container/path: remove unused path

Signed-off-by: Ophestra <cat@gensokyo.uk>
hst/fs: interface filesystem config
2025-08-14 05:00:09 +09:00 · 2025-08-14 04:52:49 +09:00 · 2025-08-11 04:56:42 +09:00 · 2025-08-10 03:11:10 +09:00 · 2025-08-09 19:08:54 +09:00 · 2025-08-09 18:53:46 +09:00
67 changed files with 2962 additions and 946 deletions
--- a/.github/workflows/README
+++ b/.github/workflows/README
@ -1 +1,5 @@
-This port is solely for releasing to the github mirror and serves no purpose during development.
+DO NOT ADD NEW ACTIONS HERE
+
+This port is solely for releasing to the github mirror and serves no purpose during development.
+All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
+request for an account on git.gensokyo.uk.
--- a/.gitignore
+++ b/.gitignore
@ -29,4 +29,7 @@ go.work.sum
 /cmd/hakurei/LICENSE

 # release
-/dist/hakurei-*
+/dist/hakurei-*
+
+# interactive nixos vm
+nixos.qcow2
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@ -14,6 +14,7 @@ import (
 	"time"

 	"hakurei.app/command"
+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/app"
@ -94,7 +95,7 @@ func buildCommand(out io.Writer) command.Command {
 							Gid:      us,
 							Username: "chronos",
 							Name:     "Hakurei Permissive Default",
-							HomeDir:  "/var/empty",
+							HomeDir:  container.FHSVarEmpty,
 						}
 					} else {
 						passwd = u
@ -114,9 +115,15 @@ func buildCommand(out io.Writer) command.Command {

 			config.Identity = aid
 			config.Groups = groups
-			config.Data = homeDir
 			config.Username = userName

+			if a, err := container.NewAbs(homeDir); err != nil {
+				log.Fatal(err.Error())
+				return err
+			} else {
+				config.Data = a
+			}
+
 			if wayland {
 				config.Enablements |= system.EWayland
 			}
@ -212,7 +219,7 @@ func buildCommand(out io.Writer) command.Command {

 	var psFlagShort bool
 	c.NewCommand("ps", "List active instances", func(args []string) error {
-		printPs(os.Stdout, time.Now().UTC(), state.NewMulti(std.Paths().RunDirPath), psFlagShort, flagJSON)
+		printPs(os.Stdout, time.Now().UTC(), state.NewMulti(std.Paths().RunDirPath.String()), psFlagShort, flagJSON)
 		return errSuccess
 	}).Flag(&psFlagShort, "short", command.BoolFlag(false), "Print instance id")

--- a/cmd/hakurei/parse.go
+++ b/cmd/hakurei/parse.go
@ -87,7 +87,7 @@ func tryShort(name string) (config *hst.Config, entry *state.State) {
 	if likePrefix && len(name) >= 8 {
 		hlog.Verbose("argument looks like prefix")

-		s := state.NewMulti(std.Paths().RunDirPath)
+		s := state.NewMulti(std.Paths().RunDirPath.String())
 		if entries, err := state.Join(s); err != nil {
 			log.Printf("cannot join store: %v", err)
 			// drop to fetch from file
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@ -12,6 +12,7 @@ import (
 	"text/tabwriter"
 	"time"

+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
 	"hakurei.app/internal/hlog"
@ -77,13 +78,13 @@ func printShowInstance(
 	if len(config.Groups) > 0 {
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
-	if config.Data != "" {
+	if config.Data != nil {
 		t.Printf(" Data:\t%s\n", config.Data)
 	}
 	if config.Container != nil {
-		container := config.Container
-		if container.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", container.Hostname)
+		params := config.Container
+		if params.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", params.Hostname)
 		}
 		flags := make([]string, 0, 7)
 		writeFlag := func(name string, value bool) {
@ -91,34 +92,32 @@ func printShowInstance(
 				flags = append(flags, name)
 			}
 		}
-		writeFlag("userns", container.Userns)
-		writeFlag("devel", container.Devel)
-		writeFlag("net", container.Net)
-		writeFlag("device", container.Device)
-		writeFlag("tty", container.Tty)
-		writeFlag("mapuid", container.MapRealUID)
+		writeFlag("userns", params.Userns)
+		writeFlag("devel", params.Devel)
+		writeFlag("net", params.Net)
+		writeFlag("device", params.Device)
+		writeFlag("tty", params.Tty)
+		writeFlag("mapuid", params.MapRealUID)
 		writeFlag("directwl", config.DirectWayland)
-		writeFlag("autoetc", container.AutoEtc)
+		writeFlag("autoetc", params.AutoEtc)
 		if len(flags) == 0 {
 			flags = append(flags, "none")
 		}
 		t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))

-		if container.AutoRoot != "" {
-			t.Printf(" Root:\t%s (%d)\n", container.AutoRoot, container.RootFlags)
+		if params.AutoRoot != nil {
+			t.Printf(" Root:\t%s (%d)\n", params.AutoRoot, params.RootFlags)
 		}

-		etc := container.Etc
-		if etc == "" {
-			etc = "/etc"
+		etc := params.Etc
+		if etc == nil {
+			etc = container.AbsFHSEtc
 		}
 		t.Printf(" Etc:\t%s\n", etc)

-		if len(container.Cover) > 0 {
-			t.Printf(" Cover:\t%s\n", strings.Join(container.Cover, " "))
+		if config.Path != nil {
+			t.Printf(" Path:\t%s\n", config.Path)
 		}
-
-		t.Printf(" Path:\t%s\n", config.Path)
 	}
 	if len(config.Args) > 0 {
 		t.Printf(" Arguments:\t%s\n", strings.Join(config.Args, " "))
@ -129,30 +128,11 @@ func printShowInstance(
 		if config.Container != nil && len(config.Container.Filesystem) > 0 {
 			t.Printf("Filesystem\n")
 			for _, f := range config.Container.Filesystem {
-				if f == nil {
+				if !f.Valid() {
+					t.Println(" <invalid>")
 					continue
 				}
-
-				expr := new(strings.Builder)
-				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
-
-				if f.Device {
-					expr.WriteString(" d")
-				} else if f.Write {
-					expr.WriteString(" w")
-				} else {
-					expr.WriteString(" ")
-				}
-				if f.Must {
-					expr.WriteString("*")
-				} else {
-					expr.WriteString("+")
-				}
-				expr.WriteString(f.Src)
-				if f.Dst != "" {
-					expr.WriteString(":" + f.Dst)
-				}
-				t.Printf("%s\n", expr.String())
+				t.Printf(" %s\n", f)
 			}
 			t.Printf("\n")
 		}
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@ -43,16 +43,15 @@ func Test_printShowInstance(t *testing.T) {
 Hostname:       localhost
 Flags:          userns devel net device tty mapuid autoetc
 Root:           /var/lib/hakurei/base/org.debian (2)
- Etc:            /etc
- Cover:          /var/run/nscd
+ Etc:            /etc/
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland

 Filesystem
- +/nix/store
- +/run/current-system
- +/run/opengl-driver
- +/var/db/nix-channels
+ w+ephemeral(-rwxr-xr-x):/tmp/
+ */nix/store
+ */run/current-system
+ */run/opengl-driver
 w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
 d+/dev/dri

@ -83,18 +82,17 @@ App
 Identity:       0
 Enablements:    (no enablements)
 Flags:          none
- Etc:            /etc
- Path:           
+ Etc:            /etc/

 `},
-		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]*hst.FilesystemConfig, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
+		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
 Identity:       0
 Enablements:    (no enablements)
 Flags:          none
- Etc:            /etc
- Path:           
+ Etc:            /etc/

 Filesystem
+ <invalid>

 Extra ACL

@ -123,16 +121,15 @@ App
 Hostname:       localhost
 Flags:          userns devel net device tty mapuid autoetc
 Root:           /var/lib/hakurei/base/org.debian (2)
- Etc:            /etc
- Cover:          /var/run/nscd
+ Etc:            /etc/
 Path:           /run/current-system/sw/bin/chromium
 Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland

 Filesystem
- +/nix/store
- +/run/current-system
- +/run/opengl-driver
- +/var/db/nix-channels
+ w+ephemeral(-rwxr-xr-x):/tmp/
+ */nix/store
+ */run/current-system
+ */run/opengl-driver
 w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
 d+/dev/dri

@ -276,41 +273,46 @@ App
      "device": true,
      "filesystem": [
        {
+          "type": "ephemeral",
+          "dst": "/tmp/",
+          "write": true,
+          "perm": 493
+        },
+        {
+          "type": "bind",
          "src": "/nix/store"
        },
        {
+          "type": "bind",
          "src": "/run/current-system"
        },
        {
+          "type": "bind",
          "src": "/run/opengl-driver"
        },
        {
-          "src": "/var/db/nix-channels"
-        },
-        {
+          "type": "bind",
          "dst": "/data/data/org.chromium.Chromium",
          "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-          "write": true,
-          "require": true
+          "write": true
        },
        {
+          "type": "bind",
          "src": "/dev/dri",
-          "dev": true
+          "dev": true,
+          "optional": true
        }
      ],
      "symlink": [
-        [
-          "/run/user/65534",
-          "/run/user/150"
-        ]
+        {
+          "target": "/run/user/65534",
+          "linkname": "/run/user/150"
+        }
      ],
      "auto_root": "/var/lib/hakurei/base/org.debian",
      "root_flags": 2,
-      "etc": "/etc",
-      "auto_etc": true,
-      "cover": [
-        "/var/run/nscd"
-      ]
+      "etc": "/etc/",
+      "auto_etc": true
    }
  },
  "time": "1970-01-01T00:00:00.000000009Z"
@ -406,41 +408,46 @@ App
    "device": true,
    "filesystem": [
      {
+        "type": "ephemeral",
+        "dst": "/tmp/",
+        "write": true,
+        "perm": 493
+      },
+      {
+        "type": "bind",
        "src": "/nix/store"
      },
      {
+        "type": "bind",
        "src": "/run/current-system"
      },
      {
+        "type": "bind",
        "src": "/run/opengl-driver"
      },
      {
-        "src": "/var/db/nix-channels"
-      },
-      {
+        "type": "bind",
        "dst": "/data/data/org.chromium.Chromium",
        "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-        "write": true,
-        "require": true
+        "write": true
      },
      {
+        "type": "bind",
        "src": "/dev/dri",
-        "dev": true
+        "dev": true,
+        "optional": true
      }
    ],
    "symlink": [
-      [
-        "/run/user/65534",
-        "/run/user/150"
-      ]
+      {
+        "target": "/run/user/65534",
+        "linkname": "/run/user/150"
+      }
    ],
    "auto_root": "/var/lib/hakurei/base/org.debian",
    "root_flags": 2,
-    "etc": "/etc",
-    "auto_etc": true,
-    "cover": [
-      "/var/run/nscd"
-    ]
+    "etc": "/etc/",
+    "auto_etc": true
  }
 }
 `},
@ -590,41 +597,46 @@ func Test_printPs(t *testing.T) {
        "device": true,
        "filesystem": [
          {
+            "type": "ephemeral",
+            "dst": "/tmp/",
+            "write": true,
+            "perm": 493
+          },
+          {
+            "type": "bind",
            "src": "/nix/store"
          },
          {
+            "type": "bind",
            "src": "/run/current-system"
          },
          {
+            "type": "bind",
            "src": "/run/opengl-driver"
          },
          {
-            "src": "/var/db/nix-channels"
-          },
-          {
+            "type": "bind",
            "dst": "/data/data/org.chromium.Chromium",
            "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-            "write": true,
-            "require": true
+            "write": true
          },
          {
+            "type": "bind",
            "src": "/dev/dri",
-            "dev": true
+            "dev": true,
+            "optional": true
          }
        ],
        "symlink": [
-          [
-            "/run/user/65534",
-            "/run/user/150"
-          ]
+          {
+            "target": "/run/user/65534",
+            "linkname": "/run/user/150"
+          }
        ],
        "auto_root": "/var/lib/hakurei/base/org.debian",
        "root_flags": 2,
-        "etc": "/etc",
-        "auto_etc": true,
-        "cover": [
-          "/var/run/nscd"
-        ]
+        "etc": "/etc/",
+        "auto_etc": true
      }
    },
    "time": "1970-01-01T00:00:00.000000009Z"
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@ -4,8 +4,8 @@ import (
 	"encoding/json"
 	"log"
 	"os"
-	"path"

+	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/system"
@ -55,18 +55,18 @@ type appInfo struct {
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
-	Launcher string `json:"launcher"`
+	Launcher *container.Absolute `json:"launcher"`
 	// store path to /run/current-system
-	CurrentSystem string `json:"current_system"`
+	CurrentSystem *container.Absolute `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }

-func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *hst.Config {
+func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, argv []string, flagDropShell bool) *hst.Config {
 	config := &hst.Config{
 		ID: app.ID,

-		Path: argv[0],
+		Path: pathname,
 		Args: argv,

 		Enablements: app.Enablements,
@ -76,9 +76,9 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 		DirectWayland: app.DirectWayland,

 		Username: "hakurei",
-		Shell:    shellPath,
+		Shell:    pathShell,
 		Data:     pathSet.homeDir,
-		Dir:      path.Join("/data/data", app.ID),
+		Dir:      pathDataData.Append(app.ID),

 		Identity: app.Identity,
 		Groups:   app.Groups,
@ -91,22 +91,22 @@ func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool
 			Device:     app.Device,
 			Tty:        app.Tty || flagDropShell,
 			MapRealUID: app.MapRealUID,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-				{Src: pathSet.metaPath, Dst: path.Join(hst.Tmp, "app"), Must: true},
-				{Src: "/etc/resolv.conf"},
-				{Src: "/sys/block"},
-				{Src: "/sys/bus"},
-				{Src: "/sys/class"},
-				{Src: "/sys/dev"},
-				{Src: "/sys/devices"},
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append("store"), Dst: pathNixStore}},
+				{FilesystemConfig: &hst.FSBind{Src: pathSet.metaPath, Dst: hst.AbsTmp.Append("app")}},
+				{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}},
+				{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}},
 			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
+			Link: []hst.LinkConfig{
+				{pathCurrentSystem, app.CurrentSystem.String()},
+				{pathBin, pathSwBin.String()},
+				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			Etc:     pathSet.cacheDir.Append("etc"),
 			AutoEtc: true,
 		},
 		ExtraPerms: []*hst.ExtraPermConfig{
@ -140,6 +140,14 @@ func loadAppInfo(name string, beforeFail func()) *appInfo {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
+	if bundle.Launcher == nil {
+		beforeFail()
+		log.Fatal("launcher must not be empty")
+	}
+	if bundle.CurrentSystem == nil {
+		beforeFail()
+		log.Fatal("current-system must not be empty")
+	}

 	return bundle
 }
--- a/cmd/hpkg/main.go
+++ b/cmd/hpkg/main.go
@ -11,20 +11,19 @@ import (
 	"syscall"

 	"hakurei.app/command"
+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 )

-const shellPath = "/run/current-system/sw/bin/bash"
-
 var (
 	errSuccess = errors.New("success")
 )

 func init() {
 	hlog.Prepare("hpkg")
-	if err := os.Setenv("SHELL", shellPath); err != nil {
+	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 }
@ -81,31 +80,32 @@ func main() {
 				Extract package and set up for cleanup.
 			*/

-			var workDir string
+			var workDir *container.Absolute
 			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
-			} else {
-				workDir = p
+			} else if workDir, err = container.NewAbs(p); err != nil {
+				log.Printf("invalid temporary directory: %v", err)
+				return err
 			}
 			cleanup := func() {
 				// should be faster than a native implementation
-				mustRun(chmod, "-R", "+w", workDir)
-				mustRun(rm, "-rf", workDir)
+				mustRun(chmod, "-R", "+w", workDir.String())
+				mustRun(rm, "-rf", workDir.String())
 			}
 			beforeRunFail.Store(&cleanup)

-			mustRun(tar, "-C", workDir, "-xf", pkgPath)
+			mustRun(tar, "-C", workDir.String(), "-xf", pkgPath)

 			/*
 				Parse bundle and app metadata, do pre-install checks.
 			*/

-			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
+			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
 			pathSet := pathSetByApp(bundle.ID)

 			a := bundle
-			if s, err := os.Stat(pathSet.metaPath); err != nil {
+			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
 				if !os.IsNotExist(err) {
 					cleanup()
 					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
@ -117,7 +117,7 @@ func main() {
 				log.Printf("metadata path %q is not a file", pathSet.metaPath)
 				return syscall.EBADMSG
 			} else {
-				a = loadAppInfo(pathSet.metaPath, cleanup)
+				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
 				if a.ID != bundle.ID {
 					cleanup()
 					log.Printf("app %q claims to have identifier %q",
@ -208,7 +208,7 @@ func main() {
 			*/

 			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
+			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 				cleanup()
 				log.Printf("cannot create metadata file: %v", err)
 				return err
@ -221,7 +221,7 @@ func main() {
 				// not fatal
 			}

-			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
+			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
 				cleanup()
 				log.Printf("cannot rename metadata file: %v", err)
 				return err
@ -250,7 +250,7 @@ func main() {

 			id := args[0]
 			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath, func() {})
+			a := loadAppInfo(pathSet.metaPath.String(), func() {})
 			if a.ID != id {
 				log.Printf("app %q claims to have identifier %q", id, a.ID)
 				return syscall.EBADE
@ -274,13 +274,13 @@ func main() {
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
 				}, true, func(config *hst.Config) *hst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
-						{Src: "/etc/resolv.conf"},
-						{Src: "/sys/block"},
-						{Src: "/sys/bus"},
-						{Src: "/sys/class"},
-						{Src: "/sys/dev"},
-						{Src: "/sys/devices"},
+					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
+						{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}},
+						{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}},
 					}...)
 					appendGPUFilesystem(config)
 					return config
@ -291,15 +291,16 @@ func main() {
 				Create app configuration.
 			*/

+			pathname := a.Launcher
 			argv := make([]string, 1, len(args))
-			if !flagDropShell {
-				argv[0] = a.Launcher
+			if flagDropShell {
+				pathname = pathShell
+				argv[0] = bash
 			} else {
-				argv[0] = shellPath
+				argv[0] = a.Launcher.String()
 			}
 			argv = append(argv, args[1:]...)
-
-			config := a.toFst(pathSet, argv, flagDropShell)
+			config := a.toHst(pathSet, pathname, argv, flagDropShell)

 			/*
 				Expose GPU devices.
@ -307,7 +308,7 @@ func main() {

 			if a.GPU {
 				config.Container.Filesystem = append(config.Container.Filesystem,
-					&hst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(hst.Tmp, "nixGL")})
+					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append(".nixGL"), Dst: hst.AbsTmp.Append("nixGL")}})
 				appendGPUFilesystem(config)
 			}

--- a/cmd/hpkg/paths.go
+++ b/cmd/hpkg/paths.go
@ -4,27 +4,42 @@ import (
 	"log"
 	"os"
 	"os/exec"
-	"path"
 	"strconv"
 	"sync/atomic"

+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 )

+const bash = "bash"
+
 var (
-	dataHome string
+	dataHome *container.Absolute
 )

 func init() {
 	// dataHome
-	if p, ok := os.LookupEnv("HAKUREI_DATA_HOME"); ok {
-		dataHome = p
+	if a, err := container.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
+		dataHome = a
 	} else {
-		dataHome = "/var/lib/hakurei/" + strconv.Itoa(os.Getuid())
+		dataHome = container.AbsFHSVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
 	}
 }

+var (
+	pathBin = container.AbsFHSRoot.Append("bin")
+
+	pathNix           = container.MustAbs("/nix/")
+	pathNixStore      = pathNix.Append("store/")
+	pathCurrentSystem = container.AbsFHSRun.Append("current-system")
+	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
+	pathShell         = pathSwBin.Append(bash)
+
+	pathData     = container.MustAbs("/data")
+	pathDataData = pathData.Append("data")
+)
+
 func lookPath(file string) string {
 	if p, err := exec.LookPath(file); err != nil {
 		log.Fatalf("%s: command not found", file)
@ -50,52 +65,52 @@ func mustRun(name string, arg ...string) {

 type appPathSet struct {
 	// ${dataHome}/${id}
-	baseDir string
+	baseDir *container.Absolute
 	// ${baseDir}/app
-	metaPath string
+	metaPath *container.Absolute
 	// ${baseDir}/files
-	homeDir string
+	homeDir *container.Absolute
 	// ${baseDir}/cache
-	cacheDir string
+	cacheDir *container.Absolute
 	// ${baseDir}/cache/nix
-	nixPath string
+	nixPath *container.Absolute
 }

 func pathSetByApp(id string) *appPathSet {
 	pathSet := new(appPathSet)
-	pathSet.baseDir = path.Join(dataHome, id)
-	pathSet.metaPath = path.Join(pathSet.baseDir, "app")
-	pathSet.homeDir = path.Join(pathSet.baseDir, "files")
-	pathSet.cacheDir = path.Join(pathSet.baseDir, "cache")
-	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
+	pathSet.baseDir = dataHome.Append(id)
+	pathSet.metaPath = pathSet.baseDir.Append("app")
+	pathSet.homeDir = pathSet.baseDir.Append("files")
+	pathSet.cacheDir = pathSet.baseDir.Append("cache")
+	pathSet.nixPath = pathSet.cacheDir.Append("nix")
 	return pathSet
 }

 func appendGPUFilesystem(config *hst.Config) {
-	config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
+	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
-		{Src: "/dev/dri", Device: true},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
 		// mali
-		{Src: "/dev/mali", Device: true},
-		{Src: "/dev/mali0", Device: true},
-		{Src: "/dev/umplock", Device: true},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali0"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("umplock"), Device: true, Optional: true}},
 		// nvidia
-		{Src: "/dev/nvidiactl", Device: true},
-		{Src: "/dev/nvidia-modeset", Device: true},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidiactl"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-modeset"), Device: true, Optional: true}},
 		// nvidia OpenCL/CUDA
-		{Src: "/dev/nvidia-uvm", Device: true},
-		{Src: "/dev/nvidia-uvm-tools", Device: true},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},

 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
-		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
-		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
-		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
-		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
-		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
-		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
-		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
-		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
-		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
-		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia1"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia3"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia5"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia7"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia9"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia11"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia13"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia15"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia17"), Device: true, Optional: true}},
+		{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia19"), Device: true, Optional: true}},
 	}...)
 }
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@ -2,9 +2,9 @@ package main

 import (
 	"context"
-	"path"
 	"strings"

+	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
@ -18,8 +18,8 @@ func withNixDaemon(
 	mustRunAppDropShell(ctx, updateConfig(&hst.Config{
 		ID: app.ID,

-		Path: shellPath,
-		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+		Path: pathShell,
+		Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 			// start nix-daemon
 			"nix-daemon --store / & " +
 			// wait for socket to appear
@ -32,9 +32,9 @@ func withNixDaemon(
 		},

 		Username: "hakurei",
-		Shell:    shellPath,
+		Shell:    pathShell,
 		Data:     pathSet.homeDir,
-		Dir:      path.Join("/data/data", app.ID),
+		Dir:      pathDataData.Append(app.ID),
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
@ -48,15 +48,15 @@ func withNixDaemon(
 			Net:          net,
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath, Dst: pathNix, Write: true}},
 			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
+			Link: []hst.LinkConfig{
+				{pathCurrentSystem, app.CurrentSystem.String()},
+				{pathBin, pathSwBin.String()},
+				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			Etc:     pathSet.cacheDir.Append("etc"),
 			AutoEtc: true,
 		},
 	}), dropShell, beforeFail)
@ -64,18 +64,18 @@ func withNixDaemon(

 func withCacheDir(
 	ctx context.Context,
-	action string, command []string, workDir string,
+	action string, command []string, workDir *container.Absolute,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
 	mustRunAppDropShell(ctx, &hst.Config{
 		ID: app.ID,

-		Path: shellPath,
-		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
+		Path: pathShell,
+		Args: []string{bash, "-lc", strings.Join(command, " && ")},

 		Username: "nixos",
-		Shell:    shellPath,
+		Shell:    pathShell,
 		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
-		Dir:      path.Join("/data/data", app.ID, "cache"),
+		Dir:      pathDataData.Append(app.ID, "cache"),
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
@ -88,16 +88,16 @@ func withCacheDir(
 			Hostname:     formatHostname(app.Name) + "-" + action,
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},
+			Filesystem: []hst.FilesystemConfigJSON{
+				{FilesystemConfig: &hst.FSBind{Src: workDir.Append("nix"), Dst: pathNix}},
+				{FilesystemConfig: &hst.FSBind{Src: workDir, Dst: hst.AbsTmp.Append("bundle")}},
 			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
+			Link: []hst.LinkConfig{
+				{pathCurrentSystem, app.CurrentSystem.String()},
+				{pathBin, pathSwBin.String()},
+				{container.AbsFHSUsrBin, pathSwBin.String()},
 			},
-			Etc:     path.Join(workDir, "etc"),
+			Etc:     workDir.Append(container.FHSEtc),
 			AutoEtc: true,
 		},
 	}, dropShell, beforeFail)
@ -105,7 +105,7 @@ func withCacheDir(

 func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
-		config.Args = []string{shellPath, "-l"}
+		config.Args = []string{bash, "-l"}
 		mustRunApp(ctx, config, beforeFail)
 		beforeFail()
 		internal.Exit(0)
--- a/container/absolute.go
+++ b/container/absolute.go
@ -0,0 +1,98 @@
+package container
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"path"
+	"slices"
+	"strings"
+	"syscall"
+)
+
+// AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
+type AbsoluteError struct {
+	Pathname string
+}
+
+func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
+func (e *AbsoluteError) Is(target error) bool {
+	var ce *AbsoluteError
+	if !errors.As(target, &ce) {
+		return errors.Is(target, syscall.EINVAL)
+	}
+	return *e == *ce
+}
+
+// Absolute holds a pathname checked to be absolute.
+type Absolute struct {
+	pathname string
+}
+
+// isAbs wraps [path.IsAbs] in case additional checks are added in the future.
+func isAbs(pathname string) bool { return path.IsAbs(pathname) }
+
+func (a *Absolute) String() string {
+	if a.pathname == zeroString {
+		panic("attempted use of zero Absolute")
+	}
+	return a.pathname
+}
+
+// NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
+func NewAbs(pathname string) (*Absolute, error) {
+	if !isAbs(pathname) {
+		return nil, &AbsoluteError{pathname}
+	}
+	return &Absolute{pathname}, nil
+}
+
+// MustAbs calls [NewAbs] and panics on error.
+func MustAbs(pathname string) *Absolute {
+	if a, err := NewAbs(pathname); err != nil {
+		panic(err.Error())
+	} else {
+		return a
+	}
+}
+
+// Append calls [path.Join] with [Absolute] as the first element.
+func (a *Absolute) Append(elem ...string) *Absolute {
+	return &Absolute{path.Join(append([]string{a.String()}, elem...)...)}
+}
+
+// Dir calls [path.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return &Absolute{path.Dir(a.String())} }
+
+func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+func (a *Absolute) GobDecode(data []byte) error {
+	pathname := string(data)
+	if !isAbs(pathname) {
+		return &AbsoluteError{pathname}
+	}
+	a.pathname = pathname
+	return nil
+}
+
+func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+func (a *Absolute) UnmarshalJSON(data []byte) error {
+	var pathname string
+	if err := json.Unmarshal(data, &pathname); err != nil {
+		return err
+	}
+	if !isAbs(pathname) {
+		return &AbsoluteError{pathname}
+	}
+	a.pathname = pathname
+	return nil
+}
+
+// SortAbs calls [slices.SortFunc] for a slice of [Absolute].
+func SortAbs(x []*Absolute) {
+	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+}
+
+// CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
+func CompactAbs(s []*Absolute) []*Absolute {
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+}
--- a/container/absolute_test.go
+++ b/container/absolute_test.go
@ -0,0 +1,325 @@
+package container
+
+import (
+	"bytes"
+	"encoding/gob"
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+)
+
+func TestAbsoluteError(t *testing.T) {
+	testCases := []struct {
+		name string
+
+		err error
+		cmp error
+		ok  bool
+	}{
+		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
+		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
+		{"ne val", new(AbsoluteError), &AbsoluteError{"etc"}, false},
+		{"equals", &AbsoluteError{"etc"}, &AbsoluteError{"etc"}, true},
+	}
+
+	for _, tc := range testCases {
+		if got := errors.Is(tc.err, tc.cmp); got != tc.ok {
+			t.Errorf("Is: %v, want %v", got, tc.ok)
+		}
+	}
+
+	t.Run("string", func(t *testing.T) {
+		want := `path "etc" is not absolute`
+		if got := (&AbsoluteError{"etc"}).Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+}
+
+func TestNewAbs(t *testing.T) {
+	testCases := []struct {
+		name string
+
+		pathname string
+		want     *Absolute
+		wantErr  error
+	}{
+		{"good", "/etc", MustAbs("/etc"), nil},
+		{"not absolute", "etc", nil, &AbsoluteError{"etc"}},
+		{"zero", "", nil, &AbsoluteError{""}},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := NewAbs(tc.pathname)
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("NewAbs: %#v, want %#v", got, tc.want)
+			}
+			if !errors.Is(err, tc.wantErr) {
+				t.Errorf("NewAbs: error = %v, want %v", err, tc.wantErr)
+			}
+		})
+	}
+
+	t.Run("must", func(t *testing.T) {
+		defer func() {
+			wantPanic := `path "etc" is not absolute`
+
+			if r := recover(); r != wantPanic {
+				t.Errorf("MustAbsolute: panic = %v; want %v", r, wantPanic)
+			}
+		}()
+
+		MustAbs("etc")
+	})
+}
+
+func TestAbsoluteString(t *testing.T) {
+	t.Run("passthrough", func(t *testing.T) {
+		pathname := "/etc"
+		if got := (&Absolute{pathname}).String(); got != pathname {
+			t.Errorf("String: %q, want %q", got, pathname)
+		}
+	})
+
+	t.Run("zero", func(t *testing.T) {
+		defer func() {
+			wantPanic := "attempted use of zero Absolute"
+
+			if r := recover(); r != wantPanic {
+				t.Errorf("String: panic = %v, want %v", r, wantPanic)
+			}
+		}()
+
+		panic(new(Absolute).String())
+	})
+}
+
+type sCheck struct {
+	Pathname *Absolute `json:"val"`
+	Magic    int       `json:"magic"`
+}
+
+func TestCodecAbsolute(t *testing.T) {
+	testCases := []struct {
+		name string
+		a    *Absolute
+
+		wantErr error
+
+		gob, sGob   string
+		json, sJson string
+	}{
+		{"nil", nil, nil,
+			"\x00", "\x00",
+			`null`, `{"val":null,"magic":3236757504}`},
+
+		{"good", MustAbs("/etc"),
+			nil,
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x10\xff\x84\x01\x04/etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+
+			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
+		{"not absolute", nil,
+			&AbsoluteError{"etc"},
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+
+			`"etc"`, `{"val":"etc","magic":3236757504}`},
+		{"zero", nil,
+			new(AbsoluteError),
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x04\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			`""`, `{"val":"","magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("gob", func(t *testing.T) {
+				if tc.gob == "\x00" && tc.sGob == "\x00" {
+					// these values mark the current test to skip gob
+					return
+				}
+
+				t.Run("encode", func(t *testing.T) {
+					// encode is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSEncode
+						}
+						if buf.String() != tc.gob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.gob)
+						}
+					}
+
+				checkSEncode:
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if buf.String() != tc.sGob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.sGob)
+						}
+					}
+				})
+
+				t.Run("decode", func(t *testing.T) {
+					{
+						var gotA *Absolute
+						err := gob.NewDecoder(strings.NewReader(tc.gob)).Decode(&gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSDecode
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Decode: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSDecode:
+					{
+						var gotSCheck sCheck
+						err := gob.NewDecoder(strings.NewReader(tc.sGob)).Decode(&gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Decode: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+
+			})
+
+			t.Run("json", func(t *testing.T) {
+				t.Run("marshal", func(t *testing.T) {
+					// marshal is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						d, err := json.Marshal(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSMarshal
+						}
+						if string(d) != tc.json {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.json)
+						}
+					}
+
+				checkSMarshal:
+					{
+						d, err := json.Marshal(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if string(d) != tc.sJson {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sJson)
+						}
+					}
+				})
+
+				t.Run("unmarshal", func(t *testing.T) {
+					{
+						var gotA *Absolute
+						err := json.Unmarshal([]byte(tc.json), &gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSUnmarshal
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Unmarshal: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSUnmarshal:
+					{
+						var gotSCheck sCheck
+						err := json.Unmarshal([]byte(tc.sJson), &gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Unmarshal: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+			})
+		})
+	}
+
+	t.Run("json passthrough", func(t *testing.T) {
+		wantErr := "invalid character ':' looking for beginning of value"
+		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
+			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
+		}
+	})
+}
+
+func TestAbsoluteWrap(t *testing.T) {
+	t.Run("join", func(t *testing.T) {
+		want := "/etc/nix/nix.conf"
+		if got := MustAbs("/etc").Append("nix", "nix.conf"); got.String() != want {
+			t.Errorf("Append: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("dir", func(t *testing.T) {
+		want := "/"
+		if got := MustAbs("/etc").Dir(); got.String() != want {
+			t.Errorf("Dir: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		got := []*Absolute{MustAbs("/proc"), MustAbs("/sys"), MustAbs("/etc")}
+		SortAbs(got)
+		if !reflect.DeepEqual(got, want) {
+			t.Errorf("SortAbs: %#v, want %#v", got, want)
+		}
+	})
+
+	t.Run("compact", func(t *testing.T) {
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		if got := CompactAbs([]*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/proc"), MustAbs("/sys")}); !reflect.DeepEqual(got, want) {
+			t.Errorf("CompactAbs: %#v, want %#v", got, want)
+		}
+	})
+}
--- a/container/autoetc.go
+++ b/container/autoetc.go
@ -10,9 +10,9 @@ func init() { gob.Register(new(AutoEtcOp)) }

 // Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
-func (f *Ops) Etc(host, prefix string) *Ops {
+func (f *Ops) Etc(host *Absolute, prefix string) *Ops {
 	e := &AutoEtcOp{prefix}
-	f.Mkdir("/etc", 0755)
+	f.Mkdir(AbsFHSEtc, 0755)
 	f.Bind(host, e.hostPath(), 0)
 	*f = append(*f, e)
 	return f
@ -22,13 +22,13 @@ type AutoEtcOp struct{ Prefix string }

 func (e *AutoEtcOp) early(*Params) error { return nil }
 func (e *AutoEtcOp) apply(*Params) error {
-	const target = sysrootPath + "/etc/"
+	const target = sysrootPath + FHSEtc
 	rel := e.hostRel() + "/"

 	if err := os.MkdirAll(target, 0755); err != nil {
 		return wrapErrSelf(err)
 	}
-	if d, err := os.ReadDir(toSysroot(e.hostPath())); err != nil {
+	if d, err := os.ReadDir(toSysroot(e.hostPath().String())); err != nil {
 		return wrapErrSelf(err)
 	} else {
 		for _, ent := range d {
@ -40,7 +40,7 @@ func (e *AutoEtcOp) apply(*Params) error {
 			case "group":

 			case "mtab":
-				if err = os.Symlink("/proc/mounts", target+n); err != nil {
+				if err = os.Symlink(FHSProc+"mounts", target+n); err != nil {
 					return wrapErrSelf(err)
 				}

@ -54,8 +54,10 @@ func (e *AutoEtcOp) apply(*Params) error {

 	return nil
 }
-func (e *AutoEtcOp) hostPath() string { return "/etc/" + e.hostRel() }
-func (e *AutoEtcOp) hostRel() string  { return ".host/" + e.Prefix }
+
+// bypasses abs check, use with caution!
+func (e *AutoEtcOp) hostPath() *Absolute { return &Absolute{FHSEtc + e.hostRel()} }
+func (e *AutoEtcOp) hostRel() string     { return ".host/" + e.Prefix }

 func (e *AutoEtcOp) Is(op Op) bool {
 	ve, ok := op.(*AutoEtcOp)
--- a/container/autoroot.go
+++ b/container/autoroot.go
@ -4,21 +4,21 @@ import (
 	"encoding/gob"
 	"fmt"
 	"os"
-	"path"
-	. "syscall"
+	"syscall"
 )

 func init() { gob.Register(new(AutoRootOp)) }

 // Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
-func (f *Ops) Root(host, prefix string, flags int) *Ops {
+func (f *Ops) Root(host *Absolute, prefix string, flags int) *Ops {
 	*f = append(*f, &AutoRootOp{host, prefix, flags, nil})
 	return f
 }

 type AutoRootOp struct {
-	Host, Prefix string
+	Host   *Absolute
+	Prefix string
 	// passed through to bindMount
 	Flags int

@ -29,11 +29,11 @@ type AutoRootOp struct {
 }

 func (r *AutoRootOp) early(params *Params) error {
-	if !path.IsAbs(r.Host) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", r.Host))
+	if r.Host == nil {
+		return syscall.EBADE
 	}

-	if d, err := os.ReadDir(r.Host); err != nil {
+	if d, err := os.ReadDir(r.Host.String()); err != nil {
 		return wrapErrSelf(err)
 	} else {
 		r.resolved = make([]Op, 0, len(d))
@ -41,8 +41,8 @@ func (r *AutoRootOp) early(params *Params) error {
 			name := ent.Name()
 			if IsAutoRootBindable(name) {
 				op := &BindMountOp{
-					Source: path.Join(r.Host, name),
-					Target: "/" + name,
+					Source: r.Host.Append(name),
+					Target: AbsFHSRoot.Append(name),
 					Flags:  r.Flags,
 				}
 				if err = op.early(params); err != nil {
--- a/container/capability.go
+++ b/container/capability.go
@ -12,8 +12,9 @@ const (
 	PR_CAP_AMBIENT_RAISE     = 0x2
 	PR_CAP_AMBIENT_CLEAR_ALL = 0x4

-	CAP_SYS_ADMIN = 0x15
-	CAP_SETPCAP   = 0x8
+	CAP_SYS_ADMIN    = 0x15
+	CAP_SETPCAP      = 0x8
+	CAP_DAC_OVERRIDE = 0x1
 )

 type (
--- a/container/container.go
+++ b/container/container.go
@ -9,7 +9,6 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"path"
 	"strconv"
 	. "syscall"
 	"time"
@ -18,10 +17,6 @@ import (
 )

 const (
-	// Nonexistent is a path that cannot exist.
-	// /proc is chosen because a system with covered /proc is unsupported by this package.
-	Nonexistent = "/proc/nonexistent"
-
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGTERM
@ -31,8 +26,6 @@ type (
 	// Container represents a container environment being prepared or run.
 	// None of [Container] methods are safe for concurrent use.
 	Container struct {
-		// Name of initial process in the container.
-		name string
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container,
@ -59,11 +52,11 @@ type (
 	// Params holds container configuration and is safe to serialise.
 	Params struct {
 		// Working directory in the container.
-		Dir string
+		Dir *Absolute
 		// Initial process environment.
 		Env []string
-		// Absolute path of initial process in the container. Overrides name.
-		Path string
+		// Pathname of initial process in the container.
+		Path *Absolute
 		// Initial process argv.
 		Args []string
 		// Deliver SIGINT to the initial process on context cancellation.
@ -113,11 +106,6 @@ func (p *Container) Start() error {
 	ctx, cancel := context.WithCancel(p.ctx)
 	p.cancel = cancel

-	var cloneFlags uintptr = CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP
-	if !p.HostNet {
-		cloneFlags |= CLONE_NEWNET
-	}
-
 	// map to overflow id to work around ownership checks
 	if p.Uid < 1 {
 		p.Uid = OverflowUid()
@ -147,20 +135,30 @@ func (p *Container) Start() error {
 	} else {
 		p.cmd.Cancel = func() error { return p.cmd.Process.Signal(CancelSignal) }
 	}
-	p.cmd.Dir = "/"
+	p.cmd.Dir = FHSRoot
 	p.cmd.SysProcAttr = &SysProcAttr{
-		Setsid:     !p.RetainSession,
-		Pdeathsig:  SIGKILL,
-		Cloneflags: cloneFlags | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS,
+		Setsid:    !p.RetainSession,
+		Pdeathsig: SIGKILL,
+		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
+			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,

-		// remain privileged for setup
-		AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
+		AmbientCaps: []uintptr{
+			// general container setup
+			CAP_SYS_ADMIN,
+			// drop capabilities
+			CAP_SETPCAP,
+			// overlay access to upperdir and workdir
+			CAP_DAC_OVERRIDE,
+		},

 		UseCgroupFD: p.Cgroup != nil,
 	}
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}
+	if !p.HostNet {
+		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
+	}

 	// place setup pipe before user supplied extra files, this is later restored by init
 	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
@ -189,33 +187,16 @@ func (p *Container) Serve() error {
 	setup := p.setup
 	p.setup = nil

-	if p.Path != "" && !path.IsAbs(p.Path) {
+	if p.Path == nil {
 		p.cancel()
-		return msg.WrapErr(EINVAL,
-			fmt.Sprintf("invalid executable path %q", p.Path))
+		return msg.WrapErr(EINVAL, "invalid executable pathname")
 	}

-	if p.Path == "" {
-		if p.name == "" {
-			p.Path = os.Getenv("SHELL")
-			if !path.IsAbs(p.Path) {
-				p.cancel()
-				return msg.WrapErr(EBADE,
-					"no command specified and $SHELL is invalid")
-			}
-			p.name = path.Base(p.Path)
-		} else if path.IsAbs(p.name) {
-			p.Path = p.name
-		} else if v, err := exec.LookPath(p.name); err != nil {
-			p.cancel()
-			return msg.WrapErr(err, err.Error())
-		} else {
-			p.Path = v
-		}
+	// do not transmit nil
+	if p.Dir == nil {
+		p.Dir = AbsFHSRoot
 	}
-
 	if p.SeccompRules == nil {
-		// do not transmit nil
 		p.SeccompRules = make([]seccomp.NativeRule, 0)
 	}

@ -250,8 +231,15 @@ func (p *Container) ProcessState() *os.ProcessState {
 	return p.cmd.ProcessState
 }

-func New(ctx context.Context, name string, args ...string) *Container {
-	return &Container{name: name, ctx: ctx,
-		Params: Params{Args: append([]string{name}, args...), Dir: "/", Ops: new(Ops)},
-	}
+// New returns the address to a new instance of [Container] that requires further initialisation before use.
+func New(ctx context.Context) *Container {
+	return &Container{ctx: ctx, Params: Params{Ops: new(Ops)}}
+}
+
+// NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
+func NewCommand(ctx context.Context, pathname *Absolute, name string, args ...string) *Container {
+	z := New(ctx)
+	z.Path = pathname
+	z.Args = append([]string{name}, args...)
+	return z
 }
--- a/container/container_test.go
+++ b/container/container_test.go
@ -20,7 +20,6 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/vfs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 )

@ -33,15 +32,28 @@ const (
 	pathReadonly = pathPrefix + "readonly"
 )

+type testVal any
+
+func emptyOps(t *testing.T) (*container.Ops, context.Context) { return new(container.Ops), t.Context() }
+func earlyOps(ops *container.Ops) func(t *testing.T) (*container.Ops, context.Context) {
+	return func(t *testing.T) (*container.Ops, context.Context) { return ops, t.Context() }
+}
+
+func emptyMnt(*testing.T, context.Context) []*vfs.MountInfoEntry { return nil }
+func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*vfs.MountInfoEntry {
+	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
+}
+
 var containerTestCases = []struct {
 	name    string
 	filter  bool
 	session bool
 	net     bool
 	ro      bool
-	ops     *container.Ops

-	mnt []*vfs.MountInfoEntry
+	ops func(t *testing.T) (*container.Ops, context.Context)
+	mnt func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry
+
 	uid int
 	gid int

@ -50,30 +62,33 @@ var containerTestCases = []struct {
 	presets seccomp.FilterPreset
 }{
 	{"minimal", true, false, false, true,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1000, 100, nil, 0, seccomp.PresetStrict},
 	{"allow", true, true, true, false,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1000, 100, nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel},
 	{"no filter", false, true, true, true,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1000, 100, nil, 0, seccomp.PresetExt},
 	{"custom rules", true, true, true, false,
-		new(container.Ops), nil,
+		emptyOps, emptyMnt,
 		1, 31, []seccomp.NativeRule{{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil}}, 0, seccomp.PresetExt},
+
 	{"tmpfs", true, false, false, true,
-		new(container.Ops).
-			Tmpfs(hst.Tmp, 0, 0755),
-		[]*vfs.MountInfoEntry{
+		earlyOps(new(container.Ops).
+			Tmpfs(hst.AbsTmp, 0, 0755),
+		),
+		earlyMnt(
 			ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
-		},
+		),
 		9, 9, nil, 0, seccomp.PresetStrict},
+
 	{"dev", true, true /* go test output is not a tty */, false, false,
-		new(container.Ops).
-			Dev("/dev").
-			Mqueue("/dev/mqueue"),
-		[]*vfs.MountInfoEntry{
-			ent("/", "/dev", "rw,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+		earlyOps(new(container.Ops).
+			Dev(container.MustAbs("/dev"), true),
+		),
+		earlyMnt(
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
@ -82,15 +97,121 @@ var containerTestCases = []struct {
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
-		},
+		),
 		1971, 100, nil, 0, seccomp.PresetStrict},
+
+	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
+		earlyOps(new(container.Ops).
+			Dev(container.MustAbs("/dev"), false),
+		),
+		earlyMnt(
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
+		),
+		1971, 100, nil, 0, seccomp.PresetStrict},
+
+	{"overlay", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := container.MustAbs(t.TempDir())
+			lower0, lower1, upper, work :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1"),
+				tempDir.Append("upper"),
+				tempDir.Append("work")
+			for _, a := range []*container.Absolute{lower0, lower1, upper, work} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+
+			return new(container.Ops).
+					Overlay(hst.AbsTmp, upper, work, lower0, lower1),
+				context.WithValue(context.WithValue(context.WithValue(context.WithValue(t.Context(),
+					testVal("lower1"), lower1),
+					testVal("lower0"), lower0),
+					testVal("work"), work),
+					testVal("upper"), upper)
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				ent("/", hst.Tmp, "rw", "overlay", "overlay",
+					"rw,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*container.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*container.Absolute).String())+
+						",upperdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*container.Absolute).String())+
+						",workdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*container.Absolute).String())+
+						",redirect_dir=nofollow,uuid=on,userxattr"),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, seccomp.PresetStrict},
+
+	{"overlay ephemeral", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := container.MustAbs(t.TempDir())
+			lower0, lower1 :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1")
+			for _, a := range []*container.Absolute{lower0, lower1} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+
+			return new(container.Ops).
+					OverlayEphemeral(hst.AbsTmp, lower0, lower1),
+				t.Context()
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				// contains random suffix
+				ent("/", hst.Tmp, "rw", "overlay", "overlay", ignore),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, seccomp.PresetStrict},
+
+	{"overlay readonly", true, false, false, true,
+		func(t *testing.T) (*container.Ops, context.Context) {
+			tempDir := container.MustAbs(t.TempDir())
+			lower0, lower1 :=
+				tempDir.Append("lower0"),
+				tempDir.Append("lower1")
+			for _, a := range []*container.Absolute{lower0, lower1} {
+				if err := os.Mkdir(a.String(), 0755); err != nil {
+					t.Fatalf("Mkdir: error = %v", err)
+				}
+			}
+			return new(container.Ops).
+					OverlayReadonly(hst.AbsTmp, lower0, lower1),
+				context.WithValue(context.WithValue(t.Context(),
+					testVal("lower1"), lower1),
+					testVal("lower0"), lower0)
+		},
+		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
+			return []*vfs.MountInfoEntry{
+				ent("/", hst.Tmp, "rw", "overlay", "overlay",
+					"ro,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*container.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*container.Absolute).String())+
+						",redirect_dir=nofollow,userxattr"),
+			}
+		},
+		1 << 3, 1 << 14, nil, 0, seccomp.PresetStrict},
 }

 func TestContainer(t *testing.T) {
 	{
 		oldVerbose := hlog.Load()
 		oldOutput := container.GetOutput()
-		internal.InstallOutput(true)
+		hlog.Store(testing.Verbose())
+		container.SetOutput(hlog.Output{})
 		t.Cleanup(func() { hlog.Store(oldVerbose) })
 		t.Cleanup(func() { container.SetOutput(oldOutput) })
 	}
@ -124,17 +245,25 @@ func TestContainer(t *testing.T) {

 	for i, tc := range containerTestCases {
 		t.Run(tc.name, func(t *testing.T) {
+			wantOps, wantOpsCtx := tc.ops(t)
+			wantMnt := tc.mnt(t, wantOpsCtx)
+
 			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
 			defer cancel()

-			var libPaths []string
+			var libPaths []*container.Absolute
 			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
 			c.Uid = tc.uid
 			c.Gid = tc.gid
 			c.Hostname = hostnameFromTestCase(tc.name)
-			c.Stdout, c.Stderr = os.Stdout, os.Stderr
+			output := new(bytes.Buffer)
+			if !testing.Verbose() {
+				c.Stdout, c.Stderr = output, output
+			} else {
+				c.Stdout, c.Stderr = os.Stdout, os.Stderr
+			}
 			c.WaitDelay = helperDefaultTimeout
-			*c.Ops = append(*c.Ops, *tc.ops...)
+			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
 			c.SeccompPresets = tc.presets
@ -143,11 +272,11 @@ func TestContainer(t *testing.T) {
 			c.HostNet = tc.net

 			c.
-				Readonly(pathReadonly, 0755).
-				Tmpfs("/tmp", 0, 0755).
-				Place("/etc/hostname", []byte(c.Hostname))
+				Readonly(container.MustAbs(pathReadonly), 0755).
+				Tmpfs(container.MustAbs("/tmp"), 0, 0755).
+				Place(container.MustAbs("/etc/hostname"), []byte(c.Hostname))
 			// needs /proc to check mountinfo
-			c.Proc("/proc")
+			c.Proc(container.MustAbs("/proc"))

 			// mountinfo cannot be resolved directly by helper due to libPaths nondeterminism
 			mnt := make([]*vfs.MountInfoEntry, 0, 3+len(libPaths))
@ -156,11 +285,11 @@ func TestContainer(t *testing.T) {
 				// Bind(os.Args[0], helperInnerPath, 0)
 				ent(ignore, helperInnerPath, "ro,nosuid,nodev,relatime", ignore, ignore, ignore),
 			)
-			for _, name := range libPaths {
+			for _, a := range libPaths {
 				// Bind(name, name, 0)
-				mnt = append(mnt, ent(ignore, name, "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
+				mnt = append(mnt, ent(ignore, a.String(), "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
 			}
-			mnt = append(mnt, tc.mnt...)
+			mnt = append(mnt, wantMnt...)
 			mnt = append(mnt,
 				// Readonly(pathReadonly, 0755)
 				ent("/", pathReadonly, "ro,nosuid,nodev", "tmpfs", "readonly", ignore),
@ -175,22 +304,26 @@ func TestContainer(t *testing.T) {
 			)
 			want := new(bytes.Buffer)
 			if err := gob.NewEncoder(want).Encode(mnt); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
 				t.Fatalf("cannot serialise expected mount points: %v", err)
 			}
-			c.Place(pathWantMnt, want.Bytes())
+			c.Place(container.MustAbs(pathWantMnt), want.Bytes())

 			if tc.ro {
-				c.Remount("/", syscall.MS_RDONLY)
+				c.Remount(container.MustAbs("/"), syscall.MS_RDONLY)
 			}

 			if err := c.Start(); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
 				hlog.PrintBaseError(err, "start:")
 				t.Fatalf("cannot start container: %v", err)
 			} else if err = c.Serve(); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
 				hlog.PrintBaseError(err, "serve:")
 				t.Errorf("cannot serve setup params: %v", err)
 			}
 			if err := c.Wait(); err != nil {
+				_, _ = output.WriteTo(os.Stdout)
 				hlog.PrintBaseError(err, "wait:")
 				t.Fatalf("wait: %v", err)
 			}
@ -258,7 +391,7 @@ func testContainerCancel(
 }

 func TestContainerString(t *testing.T) {
-	c := container.New(t.Context(), "ldd", "/usr/bin/env")
+	c := container.NewCommand(t.Context(), container.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
 	c.SeccompFlags |= seccomp.AllowMultiarch
 	c.SeccompRules = seccomp.Preset(
 		seccomp.PresetExt|seccomp.PresetDenyNS|seccomp.PresetDenyTTY,
--- a/container/init.go
+++ b/container/init.go
@ -31,7 +31,7 @@ const (

 	it should be noted that none of this should become relevant at any point since the resulting
 	intermediate root tmpfs should be effectively anonymous */
-	intermediateHostPath = "/proc/self/fd"
+	intermediateHostPath = FHSProc + "self/fd"

 	// setup params file descriptor
 	setupEnv = "HAKUREI_SETUP"
@ -62,7 +62,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		offsetSetup int
 	)
 	if f, err := Receive(setupEnv, &params, &setupFile); err != nil {
-		if errors.Is(err, ErrInvalid) {
+		if errors.Is(err, EBADF) {
 			log.Fatal("invalid setup descriptor")
 		}
 		if errors.Is(err, ErrNotSet) {
@ -88,17 +88,17 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := SetDumpable(SUID_DUMP_USER); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_USER: %s", err)
 	}
-	if err := os.WriteFile("/proc/self/uid_map",
+	if err := os.WriteFile(FHSProc+"self/uid_map",
 		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
 		0); err != nil {
 		log.Fatalf("%v", err)
 	}
-	if err := os.WriteFile("/proc/self/setgroups",
+	if err := os.WriteFile(FHSProc+"self/setgroups",
 		[]byte("deny\n"),
 		0); err != nil && !os.IsNotExist(err) {
 		log.Fatalf("%v", err)
 	}
-	if err := os.WriteFile("/proc/self/gid_map",
+	if err := os.WriteFile(FHSProc+"self/gid_map",
 		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
 		0); err != nil {
 		log.Fatalf("%v", err)
@ -117,7 +117,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	// cache sysctl before pivot_root
 	LastCap()

-	if err := Mount("", "/", "", MS_SILENT|MS_SLAVE|MS_REC, ""); err != nil {
+	if err := Mount(zeroString, FHSRoot, zeroString, MS_SILENT|MS_SLAVE|MS_REC, zeroString); err != nil {
 		log.Fatalf("cannot make / rslave: %v", err)
 	}

@ -138,7 +138,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		}
 	}

-	if err := Mount("rootfs", intermediateHostPath, "tmpfs", MS_NODEV|MS_NOSUID, ""); err != nil {
+	if err := Mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
 		log.Fatalf("cannot mount intermediate root: %v", err)
 	}
 	if err := os.Chdir(intermediateHostPath); err != nil {
@ -148,7 +148,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := os.Mkdir(sysrootDir, 0755); err != nil {
 		log.Fatalf("%v", err)
 	}
-	if err := Mount(sysrootDir, sysrootDir, "", MS_SILENT|MS_MGC_VAL|MS_BIND|MS_REC, ""); err != nil {
+	if err := Mount(sysrootDir, sysrootDir, zeroString, MS_SILENT|MS_BIND|MS_REC, zeroString); err != nil {
 		log.Fatalf("cannot bind sysroot: %v", err)
 	}

@ -159,7 +159,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if err := PivotRoot(intermediateHostPath, hostDir); err != nil {
 		log.Fatalf("cannot pivot into intermediate root: %v", err)
 	}
-	if err := os.Chdir("/"); err != nil {
+	if err := os.Chdir(FHSRoot); err != nil {
 		log.Fatalf("%v", err)
 	}

@ -179,7 +179,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	}

 	// setup requiring host root complete at this point
-	if err := Mount(hostDir, hostDir, "", MS_SILENT|MS_REC|MS_PRIVATE, ""); err != nil {
+	if err := Mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		log.Fatalf("cannot make host root rprivate: %v", err)
 	}
 	if err := Unmount(hostDir, MNT_DETACH); err != nil {
@ -189,7 +189,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	{
 		var fd int
 		if err := IgnoringEINTR(func() (err error) {
-			fd, err = Open("/", O_DIRECTORY|O_RDONLY, 0)
+			fd, err = Open(FHSRoot, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {
 			log.Fatalf("cannot open intermediate root: %v", err)
@ -207,7 +207,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		if err := Unmount(".", MNT_DETACH); err != nil {
 			log.Fatalf("cannot unmount intemediate root: %v", err)
 		}
-		if err := os.Chdir("/"); err != nil {
+		if err := os.Chdir(FHSRoot); err != nil {
 			log.Fatalf("%v", err)
 		}

@ -268,12 +268,12 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	}
 	Umask(oldmask)

-	cmd := exec.Command(params.Path)
+	cmd := exec.Command(params.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
 	cmd.Env = params.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir
+	cmd.Dir = params.Dir.String()

 	msg.Verbosef("starting initial program %s", params.Path)
 	if err := cmd.Start(); err != nil {
--- a/container/init_test.go
+++ b/container/init_test.go
@ -21,6 +21,10 @@ const (
 	helperInnerPath      = "/usr/bin/helper"
 )

+var (
+	absHelperInnerPath = container.MustAbs(helperInnerPath)
+)
+
 var helperCommands []func(c command.Command)

 func TestMain(m *testing.M) {
@ -46,10 +50,10 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }

-func helperNewContainerLibPaths(ctx context.Context, libPaths *[]string, args ...string) (c *container.Container) {
-	c = container.New(ctx, helperInnerPath, args...)
+func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*container.Absolute, args ...string) (c *container.Container) {
+	c = container.NewCommand(ctx, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(os.Args[0], helperInnerPath, 0)
+	c.Bind(container.MustAbs(os.Args[0]), absHelperInnerPath, 0)

 	// in case test has cgo enabled
 	if entries, err := ldd.Exec(ctx, os.Args[0]); err != nil {
@ -65,5 +69,5 @@ func helperNewContainerLibPaths(ctx context.Context, libPaths *[]string, args ..
 }

 func helperNewContainer(ctx context.Context, args ...string) (c *container.Container) {
-	return helperNewContainerLibPaths(ctx, new([]string), args...)
+	return helperNewContainerLibPaths(ctx, new([]*container.Absolute), args...)
 }
--- a/container/mount.go
+++ b/container/mount.go
@ -5,11 +5,95 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	. "syscall"

 	"hakurei.app/container/vfs"
 )

+/*
+Holding CAP_SYS_ADMIN within the user namespace that owns a process's mount namespace
+allows that process to create bind mounts and mount the following types of filesystems:
+- /proc (since Linux 3.8)
+- /sys (since Linux 3.8)
+- devpts (since Linux 3.9)
+- tmpfs(5) (since Linux 3.9)
+- ramfs (since Linux 3.9)
+- mqueue (since Linux 3.9)
+- bpf (since Linux 4.4)
+- overlayfs (since Linux 5.11)
+*/
+
+const (
+	// zeroString is a zero value string, it represents NULL when passed to mount.
+	zeroString = ""
+
+	// SourceNone is used when the source value is ignored,
+	// such as when remounting.
+	SourceNone = "none"
+	// SourceProc is used when mounting proc.
+	// Note that any source value is allowed when fstype is [FstypeProc].
+	SourceProc = "proc"
+	// SourceDevpts is used when mounting devpts.
+	// Note that any source value is allowed when fstype is [FstypeDevpts].
+	SourceDevpts = "devpts"
+	// SourceMqueue is used when mounting mqueue.
+	// Note that any source value is allowed when fstype is [FstypeMqueue].
+	SourceMqueue = "mqueue"
+	// SourceOverlay is used when mounting overlay.
+	// Note that any source value is allowed when fstype is [FstypeOverlay].
+	SourceOverlay = "overlay"
+
+	// SourceTmpfsRootfs is used when mounting the tmpfs instance backing the intermediate root.
+	SourceTmpfsRootfs = "rootfs"
+	// SourceTmpfsDevtmpfs is used when mounting tmpfs representing a subset of host devtmpfs.
+	SourceTmpfsDevtmpfs = "devtmpfs"
+	// SourceTmpfsEphemeral is used when mounting a writable instance of tmpfs.
+	SourceTmpfsEphemeral = "ephemeral"
+	// SourceTmpfsReadonly is used when mounting a readonly instance of tmpfs.
+	SourceTmpfsReadonly = "readonly"
+
+	// FstypeNULL is used when the fstype value is ignored,
+	// such as when bind mounting or remounting.
+	FstypeNULL = zeroString
+	// FstypeProc represents the proc pseudo-filesystem.
+	// A fully visible instance of proc must be available in the mount namespace for proc to be mounted.
+	// This filesystem type is usually mounted on [FHSProc].
+	FstypeProc = "proc"
+	// FstypeDevpts represents the devpts pseudo-filesystem.
+	// This type of filesystem is usually mounted on /dev/pts.
+	FstypeDevpts = "devpts"
+	// FstypeTmpfs represents the tmpfs filesystem.
+	// This filesystem type can be mounted anywhere in the container filesystem.
+	FstypeTmpfs = "tmpfs"
+	// FstypeMqueue represents the mqueue pseudo-filesystem.
+	// This filesystem type is usually mounted on /dev/mqueue.
+	FstypeMqueue = "mqueue"
+	// FstypeOverlay represents the overlay pseudo-filesystem.
+	// This filesystem type can be mounted anywhere in the container filesystem.
+	FstypeOverlay = "overlay"
+
+	// OptionOverlayLowerdir represents the lowerdir option of the overlay pseudo-filesystem.
+	// Any filesystem, does not need to be on a writable filesystem.
+	OptionOverlayLowerdir = "lowerdir"
+	// OptionOverlayUpperdir represents the upperdir option of the overlay pseudo-filesystem.
+	// The upperdir is normally on a writable filesystem.
+	OptionOverlayUpperdir = "upperdir"
+	// OptionOverlayWorkdir represents the workdir option of the overlay pseudo-filesystem.
+	// The workdir needs to be an empty directory on the same filesystem as upperdir.
+	OptionOverlayWorkdir = "workdir"
+	// OptionOverlayUserxattr represents the userxattr option of the overlay pseudo-filesystem.
+	// Use the "user.overlay." xattr namespace instead of "trusted.overlay.".
+	OptionOverlayUserxattr = "userxattr"
+
+	// SpecialOverlayEscape is the escape string for overlay mount options.
+	SpecialOverlayEscape = `\`
+	// SpecialOverlayOption is the separator string between overlay mount options.
+	SpecialOverlayOption = ","
+	// SpecialOverlayPath is the separator string between overlay paths.
+	SpecialOverlayPath = ":"
+)
+
 // bindMount mounts source on target and recursively applies flags if MS_REC is set.
 func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) error {
 	if eq {
@ -18,7 +102,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
 		msg.Verbosef("resolved %q on %q flags %#x", source, target, flags)
 	}

-	if err := Mount(source, target, "", MS_SILENT|MS_BIND|flags&MS_REC, ""); err != nil {
+	if err := Mount(source, target, FstypeNULL, MS_SILENT|MS_BIND|flags&MS_REC, zeroString); err != nil {
 		return wrapErrSuffix(err,
 			fmt.Sprintf("cannot mount %q on %q:", source, target))
 	}
@ -98,14 +182,15 @@ func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {

 	if kf&mf != mf {
 		return wrapErrSuffix(
-			Mount("none", n.Clean, "", MS_SILENT|MS_BIND|MS_REMOUNT|kf|mf, ""),
+			Mount(SourceNone, n.Clean, FstypeNULL, MS_SILENT|MS_BIND|MS_REMOUNT|kf|mf, zeroString),
 			fmt.Sprintf("cannot remount %q:", n.Clean))
 	}
 	return nil
 }

-func mountTmpfs(fsname, name string, flags uintptr, size int, perm os.FileMode) error {
-	target := toSysroot(name)
+// mountTmpfs mounts tmpfs on target;
+// callers who wish to mount to sysroot must pass the return value of toSysroot.
+func mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	if err := os.MkdirAll(target, parentPerm(perm)); err != nil {
 		return wrapErrSelf(err)
 	}
@ -114,8 +199,8 @@ func mountTmpfs(fsname, name string, flags uintptr, size int, perm os.FileMode)
 		opt += fmt.Sprintf(",size=%d", size)
 	}
 	return wrapErrSuffix(
-		Mount(fsname, target, "tmpfs", flags, opt),
-		fmt.Sprintf("cannot mount tmpfs on %q:", name))
+		Mount(fsname, target, FstypeTmpfs, flags, opt),
+		fmt.Sprintf("cannot mount tmpfs on %q:", target))
 }

 func parentPerm(perm os.FileMode) os.FileMode {
@ -128,3 +213,20 @@ func parentPerm(perm os.FileMode) os.FileMode {
 	}
 	return os.FileMode(pperm)
 }
+
+// escapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
+func escapeOverlayDataSegment(s string) string {
+	if s == zeroString {
+		return zeroString
+	}
+
+	if f := strings.SplitN(s, "\x00", 2); len(f) > 0 {
+		s = f[0]
+	}
+
+	return strings.NewReplacer(
+		SpecialOverlayEscape, SpecialOverlayEscape+SpecialOverlayEscape,
+		SpecialOverlayOption, SpecialOverlayEscape+SpecialOverlayOption,
+		SpecialOverlayPath, SpecialOverlayEscape+SpecialOverlayPath,
+	).Replace(s)
+}
--- a/container/mount_test.go
+++ b/container/mount_test.go
@ -0,0 +1,49 @@
+package container
+
+import (
+	"os"
+	"testing"
+)
+
+func TestParentPerm(t *testing.T) {
+	testCases := []struct {
+		perm os.FileMode
+		want os.FileMode
+	}{
+		{0755, 0755},
+		{0750, 0750},
+		{0705, 0705},
+		{0700, 0700},
+		{050, 0750},
+		{05, 0705},
+		{0, 0700},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.perm.String(), func(t *testing.T) {
+			if got := parentPerm(tc.perm); got != tc.want {
+				t.Errorf("parentPerm: %#o, want %#o", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestEscapeOverlayDataSegment(t *testing.T) {
+	testCases := []struct {
+		name string
+		s    string
+		want string
+	}{
+		{"zero", zeroString, zeroString},
+		{"multi", `\\\:,:,\\\`, `\\\\\\\:\,\:\,\\\\\\`},
+		{"bwrap", `/path :,\`, `/path \:\,\\`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := escapeOverlayDataSegment(tc.s); got != tc.want {
+				t.Errorf("escapeOverlayDataSegment: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
--- a/container/ops.go
+++ b/container/ops.go
@ -13,6 +13,17 @@ import (
 	"unsafe"
 )

+const (
+	// intermediate root file name pattern for [MountOverlayOp.Upper];
+	// remains after apply returns
+	intermediatePatternOverlayUpper = "overlay.upper.*"
+	// intermediate root file name pattern for [MountOverlayOp.Work];
+	// remains after apply returns
+	intermediatePatternOverlayWork = "overlay.work.*"
+	// intermediate root file name pattern for [TmpfileOp]
+	intermediatePatternTmpfile = "tmp.*"
+)
+
 type (
 	Ops []Op

@ -36,22 +47,22 @@ func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
 func init() { gob.Register(new(RemountOp)) }

 // Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
-func (f *Ops) Remount(target string, flags uintptr) *Ops {
+func (f *Ops) Remount(target *Absolute, flags uintptr) *Ops {
 	*f = append(*f, &RemountOp{target, flags})
 	return f
 }

 type RemountOp struct {
-	Target string
+	Target *Absolute
 	Flags  uintptr
 }

 func (*RemountOp) early(*Params) error { return nil }
 func (r *RemountOp) apply(*Params) error {
-	if !path.IsAbs(r.Target) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", r.Target))
+	if r.Target == nil {
+		return EBADE
 	}
-	return wrapErrSuffix(hostProc.remount(toSysroot(r.Target), r.Flags),
+	return wrapErrSuffix(hostProc.remount(toSysroot(r.Target.String()), r.Flags),
 		fmt.Sprintf("cannot remount %q:", r.Target))
 }

@ -62,13 +73,13 @@ func (r *RemountOp) String() string { return fmt.Sprintf("%q flags %#x", r.Targe
 func init() { gob.Register(new(BindMountOp)) }

 // Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
-func (f *Ops) Bind(source, target string, flags int) *Ops {
-	*f = append(*f, &BindMountOp{source, "", target, flags})
+func (f *Ops) Bind(source, target *Absolute, flags int) *Ops {
+	*f = append(*f, &BindMountOp{nil, source, target, flags})
 	return f
 }

 type BindMountOp struct {
-	Source, SourceFinal, Target string
+	sourceFinal, Source, Target *Absolute

 	Flags int
 }
@ -83,24 +94,24 @@ const (
 )

 func (b *BindMountOp) early(*Params) error {
-	if !path.IsAbs(b.Source) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", b.Source))
+	if b.Source == nil || b.Target == nil {
+		return EBADE
 	}

-	if v, err := filepath.EvalSymlinks(b.Source); err != nil {
+	if pathname, err := filepath.EvalSymlinks(b.Source.String()); err != nil {
 		if os.IsNotExist(err) && b.Flags&BindOptional != 0 {
-			b.SourceFinal = "\x00"
+			// leave sourceFinal as nil
 			return nil
 		}
 		return wrapErrSelf(err)
 	} else {
-		b.SourceFinal = v
-		return nil
+		b.sourceFinal, err = NewAbs(pathname)
+		return err
 	}
 }

 func (b *BindMountOp) apply(*Params) error {
-	if b.SourceFinal == "\x00" {
+	if b.sourceFinal == nil {
 		if b.Flags&BindOptional == 0 {
 			// unreachable
 			return EBADE
@ -108,12 +119,8 @@ func (b *BindMountOp) apply(*Params) error {
 		return nil
 	}

-	if !path.IsAbs(b.SourceFinal) || !path.IsAbs(b.Target) {
-		return msg.WrapErr(EBADE, "path is not absolute")
-	}
-
-	source := toHost(b.SourceFinal)
-	target := toSysroot(b.Target)
+	source := toHost(b.sourceFinal.String())
+	target := toSysroot(b.Target.String())

 	// this perm value emulates bwrap behaviour as it clears bits from 0755 based on
 	// op->perms which is never set for any bind setup op so always results in 0700
@ -135,7 +142,7 @@ func (b *BindMountOp) apply(*Params) error {
 		flags |= MS_NODEV
 	}

-	return hostProc.bindMount(source, target, flags, b.SourceFinal == b.Target)
+	return hostProc.bindMount(source, target, flags, b.sourceFinal == b.Target)
 }

 func (b *BindMountOp) Is(op Op) bool { vb, ok := op.(*BindMountOp); return ok && *b == *vb }
@ -150,63 +157,74 @@ func (b *BindMountOp) String() string {
 func init() { gob.Register(new(MountProcOp)) }

 // Proc appends an [Op] that mounts a private instance of proc.
-func (f *Ops) Proc(dest string) *Ops {
-	*f = append(*f, MountProcOp(dest))
+func (f *Ops) Proc(target *Absolute) *Ops {
+	*f = append(*f, &MountProcOp{target})
 	return f
 }

-type MountProcOp string
+type MountProcOp struct {
+	Target *Absolute
+}

-func (p MountProcOp) early(*Params) error { return nil }
-func (p MountProcOp) apply(params *Params) error {
-	v := string(p)
-
-	if !path.IsAbs(v) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", v))
+func (p *MountProcOp) early(*Params) error { return nil }
+func (p *MountProcOp) apply(params *Params) error {
+	if p.Target == nil {
+		return EBADE
 	}
-
-	target := toSysroot(v)
+	target := toSysroot(p.Target.String())
 	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
 		return wrapErrSelf(err)
 	}
-	return wrapErrSuffix(Mount("proc", target, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, ""),
-		fmt.Sprintf("cannot mount proc on %q:", v))
+	return wrapErrSuffix(Mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString),
+		fmt.Sprintf("cannot mount proc on %q:", p.Target.String()))
 }

-func (p MountProcOp) Is(op Op) bool  { vp, ok := op.(MountProcOp); return ok && p == vp }
-func (MountProcOp) prefix() string   { return "mounting" }
-func (p MountProcOp) String() string { return fmt.Sprintf("proc on %q", string(p)) }
+func (p *MountProcOp) Is(op Op) bool {
+	vp, ok := op.(*MountProcOp)
+	return ok && ((p == nil && vp == nil) || p == vp)
+}
+func (*MountProcOp) prefix() string   { return "mounting" }
+func (p *MountProcOp) String() string { return fmt.Sprintf("proc on %q", p.Target) }

 func init() { gob.Register(new(MountDevOp)) }

 // Dev appends an [Op] that mounts a subset of host /dev.
-func (f *Ops) Dev(dest string) *Ops {
-	*f = append(*f, MountDevOp(dest))
+func (f *Ops) Dev(target *Absolute, mqueue bool) *Ops {
+	*f = append(*f, &MountDevOp{target, mqueue, false})
 	return f
 }

-type MountDevOp string
+// DevWritable appends an [Op] that mounts a writable subset of host /dev.
+// There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
+func (f *Ops) DevWritable(target *Absolute, mqueue bool) *Ops {
+	*f = append(*f, &MountDevOp{target, mqueue, true})
+	return f
+}

-func (d MountDevOp) early(*Params) error { return nil }
-func (d MountDevOp) apply(params *Params) error {
-	v := string(d)
+type MountDevOp struct {
+	Target *Absolute
+	Mqueue bool
+	Write  bool
+}

-	if !path.IsAbs(v) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", v))
+func (d *MountDevOp) early(*Params) error { return nil }
+func (d *MountDevOp) apply(params *Params) error {
+	if d.Target == nil {
+		return EBADE
 	}
-	target := toSysroot(v)
+	target := toSysroot(d.Target.String())

-	if err := mountTmpfs("devtmpfs", v, MS_NOSUID|MS_NODEV, 0, params.ParentPerm); err != nil {
+	if err := mountTmpfs(SourceTmpfsDevtmpfs, target, MS_NOSUID|MS_NODEV, 0, params.ParentPerm); err != nil {
 		return err
 	}

 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
-		targetPath := toSysroot(path.Join(v, name))
+		targetPath := path.Join(target, name)
 		if err := ensureFile(targetPath, 0444, params.ParentPerm); err != nil {
 			return err
 		}
 		if err := hostProc.bindMount(
-			toHost("/dev/"+name),
+			toHost(FHSDev+name),
 			targetPath,
 			0,
 			true,
@ -216,15 +234,15 @@ func (d MountDevOp) apply(params *Params) error {
 	}
 	for i, name := range []string{"stdin", "stdout", "stderr"} {
 		if err := os.Symlink(
-			"/proc/self/fd/"+string(rune(i+'0')),
+			FHSProc+"self/fd/"+string(rune(i+'0')),
 			path.Join(target, name),
 		); err != nil {
 			return wrapErrSelf(err)
 		}
 	}
 	for _, pair := range [][2]string{
-		{"/proc/self/fd", "fd"},
-		{"/proc/kcore", "core"},
+		{FHSProc + "self/fd", "fd"},
+		{FHSProc + "kcore", "core"},
 		{"pts/ptmx", "ptmx"},
 	} {
 		if err := os.Symlink(pair[0], path.Join(target, pair[1])); err != nil {
@ -239,7 +257,7 @@ func (d MountDevOp) apply(params *Params) error {
 		}
 	}

-	if err := Mount("devpts", devPtsPath, "devpts", MS_NOSUID|MS_NOEXEC,
+	if err := Mount(SourceDevpts, devPtsPath, FstypeDevpts, MS_NOSUID|MS_NOEXEC,
 		"newinstance,ptmxmode=0666,mode=620"); err != nil {
 		return wrapErrSuffix(err,
 			fmt.Sprintf("cannot mount devpts on %q:", devPtsPath))
@ -248,7 +266,7 @@ func (d MountDevOp) apply(params *Params) error {
 	if params.RetainSession {
 		var buf [8]byte
 		if _, _, errno := Syscall(SYS_IOCTL, 1, TIOCGWINSZ, uintptr(unsafe.Pointer(&buf[0]))); errno == 0 {
-			consolePath := toSysroot(path.Join(v, "console"))
+			consolePath := path.Join(target, "console")
 			if err := ensureFile(consolePath, 0444, params.ParentPerm); err != nil {
 				return err
 			}
@ -265,60 +283,49 @@ func (d MountDevOp) apply(params *Params) error {
 		}
 	}

-	return nil
-}
-
-func (d MountDevOp) Is(op Op) bool  { vd, ok := op.(MountDevOp); return ok && d == vd }
-func (MountDevOp) prefix() string   { return "mounting" }
-func (d MountDevOp) String() string { return fmt.Sprintf("dev on %q", string(d)) }
-
-func init() { gob.Register(new(MountMqueueOp)) }
-
-// Mqueue appends an [Op] that mounts a private instance of mqueue.
-func (f *Ops) Mqueue(dest string) *Ops {
-	*f = append(*f, MountMqueueOp(dest))
-	return f
-}
-
-type MountMqueueOp string
-
-func (m MountMqueueOp) early(*Params) error { return nil }
-func (m MountMqueueOp) apply(params *Params) error {
-	v := string(m)
-
-	if !path.IsAbs(v) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", v))
+	if d.Mqueue {
+		mqueueTarget := path.Join(target, "mqueue")
+		if err := os.Mkdir(mqueueTarget, params.ParentPerm); err != nil {
+			return wrapErrSelf(err)
+		}
+		if err := Mount(SourceMqueue, mqueueTarget, FstypeMqueue, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString); err != nil {
+			return wrapErrSuffix(err, "cannot mount mqueue:")
+		}
 	}

-	target := toSysroot(v)
-	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
-		return wrapErrSelf(err)
+	if d.Write {
+		return nil
 	}
-	return wrapErrSuffix(Mount("mqueue", target, "mqueue", MS_NOSUID|MS_NOEXEC|MS_NODEV, ""),
-		fmt.Sprintf("cannot mount mqueue on %q:", v))
+	return wrapErrSuffix(hostProc.remount(target, MS_RDONLY),
+		fmt.Sprintf("cannot remount %q:", target))
 }

-func (m MountMqueueOp) Is(op Op) bool  { vm, ok := op.(MountMqueueOp); return ok && m == vm }
-func (MountMqueueOp) prefix() string   { return "mounting" }
-func (m MountMqueueOp) String() string { return fmt.Sprintf("mqueue on %q", string(m)) }
+func (d *MountDevOp) Is(op Op) bool { vd, ok := op.(*MountDevOp); return ok && *d == *vd }
+func (*MountDevOp) prefix() string  { return "mounting" }
+func (d *MountDevOp) String() string {
+	if d.Mqueue {
+		return fmt.Sprintf("dev on %q with mqueue", d.Target)
+	}
+	return fmt.Sprintf("dev on %q", d.Target)
+}

 func init() { gob.Register(new(MountTmpfsOp)) }

 // Tmpfs appends an [Op] that mounts tmpfs on container path [MountTmpfsOp.Path].
-func (f *Ops) Tmpfs(dest string, size int, perm os.FileMode) *Ops {
-	*f = append(*f, &MountTmpfsOp{"ephemeral", dest, MS_NOSUID | MS_NODEV, size, perm})
+func (f *Ops) Tmpfs(target *Absolute, size int, perm os.FileMode) *Ops {
+	*f = append(*f, &MountTmpfsOp{SourceTmpfsEphemeral, target, MS_NOSUID | MS_NODEV, size, perm})
 	return f
 }

 // Readonly appends an [Op] that mounts read-only tmpfs on container path [MountTmpfsOp.Path].
-func (f *Ops) Readonly(dest string, perm os.FileMode) *Ops {
-	*f = append(*f, &MountTmpfsOp{"readonly", dest, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
+func (f *Ops) Readonly(target *Absolute, perm os.FileMode) *Ops {
+	*f = append(*f, &MountTmpfsOp{SourceTmpfsReadonly, target, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
 	return f
 }

 type MountTmpfsOp struct {
 	FSName string
-	Path   string
+	Path   *Absolute
 	Flags  uintptr
 	Size   int
 	Perm   os.FileMode
@ -326,86 +333,243 @@ type MountTmpfsOp struct {

 func (t *MountTmpfsOp) early(*Params) error { return nil }
 func (t *MountTmpfsOp) apply(*Params) error {
-	if !path.IsAbs(t.Path) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", t.Path))
+	if t.Path == nil {
+		return EBADE
 	}
 	if t.Size < 0 || t.Size > math.MaxUint>>1 {
 		return msg.WrapErr(EBADE, fmt.Sprintf("size %d out of bounds", t.Size))
 	}
-	return mountTmpfs(t.FSName, t.Path, t.Flags, t.Size, t.Perm)
+	return mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
 }

 func (t *MountTmpfsOp) Is(op Op) bool  { vt, ok := op.(*MountTmpfsOp); return ok && *t == *vt }
 func (*MountTmpfsOp) prefix() string   { return "mounting" }
 func (t *MountTmpfsOp) String() string { return fmt.Sprintf("tmpfs on %q size %d", t.Path, t.Size) }

-func init() { gob.Register(new(SymlinkOp)) }
+func init() { gob.Register(new(MountOverlayOp)) }

-// Link appends an [Op] that creates a symlink in the container filesystem.
-func (f *Ops) Link(target, linkName string) *Ops {
-	*f = append(*f, &SymlinkOp{target, linkName})
+// Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
+func (f *Ops) Overlay(target, state, work *Absolute, layers ...*Absolute) *Ops {
+	*f = append(*f, &MountOverlayOp{
+		Target: target,
+		Lower:  layers,
+		Upper:  state,
+		Work:   work,
+	})
 	return f
 }

-type SymlinkOp [2]string
+// OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
+// with an ephemeral upperdir and workdir.
+func (f *Ops) OverlayEphemeral(target *Absolute, layers ...*Absolute) *Ops {
+	return f.Overlay(target, AbsFHSRoot, nil, layers...)
+}

-func (l *SymlinkOp) early(*Params) error {
-	if strings.HasPrefix(l[0], "*") {
-		l[0] = l[0][1:]
-		if !path.IsAbs(l[0]) {
-			return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", l[0]))
+// OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
+func (f *Ops) OverlayReadonly(target *Absolute, layers ...*Absolute) *Ops {
+	return f.Overlay(target, nil, nil, layers...)
+}
+
+type MountOverlayOp struct {
+	Target *Absolute
+
+	// Any filesystem, does not need to be on a writable filesystem.
+	Lower []*Absolute
+	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
+	lower []string
+	// The upperdir is normally on a writable filesystem.
+	//
+	// If Work is nil and Upper holds the special value [FHSRoot],
+	// an ephemeral upperdir and workdir will be set up.
+	//
+	// If both Work and Upper are empty strings, upperdir and workdir is omitted and the overlay is mounted readonly.
+	Upper *Absolute
+	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
+	upper string
+	// The workdir needs to be an empty directory on the same filesystem as upperdir.
+	Work *Absolute
+	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
+	work string
+
+	ephemeral bool
+}
+
+func (o *MountOverlayOp) early(*Params) error {
+	if o.Work == nil && o.Upper != nil {
+		switch o.Upper.String() {
+		case FHSRoot: // ephemeral
+			o.ephemeral = true // intermediate root not yet available
+
+		default:
+			return msg.WrapErr(EINVAL, fmt.Sprintf("upperdir has unexpected value %q", o.Upper))
 		}
-		if name, err := os.Readlink(l[0]); err != nil {
+	}
+	// readonly handled in apply
+
+	if !o.ephemeral {
+		if o.Upper != o.Work && (o.Upper == nil || o.Work == nil) {
+			// unreachable
+			return msg.WrapErr(ENOTRECOVERABLE, "impossible overlay state reached")
+		}
+
+		if o.Upper != nil {
+			if v, err := filepath.EvalSymlinks(o.Upper.String()); err != nil {
+				return wrapErrSelf(err)
+			} else {
+				o.upper = escapeOverlayDataSegment(toHost(v))
+			}
+		}
+
+		if o.Work != nil {
+			if v, err := filepath.EvalSymlinks(o.Work.String()); err != nil {
+				return wrapErrSelf(err)
+			} else {
+				o.work = escapeOverlayDataSegment(toHost(v))
+			}
+		}
+	}
+
+	o.lower = make([]string, len(o.Lower))
+	for i, a := range o.Lower {
+		if a == nil {
+			return EBADE
+		}
+
+		if v, err := filepath.EvalSymlinks(a.String()); err != nil {
 			return wrapErrSelf(err)
 		} else {
-			l[0] = name
+			o.lower[i] = escapeOverlayDataSegment(toHost(v))
 		}
 	}
 	return nil
 }
-func (l *SymlinkOp) apply(params *Params) error {
-	// symlink target is an arbitrary path value, so only validate link name here
-	if !path.IsAbs(l[1]) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", l[1]))
+
+func (o *MountOverlayOp) apply(params *Params) error {
+	if o.Target == nil {
+		return EBADE
+	}
+	target := toSysroot(o.Target.String())
+	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
+		return wrapErrSelf(err)
 	}

-	target := toSysroot(l[1])
+	if o.ephemeral {
+		var err error
+		// these directories are created internally, therefore early (absolute, symlink, prefix, escape) is bypassed
+		if o.upper, err = os.MkdirTemp(FHSRoot, intermediatePatternOverlayUpper); err != nil {
+			return wrapErrSelf(err)
+		}
+		if o.work, err = os.MkdirTemp(FHSRoot, intermediatePatternOverlayWork); err != nil {
+			return wrapErrSelf(err)
+		}
+	}
+
+	options := make([]string, 0, 4)
+
+	if o.upper == zeroString && o.work == zeroString { // readonly
+		if len(o.Lower) < 2 {
+			return msg.WrapErr(EINVAL, "readonly overlay requires at least two lowerdir")
+		}
+		// "upperdir=" and "workdir=" may be omitted. In that case the overlay will be read-only
+	} else {
+		if len(o.Lower) == 0 {
+			return msg.WrapErr(EINVAL, "overlay requires at least one lowerdir")
+		}
+		options = append(options,
+			OptionOverlayUpperdir+"="+o.upper,
+			OptionOverlayWorkdir+"="+o.work)
+	}
+	options = append(options,
+		OptionOverlayLowerdir+"="+strings.Join(o.lower, SpecialOverlayPath),
+		OptionOverlayUserxattr)
+
+	return wrapErrSuffix(Mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, SpecialOverlayOption)),
+		fmt.Sprintf("cannot mount overlay on %q:", o.Target))
+}
+
+func (o *MountOverlayOp) Is(op Op) bool {
+	vo, ok := op.(*MountOverlayOp)
+	return ok &&
+		o.Target == vo.Target &&
+		slices.Equal(o.Lower, vo.Lower) &&
+		o.Upper == vo.Upper &&
+		o.Work == vo.Work
+}
+func (*MountOverlayOp) prefix() string { return "mounting" }
+func (o *MountOverlayOp) String() string {
+	return fmt.Sprintf("overlay on %q with %d layers", o.Target, len(o.Lower))
+}
+
+func init() { gob.Register(new(SymlinkOp)) }
+
+// Link appends an [Op] that creates a symlink in the container filesystem.
+func (f *Ops) Link(target *Absolute, linkName string, dereference bool) *Ops {
+	*f = append(*f, &SymlinkOp{target, linkName, dereference})
+	return f
+}
+
+type SymlinkOp struct {
+	Target *Absolute
+	// LinkName is an arbitrary uninterpreted pathname.
+	LinkName string
+
+	// Dereference causes LinkName to be dereferenced during early.
+	Dereference bool
+}
+
+func (l *SymlinkOp) early(*Params) error {
+	if l.Dereference {
+		if !isAbs(l.LinkName) {
+			return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", l.LinkName))
+		}
+		if name, err := os.Readlink(l.LinkName); err != nil {
+			return wrapErrSelf(err)
+		} else {
+			l.LinkName = name
+		}
+	}
+	return nil
+}
+
+func (l *SymlinkOp) apply(params *Params) error {
+	if l.Target == nil {
+		return EBADE
+	}
+	target := toSysroot(l.Target.String())
 	if err := os.MkdirAll(path.Dir(target), params.ParentPerm); err != nil {
 		return wrapErrSelf(err)
 	}
-	if err := os.Symlink(l[0], target); err != nil {
+	if err := os.Symlink(l.LinkName, target); err != nil {
 		return wrapErrSelf(err)
 	}
 	return nil
 }

-func (l *SymlinkOp) Is(op Op) bool  { vl, ok := op.(*SymlinkOp); return ok && *l == *vl }
-func (*SymlinkOp) prefix() string   { return "creating" }
-func (l *SymlinkOp) String() string { return fmt.Sprintf("symlink on %q target %q", l[1], l[0]) }
+func (l *SymlinkOp) Is(op Op) bool { vl, ok := op.(*SymlinkOp); return ok && *l == *vl }
+func (*SymlinkOp) prefix() string  { return "creating" }
+func (l *SymlinkOp) String() string {
+	return fmt.Sprintf("symlink on %q linkname %q", l.Target, l.LinkName)
+}

 func init() { gob.Register(new(MkdirOp)) }

 // Mkdir appends an [Op] that creates a directory in the container filesystem.
-func (f *Ops) Mkdir(dest string, perm os.FileMode) *Ops {
-	*f = append(*f, &MkdirOp{dest, perm})
+func (f *Ops) Mkdir(name *Absolute, perm os.FileMode) *Ops {
+	*f = append(*f, &MkdirOp{name, perm})
 	return f
 }

 type MkdirOp struct {
-	Path string
+	Path *Absolute
 	Perm os.FileMode
 }

 func (m *MkdirOp) early(*Params) error { return nil }
 func (m *MkdirOp) apply(*Params) error {
-	if !path.IsAbs(m.Path) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", m.Path))
+	if m.Path == nil {
+		return EBADE
 	}
-
-	if err := os.MkdirAll(toSysroot(m.Path), m.Perm); err != nil {
-		return wrapErrSelf(err)
-	}
-	return nil
+	return wrapErrSelf(os.MkdirAll(toSysroot(m.Path.String()), m.Perm))
 }

 func (m *MkdirOp) Is(op Op) bool  { vm, ok := op.(*MkdirOp); return ok && m == vm }
@ -415,10 +579,13 @@ func (m *MkdirOp) String() string { return fmt.Sprintf("directory %q perm %s", m
 func init() { gob.Register(new(TmpfileOp)) }

 // Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
-func (f *Ops) Place(name string, data []byte) *Ops { *f = append(*f, &TmpfileOp{name, data}); return f }
+func (f *Ops) Place(name *Absolute, data []byte) *Ops {
+	*f = append(*f, &TmpfileOp{name, data})
+	return f
+}

 // PlaceP is like Place but writes the address of [TmpfileOp.Data] to the pointer dataP points to.
-func (f *Ops) PlaceP(name string, dataP **[]byte) *Ops {
+func (f *Ops) PlaceP(name *Absolute, dataP **[]byte) *Ops {
 	t := &TmpfileOp{Path: name}
 	*dataP = &t.Data

@ -427,18 +594,18 @@ func (f *Ops) PlaceP(name string, dataP **[]byte) *Ops {
 }

 type TmpfileOp struct {
-	Path string
+	Path *Absolute
 	Data []byte
 }

 func (t *TmpfileOp) early(*Params) error { return nil }
 func (t *TmpfileOp) apply(params *Params) error {
-	if !path.IsAbs(t.Path) {
-		return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", t.Path))
+	if t.Path == nil {
+		return EBADE
 	}

 	var tmpPath string
-	if f, err := os.CreateTemp("/", "tmp.*"); err != nil {
+	if f, err := os.CreateTemp(FHSRoot, intermediatePatternTmpfile); err != nil {
 		return wrapErrSelf(err)
 	} else if _, err = f.Write(t.Data); err != nil {
 		return wrapErrSuffix(err,
@ -450,7 +617,7 @@ func (t *TmpfileOp) apply(params *Params) error {
 		tmpPath = f.Name()
 	}

-	target := toSysroot(t.Path)
+	target := toSysroot(t.Path.String())
 	if err := ensureFile(target, 0444, params.ParentPerm); err != nil {
 		return err
 	} else if err = hostProc.bindMount(
--- a/container/params.go
+++ b/container/params.go
@ -5,11 +5,11 @@ import (
 	"errors"
 	"os"
 	"strconv"
+	"syscall"
 )

 var (
-	ErrNotSet  = errors.New("environment variable not set")
-	ErrInvalid = errors.New("bad file descriptor")
+	ErrNotSet = errors.New("environment variable not set")
 )

 // Setup appends the read end of a pipe for setup params transmission and returns its fd.
@ -35,7 +35,7 @@ func Receive(key string, e any, v **os.File) (func() error, error) {
 		} else {
 			setup = os.NewFile(uintptr(fd), "setup")
 			if setup == nil {
-				return nil, ErrInvalid
+				return nil, syscall.EBADF
 			}
 			if v != nil {
 				*v = setup
--- a/container/path.go
+++ b/container/path.go
@ -13,10 +13,81 @@ import (
 	"hakurei.app/container/vfs"
 )

+/* constants in this file bypass abs check, be extremely careful when changing them! */
+
 const (
-	hostPath    = "/" + hostDir
+	// FHSRoot points to the file system root.
+	FHSRoot = "/"
+	// FHSEtc points to the directory for system-specific configuration.
+	FHSEtc = "/etc/"
+	// FHSTmp points to the place for small temporary files.
+	FHSTmp = "/tmp/"
+
+	// FHSRun points to a "tmpfs" file system for system packages to place runtime data, socket files, and similar.
+	FHSRun = "/run/"
+	// FHSRunUser points to a directory containing per-user runtime directories,
+	// each usually individually mounted "tmpfs" instances.
+	FHSRunUser = FHSRun + "user/"
+
+	// FHSUsr points to vendor-supplied operating system resources.
+	FHSUsr = "/usr/"
+	// FHSUsrBin points to binaries and executables for user commands that shall appear in the $PATH search path.
+	FHSUsrBin = FHSUsr + "bin/"
+
+	// FHSVar points to persistent, variable system data. Writable during normal system operation.
+	FHSVar = "/var/"
+	// FHSVarLib points to persistent system data.
+	FHSVarLib = FHSVar + "lib/"
+	// FHSVarEmpty points to a nonstandard directory that is usually empty.
+	FHSVarEmpty = FHSVar + "empty/"
+
+	// FHSDev points to the root directory for device nodes.
+	FHSDev = "/dev/"
+	// FHSProc points to a virtual kernel file system exposing the process list and other functionality.
+	FHSProc = "/proc/"
+	// FHSProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
+	FHSProcSys = FHSProc + "sys/"
+	// FHSSys points to a virtual kernel file system exposing discovered devices and other functionality.
+	FHSSys = "/sys/"
+)
+
+var (
+	// AbsFHSRoot is [FHSRoot] as [Absolute].
+	AbsFHSRoot = &Absolute{FHSRoot}
+	// AbsFHSEtc is [FHSEtc] as [Absolute].
+	AbsFHSEtc = &Absolute{FHSEtc}
+	// AbsFHSTmp is [FHSTmp] as [Absolute].
+	AbsFHSTmp = &Absolute{FHSTmp}
+
+	// AbsFHSRun is [FHSRun] as [Absolute].
+	AbsFHSRun = &Absolute{FHSRun}
+	// AbsFHSRunUser is [FHSRunUser] as [Absolute].
+	AbsFHSRunUser = &Absolute{FHSRunUser}
+
+	// AbsFHSUsrBin is [FHSUsrBin] as [Absolute].
+	AbsFHSUsrBin = &Absolute{FHSUsrBin}
+
+	// AbsFHSVar is [FHSVar] as [Absolute].
+	AbsFHSVar = &Absolute{FHSVar}
+	// AbsFHSVarLib is [FHSVarLib] as [Absolute].
+	AbsFHSVarLib = &Absolute{FHSVarLib}
+
+	// AbsFHSDev is [FHSDev] as [Absolute].
+	AbsFHSDev = &Absolute{FHSDev}
+	// AbsFHSProc is [FHSProc] as [Absolute].
+	AbsFHSProc = &Absolute{FHSProc}
+	// AbsFHSSys is [FHSSys] as [Absolute].
+	AbsFHSSys = &Absolute{FHSSys}
+)
+
+const (
+	// Nonexistent is a path that cannot exist.
+	// /proc is chosen because a system with covered /proc is unsupported by this package.
+	Nonexistent = FHSProc + "nonexistent"
+
+	hostPath    = FHSRoot + hostDir
 	hostDir     = "host"
-	sysrootPath = "/" + sysrootDir
+	sysrootPath = FHSRoot + sysrootDir
 	sysrootDir  = "sysroot"
 )

@ -63,9 +134,9 @@ func ensureFile(name string, perm, pperm os.FileMode) error {
 	return err
 }

-var hostProc = newProcPats(hostPath)
+var hostProc = newProcPaths(hostPath)

-func newProcPats(prefix string) *procPaths {
+func newProcPaths(prefix string) *procPaths {
 	return &procPaths{prefix + "/proc", prefix + "/proc/self"}
 }

--- a/container/path_test.go
+++ b/container/path_test.go
@ -0,0 +1,42 @@
+package container
+
+import "testing"
+
+func TestToSysroot(t *testing.T) {
+	testCases := []struct {
+		name string
+		want string
+	}{
+		{"", "/sysroot"},
+		{"/", "/sysroot"},
+		{"//etc///", "/sysroot/etc"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := toSysroot(tc.name); got != tc.want {
+				t.Errorf("toSysroot: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestToHost(t *testing.T) {
+	testCases := []struct {
+		name string
+		want string
+	}{
+		{"", "/host"},
+		{"/", "/host"},
+		{"//etc///", "/host/etc"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := toHost(tc.name); got != tc.want {
+				t.Errorf("toHost: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+// InternalToHostOvlEscape exports toHost passed to escapeOverlayDataSegment.
+func InternalToHostOvlEscape(s string) string { return escapeOverlayDataSegment(toHost(s)) }
--- a/container/sysctl.go
+++ b/container/sysctl.go
@ -17,9 +17,9 @@ var (
 )

 const (
-	kernelOverflowuidPath = "/proc/sys/kernel/overflowuid"
-	kernelOverflowgidPath = "/proc/sys/kernel/overflowgid"
-	kernelCapLastCapPath  = "/proc/sys/kernel/cap_last_cap"
+	kernelOverflowuidPath = FHSProcSys + "kernel/overflowuid"
+	kernelOverflowgidPath = FHSProcSys + "kernel/overflowgid"
+	kernelCapLastCapPath  = FHSProcSys + "kernel/cap_last_cap"
 )

 func mustReadSysctl() {
--- a/flake.nix
+++ b/flake.nix
@ -159,6 +159,54 @@
          default = pkgs.mkShell { buildInputs = hakurei.targetPkgs; };
          withPackage = pkgs.mkShell { buildInputs = [ hakurei ] ++ hakurei.targetPkgs; };

+          vm =
+            let
+              nixos = nixpkgs.lib.nixosSystem {
+                inherit system;
+                modules = [
+                  {
+                    environment = {
+                      systemPackages = [
+                        (pkgs.buildFHSEnv {
+                          pname = "hakurei-fhs";
+                          inherit (hakurei) version;
+                          targetPkgs = _: hakurei.targetPkgs;
+                          extraOutputsToInstall = [ "dev" ];
+                          profile = ''
+                            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+                          '';
+                        })
+                      ];
+
+                      hakurei =
+                        let
+                          # this is used for interactive vm testing during development, where tests might be broken
+                          package = self.packages.${pkgs.system}.hakurei.override {
+                            buildGoModule = previousArgs: pkgs.pkgsStatic.buildGoModule (previousArgs // { doCheck = false; });
+                          };
+                        in
+                        {
+                          inherit package;
+                          hsuPackage = self.packages.${pkgs.system}.hsu.override { hakurei = package; };
+                        };
+                    };
+                  }
+
+                  ./test/interactive/configuration.nix
+                  ./test/interactive/vm.nix
+                  ./test/interactive/hakurei.nix
+                  ./test/interactive/trace.nix
+
+                  self.nixosModules.hakurei
+                  self.inputs.home-manager.nixosModules.home-manager
+                ];
+              };
+            in
+            pkgs.mkShell {
+              buildInputs = [ nixos.config.system.build.vm ];
+              shellHook = "exec run-nixos-vm $@";
+            };
+
          generateDoc =
            let
              inherit (pkgs) lib;
--- a/helper/container.go
+++ b/helper/container.go
@ -16,7 +16,7 @@ import (
 // New initialises a Helper instance with wt as the null-terminated argument writer.
 func New(
 	ctx context.Context,
-	name string,
+	pathname *container.Absolute, name string,
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
@ -26,7 +26,7 @@ func New(
 	var args []string
 	h := new(helperContainer)
 	h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
-	h.Container = container.New(ctx, name, args...)
+	h.Container = container.NewCommand(ctx, pathname, name, args...)
 	h.WaitDelay = WaitDelay
 	if cmdF != nil {
 		cmdF(h.Container)
--- a/helper/container_test.go
+++ b/helper/container_test.go
@ -12,7 +12,7 @@ import (

 func TestContainer(t *testing.T) {
 	t.Run("start empty container", func(t *testing.T) {
-		h := helper.New(t.Context(), container.Nonexistent, argsWt, false, argF, nil, nil)
+		h := helper.New(t.Context(), container.MustAbs(container.Nonexistent), "hakurei", argsWt, false, argF, nil, nil)

 		wantErr := "container: starting an empty container"
 		if err := h.Start(); err == nil || err.Error() != wantErr {
@ -22,7 +22,7 @@ func TestContainer(t *testing.T) {
 	})

 	t.Run("valid new helper nil check", func(t *testing.T) {
-		if got := helper.New(t.Context(), "hakurei", argsWt, false, argF, nil, nil); got == nil {
+		if got := helper.New(t.Context(), container.MustAbs(container.Nonexistent), "hakurei", argsWt, false, argF, nil, nil); got == nil {
 			t.Errorf("New(%q, %q) got nil",
 				argsWt, "hakurei")
 			return
@ -31,9 +31,12 @@ func TestContainer(t *testing.T) {

 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
-			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(z *container.Container) {
+			return helper.New(ctx, container.MustAbs(os.Args[0]), "helper", argsWt, stat, argF, func(z *container.Container) {
 				setOutput(&z.Stdout, &z.Stderr)
-				z.Bind("/", "/", 0).Proc("/proc").Dev("/dev")
+				z.
+					Bind(container.AbsFHSRoot, container.AbsFHSRoot, 0).
+					Proc(container.AbsFHSProc).
+					Dev(container.AbsFHSDev, true)
 			}, nil)
 		})
 	})
--- a/hst/config.go
+++ b/hst/config.go
@ -2,12 +2,15 @@
 package hst

 import (
+	"hakurei.app/container"
 	"hakurei.app/system"
 	"hakurei.app/system/dbus"
 )

 const Tmp = "/.hakurei"

+var AbsTmp = container.MustAbs(Tmp)
+
 // Config is used to seal an app implementation.
 type Config struct {
 	// reverse-DNS style arbitrary identifier string from config;
@ -16,7 +19,7 @@ type Config struct {
 	ID string `json:"id"`

 	// absolute path to executable file
-	Path string `json:"path,omitempty"`
+	Path *container.Absolute `json:"path,omitempty"`
 	// final args passed to container init
 	Args []string `json:"args"`

@ -35,12 +38,12 @@ type Config struct {

 	// passwd username in container, defaults to passwd name of target uid or chronos
 	Username string `json:"username,omitempty"`
-	// absolute path to shell, empty for host shell
-	Shell string `json:"shell,omitempty"`
+	// absolute path to shell
+	Shell *container.Absolute `json:"shell"`
 	// absolute path to home directory in the init mount namespace
-	Data string `json:"data"`
-	// directory to enter and use as home in the container mount namespace, empty for Data
-	Dir string `json:"dir"`
+	Data *container.Absolute `json:"data"`
+	// directory to enter and use as home in the container mount namespace, nil for Data
+	Dir *container.Absolute `json:"dir,omitempty"`
 	// extra acl ops, dispatches before container init
 	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`

@ -55,21 +58,24 @@ type Config struct {

 // ExtraPermConfig describes an acl update op.
 type ExtraPermConfig struct {
-	Ensure  bool   `json:"ensure,omitempty"`
-	Path    string `json:"path"`
-	Read    bool   `json:"r,omitempty"`
-	Write   bool   `json:"w,omitempty"`
-	Execute bool   `json:"x,omitempty"`
+	Ensure  bool                `json:"ensure,omitempty"`
+	Path    *container.Absolute `json:"path"`
+	Read    bool                `json:"r,omitempty"`
+	Write   bool                `json:"w,omitempty"`
+	Execute bool                `json:"x,omitempty"`
 }

 func (e *ExtraPermConfig) String() string {
-	buf := make([]byte, 0, 5+len(e.Path))
+	if e == nil || e.Path == nil {
+		return "<invalid>"
+	}
+	buf := make([]byte, 0, 5+len(e.Path.String()))
 	buf = append(buf, '-', '-', '-')
 	if e.Ensure {
 		buf = append(buf, '+')
 	}
 	buf = append(buf, ':')
-	buf = append(buf, []byte(e.Path)...)
+	buf = append(buf, []byte(e.Path.String())...)
 	if e.Read {
 		buf[0] = 'r'
 	}
--- a/hst/config_test.go
+++ b/hst/config_test.go
@ -0,0 +1,35 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestExtraPermConfig(t *testing.T) {
+	testCases := []struct {
+		name   string
+		config *hst.ExtraPermConfig
+		want   string
+	}{
+		{"nil", nil, "<invalid>"},
+		{"nil path", &hst.ExtraPermConfig{Path: nil}, "<invalid>"},
+		{"r", &hst.ExtraPermConfig{Path: container.AbsFHSRoot, Read: true}, "r--:/"},
+		{"r+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRoot, Read: true}, "r--+:/"},
+		{"w", &hst.ExtraPermConfig{Path: hst.AbsTmp, Write: true}, "-w-:/.hakurei"},
+		{"w+", &hst.ExtraPermConfig{Ensure: true, Path: hst.AbsTmp, Write: true}, "-w-+:/.hakurei"},
+		{"x", &hst.ExtraPermConfig{Path: container.AbsFHSRunUser, Execute: true}, "--x:/run/user/"},
+		{"x+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRunUser, Execute: true}, "--x+:/run/user/"},
+		{"rwx", &hst.ExtraPermConfig{Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx:/tmp/"},
+		{"rwx+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx+:/tmp/"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := tc.config.String(); got != tc.want {
+				t.Errorf("String: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
--- a/hst/container.go
+++ b/hst/container.go
@ -3,14 +3,11 @@ package hst
 import (
 	"time"

+	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 )

 const (
-	// SourceTmpfs causes tmpfs to be mounted on [FilesystemConfig.Dst]
-	// when assigned to [FilesystemConfig.Src].
-	SourceTmpfs = "tmpfs"
-
 	// TmpfsPerm is the permission bits for tmpfs mount points
 	// configured through [FilesystemConfig].
 	TmpfsPerm = 0755
@ -54,37 +51,28 @@ type (

 		// pass through all devices
 		Device bool `json:"device,omitempty"`
-		// container host filesystem bind mounts
-		Filesystem []*FilesystemConfig `json:"filesystem"`
+		// container mount points
+		Filesystem []FilesystemConfigJSON `json:"filesystem"`
 		// create symlinks inside container filesystem
-		Link [][2]string `json:"symlink"`
+		Link []LinkConfig `json:"symlink"`

 		// automatically bind mount top-level directories to container root;
 		// the zero value disables this behaviour
-		AutoRoot string `json:"auto_root,omitempty"`
+		AutoRoot *container.Absolute `json:"auto_root,omitempty"`
 		// extra flags for AutoRoot
 		RootFlags int `json:"root_flags,omitempty"`

 		// read-only /etc directory
-		Etc string `json:"etc,omitempty"`
+		Etc *container.Absolute `json:"etc,omitempty"`
 		// automatically set up /etc symlinks
 		AutoEtc bool `json:"auto_etc"`
-
-		// cover these paths or create them if they do not already exist
-		Cover []string `json:"cover"`
 	}

-	// FilesystemConfig is an abstract representation of a bind mount.
-	FilesystemConfig struct {
-		// mount point in container, same as src if empty
-		Dst string `json:"dst,omitempty"`
-		// host filesystem path to make available to the container
-		Src string `json:"src"`
-		// do not mount filesystem read-only
-		Write bool `json:"write,omitempty"`
-		// do not disable device files
-		Device bool `json:"dev,omitempty"`
-		// fail if the bind mount cannot be established for any reason
-		Must bool `json:"require,omitempty"`
+	LinkConfig struct {
+		// symlink target in container
+		Target *container.Absolute `json:"target"`
+		// linkname the symlink points to;
+		// prepend '*' to dereference an absolute pathname on host
+		Linkname string `json:"linkname"`
 	}
 )
--- a/hst/fs.go
+++ b/hst/fs.go
@ -0,0 +1,121 @@
+package hst
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"hakurei.app/container"
+)
+
+// FilesystemConfig is an abstract representation of a mount point.
+type FilesystemConfig interface {
+	// Type returns the type of this mount point.
+	Type() string
+	// Target returns the pathname of the mount point in the container.
+	Target() *container.Absolute
+	// Host returns a slice of all host paths used by this mount point.
+	Host() []*container.Absolute
+	// Apply appends the [container.Op] implementing this mount point.
+	Apply(ops *container.Ops)
+
+	fmt.Stringer
+}
+
+var (
+	ErrFSNull = errors.New("unexpected null in mount point")
+)
+
+// FSTypeError is returned when [ContainerConfig.Filesystem] contains an entry with invalid type.
+type FSTypeError string
+
+func (f FSTypeError) Error() string { return fmt.Sprintf("invalid filesystem type %q", string(f)) }
+
+// FSImplError is returned when the underlying struct of [FilesystemConfig] does not match
+// what [FilesystemConfig.Type] claims to be.
+type FSImplError struct {
+	Type  string
+	Value FilesystemConfig
+}
+
+func (f FSImplError) Error() string {
+	implType := reflect.TypeOf(f.Value)
+	var name string
+	for implType != nil && implType.Kind() == reflect.Ptr {
+		name += "*"
+		implType = implType.Elem()
+	}
+	if implType != nil {
+		name += implType.Name()
+	} else {
+		name += "nil"
+	}
+	return fmt.Sprintf("implementation %s is not %s", name, f.Type)
+}
+
+// FilesystemConfigJSON is the [json] adapter for [FilesystemConfig].
+type FilesystemConfigJSON struct {
+	FilesystemConfig
+}
+
+// Valid returns whether the [FilesystemConfigJSON] is valid.
+func (f *FilesystemConfigJSON) Valid() bool { return f != nil && f.FilesystemConfig != nil }
+
+func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
+	if f == nil || f.FilesystemConfig == nil {
+		return nil, ErrFSNull
+	}
+	var v any
+	t := f.Type()
+	switch t {
+	case FilesystemBind:
+		if ct, ok := f.FilesystemConfig.(*FSBind); !ok {
+			return nil, FSImplError{t, f.FilesystemConfig}
+		} else {
+			v = &struct {
+				Type string `json:"type"`
+				*FSBind
+			}{FilesystemBind, ct}
+		}
+
+	case FilesystemEphemeral:
+		if ct, ok := f.FilesystemConfig.(*FSEphemeral); !ok {
+			return nil, FSImplError{t, f.FilesystemConfig}
+		} else {
+			v = &struct {
+				Type string `json:"type"`
+				*FSEphemeral
+			}{FilesystemEphemeral, ct}
+		}
+
+	default:
+		return nil, FSTypeError(t)
+	}
+
+	return json.Marshal(v)
+}
+
+func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
+	t := new(struct {
+		Type string `json:"type"`
+	})
+	if err := json.Unmarshal(data, &t); err != nil {
+		return err
+	}
+	if t == nil {
+		return ErrFSNull
+	}
+	switch t.Type {
+	case FilesystemBind:
+		*f = FilesystemConfigJSON{new(FSBind)}
+
+	case FilesystemEphemeral:
+		*f = FilesystemConfigJSON{new(FSEphemeral)}
+
+	default:
+		return FSTypeError(t.Type)
+	}
+
+	return json.Unmarshal(data, f.FilesystemConfig)
+}
--- a/hst/fs_test.go
+++ b/hst/fs_test.go
@ -0,0 +1,269 @@
+package hst_test
+
+import (
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFilesystemConfigJSON(t *testing.T) {
+	testCases := []struct {
+		name string
+		want hst.FilesystemConfigJSON
+
+		wantErr     error
+		data, sData string
+	}{
+		{"nil", hst.FilesystemConfigJSON{FilesystemConfig: nil}, hst.ErrFSNull,
+			`null`, `{"fs":null,"magic":3236757504}`},
+
+		{"bad type", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"cat"}},
+			hst.FSTypeError("cat"),
+			`{"type":"cat","meow":true}`, `{"fs":{"type":"cat","meow":true},"magic":3236757504}`},
+
+		{"bad impl bind", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"bind"}},
+			hst.FSImplError{
+				Type:  "bind",
+				Value: stubFS{"bind"},
+			},
+			"\x00", "\x00"},
+
+		{"bad impl ephemeral", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"ephemeral"}},
+			hst.FSImplError{
+				Type:  "ephemeral",
+				Value: stubFS{"ephemeral"},
+			},
+			"\x00", "\x00"},
+
+		{"bind", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSBind{
+				Dst:      m("/etc"),
+				Src:      m("/mnt/etc"),
+				Optional: true,
+			},
+		}, nil,
+			`{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true}`,
+			`{"fs":{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true},"magic":3236757504}`},
+
+		{"ephemeral", hst.FilesystemConfigJSON{
+			FilesystemConfig: &hst.FSEphemeral{
+				Dst:   m("/run/user/65534"),
+				Write: true,
+				Size:  1 << 10,
+				Perm:  0700,
+			},
+		}, nil,
+			`{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448}`,
+			`{"fs":{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448},"magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Run("marshal", func(t *testing.T) {
+				{
+					d, err := json.Marshal(&tc.want)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						goto checkSMarshal
+					}
+					if string(d) != tc.data {
+						t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.data)
+					}
+				}
+
+			checkSMarshal:
+				{
+					d, err := json.Marshal(&sCheck{tc.want, syscall.MS_MGC_VAL})
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						return
+					}
+					if string(d) != tc.sData {
+						t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sData)
+					}
+				}
+			})
+
+			t.Run("unmarshal", func(t *testing.T) {
+				if tc.data == "\x00" && tc.sData == "\x00" {
+					if errors.As(tc.wantErr, new(hst.FSImplError)) {
+						// this error is only returned on marshal
+						return
+					}
+				}
+
+				{
+					var got hst.FilesystemConfigJSON
+					err := json.Unmarshal([]byte(tc.data), &got)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						goto checkSUnmarshal
+					}
+					if !reflect.DeepEqual(&tc.want, &got) {
+						t.Errorf("Unmarshal: %#v, want %#v", &tc.want, &got)
+					}
+				}
+
+			checkSUnmarshal:
+				{
+					var got sCheck
+					err := json.Unmarshal([]byte(tc.sData), &got)
+					if !errors.Is(err, tc.wantErr) {
+						t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+					}
+					if tc.wantErr != nil {
+						return
+					}
+					want := sCheck{tc.want, syscall.MS_MGC_VAL}
+					if !reflect.DeepEqual(&got, &want) {
+						t.Errorf("Unmarshal: %#v, want %#v", &got, &want)
+					}
+				}
+			})
+		})
+	}
+
+	t.Run("valid", func(t *testing.T) {
+		if got := (*hst.FilesystemConfigJSON).Valid(nil); got {
+			t.Errorf("Valid: %v, want false", got)
+		}
+
+		if got := new(hst.FilesystemConfigJSON).Valid(); got {
+			t.Errorf("Valid: %v, want false", got)
+		}
+
+		if got := (&hst.FilesystemConfigJSON{FilesystemConfig: new(hst.FSBind)}).Valid(); !got {
+			t.Errorf("Valid: %v, want true", got)
+		}
+	})
+
+	t.Run("passthrough", func(t *testing.T) {
+		if err := new(hst.FilesystemConfigJSON).UnmarshalJSON(make([]byte, 0)); err == nil {
+			t.Errorf("UnmarshalJSON: error = %v", err)
+		}
+	})
+}
+
+func TestFSErrors(t *testing.T) {
+	t.Run("type", func(t *testing.T) {
+		want := `invalid filesystem type "cat"`
+		if got := hst.FSTypeError("cat").Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("impl", func(t *testing.T) {
+		testCases := []struct {
+			name string
+			val  hst.FilesystemConfig
+			want string
+		}{
+			{"nil", nil, "implementation nil is not cat"},
+			{"stub", stubFS{"cat"}, "implementation stubFS is not cat"},
+			{"*stub", &stubFS{"cat"}, "implementation *stubFS is not cat"},
+			{"(*stub)(nil)", (*stubFS)(nil), "implementation *stubFS is not cat"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				err := hst.FSImplError{Type: "cat", Value: tc.val}
+				if got := err.Error(); got != tc.want {
+					t.Errorf("Error: %q, want %q", got, tc.want)
+				}
+			})
+		}
+	})
+}
+
+type stubFS struct {
+	typeName string
+}
+
+func (s stubFS) Type() string                { return s.typeName }
+func (s stubFS) Target() *container.Absolute { panic("unreachable") }
+func (s stubFS) Host() []*container.Absolute { panic("unreachable") }
+func (s stubFS) Apply(*container.Ops)        { panic("unreachable") }
+func (s stubFS) String() string              { return "<invalid " + s.typeName + ">" }
+
+type sCheck struct {
+	FS    hst.FilesystemConfigJSON `json:"fs"`
+	Magic int                      `json:"magic"`
+}
+
+type fsTestCase struct {
+	name   string
+	fs     hst.FilesystemConfig
+	ops    container.Ops
+	target *container.Absolute
+	host   []*container.Absolute
+	str    string
+}
+
+func checkFs(t *testing.T, fstype string, testCases []fsTestCase) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := tc.fs.Type(); got != fstype {
+				t.Errorf("Type: %q, want %q", got, fstype)
+			}
+
+			t.Run("ops", func(t *testing.T) {
+				ops := new(container.Ops)
+				tc.fs.Apply(ops)
+				if !reflect.DeepEqual(ops, &tc.ops) {
+					gotString := new(strings.Builder)
+					for _, op := range *ops {
+						gotString.WriteString("\n" + op.String())
+					}
+					wantString := new(strings.Builder)
+					for _, op := range tc.ops {
+						wantString.WriteString("\n" + op.String())
+					}
+					t.Errorf("Apply: %s, want %s", gotString, wantString)
+				}
+			})
+
+			t.Run("target", func(t *testing.T) {
+				if got := tc.fs.Target(); !reflect.DeepEqual(got, tc.target) {
+					t.Errorf("Target: %q, want %q", got, tc.target)
+				}
+			})
+
+			t.Run("host", func(t *testing.T) {
+				if got := tc.fs.Host(); !reflect.DeepEqual(got, tc.host) {
+					t.Errorf("Host: %q, want %q", got, tc.host)
+				}
+			})
+
+			t.Run("string", func(t *testing.T) {
+				if tc.str == "\x00" {
+					return
+				}
+
+				if got := tc.fs.String(); got != tc.str {
+					t.Errorf("String: %q, want %q", got, tc.str)
+				}
+			})
+		})
+	}
+}
+
+func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
+func ms(pathnames ...string) []*container.Absolute {
+	as := make([]*container.Absolute, len(pathnames))
+	for i, pathname := range pathnames {
+		as[i] = container.MustAbs(pathname)
+	}
+	return as
+}
--- a/hst/fsbind.go
+++ b/hst/fsbind.go
@ -0,0 +1,102 @@
+package hst
+
+import (
+	"encoding/gob"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSBind)) }
+
+// FilesystemBind is the [FilesystemConfig.Type] name of a bind mount point.
+const FilesystemBind = "bind"
+
+// FSBind represents a host to container bind mount.
+type FSBind struct {
+	// mount point in container, same as src if empty
+	Dst *container.Absolute `json:"dst,omitempty"`
+	// host filesystem path to make available to the container
+	Src *container.Absolute `json:"src"`
+	// do not mount filesystem read-only
+	Write bool `json:"write,omitempty"`
+	// do not disable device files, implies Write
+	Device bool `json:"dev,omitempty"`
+	// skip this mount point if the host path does not exist
+	Optional bool `json:"optional,omitempty"`
+}
+
+func (b *FSBind) Type() string { return FilesystemBind }
+
+func (b *FSBind) Target() *container.Absolute {
+	if b == nil || b.Src == nil {
+		return nil
+	}
+	if b.Dst == nil {
+		return b.Src
+	}
+	return b.Dst
+}
+
+func (b *FSBind) Host() []*container.Absolute {
+	if b == nil || b.Src == nil {
+		return nil
+	}
+	return []*container.Absolute{b.Src}
+}
+
+func (b *FSBind) Apply(ops *container.Ops) {
+	if b == nil || b.Src == nil {
+		return
+	}
+
+	dst := b.Dst
+	if dst == nil {
+		dst = b.Src
+	}
+	var flags int
+	if b.Write {
+		flags |= container.BindWritable
+	}
+	if b.Device {
+		flags |= container.BindDevice | container.BindWritable
+	}
+	if b.Optional {
+		flags |= container.BindOptional
+	}
+	ops.Bind(b.Src, dst, flags)
+}
+
+func (b *FSBind) String() string {
+	g := 4
+	if b == nil || b.Src == nil {
+		return "<invalid>"
+	}
+
+	g += len(b.Src.String())
+	if b.Dst != nil {
+		g += len(b.Dst.String())
+	}
+
+	expr := new(strings.Builder)
+	expr.Grow(g)
+
+	if b.Device {
+		expr.WriteString("d")
+	} else if b.Write {
+		expr.WriteString("w")
+	}
+
+	if !b.Optional {
+		expr.WriteString("*")
+	} else {
+		expr.WriteString("+")
+	}
+
+	expr.WriteString(b.Src.String())
+	if b.Dst != nil {
+		expr.WriteString(":" + b.Dst.String())
+	}
+
+	return expr.String()
+}
--- a/hst/fsbind_test.go
+++ b/hst/fsbind_test.go
@ -0,0 +1,66 @@
+package hst_test
+
+import (
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSBind(t *testing.T) {
+	checkFs(t, "bind", []fsTestCase{
+		{"nil", (*hst.FSBind)(nil), nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSBind{
+			Dst:      m("/dev"),
+			Src:      m("/mnt/dev"),
+			Optional: true,
+			Device:   true,
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/dev"),
+			Target: m("/dev"),
+			Flags:  container.BindWritable | container.BindDevice | container.BindOptional,
+		}}, m("/dev"), ms("/mnt/dev"),
+			"d+/mnt/dev:/dev"},
+
+		{"full write dev", &hst.FSBind{
+			Dst:    m("/dev"),
+			Src:    m("/mnt/dev"),
+			Write:  true,
+			Device: true,
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/dev"),
+			Target: m("/dev"),
+			Flags:  container.BindWritable | container.BindDevice,
+		}}, m("/dev"), ms("/mnt/dev"),
+			"d*/mnt/dev:/dev"},
+
+		{"full write", &hst.FSBind{
+			Dst:   m("/tmp"),
+			Src:   m("/mnt/tmp"),
+			Write: true,
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/tmp"),
+			Target: m("/tmp"),
+			Flags:  container.BindWritable,
+		}}, m("/tmp"), ms("/mnt/tmp"),
+			"w*/mnt/tmp:/tmp"},
+
+		{"full no flags", &hst.FSBind{
+			Dst: m("/etc"),
+			Src: m("/mnt/etc"),
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/mnt/etc"),
+			Target: m("/etc"),
+		}}, m("/etc"), ms("/mnt/etc"),
+			"*/mnt/etc:/etc"},
+
+		{"nil dst", &hst.FSBind{
+			Src: m("/"),
+		}, container.Ops{&container.BindMountOp{
+			Source: m("/"),
+			Target: m("/"),
+		}}, m("/"), ms("/"),
+			"*/"},
+	})
+}
--- a/hst/fsephemeral.go
+++ b/hst/fsephemeral.go
@ -0,0 +1,83 @@
+package hst
+
+import (
+	"encoding/gob"
+	"os"
+	"strings"
+
+	"hakurei.app/container"
+)
+
+func init() { gob.Register(new(FSEphemeral)) }
+
+// FilesystemEphemeral is the [FilesystemConfig.Type] name of a mount point with ephemeral state.
+const FilesystemEphemeral = "ephemeral"
+
+// FSEphemeral represents an ephemeral container mount point.
+type FSEphemeral struct {
+	// mount point in container
+	Dst *container.Absolute `json:"dst,omitempty"`
+	// do not mount filesystem read-only
+	Write bool `json:"write,omitempty"`
+	// upper limit on the size of the filesystem
+	Size int `json:"size,omitempty"`
+	// initial permission bits of the new filesystem
+	Perm os.FileMode `json:"perm,omitempty"`
+}
+
+func (e *FSEphemeral) Type() string { return FilesystemEphemeral }
+
+func (e *FSEphemeral) Target() *container.Absolute {
+	if e == nil {
+		return nil
+	}
+	return e.Dst
+}
+
+func (e *FSEphemeral) Host() []*container.Absolute { return nil }
+
+const fsEphemeralDefaultPerm = os.FileMode(0755)
+
+func (e *FSEphemeral) Apply(ops *container.Ops) {
+	if e == nil || e.Dst == nil {
+		return
+	}
+
+	size := e.Size
+	if size < 0 {
+		size = 0
+	}
+
+	perm := e.Perm
+	if perm == 0 {
+		perm = fsEphemeralDefaultPerm
+	}
+
+	if e.Write {
+		ops.Tmpfs(e.Dst, size, perm)
+	} else {
+		ops.Readonly(e.Dst, perm)
+	}
+}
+
+func (e *FSEphemeral) String() string {
+	if e == nil || e.Dst == nil {
+		return "<invalid>"
+	}
+
+	expr := new(strings.Builder)
+	expr.Grow(15 + len(FilesystemEphemeral) + len(e.Dst.String()))
+
+	if e.Write {
+		expr.WriteString("w")
+	}
+	expr.WriteString("+" + FilesystemEphemeral + "(")
+	if e.Perm != 0 {
+		expr.WriteString(e.Perm.String())
+	} else {
+		expr.WriteString(fsEphemeralDefaultPerm.String())
+	}
+	expr.WriteString("):" + e.Dst.String())
+
+	return expr.String()
+}
--- a/hst/fsephemeral_test.go
+++ b/hst/fsephemeral_test.go
@ -0,0 +1,50 @@
+package hst_test
+
+import (
+	"syscall"
+	"testing"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+)
+
+func TestFSEphemeral(t *testing.T) {
+	checkFs(t, "ephemeral", []fsTestCase{
+		{"nil", (*hst.FSEphemeral)(nil), nil, nil, nil, "<invalid>"},
+
+		{"full", &hst.FSEphemeral{
+			Dst:   m("/run/user/65534"),
+			Write: true,
+			Size:  1 << 10,
+			Perm:  0700,
+		}, container.Ops{&container.MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   m("/run/user/65534"),
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Size:   1 << 10,
+			Perm:   0700,
+		}}, m("/run/user/65534"), nil,
+			"w+ephemeral(-rwx------):/run/user/65534"},
+
+		{"cover ro", &hst.FSEphemeral{Dst: m("/run/nscd")},
+			container.Ops{&container.MountTmpfsOp{
+				FSName: "readonly",
+				Path:   m("/run/nscd"),
+				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
+				Perm:   0755,
+			}}, m("/run/nscd"), nil,
+			"+ephemeral(-rwxr-xr-x):/run/nscd"},
+
+		{"negative size", &hst.FSEphemeral{
+			Dst:   hst.AbsTmp,
+			Write: true,
+			Size:  -1,
+		}, container.Ops{&container.MountTmpfsOp{
+			FSName: "ephemeral",
+			Path:   hst.AbsTmp,
+			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
+			Perm:   0755,
+		}}, hst.AbsTmp, nil,
+			"w+ephemeral(-rwxr-xr-x):/.hakurei"},
+	})
+}
--- a/hst/paths.go
+++ b/hst/paths.go
@ -1,11 +1,15 @@
 package hst

+import "hakurei.app/container"
+
 // Paths contains environment-dependent paths used by hakurei.
 type Paths struct {
+	// temporary directory returned by [os.TempDir] (usually `/tmp`)
+	TempDir *container.Absolute `json:"temp_dir"`
 	// path to shared directory (usually `/tmp/hakurei.%d`)
-	SharePath string `json:"share_path"`
+	SharePath *container.Absolute `json:"share_path"`
 	// XDG_RUNTIME_DIR value (usually `/run/user/%d`)
-	RuntimePath string `json:"runtime_path"`
+	RuntimePath *container.Absolute `json:"runtime_path"`
 	// application runtime directory (usually `/run/user/%d/hakurei`)
-	RunDirPath string `json:"run_dir_path"`
+	RunDirPath *container.Absolute `json:"run_dir_path"`
 }
--- a/hst/template.go
+++ b/hst/template.go
@ -12,7 +12,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",

-		Path: "/run/current-system/sw/bin/chromium",
+		Path: container.AbsFHSRun.Append("current-system/sw/bin/chromium"),
 		Args: []string{
 			"chromium",
 			"--ignore-gpu-blocklist",
@ -46,12 +46,12 @@ func Template() *Config {
 		DirectWayland: false,

 		Username: "chronos",
-		Shell:    "/run/current-system/sw/bin/zsh",
-		Data:     "/var/lib/hakurei/u0/org.chromium.Chromium",
-		Dir:      "/data/data/org.chromium.Chromium",
+		Shell:    container.AbsFHSRun.Append("current-system/sw/bin/zsh"),
+		Data:     container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
+		Dir:      container.MustAbs("/data/data/org.chromium.Chromium"),
 		ExtraPerms: []*ExtraPermConfig{
-			{Path: "/var/lib/hakurei/u0", Ensure: true, Execute: true},
-			{Path: "/var/lib/hakurei/u0/org.chromium.Chromium", Read: true, Write: true, Execute: true},
+			{Path: container.AbsFHSVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},
+			{Path: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), Read: true, Write: true, Execute: true},
 		},

 		Identity: 9,
@ -77,21 +77,20 @@ func Template() *Config {
 				"GOOGLE_DEFAULT_CLIENT_ID":     "77185425430.apps.googleusercontent.com",
 				"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
 			},
-			Filesystem: []*FilesystemConfig{
-				{Src: "/nix/store"},
-				{Src: "/run/current-system"},
-				{Src: "/run/opengl-driver"},
-				{Src: "/var/db/nix-channels"},
-				{Src: "/var/lib/hakurei/u0/org.chromium.Chromium",
-					Dst: "/data/data/org.chromium.Chromium", Write: true, Must: true},
-				{Src: "/dev/dri", Device: true},
+			Filesystem: []FilesystemConfigJSON{
+				{&FSEphemeral{Dst: container.AbsFHSTmp, Write: true, Perm: 0755}},
+				{&FSBind{Src: container.MustAbs("/nix/store")}},
+				{&FSBind{Src: container.AbsFHSRun.Append("current-system")}},
+				{&FSBind{Src: container.AbsFHSRun.Append("opengl-driver")}},
+				{&FSBind{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
+					Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
+				{&FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
 			},
-			Link:      [][2]string{{"/run/user/65534", "/run/user/150"}},
-			AutoRoot:  "/var/lib/hakurei/base/org.debian",
+			Link:      []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
+			AutoRoot:  container.AbsFHSVarLib.Append("hakurei/base/org.debian"),
 			RootFlags: container.BindWritable,
-			Etc:       "/etc",
+			Etc:       container.AbsFHSEtc,
 			AutoEtc:   true,
-			Cover:     []string{"/var/run/nscd"},
 		},
 	}
 }
--- a/hst/template_test.go
+++ b/hst/template_test.go
@ -98,41 +98,46 @@ func TestTemplate(t *testing.T) {
 		"device": true,
 		"filesystem": [
 			{
+				"type": "ephemeral",
+				"dst": "/tmp/",
+				"write": true,
+				"perm": 493
+			},
+			{
+				"type": "bind",
 				"src": "/nix/store"
 			},
 			{
+				"type": "bind",
 				"src": "/run/current-system"
 			},
 			{
+				"type": "bind",
 				"src": "/run/opengl-driver"
 			},
 			{
-				"src": "/var/db/nix-channels"
-			},
-			{
+				"type": "bind",
 				"dst": "/data/data/org.chromium.Chromium",
 				"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
-				"write": true,
-				"require": true
+				"write": true
 			},
 			{
+				"type": "bind",
 				"src": "/dev/dri",
-				"dev": true
+				"dev": true,
+				"optional": true
 			}
 		],
 		"symlink": [
-			[
-				"/run/user/65534",
-				"/run/user/150"
-			]
+			{
+				"target": "/run/user/65534",
+				"linkname": "/run/user/150"
+			}
 		],
 		"auto_root": "/var/lib/hakurei/base/org.debian",
 		"root_flags": 2,
-		"etc": "/etc",
-		"auto_etc": true,
-		"cover": [
-			"/var/run/nscd"
-		]
+		"etc": "/etc/",
+		"auto_etc": true
 	}
 }`

--- a/internal/app/app_linux.go
+++ b/internal/app/app_linux.go
@ -7,7 +7,6 @@ import (

 	"hakurei.app/hst"
 	"hakurei.app/internal/app/state"
-	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 )

@ -59,10 +58,6 @@ func (a *app) Seal(config *hst.Config) (SealedApp, error) {
 	if a.outcome != nil {
 		panic("app sealed twice")
 	}
-	if config == nil {
-		return nil, hlog.WrapErr(ErrConfig,
-			"attempted to seal app with nil config")
-	}

 	seal := new(outcome)
 	seal.id = a.id
--- a/internal/app/app_linux_test.go
+++ b/internal/app/app_linux_test.go
@ -11,6 +11,7 @@ import (
 	"hakurei.app/hst"
 	"hakurei.app/internal/app"
 	"hakurei.app/internal/app/state"
+	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system"
 )
@ -36,6 +37,7 @@ func TestApp(t *testing.T) {
 			)
 			if !t.Run("seal", func(t *testing.T) {
 				if sa, err := a.Seal(tc.config); err != nil {
+					hlog.PrintBaseError(err, "got generic error:")
 					t.Errorf("Seal: error = %v", err)
 					return
 				} else {
--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@ -12,23 +12,35 @@ import (
 	"hakurei.app/system/dbus"
 )

+func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
+func f(c hst.FilesystemConfig) hst.FilesystemConfigJSON {
+	return hst.FilesystemConfigJSON{FilesystemConfig: c}
+}
+
 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
 		&hst.Config{
 			ID:          "org.chromium.Chromium",
-			Path:        "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Path:        m("/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"),
 			Enablements: system.EWayland | system.EDBus | system.EPulse,
+			Shell:       m("/run/current-system/sw/bin/zsh"),

 			Container: &hst.ContainerConfig{
 				Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
-				Filesystem: []*hst.FilesystemConfig{
-					{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
-					{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
-					{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
-					{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
+				Filesystem: []hst.FilesystemConfigJSON{
+					f(&hst.FSBind{Src: m("/bin")}),
+					f(&hst.FSBind{Src: m("/usr/bin/")}),
+					f(&hst.FSBind{Src: m("/nix/store")}),
+					f(&hst.FSBind{Src: m("/run/current-system")}),
+					f(&hst.FSBind{Src: m("/sys/block"), Optional: true}),
+					f(&hst.FSBind{Src: m("/sys/bus"), Optional: true}),
+					f(&hst.FSBind{Src: m("/sys/class"), Optional: true}),
+					f(&hst.FSBind{Src: m("/sys/dev"), Optional: true}),
+					f(&hst.FSBind{Src: m("/sys/devices"), Optional: true}),
+					f(&hst.FSBind{Src: m("/run/opengl-driver")}),
+					f(&hst.FSBind{Src: m("/dev/dri"), Device: true, Optional: true}),
 				},
-				Cover: []string{"/var/run/nscd"},
 			},
 			SystemBus: &dbus.Config{
 				Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
@ -51,7 +63,7 @@ var testCasesNixos = []sealTestCase{
 			DirectWayland: true,

 			Username: "u0_a1",
-			Data:     "/var/lib/persist/module/hakurei/0/1",
+			Data:     m("/var/lib/persist/module/hakurei/0/1"),
 			Identity: 1, Groups: []string{},
 		},
 		state.ID{
@ -99,8 +111,8 @@ var testCasesNixos = []sealTestCase{
 		&container.Params{
 			Uid:  1971,
 			Gid:  100,
-			Dir:  "/var/lib/persist/module/hakurei/0/1",
-			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
+			Dir:  m("/var/lib/persist/module/hakurei/0/1"),
+			Path: m("/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"),
 			Args: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
@ -117,34 +129,34 @@ var testCasesNixos = []sealTestCase{
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", 0).
-				Bind("/usr/bin", "/usr/bin", 0).
-				Bind("/nix/store", "/nix/store", 0).
-				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", container.BindOptional).
-				Bind("/sys/bus", "/sys/bus", container.BindOptional).
-				Bind("/sys/class", "/sys/class", container.BindOptional).
-				Bind("/sys/dev", "/sys/dev", container.BindOptional).
-				Bind("/sys/devices", "/sys/devices", container.BindOptional).
-				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional).
-				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable).
-				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", container.BindWritable).
-				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:100:\n")).
-				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
-				Bind("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
-				Place(hst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
-				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Tmpfs("/var/run/nscd", 8192, 0755).
-				Remount("/", syscall.MS_RDONLY),
+				Proc(m("/proc/")).
+				Tmpfs(hst.AbsTmp, 4096, 0755).
+				DevWritable(m("/dev/"), true).
+				Bind(m("/bin"), m("/bin"), 0).
+				Bind(m("/usr/bin/"), m("/usr/bin/"), 0).
+				Bind(m("/nix/store"), m("/nix/store"), 0).
+				Bind(m("/run/current-system"), m("/run/current-system"), 0).
+				Bind(m("/sys/block"), m("/sys/block"), container.BindOptional).
+				Bind(m("/sys/bus"), m("/sys/bus"), container.BindOptional).
+				Bind(m("/sys/class"), m("/sys/class"), container.BindOptional).
+				Bind(m("/sys/dev"), m("/sys/dev"), container.BindOptional).
+				Bind(m("/sys/devices"), m("/sys/devices"), container.BindOptional).
+				Bind(m("/run/opengl-driver"), m("/run/opengl-driver"), 0).
+				Bind(m("/dev/dri"), m("/dev/dri"), container.BindDevice|container.BindWritable|container.BindOptional).
+				Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1").
+				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/run/user/"), 4096, 0755).
+				Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable).
+				Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable).
+				Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable).
+				Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
+				Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
+				Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
+				Bind(m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Place(m(hst.Tmp+"/pulse-cookie"), nil).
+				Bind(m("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
+				Bind(m("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/run/dbus/system_bus_socket"), 0).
+				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			ForwardCancel:  true,
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@ -16,7 +16,7 @@ import (
 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
-		&hst.Config{Username: "chronos", Data: "/home/chronos"},
+		&hst.Config{Username: "chronos", Data: m("/home/chronos")},
 		state.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
@ -30,8 +30,8 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 		&container.Params{
-			Dir:  "/home/chronos",
-			Path: "/run/current-system/sw/bin/zsh",
+			Dir:  m("/home/chronos"),
+			Path: m("/run/current-system/sw/bin/zsh"),
 			Args: []string{"/run/current-system/sw/bin/zsh"},
 			Env: []string{
 				"HOME=/home/chronos",
@ -43,22 +43,23 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
-				Root("/", "4a450b6596d7bc15bd01780eb9a607ac", container.BindWritable).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
-				Readonly("/var/run/nscd", 0755).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
-				Bind("/home/chronos", "/home/chronos", container.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")).
-				Remount("/", syscall.MS_RDONLY),
+				Root(m("/"), "4a450b6596d7bc15bd01780eb9a607ac", container.BindWritable).
+				Proc(m("/proc/")).
+				Tmpfs(hst.AbsTmp, 4096, 0755).
+				DevWritable(m("/dev/"), true).
+				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
+				Readonly(m("/var/run/nscd"), 0755).
+				Tmpfs(m("/run/user/1971"), 8192, 0755).
+				Tmpfs(m("/run/dbus"), 8192, 0755).
+				Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
+				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/run/user/"), 4096, 0755).
+				Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
+				Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable).
+				Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable).
+				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
+				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
@ -73,7 +74,7 @@ var testCasesPd = []sealTestCase{
 			Identity: 9,
 			Groups:   []string{"video"},
 			Username: "chronos",
-			Data:     "/home/chronos",
+			Data:     m("/home/chronos"),
 			SessionBus: &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@ -159,8 +160,8 @@ var testCasesPd = []sealTestCase{
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
 		&container.Params{
-			Dir:  "/home/chronos",
-			Path: "/run/current-system/sw/bin/zsh",
+			Dir:  m("/home/chronos"),
+			Path: m("/run/current-system/sw/bin/zsh"),
 			Args: []string{"zsh", "-c", "exec chromium "},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
@ -177,28 +178,29 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
-				Root("/", "ebf083d1b175911782d413369b64ce7c", container.BindWritable).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
-				Readonly("/var/run/nscd", 0755).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable).
-				Bind("/home/chronos", "/home/chronos", container.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
-				Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
-				Place(hst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Remount("/", syscall.MS_RDONLY),
+				Root(m("/"), "ebf083d1b175911782d413369b64ce7c", container.BindWritable).
+				Proc(m("/proc/")).
+				Tmpfs(hst.AbsTmp, 4096, 0755).
+				DevWritable(m("/dev/"), true).
+				Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional).
+				Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
+				Readonly(m("/var/run/nscd"), 0755).
+				Tmpfs(m("/run/user/1971"), 8192, 0755).
+				Tmpfs(m("/run/dbus"), 8192, 0755).
+				Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
+				Remount(m("/dev/"), syscall.MS_RDONLY).
+				Tmpfs(m("/run/user/"), 4096, 0755).
+				Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
+				Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable).
+				Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable).
+				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
+				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
+				Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
+				Bind(m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse"), m("/run/user/65534/pulse/native"), 0).
+				Place(m(hst.Tmp+"/pulse-cookie"), nil).
+				Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
+				Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/run/dbus/system_bus_socket"), 0).
+				Remount(m("/"), syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
--- a/internal/app/app_stub_linux_test.go
+++ b/internal/app/app_stub_linux_test.go
@ -127,8 +127,8 @@ func (s *stubNixOS) Open(name string) (fs.File, error) {

 func (s *stubNixOS) Paths() hst.Paths {
 	return hst.Paths{
-		SharePath:   "/tmp/hakurei.1971",
-		RuntimePath: "/run/user/1971",
-		RunDirPath:  "/run/user/1971/hakurei",
+		SharePath:   m("/tmp/hakurei.1971"),
+		RuntimePath: m("/run/user/1971"),
+		RunDirPath:  m("/run/user/1971/hakurei"),
 	}
 }
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@ -6,12 +6,12 @@ import (
 	"io/fs"
 	"maps"
 	"path"
-	"slices"
 	"syscall"

 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
+	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system/dbus"
 )
@ -24,7 +24,7 @@ const preallocateOpsCount = 1 << 5
 // Note that remaining container setup must be queued by the caller.
 func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid *int) (*container.Params, map[string]string, error) {
 	if s == nil {
-		return nil, nil, syscall.EBADE
+		return nil, nil, hlog.WrapErr(syscall.EBADE, "invalid container configuration")
 	}

 	params := &container.Params{
@ -40,7 +40,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	}

 	{
-		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link))
 		params.Ops = &ops
 	}

@ -73,21 +73,18 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 		*gid = container.OverflowGid()
 	}

-	if s.AutoRoot != "" {
-		if !path.IsAbs(s.AutoRoot) {
-			return nil, nil, fmt.Errorf("auto root target %q not absolute", s.AutoRoot)
-		}
+	if s.AutoRoot != nil {
 		params.Root(s.AutoRoot, prefix, s.RootFlags)
 	}

 	params.
-		Proc("/proc").
-		Tmpfs(hst.Tmp, 1<<12, 0755)
+		Proc(container.AbsFHSProc).
+		Tmpfs(hst.AbsTmp, 1<<12, 0755)

 	if !s.Device {
-		params.Dev("/dev").Mqueue("/dev/mqueue")
+		params.DevWritable(container.AbsFHSDev, true)
 	} else {
-		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
+		params.Bind(container.AbsFHSDev, container.AbsFHSDev, container.BindWritable|container.BindDevice)
 	}

 	/* retrieve paths and hide them if they're made available in the sandbox;
@ -96,7 +93,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	and should not be treated as such, ALWAYS be careful with what you bind */
 	var hidePaths []string
 	sc := os.Paths()
-	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
+	hidePaths = append(hidePaths, sc.RuntimePath.String(), sc.SharePath.String())
 	_, systemBusAddr := dbus.Address()
 	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
 		return nil, nil, err
@ -111,7 +108,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 					if path.IsAbs(pair[1]) {
 						// get parent dir of socket
 						dir := path.Dir(pair[1])
-						if dir == "." || dir == "/" {
+						if dir == "." || dir == container.FHSRoot {
 							os.Printf("dbus socket %q is in an unusual location", pair[1])
 						}
 						hidePaths = append(hidePaths, dir)
@ -128,79 +125,63 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 			return nil, nil, err
 		}
 	}
-	// evaluated path, input path
-	hidePathSource := make([][2]string, 0, len(s.Filesystem))
+
+	var hidePathSourceCount int
+	for i, c := range s.Filesystem {
+		if !c.Valid() {
+			return nil, nil, fmt.Errorf("invalid filesystem at index %d", i)
+		}
+		c.Apply(params.Ops)
+
+		// fs counter
+		hidePathSourceCount += len(c.Host())
+	}

 	// AutoRoot is a collection of many BindMountOp internally
-	if s.AutoRoot != "" {
-		if d, err := os.ReadDir(s.AutoRoot); err != nil {
+	var autoRootEntries []fs.DirEntry
+	if s.AutoRoot != nil {
+		if d, err := os.ReadDir(s.AutoRoot.String()); err != nil {
 			return nil, nil, err
 		} else {
-			hidePathSource = slices.Grow(hidePathSource, len(d))
-			for _, ent := range d {
-				name := ent.Name()
-				if container.IsAutoRootBindable(name) {
-					name = path.Join(s.AutoRoot, name)
-					srcP := [2]string{name, name}
-					if err = evalSymlinks(os, &srcP[0]); err != nil {
-						return nil, nil, err
-					}
-					hidePathSource = append(hidePathSource, srcP)
-				}
+			// autoroot counter
+			hidePathSourceCount += len(d)
+			autoRootEntries = d
+		}
+	}
+
+	hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount)
+
+	// fs append
+	for _, c := range s.Filesystem {
+		// all entries already checked above
+		hidePathSource = append(hidePathSource, c.Host()...)
+	}
+
+	// autoroot append
+	if s.AutoRoot != nil {
+		for _, ent := range autoRootEntries {
+			name := ent.Name()
+			if container.IsAutoRootBindable(name) {
+				hidePathSource = append(hidePathSource, s.AutoRoot.Append(name))
 			}
 		}
 	}

-	for _, c := range s.Filesystem {
-		if c == nil {
-			continue
+	// evaluated path, input path
+	hidePathSourceEval := make([][2]string, len(hidePathSource))
+	for i, a := range hidePathSource {
+		if a == nil {
+			// unreachable
+			return nil, nil, syscall.ENOTRECOVERABLE
 		}

-		// special filesystems
-		switch c.Src {
-		case hst.SourceTmpfs:
-			if !path.IsAbs(c.Dst) {
-				return nil, nil, fmt.Errorf("tmpfs dst %q is not absolute", c.Dst)
-			}
-			if c.Write {
-				params.Tmpfs(c.Dst, hst.TmpfsSize, hst.TmpfsPerm)
-			} else {
-				params.Readonly(c.Dst, hst.TmpfsPerm)
-			}
-			continue
-		}
-
-		if !path.IsAbs(c.Src) {
-			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
-		}
-
-		dest := c.Dst
-		if c.Dst == "" {
-			dest = c.Src
-		} else if !path.IsAbs(dest) {
-			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
-		}
-
-		p := [2]string{c.Src, c.Src}
-		if err := evalSymlinks(os, &p[0]); err != nil {
+		hidePathSourceEval[i] = [2]string{a.String(), a.String()}
+		if err := evalSymlinks(os, &hidePathSourceEval[i][0]); err != nil {
 			return nil, nil, err
 		}
-		hidePathSource = append(hidePathSource, p)
-
-		var flags int
-		if c.Write {
-			flags |= container.BindWritable
-		}
-		if c.Device {
-			flags |= container.BindDevice | container.BindWritable
-		}
-		if !c.Must {
-			flags |= container.BindOptional
-		}
-		params.Bind(c.Src, dest, flags)
 	}

-	for _, p := range hidePathSource {
+	for _, p := range hidePathSourceEval {
 		for i := range hidePaths {
 			// skip matched entries
 			if hidePathMatch[i] {
@ -219,24 +200,49 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	// cover matched paths
 	for i, ok := range hidePathMatch {
 		if ok {
-			params.Tmpfs(hidePaths[i], 1<<13, 0755)
+			if a, err := container.NewAbs(hidePaths[i]); err != nil {
+				var absoluteError *container.AbsoluteError
+				if !errors.As(err, &absoluteError) {
+					return nil, nil, err
+				}
+				if absoluteError == nil {
+					return nil, nil, syscall.ENOTRECOVERABLE
+				}
+				return nil, nil, fmt.Errorf("invalid path hiding candidate %q", absoluteError.Pathname)
+			} else {
+				params.Tmpfs(a, 1<<13, 0755)
+			}
 		}
 	}

-	for _, l := range s.Link {
-		params.Link(l[0], l[1])
+	for i, l := range s.Link {
+		if l.Target == nil || l.Linkname == "" {
+			return nil, nil, fmt.Errorf("invalid link at index %d", i)
+		}
+		linkname := l.Linkname
+		var dereference bool
+		if linkname[0] == '*' && path.IsAbs(linkname[1:]) {
+			linkname = linkname[1:]
+			dereference = true
+		}
+		params.Link(l.Target, linkname, dereference)
 	}

 	if !s.AutoEtc {
-		if s.Etc != "" {
-			params.Bind(s.Etc, "/etc", 0)
+		if s.Etc != nil {
+			params.Bind(s.Etc, container.AbsFHSEtc, 0)
 		}
 	} else {
-		etcPath := s.Etc
-		if etcPath == "" {
-			etcPath = "/etc"
+		if s.Etc == nil {
+			params.Etc(container.AbsFHSEtc, prefix)
+		} else {
+			params.Etc(s.Etc, prefix)
 		}
-		params.Etc(etcPath, prefix)
+	}
+
+	// no more ContainerConfig paths beyond this point
+	if !s.Device {
+		params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
 	}

 	return params, maps.Clone(s.Env), nil
--- a/internal/app/process_linux.go
+++ b/internal/app/process_linux.go
@ -39,7 +39,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	if err := seal.sys.Commit(seal.ctx); err != nil {
 		return err
 	}
-	store := state.NewMulti(seal.runDirPath)
+	store := state.NewMulti(seal.runDirPath.String())
 	deferredStoreFunc := func(c state.Cursor) error { return nil } // noop until state in store
 	defer func() {
 		var revertErr error
@ -88,7 +88,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	defer cancel()
 	cmd := exec.CommandContext(ctx, hsuPath)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Dir = "/" // container init enters final working directory
+	cmd.Dir = container.FHSRoot // container init enters final working directory
 	// shim runs in the same session as monitor; see shim.go for behaviour
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }

@ -128,7 +128,7 @@ func (seal *outcome) Run(rs *RunState) error {
 			os.Getpid(),
 			seal.waitDelay,
 			seal.container,
-			seal.user.data,
+			seal.user.data.String(),
 			hlog.Load(),
 		})
 	}()
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@ -49,10 +49,8 @@ const (
 )

 var (
-	ErrConfig = errors.New("no configuration to seal")
-	ErrUser   = errors.New("invalid aid")
-	ErrHome   = errors.New("invalid home directory")
-	ErrName   = errors.New("invalid username")
+	ErrIdent = errors.New("invalid identity")
+	ErrName  = errors.New("invalid username")

 	ErrXDisplay = errors.New(display + " unset")

@ -67,8 +65,8 @@ var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z
 type outcome struct {
 	// copied from initialising [app]
 	id *stringPair[state.ID]
-	// copied from [sys.State] response
-	runDirPath string
+	// copied from [sys.State]
+	runDirPath *container.Absolute

 	// initial [hst.Config] gob stream for state data;
 	// this is prepared ahead of time as config is clobbered during seal creation
@ -93,9 +91,9 @@ type shareHost struct {
 	// whether XDG_RUNTIME_DIR is used post hsu
 	useRuntimeDir bool
 	// process-specific directory in tmpdir, empty if unused
-	sharePath string
+	sharePath *container.Absolute
 	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
-	runtimeSharePath string
+	runtimeSharePath *container.Absolute

 	seal *outcome
 	sc   hst.Paths
@ -107,48 +105,48 @@ func (share *shareHost) ensureRuntimeDir() {
 		return
 	}
 	share.useRuntimeDir = true
-	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
-	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
-	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
-	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
+	share.seal.sys.Ensure(share.sc.RunDirPath.String(), 0700)
+	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath.String(), acl.Execute)
+	share.seal.sys.Ensure(share.sc.RuntimePath.String(), 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
+	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath.String(), acl.Execute)
 }

 // instance returns a process-specific share path within tmpdir
-func (share *shareHost) instance() string {
-	if share.sharePath != "" {
+func (share *shareHost) instance() *container.Absolute {
+	if share.sharePath != nil {
 		return share.sharePath
 	}
-	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
+	share.sharePath = share.sc.SharePath.Append(share.seal.id.String())
+	share.seal.sys.Ephemeral(system.Process, share.sharePath.String(), 0711)
 	return share.sharePath
 }

 // runtime returns a process-specific share path within XDG_RUNTIME_DIR
-func (share *shareHost) runtime() string {
-	if share.runtimeSharePath != "" {
+func (share *shareHost) runtime() *container.Absolute {
+	if share.runtimeSharePath != nil {
 		return share.runtimeSharePath
 	}
 	share.ensureRuntimeDir()
-	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
-	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
+	share.runtimeSharePath = share.sc.RunDirPath.Append(share.seal.id.String())
+	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath.String(), 0700)
+	share.seal.sys.UpdatePerm(share.runtimeSharePath.String(), acl.Execute)
 	return share.runtimeSharePath
 }

 // hsuUser stores post-hsu credentials and metadata
 type hsuUser struct {
-	// application id
+	// identity
 	aid *stringPair[int]
-	// target uid resolved by fid:aid
+	// target uid resolved by hid:aid
 	uid *stringPair[int]

 	// supplementary group ids
 	supp []string

 	// home directory host path
-	data string
+	data *container.Absolute
 	// app user home directory
-	home string
+	home *container.Absolute
 	// passwd database username
 	username string
 }
@ -159,6 +157,13 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 	}
 	seal.ctx = ctx

+	if config == nil {
+		return hlog.WrapErr(syscall.EINVAL, syscall.EINVAL.Error())
+	}
+	if config.Data == nil {
+		return hlog.WrapErr(os.ErrInvalid, "invalid data directory")
+	}
+
 	{
 		// encode initial configuration for state tracking
 		ct := new(bytes.Buffer)
@ -171,7 +176,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co

 	// allowed aid range 0 to 9999, this is checked again in hsu
 	if config.Identity < 0 || config.Identity > 9999 {
-		return hlog.WrapErr(ErrUser,
+		return hlog.WrapErr(ErrIdent,
 			fmt.Sprintf("identity %d out of range", config.Identity))
 	}

@ -188,11 +193,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		return hlog.WrapErr(ErrName,
 			fmt.Sprintf("invalid user name %q", seal.user.username))
 	}
-	if seal.user.data == "" || !path.IsAbs(seal.user.data) {
-		return hlog.WrapErr(ErrHome,
-			fmt.Sprintf("invalid home directory %q", seal.user.data))
-	}
-	if seal.user.home == "" {
+	if seal.user.home == nil {
 		seal.user.home = seal.user.data
 	}
 	if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil {
@ -210,26 +211,25 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}
 	}

-	// this also falls back to host path if encountering an invalid path
-	if !path.IsAbs(config.Shell) {
-		config.Shell = "/bin/sh"
-		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
-			config.Shell = s
-		}
-	}
-	// do not use the value of shell before this point
-
 	// permissive defaults
 	if config.Container == nil {
 		hlog.Verbose("container configuration not supplied, PROCEED WITH CAUTION")

+		if config.Shell == nil {
+			config.Shell = container.AbsFHSRoot.Append("bin", "sh")
+			s, _ := sys.LookupEnv(shell)
+			if a, err := container.NewAbs(s); err == nil {
+				config.Shell = a
+			}
+		}
+
 		// hsu clears the environment so resolve paths early
-		if !path.IsAbs(config.Path) {
+		if config.Path == nil {
 			if len(config.Args) > 0 {
 				if p, err := sys.LookPath(config.Args[0]); err != nil {
 					return hlog.WrapErr(err, err.Error())
-				} else {
-					config.Path = p
+				} else if config.Path, err = container.NewAbs(p); err != nil {
+					return hlog.WrapErr(err, err.Error())
 				}
 			} else {
 				config.Path = config.Shell
@ -242,26 +242,34 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 			Tty:     true,
 			AutoEtc: true,

-			AutoRoot:  "/",
+			AutoRoot:  container.AbsFHSRoot,
 			RootFlags: container.BindWritable,
 		}

 		// bind GPU stuff
 		if config.Enablements&(system.EX11|system.EWayland) != 0 {
-			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/dri", Device: true})
+			conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}})
 		}
 		// opportunistically bind kvm
-		conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/kvm", Device: true})
+		conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("kvm"), Device: true, Optional: true}})

 		// hide nscd from container if present
-		const nscd = "/var/run/nscd"
-		if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
-			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Dst: nscd, Src: hst.SourceTmpfs})
+		nscd := container.AbsFHSVar.Append("run/nscd")
+		if _, err := sys.Stat(nscd.String()); !errors.Is(err, fs.ErrNotExist) {
+			conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Dst: nscd}})
 		}

 		config.Container = conf
 	}

+	// late nil checks for pd behaviour
+	if config.Shell == nil {
+		return hlog.WrapErr(syscall.EINVAL, "invalid shell path")
+	}
+	if config.Path == nil {
+		return hlog.WrapErr(syscall.EINVAL, "invalid program path")
+	}
+
 	var mapuid, mapgid *stringPair[int]
 	{
 		var uid, gid int
@ -272,12 +280,8 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 			return hlog.WrapErrSuffix(err,
 				"cannot initialise container configuration:")
 		}
-		if !path.IsAbs(config.Path) {
-			return hlog.WrapErr(syscall.EINVAL,
-				"invalid program path")
-		}
 		if len(config.Args) == 0 {
-			config.Args = []string{config.Path}
+			config.Args = []string{config.Path.String()}
 		}
 		seal.container.Path = config.Path
 		seal.container.Args = config.Args
@ -290,56 +294,52 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 	}

 	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
-	innerRuntimeDir := path.Join("/run/user", mapuid.String())
-	seal.env[xdgRuntimeDir] = innerRuntimeDir
+	innerRuntimeDir := container.AbsFHSRunUser.Append(mapuid.String())
+	seal.env[xdgRuntimeDir] = innerRuntimeDir.String()
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"

 	share := &shareHost{seal: seal, sc: sys.Paths()}
 	seal.runDirPath = share.sc.RunDirPath
 	seal.sys = system.New(seal.user.uid.unwrap())
-	seal.sys.Ensure(share.sc.SharePath, 0711)
+	seal.sys.Ensure(share.sc.SharePath.String(), 0711)

 	{
-		runtimeDir := path.Join(share.sc.SharePath, "runtime")
-		seal.sys.Ensure(runtimeDir, 0700)
-		seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
-		runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
-		seal.sys.Ensure(runtimeDirInst, 0700)
-		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
-		seal.container.Tmpfs("/run/user", 1<<12, 0755)
+		runtimeDir := share.sc.SharePath.Append("runtime")
+		seal.sys.Ensure(runtimeDir.String(), 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDir.String(), acl.Execute)
+		runtimeDirInst := runtimeDir.Append(seal.user.aid.String())
+		seal.sys.Ensure(runtimeDirInst.String(), 0700)
+		seal.sys.UpdatePermType(system.User, runtimeDirInst.String(), acl.Read, acl.Write, acl.Execute)
+		seal.container.Tmpfs(container.AbsFHSRunUser, 1<<12, 0755)
 		seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable)
 	}

 	{
-		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
-		seal.sys.Ensure(tmpdir, 0700)
-		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
-		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
-		seal.sys.Ensure(tmpdirInst, 01700)
-		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
+		tmpdir := share.sc.SharePath.Append("tmpdir")
+		seal.sys.Ensure(tmpdir.String(), 0700)
+		seal.sys.UpdatePermType(system.User, tmpdir.String(), acl.Execute)
+		tmpdirInst := tmpdir.Append(seal.user.aid.String())
+		seal.sys.Ensure(tmpdirInst.String(), 01700)
+		seal.sys.UpdatePermType(system.User, tmpdirInst.String(), acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", container.BindWritable)
+		seal.container.Bind(tmpdirInst, container.AbsFHSTmp, container.BindWritable)
 	}

 	{
-		homeDir := "/var/empty"
-		if seal.user.home != "" {
-			homeDir = seal.user.home
-		}
 		username := "chronos"
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
-		seal.container.Bind(seal.user.data, homeDir, container.BindWritable)
-		seal.container.Dir = homeDir
-		seal.env["HOME"] = homeDir
+		seal.container.Bind(seal.user.data, seal.user.home, container.BindWritable)
+		seal.container.Dir = seal.user.home
+		seal.env["HOME"] = seal.user.home.String()
 		seal.env["USER"] = username
-		seal.env[shell] = config.Shell
+		seal.env[shell] = config.Shell.String()

-		seal.container.Place("/etc/passwd",
-			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+homeDir+":"+config.Shell+"\n"))
-		seal.container.Place("/etc/group",
+		seal.container.Place(container.AbsFHSEtc.Append("passwd"),
+			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+seal.user.home.String()+":"+config.Shell.String()+"\n"))
+		seal.container.Place(container.AbsFHSEtc.Append("group"),
 			[]byte("hakurei:x:"+mapgid.String()+":\n"))
 	}

@ -350,17 +350,17 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co

 	if config.Enablements&system.EWayland != 0 {
 		// outer wayland socket (usually `/run/user/%d/wayland-%d`)
-		var socketPath string
+		var socketPath *container.Absolute
 		if name, ok := sys.LookupEnv(wayland.WaylandDisplay); !ok {
 			hlog.Verbose(wayland.WaylandDisplay + " is not set, assuming " + wayland.FallbackName)
-			socketPath = path.Join(share.sc.RuntimePath, wayland.FallbackName)
-		} else if !path.IsAbs(name) {
-			socketPath = path.Join(share.sc.RuntimePath, name)
+			socketPath = share.sc.RuntimePath.Append(wayland.FallbackName)
+		} else if a, err := container.NewAbs(name); err != nil {
+			socketPath = share.sc.RuntimePath.Append(name)
 		} else {
-			socketPath = name
+			socketPath = a
 		}

-		innerPath := path.Join(innerRuntimeDir, wayland.FallbackName)
+		innerPath := innerRuntimeDir.Append(wayland.FallbackName)
 		seal.env[wayland.WaylandDisplay] = wayland.FallbackName

 		if !config.DirectWayland { // set up security-context-v1
@ -370,14 +370,14 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 				appID = "app.hakurei." + seal.id.String()
 			}
 			// downstream socket paths
-			outerPath := path.Join(share.instance(), "wayland")
-			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
+			outerPath := share.instance().Append("wayland")
+			seal.sys.Wayland(&seal.sync, outerPath.String(), socketPath.String(), appID, seal.id.String())
 			seal.container.Bind(outerPath, innerPath, 0)
 		} else { // bind mount wayland socket (insecure)
 			hlog.Verbose("direct wayland access, PROCEED WITH CAUTION")
 			share.ensureRuntimeDir()
 			seal.container.Bind(socketPath, innerPath, 0)
-			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
+			seal.sys.UpdatePermType(system.EWayland, socketPath.String(), acl.Read, acl.Write, acl.Execute)
 		}
 	}

@ -388,17 +388,18 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		} else {
 			seal.sys.ChangeHosts("#" + seal.user.uid.String())
 			seal.env[display] = d
-			seal.container.Bind("/tmp/.X11-unix", "/tmp/.X11-unix", 0)
+			socketDir := container.AbsFHSTmp.Append(".X11-unix")
+			seal.container.Bind(socketDir, socketDir, 0)
 		}
 	}

 	if config.Enablements&system.EPulse != 0 {
 		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
-		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
+		pulseRuntimeDir := share.sc.RuntimePath.Append("pulse")
 		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
-		pulseSocket := path.Join(pulseRuntimeDir, "native")
+		pulseSocket := pulseRuntimeDir.Append("native")

-		if _, err := sys.Stat(pulseRuntimeDir); err != nil {
+		if _, err := sys.Stat(pulseRuntimeDir.String()); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
@ -407,7 +408,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 				fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
 		}

-		if s, err := sys.Stat(pulseSocket); err != nil {
+		if s, err := sys.Stat(pulseSocket.String()); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
@ -422,19 +423,19 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}

 		// hard link pulse socket into target-executable share
-		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
-		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
-		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
+		innerPulseRuntimeDir := share.runtime().Append("pulse")
+		innerPulseSocket := innerRuntimeDir.Append("pulse", "native")
+		seal.sys.Link(pulseSocket.String(), innerPulseRuntimeDir.String())
 		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
-		seal.env[pulseServer] = "unix:" + innerPulseSocket
+		seal.env[pulseServer] = "unix:" + innerPulseSocket.String()

 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(sys); err != nil {
 			// not fatal
 			hlog.Verbose(strings.TrimSpace(err.(*hlog.BaseError).Message()))
 		} else {
-			innerDst := hst.Tmp + "/pulse-cookie"
-			seal.env[pulseCookie] = innerDst
+			innerDst := hst.AbsTmp.Append("/pulse-cookie")
+			seal.env[pulseCookie] = innerDst.String()
 			var payload *[]byte
 			seal.container.PlaceP(innerDst, &payload)
 			seal.sys.CopyFile(payload, src, 256, 256)
@ -448,13 +449,12 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}

 		// downstream socket paths
-		sharePath := share.instance()
-		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
+		sessionPath, systemPath := share.instance().Append("bus"), share.instance().Append("system_bus_socket")

 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(
 			config.SessionBus, config.SystemBus,
-			sessionPath, systemPath,
+			sessionPath.String(), systemPath.String(),
 		); err != nil {
 			return err
 		} else {
@ -462,24 +462,20 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}

 		// share proxy sockets
-		sessionInner := path.Join(innerRuntimeDir, "bus")
-		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner
+		sessionInner := innerRuntimeDir.Append("bus")
+		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner.String()
 		seal.container.Bind(sessionPath, sessionInner, 0)
-		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
+		seal.sys.UpdatePerm(sessionPath.String(), acl.Read, acl.Write)
 		if config.SystemBus != nil {
-			systemInner := "/run/dbus/system_bus_socket"
-			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner
+			systemInner := container.AbsFHSRun.Append("dbus/system_bus_socket")
+			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner.String()
 			seal.container.Bind(systemPath, systemInner, 0)
-			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
+			seal.sys.UpdatePerm(systemPath.String(), acl.Read, acl.Write)
 		}
 	}

-	for _, dest := range config.Container.Cover {
-		seal.container.Tmpfs(dest, 1<<13, 0755)
-	}
-
 	// mount root read-only as the final setup Op
-	seal.container.Remount("/", syscall.MS_RDONLY)
+	seal.container.Remount(container.AbsFHSRoot, syscall.MS_RDONLY)

 	// append ExtraPerms last
 	for _, p := range config.ExtraPerms {
@ -488,7 +484,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		}

 		if p.Ensure {
-			seal.sys.Ensure(p.Path, 0700)
+			seal.sys.Ensure(p.Path.String(), 0700)
 		}

 		perms := make(acl.Perms, 0, 3)
@ -501,7 +497,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		if p.Execute {
 			perms = append(perms, acl.Execute)
 		}
-		seal.sys.UpdatePermType(system.User, p.Path, perms...)
+		seal.sys.UpdatePermType(system.User, p.Path.String(), perms...)
 	}

 	// flatten and sort env for deterministic behaviour
--- a/internal/app/shim_linux.go
+++ b/internal/app/shim_linux.go
@ -64,7 +64,7 @@ func ShimMain() {
 		closeSetup func() error
 	)
 	if f, err := container.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, container.ErrInvalid) {
+		if errors.Is(err, syscall.EBADF) {
 			log.Fatal("invalid config descriptor")
 		}
 		if errors.Is(err, container.ErrNotSet) {
@ -157,13 +157,9 @@ func ShimMain() {
 		log.Fatalf("path %q is not a directory", params.Home)
 	}

-	var name string
-	if len(params.Container.Args) > 0 {
-		name = params.Container.Args[0]
-	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	cancelContainer.Store(&stop)
-	z := container.New(ctx, name)
+	z := container.New(ctx)
 	z.Params = *params.Container
 	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr

--- a/internal/sys/interface.go
+++ b/internal/sys/interface.go
@ -3,10 +3,11 @@ package sys

 import (
 	"io/fs"
+	"log"
 	"os/user"
-	"path"
 	"strconv"

+	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 )
@ -50,18 +51,23 @@ type State interface {

 // CopyPaths is a generic implementation of [hst.Paths].
 func CopyPaths(os State, v *hst.Paths) {
-	v.SharePath = path.Join(os.TempDir(), "hakurei."+strconv.Itoa(os.Getuid()))
-
-	hlog.Verbosef("process share directory at %q", v.SharePath)
-
-	if r, ok := os.LookupEnv(xdgRuntimeDir); !ok || r == "" || !path.IsAbs(r) {
-		// fall back to path in share since hakurei has no hard XDG dependency
-		v.RunDirPath = path.Join(v.SharePath, "run")
-		v.RuntimePath = path.Join(v.RunDirPath, "compat")
+	if tempDir, err := container.NewAbs(os.TempDir()); err != nil {
+		log.Fatalf("invalid TMPDIR: %v", err)
 	} else {
-		v.RuntimePath = r
-		v.RunDirPath = path.Join(v.RuntimePath, "hakurei")
+		v.TempDir = tempDir
 	}

+	v.SharePath = v.TempDir.Append("hakurei." + strconv.Itoa(os.Getuid()))
+	hlog.Verbosef("process share directory at %q", v.SharePath)
+
+	r, _ := os.LookupEnv(xdgRuntimeDir)
+	if a, err := container.NewAbs(r); err != nil {
+		// fall back to path in share since hakurei has no hard XDG dependency
+		v.RunDirPath = v.SharePath.Append("run")
+		v.RuntimePath = v.RunDirPath.Append("compat")
+	} else {
+		v.RuntimePath = a
+		v.RunDirPath = v.RuntimePath.Append("hakurei")
+	}
 	hlog.Verbosef("runtime directory at %q", v.RunDirPath)
 }
--- a/internal/sys/std.go
+++ b/internal/sys/std.go
@ -86,7 +86,7 @@ func (s *Std) Uid(aid int) (int, error) {
 	cmd.Path = hsuPath
 	cmd.Stderr = os.Stderr // pass through fatal messages
 	cmd.Env = []string{"HAKUREI_APP_ID=" + strconv.Itoa(aid)}
-	cmd.Dir = "/"
+	cmd.Dir = container.FHSRoot
 	var (
 		p         []byte
 		exitError *exec.ExitError
--- a/ldd/exec.go
+++ b/ldd/exec.go
@ -5,13 +5,17 @@ import (
 	"context"
 	"io"
 	"os"
+	"os/exec"
 	"time"

 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 )

-const lddTimeout = 2 * time.Second
+const (
+	lddName    = "ldd"
+	lddTimeout = 2 * time.Second
+)

 var (
 	msgStatic      = []byte("Not a valid dynamic program")
@ -21,14 +25,25 @@ var (
 func Exec(ctx context.Context, p string) ([]*Entry, error) {
 	c, cancel := context.WithTimeout(ctx, lddTimeout)
 	defer cancel()
-	z := container.New(c, "ldd", p)
-	z.Hostname = "hakurei-ldd"
+
+	var toolPath *container.Absolute
+	if s, err := exec.LookPath(lddName); err != nil {
+		return nil, err
+	} else if toolPath, err = container.NewAbs(s); err != nil {
+		return nil, err
+	}
+
+	z := container.NewCommand(c, toolPath, lddName, p)
+	z.Hostname = "hakurei-" + lddName
 	z.SeccompFlags |= seccomp.AllowMultiarch
 	z.SeccompPresets |= seccomp.PresetStrict
 	stdout, stderr := new(bytes.Buffer), new(bytes.Buffer)
 	z.Stdout = stdout
 	z.Stderr = stderr
-	z.Bind("/", "/", 0).Proc("/proc").Dev("/dev")
+	z.
+		Bind(container.AbsFHSRoot, container.AbsFHSRoot, 0).
+		Proc(container.AbsFHSProc).
+		Dev(container.AbsFHSDev, false)

 	if err := z.Start(); err != nil {
 		return nil, err
--- a/ldd/path.go
+++ b/ldd/path.go
@ -1,21 +1,20 @@
 package ldd

 import (
-	"path"
-	"slices"
+	"hakurei.app/container"
 )

 // Path returns a deterministic, deduplicated slice of absolute directory paths in entries.
-func Path(entries []*Entry) []string {
-	p := make([]string, 0, len(entries)*2)
+func Path(entries []*Entry) []*container.Absolute {
+	p := make([]*container.Absolute, 0, len(entries)*2)
 	for _, entry := range entries {
-		if path.IsAbs(entry.Path) {
-			p = append(p, path.Dir(entry.Path))
+		if a, err := container.NewAbs(entry.Path); err == nil {
+			p = append(p, a.Dir())
 		}
-		if path.IsAbs(entry.Name) {
-			p = append(p, path.Dir(entry.Name))
+		if a, err := container.NewAbs(entry.Name); err == nil {
+			p = append(p, a.Dir())
 		}
 	}
-	slices.Sort(p)
-	return slices.Compact(p)
+	container.SortAbs(p)
+	return container.CompactAbs(p)
 }
--- a/nixos.nix
+++ b/nixos.nix
@ -124,6 +124,7 @@ in
                    username = getsubname fid app.identity;
                    data = getsubhome fid app.identity;

+                    inherit (cfg) shell;
                    inherit (app) identity groups;

                    container = {
@ -141,59 +142,65 @@ in

                      filesystem =
                        let
-                          bind = src: { inherit src; };
-                          mustBind = src: {
+                          bind = src: {
+                            type = "bind";
                            inherit src;
-                            require = true;
                          };
-                          devBind = src: {
+                          optBind = src: {
+                            type = "bind";
+                            inherit src;
+                            optional = true;
+                          };
+                          optDevBind = src: {
+                            type = "bind";
                            inherit src;
                            dev = true;
+                            optional = true;
                          };
                        in
                        [
-                          (mustBind "/bin")
-                          (mustBind "/usr/bin")
-                          (mustBind "/nix/store")
-                          (bind "/sys/block")
-                          (bind "/sys/bus")
-                          (bind "/sys/class")
-                          (bind "/sys/dev")
-                          (bind "/sys/devices")
+                          (bind "/bin")
+                          (bind "/usr/bin")
+                          (bind "/nix/store")
+                          (optBind "/sys/block")
+                          (optBind "/sys/bus")
+                          (optBind "/sys/class")
+                          (optBind "/sys/dev")
+                          (optBind "/sys/devices")
                        ]
                        ++ optionals app.nix [
-                          (mustBind "/nix/var")
+                          (bind "/nix/var")
                        ]
                        ++ optionals isGraphical [
-                          (devBind "/dev/dri")
-                          (devBind "/dev/nvidiactl")
-                          (devBind "/dev/nvidia-modeset")
-                          (devBind "/dev/nvidia-uvm")
-                          (devBind "/dev/nvidia-uvm-tools")
-                          (devBind "/dev/nvidia0")
+                          (optDevBind "/dev/dri")
+                          (optDevBind "/dev/nvidiactl")
+                          (optDevBind "/dev/nvidia-modeset")
+                          (optDevBind "/dev/nvidia-uvm")
+                          (optDevBind "/dev/nvidia-uvm-tools")
+                          (optDevBind "/dev/nvidia0")
                        ]
                        ++ optionals app.useCommonPaths cfg.commonPaths
                        ++ app.extraPaths;
                      auto_etc = true;

                      symlink = [
-                        [
-                          "*/run/current-system"
-                          "/run/current-system"
-                        ]
+                        {
+                          target = "/run/current-system";
+                          linkname = "*/run/current-system";
+                        }
                      ]
                      ++ optionals (isGraphical && config.hardware.graphics.enable) (
                        [
-                          [
-                            config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument
-                            "/run/opengl-driver"
-                          ]
+                          {
+                            target = "/run/opengl-driver";
+                            linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument;
+                          }
                        ]
                        ++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [
-                          [
-                            config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument
-                            /run/opengl-driver-32
-                          ]
+                          {
+                            target = "/run/opengl-driver-32";
+                            linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument;
+                          }
                        ]
                      );
                    };
--- a/options.nix
+++ b/options.nix
@ -7,6 +7,7 @@ let
  mountPoint =
    let
      inherit (types)
+        enum
        str
        submodule
        nullOr
@ -15,6 +16,14 @@ let
    in
    listOf (submodule {
      options = {
+        type = mkOption {
+          type = enum [ "bind" ];
+          default = "bind";
+          description = ''
+            Type of the mount point;
+          '';
+        };
+
        dst = mkOption {
          type = nullOr str;
          default = null;
@ -32,7 +41,7 @@ let

        write = mkEnableOption "mounting path as writable";
        dev = mkEnableOption "use of device files";
-        require = mkEnableOption "start failure if the bind mount cannot be established for any reason";
+        optional = mkEnableOption "ignore nonexistent source path";
      };
    });
 in
@ -299,6 +308,14 @@ in
        '';
      };

+      shell = mkOption {
+        type = types.str;
+        default = "/run/current-system/sw/bin/bash";
+        description = ''
+          Absolute path to preferred shell.
+        '';
+      };
+
      stateDir = mkOption {
        type = types.str;
        description = ''
--- a/system/dbus/dbus_test.go
+++ b/system/dbus/dbus_test.go
@ -153,7 +153,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
 				t.Run("string", func(t *testing.T) {
 					wantSubstr := fmt.Sprintf("%s --args=3 --fd=4", os.Args[0])
 					if useSandbox {
-						wantSubstr = fmt.Sprintf(`argv: ["%s" "--args=3" "--fd=4"], filter: true, rules: 0, flags: 0x1, presets: 0xf`, os.Args[0])
+						wantSubstr = `argv: ["xdg-dbus-proxy" "--args=3" "--fd=4"], filter: true, rules: 0, flags: 0x1, presets: 0xf`
 					}
 					if got := p.String(); !strings.Contains(got, wantSubstr) {
 						t.Errorf("String: %q, want %q",
--- a/system/dbus/proc.go
+++ b/system/dbus/proc.go
@ -5,9 +5,6 @@ import (
 	"errors"
 	"os"
 	"os/exec"
-	"path"
-	"path/filepath"
-	"slices"
 	"strconv"
 	"syscall"

@ -43,24 +40,26 @@ func (p *Proxy) Start() error {
 			cmd.Env = make([]string, 0)
 		}, nil)
 	} else {
-		toolPath := p.name
-		if filepath.Base(p.name) == p.name {
-			if s, err := exec.LookPath(p.name); err != nil {
+		var toolPath *container.Absolute
+		if a, err := container.NewAbs(p.name); err != nil {
+			if p.name, err = exec.LookPath(p.name); err != nil {
+				return err
+			} else if toolPath, err = container.NewAbs(p.name); err != nil {
 				return err
-			} else {
-				toolPath = s
 			}
+		} else {
+			toolPath = a
 		}

-		var libPaths []string
-		if entries, err := ldd.Exec(ctx, toolPath); err != nil {
+		var libPaths []*container.Absolute
+		if entries, err := ldd.Exec(ctx, toolPath.String()); err != nil {
 			return err
 		} else {
 			libPaths = ldd.Path(entries)
 		}

 		p.helper = helper.New(
-			ctx, toolPath,
+			ctx, toolPath, "xdg-dbus-proxy",
 			p.final, true,
 			argF, func(z *container.Container) {
 				z.SeccompFlags |= seccomp.AllowMultiarch
@ -76,42 +75,46 @@ func (p *Proxy) Start() error {
 				}

 				// upstream bus directories
-				upstreamPaths := make([]string, 0, 2)
+				upstreamPaths := make([]*container.Absolute, 0, 2)
 				for _, addr := range [][]AddrEntry{p.final.SessionUpstream, p.final.SystemUpstream} {
 					for _, ent := range addr {
 						if ent.Method != "unix" {
 							continue
 						}
 						for _, pair := range ent.Values {
-							if pair[0] != "path" || !path.IsAbs(pair[1]) {
+							if pair[0] != "path" {
 								continue
 							}
-							upstreamPaths = append(upstreamPaths, path.Dir(pair[1]))
+							if a, err := container.NewAbs(pair[1]); err != nil {
+								continue
+							} else {
+								upstreamPaths = append(upstreamPaths, a.Dir())
+							}
 						}
 					}
 				}
-				slices.Sort(upstreamPaths)
-				upstreamPaths = slices.Compact(upstreamPaths)
+				container.SortAbs(upstreamPaths)
+				upstreamPaths = container.CompactAbs(upstreamPaths)
 				for _, name := range upstreamPaths {
 					z.Bind(name, name, 0)
 				}

 				// parent directories of bind paths
-				sockDirPaths := make([]string, 0, 2)
-				if d := path.Dir(p.final.Session[1]); path.IsAbs(d) {
-					sockDirPaths = append(sockDirPaths, d)
+				sockDirPaths := make([]*container.Absolute, 0, 2)
+				if a, err := container.NewAbs(p.final.Session[1]); err == nil {
+					sockDirPaths = append(sockDirPaths, a.Dir())
 				}
-				if d := path.Dir(p.final.System[1]); path.IsAbs(d) {
-					sockDirPaths = append(sockDirPaths, d)
+				if a, err := container.NewAbs(p.final.System[1]); err == nil {
+					sockDirPaths = append(sockDirPaths, a.Dir())
 				}
-				slices.Sort(sockDirPaths)
-				sockDirPaths = slices.Compact(sockDirPaths)
+				container.SortAbs(sockDirPaths)
+				sockDirPaths = container.CompactAbs(sockDirPaths)
 				for _, name := range sockDirPaths {
 					z.Bind(name, name, container.BindWritable)
 				}

 				// xdg-dbus-proxy bin path
-				binPath := path.Dir(toolPath)
+				binPath := toolPath.Dir()
 				z.Bind(binPath, binPath, 0)
 			}, nil)
 	}
--- a/test/interactive/configuration.nix
+++ b/test/interactive/configuration.nix
@ -0,0 +1,60 @@
+{ pkgs, ... }:
+{
+  system.stateVersion = "23.05";
+
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+      extraGroups = [ "wheel" ];
+    };
+    untrusted = {
+      isNormalUser = true;
+      description = "Untrusted user";
+      password = "foobar";
+      uid = 1001;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  security = {
+    sudo.wheelNeedsPassword = false;
+    rtkit.enable = true;
+  };
+
+  services = {
+    getty.autologinUser = "alice";
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+    };
+  };
+
+  environment.variables = {
+    SWAYSOCK = "/tmp/sway-ipc.sock";
+    WLR_RENDERER = "pixman";
+  };
+
+  programs = {
+    sway.enable = true;
+
+    bash.loginShellInit = ''
+      if [ "$(tty)" = "/dev/tty1" ]; then
+        set -e
+
+        mkdir -p ~/.config/sway
+        (sed s/Mod4/Mod1/ /etc/sway/config &&
+        echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill') > ~/.config/sway/config
+
+        sway --validate
+        systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
+      fi
+    '';
+  };
+}
--- a/test/interactive/hakurei.nix
+++ b/test/interactive/hakurei.nix
@ -0,0 +1,25 @@
+{ pkgs, ... }:
+{
+  environment.hakurei = {
+    enable = true;
+    stateDir = "/var/lib/hakurei";
+    users.alice = 0;
+    apps = {
+      "cat.gensokyo.extern.foot.noEnablements" = {
+        name = "ne-foot";
+        identity = 1;
+        shareUid = true;
+        verbose = true;
+        share = pkgs.foot;
+        packages = [ pkgs.foot ];
+        command = "foot";
+        capability = {
+          dbus = false;
+          pulse = false;
+        };
+      };
+    };
+
+    extraHomeConfig.home.stateVersion = "23.05";
+  };
+}
--- a/test/interactive/trace.nix
+++ b/test/interactive/trace.nix
@ -0,0 +1,28 @@
+{ lib, pkgs, ... }:
+let
+  tracing = name: "\"/sys/kernel/debug/tracing/${name}\"";
+in
+{
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "hakurei-set-up-tracing" ''
+      set -e
+      echo "$1" > ${tracing "set_graph_function"}
+      echo function_graph > ${tracing "current_tracer"}
+      echo funcgraph-tail > ${tracing "trace_options"}
+      echo funcgraph-retval > ${tracing "trace_options"}
+      echo nofuncgraph-cpu > ${tracing "trace_options"}
+      echo nofuncgraph-overhead > ${tracing "trace_options"}
+      echo nofuncgraph-duration > ${tracing "trace_options"}
+    '')
+    (pkgs.writeShellScriptBin "hakurei-print-trace" "exec cat ${tracing "trace"}")
+    (pkgs.writeShellScriptBin "hakurei-consume-trace" "exec cat ${tracing "trace_pipe"}")
+  ];
+
+  boot.kernelPatches = [
+    {
+      name = "funcgraph-retval";
+      patch = null;
+      extraStructuredConfig.FUNCTION_GRAPH_RETVAL = lib.kernel.yes;
+    }
+  ];
+}
--- a/test/interactive/vm.nix
+++ b/test/interactive/vm.nix
@ -0,0 +1,56 @@
+{
+  virtualisation.vmVariant.virtualisation = {
+    memorySize = 4096;
+    qemu.options = [
+      "-vga none -device virtio-gpu-pci"
+      "-smp 8"
+    ];
+
+    mountHostNixStore = true;
+    writableStore = true;
+    writableStoreUseTmpfs = false;
+
+    sharedDirectories = {
+      cwd = {
+        target = "/mnt/.ro-cwd";
+        source = ''"$OLDPWD"'';
+        securityModel = "none";
+      };
+    };
+
+    fileSystems = {
+      "/mnt/.ro-cwd".options = [
+        "ro"
+        "noatime"
+      ];
+      "/mnt/cwd".overlay = {
+        lowerdir = [ "/mnt/.ro-cwd" ];
+        upperdir = "/tmp/.cwd/upper";
+        workdir = "/tmp/.cwd/work";
+      };
+
+      "/mnt/src".overlay = {
+        lowerdir = [ ../.. ];
+        upperdir = "/tmp/.src/upper";
+        workdir = "/tmp/.src/work";
+      };
+    };
+  };
+
+  systemd.services = {
+    logrotate-checkconf.enable = false;
+    hakurei-src-fix-ownership = {
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "mnt-src.mount" ];
+      after = [ "mnt-src.mount" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        chown -R alice:users /mnt/src/
+        chmod -R +w /mnt/src/
+      '';
+    };
+  };
+}
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@ -229,7 +229,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@ -170,7 +170,7 @@
      (ent "/var" "/var" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000000,gid=1000000")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000000,gid=1000000")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@ -229,7 +229,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000005,gid=1000005")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000005,gid=1000005")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@ -228,7 +228,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@ -230,7 +230,7 @@ in
      (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
      (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
      (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
-      (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")
+      (ent "/" "/dev" "ro,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")
      (ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
Author	SHA1	Message	Date
Ophestra	332d90d6c7	container/path: remove unused path Some checks failed Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m9s Details Test / Hakurei (push) Failing after 3m40s Details Test / Sandbox (race detector) (push) Successful in 4m19s Details Test / Hpkg (push) Successful in 4m35s Details Test / Hakurei (race detector) (push) Successful in 5m23s Details Test / Flake checks (push) Has been skipped Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-14 05:00:09 +09:00
Ophestra	99ac96511b	hst/fs: interface filesystem config All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m14s Details Test / Hakurei (push) Successful in 3m37s Details Test / Hpkg (push) Successful in 4m27s Details Test / Sandbox (race detector) (push) Successful in 4m23s Details Test / Hakurei (race detector) (push) Successful in 5m22s Details Test / Flake checks (push) Successful in 1m22s Details This allows mount points to be represented by different underlying structs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-14 04:52:49 +09:00
Ophestra	e99d7affb0	container: use absolute for pathname All checks were successful Test / Flake checks (push) Successful in 1m26s Details Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 1m59s Details Test / Hakurei (push) Successful in 2m58s Details Test / Hpkg (push) Successful in 3m45s Details Test / Sandbox (race detector) (push) Successful in 4m11s Details Test / Hakurei (race detector) (push) Successful in 4m47s Details This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-11 04:56:42 +09:00
Ophestra	41ac2be965	container/absolute: wrap safe stdlib functions All checks were successful Test / Create distribution (push) Successful in 34s Details Test / Sandbox (push) Successful in 2m0s Details Test / Hakurei (push) Successful in 2m57s Details Test / Hpkg (push) Successful in 3m52s Details Test / Sandbox (race detector) (push) Successful in 4m4s Details Test / Hakurei (race detector) (push) Successful in 4m49s Details Test / Flake checks (push) Successful in 1m31s Details These functions do not change the absoluteness of a pathname. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-10 03:11:10 +09:00
Ophestra	02271583fb	container: remove PATH lookup behaviour All checks were successful Test / Hakurei (race detector) (push) Successful in 2m42s Details Test / Flake checks (push) Successful in 1m25s Details Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m57s Details Test / Hakurei (push) Successful in 2m57s Details Test / Hpkg (push) Successful in 3m58s Details Test / Sandbox (race detector) (push) Successful in 4m7s Details This is way higher level than the container package and does not even work unless every path is mounted in the exact same location. This behaviour causes nothing but confusion and problems, Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-09 19:08:54 +09:00
Ophestra	ef54b2cd08	container/absolute: early absolute pathname check All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m1s Details Test / Hakurei (push) Successful in 2m57s Details Test / Hpkg (push) Successful in 3m50s Details Test / Sandbox (race detector) (push) Successful in 4m13s Details Test / Hakurei (race detector) (push) Successful in 4m48s Details Test / Flake checks (push) Successful in 1m25s Details This is less error-prone, and allows pathname to be checked once. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-09 18:53:46 +09:00
Ophestra	82608164f6	container/params: remove confusingly named error All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m9s Details Test / Hakurei (push) Successful in 2m59s Details Test / Hpkg (push) Successful in 3m53s Details Test / Flake checks (push) Successful in 1m19s Details Test / Sandbox (race detector) (push) Successful in 4m16s Details Test / Hakurei (race detector) (push) Successful in 4m49s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-09 17:37:46 +09:00
Ophestra	edd6f2cfa9	container: document ambient capabilities All checks were successful Test / Hakurei (push) Successful in 2m3s Details Test / Flake checks (push) Successful in 1m22s Details Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 2m3s Details Test / Hpkg (push) Successful in 3m54s Details Test / Sandbox (race detector) (push) Successful in 4m20s Details Test / Hakurei (race detector) (push) Successful in 4m45s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 02:11:55 +09:00
Ophestra	acffa76812	container/ops: implement overlay op All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 2m2s Details Test / Hakurei (push) Successful in 2m57s Details Test / Hpkg (push) Successful in 3m54s Details Test / Sandbox (race detector) (push) Successful in 4m6s Details Test / Hakurei (race detector) (push) Successful in 4m51s Details Test / Flake checks (push) Successful in 1m22s Details There are significant limitations to using the overlay mount, and the implementation in the kernel is quite quirky. For now the Op is quite robust, however a higher level interface for it has not been decided yet. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 01:54:48 +09:00
Ophestra	8da76483e6	container/path: fix typo "paths" All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 1m57s Details Test / Hakurei (push) Successful in 2m54s Details Test / Hpkg (push) Successful in 3m53s Details Test / Sandbox (race detector) (push) Successful in 3m57s Details Test / Hakurei (race detector) (push) Successful in 4m37s Details Test / Flake checks (push) Successful in 1m25s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 01:32:48 +09:00
Ophestra	534c932906	container: test case runtime initialisation All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 2m5s Details Test / Hpkg (push) Successful in 3m49s Details Test / Sandbox (race detector) (push) Successful in 3m53s Details Test / Hakurei (race detector) (push) Successful in 4m36s Details Test / Hakurei (push) Successful in 2m10s Details Test / Flake checks (push) Successful in 1m34s Details This allows for more sophisticated test setup. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 01:03:35 +09:00
Ophestra	fee10fed4d	container: test bypass output buffer on verbose All checks were successful Test / Flake checks (push) Successful in 1m25s Details Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m55s Details Test / Hakurei (push) Successful in 2m55s Details Test / Sandbox (race detector) (push) Successful in 3m51s Details Test / Hpkg (push) Successful in 3m57s Details Test / Hakurei (race detector) (push) Successful in 4m35s Details This restores verbose behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 00:57:27 +09:00
Ophestra	a4f7e92e1c	test/interactive: helper scripts for tracing All checks were successful Test / Hakurei (push) Successful in 41s Details Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 39s Details Test / Hpkg (push) Successful in 40s Details Test / Hakurei (race detector) (push) Successful in 41s Details Test / Sandbox (race detector) (push) Successful in 39s Details Test / Flake checks (push) Successful in 1m26s Details The vm state is discarded often, and it is quite cumbersome to set everything up again when the shell history is gone. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 00:56:25 +09:00
Ophestra	f1a53d6116	container: raise CAP_DAC_OVERRIDE All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m59s Details Test / Hakurei (push) Successful in 2m54s Details Test / Sandbox (race detector) (push) Successful in 3m52s Details Test / Hpkg (push) Successful in 3m51s Details Test / Hakurei (race detector) (push) Successful in 4m39s Details Test / Flake checks (push) Successful in 1m25s Details This is required for upperdir and workdir checks in overlayfs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-08 00:43:19 +09:00
Ophestra	b353c3deea	nix: make src overlay writable All checks were successful Test / Hakurei (push) Successful in 42s Details Test / Create distribution (push) Successful in 33s Details Test / Hakurei (race detector) (push) Successful in 42s Details Test / Sandbox (race detector) (push) Successful in 39s Details Test / Sandbox (push) Successful in 40s Details Test / Hpkg (push) Successful in 40s Details Test / Flake checks (push) Successful in 1m23s Details The lowerdir is in the nix store. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-07 18:07:19 +09:00
Ophestra	fde5f1ca64	container: buffer test output All checks were successful Test / Create distribution (push) Successful in 34s Details Test / Sandbox (push) Successful in 2m2s Details Test / Hakurei (push) Successful in 2m54s Details Test / Hpkg (push) Successful in 3m56s Details Test / Hakurei (race detector) (push) Successful in 4m37s Details Test / Sandbox (race detector) (push) Successful in 4m7s Details Test / Flake checks (push) Successful in 1m26s Details This further reduces noise on test failure by only passing through output of the failed test. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-07 02:55:58 +09:00
Ophestra	4d0bdd84b5	container: test respect verbose flag All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 2m1s Details Test / Hpkg (push) Successful in 3m52s Details Test / Sandbox (race detector) (push) Successful in 4m1s Details Test / Hakurei (race detector) (push) Successful in 4m35s Details Test / Hakurei (push) Successful in 2m4s Details Test / Flake checks (push) Successful in 1m36s Details This reduces noise on test failure. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-07 02:50:00 +09:00
Ophestra	72a931a71a	nix: interactive nixos vm All checks were successful Test / Hakurei (push) Successful in 41s Details Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 39s Details Test / Sandbox (race detector) (push) Successful in 39s Details Test / Hpkg (push) Successful in 40s Details Test / Hakurei (race detector) (push) Successful in 41s Details Test / Flake checks (push) Successful in 1m26s Details This is useful for quickly spinning up an ephemeral hakurei environment for testing changes or reproducing vm test failures. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-07 02:46:04 +09:00
Ophestra	9a25542c6d	container/init: use mount string constants All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m13s Details Test / Sandbox (race detector) (push) Successful in 4m6s Details Test / Hpkg (push) Successful in 4m22s Details Test / Hakurei (race detector) (push) Successful in 4m49s Details Test / Hakurei (push) Successful in 2m4s Details Test / Flake checks (push) Successful in 1m13s Details These literals were missed when the constants were first defined. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-04 04:00:05 +09:00
Ophestra	c6be82bcf9	container/path: fhs path constants All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m6s Details Test / Hakurei (push) Successful in 3m6s Details Test / Sandbox (race detector) (push) Successful in 4m14s Details Test / Hpkg (push) Successful in 4m11s Details Test / Hakurei (race detector) (push) Successful in 4m40s Details Test / Flake checks (push) Successful in 1m18s Details This increases readability since this can help disambiguate absolute paths from similarly named path segments. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 21:16:45 +09:00
Ophestra	38245559dc	container/ops: mount dev readonly All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m2s Details Test / Hakurei (push) Successful in 2m57s Details Test / Sandbox (race detector) (push) Successful in 3m53s Details Test / Hpkg (push) Successful in 3m53s Details Test / Hakurei (race detector) (push) Successful in 4m37s Details Test / Flake checks (push) Successful in 1m18s Details There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 19:18:53 +09:00
Ophestra	7b416d47dc	container/ops: merge mqueue and dev Ops All checks were successful Test / Create distribution (push) Successful in 34s Details Test / Sandbox (push) Successful in 40s Details Test / Sandbox (race detector) (push) Successful in 40s Details Test / Hakurei (push) Successful in 43s Details Test / Hakurei (race detector) (push) Successful in 43s Details Test / Hpkg (push) Successful in 41s Details Test / Flake checks (push) Successful in 1m21s Details There is no reason to mount mqueue anywhere else, and these Ops usually follow each other. This change merges them. This helps decrease IPC overhead and also enables mounting dev readonly. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 19:13:46 +09:00
Ophestra	15170735ba	container/mount: move tmpfs sysroot prefixing to caller All checks were successful Test / Hakurei (push) Successful in 2m6s Details Test / Flake checks (push) Successful in 1m18s Details Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m4s Details Test / Sandbox (race detector) (push) Successful in 3m54s Details Test / Hpkg (push) Successful in 4m0s Details Test / Hakurei (race detector) (push) Successful in 4m34s Details The mountTmpfs helper is a relatively low level function that is not exposed as part of the API. Prefixing sysroot here not only introduces overhead but is also quite error-prone. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 18:06:41 +09:00
Ophestra	6a3886e9db	container/op: unexport bind resolved source field All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m5s Details Test / Hakurei (push) Successful in 2m57s Details Test / Hpkg (push) Successful in 3m55s Details Test / Sandbox (race detector) (push) Successful in 3m59s Details Test / Hakurei (race detector) (push) Successful in 4m34s Details Test / Flake checks (push) Successful in 1m21s Details This is used for symlink resolution and is only used internally. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 17:57:37 +09:00
Ophestra	ff66296378	container/mount: mount data escape helper function All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m0s Details Test / Hakurei (push) Successful in 2m56s Details Test / Sandbox (race detector) (push) Successful in 3m57s Details Test / Hpkg (push) Successful in 4m7s Details Test / Hakurei (race detector) (push) Successful in 4m38s Details Test / Flake checks (push) Successful in 1m18s Details For formatting user-supplied path strings into overlayfs mount data. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-03 17:46:14 +09:00
Ophestra	347a79df72	container: improve clone flags readability All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m0s Details Test / Sandbox (race detector) (push) Successful in 3m50s Details Test / Hpkg (push) Successful in 3m50s Details Test / Hakurei (race detector) (push) Successful in 4m31s Details Test / Hakurei (push) Successful in 2m3s Details Test / Flake checks (push) Successful in 1m15s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-02 18:19:44 +09:00
Ophestra	0f78864a67	container/mount: export mount string constants All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m1s Details Test / Hakurei (push) Successful in 2m56s Details Test / Sandbox (race detector) (push) Successful in 3m47s Details Test / Hpkg (push) Successful in 4m1s Details Test / Hakurei (race detector) (push) Successful in 4m32s Details Test / Flake checks (push) Successful in 1m19s Details This improves code readability and should also be useful for callers choosing to preserve CAP_SYS_ADMIN. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-02 17:20:09 +09:00
Ophestra	b32b1975a8	hst/container: remove cover All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m6s Details Test / Hakurei (push) Successful in 2m56s Details Test / Sandbox (race detector) (push) Successful in 3m55s Details Test / Hpkg (push) Successful in 3m55s Details Test / Hakurei (race detector) (push) Successful in 4m31s Details Test / Flake checks (push) Successful in 1m20s Details This was never useful, and is now completely replaced by regular FilesystemConfig being able to mount tmpfs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-02 00:34:52 +09:00
Ophestra	2b1eaa62f1	update github notice All checks were successful Test / Create distribution (push) Successful in 33s Details Test / Sandbox (push) Successful in 2m12s Details Test / Hakurei (push) Successful in 3m0s Details Test / Sandbox (race detector) (push) Successful in 3m52s Details Test / Hpkg (push) Successful in 4m2s Details Test / Hakurei (race detector) (push) Successful in 4m31s Details Test / Flake checks (push) Successful in 1m20s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-02 00:21:16 +09:00