<invalid>"
+	}
+
+	g += len(b.Source.String())
+	if b.Target != nil {
+		g += len(b.Target.String())
+	}
+
+	expr := new(strings.Builder)
+	expr.Grow(g)
+
+	if b.Device {
+		expr.WriteString("d")
+	} else if b.Write {
+		expr.WriteString("w")
+	}
+
+	if !b.Optional {
+		expr.WriteString("*")
+	} else {
+		expr.WriteString("+")
+	}
+
+	expr.WriteString(b.Source.String())
+	if b.Target != nil {
+		expr.WriteString(":" + b.Target.String())
+	}
+
+	return expr.String()
+}
--- a/hst/fsbind_test.go
+++ b/hst/fsbind_test.go
@ -0,0 +1,66 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSBind(t *testing.T) {
+	checkFs(t, []fsTestCase{
+		{"nil", (*hst.FSBind)(nil), false, nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSBind{
+			Target:   m("/dev"),
+			Source:   m("/mnt/dev"),
+			Optional: true,
+			Device:   true,
+		}, true, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/dev"),
+			Target: m("/dev"),
+			Flags:  container.BindWritable | container.BindDevice | container.BindOptional,
+		}}, m("/dev"), ms("/mnt/dev"),
+			"d+/mnt/dev:/dev"},
+
+		{"full write dev", &hst.FSBind{
+			Target: m("/dev"),
+			Source: m("/mnt/dev"),
+			Write:  true,
+			Device: true,
+		}, true, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/dev"),
+			Target: m("/dev"),
+			Flags:  container.BindWritable | container.BindDevice,
+		}}, m("/dev"), ms("/mnt/dev"),
+			"d*/mnt/dev:/dev"},
+
+		{"full write", &hst.FSBind{
+			Target: m("/tmp"),
+			Source: m("/mnt/tmp"),
+			Write:  true,
+		}, true, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/tmp"),
+			Target: m("/tmp"),
+			Flags:  container.BindWritable,
+		}}, m("/tmp"), ms("/mnt/tmp"),
+			"w*/mnt/tmp:/tmp"},
+
+		{"full no flags", &hst.FSBind{
+			Target: m("/etc"),
+			Source: m("/mnt/etc"),
+		}, true, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/etc"),
+			Target: m("/etc"),
+		}}, m("/etc"), ms("/mnt/etc"),
+			"*/mnt/etc:/etc"},
+
+		{"nil dst", &hst.FSBind{
+			Source: m("/"),
+		}, true, container.Ops{&container.BindMountOp{
+			Source: m("/"),
+			Target: m("/"),
+		}}, m("/"), ms("/"),
+			"*/"},
+	})
+}
--- a/hst/fsephemeral.go
+++ b/hst/fsephemeral.go
@ -0,0 +1,83 @@
+package hst
+
+import (
+	"encoding/gob"
+	"os"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSEphemeral)) }
+
+// FilesystemEphemeral is the [FilesystemConfig.Type] name of a mount point with ephemeral state.
+const FilesystemEphemeral = "ephemeral"
+
+// FSEphemeral represents an ephemeral container mount point.
+type FSEphemeral struct {
+	// mount point in container
+	Target *container.Absolute `json:"dst,omitempty"`
+	// do not mount filesystem read-only
+	Write bool `json:"write,omitempty"`
+	// upper limit on the size of the filesystem
+	Size int `json:"size,omitempty"`
+	// initial permission bits of the new filesystem
+	Perm os.FileMode `json:"perm,omitempty"`
+}
+
+func (e *FSEphemeral) Valid() bool { return e != nil && e.Target != nil }
+
+func (e *FSEphemeral) Path() *container.Absolute {
+	if !e.Valid() {
+		return nil
+	}
+	return e.Target
+}
+
+func (e *FSEphemeral) Host() []*container.Absolute { return nil }
+
+const fsEphemeralDefaultPerm = os.FileMode(0755)
+
+func (e *FSEphemeral) Apply(ops *container.Ops) {
+	if !e.Valid() {
+		return
+	}
+
+	size := e.Size
+	if size < 0 {
+		size = 0
+	}
+
+	perm := e.Perm
+	if perm == 0 {
+		perm = fsEphemeralDefaultPerm
+	}
+
+	if e.Write {
+		ops.Tmpfs(e.Target, size, perm)
+	} else {
+		ops.Readonly(e.Target, perm)
+	}
+}
+
+func (e *FSEphemeral) String() string {
+	if !e.Valid() {
+		return "<invalid>"
+	}
+
+	expr := new(strings.Builder)
+	expr.Grow(15 + len(FilesystemEphemeral) + len(e.Target.String()))
+
+	if e.Write {
+		expr.WriteString("w")
+	}
+	expr.WriteString("+" + FilesystemEphemeral + "(")
+	if e.Perm != 0 {
+		expr.WriteString(e.Perm.String())
+	} else {
+		expr.WriteString(fsEphemeralDefaultPerm.String())
+	}
+	expr.WriteString("):" + e.Target.String())
+
+	return expr.String()
+}
--- a/hst/fsephemeral_test.go
+++ b/hst/fsephemeral_test.go
@ -0,0 +1,50 @@
+package hst_test
+
+import (
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSEphemeral(t *testing.T) {
+	checkFs(t, []fsTestCase{
+		{"nil", (*hst.FSEphemeral)(nil), false, nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSEphemeral{
+			Target: m("/run/user/65534"),
+			Write:  true,
+			Size:   1 << 10,
+			Perm:   0700,
+		}, true, container.Ops{&container.MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   m("/run/user/65534"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0700,
+		}}, m("/run/user/65534"), nil,
+			"w+ephemeral(-rwx------):/run/user/65534"},
+
+		{"cover ro", &hst.FSEphemeral{Target: m("/run/nscd")}, true,
+			container.Ops{&container.MountTmpfsOp{
+				FSName: "readonly",
+				Path:   m("/run/nscd"),
+				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
+				Perm:   0755,
+			}}, m("/run/nscd"), nil,
+			"+ephemeral(-rwxr-xr-x):/run/nscd"},
+
+		{"negative size", &hst.FSEphemeral{
+			Target: hst.AbsTmp,
+			Write:  true,
+			Size:   -1,
+		}, true, container.Ops{&container.MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   hst.AbsTmp,
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Perm:   0755,
+		}}, hst.AbsTmp, nil,
+			"w+ephemeral(-rwxr-xr-x):/.hakurei"},
+	})
+}
--- a/hst/fsoverlay.go
+++ b/hst/fsoverlay.go
@ -0,0 +1,98 @@
+package hst
+
+import (
+	"encoding/gob"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSOverlay)) }
+
+// FilesystemOverlay is the [FilesystemConfig.Type] name of an overlay mount point.
+const FilesystemOverlay = "overlay"
+
+// FSOverlay represents an overlay mount point.
+type FSOverlay struct {
+	// mount point in container
+	Target *container.Absolute `json:"dst"`
+
+	// any filesystem, does not need to be on a writable filesystem, must not be nil
+	Lower []*container.Absolute `json:"lower"`
+	// the upperdir is normally on a writable filesystem, leave as nil to mount Lower readonly
+	Upper *container.Absolute `json:"upper,omitempty"`
+	// the workdir needs to be an empty directory on the same filesystem as Upper, must not be nil if Upper is populated
+	Work *container.Absolute `json:"work,omitempty"`
+}
+
+func (o *FSOverlay) Valid() bool {
+	if o == nil || o.Target == nil {
+		return false
+	}
+
+	for _, a := range o.Lower {
+		if a == nil {
+			return false
+		}
+	}
+
+	if o.Upper != nil { // rw
+		return o.Work != nil && len(o.Lower) > 0
+	} else { // ro
+		return len(o.Lower) >= 2
+	}
+}
+
+func (o *FSOverlay) Path() *container.Absolute {
+	if !o.Valid() {
+		return nil
+	}
+	return o.Target
+}
+
+func (o *FSOverlay) Host() []*container.Absolute {
+	if !o.Valid() {
+		return nil
+	}
+	p := make([]*container.Absolute, 0, 2+len(o.Lower))
+	if o.Upper != nil && o.Work != nil {
+		p = append(p, o.Upper, o.Work)
+	}
+	p = append(p, o.Lower...)
+	return p
+}
+
+func (o *FSOverlay) Apply(op *container.Ops) {
+	if !o.Valid() {
+		return
+	}
+
+	if o.Upper != nil && o.Work != nil { // rw
+		op.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
+	} else { // ro
+		op.OverlayReadonly(o.Target, o.Lower...)
+	}
+}
+
+func (o *FSOverlay) String() string {
+	if !o.Valid() {
+		return "<invalid>"
+	}
+
+	lower := make([]string, len(o.Lower))
+	for i, a := range o.Lower {
+		lower[i] = container.EscapeOverlayDataSegment(a.String())
+	}
+
+	if o.Upper != nil && o.Work != nil {
+		return "w*" + strings.Join(append([]string{
+			container.EscapeOverlayDataSegment(o.Target.String()),
+			container.EscapeOverlayDataSegment(o.Upper.String()),
+			container.EscapeOverlayDataSegment(o.Work.String())},
+			lower...), container.SpecialOverlayPath)
+	} else {
+		return "*" + strings.Join(append([]string{
+			container.EscapeOverlayDataSegment(o.Target.String())},
+			lower...), container.SpecialOverlayPath)
+	}
+}
--- a/hst/fsoverlay_test.go
+++ b/hst/fsoverlay_test.go
@ -0,0 +1,50 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSOverlay(t *testing.T) {
+	checkFs(t, []fsTestCase{
+		{"nil", (*hst.FSOverlay)(nil), false, nil, nil, nil, "<invalid>"},
+		{"nil lower", &hst.FSOverlay{Target: m("/etc"), Lower: []*container.Absolute{nil}}, false, nil, nil, nil, "<invalid>"},
+		{"zero lower", &hst.FSOverlay{Target: m("/etc"), Upper: m("/"), Work: m("/")}, false, nil, nil, nil, "<invalid>"},
+		{"zero lower ro", &hst.FSOverlay{Target: m("/etc")}, false, nil, nil, nil, "<invalid>"},
+		{"short lower", &hst.FSOverlay{Target: m("/etc"), Lower: ms("/etc")}, false, nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSOverlay{
+			Target: m("/nix/store"),
+			Lower:  ms("/mnt-root/nix/.ro-store"),
+			Upper:  m("/mnt-root/nix/.rw-store/upper"),
+			Work:   m("/mnt-root/nix/.rw-store/work"),
+		}, true, container.Ops{&container.MountOverlayOp{
+			Target: m("/nix/store"),
+			Lower:  ms("/mnt-root/nix/.ro-store"),
+			Upper:  m("/mnt-root/nix/.rw-store/upper"),
+			Work:   m("/mnt-root/nix/.rw-store/work"),
+		}}, m("/nix/store"), ms("/mnt-root/nix/.rw-store/upper", "/mnt-root/nix/.rw-store/work", "/mnt-root/nix/.ro-store"),
+			"w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store"},
+
+		{"ro", &hst.FSOverlay{
+			Target: m("/mnt/src"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+		}, true, container.Ops{&container.MountOverlayOp{
+			Target: m("/mnt/src"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+		}}, m("/mnt/src"), ms("/tmp/.src0", "/tmp/.src1"),
+			"*/mnt/src:/tmp/.src0:/tmp/.src1"},
+
+		{"ro work", &hst.FSOverlay{
+			Target: m("/mnt/src"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+			Work:   m("/tmp"),
+		}, true, container.Ops{&container.MountOverlayOp{
+			Target: m("/mnt/src"),
+			Lower:  ms("/tmp/.src0", "/tmp/.src1"),
+		}}, m("/mnt/src"), ms("/tmp/.src0", "/tmp/.src1"),
+			"*/mnt/src:/tmp/.src0:/tmp/.src1"},
+	})
+}
--- a/hst/hst.go
+++ b/hst/hst.go
@ -0,0 +1,120 @@
+// Package hst exports stable shared types for interacting with hakurei.
+package hst
+
+import (
+	"hakurei.app/container"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/system"
+	"hakurei.app/system/dbus"
+)
+
+// Paths contains environment-dependent paths used by hakurei.
+type Paths struct {
+	// temporary directory returned by [os.TempDir] (usually `/tmp`)
+	TempDir *container.Absolute `json:"temp_dir"`
+	// path to shared directory (usually `/tmp/hakurei.%d`)
+	SharePath *container.Absolute `json:"share_path"`
+	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
+	RuntimePath *container.Absolute `json:"runtime_path"`
+	// application runtime directory (usually `/run/user/%d/hakurei`)
+	RunDirPath *container.Absolute `json:"run_dir_path"`
+}
+
+type Info struct {
+	User int `json:"user"`
+	Paths
+}
+
+// Template returns a fully populated instance of Config.
+func Template() *Config {
+	return &Config{
+		ID: "org.chromium.Chromium",
+
+		Path: container.AbsFHSRun.Append("current-system/sw/bin/chromium"),
+		Args: []string{
+			"chromium",
+			"--ignore-gpu-blocklist",
+			"--disable-smooth-scrolling",
+			"--enable-features=UseOzonePlatform",
+			"--ozone-platform=wayland",
+		},
+
+		Enablements: NewEnablements(system.EWayland | system.EDBus | system.EPulse),
+
+		SessionBus: &dbus.Config{
+			See: nil,
+			Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
+				"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
+			Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
+				"org.mpris.MediaPlayer2.chromium.*"},
+			Call:      map[string]string{"org.freedesktop.portal.*": "*"},
+			Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
+			Log:       false,
+			Filter:    true,
+		},
+		SystemBus: &dbus.Config{
+			See:       nil,
+			Talk:      []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
+			Own:       nil,
+			Call:      nil,
+			Broadcast: nil,
+			Log:       false,
+			Filter:    true,
+		},
+		DirectWayland: false,
+
+		Username: "chronos",
+		Shell:    container.AbsFHSRun.Append("current-system/sw/bin/zsh"),
+		Data:     container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
+		Dir:      container.MustAbs("/data/data/org.chromium.Chromium"),
+		ExtraPerms: []*ExtraPermConfig{
+			{Path: container.AbsFHSVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},
+			{Path: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), Read: true, Write: true, Execute: true},
+		},
+
+		Identity: 9,
+		Groups:   []string{"video", "dialout", "plugdev"},
+
+		Container: &ContainerConfig{
+			Hostname:       "localhost",
+			Devel:          true,
+			Userns:         true,
+			Net:            true,
+			Device:         true,
+			WaitDelay:      -1,
+			SeccompFlags:   seccomp.AllowMultiarch,
+			SeccompPresets: seccomp.PresetExt,
+			SeccompCompat:  true,
+			Tty:            true,
+			Multiarch:      true,
+			MapRealUID:     true,
+			// example API credentials pulled from Google Chrome
+			// DO NOT USE THESE IN A REAL BROWSER
+			Env: map[string]string{
+				"GOOGLE_API_KEY":               "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
+				"GOOGLE_DEFAULT_CLIENT_ID":     "77185425430.apps.googleusercontent.com",
+				"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
+			},
+			Filesystem: []FilesystemConfigJSON{
+				{&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}},
+				{&FSOverlay{
+					Target: container.MustAbs("/nix/store"),
+					Lower:  []*container.Absolute{container.MustAbs("/mnt-root/nix/.ro-store")},
+					Upper:  container.MustAbs("/mnt-root/nix/.rw-store/upper"),
+					Work:   container.MustAbs("/mnt-root/nix/.rw-store/work"),
+				}},
+				{&FSBind{Source: container.MustAbs("/nix/store")}},
+				{&FSBind{Source: container.AbsFHSRun.Append("current-system")}},
+				{&FSBind{Source: container.AbsFHSRun.Append("opengl-driver")}},
+				{&FSBind{Source: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
+					Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
+				{&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
+			},
+			Link:      []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
+			AutoRoot:  container.AbsFHSVarLib.Append("hakurei/base/org.debian"),
+			RootFlags: container.BindWritable,
+			Etc:       container.AbsFHSEtc,
+			AutoEtc:   true,
+		},
+	}
+}
--- a/hst/template_test.go
+++ b/hst/template_test.go
@ -18,7 +18,11 @@ func TestTemplate(t *testing.T) {
 		"--enable-features=UseOzonePlatform",
 		"--ozone-platform=wayland"
 	],
-	"enablements": 13,
+	"enablements": {
+		"wayland": true,
+		"dbus": true,
+		"pulse": true
+	},
 	"session_bus": {
 		"see": null,
 		"talk": [
@ -98,41 +102,55 @@ func TestTemplate(t *testing.T) {
 		"device": true,
 		"filesystem": [
 			{
+				"type": "ephemeral",
+				"dst": "/tmp/",
+				"write": true,
+				"perm": 493
+			},
+			{
+				"type": "overlay",
+				"dst": "/nix/store",
+				"lower": [
+					"/mnt-root/nix/.ro-store"
+				],
+				"upper": "/mnt-root/nix/.rw-store/upper",
+				"work": "/mnt-root/nix/.rw-store/work"
+			},
+			{
+				"type": "bind",
 				"src": "/nix/store"
 			},
 			{
+				"type": "bind",
 				"src": "/run/current-system"
 			},
 			{
+				"type": "bind",
 				"src": "/run/opengl-driver"
 			},
 			{
-				"src": "/var/db/nix-channels"
-			},
-			{
+				"type": "bind",
 				"dst": "/data/data/org.chromium.Chromium",
 				"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-				"write": true,
-				"require": true
+				"write": true
 			},
 			{
+				"type": "bind",
 				"src": "/dev/dri",
-				"dev": true
+				"dev": true,
+				"optional": true
 			}
 		],
 		"symlink": [
-			[
-				"/run/user/65534",
-				"/run/user/150"
-			]
+			{
+				"target": "/run/user/65534",
+				"linkname": "/run/user/150"
+			}
 		],
 		"auto_root": "/var/lib/hakurei/base/org.debian",
 		"root_flags": 2,
-		"etc": "/etc",
-		"auto_etc": true,
-		"cover": [
-			"/var/run/nscd"
-		]
+		"etc": "/etc/",
+		"auto_etc": true
 	}
 }`

--- a/hst/info.go
+++ b/hst/info.go
@ -1,5 +0,0 @@
-package hst
-
-type Info struct {
-	User int `json:"user"`
-}
--- a/hst/paths.go
+++ b/hst/paths.go
@ -1,11 +0,0 @@
-package hst
-
-// Paths contains environment-dependent paths used by hakurei.
-type Paths struct {
-	// path to shared directory (usually `/tmp/hakurei.%d`)
-	SharePath string `json:"share_path"`
-	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
-	RuntimePath string `json:"runtime_path"`
-	// application runtime directory (usually `/run/user/%d/hakurei`)
-	RunDirPath string `json:"run_dir_path"`
-}
--- a/hst/template.go
+++ b/hst/template.go
@ -1,97 +0,0 @@
-package hst
-
-import (
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-	"hakurei.app/system"
-	"hakurei.app/system/dbus"
-)
-
-// Template returns a fully populated instance of Config.
-func Template() *Config {
-	return &Config{
-		ID: "org.chromium.Chromium",
-
-		Path: "/run/current-system/sw/bin/chromium",
-		Args: []string{
-			"chromium",
-			"--ignore-gpu-blocklist",
-			"--disable-smooth-scrolling",
-			"--enable-features=UseOzonePlatform",
-			"--ozone-platform=wayland",
-		},
-
-		Enablements: system.EWayland | system.EDBus | system.EPulse,
-
-		SessionBus: &dbus.Config{
-			See: nil,
-			Talk: []string{"org.freedesktop.Notifications", "org.freedesktop.FileManager1", "org.freedesktop.ScreenSaver",
-				"org.freedesktop.secrets", "org.kde.kwalletd5", "org.kde.kwalletd6", "org.gnome.SessionManager"},
-			Own: []string{"org.chromium.Chromium.*", "org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-				"org.mpris.MediaPlayer2.chromium.*"},
-			Call:      map[string]string{"org.freedesktop.portal.*": "*"},
-			Broadcast: map[string]string{"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"},
-			Log:       false,
-			Filter:    true,
-		},
-		SystemBus: &dbus.Config{
-			See:       nil,
-			Talk:      []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
-			Own:       nil,
-			Call:      nil,
-			Broadcast: nil,
-			Log:       false,
-			Filter:    true,
-		},
-		DirectWayland: false,
-
-		Username: "chronos",
-		Shell:    "/run/current-system/sw/bin/zsh",
-		Data:     "/var/lib/hakurei/u0/org.chromium.Chromium",
-		Dir:      "/data/data/org.chromium.Chromium",
-		ExtraPerms: []*ExtraPermConfig{
-			{Path: "/var/lib/hakurei/u0", Ensure: true, Execute: true},
-			{Path: "/var/lib/hakurei/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
-		},
-
-		Identity: 9,
-		Groups:   []string{"video", "dialout", "plugdev"},
-
-		Container: &ContainerConfig{
-			Hostname:       "localhost",
-			Devel:          true,
-			Userns:         true,
-			Net:            true,
-			Device:         true,
-			WaitDelay:      -1,
-			SeccompFlags:   seccomp.AllowMultiarch,
-			SeccompPresets: seccomp.PresetExt,
-			SeccompCompat:  true,
-			Tty:            true,
-			Multiarch:      true,
-			MapRealUID:     true,
-			// example API credentials pulled from Google Chrome
-			// DO NOT USE THESE IN A REAL BROWSER
-			Env: map[string]string{
-				"GOOGLE_API_KEY":               "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
-				"GOOGLE_DEFAULT_CLIENT_ID":     "77185425430.apps.googleusercontent.com",
-				"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
-			},
-			Filesystem: []*FilesystemConfig{
-				{Src: "/nix/store"},
-				{Src: "/run/current-system"},
-				{Src: "/run/opengl-driver"},
-				{Src: "/var/db/nix-channels"},
-				{Src: "/var/lib/hakurei/u0/org.chromium.Chromium",
-					Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
-				{Src: "/dev/dri", Device: true},
-			},
-			Link:      [][2]string{{"/run/user/65534", "/run/user/150"}},
-			AutoRoot:  "/var/lib/hakurei/base/org.debian",
-			RootFlags: container.BindWritable,
-			Etc:       "/etc",
-			AutoEtc:   true,
-			Cover:     []string{"/var/run/nscd"},
-		},
-	}
-}
--- a/internal/app/app_linux.go
+++ b/internal/app/app_linux.go
@ -7,7 +7,6 @@ import (

 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
-	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 )

@ -59,10 +58,6 @@ func (a *app) Seal(config *hst.Config) (SealedApp, error) {
 	if a.outcome != nil {
 		panic("app sealed twice")
 	}
-	if config == nil {
-		return nil, hlog.WrapErr(ErrConfig,
-			"attempted to seal app with nil config")
-	}

 	seal := new(outcome)
 	seal.id = a.id
--- a/internal/app/app_linux_test.go
+++ b/internal/app/app_linux_test.go
@ -11,6 +11,7 @@ import (
 	"hakurei.app/hst"
 	"hakurei.app/internal/app"
 	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system"
 )
@ -36,6 +37,7 @@ func TestApp(t *testing.T) {
 			)
 			if !t.Run("seal", func(t *testing.T) {
 				if sa, err := a.Seal(tc.config); err != nil {
+					hlog.PrintBaseError(err, "got generic error:")
 					t.Errorf("Seal: error = %v", err)
 					return
 				} else {
--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@ -12,23 +12,35 @@ import (
 	"hakurei.app/system/dbus"
 )

+func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
+func f(c hst.FilesystemConfig) hst.FilesystemConfigJSON {
+	return hst.FilesystemConfigJSON{FilesystemConfig: c}
+}
+
 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
 		&hst.Config{
 			ID:          "org.chromium.Chromium",
-			Path:        "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-			Enablements: system.EWayland | system.EDBus | system.EPulse,
+			Path:        m("/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"),
+			Enablements: hst.NewEnablements(system.EWayland | system.EDBus | system.EPulse),
+			Shell:       m("/run/current-system/sw/bin/zsh"),

 			Container: &hst.ContainerConfig{
 				Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
-				Filesystem: []*hst.FilesystemConfig{
-					{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
-					{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
-					{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
-					{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
+				Filesystem: []hst.FilesystemConfigJSON{
+					f(&hst.FSBind{Source: m("/bin")}),
+					f(&hst.FSBind{Source: m("/usr/bin/")}),
+					f(&hst.FSBind{Source: m("/nix/store")}),
+					f(&hst.FSBind{Source: m("/run/current-system")}),
+					f(&hst.FSBind{Source: m("/sys/block"), Optional: true}),
+					f(&hst.FSBind{Source: m("/sys/bus"), Optional: true}),
+					f(&hst.FSBind{Source: m("/sys/class"), Optional: true}),
+					f(&hst.FSBind{Source: m("/sys/dev"), Optional: true}),
+					f(&hst.FSBind{Source: m("/sys/devices"), Optional: true}),
+					f(&hst.FSBind{Source: m("/run/opengl-driver")}),
+					f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}),
 				},
-				Cover: []string{"/var/run/nscd"},
 			},
 			SystemBus: &dbus.Config{
 				Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
@ -51,7 +63,7 @@ var testCasesNixos = []sealTestCase{
 			DirectWayland: true,

 			Username: "u0_a1",
-			Data:     "/var/lib/persist/module/hakurei/0/1",
+			Data:     m("/var/lib/persist/module/hakurei/0/1"),
 			Identity: 1, Groups: []string{},
 		},
 		state.ID{
@ -99,8 +111,8 @@ var testCasesNixos = []sealTestCase{
 		&container.Params{
 			Uid:  1971,
 			Gid:  100,
-			Dir:  "/var/lib/persist/module/hakurei/0/1",
-			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Dir:  m("/var/lib/persist/module/hakurei/0/1"),
+			Path: m("/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"),
 			Args: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
@ -117,34 +129,34 @@ var testCasesNixos = []sealTestCase{
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", 0).
-				Bind("/usr/bin", "/usr/bin", 0).
-				Bind("/nix/store", "/nix/store", 0).
-				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", container.BindOptional).
-				Bind("/sys/bus", "/sys/bus", container.BindOptional).
-				Bind("/sys/class", "/sys/class", container.BindOptional).
-				Bind("/sys/dev", "/sys/dev", container.BindOptional).
-				Bind("/sys/devices", "/sys/devices", container.BindOptional).
-				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional).
-				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable).
-				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", container.BindWritable).
-				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:100:\n")).
-				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
-				Bind("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
-				Place(hst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
-				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Tmpfs("/var/run/nscd", 8192, 0755).
-				Remount("/", syscall.MS_RDONLY),
+				Proc(m("/proc/")).
+				Tmpfs(hst.AbsTmp, 4096, 0755).
+				DevWritable(m("/dev/"), true).
+				Bind(m("/bin"), m("/bin"), 0).
+				Bind(m("/usr/bin/"), m("/usr/bin/"), 0).
+				Bind(m("/nix/store"), m("/nix/store"), 0).
+				Bind(m("/run/current-system"), m("/run/current-system"), 0).
+				Bind(m("/sys/block"), m("/sys/block"), container.BindOptional).
+				Bind(m("/sys/bus"), m("/sys/bus"), container.BindOptional).
+				Bind(m("/sys/class"), m("/sys/class"), container.BindOptional).
+				Bind(m("/sys/dev"), m("/sys/dev"), container.BindOptional).
+				Bind(m("/sys/devices"), m("/sys/devices"), container.BindOptional).
+				Bind(m("/run/opengl-driver"), m("/run/opengl-driver"), 0).
+				Bind(m("/dev/dri"), m("/dev/dri"), container.BindDevice|container.BindWritable|container.BindOptional).
+				Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1").
+				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/run/user/"), 4096, 0755).
+				Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable).
+				Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable).
+				Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable).
+				Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
+				Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
+				Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
+				Bind(m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Place(m(hst.Tmp+"/pulse-cookie"), nil).
+				Bind(m("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
+				Bind(m("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/run/dbus/system_bus_socket"), 0).
+				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			ForwardCancel:  true,
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@ -16,7 +16,7 @@ import (
 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
-		&hst.Config{Username: "chronos", Data: "/home/chronos"},
+		&hst.Config{Username: "chronos", Data: m("/home/chronos")},
 		state.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
@ -30,8 +30,8 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 		&container.Params{
-			Dir:  "/home/chronos",
-			Path: "/run/current-system/sw/bin/zsh",
+			Dir:  m("/home/chronos"),
+			Path: m("/run/current-system/sw/bin/zsh"),
 			Args: []string{"/run/current-system/sw/bin/zsh"},
 			Env: []string{
 				"HOME=/home/chronos",
@ -43,22 +43,23 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
-				Root("/", "4a450b6596d7bc15bd01780eb9a607ac", container.BindWritable).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
-				Readonly("/var/run/nscd", 0755).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
-				Bind("/home/chronos", "/home/chronos", container.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")).
-				Remount("/", syscall.MS_RDONLY),
+				Root(m("/"), "4a450b6596d7bc15bd01780eb9a607ac", container.BindWritable).
+				Proc(m("/proc/")).
+				Tmpfs(hst.AbsTmp, 4096, 0755).
+				DevWritable(m("/dev/"), true).
+				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
+				Readonly(m("/var/run/nscd"), 0755).
+				Tmpfs(m("/run/user/1971"), 8192, 0755).
+				Tmpfs(m("/run/dbus"), 8192, 0755).
+				Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
+				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/run/user/"), 4096, 0755).
+				Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
+				Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable).
+				Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable).
+				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
+				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
@ -73,7 +74,7 @@ var testCasesPd = []sealTestCase{
 			Identity: 9,
 			Groups:   []string{"video"},
 			Username: "chronos",
-			Data:     "/home/chronos",
+			Data:     m("/home/chronos"),
 			SessionBus: &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@ -105,7 +106,7 @@ var testCasesPd = []sealTestCase{
 				},
 				Filter: true,
 			},
-			Enablements: system.EWayland | system.EDBus | system.EPulse,
+			Enablements: hst.NewEnablements(system.EWayland | system.EDBus | system.EPulse),
 		},
 		state.ID{
 			0xeb, 0xf0, 0x83, 0xd1,
@ -159,8 +160,8 @@ var testCasesPd = []sealTestCase{
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
 		&container.Params{
-			Dir:  "/home/chronos",
-			Path: "/run/current-system/sw/bin/zsh",
+			Dir:  m("/home/chronos"),
+			Path: m("/run/current-system/sw/bin/zsh"),
 			Args: []string{"zsh", "-c", "exec chromium "},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
@ -177,28 +178,29 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
-				Root("/", "ebf083d1b175911782d413369b64ce7c", container.BindWritable).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
-				Readonly("/var/run/nscd", 0755).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable).
-				Bind("/home/chronos", "/home/chronos", container.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
-				Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
-				Place(hst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Remount("/", syscall.MS_RDONLY),
+				Root(m("/"), "ebf083d1b175911782d413369b64ce7c", container.BindWritable).
+				Proc(m("/proc/")).
+				Tmpfs(hst.AbsTmp, 4096, 0755).
+				DevWritable(m("/dev/"), true).
+				Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional).
+				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
+				Readonly(m("/var/run/nscd"), 0755).
+				Tmpfs(m("/run/user/1971"), 8192, 0755).
+				Tmpfs(m("/run/dbus"), 8192, 0755).
+				Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
+				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/run/user/"), 4096, 0755).
+				Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
+				Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable).
+				Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable).
+				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
+				Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
+				Bind(m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse"), m("/run/user/65534/pulse/native"), 0).
+				Place(m(hst.Tmp+"/pulse-cookie"), nil).
+				Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
+				Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/run/dbus/system_bus_socket"), 0).
+				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
--- a/internal/app/app_stub_linux_test.go
+++ b/internal/app/app_stub_linux_test.go
@ -127,8 +127,8 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {

 func (s *stubNixOS) Paths() hst.Paths {
 	return hst.Paths{
-		SharePath:   "/tmp/hakurei.1971",
-		RuntimePath: "/run/user/1971",
-		RunDirPath:  "/run/user/1971/hakurei",
+		SharePath:   m("/tmp/hakurei.1971"),
+		RuntimePath: m("/run/user/1971"),
+		RunDirPath:  m("/run/user/1971/hakurei"),
 	}
 }
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@ -6,12 +6,12 @@ import (
 	"io/fs"
 	"maps"
 	"path"
-	"slices"
 	"syscall"

 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
+	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system/dbus"
 )
@ -24,7 +24,7 @@ const preallocateOpsCount = 1 << 5
 // Note that remaining container setup must be queued by the caller.
 func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid *int) (*container.Params, map[string]string, error) {
 	if s == nil {
-		return nil, nil, syscall.EBADE
+		return nil, nil, hlog.WrapErr(syscall.EBADE, "invalid container configuration")
 	}

 	params := &container.Params{
@ -33,6 +33,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		SeccompPresets: s.SeccompPresets,
 		RetainSession:  s.Tty,
 		HostNet:        s.Net,
+		HostAbstract:   s.Abstract,

 		// the container is canceled when shim is requested to exit or receives an interrupt or termination signal;
 		// this behaviour is implemented in the shim
@ -40,7 +41,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	}

 	{
-		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link))
 		params.Ops = &ops
 	}

@ -73,21 +74,18 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		*gid = container.OverflowGid()
 	}

-	if s.AutoRoot != "" {
-		if !path.IsAbs(s.AutoRoot) {
-			return nil, nil, fmt.Errorf("auto root target %q not absolute", s.AutoRoot)
-		}
+	if s.AutoRoot != nil {
 		params.Root(s.AutoRoot, prefix, s.RootFlags)
 	}

 	params.
-		Proc("/proc").
-		Tmpfs(hst.Tmp, 1<<12, 0755)
+		Proc(container.AbsFHSProc).
+		Tmpfs(hst.AbsTmp, 1<<12, 0755)

 	if !s.Device {
-		params.Dev("/dev").Mqueue("/dev/mqueue")
+		params.DevWritable(container.AbsFHSDev, true)
 	} else {
-		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
+		params.Bind(container.AbsFHSDev, container.AbsFHSDev, container.BindWritable|container.BindDevice)
 	}

 	/* retrieve paths and hide them if they're made available in the sandbox;
@ -96,7 +94,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	and should not be treated as such, ALWAYS be careful with what you bind */
 	var hidePaths []string
 	sc := os.Paths()
-	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
+	hidePaths = append(hidePaths, sc.RuntimePath.String(), sc.SharePath.String())
 	_, systemBusAddr := dbus.Address()
 	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
 		return nil, nil, err
@ -111,7 +109,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 					if path.IsAbs(pair[1]) {
 						// get parent dir of socket
 						dir := path.Dir(pair[1])
-						if dir == "." || dir == "/" {
+						if dir == "." || dir == container.FHSRoot {
 							os.Printf("dbus socket %q is in an unusual location", pair[1])
 						}
 						hidePaths = append(hidePaths, dir)
@ -128,79 +126,63 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 			return nil, nil, err
 		}
 	}
-	// evaluated path, input path
-	hidePathSource := make([][2]string, 0, len(s.Filesystem))
+
+	var hidePathSourceCount int
+	for i, c := range s.Filesystem {
+		if !c.Valid() {
+			return nil, nil, fmt.Errorf("invalid filesystem at index %d", i)
+		}
+		c.Apply(params.Ops)
+
+		// fs counter
+		hidePathSourceCount += len(c.Host())
+	}

 	// AutoRoot is a collection of many BindMountOp internally
-	if s.AutoRoot != "" {
-		if d, err := os.ReadDir(s.AutoRoot); err != nil {
+	var autoRootEntries []fs.DirEntry
+	if s.AutoRoot != nil {
+		if d, err := os.ReadDir(s.AutoRoot.String()); err != nil {
 			return nil, nil, err
 		} else {
-			hidePathSource = slices.Grow(hidePathSource, len(d))
-			for _, ent := range d {
-				name := ent.Name()
-				if container.IsAutoRootBindable(name) {
-					name = path.Join(s.AutoRoot, name)
-					srcP := [2]string{name, name}
-					if err = evalSymlinks(os, &srcP[0]); err != nil {
-						return nil, nil, err
-					}
-					hidePathSource = append(hidePathSource, srcP)
-				}
+			// autoroot counter
+			hidePathSourceCount += len(d)
+			autoRootEntries = d
+		}
+	}
+
+	hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount)
+
+	// fs append
+	for _, c := range s.Filesystem {
+		// all entries already checked above
+		hidePathSource = append(hidePathSource, c.Host()...)
+	}
+
+	// autoroot append
+	if s.AutoRoot != nil {
+		for _, ent := range autoRootEntries {
+			name := ent.Name()
+			if container.IsAutoRootBindable(name) {
+				hidePathSource = append(hidePathSource, s.AutoRoot.Append(name))
 			}
 		}
 	}

-	for _, c := range s.Filesystem {
-		if c == nil {
-			continue
+	// evaluated path, input path
+	hidePathSourceEval := make([][2]string, len(hidePathSource))
+	for i, a := range hidePathSource {
+		if a == nil {
+			// unreachable
+			return nil, nil, syscall.ENOTRECOVERABLE
 		}

-		// special filesystems
-		switch c.Src {
-		case hst.SourceTmpfs:
-			if !path.IsAbs(c.Dst) {
-				return nil, nil, fmt.Errorf("tmpfs dst %q is not absolute", c.Dst)
-			}
-			if c.Write {
-				params.Tmpfs(c.Dst, hst.TmpfsSize, hst.TmpfsPerm)
-			} else {
-				params.Readonly(c.Dst, hst.TmpfsPerm)
-			}
-			continue
-		}
-
-		if !path.IsAbs(c.Src) {
-			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
-		}
-
-		dest := c.Dst
-		if c.Dst == "" {
-			dest = c.Src
-		} else if !path.IsAbs(dest) {
-			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
-		}
-
-		p := [2]string{c.Src, c.Src}
-		if err := evalSymlinks(os, &p[0]); err != nil {
+		hidePathSourceEval[i] = [2]string{a.String(), a.String()}
+		if err := evalSymlinks(os, &hidePathSourceEval[i][0]); err != nil {
 			return nil, nil, err
 		}
-		hidePathSource = append(hidePathSource, p)
-
-		var flags int
-		if c.Write {
-			flags |= container.BindWritable
-		}
-		if c.Device {
-			flags |= container.BindDevice | container.BindWritable
-		}
-		if !c.Must {
-			flags |= container.BindOptional
-		}
-		params.Bind(c.Src, dest, flags)
 	}

-	for _, p := range hidePathSource {
+	for _, p := range hidePathSourceEval {
 		for i := range hidePaths {
 			// skip matched entries
 			if hidePathMatch[i] {
@ -219,24 +201,49 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	// cover matched paths
 	for i, ok := range hidePathMatch {
 		if ok {
-			params.Tmpfs(hidePaths[i], 1<<13, 0755)
+			if a, err := container.NewAbs(hidePaths[i]); err != nil {
+				var absoluteError *container.AbsoluteError
+				if !errors.As(err, &absoluteError) {
+					return nil, nil, err
+				}
+				if absoluteError == nil {
+					return nil, nil, syscall.ENOTRECOVERABLE
+				}
+				return nil, nil, fmt.Errorf("invalid path hiding candidate %q", absoluteError.Pathname)
+			} else {
+				params.Tmpfs(a, 1<<13, 0755)
+			}
 		}
 	}

-	for _, l := range s.Link {
-		params.Link(l[0], l[1])
+	for i, l := range s.Link {
+		if l.Target == nil || l.Linkname == "" {
+			return nil, nil, fmt.Errorf("invalid link at index %d", i)
+		}
+		linkname := l.Linkname
+		var dereference bool
+		if linkname[0] == '*' && path.IsAbs(linkname[1:]) {
+			linkname = linkname[1:]
+			dereference = true
+		}
+		params.Link(l.Target, linkname, dereference)
 	}

 	if !s.AutoEtc {
-		if s.Etc != "" {
-			params.Bind(s.Etc, "/etc", 0)
+		if s.Etc != nil {
+			params.Bind(s.Etc, container.AbsFHSEtc, 0)
 		}
 	} else {
-		etcPath := s.Etc
-		if etcPath == "" {
-			etcPath = "/etc"
+		if s.Etc == nil {
+			params.Etc(container.AbsFHSEtc, prefix)
+		} else {
+			params.Etc(s.Etc, prefix)
 		}
-		params.Etc(etcPath, prefix)
+	}
+
+	// no more ContainerConfig paths beyond this point
+	if !s.Device {
+		params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
 	}

 	return params, maps.Clone(s.Env), nil
--- a/internal/app/process_linux.go
+++ b/internal/app/process_linux.go
@ -39,7 +39,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	if err := seal.sys.Commit(seal.ctx); err != nil {
 		return err
 	}
-	store := state.NewMulti(seal.runDirPath)
+	store := state.NewMulti(seal.runDirPath.String())
 	deferredStoreFunc := func(c state.Cursor) error { return nil } // noop until state in store
 	defer func() {
 		var revertErr error
@ -64,7 +64,7 @@ func (seal *outcome) Run(rs *RunState) error {
 					// accumulate enablements of remaining launchers
 					for i, s := range states {
 						if s.Config != nil {
-							rt |= s.Config.Enablements
+							rt |= s.Config.Enablements.Unwrap()
 						} else {
 							log.Printf("state entry %d does not contain config", i)
 						}
@ -88,7 +88,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	defer cancel()
 	cmd := exec.CommandContext(ctx, hsuPath)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Dir = "/" // container init enters final working directory
+	cmd.Dir = container.FHSRoot // container init enters final working directory
 	// shim runs in the same session as monitor; see shim.go for behaviour
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }

@ -128,7 +128,7 @@ func (seal *outcome) Run(rs *RunState) error {
 			os.Getpid(),
 			seal.waitDelay,
 			seal.container,
-			seal.user.data,
+			seal.user.data.String(),
 			hlog.Load(),
 		})
 	}()
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@ -12,6 +12,7 @@ import (
 	"path"
 	"regexp"
 	"slices"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"syscall"
@ -49,10 +50,8 @@ const (
 )

 var (
-	ErrConfig = errors.New("no configuration to seal")
-	ErrUser   = errors.New("invalid aid")
-	ErrHome   = errors.New("invalid home directory")
-	ErrName   = errors.New("invalid username")
+	ErrIdent = errors.New("invalid identity")
+	ErrName  = errors.New("invalid username")

 	ErrXDisplay = errors.New(display + " unset")

@ -67,8 +66,8 @@ var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z
 type outcome struct {
 	// copied from initialising [app]
 	id *stringPair[state.ID]
-	// copied from [sys.State] response
-	runDirPath string
+	// copied from [sys.State]
+	runDirPath *container.Absolute

 	// initial [hst.Config] gob stream for state data;
 	// this is prepared ahead of time as config is clobbered during seal creation
@ -93,9 +92,9 @@ type shareHost struct {
 	// whether XDG_RUNTIME_DIR is used post hsu
 	useRuntimeDir bool
 	// process-specific directory in tmpdir, empty if unused
-	sharePath string
+	sharePath *container.Absolute
 	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
-	runtimeSharePath string
+	runtimeSharePath *container.Absolute

 	seal *outcome
 	sc   hst.Paths
@ -107,48 +106,48 @@ func (share *shareHost) ensureRuntimeDir() {
 		return
 	}
 	share.useRuntimeDir = true
-	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
-	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
-	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
-	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
+	share.seal.sys.Ensure(share.sc.RunDirPath.String(), 0700)
+	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath.String(), acl.Execute)
+	share.seal.sys.Ensure(share.sc.RuntimePath.String(), 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
+	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath.String(), acl.Execute)
 }

 // instance returns a process-specific share path within tmpdir
-func (share *shareHost) instance() string {
-	if share.sharePath != "" {
+func (share *shareHost) instance() *container.Absolute {
+	if share.sharePath != nil {
 		return share.sharePath
 	}
-	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
+	share.sharePath = share.sc.SharePath.Append(share.seal.id.String())
+	share.seal.sys.Ephemeral(system.Process, share.sharePath.String(), 0711)
 	return share.sharePath
 }

 // runtime returns a process-specific share path within XDG_RUNTIME_DIR
-func (share *shareHost) runtime() string {
-	if share.runtimeSharePath != "" {
+func (share *shareHost) runtime() *container.Absolute {
+	if share.runtimeSharePath != nil {
 		return share.runtimeSharePath
 	}
 	share.ensureRuntimeDir()
-	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
-	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
+	share.runtimeSharePath = share.sc.RunDirPath.Append(share.seal.id.String())
+	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath.String(), 0700)
+	share.seal.sys.UpdatePerm(share.runtimeSharePath.String(), acl.Execute)
 	return share.runtimeSharePath
 }

 // hsuUser stores post-hsu credentials and metadata
 type hsuUser struct {
-	// application id
+	// identity
 	aid *stringPair[int]
-	// target uid resolved by fid:aid
+	// target uid resolved by hid:aid
 	uid *stringPair[int]

 	// supplementary group ids
 	supp []string

 	// home directory host path
-	data string
+	data *container.Absolute
 	// app user home directory
-	home string
+	home *container.Absolute
 	// passwd database username
 	username string
 }
@ -159,6 +158,13 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 	}
 	seal.ctx = ctx

+	if config == nil {
+		return hlog.WrapErr(syscall.EINVAL, syscall.EINVAL.Error())
+	}
+	if config.Data == nil {
+		return hlog.WrapErr(os.ErrInvalid, "invalid data directory")
+	}
+
 	{
 		// encode initial configuration for state tracking
 		ct := new(bytes.Buffer)
@ -171,7 +177,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co

 	// allowed aid range 0 to 9999, this is checked again in hsu
 	if config.Identity < 0 || config.Identity > 9999 {
-		return hlog.WrapErr(ErrUser,
+		return hlog.WrapErr(ErrIdent,
 			fmt.Sprintf("identity %d out of range", config.Identity))
 	}

@ -188,11 +194,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		return hlog.WrapErr(ErrName,
 			fmt.Sprintf("invalid user name %q", seal.user.username))
 	}
-	if seal.user.data == "" || !path.IsAbs(seal.user.data) {
-		return hlog.WrapErr(ErrHome,
-			fmt.Sprintf("invalid home directory %q", seal.user.data))
-	}
-	if seal.user.home == "" {
+	if seal.user.home == nil {
 		seal.user.home = seal.user.data
 	}
 	if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil {
@ -210,26 +212,25 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}
 	}

-	// this also falls back to host path if encountering an invalid path
-	if !path.IsAbs(config.Shell) {
-		config.Shell = "/bin/sh"
-		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
-			config.Shell = s
-		}
-	}
-	// do not use the value of shell before this point
-
 	// permissive defaults
 	if config.Container == nil {
 		hlog.Verbose("container configuration not supplied, PROCEED WITH CAUTION")

+		if config.Shell == nil {
+			config.Shell = container.AbsFHSRoot.Append("bin", "sh")
+			s, _ := sys.LookupEnv(shell)
+			if a, err := container.NewAbs(s); err == nil {
+				config.Shell = a
+			}
+		}
+
 		// hsu clears the environment so resolve paths early
-		if !path.IsAbs(config.Path) {
+		if config.Path == nil {
 			if len(config.Args) > 0 {
 				if p, err := sys.LookPath(config.Args[0]); err != nil {
 					return hlog.WrapErr(err, err.Error())
-				} else {
-					config.Path = p
+				} else if config.Path, err = container.NewAbs(p); err != nil {
+					return hlog.WrapErr(err, err.Error())
 				}
 			} else {
 				config.Path = config.Shell
@ -242,26 +243,34 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 			Tty:     true,
 			AutoEtc: true,

-			AutoRoot:  "/",
+			AutoRoot:  container.AbsFHSRoot,
 			RootFlags: container.BindWritable,
 		}

 		// bind GPU stuff
-		if config.Enablements&(system.EX11|system.EWayland) != 0 {
-			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/dri", Device: true})
+		if config.Enablements.Unwrap()&(system.EX11|system.EWayland) != 0 {
+			conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}})
 		}
 		// opportunistically bind kvm
-		conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/kvm", Device: true})
+		conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("kvm"), Device: true, Optional: true}})

 		// hide nscd from container if present
-		const nscd = "/var/run/nscd"
-		if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
-			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Dst: nscd, Src: hst.SourceTmpfs})
+		nscd := container.AbsFHSVar.Append("run/nscd")
+		if _, err := sys.Stat(nscd.String()); !errors.Is(err, fs.ErrNotExist) {
+			conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Target: nscd}})
 		}

 		config.Container = conf
 	}

+	// late nil checks for pd behaviour
+	if config.Shell == nil {
+		return hlog.WrapErr(syscall.EINVAL, "invalid shell path")
+	}
+	if config.Path == nil {
+		return hlog.WrapErr(syscall.EINVAL, "invalid program path")
+	}
+
 	var mapuid, mapgid *stringPair[int]
 	{
 		var uid, gid int
@ -272,12 +281,8 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 			return hlog.WrapErrSuffix(err,
 				"cannot initialise container configuration:")
 		}
-		if !path.IsAbs(config.Path) {
-			return hlog.WrapErr(syscall.EINVAL,
-				"invalid program path")
-		}
 		if len(config.Args) == 0 {
-			config.Args = []string{config.Path}
+			config.Args = []string{config.Path.String()}
 		}
 		seal.container.Path = config.Path
 		seal.container.Args = config.Args
@ -290,56 +295,52 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 	}

 	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
-	innerRuntimeDir := path.Join("/run/user", mapuid.String())
-	seal.env[xdgRuntimeDir] = innerRuntimeDir
+	innerRuntimeDir := container.AbsFHSRunUser.Append(mapuid.String())
+	seal.env[xdgRuntimeDir] = innerRuntimeDir.String()
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"

 	share := &shareHost{seal: seal, sc: sys.Paths()}
 	seal.runDirPath = share.sc.RunDirPath
 	seal.sys = system.New(seal.user.uid.unwrap())
-	seal.sys.Ensure(share.sc.SharePath, 0711)
+	seal.sys.Ensure(share.sc.SharePath.String(), 0711)

 	{
-		runtimeDir := path.Join(share.sc.SharePath, "runtime")
-		seal.sys.Ensure(runtimeDir, 0700)
-		seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
-		runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
-		seal.sys.Ensure(runtimeDirInst, 0700)
-		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
-		seal.container.Tmpfs("/run/user", 1<<12, 0755)
+		runtimeDir := share.sc.SharePath.Append("runtime")
+		seal.sys.Ensure(runtimeDir.String(), 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDir.String(), acl.Execute)
+		runtimeDirInst := runtimeDir.Append(seal.user.aid.String())
+		seal.sys.Ensure(runtimeDirInst.String(), 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDirInst.String(), acl.Read, acl.Write, acl.Execute)
+		seal.container.Tmpfs(container.AbsFHSRunUser, 1<<12, 0755)
 		seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable)
 	}

 	{
-		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
-		seal.sys.Ensure(tmpdir, 0700)
-		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
-		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
-		seal.sys.Ensure(tmpdirInst, 01700)
-		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
+		tmpdir := share.sc.SharePath.Append("tmpdir")
+		seal.sys.Ensure(tmpdir.String(), 0700)
+		seal.sys.UpdatePermType(system.User, tmpdir.String(), acl.Execute)
+		tmpdirInst := tmpdir.Append(seal.user.aid.String())
+		seal.sys.Ensure(tmpdirInst.String(), 01700)
+		seal.sys.UpdatePermType(system.User, tmpdirInst.String(), acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", container.BindWritable)
+		seal.container.Bind(tmpdirInst, container.AbsFHSTmp, container.BindWritable)
 	}

 	{
-		homeDir := "/var/empty"
-		if seal.user.home != "" {
-			homeDir = seal.user.home
-		}
 		username := "chronos"
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
-		seal.container.Bind(seal.user.data, homeDir, container.BindWritable)
-		seal.container.Dir = homeDir
-		seal.env["HOME"] = homeDir
+		seal.container.Bind(seal.user.data, seal.user.home, container.BindWritable)
+		seal.container.Dir = seal.user.home
+		seal.env["HOME"] = seal.user.home.String()
 		seal.env["USER"] = username
-		seal.env[shell] = config.Shell
+		seal.env[shell] = config.Shell.String()

-		seal.container.Place("/etc/passwd",
-			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+homeDir+":"+config.Shell+"\n"))
-		seal.container.Place("/etc/group",
+		seal.container.Place(container.AbsFHSEtc.Append("passwd"),
+			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+seal.user.home.String()+":"+config.Shell.String()+"\n"))
+		seal.container.Place(container.AbsFHSEtc.Append("group"),
 			[]byte("hakurei:x:"+mapgid.String()+":\n"))
 	}

@ -348,19 +349,19 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.env[term] = t
 	}

-	if config.Enablements&system.EWayland != 0 {
+	if config.Enablements.Unwrap()&system.EWayland != 0 {
 		// outer wayland socket (usually `/run/user/%d/wayland-%d`)
-		var socketPath string
+		var socketPath *container.Absolute
 		if name, ok := sys.LookupEnv(wayland.WaylandDisplay); !ok {
 			hlog.Verbose(wayland.WaylandDisplay + " is not set, assuming " + wayland.FallbackName)
-			socketPath = path.Join(share.sc.RuntimePath, wayland.FallbackName)
-		} else if !path.IsAbs(name) {
-			socketPath = path.Join(share.sc.RuntimePath, name)
+			socketPath = share.sc.RuntimePath.Append(wayland.FallbackName)
+		} else if a, err := container.NewAbs(name); err != nil {
+			socketPath = share.sc.RuntimePath.Append(name)
 		} else {
-			socketPath = name
+			socketPath = a
 		}

-		innerPath := path.Join(innerRuntimeDir, wayland.FallbackName)
+		innerPath := innerRuntimeDir.Append(wayland.FallbackName)
 		seal.env[wayland.WaylandDisplay] = wayland.FallbackName

 		if !config.DirectWayland { // set up security-context-v1
@ -370,35 +371,61 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 				appID = "app.hakurei." + seal.id.String()
 			}
 			// downstream socket paths
-			outerPath := path.Join(share.instance(), "wayland")
-			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
+			outerPath := share.instance().Append("wayland")
+			seal.sys.Wayland(&seal.sync, outerPath.String(), socketPath.String(), appID, seal.id.String())
 			seal.container.Bind(outerPath, innerPath, 0)
 		} else { // bind mount wayland socket (insecure)
 			hlog.Verbose("direct wayland access, PROCEED WITH CAUTION")
 			share.ensureRuntimeDir()
 			seal.container.Bind(socketPath, innerPath, 0)
-			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
+			seal.sys.UpdatePermType(system.EWayland, socketPath.String(), acl.Read, acl.Write, acl.Execute)
 		}
 	}

-	if config.Enablements&system.EX11 != 0 {
+	if config.Enablements.Unwrap()&system.EX11 != 0 {
 		if d, ok := sys.LookupEnv(display); !ok {
 			return hlog.WrapErr(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
+			socketDir := container.AbsFHSTmp.Append(".X11-unix")
+
+			// the socket file at `/tmp/.X11-unix/X%d` is typically owned by the priv user
+			// and not accessible by the target user
+			var socketPath *container.Absolute
+			if len(d) > 1 && d[0] == ':' { // `:%d`
+				if n, err := strconv.Atoi(d[1:]); err == nil && n >= 0 {
+					socketPath = socketDir.Append("X" + strconv.Itoa(n))
+				}
+			} else if len(d) > 5 && strings.HasPrefix(d, "unix:") { // `unix:%s`
+				if a, err := container.NewAbs(d[5:]); err == nil {
+					socketPath = a
+				}
+			}
+			if socketPath != nil {
+				if _, err := sys.Stat(socketPath.String()); err != nil {
+					if !errors.Is(err, fs.ErrNotExist) {
+						return hlog.WrapErrSuffix(err,
+							fmt.Sprintf("cannot access X11 socket %q:", socketPath))
+					}
+				} else {
+					seal.sys.UpdatePermType(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
+					d = "unix:" + socketPath.String()
+				}
+			}
+
 			seal.sys.ChangeHosts("#" + seal.user.uid.String())
 			seal.env[display] = d
-			seal.container.Bind("/tmp/.X11-unix", "/tmp/.X11-unix", 0)
+			seal.container.Bind(socketDir, socketDir, 0)
 		}
 	}

-	if config.Enablements&system.EPulse != 0 {
+	if config.Enablements.Unwrap()&system.EPulse != 0 {
 		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
-		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
+		pulseRuntimeDir := share.sc.RuntimePath.Append("pulse")
 		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
-		pulseSocket := path.Join(pulseRuntimeDir, "native")
+		pulseSocket := pulseRuntimeDir.Append("native")

-		if _, err := sys.Stat(pulseRuntimeDir); err != nil {
+		if _, err := sys.Stat(pulseRuntimeDir.String()); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
@ -407,7 +434,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 				fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
 		}

-		if s, err := sys.Stat(pulseSocket); err != nil {
+		if s, err := sys.Stat(pulseSocket.String()); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
@ -422,39 +449,38 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}

 		// hard link pulse socket into target-executable share
-		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
-		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
-		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
+		innerPulseRuntimeDir := share.runtime().Append("pulse")
+		innerPulseSocket := innerRuntimeDir.Append("pulse", "native")
+		seal.sys.Link(pulseSocket.String(), innerPulseRuntimeDir.String())
 		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
-		seal.env[pulseServer] = "unix:" + innerPulseSocket
+		seal.env[pulseServer] = "unix:" + innerPulseSocket.String()

 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(sys); err != nil {
 			// not fatal
 			hlog.Verbose(strings.TrimSpace(err.(*hlog.BaseError).Message()))
 		} else {
-			innerDst := hst.Tmp + "/pulse-cookie"
-			seal.env[pulseCookie] = innerDst
+			innerDst := hst.AbsTmp.Append("/pulse-cookie")
+			seal.env[pulseCookie] = innerDst.String()
 			var payload *[]byte
 			seal.container.PlaceP(innerDst, &payload)
 			seal.sys.CopyFile(payload, src, 256, 256)
 		}
 	}

-	if config.Enablements&system.EDBus != 0 {
+	if config.Enablements.Unwrap()&system.EDBus != 0 {
 		// ensure dbus session bus defaults
 		if config.SessionBus == nil {
 			config.SessionBus = dbus.NewConfig(config.ID, true, true)
 		}

 		// downstream socket paths
-		sharePath := share.instance()
-		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
+		sessionPath, systemPath := share.instance().Append("bus"), share.instance().Append("system_bus_socket")

 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(
 			config.SessionBus, config.SystemBus,
-			sessionPath, systemPath,
+			sessionPath.String(), systemPath.String(),
 		); err != nil {
 			return err
 		} else {
@ -462,33 +488,29 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}

 		// share proxy sockets
-		sessionInner := path.Join(innerRuntimeDir, "bus")
-		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner
+		sessionInner := innerRuntimeDir.Append("bus")
+		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner.String()
 		seal.container.Bind(sessionPath, sessionInner, 0)
-		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
+		seal.sys.UpdatePerm(sessionPath.String(), acl.Read, acl.Write)
 		if config.SystemBus != nil {
-			systemInner := "/run/dbus/system_bus_socket"
-			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner
+			systemInner := container.AbsFHSRun.Append("dbus/system_bus_socket")
+			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner.String()
 			seal.container.Bind(systemPath, systemInner, 0)
-			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
+			seal.sys.UpdatePerm(systemPath.String(), acl.Read, acl.Write)
 		}
 	}

-	for _, dest := range config.Container.Cover {
-		seal.container.Tmpfs(dest, 1<<13, 0755)
-	}
-
 	// mount root read-only as the final setup Op
-	seal.container.Remount("/", syscall.MS_RDONLY)
+	seal.container.Remount(container.AbsFHSRoot, syscall.MS_RDONLY)

 	// append ExtraPerms last
 	for _, p := range config.ExtraPerms {
-		if p == nil {
+		if p == nil || p.Path == nil {
 			continue
 		}

 		if p.Ensure {
-			seal.sys.Ensure(p.Path, 0700)
+			seal.sys.Ensure(p.Path.String(), 0700)
 		}

 		perms := make(acl.Perms, 0, 3)
@ -501,7 +523,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		if p.Execute {
 			perms = append(perms, acl.Execute)
 		}
-		seal.sys.UpdatePermType(system.User, p.Path, perms...)
+		seal.sys.UpdatePermType(system.User, p.Path.String(), perms...)
 	}

 	// flatten and sort env for deterministic behaviour
--- a/internal/app/shim_linux.go
+++ b/internal/app/shim_linux.go
@ -64,7 +64,7 @@ func ShimMain() {
 		closeSetup func() error
 	)
 	if f, err := container.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, container.ErrInvalid) {
+		if errors.Is(err, syscall.EBADF) {
 			log.Fatal("invalid config descriptor")
 		}
 		if errors.Is(err, container.ErrNotSet) {
@ -157,13 +157,9 @@ func ShimMain() {
 		log.Fatalf("path %q is not a directory", params.Home)
 	}

-	var name string
-	if len(params.Container.Args) > 0 {
-		name = params.Container.Args[0]
-	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	cancelContainer.Store(&stop)
-	z := container.New(ctx, name)
+	z := container.New(ctx)
 	z.Params = *params.Container
 	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr

--- a/internal/sys/interface.go
+++ b/internal/sys/interface.go
@ -3,10 +3,11 @@ package sys

 import (
 	"io/fs"
+	"log"
 	"os/user"
-	"path"
 	"strconv"

+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 )
@ -50,18 +51,23 @@ type State interface {

 // CopyPaths is a generic implementation of [hst.Paths].
 func CopyPaths(os State, v *hst.Paths) {
-	v.SharePath = path.Join(os.TempDir(), "hakurei."+strconv.Itoa(os.Getuid()))
-
-	hlog.Verbosef("process share directory at %q", v.SharePath)
-
-	if r, ok := os.LookupEnv(xdgRuntimeDir); !ok || r == "" || !path.IsAbs(r) {
-		// fall back to path in share since hakurei has no hard XDG dependency
-		v.RunDirPath = path.Join(v.SharePath, "run")
-		v.RuntimePath = path.Join(v.RunDirPath, "compat")
+	if tempDir, err := container.NewAbs(os.TempDir()); err != nil {
+		log.Fatalf("invalid TMPDIR: %v", err)
 	} else {
-		v.RuntimePath = r
-		v.RunDirPath = path.Join(v.RuntimePath, "hakurei")
+		v.TempDir = tempDir
 	}

+	v.SharePath = v.TempDir.Append("hakurei." + strconv.Itoa(os.Getuid()))
+	hlog.Verbosef("process share directory at %q", v.SharePath)
+
+	r, _ := os.LookupEnv(xdgRuntimeDir)
+	if a, err := container.NewAbs(r); err != nil {
+		// fall back to path in share since hakurei has no hard XDG dependency
+		v.RunDirPath = v.SharePath.Append("run")
+		v.RuntimePath = v.RunDirPath.Append("compat")
+	} else {
+		v.RuntimePath = a
+		v.RunDirPath = v.RuntimePath.Append("hakurei")
+	}
 	hlog.Verbosef("runtime directory at %q", v.RunDirPath)
 }
--- a/internal/sys/std.go
+++ b/internal/sys/std.go
@ -86,7 +86,7 @@ func (s *Std) Uid(aid int) (int, error) {
 	cmd.Path = hsuPath
 	cmd.Stderr = os.Stderr // pass through fatal messages
 	cmd.Env = []string{"HAKUREI_APP_ID=" + strconv.Itoa(aid)}
-	cmd.Dir = "/"
+	cmd.Dir = container.FHSRoot
 	var (
 		p         []byte
 		exitError *exec.ExitError
--- a/ldd/exec.go
+++ b/ldd/exec.go
@ -5,13 +5,17 @@ import (
 	"context"
 	"io"
 	"os"
+	"os/exec"
 	"time"

 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 )

-const lddTimeout = 2 * time.Second
+const (
+	lddName    = "ldd"
+	lddTimeout = 2 * time.Second
+)

 var (
 	msgStatic      = []byte("Not a valid dynamic program")
@ -21,14 +25,25 @@ var (
 func Exec(ctx context.Context, p string) ([]*Entry, error) {
 	c, cancel := context.WithTimeout(ctx, lddTimeout)
 	defer cancel()
-	z := container.New(c, "ldd", p)
-	z.Hostname = "hakurei-ldd"
+
+	var toolPath *container.Absolute
+	if s, err := exec.LookPath(lddName); err != nil {
+		return nil, err
+	} else if toolPath, err = container.NewAbs(s); err != nil {
+		return nil, err
+	}
+
+	z := container.NewCommand(c, toolPath, lddName, p)
+	z.Hostname = "hakurei-" + lddName
 	z.SeccompFlags |= seccomp.AllowMultiarch
 	z.SeccompPresets |= seccomp.PresetStrict
 	stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
 	z.Stdout = stdout
 	z.Stderr = stderr
-	z.Bind("/", "/", 0).Proc("/proc").Dev("/dev")
+	z.
+		Bind(container.AbsFHSRoot, container.AbsFHSRoot, 0).
+		Proc(container.AbsFHSProc).
+		Dev(container.AbsFHSDev, false)

 	if err := z.Start(); err != nil {
 		return nil, err
--- a/ldd/path.go
+++ b/ldd/path.go
@ -1,21 +1,20 @@
 package ldd

 import (
-	"path"
-	"slices"
+	"hakurei.app/container"
 )

 // Path returns a deterministic, deduplicated slice of absolute directory paths in entries.
-func Path(entries []*Entry) []string {
-	p := make([]string, 0, len(entries)*2)
+func Path(entries []*Entry) []*container.Absolute {
+	p := make([]*container.Absolute, 0, len(entries)*2)
 	for _, entry := range entries {
-		if path.IsAbs(entry.Path) {
-			p = append(p, path.Dir(entry.Path))
+		if a, err := container.NewAbs(entry.Path); err == nil {
+			p = append(p, a.Dir())
 		}
-		if path.IsAbs(entry.Name) {
-			p = append(p, path.Dir(entry.Name))
+		if a, err := container.NewAbs(entry.Name); err == nil {
+			p = append(p, a.Dir())
 		}
 	}
-	slices.Sort(p)
-	return slices.Compact(p)
+	container.SortAbs(p)
+	return container.CompactAbs(p)
 }
--- a/nixos.nix
+++ b/nixos.nix
@ -102,8 +102,7 @@ in
                    };
                  command = if app.command == null then app.name else app.command;
                  script = if app.script == null then ("exec " + command + " $@") else app.script;
-                  enablements = with app.capability; (if wayland then 1 else 0) + (if x11 then 2 else 0) + (if dbus then 4 else 0) + (if pulse then 8 else 0);
-                  isGraphical = if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11;
+                  isGraphical = if app.gpu != null then app.gpu else app.enablements.wayland || app.enablements.x11;

                  conf = {
                    path =
@ -116,7 +115,7 @@ in
                        app.path;
                    args = if app.args == null then [ "${app.name}-start" ] else app.args;

-                    inherit id enablements;
+                    inherit id;

                    inherit (dbusConfig) session_bus system_bus;
                    direct_wayland = app.insecureWayland;
@ -124,7 +123,8 @@ in
                    username = getsubname fid app.identity;
                    data = getsubhome fid app.identity;

-                    inherit (app) identity groups;
+                    inherit (cfg) shell;
+                    inherit (app) identity groups enablements;

                    container = {
                      inherit (app)
@ -137,71 +137,87 @@ in
                        multiarch
                        env
                        ;
+                      scope_abstract = app.scopeAbstract;
                      map_real_uid = app.mapRealUid;

                      filesystem =
                        let
-                          bind = src: { inherit src; };
-                          mustBind = src: {
+                          bind = src: {
+                            type = "bind";
                            inherit src;
-                            require = true;
                          };
-                          devBind = src: {
+                          optBind = src: {
+                            type = "bind";
+                            inherit src;
+                            optional = true;
+                          };
+                          optDevBind = src: {
+                            type = "bind";
                            inherit src;
                            dev = true;
+                            optional = true;
                          };
                        in
                        [
-                          (mustBind "/bin")
-                          (mustBind "/usr/bin")
-                          (mustBind "/nix/store")
-                          (bind "/sys/block")
-                          (bind "/sys/bus")
-                          (bind "/sys/class")
-                          (bind "/sys/dev")
-                          (bind "/sys/devices")
+                          (bind "/bin")
+                          (bind "/usr/bin")
+                          (bind "/nix/store")
+                          (optBind "/sys/block")
+                          (optBind "/sys/bus")
+                          (optBind "/sys/class")
+                          (optBind "/sys/dev")
+                          (optBind "/sys/devices")
                        ]
                        ++ optionals app.nix [
-                          (mustBind "/nix/var")
+                          (bind "/nix/var")
                        ]
                        ++ optionals isGraphical [
-                          (devBind "/dev/dri")
-                          (devBind "/dev/nvidiactl")
-                          (devBind "/dev/nvidia-modeset")
-                          (devBind "/dev/nvidia-uvm")
-                          (devBind "/dev/nvidia-uvm-tools")
-                          (devBind "/dev/nvidia0")
+                          (optDevBind "/dev/dri")
+                          (optDevBind "/dev/nvidiactl")
+                          (optDevBind "/dev/nvidia-modeset")
+                          (optDevBind "/dev/nvidia-uvm")
+                          (optDevBind "/dev/nvidia-uvm-tools")
+                          (optDevBind "/dev/nvidia0")
                        ]
                        ++ optionals app.useCommonPaths cfg.commonPaths
                        ++ app.extraPaths;
                      auto_etc = true;

                      symlink = [
-                        [
-                          "*/run/current-system"
-                          "/run/current-system"
-                        ]
+                        {
+                          target = "/run/current-system";
+                          linkname = "*/run/current-system";
+                        }
                      ]
                      ++ optionals (isGraphical && config.hardware.graphics.enable) (
                        [
-                          [
-                            config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument
-                            "/run/opengl-driver"
-                          ]
+                          {
+                            target = "/run/opengl-driver";
+                            linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument;
+                          }
                        ]
                        ++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [
-                          [
-                            config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument
-                            /run/opengl-driver-32
-                          ]
+                          {
+                            target = "/run/opengl-driver-32";
+                            linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument;
+                          }
                        ]
                      );
                    };
-
                  };
+
+                  checkedConfig =
+                    name: value:
+                    let
+                      file = pkgs.writeText name (builtins.toJSON value);
+                    in
+                    pkgs.runCommand "checked-${name}" { nativeBuildInputs = [ cfg.package ]; } ''
+                      ln -vs ${file} "$out"
+                      hakurei show ${file}
+                    '';
                in
                pkgs.writeShellScriptBin app.name ''
-                  exec hakurei${if app.verbose then " -v" else ""} app ${pkgs.writeText "hakurei-app-${app.name}.json" (builtins.toJSON conf)} $@
+                  exec hakurei${if app.verbose then " -v" else ""} app ${checkedConfig "hakurei-app-${app.name}.json" conf} $@
                ''
              )
            ]
@ -210,7 +226,7 @@ in
                pkg = if app.share != null then app.share else pkgs.${app.name};
                copy = source: "[ -d '${source}' ] && cp -Lrv '${source}' $out/share || true";
              in
-              optional (app.capability.wayland || app.capability.x11) (
+              optional (app.enablements.wayland || app.enablements.x11) (
                pkgs.runCommand "${app.name}-share" { } ''
                  mkdir -p $out/share
                  ${copy "${pkg}/share/applications"}
--- a/options.md
+++ b/options.md
@ -572,6 +572,28 @@ boolean



+*Example:*
+` true `
+
+
+## environment\.hakurei\.apps\.\<name>\.scopeAbstract
+
+
+
+Whether to restrict abstract UNIX domain socket access\.
+
+
+
+*Type:*
+boolean
+
+
+
+*Default:*
+` true `
+
+
+
 *Example:*
 ` true `

--- a/options.nix
+++ b/options.nix
@ -3,38 +3,6 @@ packages:

 let
  inherit (lib) types mkOption mkEnableOption;
-
-  mountPoint =
-    let
-      inherit (types)
-        str
-        submodule
-        nullOr
-        listOf
-        ;
-    in
-    listOf (submodule {
-      options = {
-        dst = mkOption {
-          type = nullOr str;
-          default = null;
-          description = ''
-            Mount point in container, same as src if null.
-          '';
-        };
-
-        src = mkOption {
-          type = str;
-          description = ''
-            Host filesystem path to make available to the container.
-          '';
-        };
-
-        write = mkEnableOption "mounting path as writable";
-        dev = mkEnableOption "use of device files";
-        require = mkEnableOption "start failure if the bind mount cannot be established for any reason";
-      };
-    });
 in

 {
@ -214,6 +182,9 @@ in
              net = mkEnableOption "network access" // {
                default = true;
              };
+              scopeAbstract = mkEnableOption "abstract unix domain socket access" // {
+                default = true;
+              };

              nix = mkEnableOption "nix daemon access";
              mapRealUid = mkEnableOption "mapping to priv-user uid";
@ -234,16 +205,16 @@ in
              };

              extraPaths = mkOption {
-                type = mountPoint;
+                type = anything;
                default = [ ];
                description = ''
                  Extra paths to make available to the container.
                '';
              };

-              capability = {
+              enablements = {
                wayland = mkOption {
-                  type = bool;
+                  type = nullOr bool;
                  default = true;
                  description = ''
                    Whether to share the Wayland socket.
@ -251,7 +222,7 @@ in
                };

                x11 = mkOption {
-                  type = bool;
+                  type = nullOr bool;
                  default = false;
                  description = ''
                    Whether to share the X11 socket and allow connection.
@ -259,7 +230,7 @@ in
                };

                dbus = mkOption {
-                  type = bool;
+                  type = nullOr bool;
                  default = true;
                  description = ''
                    Whether to proxy D-Bus.
@ -267,7 +238,7 @@ in
                };

                pulse = mkOption {
-                  type = bool;
+                  type = nullOr bool;
                  default = true;
                  description = ''
                    Whether to share the PulseAudio socket and cookie.
@ -292,13 +263,21 @@ in
      };

      commonPaths = mkOption {
-        type = mountPoint;
+        type = types.anything;
        default = [ ];
        description = ''
          Common extra paths to make available to the container.
        '';
      };

+      shell = mkOption {
+        type = types.str;
+        default = "/run/current-system/sw/bin/bash";
+        description = ''
+          Absolute path to preferred shell.
+        '';
+      };
+
      stateDir = mkOption {
        type = types.str;
        description = ''
--- a/system/dbus/dbus_test.go
+++ b/system/dbus/dbus_test.go
@ -153,7 +153,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
 				t.Run("string", func(t *testing.T) {
 					wantSubstr := fmt.Sprintf("%s --args=3 --fd=4", os.Args[0])
 					if useSandbox {
-						wantSubstr = fmt.Sprintf(`argv: ["%s" "--args=3" "--fd=4"], filter: true, rules: 0, flags: 0x1, presets: 0xf`, os.Args[0])
+						wantSubstr = `argv: ["xdg-dbus-proxy" "--args=3" "--fd=4"], filter: true, rules: 0, flags: 0x1, presets: 0xf`
 					}
 					if got := p.String(); !strings.Contains(got, wantSubstr) {
 						t.Errorf("String: %q, want %q",
--- a/system/dbus/proc.go
+++ b/system/dbus/proc.go
@ -5,9 +5,6 @@ import (
 	"errors"
 	"os"
 	"os/exec"
-	"path"
-	"path/filepath"
-	"slices"
 	"strconv"
 	"syscall"

@ -43,28 +40,34 @@ func (p *Proxy) Start() error {
 			cmd.Env = make([]string, 0)
 		}, nil)
 	} else {
-		toolPath := p.name
-		if filepath.Base(p.name) == p.name {
-			if s, err := exec.LookPath(p.name); err != nil {
+		var toolPath *container.Absolute
+		if a, err := container.NewAbs(p.name); err != nil {
+			if p.name, err = exec.LookPath(p.name); err != nil {
+				return err
+			} else if toolPath, err = container.NewAbs(p.name); err != nil {
 				return err
-			} else {
-				toolPath = s
 			}
+		} else {
+			toolPath = a
 		}

-		var libPaths []string
-		if entries, err := ldd.Exec(ctx, toolPath); err != nil {
+		var libPaths []*container.Absolute
+		if entries, err := ldd.Exec(ctx, toolPath.String()); err != nil {
 			return err
 		} else {
 			libPaths = ldd.Path(entries)
 		}

 		p.helper = helper.New(
-			ctx, toolPath,
+			ctx, toolPath, "xdg-dbus-proxy",
 			p.final, true,
 			argF, func(z *container.Container) {
 				z.SeccompFlags |= seccomp.AllowMultiarch
 				z.SeccompPresets |= seccomp.PresetStrict
+
+				// xdg-dbus-proxy fails with scoped abstract unix sockets despite pathname socket being available
+				z.HostAbstract = true
+
 				z.Hostname = "hakurei-dbus"
 				if p.output != nil {
 					z.Stdout, z.Stderr = p.output, p.output
@ -76,42 +79,46 @@ func (p *Proxy) Start() error {
 				}

 				// upstream bus directories
-				upstreamPaths := make([]string, 0, 2)
+				upstreamPaths := make([]*container.Absolute, 0, 2)
 				for _, addr := range [][]AddrEntry{p.final.SessionUpstream, p.final.SystemUpstream} {
 					for _, ent := range addr {
 						if ent.Method != "unix" {
 							continue
 						}
 						for _, pair := range ent.Values {
-							if pair[0] != "path" || !path.IsAbs(pair[1]) {
+							if pair[0] != "path" {
 								continue
 							}
-							upstreamPaths = append(upstreamPaths, path.Dir(pair[1]))
+							if a, err := container.NewAbs(pair[1]); err != nil {
+								continue
+							} else {
+								upstreamPaths = append(upstreamPaths, a.Dir())
+							}
 						}
 					}
 				}
-				slices.Sort(upstreamPaths)
-				upstreamPaths = slices.Compact(upstreamPaths)
+				container.SortAbs(upstreamPaths)
+				upstreamPaths = container.CompactAbs(upstreamPaths)
 				for _, name := range upstreamPaths {
 					z.Bind(name, name, 0)
 				}

 				// parent directories of bind paths
-				sockDirPaths := make([]string, 0, 2)
-				if d := path.Dir(p.final.Session[1]); path.IsAbs(d) {
-					sockDirPaths = append(sockDirPaths, d)
+				sockDirPaths := make([]*container.Absolute, 0, 2)
+				if a, err := container.NewAbs(p.final.Session[1]); err == nil {
+					sockDirPaths = append(sockDirPaths, a.Dir())
 				}
-				if d := path.Dir(p.final.System[1]); path.IsAbs(d) {
-					sockDirPaths = append(sockDirPaths, d)
+				if a, err := container.NewAbs(p.final.System[1]); err == nil {
+					sockDirPaths = append(sockDirPaths, a.Dir())
 				}
-				slices.Sort(sockDirPaths)
-				sockDirPaths = slices.Compact(sockDirPaths)
+				container.SortAbs(sockDirPaths)
+				sockDirPaths = container.CompactAbs(sockDirPaths)
 				for _, name := range sockDirPaths {
 					z.Bind(name, name, container.BindWritable)
 				}

 				// xdg-dbus-proxy bin path
-				binPath := path.Dir(toolPath)
+				binPath := toolPath.Dir()
 				z.Bind(binPath, binPath, 0)
 			}, nil)
 	}
--- a/test/configuration.nix
+++ b/test/configuration.nix
@ -126,7 +126,7 @@
          wayland-utils
        ];
        command = "foot";
-        capability = {
+        enablements = {
          dbus = false;
          pulse = false;
        };
@ -141,7 +141,7 @@
        share = pkgs.foot;
        packages = [ ];
        command = "foot";
-        capability = {
+        enablements = {
          dbus = false;
          pulse = false;
        };
@ -154,7 +154,7 @@
        share = pkgs.foot;
        packages = [ pkgs.foot ];
        command = "foot";
-        capability.dbus = false;
+        enablements.dbus = false;
      };

      "cat.gensokyo.extern.Alacritty.x11" = {
@ -171,7 +171,7 @@
          mesa-demos
        ];
        command = "alacritty";
-        capability = {
+        enablements = {
          wayland = false;
          x11 = true;
          dbus = false;
@ -192,7 +192,7 @@
          wayland-utils
        ];
        command = "foot";
-        capability = {
+        enablements = {
          dbus = false;
          pulse = false;
        };
@ -204,7 +204,7 @@
        verbose = true;
        share = pkgs.strace;
        command = "strace true";
-        capability = {
+        enablements = {
          wayland = false;
          x11 = false;
          dbus = false;
--- a/test/interactive/configuration.nix
+++ b/test/interactive/configuration.nix
@ -0,0 +1,60 @@
+{ pkgs, ... }:
+{
+  system.stateVersion = "23.05";
+
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+      extraGroups = [ "wheel" ];
+    };
+    untrusted = {
+      isNormalUser = true;
+      description = "Untrusted user";
+      password = "foobar";
+      uid = 1001;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  security = {
+    sudo.wheelNeedsPassword = false;
+    rtkit.enable = true;
+  };
+
+  services = {
+    getty.autologinUser = "alice";
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
+  };
+
+  environment.variables = {
+    SWAYSOCK = "/tmp/sway-ipc.sock";
+    WLR_RENDERER = "pixman";
+  };
+
+  programs = {
+    sway.enable = true;
+
+    bash.loginShellInit = ''
+      if [ "$(tty)" = "/dev/tty1" ]; then
+        set -e
+
+        mkdir -p ~/.config/sway
+        (sed s/Mod4/Mod1/ /etc/sway/config &&
+        echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill') > ~/.config/sway/config
+
+        sway --validate
+        systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
+      fi
+    '';
+  };
+}
--- a/test/interactive/hakurei.nix
+++ b/test/interactive/hakurei.nix
@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  environment.hakurei = {
+    enable = true;
+    stateDir = "/var/lib/hakurei";
+    users.alice = 0;
+    apps = {
+      "cat.gensokyo.extern.foot.noEnablements" = {
+        name = "ne-foot";
+        identity = 1;
+        shareUid = true;
+        verbose = true;
+        share = pkgs.foot;
+        packages = [ pkgs.foot ];
+        command = "foot";
+        enablements = {
+          dbus = false;
+          pulse = false;
+        };
+      };
+    };
+
+    extraHomeConfig.home.stateVersion = "23.05";
+  };
+}
--- a/test/interactive/trace.nix
+++ b/test/interactive/trace.nix
@ -0,0 +1,28 @@
+{ lib, pkgs, ... }:
+let
+  tracing = name: "\"/sys/kernel/debug/tracing/${name}\"";
+in
+{
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "hakurei-set-up-tracing" ''
+      set -e
+      echo "$1" > ${tracing "set_graph_function"}
+      echo function_graph > ${tracing "current_tracer"}
+      echo funcgraph-tail > ${tracing "trace_options"}
+      echo funcgraph-retval > ${tracing "trace_options"}
+      echo nofuncgraph-cpu > ${tracing "trace_options"}
+      echo nofuncgraph-overhead > ${tracing "trace_options"}
+      echo nofuncgraph-duration > ${tracing "trace_options"}
+    '')
+    (pkgs.writeShellScriptBin "hakurei-print-trace" "exec cat ${tracing "trace"}")
+    (pkgs.writeShellScriptBin "hakurei-consume-trace" "exec cat ${tracing "trace_pipe"}")
+  ];
+
+  boot.kernelPatches = [
+    {
+      name = "funcgraph-retval";
+      patch = null;
+      extraStructuredConfig.FUNCTION_GRAPH_RETVAL = lib.kernel.yes;
+    }
+  ];
+}
--- a/test/interactive/vm.nix
+++ b/test/interactive/vm.nix
@ -0,0 +1,56 @@
+{
+  virtualisation.vmVariant.virtualisation = {
+    memorySize = 4096;
+    qemu.options = [
+      "-vga none -device virtio-gpu-pci"
+      "-smp 8"
+    ];
+
+    mountHostNixStore = true;
+    writableStore = true;
+    writableStoreUseTmpfs = false;
+
+    sharedDirectories = {
+      cwd = {
+        target = "/mnt/.ro-cwd";
+        source = ''"$OLDPWD"'';
+        securityModel = "none";
+      };
+    };
+
+    fileSystems = {
+      "/mnt/.ro-cwd".options = [
+        "ro"
+        "noatime"
+      ];
+      "/mnt/cwd".overlay = {
+        lowerdir = [ "/mnt/.ro-cwd" ];
+        upperdir = "/tmp/.cwd/upper";
+        workdir = "/tmp/.cwd/work";
+      };
+
+      "/mnt/src".overlay = {
+        lowerdir = [ ../.. ];
+        upperdir = "/tmp/.src/upper";
+        workdir = "/tmp/.src/work";
+      };
+    };
+  };
+
+  systemd.services = {
+    logrotate-checkconf.enable = false;
+    hakurei-src-fix-ownership = {
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "mnt-src.mount" ];
+      after = [ "mnt-src.mount" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        chown -R alice:users /mnt/src/
+        chmod -R +w /mnt/src/
+      '';
+    };
+  };
+}
--- a/test/sandbox/assert.go
+++ b/test/sandbox/assert.go
@ -15,6 +15,7 @@ import (
 	"errors"
 	"io/fs"
 	"log"
+	"net"
 	"os"
 	"syscall"
 )
@ -33,6 +34,10 @@ type TestCase struct {
 	FS      *FS               `json:"fs"`
 	Mount   []*MountinfoEntry `json:"mount"`
 	Seccomp bool              `json:"seccomp"`
+
+	TrySocket      string `json:"try_socket,omitempty"`
+	SocketAbstract bool   `json:"socket_abstract,omitempty"`
+	SocketPathname bool   `json:"socket_pathname,omitempty"`
 }

 type T struct {
@ -125,6 +130,47 @@ func (t *T) MustCheck(want *TestCase) {
 	} else {
 		printf("[SKIP] skipping seccomp check")
 	}
+
+	if want.TrySocket != "" {
+		abstractConn, abstractErr := net.Dial("unix", "@"+want.TrySocket)
+		pathnameConn, pathnameErr := net.Dial("unix", want.TrySocket)
+		ok := true
+
+		if abstractErr == nil {
+			if err := abstractConn.Close(); err != nil {
+				ok = false
+				log.Printf("Close: %v", err)
+			}
+		}
+		if pathnameErr == nil {
+			if err := pathnameConn.Close(); err != nil {
+				ok = false
+				log.Printf("Close: %v", err)
+			}
+		}
+
+		abstractWantErr := error(syscall.EPERM)
+		pathnameWantErr := error(syscall.ENOENT)
+		if want.SocketAbstract {
+			abstractWantErr = nil
+		}
+		if want.SocketPathname {
+			pathnameWantErr = nil
+		}
+
+		if !errors.Is(abstractErr, abstractWantErr) {
+			ok = false
+			log.Printf("abstractErr: %v, want %v", abstractErr, abstractWantErr)
+		}
+		if !errors.Is(pathnameErr, pathnameWantErr) {
+			ok = false
+			log.Printf("pathnameErr: %v, want %v", pathnameErr, pathnameWantErr)
+		}
+
+		if !ok {
+			os.Exit(1)
+		}
+	}
 }

 func MustCheckFilter(pid int, want string) {
--- a/test/sandbox/case/default.nix
+++ b/test/sandbox/case/default.nix
@ -50,6 +50,9 @@ let
        useCommonPaths
        userns
        ;
+      enablements = {
+        inherit (tc) x11;
+      };
      share = testProgram;
      packages = [ ];
      path = "${testProgram}/bin/hakurei-test";
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@ -25,6 +25,7 @@ in
  mapRealUid = false;
  useCommonPaths = true;
  userns = false;
+  x11 = true;

  # 0, PresetStrict
  expectedFilter = {
@ -35,6 +36,7 @@ in
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "DISPLAY=unix:/tmp/.X11-unix/X0"
      "HOME=/var/lib/hakurei/u0/a4"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
@ -47,7 +49,10 @@ in
    ];

    fs = fs "dead" {
-      ".hakurei" = fs "800001ed" { } null;
+      ".hakurei" = fs "800001ed" {
+        ".ro-store" = fs "801001fd" null null;
+        store = fs "800001ff" null null;
+      } null;
      bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
      dev = fs "800001ed" null null;
      etc = fs "800001ed" {
@ -158,7 +163,9 @@ in
        } null;
        devices = fs "800001ed" null null;
      } null;
-      tmp = fs "800001f8" { } null;
+      tmp = fs "800001f8" {
+        ".X11-unix" = fs "801001ff" { X0 = fs "10001fd" null null; } null;
+      } null;
      usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
      var = fs "800001c0" {
        lib = fs "800001c0" {
@ -218,6 +225,8 @@ in
      (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
      (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
+      (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
      (ent "/tmp/hakurei.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -226,10 +235,15 @@ in
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = false;
+    socket_pathname = true;
  };
 }
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@ -34,6 +34,7 @@ in
  mapRealUid = true;
  useCommonPaths = true;
  userns = false;
+  x11 = false;

  # 0, PresetStrict
  expectedFilter = {
@ -56,7 +57,10 @@ in
    ];

    fs = fs "dead" {
-      ".hakurei" = fs "800001ed" { } null;
+      ".hakurei" = fs "800001ed" {
+        ".ro-store" = fs "801001fd" null null;
+        store = fs "800001ff" null null;
+      } null;
      bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
      dev = fs "800001ed" {
        core = fs "80001ff" null null;
@ -229,7 +233,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -248,6 +252,8 @@ in
      (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
      (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
+      (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
      (ent "/tmp/hakurei.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -261,5 +267,9 @@ in
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = false;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@ -170,7 +170,7 @@
      (ent "/var" "/var" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000000,gid=1000000")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000000,gid=1000000")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@ -34,6 +34,7 @@ in
  mapRealUid = false;
  useCommonPaths = false;
  userns = true;
+  x11 = false;

  # 0, PresetExt | PresetDenyDevel
  expectedFilter = {
@ -229,7 +230,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000005,gid=1000005")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000005,gid=1000005")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -261,5 +262,9 @@ in
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = false;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@ -34,6 +34,7 @@ in
  mapRealUid = false;
  useCommonPaths = false;
  userns = false;
+  x11 = false;

  # 0, PresetStrict
  expectedFilter = {
@ -228,7 +229,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -259,5 +260,9 @@ in
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = false;
+    socket_pathname = false;
  };
 }
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@ -34,6 +34,7 @@ in
  mapRealUid = false;
  useCommonPaths = true;
  userns = false;
+  x11 = true;

  # 0, PresetExt | PresetDenyNS | PresetDenyDevel
  expectedFilter = {
@ -44,6 +45,7 @@ in
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
+      "DISPLAY=unix:/tmp/.X11-unix/X0"
      "HOME=/var/lib/hakurei/u0/a2"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
@ -56,7 +58,10 @@ in
    ];

    fs = fs "dead" {
-      ".hakurei" = fs "800001ed" { } null;
+      ".hakurei" = fs "800001ed" {
+        ".ro-store" = fs "801001fd" null null;
+        store = fs "800001ff" null null;
+      } null;
      bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
      dev = fs "800001ed" {
        console = fs "4200190" null null;
@ -185,7 +190,9 @@ in
        } null;
        devices = fs "800001ed" null null;
      } null;
-      tmp = fs "800001f8" { } null;
+      tmp = fs "800001f8" {
+        ".X11-unix" = fs "801001ff" { X0 = fs "10001fd" null null; } null;
+      } null;
      usr = fs "800001c0" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
      var = fs "800001c0" {
        lib = fs "800001c0" {
@ -230,7 +237,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -250,6 +257,8 @@ in
      (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
      (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
+      (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,uuid=on,userxattr")
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
      (ent "/tmp/hakurei.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -258,10 +267,15 @@ in
      (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
      (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
      (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+      (ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
      (ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
    ];

    seccomp = true;
+
+    try_socket = "/tmp/.X11-unix/X0";
+    socket_abstract = false;
+    socket_pathname = true;
  };
 }
--- a/test/sandbox/configuration.nix
+++ b/test/sandbox/configuration.nix
@ -78,9 +78,28 @@ in

    commonPaths = [
      {
+        type = "bind";
        src = "/var/cache";
        write = true;
      }
+      {
+        type = "overlay";
+        dst = "/.hakurei/.ro-store";
+        lower = [
+          "/nix/.ro-store"
+          "/nix/.rw-store/upper"
+        ];
+      }
+      {
+        type = "overlay";
+        dst = "/.hakurei/store";
+        lower = [
+          "/nix/.ro-store"
+          "/nix/.rw-store/upper"
+        ];
+        upper = "/tmp/.hakurei-store-rw/upper";
+        work = "/tmp/.hakurei-store-rw/work";
+      }
    ];

    inherit (testCases) apps;
--- a/test/sandbox/test.py
+++ b/test/sandbox/test.py
@ -27,7 +27,7 @@ def swaymsg(command: str = "", succeed=True, type="command"):

 def check_filter(check_offset, name, pname):
    pid = int(machine.wait_until_succeeds(f"pgrep -U {1000000+check_offset} -x {pname}", timeout=15))
-    hash = machine.succeed(f"sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 WAYLAND_DISPLAY=wayland-1 check-sandbox-{name} hash 2>/dev/null")
+    hash = machine.succeed(f"sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 WAYLAND_DISPLAY=wayland-1 check-sandbox-{name} hash")
    print(machine.succeed(f"hakurei-test -s {hash} filter {pid}"))


@ -55,6 +55,7 @@ print(machine.fail("sudo -u alice -i hakurei run capsh --has-p=CAP_SYS_ADMIN"))
 print(machine.fail("sudo -u alice -i hakurei run umount -R /dev"))

 # Check sandbox outcome:
+machine.succeed("install -dm0777 /tmp/.hakurei-store-rw/{upper,work}")
 check_offset = 0
 def check_sandbox(name):
    global check_offset
--- a/test/test.py
+++ b/test/test.py
@ -206,7 +206,7 @@ wait_for_window(f"u0_a{aid(0)}@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/client-ok\n")
 machine.wait_for_file(tmpdir_path(0, "client-ok"), timeout=15)
 collect_state_ui("foot_wayland")
-check_state("ne-foot", 1)
+check_state("ne-foot", {"wayland": True})
 # Verify lack of acl on XDG_RUNTIME_DIR:
 machine.fail(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(0) + 1000000}")
 machine.send_chars("exit\n")
@ -219,7 +219,7 @@ wait_for_window(f"u0_a{aid(1)}@machine")
 machine.send_chars("clear; pactl info && touch /tmp/pulse-ok\n")
 machine.wait_for_file(tmpdir_path(1, "pulse-ok"), timeout=15)
 collect_state_ui("pulse_wayland")
-check_state("pa-foot", 9)
+check_state("pa-foot", {"wayland": True, "pulse": True})
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)

@ -229,7 +229,7 @@ wait_for_window(f"u0_a{aid(0)}@machine")
 machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n")
 machine.wait_for_file(tmpdir_path(0, "x11-ok"), timeout=15)
 collect_state_ui("alacritty_x11")
-check_state("x11-alacritty", 2)
+check_state("x11-alacritty", {"x11": True})
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep alacritty", timeout=5)

@ -239,7 +239,7 @@ wait_for_window(f"u0_a{aid(3)}@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/direct-ok\n")
 collect_state_ui("foot_direct")
 machine.wait_for_file(tmpdir_path(3, "direct-ok"), timeout=15)
-check_state("da-foot", 1)
+check_state("da-foot", {"wayland": True})
 # Verify acl on XDG_RUNTIME_DIR:
 print(machine.succeed(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(3) + 1000000}"))
 machine.send_chars("exit\n")
@ -259,7 +259,7 @@ machine.send_key("alt-h")
 machine.send_chars("clear; hakurei show $(hakurei ps --short) && touch /tmp/ps-show-ok && exec cat\n")
 machine.wait_for_file("/tmp/ps-show-ok", timeout=5)
 collect_state_ui("foot_wayland_term")
-check_state("ne-foot", 1)
+check_state("ne-foot", {"wayland": True})
 machine.send_key("alt-l")
 machine.send_chars("exit\n")
 wait_for_window("alice@machine")