release: 0.3.1

Signed-off-by: Ophestra <cat@gensokyo.uk>
container: set FD_CLOEXEC on all open files
2025-11-12 00:53:14 +09:00 · 2025-11-12 00:18:29 +09:00 · 2025-11-11 07:31:58 +09:00 · 2025-11-10 20:35:59 +09:00 · 2025-11-10 20:31:26 +09:00 · 2025-11-10 07:52:35 +09:00
355 changed files with 36189 additions and 9852 deletions
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -73,20 +73,20 @@ jobs:
          path: result/*
          retention-days: 1
-  planterette:
+  hpkg:
-    name: Planterette
+    name: Hpkg
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.planterette
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hpkg
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "planterette-vm-output"
+          name: "hpkg-vm-output"
          path: result/*
          retention-days: 1
@@ -97,7 +97,7 @@ jobs:
      - race
      - sandbox
      - sandbox-race
-      - planterette
+      - hpkg
    runs-on: nix
    steps:
      - name: Checkout
--- a/.github/workflows/README
+++ b/.github/workflows/README
@@ -1 +1,5 @@
 DO NOT ADD NEW ACTIONS HERE
 This port is solely for releasing to the github mirror and serves no purpose during development.
 All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
 request for an account on git.gensokyo.uk.
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,6 @@ go.work.sum
 # release
 /dist/hakurei-*
 # interactive nixos vm
 nixos.qcow2
--- a/README.md
+++ b/README.md
@@ -8,11 +8,16 @@
 <p align="center">
  <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
  <br/>
  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
  <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
 Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
-It also implements [planterette (WIP)](cmd/planterette), a self-contained Android-like package manager with modern security features.
+It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
 a self-contained Android-like package manager with modern security features.
 ## NixOS Module usage
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -6,73 +6,94 @@ import (
 	"io"
 	"log"
 	"os"
-	"os/signal"
+	"os/exec"
 	"os/user"
 	"strconv"
 	"sync"
 	"syscall"
 	"time"
 	_ "unsafe"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/app/instance"
 	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/command"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
+	"hakurei.app/internal/env"
-	"hakurei.app/system"
+	"hakurei.app/internal/outcome"
 	"hakurei.app/message"
 	"hakurei.app/system/dbus"
 )
-func buildCommand(out io.Writer) command.Command {
+//go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
 func optionalErrorUnwrap(_ error) error
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
 		flagVerbose bool
 		flagJSON    bool
 	)
-	c := command.New(out, log.Printf, "hakurei", func([]string) error { internal.InstallOutput(flagVerbose); return nil }).
+	c := command.New(out, log.Printf, "hakurei", func([]string) error {
 		msg.SwapVerbose(flagVerbose)
 		if early.yamaLSM != nil {
 			msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", early.yamaLSM)
 			// not fatal
 		}
 		if early.dumpable != nil {
 			log.Printf("cannot set SUID_DUMP_DISABLE: %s", early.dumpable)
 			// not fatal
 		}
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
-	c.Command("shim", command.UsageInternal, func([]string) error { instance.ShimMain(); return errSuccess })
+	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
 	c.Command("app", "Load app from configuration file", func(args []string) error {
 		if len(args) < 1 {
 			log.Fatal("app requires at least 1 argument")
 		}
 		// config extraArgs...
 		config := tryPath(args[0])
 		config.Args = append(config.Args, args[1:]...)
 		runApp(config)
 		panic("unreachable")
 	})
 	{
 		var (
-			dbusConfigSession string
+			flagIdentifierFile int
 			dbusConfigSystem  string
 			mpris             bool
 			dbusVerbose       bool
 			fid      string
 			aid      int
 			groups   command.RepeatableFlag
 			homeDir  string
 			userName string
 			wayland, x11, dBus, pulse bool
 		)
-
+		c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
-		c.NewCommand("run", "Configure and start a permissive default sandbox", func(args []string) error {
+			if len(args) < 1 {
-			// initialise config from flags
+				log.Fatal("app requires at least 1 argument")
 			config := &hst.Config{
 				ID:   fid,
 				Args: args,
 			}
-			if aid < 0 || aid > 9999 {
+			config := tryPath(msg, args[0])
-				log.Fatalf("aid %d out of range", aid)
+			if config != nil && config.Container != nil {
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}
 			outcome.Main(ctx, msg, config, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
 				"Write identifier of current instance to fd after successful startup")
 	}
 	{
 		var (
 			flagDBusConfigSession string
 			flagDBusConfigSystem  string
 			flagDBusMpris         bool
 			flagDBusVerbose       bool
 			flagID       string
 			flagIdentity int
 			flagGroups   command.RepeatableFlag
 			flagHomeDir  string
 			flagUserName string
 			flagPrivateRuntime, flagPrivateTmpdir bool
 			flagWayland, flagX11, flagDBus, flagPulse bool
 		)
 		c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
 			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
 				log.Fatalf("identity %d out of range", flagIdentity)
 			}
 			// resolve home/username from os when flag is unset
@@ -80,22 +101,15 @@ func buildCommand(out io.Writer) command.Command {
 				passwd     *user.User
 				passwdOnce sync.Once
 				passwdFunc = func() {
-					var us string
+					us := strconv.Itoa(hst.ToUser(new(outcome.Hsu).MustID(msg), flagIdentity))
 					if uid, err := std.Uid(aid); err != nil {
 						hlog.PrintBaseError(err, "cannot obtain uid from setuid wrapper:")
 						os.Exit(1)
 					} else {
 						us = strconv.Itoa(uid)
 					}
 					if u, err := user.LookupId(us); err != nil {
-						hlog.Verbosef("cannot look up uid %s", us)
+						msg.Verbosef("cannot look up uid %s", us)
 						passwd = &user.User{
 							Uid:      us,
 							Gid:      us,
 							Username: "chronos",
 							Name:     "Hakurei Permissive Default",
-							HomeDir:  "/var/empty",
+							HomeDir:  fhs.VarEmpty,
 						}
 					} else {
 						passwd = u
@@ -103,156 +117,243 @@ func buildCommand(out io.Writer) command.Command {
 				}
 			)
-			if homeDir == "os" {
+			// paths are identical, resolve inner shell and program path
 			shell := fhs.AbsRoot.Append("bin", "sh")
 			if a, err := check.NewAbs(os.Getenv("SHELL")); err == nil {
 				shell = a
 			}
 			progPath := shell
 			if len(args) > 0 {
 				if p, err := exec.LookPath(args[0]); err != nil {
 					log.Fatal(optionalErrorUnwrap(err))
 					return err
 				} else if progPath, err = check.NewAbs(p); err != nil {
 					log.Fatal(err.Error())
 					return err
 				}
 			}
 			var et hst.Enablement
 			if flagWayland {
 				et |= hst.EWayland
 			}
 			if flagX11 {
 				et |= hst.EX11
 			}
 			if flagDBus {
 				et |= hst.EDBus
 			}
 			if flagPulse {
 				et |= hst.EPulse
 			}
 			config := &hst.Config{
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
 				Enablements: hst.NewEnablements(et),
 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
 						// autoroot, includes the home directory
 						{FilesystemConfig: &hst.FSBind{
 							Target:  fhs.AbsRoot,
 							Source:  fhs.AbsRoot,
 							Write:   true,
 							Special: true,
 						}},
 					},
 					Username: flagUserName,
 					Shell:    shell,
 					Path: progPath,
 					Args: args,
 					Flags: hst.FUserns | hst.FHostNet | hst.FHostAbstract | hst.FTty,
 				},
 			}
 			// bind GPU stuff
 			if et&(hst.EX11|hst.EWayland) != 0 {
 				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
 					Source:   fhs.AbsDev.Append("dri"),
 					Device:   true,
 					Optional: true,
 				}})
 			}
 			config.Container.Filesystem = append(config.Container.Filesystem,
 				// opportunistically bind kvm
 				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
 					Source:   fhs.AbsDev.Append("kvm"),
 					Device:   true,
 					Optional: true,
 				}},
 				// do autoetc last
 				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
 					Target:  fhs.AbsEtc,
 					Source:  fhs.AbsEtc,
 					Special: true,
 				}},
 			)
 			if config.Container.Username == "chronos" {
 				passwdOnce.Do(passwdFunc)
-				homeDir = passwd.HomeDir
+				config.Container.Username = passwd.Username
 			}
-			if userName == "chronos" {
+			{
-				passwdOnce.Do(passwdFunc)
+				homeDir := flagHomeDir
-				userName = passwd.Username
+				if homeDir == "os" {
 					passwdOnce.Do(passwdFunc)
 					homeDir = passwd.HomeDir
 				}
 				if a, err := check.NewAbs(homeDir); err != nil {
 					log.Fatal(err.Error())
 					return err
 				} else {
 					config.Container.Home = a
 				}
 			}
-			config.Identity = aid
+			if !flagPrivateRuntime {
-			config.Groups = groups
+				config.Container.Flags |= hst.FShareRuntime
 			config.Data = homeDir
 			config.Username = userName
 			if wayland {
 				config.Enablements |= system.EWayland
 			}
-			if x11 {
+			if !flagPrivateTmpdir {
-				config.Enablements |= system.EX11
+				config.Container.Flags |= hst.FShareTmpdir
 			}
 			if dBus {
 				config.Enablements |= system.EDBus
 			}
 			if pulse {
 				config.Enablements |= system.EPulse
 			}
 			// parse D-Bus config file from flags if applicable
-			if dBus {
+			if flagDBus {
-				if dbusConfigSession == "builtin" {
+				if flagDBusConfigSession == "builtin" {
-					config.SessionBus = dbus.NewConfig(fid, true, mpris)
+					config.SessionBus = dbus.NewConfig(flagID, true, flagDBusMpris)
 				} else {
-					if conf, err := dbus.NewConfigFromFile(dbusConfigSession); err != nil {
+					if f, err := os.Open(flagDBusConfigSession); err != nil {
-						log.Fatalf("cannot load session bus proxy config from %q: %s", dbusConfigSession, err)
+						log.Fatal(err.Error())
 					} else {
-						config.SessionBus = conf
+						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
 						if err = f.Close(); err != nil {
 							log.Fatal(err.Error())
 						}
 					}
 				}
 				// system bus proxy is optional
-				if dbusConfigSystem != "nil" {
+				if flagDBusConfigSystem != "nil" {
-					if conf, err := dbus.NewConfigFromFile(dbusConfigSystem); err != nil {
+					if f, err := os.Open(flagDBusConfigSystem); err != nil {
-						log.Fatalf("cannot load system bus proxy config from %q: %s", dbusConfigSystem, err)
+						log.Fatal(err.Error())
 					} else {
-						config.SystemBus = conf
+						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
 						if err = f.Close(); err != nil {
 							log.Fatal(err.Error())
 						}
 					}
 				}
 				// override log from configuration
-				if dbusVerbose {
+				if flagDBusVerbose {
-					config.SessionBus.Log = true
+					if config.SessionBus != nil {
-					config.SystemBus.Log = true
+						config.SessionBus.Log = true
 					}
 					if config.SystemBus != nil {
 						config.SystemBus.Log = true
 					}
 				}
 			}
-			// invoke app
+			outcome.Main(ctx, msg, config, -1)
 			runApp(config)
 			panic("unreachable")
 		}).
-			Flag(&dbusConfigSession, "dbus-config", command.StringFlag("builtin"),
+			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
 				"Path to session bus proxy config file, or \"builtin\" for defaults").
-			Flag(&dbusConfigSystem, "dbus-system", command.StringFlag("nil"),
+			Flag(&flagDBusConfigSystem, "dbus-system", command.StringFlag("nil"),
 				"Path to system bus proxy config file, or \"nil\" to disable").
-			Flag(&mpris, "mpris", command.BoolFlag(false),
+			Flag(&flagDBusMpris, "mpris", command.BoolFlag(false),
 				"Allow owning MPRIS D-Bus path, has no effect if custom config is available").
-			Flag(&dbusVerbose, "dbus-log", command.BoolFlag(false),
+			Flag(&flagDBusVerbose, "dbus-log", command.BoolFlag(false),
 				"Force buffered logging in the D-Bus proxy").
-			Flag(&fid, "id", command.StringFlag(""),
+			Flag(&flagID, "id", command.StringFlag(""),
 				"Reverse-DNS style Application identifier, leave empty to inherit instance identifier").
-			Flag(&aid, "a", command.IntFlag(0),
+			Flag(&flagIdentity, "a", command.IntFlag(0),
 				"Application identity").
-			Flag(nil, "g", &groups,
+			Flag(nil, "g", &flagGroups,
 				"Groups inherited by all container processes").
-			Flag(&homeDir, "d", command.StringFlag("os"),
+			Flag(&flagHomeDir, "d", command.StringFlag("os"),
 				"Container home directory").
-			Flag(&userName, "u", command.StringFlag("chronos"),
+			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
-			Flag(&wayland, "wayland", command.BoolFlag(false),
+			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
 				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
 			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
 				"Do not share TMPDIR between containers under the same identity").
 			Flag(&flagWayland, "wayland", command.BoolFlag(false),
 				"Enable connection to Wayland via security-context-v1").
-			Flag(&x11, "X", command.BoolFlag(false),
+			Flag(&flagX11, "X", command.BoolFlag(false),
 				"Enable direct connection to X11").
-			Flag(&dBus, "dbus", command.BoolFlag(false),
+			Flag(&flagDBus, "dbus", command.BoolFlag(false),
 				"Enable proxied connection to D-Bus").
-			Flag(&pulse, "pulse", command.BoolFlag(false),
+			Flag(&flagPulse, "pulse", command.BoolFlag(false),
 				"Enable direct connection to PulseAudio")
 	}
-	var showFlagShort bool
+	{
-	c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
+		var (
-		switch len(args) {
+			flagShort   bool
-		case 0: // system
+			flagNoStore bool
-			printShowSystem(os.Stdout, showFlagShort, flagJSON)
+		)
 		c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
 			switch len(args) {
 			case 0: // system
 				printShowSystem(os.Stdout, flagShort, flagJSON)
-		case 1: // instance
+			case 1: // instance
-			name := args[0]
+				name := args[0]
-			config, entry := tryShort(name)
+
-			if config == nil {
+				var (
-				config = tryPath(name)
+					config *hst.Config
 					entry  *hst.State
 				)
 				if !flagNoStore {
 					var sc hst.Paths
 					env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
 					entry = tryIdentifier(msg, name, outcome.NewStore(&sc))
 				}
 				if entry == nil {
 					config = tryPath(msg, name)
 				} else {
 					config = entry.Config
 				}
 				if !printShowInstance(os.Stdout, time.Now().UTC(), entry, config, flagShort, flagJSON) {
 					os.Exit(1)
 				}
 			default:
 				log.Fatal("show requires 1 argument")
 			}
-			printShowInstance(os.Stdout, time.Now().UTC(), entry, config, showFlagShort, flagJSON)
+			return errSuccess
 		}).
 			Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information").
 			Flag(&flagNoStore, "no-store", command.BoolFlag(false), "Do not attempt to match from active instances")
 	}
-		default:
+	{
-			log.Fatal("show requires 1 argument")
+		var flagShort bool
-		}
+		c.NewCommand("ps", "List active instances", func(args []string) error {
-		return errSuccess
+			var sc hst.Paths
-	}).Flag(&showFlagShort, "short", command.BoolFlag(false), "Omit filesystem information")
+			env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
 			printPs(msg, os.Stdout, time.Now().UTC(), outcome.NewStore(&sc), flagShort, flagJSON)
 			return errSuccess
 		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
 	}
-	var psFlagShort bool
+	c.Command("version", "Display version information", func(args []string) error { fmt.Println(internal.Version()); return errSuccess })
-	c.NewCommand("ps", "List active instances", func(args []string) error {
+	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
-		printPs(os.Stdout, time.Now().UTC(), state.NewMulti(std.Paths().RunDirPath), psFlagShort, flagJSON)
+	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
-		return errSuccess
+	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })
 	}).Flag(&psFlagShort, "short", command.BoolFlag(false), "Print instance id")
 	c.Command("version", "Display version information", func(args []string) error {
 		fmt.Println(internal.Version())
 		return errSuccess
 	})
 	c.Command("license", "Show full license text", func(args []string) error {
 		fmt.Println(license)
 		return errSuccess
 	})
 	c.Command("template", "Produce a config template", func(args []string) error {
 		printJSON(os.Stdout, false, hst.Template())
 		return errSuccess
 	})
 	c.Command("help", "Show this help message", func([]string) error {
 		c.PrintHelp()
 		return errSuccess
 	})
 	return c
 }
 func runApp(config *hst.Config) {
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM)
 	defer stop() // unreachable
 	a := instance.MustNew(instance.ISetuid, ctx, std)
 	rs := new(app.RunState)
 	if sa, err := a.Seal(config); err != nil {
 		hlog.PrintBaseError(err, "cannot seal app:")
 		internal.Exit(1)
 	} else {
 		internal.Exit(instance.PrintRunStateErr(instance.ISetuid, rs, sa.Run(rs)))
 	}
 	*(*int)(nil) = 0 // not reached
 }
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -7,9 +7,12 @@ import (
 	"testing"
 	"hakurei.app/command"
 	"hakurei.app/message"
 )
 func TestHelp(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		args []string
@@ -20,8 +23,8 @@ func TestHelp(t *testing.T) {
 Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
 Commands:
-    app         Load app from configuration file
+    app         Load and start container from configuration file
-    run         Configure and start a permissive default sandbox
+    run         Configure and start a permissive container
    show        Show live or local app configuration
    ps          List active instances
    version     Display version information
@@ -33,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
 Flags:
  -X	Enable direct connection to X11
@@ -55,6 +58,10 @@ Flags:
    	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
  -mpris
    	Allow owning MPRIS D-Bus path, has no effect if custom config is available
  -private-runtime
    	Do not share XDG_RUNTIME_DIR between containers under the same identity
  -private-tmpdir
    	Do not share TMPDIR between containers under the same identity
  -pulse
    	Enable direct connection to PulseAudio
  -u string
@@ -67,8 +74,10 @@ Flags:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			out := new(bytes.Buffer)
-			c := buildCommand(out)
+			c := buildCommand(t.Context(), message.New(nil), new(earlyHardeningErrs), out)
 			if err := c.Parse(tc.args); !errors.Is(err, command.ErrHelp) && !errors.Is(err, flag.ErrHelp) {
 				t.Errorf("Parse: error = %v; want %v",
 					err, command.ErrHelp)
--- a/cmd/hakurei/internal/app/app.go
+++ b/cmd/hakurei/internal/app/app.go
@@ -1,49 +0,0 @@
 // Package app defines the generic [App] interface.
 package app
 import (
 	"syscall"
 	"time"
 	"hakurei.app/hst"
 )
 type App interface {
 	// ID returns a copy of [ID] held by App.
 	ID() ID
 	// Seal determines the outcome of config as a [SealedApp].
 	// The value of config might be overwritten and must not be used again.
 	Seal(config *hst.Config) (SealedApp, error)
 	String() string
 }
 type SealedApp interface {
 	// Run commits sealed system setup and starts the app process.
 	Run(rs *RunState) error
 }
 // RunState stores the outcome of a call to [SealedApp.Run].
 type RunState struct {
 	// Time is the exact point in time where the process was created.
 	// Location must be set to UTC.
 	//
 	// Time is nil if no process was ever created.
 	Time *time.Time
 	// RevertErr is stored by the deferred revert call.
 	RevertErr error
 	// WaitErr is the generic error value created by the standard library.
 	WaitErr error
 	syscall.WaitStatus
 }
 // SetStart stores the current time in [RunState] once.
 func (rs *RunState) SetStart() {
 	if rs.Time != nil {
 		panic("attempted to store time twice")
 	}
 	now := time.Now().UTC()
 	rs.Time = &now
 }
--- a/cmd/hakurei/internal/app/id.go
+++ b/cmd/hakurei/internal/app/id.go
@@ -1,48 +0,0 @@
 package app
 import (
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
 	"fmt"
 )
 type ID [16]byte
 var (
 	ErrInvalidLength = errors.New("string representation must have a length of 32")
 )
 func (a *ID) String() string {
 	return hex.EncodeToString(a[:])
 }
 func NewAppID(id *ID) error {
 	_, err := rand.Read(id[:])
 	return err
 }
 func ParseAppID(id *ID, s string) error {
 	if len(s) != 32 {
 		return ErrInvalidLength
 	}
 	for i, b := range s {
 		if b < '0' || b > 'f' {
 			return fmt.Errorf("invalid char %q at byte %d", b, i)
 		}
 		v := uint8(b)
 		if v > '9' {
 			v = 10 + v - 'a'
 		} else {
 			v -= '0'
 		}
 		if i%2 == 0 {
 			v <<= 4
 		}
 		id[i/2] += v
 	}
 	return nil
 }
--- a/cmd/hakurei/internal/app/id_test.go
+++ b/cmd/hakurei/internal/app/id_test.go
@@ -1,63 +0,0 @@
 package app_test
 import (
 	"errors"
 	"testing"
 	. "hakurei.app/cmd/hakurei/internal/app"
 )
 func TestParseAppID(t *testing.T) {
 	t.Run("bad length", func(t *testing.T) {
 		if err := ParseAppID(new(ID), "meow"); !errors.Is(err, ErrInvalidLength) {
 			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, ErrInvalidLength)
 		}
 	})
 	t.Run("bad byte", func(t *testing.T) {
 		wantErr := "invalid char '\\n' at byte 15"
 		if err := ParseAppID(new(ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
 			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, wantErr)
 		}
 	})
 	t.Run("fuzz 16 iterations", func(t *testing.T) {
 		for i := 0; i < 16; i++ {
 			testParseAppIDWithRandom(t)
 		}
 	})
 }
 func FuzzParseAppID(f *testing.F) {
 	for i := 0; i < 16; i++ {
 		id := new(ID)
 		if err := NewAppID(id); err != nil {
 			panic(err.Error())
 		}
 		f.Add(id[0], id[1], id[2], id[3], id[4], id[5], id[6], id[7], id[8], id[9], id[10], id[11], id[12], id[13], id[14], id[15])
 	}
 	f.Fuzz(func(t *testing.T, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15 byte) {
 		testParseAppID(t, &ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
 	})
 }
 func testParseAppIDWithRandom(t *testing.T) {
 	id := new(ID)
 	if err := NewAppID(id); err != nil {
 		t.Fatalf("cannot generate app ID: %v", err)
 	}
 	testParseAppID(t, id)
 }
 func testParseAppID(t *testing.T, id *ID) {
 	s := id.String()
 	got := new(ID)
 	if err := ParseAppID(got, s); err != nil {
 		t.Fatalf("cannot parse app ID: %v", err)
 	}
 	if *got != *id {
 		t.Fatalf("ParseAppID(%#v) = \n%#v, want \n%#v", s, got, id)
 	}
 }
--- a/cmd/hakurei/internal/app/instance/common/container.go
+++ b/cmd/hakurei/internal/app/instance/common/container.go
@@ -1,192 +0,0 @@
 package common
 import (
 	"errors"
 	"fmt"
 	"io/fs"
 	"maps"
 	"path"
 	"syscall"
 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system/dbus"
 )
 // in practice there should be less than 30 entries added by the runtime;
 // allocating slightly more as a margin for future expansion
 const preallocateOpsCount = 1 << 5
 // NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
 func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*container.Params, map[string]string, error) {
 	if s == nil {
 		return nil, nil, syscall.EBADE
 	}
 	params := &container.Params{
 		Hostname:       s.Hostname,
 		SeccompFlags:   s.SeccompFlags,
 		SeccompPresets: s.SeccompPresets,
 		RetainSession:  s.Tty,
 		HostNet:        s.Net,
 	}
 	{
 		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
 		params.Ops = &ops
 	}
 	if s.Multiarch {
 		params.SeccompFlags |= seccomp.AllowMultiarch
 	}
 	if !s.SeccompCompat {
 		params.SeccompPresets |= seccomp.PresetExt
 	}
 	if !s.Devel {
 		params.SeccompPresets |= seccomp.PresetDenyDevel
 	}
 	if !s.Userns {
 		params.SeccompPresets |= seccomp.PresetDenyNS
 	}
 	if !s.Tty {
 		params.SeccompPresets |= seccomp.PresetDenyTTY
 	}
 	if s.MapRealUID {
 		/* some programs fail to connect to dbus session running as a different uid
 		so this workaround is introduced to map priv-side caller uid in container */
 		params.Uid = os.Getuid()
 		*uid = params.Uid
 		params.Gid = os.Getgid()
 		*gid = params.Gid
 	} else {
 		*uid = container.OverflowUid()
 		*gid = container.OverflowGid()
 	}
 	params.
 		Proc("/proc").
 		Tmpfs(hst.Tmp, 1<<12, 0755)
 	if !s.Device {
 		params.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
 		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
 	}
 	/* retrieve paths and hide them if they're made available in the sandbox;
 	this feature tries to improve user experience of permissive defaults, and
 	to warn about issues in custom configuration; it is NOT a security feature
 	and should not be treated as such, ALWAYS be careful with what you bind */
 	var hidePaths []string
 	sc := os.Paths()
 	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
 	_, systemBusAddr := dbus.Address()
 	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
 		return nil, nil, err
 	} else {
 		// there is usually only one, do not preallocate
 		for _, entry := range entries {
 			if entry.Method != "unix" {
 				continue
 			}
 			for _, pair := range entry.Values {
 				if pair[0] == "path" {
 					if path.IsAbs(pair[1]) {
 						// get parent dir of socket
 						dir := path.Dir(pair[1])
 						if dir == "." || dir == "/" {
 							os.Printf("dbus socket %q is in an unusual location", pair[1])
 						}
 						hidePaths = append(hidePaths, dir)
 					} else {
 						os.Printf("dbus socket %q is not absolute", pair[1])
 					}
 				}
 			}
 		}
 	}
 	hidePathMatch := make([]bool, len(hidePaths))
 	for i := range hidePaths {
 		if err := evalSymlinks(os, &hidePaths[i]); err != nil {
 			return nil, nil, err
 		}
 	}
 	for _, c := range s.Filesystem {
 		if c == nil {
 			continue
 		}
 		if !path.IsAbs(c.Src) {
 			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
 		}
 		dest := c.Dst
 		if c.Dst == "" {
 			dest = c.Src
 		} else if !path.IsAbs(dest) {
 			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
 		}
 		srcH := c.Src
 		if err := evalSymlinks(os, &srcH); err != nil {
 			return nil, nil, err
 		}
 		for i := range hidePaths {
 			// skip matched entries
 			if hidePathMatch[i] {
 				continue
 			}
 			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
 				return nil, nil, err
 			} else if ok {
 				hidePathMatch[i] = true
 				os.Printf("hiding paths from %q", c.Src)
 			}
 		}
 		var flags int
 		if c.Write {
 			flags |= container.BindWritable
 		}
 		if c.Device {
 			flags |= container.BindDevice | container.BindWritable
 		}
 		if !c.Must {
 			flags |= container.BindOptional
 		}
 		params.Bind(c.Src, dest, flags)
 	}
 	// cover matched paths
 	for i, ok := range hidePathMatch {
 		if ok {
 			params.Tmpfs(hidePaths[i], 1<<13, 0755)
 		}
 	}
 	for _, l := range s.Link {
 		params.Link(l[0], l[1])
 	}
 	return params, maps.Clone(s.Env), nil
 }
 func evalSymlinks(os sys.State, v *string) error {
 	if p, err := os.EvalSymlinks(*v); err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return err
 		}
 		os.Printf("path %q does not yet exist", *v)
 	} else {
 		*v = p
 	}
 	return nil
 }
--- a/cmd/hakurei/internal/app/instance/common/path.go
+++ b/cmd/hakurei/internal/app/instance/common/path.go
@@ -1,11 +0,0 @@
 package common
 import (
 	"path/filepath"
 	"strings"
 )
 func deepContainsH(basepath, targpath string) (bool, error) {
 	rel, err := filepath.Rel(basepath, targpath)
 	return err == nil && rel != ".." && !strings.HasPrefix(rel, string([]byte{'.', '.', filepath.Separator})), err
 }
--- a/cmd/hakurei/internal/app/instance/errors.go
+++ b/cmd/hakurei/internal/app/instance/errors.go
@@ -1,17 +0,0 @@
 package instance
 import (
 	"syscall"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/app/internal/setuid"
 )
 func PrintRunStateErr(whence int, rs *app.RunState, runErr error) (code int) {
 	switch whence {
 	case ISetuid:
 		return setuid.PrintRunStateErr(rs, runErr)
 	default:
 		panic(syscall.EINVAL)
 	}
 }
--- a/cmd/hakurei/internal/app/instance/new.go
+++ b/cmd/hakurei/internal/app/instance/new.go
@@ -1,33 +0,0 @@
 // Package instance exposes cross-package implementation details and provides constructors for builtin implementations.
 package instance
 import (
 	"context"
 	"log"
 	"syscall"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/app/internal/setuid"
 	"hakurei.app/internal/sys"
 )
 const (
 	ISetuid = iota
 )
 func New(whence int, ctx context.Context, os sys.State) (app.App, error) {
 	switch whence {
 	case ISetuid:
 		return setuid.New(ctx, os)
 	default:
 		return nil, syscall.EINVAL
 	}
 }
 func MustNew(whence int, ctx context.Context, os sys.State) app.App {
 	a, err := New(whence, ctx, os)
 	if err != nil {
 		log.Fatalf("cannot create app: %v", err)
 	}
 	return a
 }
--- a/cmd/hakurei/internal/app/instance/shim.go
+++ b/cmd/hakurei/internal/app/instance/shim.go
@@ -1,6 +0,0 @@
 package instance
 import "hakurei.app/cmd/hakurei/internal/app/internal/setuid"
 // ShimMain is the main function of the shim process and runs as the unconstrained target user.
 func ShimMain() { setuid.ShimMain() }
--- a/cmd/hakurei/internal/app/internal/setuid/app.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app.go
@@ -1,74 +0,0 @@
 package setuid
 import (
 	"context"
 	"fmt"
 	"sync"
 	. "hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 )
 func New(ctx context.Context, os sys.State) (App, error) {
 	a := new(app)
 	a.sys = os
 	a.ctx = ctx
 	id := new(ID)
 	err := NewAppID(id)
 	a.id = newID(id)
 	return a, err
 }
 type app struct {
 	id  *stringPair[ID]
 	sys sys.State
 	ctx context.Context
 	*outcome
 	mu sync.RWMutex
 }
 func (a *app) ID() ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
 func (a *app) String() string {
 	if a == nil {
 		return "(invalid app)"
 	}
 	a.mu.RLock()
 	defer a.mu.RUnlock()
 	if a.outcome != nil {
 		if a.outcome.user.uid == nil {
 			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
 		}
 		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
 	}
 	return fmt.Sprintf("(unsealed app %s)", a.id)
 }
 func (a *app) Seal(config *hst.Config) (SealedApp, error) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
 	if a.outcome != nil {
 		panic("app sealed twice")
 	}
 	if config == nil {
 		return nil, hlog.WrapErr(ErrConfig,
 			"attempted to seal app with nil config")
 	}
 	seal := new(outcome)
 	seal.id = a.id
 	err := seal.finalise(a.ctx, a.sys, config)
 	if err == nil {
 		a.outcome = seal
 	}
 	return seal, err
 }
--- a/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go
@@ -1,149 +0,0 @@
 package setuid_test
 import (
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/system"
 	"hakurei.app/system/acl"
 	"hakurei.app/system/dbus"
 )
 var testCasesNixos = []sealTestCase{
 	{
 		"nixos chromium direct wayland", new(stubNixOS),
 		&hst.Config{
 			ID:          "org.chromium.Chromium",
 			Path:        "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
 			Enablements: system.EWayland | system.EDBus | system.EPulse,
 			Container: &hst.ContainerConfig{
 				Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
 				Filesystem: []*hst.FilesystemConfig{
 					{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
 					{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
 					{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
 					{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
 				},
 				Cover: []string{"/var/run/nscd"},
 			},
 			SystemBus: &dbus.Config{
 				Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
 				Filter: true,
 			},
 			SessionBus: &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
 					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
 					"org.kde.kwalletd5", "org.kde.kwalletd6",
 				},
 				Own: []string{
 					"org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.chromium.*",
 				},
 				Call: map[string]string{}, Broadcast: map[string]string{},
 				Filter: true,
 			},
 			DirectWayland: true,
 			Username: "u0_a1",
 			Data:     "/var/lib/persist/module/hakurei/0/1",
 			Identity: 1, Groups: []string{},
 		},
 		app.ID{
 			0x8e, 0x2c, 0x76, 0xb0,
 			0x66, 0xda, 0xbe, 0x57,
 			0x4c, 0xf0, 0x73, 0xbd,
 			0xb4, 0x6e, 0xb5, 0xc1,
 		},
 		system.New(1000001).
 			Ensure("/tmp/hakurei.1971", 0711).
 			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
 			Ensure("/tmp/hakurei.1971/runtime/1", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
 			Ensure("/run/user/1971/hakurei", 0700).UpdatePermType(system.User, "/run/user/1971/hakurei", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
 			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			Ephemeral(system.Process, "/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
 			MustProxyDBus("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
 					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
 					"org.kde.kwalletd5", "org.kde.kwalletd6",
 				},
 				Own: []string{
 					"org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.chromium.*",
 				},
 				Call: map[string]string{}, Broadcast: map[string]string{},
 				Filter: true,
 			}, "/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", &dbus.Config{
 				Talk: []string{
 					"org.bluez",
 					"org.freedesktop.Avahi",
 					"org.freedesktop.UPower",
 				},
 				Filter: true,
 			}).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
 		&container.Params{
 			Uid:  1971,
 			Gid:  100,
 			Dir:  "/var/lib/persist/module/hakurei/0/1",
 			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
 			Args: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
 				"HOME=/var/lib/persist/module/hakurei/0/1",
 				"PULSE_COOKIE=" + hst.Tmp + "/pulse-cookie",
 				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=u0_a1",
 				"WAYLAND_DISPLAY=wayland-0",
 				"XDG_RUNTIME_DIR=/run/user/1971",
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
 				Bind("/bin", "/bin", 0).
 				Bind("/usr/bin", "/usr/bin", 0).
 				Bind("/nix/store", "/nix/store", 0).
 				Bind("/run/current-system", "/run/current-system", 0).
 				Bind("/sys/block", "/sys/block", container.BindOptional).
 				Bind("/sys/bus", "/sys/bus", container.BindOptional).
 				Bind("/sys/class", "/sys/class", container.BindOptional).
 				Bind("/sys/dev", "/sys/dev", container.BindOptional).
 				Bind("/sys/devices", "/sys/devices", container.BindOptional).
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
 				Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional).
 				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 				Tmpfs("/run/user", 4096, 0755).
 				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable).
 				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable).
 				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", container.BindWritable).
 				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:100:\n")).
 				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
 				Bind("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
 				Place(hst.Tmp+"/pulse-cookie", nil).
 				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
 				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
 				Tmpfs("/var/run/nscd", 8192, 0755),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
 			HostNet:        true,
 		},
 	},
 }
--- a/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go
@@ -1,225 +0,0 @@
 package setuid_test
 import (
 	"os"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/system"
 	"hakurei.app/system/acl"
 	"hakurei.app/system/dbus"
 )
 var testCasesPd = []sealTestCase{
 	{
 		"nixos permissive defaults no enablements", new(stubNixOS),
 		&hst.Config{Username: "chronos", Data: "/home/chronos"},
 		app.ID{
 			0x4a, 0x45, 0x0b, 0x65,
 			0x96, 0xd7, 0xbc, 0x15,
 			0xbd, 0x01, 0x78, 0x0e,
 			0xb9, 0xa6, 0x07, 0xac,
 		},
 		system.New(1000000).
 			Ensure("/tmp/hakurei.1971", 0711).
 			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
 			Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
 		&container.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"/run/current-system/sw/bin/zsh"},
 			Env: []string{
 				"HOME=/home/chronos",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
 				"XDG_RUNTIME_DIR=/run/user/65534",
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
 				Bind("/bin", "/bin", container.BindWritable).
 				Bind("/boot", "/boot", container.BindWritable).
 				Bind("/home", "/home", container.BindWritable).
 				Bind("/lib", "/lib", container.BindWritable).
 				Bind("/lib64", "/lib64", container.BindWritable).
 				Bind("/nix", "/nix", container.BindWritable).
 				Bind("/root", "/root", container.BindWritable).
 				Bind("/run", "/run", container.BindWritable).
 				Bind("/srv", "/srv", container.BindWritable).
 				Bind("/sys", "/sys", container.BindWritable).
 				Bind("/usr", "/usr", container.BindWritable).
 				Bind("/var", "/var", container.BindWritable).
 				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs("/run/user", 4096, 0755).
 				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable).
 				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
 				Bind("/home/chronos", "/home/chronos", container.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Tmpfs("/var/run/nscd", 8192, 0755),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
 		},
 	},
 	{
 		"nixos permissive defaults chromium", new(stubNixOS),
 		&hst.Config{
 			ID:       "org.chromium.Chromium",
 			Args:     []string{"zsh", "-c", "exec chromium "},
 			Identity: 9,
 			Groups:   []string{"video"},
 			Username: "chronos",
 			Data:     "/home/chronos",
 			SessionBus: &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.Notifications",
 					"org.freedesktop.FileManager1",
 					"org.freedesktop.ScreenSaver",
 					"org.freedesktop.secrets",
 					"org.kde.kwalletd5",
 					"org.kde.kwalletd6",
 					"org.gnome.SessionManager",
 				},
 				Own: []string{
 					"org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.chromium.*",
 				},
 				Call: map[string]string{
 					"org.freedesktop.portal.*": "*",
 				},
 				Broadcast: map[string]string{
 					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
 				},
 				Filter: true,
 			},
 			SystemBus: &dbus.Config{
 				Talk: []string{
 					"org.bluez",
 					"org.freedesktop.Avahi",
 					"org.freedesktop.UPower",
 				},
 				Filter: true,
 			},
 			Enablements: system.EWayland | system.EDBus | system.EPulse,
 		},
 		app.ID{
 			0xeb, 0xf0, 0x83, 0xd1,
 			0xb1, 0x75, 0x91, 0x17,
 			0x82, 0xd4, 0x13, 0x36,
 			0x9b, 0x64, 0xce, 0x7c,
 		},
 		system.New(1000009).
 			Ensure("/tmp/hakurei.1971", 0711).
 			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
 			Ensure("/tmp/hakurei.1971/runtime/9", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/9", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c", 0711).
 			Wayland(new(*os.File), "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
 			Ensure("/run/user/1971/hakurei", 0700).UpdatePermType(system.User, "/run/user/1971/hakurei", acl.Execute).
 			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ephemeral(system.Process, "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c", acl.Execute).
 			Link("/run/user/1971/pulse/native", "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse").
 			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
 			MustProxyDBus("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
 				Talk: []string{
 					"org.freedesktop.Notifications",
 					"org.freedesktop.FileManager1",
 					"org.freedesktop.ScreenSaver",
 					"org.freedesktop.secrets",
 					"org.kde.kwalletd5",
 					"org.kde.kwalletd6",
 					"org.gnome.SessionManager",
 				},
 				Own: []string{
 					"org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
 					"org.mpris.MediaPlayer2.chromium.*",
 				},
 				Call: map[string]string{
 					"org.freedesktop.portal.*": "*",
 				},
 				Broadcast: map[string]string{
 					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
 				},
 				Filter: true,
 			}, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
 				Talk: []string{
 					"org.bluez",
 					"org.freedesktop.Avahi",
 					"org.freedesktop.UPower",
 				},
 				Filter: true,
 			}).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
 		&container.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"zsh", "-c", "exec chromium "},
 			Env: []string{
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
 				"HOME=/home/chronos",
 				"PULSE_COOKIE=" + hst.Tmp + "/pulse-cookie",
 				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
 				"WAYLAND_DISPLAY=wayland-0",
 				"XDG_RUNTIME_DIR=/run/user/65534",
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
 			Ops: new(container.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
 				Bind("/bin", "/bin", container.BindWritable).
 				Bind("/boot", "/boot", container.BindWritable).
 				Bind("/home", "/home", container.BindWritable).
 				Bind("/lib", "/lib", container.BindWritable).
 				Bind("/lib64", "/lib64", container.BindWritable).
 				Bind("/nix", "/nix", container.BindWritable).
 				Bind("/root", "/root", container.BindWritable).
 				Bind("/run", "/run", container.BindWritable).
 				Bind("/srv", "/srv", container.BindWritable).
 				Bind("/sys", "/sys", container.BindWritable).
 				Bind("/usr", "/usr", container.BindWritable).
 				Bind("/var", "/var", container.BindWritable).
 				Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
 				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs("/run/user", 4096, 0755).
 				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable).
 				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable).
 				Bind("/home/chronos", "/home/chronos", container.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
 				Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
 				Place(hst.Tmp+"/pulse-cookie", nil).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
 				Tmpfs("/var/run/nscd", 8192, 0755),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
 		},
 	},
 }
--- a/cmd/hakurei/internal/app/internal/setuid/app_stub_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_stub_test.go
@@ -1,134 +0,0 @@
 package setuid_test
 import (
 	"fmt"
 	"io/fs"
 	"log"
 	"os/user"
 	"strconv"
 	"hakurei.app/hst"
 )
 // fs methods are not implemented using a real FS
 // to help better understand filesystem access behaviour
 type stubNixOS struct {
 	lookPathErr map[string]error
 	usernameErr map[string]error
 }
 func (s *stubNixOS) Getuid() int                              { return 1971 }
 func (s *stubNixOS) Getgid() int                              { return 100 }
 func (s *stubNixOS) TempDir() string                          { return "/tmp" }
 func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/hakurei" }
 func (s *stubNixOS) Exit(code int)                            { panic("called exit on stub with code " + strconv.Itoa(code)) }
 func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
 func (s *stubNixOS) Uid(aid int) (int, error)                 { return 1000000 + 0*10000 + aid, nil }
 func (s *stubNixOS) Println(v ...any)               { log.Println(v...) }
 func (s *stubNixOS) Printf(format string, v ...any) { log.Printf(format, v...) }
 func (s *stubNixOS) LookupEnv(key string) (string, bool) {
 	switch key {
 	case "SHELL":
 		return "/run/current-system/sw/bin/zsh", true
 	case "TERM":
 		return "xterm-256color", true
 	case "WAYLAND_DISPLAY":
 		return "wayland-0", true
 	case "PULSE_COOKIE":
 		return "", false
 	case "HOME":
 		return "/home/ophestra", true
 	case "XDG_CONFIG_HOME":
 		return "/home/ophestra/xdg/config", true
 	default:
 		panic(fmt.Sprintf("attempted to access unexpected environment variable %q", key))
 	}
 }
 func (s *stubNixOS) LookPath(file string) (string, error) {
 	if s.lookPathErr != nil {
 		if err, ok := s.lookPathErr[file]; ok {
 			return "", err
 		}
 	}
 	switch file {
 	case "zsh":
 		return "/run/current-system/sw/bin/zsh", nil
 	default:
 		panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
 	}
 }
 func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
 	switch name {
 	case "video":
 		return &user.Group{Gid: "26", Name: "video"}, nil
 	default:
 		return nil, user.UnknownGroupError(name)
 	}
 }
 func (s *stubNixOS) ReadDir(name string) ([]fs.DirEntry, error) {
 	switch name {
 	case "/":
 		return stubDirEntries("bin", "boot", "dev", "etc", "home", "lib",
 			"lib64", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var")
 	case "/run":
 		return stubDirEntries("agetty.reload", "binfmt", "booted-system",
 			"credentials", "cryptsetup", "current-system", "dbus", "host", "keys",
 			"libvirt", "libvirtd.pid", "lock", "log", "lvm", "mount", "NetworkManager",
 			"nginx", "nixos", "nscd", "opengl-driver", "pppd", "resolvconf", "sddm",
 			"store", "syncoid", "system", "systemd", "tmpfiles.d", "udev", "udisks2",
 			"user", "utmp", "virtlogd.pid", "wrappers", "zed.pid", "zed.state")
 	case "/etc":
 		return stubDirEntries("alsa", "bashrc", "binfmt.d", "dbus-1", "default",
 			"ethertypes", "fonts", "fstab", "fuse.conf", "group", "host.conf", "hostid",
 			"hostname", "hostname.CHECKSUM", "hosts", "inputrc", "ipsec.d", "issue", "kbd",
 			"libblockdev", "locale.conf", "localtime", "login.defs", "lsb-release", "lvm",
 			"machine-id", "man_db.conf", "modprobe.d", "modules-load.d", "mtab", "nanorc",
 			"netgroup", "NetworkManager", "nix", "nixos", "NIXOS", "nscd.conf", "nsswitch.conf",
 			"opensnitchd", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1",
 			"profile", "protocols", "qemu", "resolv.conf", "resolvconf.conf", "rpc", "samba",
 			"sddm.conf", "secureboot", "services", "set-environment", "shadow", "shells", "ssh",
 			"ssl", "static", "subgid", "subuid", "sudoers", "sysctl.d", "systemd", "terminfo",
 			"tmpfiles.d", "udev", "udisks2", "UPower", "vconsole.conf", "X11", "zfs", "zinputrc",
 			"zoneinfo", "zprofile", "zshenv", "zshrc")
 	default:
 		panic(fmt.Sprintf("attempted to read unexpected directory %q", name))
 	}
 }
 func (s *stubNixOS) Stat(name string) (fs.FileInfo, error) {
 	switch name {
 	case "/var/run/nscd":
 		return nil, nil
 	case "/run/user/1971/pulse":
 		return nil, nil
 	case "/run/user/1971/pulse/native":
 		return stubFileInfoMode(0666), nil
 	case "/home/ophestra/.pulse-cookie":
 		return stubFileInfoIsDir(true), nil
 	case "/home/ophestra/xdg/config/pulse/cookie":
 		return stubFileInfoIsDir(false), nil
 	default:
 		panic(fmt.Sprintf("attempted to stat unexpected path %q", name))
 	}
 }
 func (s *stubNixOS) Open(name string) (fs.File, error) {
 	switch name {
 	default:
 		panic(fmt.Sprintf("attempted to open unexpected file %q", name))
 	}
 }
 func (s *stubNixOS) Paths() hst.Paths {
 	return hst.Paths{
 		SharePath:   "/tmp/hakurei.1971",
 		RuntimePath: "/run/user/1971",
 		RunDirPath:  "/run/user/1971/hakurei",
 	}
 }
--- a/cmd/hakurei/internal/app/internal/setuid/app_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_test.go
@@ -1,104 +0,0 @@
 package setuid_test
 import (
 	"encoding/json"
 	"io/fs"
 	"reflect"
 	"testing"
 	"time"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/app/internal/setuid"
 	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system"
 )
 type sealTestCase struct {
 	name          string
 	os            sys.State
 	config        *hst.Config
 	id            app.ID
 	wantSys       *system.I
 	wantContainer *container.Params
 }
 func TestApp(t *testing.T) {
 	testCases := append(testCasesPd, testCasesNixos...)
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			a := setuid.NewWithID(tc.id, tc.os)
 			var (
 				gotSys       *system.I
 				gotContainer *container.Params
 			)
 			if !t.Run("seal", func(t *testing.T) {
 				if sa, err := a.Seal(tc.config); err != nil {
 					t.Errorf("Seal: error = %v", err)
 					return
 				} else {
 					gotSys, gotContainer = setuid.AppIParams(a, sa)
 				}
 			}) {
 				return
 			}
 			t.Run("compare sys", func(t *testing.T) {
 				if !gotSys.Equal(tc.wantSys) {
 					t.Errorf("Seal: sys = %#v, want %#v",
 						gotSys, tc.wantSys)
 				}
 			})
 			t.Run("compare params", func(t *testing.T) {
 				if !reflect.DeepEqual(gotContainer, tc.wantContainer) {
 					t.Errorf("seal: params =\n%s\n, want\n%s",
 						mustMarshal(gotContainer), mustMarshal(tc.wantContainer))
 				}
 			})
 		})
 	}
 }
 func mustMarshal(v any) string {
 	if b, err := json.Marshal(v); err != nil {
 		panic(err.Error())
 	} else {
 		return string(b)
 	}
 }
 func stubDirEntries(names ...string) (e []fs.DirEntry, err error) {
 	e = make([]fs.DirEntry, len(names))
 	for i, name := range names {
 		e[i] = stubDirEntryPath(name)
 	}
 	return
 }
 type stubDirEntryPath string
 func (p stubDirEntryPath) Name() string               { return string(p) }
 func (p stubDirEntryPath) IsDir() bool                { panic("attempted to call IsDir") }
 func (p stubDirEntryPath) Type() fs.FileMode          { panic("attempted to call Type") }
 func (p stubDirEntryPath) Info() (fs.FileInfo, error) { panic("attempted to call Info") }
 type stubFileInfoMode fs.FileMode
 func (s stubFileInfoMode) Name() string       { panic("attempted to call Name") }
 func (s stubFileInfoMode) Size() int64        { panic("attempted to call Size") }
 func (s stubFileInfoMode) Mode() fs.FileMode  { return fs.FileMode(s) }
 func (s stubFileInfoMode) ModTime() time.Time { panic("attempted to call ModTime") }
 func (s stubFileInfoMode) IsDir() bool        { panic("attempted to call IsDir") }
 func (s stubFileInfoMode) Sys() any           { panic("attempted to call Sys") }
 type stubFileInfoIsDir bool
 func (s stubFileInfoIsDir) Name() string       { panic("attempted to call Name") }
 func (s stubFileInfoIsDir) Size() int64        { panic("attempted to call Size") }
 func (s stubFileInfoIsDir) Mode() fs.FileMode  { panic("attempted to call Mode") }
 func (s stubFileInfoIsDir) ModTime() time.Time { panic("attempted to call ModTime") }
 func (s stubFileInfoIsDir) IsDir() bool        { return bool(s) }
 func (s stubFileInfoIsDir) Sys() any           { panic("attempted to call Sys") }
--- a/cmd/hakurei/internal/app/internal/setuid/errors.go
+++ b/cmd/hakurei/internal/app/internal/setuid/errors.go
@@ -1,182 +0,0 @@
 package setuid
 import (
 	"errors"
 	"log"
 	. "hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/internal/hlog"
 )
 func PrintRunStateErr(rs *RunState, runErr error) (code int) {
 	code = rs.ExitStatus()
 	if runErr != nil {
 		if rs.Time == nil {
 			hlog.PrintBaseError(runErr, "cannot start app:")
 		} else {
 			var e *hlog.BaseError
 			if !hlog.AsBaseError(runErr, &e) {
 				log.Println("wait failed:", runErr)
 			} else {
 				// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
 				var se *StateStoreError
 				if !errors.As(runErr, &se) {
 					// does not need special handling
 					log.Print(e.Message())
 				} else {
 					// inner error are either unwrapped store errors
 					// or joined errors returned by *appSealTx revert
 					// wrapped in *app.BaseError
 					var ej RevertCompoundError
 					if !errors.As(se.InnerErr, &ej) {
 						// does not require special handling
 						log.Print(e.Message())
 					} else {
 						errs := ej.Unwrap()
 						// every error here is wrapped in *app.BaseError
 						for _, ei := range errs {
 							var eb *hlog.BaseError
 							if !errors.As(ei, &eb) {
 								// unreachable
 								log.Println("invalid error type returned by revert:", ei)
 							} else {
 								// print inner *app.BaseError message
 								log.Print(eb.Message())
 							}
 						}
 					}
 				}
 			}
 		}
 		if code == 0 {
 			code = 126
 		}
 	}
 	if rs.RevertErr != nil {
 		var stateStoreError *StateStoreError
 		if !errors.As(rs.RevertErr, &stateStoreError) || stateStoreError == nil {
 			hlog.PrintBaseError(rs.RevertErr, "generic fault during cleanup:")
 			goto out
 		}
 		if stateStoreError.Err != nil {
 			if len(stateStoreError.Err) == 2 {
 				if stateStoreError.Err[0] != nil {
 					if joinedErrs, ok := stateStoreError.Err[0].(interface{ Unwrap() []error }); !ok {
 						hlog.PrintBaseError(stateStoreError.Err[0], "generic fault during revert:")
 					} else {
 						for _, err := range joinedErrs.Unwrap() {
 							if err != nil {
 								hlog.PrintBaseError(err, "fault during revert:")
 							}
 						}
 					}
 				}
 				if stateStoreError.Err[1] != nil {
 					log.Printf("cannot close store: %v", stateStoreError.Err[1])
 				}
 			} else {
 				log.Printf("fault during cleanup: %v",
 					errors.Join(stateStoreError.Err...))
 			}
 		}
 		if stateStoreError.OpErr != nil {
 			log.Printf("blind revert due to store fault: %v",
 				stateStoreError.OpErr)
 		}
 		if stateStoreError.DoErr != nil {
 			hlog.PrintBaseError(stateStoreError.DoErr, "state store operation unsuccessful:")
 		}
 		if stateStoreError.Inner && stateStoreError.InnerErr != nil {
 			hlog.PrintBaseError(stateStoreError.InnerErr, "cannot destroy state entry:")
 		}
 	out:
 		if code == 0 {
 			code = 128
 		}
 	}
 	if rs.WaitErr != nil {
 		hlog.Verbosef("wait: %v", rs.WaitErr)
 	}
 	return
 }
 // StateStoreError is returned for a failed state save
 type StateStoreError struct {
 	// whether inner function was called
 	Inner bool
 	// returned by the Save/Destroy method of [state.Cursor]
 	InnerErr error
 	// returned by the Do method of [state.Store]
 	DoErr error
 	// stores an arbitrary store operation error
 	OpErr error
 	// stores arbitrary errors
 	Err []error
 }
 // save saves arbitrary errors in [StateStoreError] once.
 func (e *StateStoreError) save(errs ...error) {
 	if len(errs) == 0 || e.Err != nil {
 		panic("invalid call to save")
 	}
 	e.Err = errs
 }
 func (e *StateStoreError) equiv(a ...any) error {
 	if e.Inner && e.InnerErr == nil && e.DoErr == nil && e.OpErr == nil && errors.Join(e.Err...) == nil {
 		return nil
 	} else {
 		return hlog.WrapErrSuffix(e, a...)
 	}
 }
 func (e *StateStoreError) Error() string {
 	if e.Inner && e.InnerErr != nil {
 		return e.InnerErr.Error()
 	}
 	if e.DoErr != nil {
 		return e.DoErr.Error()
 	}
 	if e.OpErr != nil {
 		return e.OpErr.Error()
 	}
 	if err := errors.Join(e.Err...); err != nil {
 		return err.Error()
 	}
 	// equiv nullifies e for values where this is reached
 	panic("unreachable")
 }
 func (e *StateStoreError) Unwrap() (errs []error) {
 	errs = make([]error, 0, 3)
 	if e.InnerErr != nil {
 		errs = append(errs, e.InnerErr)
 	}
 	if e.DoErr != nil {
 		errs = append(errs, e.DoErr)
 	}
 	if e.OpErr != nil {
 		errs = append(errs, e.OpErr)
 	}
 	if err := errors.Join(e.Err...); err != nil {
 		errs = append(errs, err)
 	}
 	return
 }
 // A RevertCompoundError encapsulates errors returned by
 // the Revert method of [system.I].
 type RevertCompoundError interface {
 	Error() string
 	Unwrap() []error
 }
--- a/cmd/hakurei/internal/app/internal/setuid/export_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/export_test.go
@@ -1,24 +0,0 @@
 package setuid
 import (
 	. "hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/container"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system"
 )
 func NewWithID(id ID, os sys.State) App {
 	a := new(app)
 	a.id = newID(&id)
 	a.sys = os
 	return a
 }
 func AppIParams(a App, sa SealedApp) (*system.I, *container.Params) {
 	v := a.(*app)
 	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {
 		panic("broken app/outcome link")
 	}
 	return seal.sys, seal.container
 }
--- a/cmd/hakurei/internal/app/internal/setuid/process.go
+++ b/cmd/hakurei/internal/app/internal/setuid/process.go
@@ -1,195 +0,0 @@
 package setuid
 import (
 	"context"
 	"encoding/gob"
 	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
 	. "hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/container"
 	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 	"hakurei.app/system"
 )
 const shimWaitTimeout = 5 * time.Second
 func (seal *outcome) Run(rs *RunState) error {
 	if !seal.f.CompareAndSwap(false, true) {
 		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
 		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
 		// other Run a chance to return
 		return errors.New("outcome: attempted to run twice")
 	}
 	if rs == nil {
 		panic("invalid state")
 	}
 	// read comp value early to allow for early failure
 	hsuPath := internal.MustHsuPath()
 	if err := seal.sys.Commit(seal.ctx); err != nil {
 		return err
 	}
 	store := state.NewMulti(seal.runDirPath)
 	deferredStoreFunc := func(c state.Cursor) error { return nil } // noop until state in store
 	defer func() {
 		var revertErr error
 		storeErr := new(StateStoreError)
 		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
 			revertErr = func() error {
 				storeErr.InnerErr = deferredStoreFunc(c)
 				var rt system.Enablement
 				ec := system.Process
 				if states, err := c.Load(); err != nil {
 					// revert per-process state here to limit damage
 					storeErr.OpErr = err
 					return seal.sys.Revert((*system.Criteria)(&ec))
 				} else {
 					if l := len(states); l == 0 {
 						ec |= system.User
 					} else {
 						hlog.Verbosef("found %d instances, cleaning up without user-scoped operations", l)
 					}
 					// accumulate enablements of remaining launchers
 					for i, s := range states {
 						if s.Config != nil {
 							rt |= s.Config.Enablements
 						} else {
 							log.Printf("state entry %d does not contain config", i)
 						}
 					}
 				}
 				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
 				if hlog.Load() {
 					if ec > 0 {
 						hlog.Verbose("reverting operations scope", system.TypeString(ec))
 					}
 				}
 				return seal.sys.Revert((*system.Criteria)(&ec))
 			}()
 		})
 		storeErr.save(revertErr, store.Close())
 		rs.RevertErr = storeErr.equiv("error during cleanup:")
 	}()
 	ctx, cancel := context.WithCancel(seal.ctx)
 	defer cancel()
 	cmd := exec.CommandContext(ctx, hsuPath)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Dir = "/" // container init enters final working directory
 	// shim runs in the same session as monitor; see shim.go for behaviour
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
 	var e *gob.Encoder
 	if fd, encoder, err := container.Setup(&cmd.ExtraFiles); err != nil {
 		return hlog.WrapErrSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {
 		e = encoder
 		cmd.Env = []string{
 			// passed through to shim by hsu
 			shimEnv + "=" + strconv.Itoa(fd),
 			// interpreted by hsu
 			"HAKUREI_APP_ID=" + seal.user.aid.String(),
 		}
 	}
 	if len(seal.user.supp) > 0 {
 		hlog.Verbosef("attaching supplementary group ids %s", seal.user.supp)
 		// interpreted by hsu
 		cmd.Env = append(cmd.Env, "HAKUREI_GROUPS="+strings.Join(seal.user.supp, " "))
 	}
 	hlog.Verbosef("setuid helper at %s", hsuPath)
 	hlog.Suspend()
 	if err := cmd.Start(); err != nil {
 		return hlog.WrapErrSuffix(err,
 			"cannot start setuid wrapper:")
 	}
 	rs.SetStart()
 	// this prevents blocking forever on an early failure
 	waitErr, setupErr := make(chan error, 1), make(chan error, 1)
 	go func() { waitErr <- cmd.Wait(); cancel() }()
 	go func() { setupErr <- e.Encode(&shimParams{os.Getpid(), seal.container, seal.user.data, hlog.Load()}) }()
 	select {
 	case err := <-setupErr:
 		if err != nil {
 			hlog.Resume()
 			return hlog.WrapErrSuffix(err,
 				"cannot transmit shim config:")
 		}
 	case <-ctx.Done():
 		hlog.Resume()
 		return hlog.WrapErr(syscall.ECANCELED,
 			"shim setup canceled")
 	}
 	// returned after blocking on waitErr
 	var earlyStoreErr = new(StateStoreError)
 	{
 		// shim accepted setup payload, create process state
 		sd := state.State{
 			ID:   seal.id.unwrap(),
 			PID:  cmd.Process.Pid,
 			Time: *rs.Time,
 		}
 		earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
 			earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
 		})
 	}
 	// state in store at this point, destroy defunct state entry on return
 	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
 	waitTimeout := make(chan struct{})
 	go func() { <-seal.ctx.Done(); time.Sleep(shimWaitTimeout); close(waitTimeout) }()
 	select {
 	case rs.WaitErr = <-waitErr:
 		rs.WaitStatus = cmd.ProcessState.Sys().(syscall.WaitStatus)
 		if hlog.Load() {
 			switch {
 			case rs.Exited():
 				hlog.Verbosef("process %d exited with code %d", cmd.Process.Pid, rs.ExitStatus())
 			case rs.CoreDump():
 				hlog.Verbosef("process %d dumped core", cmd.Process.Pid)
 			case rs.Signaled():
 				hlog.Verbosef("process %d got %s", cmd.Process.Pid, rs.Signal())
 			default:
 				hlog.Verbosef("process %d exited with status %#x", cmd.Process.Pid, rs.WaitStatus)
 			}
 		}
 	case <-waitTimeout:
 		rs.WaitErr = syscall.ETIMEDOUT
 		hlog.Resume()
 		log.Printf("process %d did not terminate", cmd.Process.Pid)
 	}
 	hlog.Resume()
 	if seal.sync != nil {
 		if err := seal.sync.Close(); err != nil {
 			log.Printf("cannot close wayland security context: %v", err)
 		}
 	}
 	if seal.dbusMsg != nil {
 		seal.dbusMsg()
 	}
 	return earlyStoreErr.equiv("cannot save process state:")
 }
--- a/cmd/hakurei/internal/app/internal/setuid/seal.go
+++ b/cmd/hakurei/internal/app/internal/setuid/seal.go
@@ -1,586 +0,0 @@
 package setuid
 import (
 	"bytes"
 	"context"
 	"encoding/gob"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"os"
 	"path"
 	"regexp"
 	"slices"
 	"strings"
 	"sync/atomic"
 	"syscall"
 	. "hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/app/instance/common"
 	"hakurei.app/container"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 	"hakurei.app/system"
 	"hakurei.app/system/acl"
 	"hakurei.app/system/dbus"
 	"hakurei.app/system/wayland"
 )
 const (
 	home  = "HOME"
 	shell = "SHELL"
 	xdgConfigHome   = "XDG_CONFIG_HOME"
 	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
 	xdgSessionClass = "XDG_SESSION_CLASS"
 	xdgSessionType  = "XDG_SESSION_TYPE"
 	term    = "TERM"
 	display = "DISPLAY"
 	pulseServer = "PULSE_SERVER"
 	pulseCookie = "PULSE_COOKIE"
 	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
 	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
 )
 var (
 	ErrConfig = errors.New("no configuration to seal")
 	ErrUser   = errors.New("invalid aid")
 	ErrHome   = errors.New("invalid home directory")
 	ErrName   = errors.New("invalid username")
 	ErrXDisplay = errors.New(display + " unset")
 	ErrPulseCookie = errors.New("pulse cookie not present")
 	ErrPulseSocket = errors.New("pulse socket not present")
 	ErrPulseMode   = errors.New("unexpected pulse socket mode")
 )
 var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
 // outcome stores copies of various parts of [hst.Config]
 type outcome struct {
 	// copied from initialising [app]
 	id *stringPair[ID]
 	// copied from [sys.State] response
 	runDirPath string
 	// initial [hst.Config] gob stream for state data;
 	// this is prepared ahead of time as config is clobbered during seal creation
 	ct io.WriterTo
 	// dump dbus proxy message buffer
 	dbusMsg func()
 	user hsuUser
 	sys  *system.I
 	ctx  context.Context
 	container *container.Params
 	env       map[string]string
 	sync      *os.File
 	f atomic.Bool
 }
 // shareHost holds optional share directory state that must not be accessed directly
 type shareHost struct {
 	// whether XDG_RUNTIME_DIR is used post hsu
 	useRuntimeDir bool
 	// process-specific directory in tmpdir, empty if unused
 	sharePath string
 	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
 	runtimeSharePath string
 	seal *outcome
 	sc   hst.Paths
 }
 // ensureRuntimeDir must be called if direct access to paths within XDG_RUNTIME_DIR is required
 func (share *shareHost) ensureRuntimeDir() {
 	if share.useRuntimeDir {
 		return
 	}
 	share.useRuntimeDir = true
 	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
 	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
 	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
 	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
 }
 // instance returns a process-specific share path within tmpdir
 func (share *shareHost) instance() string {
 	if share.sharePath != "" {
 		return share.sharePath
 	}
 	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
 	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
 	return share.sharePath
 }
 // runtime returns a process-specific share path within XDG_RUNTIME_DIR
 func (share *shareHost) runtime() string {
 	if share.runtimeSharePath != "" {
 		return share.runtimeSharePath
 	}
 	share.ensureRuntimeDir()
 	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
 	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
 	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
 	return share.runtimeSharePath
 }
 // hsuUser stores post-hsu credentials and metadata
 type hsuUser struct {
 	// application id
 	aid *stringPair[int]
 	// target uid resolved by fid:aid
 	uid *stringPair[int]
 	// supplementary group ids
 	supp []string
 	// home directory host path
 	data string
 	// app user home directory
 	home string
 	// passwd database username
 	username string
 }
 func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Config) error {
 	if seal.ctx != nil {
 		panic("finalise called twice")
 	}
 	seal.ctx = ctx
 	{
 		// encode initial configuration for state tracking
 		ct := new(bytes.Buffer)
 		if err := gob.NewEncoder(ct).Encode(config); err != nil {
 			return hlog.WrapErrSuffix(err,
 				"cannot encode initial config:")
 		}
 		seal.ct = ct
 	}
 	// allowed aid range 0 to 9999, this is checked again in hsu
 	if config.Identity < 0 || config.Identity > 9999 {
 		return hlog.WrapErr(ErrUser,
 			fmt.Sprintf("identity %d out of range", config.Identity))
 	}
 	seal.user = hsuUser{
 		aid:      newInt(config.Identity),
 		data:     config.Data,
 		home:     config.Dir,
 		username: config.Username,
 	}
 	if seal.user.username == "" {
 		seal.user.username = "chronos"
 	} else if !posixUsername.MatchString(seal.user.username) ||
 		len(seal.user.username) >= internal.Sysconf(internal.SC_LOGIN_NAME_MAX) {
 		return hlog.WrapErr(ErrName,
 			fmt.Sprintf("invalid user name %q", seal.user.username))
 	}
 	if seal.user.data == "" || !path.IsAbs(seal.user.data) {
 		return hlog.WrapErr(ErrHome,
 			fmt.Sprintf("invalid home directory %q", seal.user.data))
 	}
 	if seal.user.home == "" {
 		seal.user.home = seal.user.data
 	}
 	if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil {
 		return err
 	} else {
 		seal.user.uid = newInt(u)
 	}
 	seal.user.supp = make([]string, len(config.Groups))
 	for i, name := range config.Groups {
 		if g, err := sys.LookupGroup(name); err != nil {
 			return hlog.WrapErr(err,
 				fmt.Sprintf("unknown group %q", name))
 		} else {
 			seal.user.supp[i] = g.Gid
 		}
 	}
 	// this also falls back to host path if encountering an invalid path
 	if !path.IsAbs(config.Shell) {
 		config.Shell = "/bin/sh"
 		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
 			config.Shell = s
 		}
 	}
 	// do not use the value of shell before this point
 	// permissive defaults
 	if config.Container == nil {
 		hlog.Verbose("container configuration not supplied, PROCEED WITH CAUTION")
 		// hsu clears the environment so resolve paths early
 		if !path.IsAbs(config.Path) {
 			if len(config.Args) > 0 {
 				if p, err := sys.LookPath(config.Args[0]); err != nil {
 					return hlog.WrapErr(err, err.Error())
 				} else {
 					config.Path = p
 				}
 			} else {
 				config.Path = config.Shell
 			}
 		}
 		conf := &hst.ContainerConfig{
 			Userns:  true,
 			Net:     true,
 			Tty:     true,
 			AutoEtc: true,
 		}
 		// bind entries in /
 		if d, err := sys.ReadDir("/"); err != nil {
 			return err
 		} else {
 			b := make([]*hst.FilesystemConfig, 0, len(d))
 			for _, ent := range d {
 				p := "/" + ent.Name()
 				switch p {
 				case "/proc":
 				case "/dev":
 				case "/tmp":
 				case "/mnt":
 				case "/etc":
 				default:
 					b = append(b, &hst.FilesystemConfig{Src: p, Write: true, Must: true})
 				}
 			}
 			conf.Filesystem = append(conf.Filesystem, b...)
 		}
 		// hide nscd from sandbox if present
 		nscd := "/var/run/nscd"
 		if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
 			conf.Cover = append(conf.Cover, nscd)
 		}
 		// bind GPU stuff
 		if config.Enablements&(system.EX11|system.EWayland) != 0 {
 			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}
 		// opportunistically bind kvm
 		conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/kvm", Device: true})
 		config.Container = conf
 	}
 	var mapuid, mapgid *stringPair[int]
 	{
 		var uid, gid int
 		var err error
 		seal.container, seal.env, err = common.NewContainer(config.Container, sys, &uid, &gid)
 		if err != nil {
 			return hlog.WrapErrSuffix(err,
 				"cannot initialise container configuration:")
 		}
 		if !path.IsAbs(config.Path) {
 			return hlog.WrapErr(syscall.EINVAL,
 				"invalid program path")
 		}
 		if len(config.Args) == 0 {
 			config.Args = []string{config.Path}
 		}
 		seal.container.Path = config.Path
 		seal.container.Args = config.Args
 		mapuid = newInt(uid)
 		mapgid = newInt(gid)
 		if seal.env == nil {
 			seal.env = make(map[string]string, 1<<6)
 		}
 	}
 	if !config.Container.AutoEtc {
 		if config.Container.Etc != "" {
 			seal.container.Bind(config.Container.Etc, "/etc", 0)
 		}
 	} else {
 		etcPath := config.Container.Etc
 		if etcPath == "" {
 			etcPath = "/etc"
 		}
 		seal.container.Etc(etcPath, seal.id.String())
 	}
 	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
 	innerRuntimeDir := path.Join("/run/user", mapuid.String())
 	seal.env[xdgRuntimeDir] = innerRuntimeDir
 	seal.env[xdgSessionClass] = "user"
 	seal.env[xdgSessionType] = "tty"
 	share := &shareHost{seal: seal, sc: sys.Paths()}
 	seal.runDirPath = share.sc.RunDirPath
 	seal.sys = system.New(seal.user.uid.unwrap())
 	seal.sys.Ensure(share.sc.SharePath, 0711)
 	{
 		runtimeDir := path.Join(share.sc.SharePath, "runtime")
 		seal.sys.Ensure(runtimeDir, 0700)
 		seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
 		runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
 		seal.sys.Ensure(runtimeDirInst, 0700)
 		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
 		seal.container.Tmpfs("/run/user", 1<<12, 0755)
 		seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable)
 	}
 	{
 		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
 		seal.sys.Ensure(tmpdir, 0700)
 		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
 		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
 		seal.container.Bind(tmpdirInst, "/tmp", container.BindWritable)
 	}
 	{
 		homeDir := "/var/empty"
 		if seal.user.home != "" {
 			homeDir = seal.user.home
 		}
 		username := "chronos"
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
 		seal.container.Bind(seal.user.data, homeDir, container.BindWritable)
 		seal.container.Dir = homeDir
 		seal.env["HOME"] = homeDir
 		seal.env["USER"] = username
 		seal.env[shell] = config.Shell
 		seal.container.Place("/etc/passwd",
 			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+homeDir+":"+config.Shell+"\n"))
 		seal.container.Place("/etc/group",
 			[]byte("hakurei:x:"+mapgid.String()+":\n"))
 	}
 	// pass TERM for proper terminal I/O in initial process
 	if t, ok := sys.LookupEnv(term); ok {
 		seal.env[term] = t
 	}
 	if config.Enablements&system.EWayland != 0 {
 		// outer wayland socket (usually `/run/user/%d/wayland-%d`)
 		var socketPath string
 		if name, ok := sys.LookupEnv(wayland.WaylandDisplay); !ok {
 			hlog.Verbose(wayland.WaylandDisplay + " is not set, assuming " + wayland.FallbackName)
 			socketPath = path.Join(share.sc.RuntimePath, wayland.FallbackName)
 		} else if !path.IsAbs(name) {
 			socketPath = path.Join(share.sc.RuntimePath, name)
 		} else {
 			socketPath = name
 		}
 		innerPath := path.Join(innerRuntimeDir, wayland.FallbackName)
 		seal.env[wayland.WaylandDisplay] = wayland.FallbackName
 		if !config.DirectWayland { // set up security-context-v1
 			appID := config.ID
 			if appID == "" {
 				// use instance ID in case app id is not set
 				appID = "app.hakurei." + seal.id.String()
 			}
 			// downstream socket paths
 			outerPath := path.Join(share.instance(), "wayland")
 			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
 			seal.container.Bind(outerPath, innerPath, 0)
 		} else { // bind mount wayland socket (insecure)
 			hlog.Verbose("direct wayland access, PROCEED WITH CAUTION")
 			share.ensureRuntimeDir()
 			seal.container.Bind(socketPath, innerPath, 0)
 			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
 		}
 	}
 	if config.Enablements&system.EX11 != 0 {
 		if d, ok := sys.LookupEnv(display); !ok {
 			return hlog.WrapErr(ErrXDisplay,
 				"DISPLAY is not set")
 		} else {
 			seal.sys.ChangeHosts("#" + seal.user.uid.String())
 			seal.env[display] = d
 			seal.container.Bind("/tmp/.X11-unix", "/tmp/.X11-unix", 0)
 		}
 	}
 	if config.Enablements&system.EPulse != 0 {
 		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
 		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
 		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
 		pulseSocket := path.Join(pulseRuntimeDir, "native")
 		if _, err := sys.Stat(pulseRuntimeDir); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
 			}
 			return hlog.WrapErr(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
 		}
 		if s, err := sys.Stat(pulseSocket); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
 			}
 			return hlog.WrapErr(ErrPulseSocket,
 				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pulseRuntimeDir))
 		} else {
 			if m := s.Mode(); m&0o006 != 0o006 {
 				return hlog.WrapErr(ErrPulseMode,
 					fmt.Sprintf("unexpected permissions on %q:", pulseSocket), m)
 			}
 		}
 		// hard link pulse socket into target-executable share
 		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
 		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
 		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
 		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
 		seal.env[pulseServer] = "unix:" + innerPulseSocket
 		// publish current user's pulse cookie for target user
 		if src, err := discoverPulseCookie(sys); err != nil {
 			// not fatal
 			hlog.Verbose(strings.TrimSpace(err.(*hlog.BaseError).Message()))
 		} else {
 			innerDst := hst.Tmp + "/pulse-cookie"
 			seal.env[pulseCookie] = innerDst
 			var payload *[]byte
 			seal.container.PlaceP(innerDst, &payload)
 			seal.sys.CopyFile(payload, src, 256, 256)
 		}
 	}
 	if config.Enablements&system.EDBus != 0 {
 		// ensure dbus session bus defaults
 		if config.SessionBus == nil {
 			config.SessionBus = dbus.NewConfig(config.ID, true, true)
 		}
 		// downstream socket paths
 		sharePath := share.instance()
 		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
 		// configure dbus proxy
 		if f, err := seal.sys.ProxyDBus(
 			config.SessionBus, config.SystemBus,
 			sessionPath, systemPath,
 		); err != nil {
 			return err
 		} else {
 			seal.dbusMsg = f
 		}
 		// share proxy sockets
 		sessionInner := path.Join(innerRuntimeDir, "bus")
 		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner
 		seal.container.Bind(sessionPath, sessionInner, 0)
 		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
 		if config.SystemBus != nil {
 			systemInner := "/run/dbus/system_bus_socket"
 			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner
 			seal.container.Bind(systemPath, systemInner, 0)
 			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
 		}
 	}
 	for _, dest := range config.Container.Cover {
 		seal.container.Tmpfs(dest, 1<<13, 0755)
 	}
 	// append ExtraPerms last
 	for _, p := range config.ExtraPerms {
 		if p == nil {
 			continue
 		}
 		if p.Ensure {
 			seal.sys.Ensure(p.Path, 0700)
 		}
 		perms := make(acl.Perms, 0, 3)
 		if p.Read {
 			perms = append(perms, acl.Read)
 		}
 		if p.Write {
 			perms = append(perms, acl.Write)
 		}
 		if p.Execute {
 			perms = append(perms, acl.Execute)
 		}
 		seal.sys.UpdatePermType(system.User, p.Path, perms...)
 	}
 	// flatten and sort env for deterministic behaviour
 	seal.container.Env = make([]string, 0, len(seal.env))
 	for k, v := range seal.env {
 		if strings.IndexByte(k, '=') != -1 {
 			return hlog.WrapErr(syscall.EINVAL,
 				fmt.Sprintf("invalid environment variable %s", k))
 		}
 		seal.container.Env = append(seal.container.Env, k+"="+v)
 	}
 	slices.Sort(seal.container.Env)
 	if hlog.Load() {
 		hlog.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s, ops: %d",
 			seal.user.uid, seal.user.username, config.Groups, seal.container.Args, len(*seal.container.Ops))
 	}
 	return nil
 }
 // discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
 func discoverPulseCookie(sys sys.State) (string, error) {
 	if p, ok := sys.LookupEnv(pulseCookie); ok {
 		return p, nil
 	}
 	// dotfile $HOME/.pulse-cookie
 	if p, ok := sys.LookupEnv(home); ok {
 		p = path.Join(p, ".pulse-cookie")
 		if s, err := sys.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	// $XDG_CONFIG_HOME/pulse/cookie
 	if p, ok := sys.LookupEnv(xdgConfigHome); ok {
 		p = path.Join(p, "pulse", "cookie")
 		if s, err := sys.Stat(p); err != nil {
 			if !errors.Is(err, fs.ErrNotExist) {
 				return p, hlog.WrapErrSuffix(err,
 					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
 			}
 			// not found, try next method
 		} else if !s.IsDir() {
 			return p, nil
 		}
 	}
 	return "", hlog.WrapErr(ErrPulseCookie,
 		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
 			pulseCookie, xdgConfigHome, home))
 }
--- a/cmd/hakurei/internal/app/internal/setuid/shim.go
+++ b/cmd/hakurei/internal/app/internal/setuid/shim.go
@@ -1,184 +0,0 @@
 package setuid
 import (
 	"context"
 	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
 	"syscall"
 	"time"
 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 )
 /*
 #include <stdlib.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <errno.h>
 #include <signal.h>
 static pid_t hakurei_shim_param_ppid = -1;
 // this cannot unblock hlog since Go code is not async-signal-safe
 static void hakurei_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
  if (sig != SIGCONT || si == NULL) {
    // unreachable
    fprintf(stderr, "sigaction: sa_sigaction got invalid siginfo\n");
    return;
  }
  // monitor requests shim exit
  if (si->si_pid == hakurei_shim_param_ppid)
    exit(254);
  fprintf(stderr, "sigaction: got SIGCONT from process %d\n", si->si_pid);
  // shim orphaned before monitor delivers a signal
  if (getppid() != hakurei_shim_param_ppid)
    exit(3);
 }
 void hakurei_shim_setup_cont_signal(pid_t ppid) {
  struct sigaction new_action = {0}, old_action = {0};
  if (sigaction(SIGCONT, NULL, &old_action) != 0)
    return;
  if (old_action.sa_handler != SIG_DFL) {
    errno = ENOTRECOVERABLE;
    return;
  }
  new_action.sa_sigaction = hakurei_shim_sigaction;
  if (sigemptyset(&new_action.sa_mask) != 0)
    return;
  new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
  if (sigaction(SIGCONT, &new_action, NULL) != 0)
    return;
  errno = 0;
  hakurei_shim_param_ppid = ppid;
 }
 */
 import "C"
 const shimEnv = "HAKUREI_SHIM"
 type shimParams struct {
 	// monitor pid, checked against ppid in signal handler
 	Monitor int
 	// finalised container params
 	Container *container.Params
 	// path to outer home directory
 	Home string
 	// verbosity pass through
 	Verbose bool
 }
 // ShimMain is the main function of the shim process and runs as the unconstrained target user.
 func ShimMain() {
 	hlog.Prepare("shim")
 	if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 	var (
 		params     shimParams
 		closeSetup func() error
 	)
 	if f, err := container.Receive(shimEnv, &params, nil); err != nil {
 		if errors.Is(err, container.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
 		if errors.Is(err, container.ErrNotSet) {
 			log.Fatal("HAKUREI_SHIM not set")
 		}
 		log.Fatalf("cannot receive shim setup params: %v", err)
 	} else {
 		internal.InstallOutput(params.Verbose)
 		closeSetup = f
 		// the Go runtime does not expose siginfo_t so SIGCONT is handled in C to check si_pid
 		if _, err = C.hakurei_shim_setup_cont_signal(C.pid_t(params.Monitor)); err != nil {
 			log.Fatalf("cannot install SIGCONT handler: %v", err)
 		}
 		// pdeath_signal delivery is checked as if the dying process called kill(2), see kernel/exit.c
 		if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGCONT), 0); errno != 0 {
 			log.Fatalf("cannot set parent-death signal: %v", errno)
 		}
 	}
 	if params.Container == nil || params.Container.Ops == nil {
 		log.Fatal("invalid container params")
 	}
 	// close setup socket
 	if err := closeSetup(); err != nil {
 		log.Printf("cannot close setup pipe: %v", err)
 		// not fatal
 	}
 	// ensure home directory as target user
 	if s, err := os.Stat(params.Home); err != nil {
 		if os.IsNotExist(err) {
 			if err = os.Mkdir(params.Home, 0700); err != nil {
 				log.Fatalf("cannot create home directory: %v", err)
 			}
 		} else {
 			log.Fatalf("cannot access home directory: %v", err)
 		}
 		// home directory is created, proceed
 	} else if !s.IsDir() {
 		log.Fatalf("path %q is not a directory", params.Home)
 	}
 	var name string
 	if len(params.Container.Args) > 0 {
 		name = params.Container.Args[0]
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop() // unreachable
 	z := container.New(ctx, name)
 	z.Params = *params.Container
 	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 	z.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
 	z.WaitDelay = 2 * time.Second
 	if err := z.Start(); err != nil {
 		hlog.PrintBaseError(err, "cannot start container:")
 		os.Exit(1)
 	}
 	if err := z.Serve(); err != nil {
 		hlog.PrintBaseError(err, "cannot configure container:")
 	}
 	if err := seccomp.Load(
 		seccomp.Preset(seccomp.PresetStrict, seccomp.AllowMultiarch),
 		seccomp.AllowMultiarch,
 	); err != nil {
 		log.Fatalf("cannot load syscall filter: %v", err)
 	}
 	if err := z.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if !errors.As(err, &exitError) {
 			if errors.Is(err, context.Canceled) {
 				os.Exit(2)
 			}
 			log.Printf("wait: %v", err)
 			os.Exit(127)
 		}
 		os.Exit(exitError.ExitCode())
 	}
 }
--- a/cmd/hakurei/internal/app/internal/setuid/strings.go
+++ b/cmd/hakurei/internal/app/internal/setuid/strings.go
@@ -1,19 +0,0 @@
 package setuid
 import (
 	"strconv"
 	. "hakurei.app/cmd/hakurei/internal/app"
 )
 func newInt(v int) *stringPair[int] { return &stringPair[int]{v, strconv.Itoa(v)} }
 func newID(id *ID) *stringPair[ID]  { return &stringPair[ID]{*id, id.String()} }
 // stringPair stores a value and its string representation.
 type stringPair[T comparable] struct {
 	v T
 	s string
 }
 func (s *stringPair[T]) unwrap() T      { return s.v }
 func (s *stringPair[T]) String() string { return s.s }
--- a/cmd/hakurei/internal/state/join.go
+++ b/cmd/hakurei/internal/state/join.go
@@ -1,60 +0,0 @@
 package state
 import (
 	"errors"
 	"maps"
 )
 var (
 	ErrDuplicate = errors.New("store contains duplicates")
 )
 /*
 Joiner is the interface that wraps the Join method.
 The Join function uses Joiner if available.
 */
 type Joiner interface{ Join() (Entries, error) }
 // Join returns joined state entries of all active aids.
 func Join(s Store) (Entries, error) {
 	if j, ok := s.(Joiner); ok {
 		return j.Join()
 	}
 	var (
 		aids    []int
 		entries = make(Entries)
 		el      int
 		res     Entries
 		loadErr error
 	)
 	if ln, err := s.List(); err != nil {
 		return nil, err
 	} else {
 		aids = ln
 	}
 	for _, aid := range aids {
 		if _, err := s.Do(aid, func(c Cursor) {
 			res, loadErr = c.Load()
 		}); err != nil {
 			return nil, err
 		}
 		if loadErr != nil {
 			return nil, loadErr
 		}
 		// save expected length
 		el = len(entries) + len(res)
 		maps.Copy(entries, res)
 		if len(entries) != el {
 			return nil, ErrDuplicate
 		}
 	}
 	return entries, nil
 }
--- a/cmd/hakurei/internal/state/multi.go
+++ b/cmd/hakurei/internal/state/multi.go
@@ -1,373 +0,0 @@
 package state
 import (
 	"encoding/binary"
 	"encoding/gob"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"os"
 	"path"
 	"strconv"
 	"sync"
 	"syscall"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 )
 // fine-grained locking and access
 type multiStore struct {
 	base string
 	// initialised backends
 	backends *sync.Map
 	lock sync.RWMutex
 }
 func (s *multiStore) Do(aid int, f func(c Cursor)) (bool, error) {
 	s.lock.RLock()
 	defer s.lock.RUnlock()
 	// load or initialise new backend
 	b := new(multiBackend)
 	b.lock.Lock()
 	if v, ok := s.backends.LoadOrStore(aid, b); ok {
 		b = v.(*multiBackend)
 	} else {
 		b.path = path.Join(s.base, strconv.Itoa(aid))
 		// ensure directory
 		if err := os.MkdirAll(b.path, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
 			s.backends.CompareAndDelete(aid, b)
 			return false, err
 		}
 		// open locker file
 		if l, err := os.OpenFile(b.path+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
 			s.backends.CompareAndDelete(aid, b)
 			return false, err
 		} else {
 			b.lockfile = l
 		}
 		b.lock.Unlock()
 	}
 	// lock backend
 	if err := b.lockFile(); err != nil {
 		return false, err
 	}
 	// expose backend methods without exporting the pointer
 	c := new(struct{ *multiBackend })
 	c.multiBackend = b
 	f(b)
 	// disable access to the backend on a best-effort basis
 	c.multiBackend = nil
 	// unlock backend
 	return true, b.unlockFile()
 }
 func (s *multiStore) List() ([]int, error) {
 	var entries []os.DirEntry
 	// read base directory to get all aids
 	if v, err := os.ReadDir(s.base); err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, err
 	} else {
 		entries = v
 	}
 	aidsBuf := make([]int, 0, len(entries))
 	for _, e := range entries {
 		// skip non-directories
 		if !e.IsDir() {
 			hlog.Verbosef("skipped non-directory entry %q", e.Name())
 			continue
 		}
 		// skip non-numerical names
 		if v, err := strconv.Atoi(e.Name()); err != nil {
 			hlog.Verbosef("skipped non-aid entry %q", e.Name())
 			continue
 		} else {
 			if v < 0 || v > 9999 {
 				hlog.Verbosef("skipped out of bounds entry %q", e.Name())
 				continue
 			}
 			aidsBuf = append(aidsBuf, v)
 		}
 	}
 	return append([]int(nil), aidsBuf...), nil
 }
 func (s *multiStore) Close() error {
 	s.lock.Lock()
 	defer s.lock.Unlock()
 	var errs []error
 	s.backends.Range(func(_, value any) bool {
 		b := value.(*multiBackend)
 		errs = append(errs, b.close())
 		return true
 	})
 	return errors.Join(errs...)
 }
 type multiBackend struct {
 	path string
 	// created/opened by prepare
 	lockfile *os.File
 	lock sync.RWMutex
 }
 func (b *multiBackend) filename(id *app.ID) string {
 	return path.Join(b.path, id.String())
 }
 func (b *multiBackend) lockFileAct(lt int) (err error) {
 	op := "LockAct"
 	switch lt {
 	case syscall.LOCK_EX:
 		op = "Lock"
 	case syscall.LOCK_UN:
 		op = "Unlock"
 	}
 	for {
 		err = syscall.Flock(int(b.lockfile.Fd()), lt)
 		if !errors.Is(err, syscall.EINTR) {
 			break
 		}
 	}
 	if err != nil {
 		return &fs.PathError{
 			Op:   op,
 			Path: b.lockfile.Name(),
 			Err:  err,
 		}
 	}
 	return nil
 }
 func (b *multiBackend) lockFile() error {
 	return b.lockFileAct(syscall.LOCK_EX)
 }
 func (b *multiBackend) unlockFile() error {
 	return b.lockFileAct(syscall.LOCK_UN)
 }
 // reads all launchers in simpleBackend
 // file contents are ignored if decode is false
 func (b *multiBackend) load(decode bool) (Entries, error) {
 	b.lock.RLock()
 	defer b.lock.RUnlock()
 	// read directory contents, should only contain files named after ids
 	var entries []os.DirEntry
 	if pl, err := os.ReadDir(b.path); err != nil {
 		return nil, err
 	} else {
 		entries = pl
 	}
 	// allocate as if every entry is valid
 	// since that should be the case assuming no external interference happens
 	r := make(Entries, len(entries))
 	for _, e := range entries {
 		if e.IsDir() {
 			return nil, fmt.Errorf("unexpected directory %q in store", e.Name())
 		}
 		id := new(app.ID)
 		if err := app.ParseAppID(id, e.Name()); err != nil {
 			return nil, err
 		}
 		// run in a function to better handle file closing
 		if err := func() error {
 			// open state file for reading
 			if f, err := os.Open(path.Join(b.path, e.Name())); err != nil {
 				return err
 			} else {
 				defer func() {
 					if f.Close() != nil {
 						// unreachable
 						panic("foreign state file closed prematurely")
 					}
 				}()
 				s := new(State)
 				r[*id] = s
 				// append regardless, but only parse if required, implements Len
 				if decode {
 					if err = b.decodeState(f, s); err != nil {
 						return err
 					}
 					if s.ID != *id {
 						return fmt.Errorf("state entry %s has unexpected id %s", id, &s.ID)
 					}
 				}
 				return nil
 			}
 		}(); err != nil {
 			return nil, err
 		}
 	}
 	return r, nil
 }
 // state file consists of an eight byte header, followed by concatenated gobs
 // of [hst.Config] and [State], if [State.Config] is not nil or offset < 0,
 // the first gob is skipped
 func (b *multiBackend) decodeState(r io.ReadSeeker, state *State) error {
 	offset := make([]byte, 8)
 	if l, err := r.Read(offset); err != nil {
 		if errors.Is(err, io.EOF) {
 			return fmt.Errorf("state file too short: %d bytes", l)
 		}
 		return err
 	}
 	// decode volatile state first
 	var skipConfig bool
 	{
 		o := int64(binary.LittleEndian.Uint64(offset))
 		skipConfig = o < 0
 		if !skipConfig {
 			if l, err := r.Seek(o, io.SeekCurrent); err != nil {
 				return err
 			} else if l != 8+o {
 				return fmt.Errorf("invalid seek offset %d", l)
 			}
 		}
 	}
 	if err := gob.NewDecoder(r).Decode(state); err != nil {
 		return err
 	}
 	// decode sealed config
 	if state.Config == nil {
 		// config must be provided either as part of volatile state,
 		// or in the config segment
 		if skipConfig {
 			return ErrNoConfig
 		}
 		state.Config = new(hst.Config)
 		if _, err := r.Seek(8, io.SeekStart); err != nil {
 			return err
 		}
 		return gob.NewDecoder(r).Decode(state.Config)
 	} else {
 		return nil
 	}
 }
 // Save writes process state to filesystem
 func (b *multiBackend) Save(state *State, configWriter io.WriterTo) error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 	if configWriter == nil && state.Config == nil {
 		return ErrNoConfig
 	}
 	statePath := b.filename(&state.ID)
 	if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
 		return err
 	} else {
 		defer func() {
 			if f.Close() != nil {
 				// unreachable
 				panic("state file closed prematurely")
 			}
 		}()
 		return b.encodeState(f, state, configWriter)
 	}
 }
 func (b *multiBackend) encodeState(w io.WriteSeeker, state *State, configWriter io.WriterTo) error {
 	offset := make([]byte, 8)
 	// skip header bytes
 	if _, err := w.Seek(8, io.SeekStart); err != nil {
 		return err
 	}
 	if configWriter != nil {
 		// write config gob and encode header
 		if l, err := configWriter.WriteTo(w); err != nil {
 			return err
 		} else {
 			binary.LittleEndian.PutUint64(offset, uint64(l))
 		}
 	} else {
 		// offset == -1 indicates absence of config gob
 		binary.LittleEndian.PutUint64(offset, 0xffffffffffffffff)
 	}
 	// encode volatile state
 	if err := gob.NewEncoder(w).Encode(state); err != nil {
 		return err
 	}
 	// write header
 	if _, err := w.Seek(0, io.SeekStart); err != nil {
 		return err
 	}
 	_, err := w.Write(offset)
 	return err
 }
 func (b *multiBackend) Destroy(id app.ID) error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 	return os.Remove(b.filename(&id))
 }
 func (b *multiBackend) Load() (Entries, error) {
 	return b.load(true)
 }
 func (b *multiBackend) Len() (int, error) {
 	// rn consists of only nil entries but has the correct length
 	rn, err := b.load(false)
 	return len(rn), err
 }
 func (b *multiBackend) close() error {
 	b.lock.Lock()
 	defer b.lock.Unlock()
 	err := b.lockfile.Close()
 	if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
 		return nil
 	}
 	return err
 }
 // NewMulti returns an instance of the multi-file store.
 func NewMulti(runDir string) Store {
 	b := new(multiStore)
 	b.base = path.Join(runDir, "state")
 	b.backends = new(sync.Map)
 	return b
 }
--- a/cmd/hakurei/internal/state/multi_test.go
+++ b/cmd/hakurei/internal/state/multi_test.go
@@ -1,9 +0,0 @@
 package state_test
 import (
 	"testing"
 	"hakurei.app/cmd/hakurei/internal/state"
 )
 func TestMulti(t *testing.T) { testStore(t, state.NewMulti(t.TempDir())) }
--- a/cmd/hakurei/internal/state/state.go
+++ b/cmd/hakurei/internal/state/state.go
@@ -1,49 +0,0 @@
 package state
 import (
 	"errors"
 	"io"
 	"time"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/hst"
 )
 var ErrNoConfig = errors.New("state does not contain config")
 type Entries map[app.ID]*State
 type Store interface {
 	// Do calls f exactly once and ensures store exclusivity until f returns.
 	// Returns whether f is called and any errors during the locking process.
 	// Cursor provided to f becomes invalid as soon as f returns.
 	Do(aid int, f func(c Cursor)) (ok bool, err error)
 	// List queries the store and returns a list of aids known to the store.
 	// Note that some or all returned aids might not have any active apps.
 	List() (aids []int, err error)
 	// Close releases any resources held by Store.
 	Close() error
 }
 // Cursor provides access to the store
 type Cursor interface {
 	Save(state *State, configWriter io.WriterTo) error
 	Destroy(id app.ID) error
 	Load() (Entries, error)
 	Len() (int, error)
 }
 // State is an instance state
 type State struct {
 	// hakurei instance id
 	ID app.ID `json:"instance"`
 	// child process PID value
 	PID int `json:"pid"`
 	// sealed app configuration
 	Config *hst.Config `json:"config"`
 	// process start time
 	Time time.Time `json:"time"`
 }
--- a/cmd/hakurei/internal/state/state_test.go
+++ b/cmd/hakurei/internal/state/state_test.go
@@ -1,145 +0,0 @@
 package state_test
 import (
 	"bytes"
 	"encoding/gob"
 	"io"
 	"math/rand/v2"
 	"reflect"
 	"slices"
 	"testing"
 	"time"
 	"hakurei.app/cmd/hakurei/internal/app"
 	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/hst"
 )
 func testStore(t *testing.T, s state.Store) {
 	t.Run("list empty store", func(t *testing.T) {
 		if aids, err := s.List(); err != nil {
 			t.Fatalf("List: error = %v", err)
 		} else if len(aids) != 0 {
 			t.Fatalf("List: aids = %#v", aids)
 		}
 	})
 	const (
 		insertEntryChecked = iota
 		insertEntryNoCheck
 		insertEntryOtherApp
 		tl
 	)
 	var tc [tl]struct {
 		state state.State
 		ct    bytes.Buffer
 	}
 	for i := 0; i < tl; i++ {
 		makeState(t, &tc[i].state, &tc[i].ct)
 	}
 	do := func(aid int, f func(c state.Cursor)) {
 		if ok, err := s.Do(aid, f); err != nil {
 			t.Fatalf("Do: ok = %v, error = %v", ok, err)
 		}
 	}
 	insert := func(i, aid int) {
 		do(aid, func(c state.Cursor) {
 			if err := c.Save(&tc[i].state, &tc[i].ct); err != nil {
 				t.Fatalf("Save(&tc[%v]): error = %v", i, err)
 			}
 		})
 	}
 	check := func(i, aid int) {
 		do(aid, func(c state.Cursor) {
 			if entries, err := c.Load(); err != nil {
 				t.Fatalf("Load: error = %v", err)
 			} else if got, ok := entries[tc[i].state.ID]; !ok {
 				t.Fatalf("Load: entry %s missing",
 					&tc[i].state.ID)
 			} else {
 				got.Time = tc[i].state.Time
 				tc[i].state.Config = hst.Template()
 				if !reflect.DeepEqual(got, &tc[i].state) {
 					t.Fatalf("Load: entry %s got %#v, want %#v",
 						&tc[i].state.ID, got, &tc[i].state)
 				}
 				tc[i].state.Config = nil
 			}
 		})
 	}
 	t.Run("insert entry checked", func(t *testing.T) {
 		insert(insertEntryChecked, 0)
 		check(insertEntryChecked, 0)
 	})
 	t.Run("insert entry unchecked", func(t *testing.T) {
 		insert(insertEntryNoCheck, 0)
 	})
 	t.Run("insert entry different aid", func(t *testing.T) {
 		insert(insertEntryOtherApp, 1)
 		check(insertEntryOtherApp, 1)
 	})
 	t.Run("check previous insertion", func(t *testing.T) {
 		check(insertEntryNoCheck, 0)
 	})
 	t.Run("list aids", func(t *testing.T) {
 		if aids, err := s.List(); err != nil {
 			t.Fatalf("List: error = %v", err)
 		} else {
 			slices.Sort(aids)
 			want := []int{0, 1}
 			if !slices.Equal(aids, want) {
 				t.Fatalf("List() = %#v, want %#v", aids, want)
 			}
 		}
 	})
 	t.Run("join store", func(t *testing.T) {
 		if entries, err := state.Join(s); err != nil {
 			t.Fatalf("Join: error = %v", err)
 		} else if len(entries) != 3 {
 			t.Fatalf("Join(s) = %#v", entries)
 		}
 	})
 	t.Run("clear aid 1", func(t *testing.T) {
 		do(1, func(c state.Cursor) {
 			if err := c.Destroy(tc[insertEntryOtherApp].state.ID); err != nil {
 				t.Fatalf("Destroy: error = %v", err)
 			}
 		})
 		do(1, func(c state.Cursor) {
 			if l, err := c.Len(); err != nil {
 				t.Fatalf("Len: error = %v", err)
 			} else if l != 0 {
 				t.Fatalf("Len() = %d, want 0", l)
 			}
 		})
 	})
 	t.Run("close store", func(t *testing.T) {
 		if err := s.Close(); err != nil {
 			t.Fatalf("Close: error = %v", err)
 		}
 	})
 }
 func makeState(t *testing.T, s *state.State, ct io.Writer) {
 	if err := app.NewAppID(&s.ID); err != nil {
 		t.Fatalf("cannot create dummy state: %v", err)
 	}
 	if err := gob.NewEncoder(ct).Encode(hst.Template()); err != nil {
 		t.Fatalf("cannot encode dummy config: %v", err)
 	}
 	s.PID = rand.Int()
 	s.Time = time.Now()
 }
--- a/cmd/hakurei/json.go
+++ b/cmd/hakurei/json.go
@@ -0,0 +1,60 @@
 package main
 import (
 	"encoding/json"
 	"errors"
 	"io"
 	"strconv"
 )
 // decodeJSON decodes json from r and stores it in v. A non-nil error results in a call to fatal.
 func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any) {
 	err := json.NewDecoder(r).Decode(v)
 	if err == nil {
 		return
 	}
 	var (
 		syntaxError        *json.SyntaxError
 		unmarshalTypeError *json.UnmarshalTypeError
 		msg string
 	)
 	switch {
 	case errors.As(err, &syntaxError) && syntaxError != nil:
 		msg = syntaxError.Error() +
 			" at byte " + strconv.FormatInt(syntaxError.Offset, 10)
 	case errors.As(err, &unmarshalTypeError) && unmarshalTypeError != nil:
 		msg = "inappropriate " + unmarshalTypeError.Value +
 			" at byte " + strconv.FormatInt(unmarshalTypeError.Offset, 10)
 	default:
 		// InvalidUnmarshalError: incorrect usage, does not need to be handled
 		// io.ErrUnexpectedEOF: no additional error information available
 		msg = err.Error()
 	}
 	fatal("cannot " + op + ": " + msg)
 }
 // encodeJSON encodes v to output. A non-nil error results in a call to fatal.
 func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any) {
 	encoder := json.NewEncoder(output)
 	if !short {
 		encoder.SetIndent("", "  ")
 	}
 	if err := encoder.Encode(v); err != nil {
 		var marshalerError *json.MarshalerError
 		if errors.As(err, &marshalerError) && marshalerError != nil {
 			// this likely indicates an implementation error in hst
 			fatal("cannot encode json for " + marshalerError.Type.String() + ": " + marshalerError.Err.Error())
 			return
 		}
 		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does not need to be handled
 		fatal("cannot write json: " + err.Error())
 	}
 }
--- a/cmd/hakurei/json_test.go
+++ b/cmd/hakurei/json_test.go
@@ -0,0 +1,107 @@
 package main_test
 import (
 	"io"
 	"reflect"
 	"strings"
 	"testing"
 	_ "unsafe"
 	"hakurei.app/container/stub"
 )
 //go:linkname decodeJSON hakurei.app/cmd/hakurei.decodeJSON
 func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any)
 func TestDecodeJSON(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		t    reflect.Type
 		data string
 		want any
 		msg  string
 	}{
 		{"success", reflect.TypeFor[uintptr](), "3735928559\n", uintptr(0xdeadbeef), ""},
 		{"syntax", reflect.TypeFor[*int](), "\x00", nil,
 			`cannot load sample: invalid character '\x00' looking for beginning of value at byte 1`},
 		{"type", reflect.TypeFor[uintptr](), "-1", nil,
 			`cannot load sample: inappropriate number -1 at byte 2`},
 		{"default", reflect.TypeFor[*int](), "{", nil,
 			"cannot load sample: unexpected EOF"},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			var (
 				gotP   = reflect.New(tc.t)
 				gotMsg *string
 			)
 			decodeJSON(func(v ...any) {
 				if gotMsg != nil {
 					t.Fatal("fatal called twice")
 				}
 				msg := v[0].(string)
 				gotMsg = &msg
 			}, "load sample", strings.NewReader(tc.data), gotP.Interface())
 			if tc.msg != "" {
 				if gotMsg == nil {
 					t.Errorf("decodeJSON: success, want fatal %q", tc.msg)
 				} else if *gotMsg != tc.msg {
 					t.Errorf("decodeJSON: fatal = %q, want %q", *gotMsg, tc.msg)
 				}
 			} else if gotMsg != nil {
 				t.Errorf("decodeJSON: fatal = %q", *gotMsg)
 			} else if !reflect.DeepEqual(gotP.Elem().Interface(), tc.want) {
 				t.Errorf("decodeJSON: %#v, want %#v", gotP.Elem().Interface(), tc.want)
 			}
 		})
 	}
 }
 //go:linkname encodeJSON hakurei.app/cmd/hakurei.encodeJSON
 func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any)
 func TestEncodeJSON(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		v    any
 		want string
 	}{
 		{"marshaler", errorJSONMarshaler{},
 			`cannot encode json for main_test.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
 		{"default", func() {},
 			`cannot write json: json: unsupported type: func()`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			var called bool
 			encodeJSON(func(v ...any) {
 				if called {
 					t.Fatal("fatal called twice")
 				}
 				called = true
 				if v[0].(string) != tc.want {
 					t.Errorf("encodeJSON: fatal = %q, want %q", v[0].(string), tc.want)
 				}
 			}, nil, false, tc.v)
 			if !called {
 				t.Errorf("encodeJSON: success, want fatal %q", tc.want)
 			}
 		})
 	}
 }
 // errorJSONMarshaler implements json.Marshaler.
 type errorJSONMarshaler struct{}
 func (errorJSONMarshaler) MarshalJSON() ([]byte, error) { return nil, stub.UniqueError(0xdeadbeef) }
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -4,15 +4,16 @@ package main
 //go:generate cp ../../LICENSE .
 import (
 	"context"
 	_ "embed"
 	"errors"
 	"log"
 	"os"
 	"os/signal"
 	"syscall"
 	"hakurei.app/container"
-	"hakurei.app/internal"
+	"hakurei.app/message"
 	"hakurei.app/internal/hlog"
 	"hakurei.app/internal/sys"
 )
 var (
@@ -22,27 +23,34 @@ var (
 	license string
 )
-func init() { hlog.Prepare("hakurei") }
+// earlyHardeningErrs are errors collected while setting up early hardening feature.
-
+type earlyHardeningErrs struct{ yamaLSM, dumpable error }
 var std sys.State = new(sys.Std)
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
+	container.TryArgv0(nil)
-	if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
+	log.SetPrefix("hakurei: ")
-		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
+	log.SetFlags(0)
-		// not fatal: this program runs as the privileged user
+	msg := message.New(log.Default())
 	early := earlyHardeningErrs{
 		yamaLSM:  container.SetPtracer(0),
 		dumpable: container.SetDumpable(container.SUID_DUMP_DISABLE),
 	}
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
-	buildCommand(os.Stderr).MustParse(os.Args[1:], func(err error) {
+	ctx, stop := signal.NotifyContext(context.Background(),
-		hlog.Verbosef("command returned %v", err)
+		syscall.SIGINT, syscall.SIGTERM)
 	defer stop() // unreachable
 	buildCommand(ctx, msg, &early, os.Stderr).MustParse(os.Args[1:], func(err error) {
 		msg.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
-			hlog.BeforeExit()
+			msg.BeforeExit()
 			os.Exit(0)
 		}
 		// this catches faulty command handlers that fail to return before this point
--- a/cmd/hakurei/parse.go
+++ b/cmd/hakurei/parse.go
@@ -1,7 +1,7 @@
 package main
 import (
-	"encoding/json"
+	"encoding/hex"
 	"errors"
 	"io"
 	"log"
@@ -10,67 +10,94 @@ import (
 	"strings"
 	"syscall"
 	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
+	"hakurei.app/internal/outcome"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
 )
-func tryPath(name string) (config *hst.Config) {
+// tryPath attempts to read [hst.Config] from multiple sources.
-	var r io.Reader
+// tryPath reads from [os.Stdin] if name has value "-".
 // Otherwise, name is passed to tryFd, and if that returns nil, name is passed to [os.Open].
 func tryPath(msg message.Msg, name string) (config *hst.Config) {
 	var r io.ReadCloser
 	config = new(hst.Config)
 	if name != "-" {
-		r = tryFd(name)
+		r = tryFd(msg, name)
 		if r == nil {
-			hlog.Verbose("load configuration from file")
+			msg.Verbose("load configuration from file")
 			if f, err := os.Open(name); err != nil {
-				log.Fatalf("cannot access configuration file %q: %s", name, err)
+				log.Fatal(err.Error())
 				return
 			} else {
 				// finalizer closes f
 				r = f
 			}
 		} else {
 			defer func() {
 				if err := r.(io.ReadCloser).Close(); err != nil {
 					log.Printf("cannot close config fd: %v", err)
 				}
 			}()
 		}
 	} else {
 		r = os.Stdin
 	}
-	if err := json.NewDecoder(r).Decode(&config); err != nil {
+	decodeJSON(log.Fatal, "load configuration", r, &config)
-		log.Fatalf("cannot load configuration: %v", err)
+	if err := r.Close(); err != nil {
 		log.Fatal(err.Error())
 	}
 	return
 }
-func tryFd(name string) io.ReadCloser {
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding to a valid file descriptor.
 func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
-			hlog.Verbosef("name cannot be interpreted as int64: %v", err)
+			msg.Verbosef("name cannot be interpreted as int64: %v", err)
 		}
 		return nil
 	} else {
-		hlog.Verbosef("trying config stream from %d", v)
+		if v < 3 { // reject standard streams
 			return nil
 		}
 		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
 		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
-			if errors.Is(errno, syscall.EBADF) {
+			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
 			log.Fatalf("cannot get fd %d: %v", fd, errno)
 		}
 		if outcome.IsPollDescriptor(fd) { // reject runtime internals
 			log.Fatalf("invalid config stream %d", fd)
 		}
 		return os.NewFile(fd, strconv.Itoa(v))
 	}
 }
-func tryShort(name string) (config *hst.Config, entry *state.State) {
+// shortLengthMin is the minimum length a short form identifier can have and still be interpreted as an identifier.
-	likePrefix := false
+const shortLengthMin = 1 << 3
-	if len(name) <= 32 {
+
-		likePrefix = true
+// shortIdentifier returns an eight character short representation of [hst.ID] from its random bytes.
 func shortIdentifier(id *hst.ID) string {
 	return shortIdentifierString(id.String())
 }
 // shortIdentifierString implements shortIdentifier on an arbitrary string.
 func shortIdentifierString(s string) string {
 	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
 }
 // tryIdentifier attempts to match [hst.State] from a [hex] representation of [hst.ID] or a prefix of its lower half.
 func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
 	const (
 		likeShort = 1 << iota
 		likeFull
 	)
 	var likely uintptr
 	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) { // half the hex representation
 		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {
 				continue
@@ -78,33 +105,68 @@ func tryShort(name string) (config *hst.Config, entry *state.State) {
 			if c >= 'a' && c <= 'f' {
 				continue
 			}
-			likePrefix = false
+			return nil
 			break
 		}
 		likely |= likeShort
 	} else if len(name) == hex.EncodedLen(len(hst.ID{})) {
 		likely |= likeFull
 	}
-	// try to match from state store
+	if likely == 0 {
-	if likePrefix && len(name) >= 8 {
+		return nil
-		hlog.Verbose("argument looks like prefix")
+	}
-		s := state.NewMulti(std.Paths().RunDirPath)
+	entries, copyError := s.All()
-		if entries, err := state.Join(s); err != nil {
+	defer func() {
-			log.Printf("cannot join store: %v", err)
+		if err := copyError(); err != nil {
-			// drop to fetch from file
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
-		} else {
+		}
-			for id := range entries {
+	}()
-				v := id.String()
+
-				if strings.HasPrefix(v, name) {
+	switch {
-					// match, use config from this state entry
+	case likely&likeShort != 0:
-					entry = entries[id]
+		msg.Verbose("argument looks like short identifier")
-					config = entry.Config
+		for eh := range entries {
-					break
+			if eh.DecodeErr != nil {
 				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
 				continue
 			}
 			if strings.HasPrefix(eh.ID.String()[len(hst.ID{}):], name) {
 				var entry hst.State
 				if _, err := eh.Load(&entry); err != nil {
 					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
 					continue
 				}
-
+				return &entry
 				hlog.Verbosef("instance %s skipped", v)
 			}
 		}
-	}
+		return nil
-	return
+	case likely&likeFull != 0:
 		var likelyID hst.ID
 		if likelyID.UnmarshalText([]byte(name)) != nil {
 			return nil
 		}
 		msg.Verbose("argument looks like identifier")
 		for eh := range entries {
 			if eh.DecodeErr != nil {
 				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
 				continue
 			}
 			if eh.ID == likelyID {
 				var entry hst.State
 				if _, err := eh.Load(&entry); err != nil {
 					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
 					continue
 				}
 				return &entry
 			}
 		}
 		return nil
 	default:
 		panic("unreachable")
 	}
 }
--- a/cmd/hakurei/parse_test.go
+++ b/cmd/hakurei/parse_test.go
@@ -0,0 +1,117 @@
 package main
 import (
 	"bytes"
 	"reflect"
 	"testing"
 	"time"
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
 )
 func TestShortIdentifier(t *testing.T) {
 	t.Parallel()
 	id := hst.ID{
 		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
 		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
 	}
 	const want = "fedcba98"
 	if got := shortIdentifier(&id); got != want {
 		t.Errorf("shortIdentifier: %q, want %q", got, want)
 	}
 }
 func TestTryIdentifier(t *testing.T) {
 	t.Parallel()
 	msg := message.New(nil)
 	id := hst.ID{
 		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
 		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
 	}
 	withBase := func(extra ...hst.State) []hst.State {
 		return append([]hst.State{
 			{ID: (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))), PID: 0xbeef, ShimPID: 0xcafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef0)},
 			{ID: (hst.ID)(bytes.Repeat([]byte{0xab}, len(hst.ID{}))), PID: 0x1beef, ShimPID: 0x1cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef1)},
 			{ID: (hst.ID)(bytes.Repeat([]byte{0xf0}, len(hst.ID{}))), PID: 0x2beef, ShimPID: 0x2cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef2)},
 			{ID: (hst.ID)(bytes.Repeat([]byte{0xfe}, len(hst.ID{}))), PID: 0xbed, ShimPID: 0xfff, Config: func() *hst.Config {
 				template := hst.Template()
 				template.Identity = hst.IdentityEnd
 				return template
 			}(), Time: time.Unix(0, 0xcafebabe0)},
 			{ID: (hst.ID)(bytes.Repeat([]byte{0xfc}, len(hst.ID{}))), PID: 0x1bed, ShimPID: 0x1fff, Config: func() *hst.Config {
 				template := hst.Template()
 				template.Identity = 0xfc
 				return template
 			}(), Time: time.Unix(0, 0xcafebabe1)},
 			{ID: (hst.ID)(bytes.Repeat([]byte{0xce}, len(hst.ID{}))), PID: 0x2bed, ShimPID: 0x2fff, Config: func() *hst.Config {
 				template := hst.Template()
 				template.Identity = 0xce
 				return template
 			}(), Time: time.Unix(0, 0xcafebabe2)},
 		}, extra...)
 	}
 	sampleEntry := hst.State{
 		ID:      id,
 		PID:     0xcafe,
 		ShimPID: 0xdead,
 		Config:  hst.Template(),
 	}
 	testCases := []struct {
 		name string
 		s    string
 		data []hst.State
 		want *hst.State
 	}{
 		{"likely entries fault", "ffffffff", nil, nil},
 		{"likely short too short", "ff", nil, nil},
 		{"likely short too long", "fffffffffffffffff", nil, nil},
 		{"likely short invalid lower", "fffffff\x00", nil, nil},
 		{"likely short invalid higher", "0000000\xff", nil, nil},
 		{"short no match", "fedcba98", withBase(), nil},
 		{"short match", "fedcba98", withBase(sampleEntry), &sampleEntry},
 		{"short match single", "fedcba98", []hst.State{sampleEntry}, &sampleEntry},
 		{"short match longer", "fedcba98765", withBase(sampleEntry), &sampleEntry},
 		{"likely long invalid", "0123456789abcdeffedcba987654321\x00", nil, nil},
 		{"long no match", "0123456789abcdeffedcba9876543210", withBase(), nil},
 		{"long match", "0123456789abcdeffedcba9876543210", withBase(sampleEntry), &sampleEntry},
 		{"long match single", "0123456789abcdeffedcba9876543210", []hst.State{sampleEntry}, &sampleEntry},
 	}
 	for _, tc := range testCases {
 		base := check.MustAbs(t.TempDir()).Append("store")
 		s := store.New(base)
 		for i := range tc.data {
 			if h, err := s.Handle(tc.data[i].Identity); err != nil {
 				t.Fatalf("Handle: error = %v", err)
 			} else {
 				var unlock func()
 				if unlock, err = h.Lock(); err != nil {
 					t.Fatalf("Lock: error = %v", err)
 				}
 				_, err = h.Save(&tc.data[i])
 				unlock()
 				if err != nil {
 					t.Fatalf("Save: error = %v", err)
 				}
 			}
 		}
 		// store must not be written to beyond this point
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			got := tryIdentifier(msg, tc.s, store.New(base))
 			if !reflect.DeepEqual(got, tc.want) {
 				t.Errorf("tryIdentifier: %#v, want %#v", got, tc.want)
 			}
 		})
 	}
 }
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -1,54 +1,58 @@
 package main
 import (
-	"encoding/json"
+	"bytes"
 	"fmt"
 	"io"
 	"log"
 	"os"
 	"slices"
 	"strconv"
 	"strings"
 	"text/tabwriter"
 	"time"
 	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
+	"hakurei.app/internal"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/env"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
 )
 // printShowSystem populates and writes a representation of [hst.Info] to output.
 func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()
-	info := new(hst.Info)
+	info := &hst.Info{Version: internal.Version(), User: new(outcome.Hsu).MustID(nil)}
-
+	env.CopyPaths().Copy(&info.Paths, info.User)
 	// get fid by querying uid of aid 0
 	if uid, err := std.Uid(0); err != nil {
 		hlog.PrintBaseError(err, "cannot obtain uid from setuid wrapper:")
 		os.Exit(1)
 	} else {
 		info.User = (uid / 10000) - 100
 	}
 	if flagJSON {
-		printJSON(output, short, info)
+		encodeJSON(log.Fatal, output, short, info)
 		return
 	}
 	t.Printf("Version:\t%s\n", info.Version)
 	t.Printf("User:\t%d\n", info.User)
 	t.Printf("TempDir:\t%s\n", info.TempDir)
 	t.Printf("SharePath:\t%s\n", info.SharePath)
 	t.Printf("RuntimePath:\t%s\n", info.RuntimePath)
 	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
 }
 // printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
 func printShowInstance(
 	output io.Writer, now time.Time,
-	instance *state.State, config *hst.Config,
+	instance *hst.State, config *hst.Config,
-	short, flagJSON bool) {
+	short, flagJSON bool,
 ) (valid bool) {
 	valid = true
 	if flagJSON {
 		if instance != nil {
-			printJSON(output, short, instance)
+			encodeJSON(log.Fatal, output, short, instance)
 		} else {
-			printJSON(output, short, config)
+			encodeJSON(log.Fatal, output, short, config)
 		}
 		return
 	}
@@ -56,13 +60,21 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
-	if config.Container == nil {
+	if err := config.Validate(); err != nil {
-		mustPrint(output, "Warning: this configuration uses permissive defaults!\n\n")
+		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")
 		}
 	}
 	if config == nil {
 		// nothing to print
 		return
 	}
 	if instance != nil {
 		t.Printf("State\n")
-		t.Printf(" Instance:\t%s (%d)\n", instance.ID.String(), instance.PID)
+		t.Printf(" Instance:\t%s (%d -> %d)\n", instance.ID.String(), instance.PID, instance.ShimPID)
 		t.Printf(" Uptime:\t%s\n", now.Sub(instance.Time).Round(time.Second).String())
 		t.Printf("\n")
 	}
@@ -73,51 +85,37 @@ func printShowInstance(
 	} else {
 		t.Printf(" Identity:\t%d\n", config.Identity)
 	}
-	t.Printf(" Enablements:\t%s\n", config.Enablements.String())
+	t.Printf(" Enablements:\t%s\n", config.Enablements.Unwrap().String())
 	if len(config.Groups) > 0 {
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
 	if config.Data != "" {
 		t.Printf(" Data:\t%s\n", config.Data)
 	}
 	if config.Container != nil {
-		container := config.Container
+		if config.Container.Home != nil {
-		if container.Hostname != "" {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
 			t.Printf(" Hostname:\t%s\n", container.Hostname)
 		}
-		flags := make([]string, 0, 7)
+		if config.Container.Hostname != "" {
-		writeFlag := func(name string, value bool) {
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
-			if value {
+		}
-				flags = append(flags, name)
+		flags := config.Container.Flags.String()
 		// this is included in the upper hst.Config struct but is relevant here
 		const flagDirectWayland = "directwl"
 		if config.DirectWayland {
 			// hardcoded value when every flag is unset
 			if flags == "none" {
 				flags = flagDirectWayland
 			} else {
 				flags += ", " + flagDirectWayland
 			}
 		}
-		writeFlag("userns", container.Userns)
+		t.Printf(" Flags:\t%s\n", flags)
 		writeFlag("devel", container.Devel)
 		writeFlag("net", container.Net)
 		writeFlag("device", container.Device)
 		writeFlag("tty", container.Tty)
 		writeFlag("mapuid", container.MapRealUID)
 		writeFlag("directwl", config.DirectWayland)
 		writeFlag("autoetc", container.AutoEtc)
 		if len(flags) == 0 {
 			flags = append(flags, "none")
 		}
 		t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))
-		etc := container.Etc
+		if config.Container.Path != nil {
-		if etc == "" {
+			t.Printf(" Path:\t%s\n", config.Container.Path)
 			etc = "/etc"
 		}
-		t.Printf(" Etc:\t%s\n", etc)
+		if len(config.Container.Args) > 0 {
-
+			t.Printf(" Arguments:\t%s\n", strings.Join(config.Container.Args, " "))
 		if len(container.Cover) > 0 {
 			t.Printf(" Cover:\t%s\n", strings.Join(container.Cover, " "))
 		}
 		t.Printf(" Path:\t%s\n", config.Path)
 	}
 	if len(config.Args) > 0 {
 		t.Printf(" Arguments:\t%s\n", strings.Join(config.Args, " "))
 	}
 	t.Printf("\n")
@@ -125,46 +123,25 @@ func printShowInstance(
 		if config.Container != nil && len(config.Container.Filesystem) > 0 {
 			t.Printf("Filesystem\n")
 			for _, f := range config.Container.Filesystem {
-				if f == nil {
+				if !f.Valid() {
 					valid = false
 					t.Println(" <invalid>")
 					continue
 				}
-
+				t.Printf(" %s\n", f)
 				expr := new(strings.Builder)
 				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
 				if f.Device {
 					expr.WriteString(" d")
 				} else if f.Write {
 					expr.WriteString(" w")
 				} else {
 					expr.WriteString(" ")
 				}
 				if f.Must {
 					expr.WriteString("*")
 				} else {
 					expr.WriteString("+")
 				}
 				expr.WriteString(f.Src)
 				if f.Dst != "" {
 					expr.WriteString(":" + f.Dst)
 				}
 				t.Printf("%s\n", expr.String())
 			}
 			t.Printf("\n")
 		}
 		if len(config.ExtraPerms) > 0 {
 			t.Printf("Extra ACL\n")
-			for _, p := range config.ExtraPerms {
+			for i := range config.ExtraPerms {
-				if p == nil {
+				t.Printf(" %s\n", config.ExtraPerms[i].String())
 					continue
 				}
 				t.Printf(" %s\n", p.String())
 			}
 			t.Printf("\n")
 		}
 	}
-	printDBus := func(c *dbus.Config) {
+	printDBus := func(c *hst.BusConfig) {
 		t.Printf(" Filter:\t%v\n", c.Filter)
 		if len(c.See) > 0 {
 			t.Printf(" See:\t%q\n", c.See)
@@ -192,59 +169,57 @@ func printShowInstance(
 		printDBus(config.SystemBus)
 		t.Printf("\n")
 	}
 	return
 }
-func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON bool) {
+// printPs writes a representation of active instances to output.
-	var entries state.Entries
+func printPs(msg message.Msg, output io.Writer, now time.Time, s *store.Store, short, flagJSON bool) {
-	if e, err := state.Join(s); err != nil {
+	f := func(a func(eh *store.EntryHandle)) {
-		log.Fatalf("cannot join store: %v", err)
+		entries, copyError := s.All()
-	} else {
+		for eh := range entries {
-		entries = e
+			a(eh)
-	}
+		}
-	if err := s.Close(); err != nil {
+		if err := copyError(); err != nil {
-		log.Printf("cannot close store: %v", err)
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
 		}
 	}
-	if !short && flagJSON {
+	if short { // short output requires identifier only
-		es := make(map[string]*state.State, len(entries))
+		var identifiers []*hst.ID
-		for id, instance := range entries {
+		f(func(eh *store.EntryHandle) {
-			es[id.String()] = instance
+			if _, err := eh.Load(nil); err != nil { // passes through decode error
 				msg.GetLogger().Println(getMessage("cannot validate state entry header:", err))
 				return
 			}
 			identifiers = append(identifiers, &eh.ID)
 		})
 		slices.SortFunc(identifiers, func(a, b *hst.ID) int { return bytes.Compare(a[:], b[:]) })
 		if flagJSON {
 			encodeJSON(log.Fatal, output, short, identifiers)
 		} else {
 			for _, id := range identifiers {
 				mustPrintln(output, shortIdentifier(id))
 			}
 		}
 		printJSON(output, short, es)
 		return
 	}
-	// sort state entries by id string to ensure consistency between runs
+	// long output requires full instance state
-	exp := make([]*expandedStateEntry, 0, len(entries))
+	var instances []*hst.State
-	for id, instance := range entries {
+	f(func(eh *store.EntryHandle) {
-		// gracefully skip nil states
+		var state hst.State
-		if instance == nil {
+		if _, err := eh.Load(&state); err != nil { // passes through decode error
-			log.Printf("got invalid state entry %s", id.String())
+			msg.GetLogger().Println(getMessage("cannot load state entry:", err))
-			continue
+			return
 		}
 		instances = append(instances, &state)
 	})
 	slices.SortFunc(instances, func(a, b *hst.State) int { return bytes.Compare(a.ID[:], b.ID[:]) })
-		// gracefully skip inconsistent states
+	if flagJSON {
-		if id != instance.ID {
+		encodeJSON(log.Fatal, output, short, instances)
 			log.Printf("possible store corruption: entry %s has id %s",
 				id.String(), instance.ID.String())
 			continue
 		}
 		exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
 	}
 	slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
 	if short {
 		if flagJSON {
 			v := make([]string, len(exp))
 			for i, e := range exp {
 				v[i] = e.s
 			}
 			printJSON(output, short, v)
 		} else {
 			for _, e := range exp {
 				mustPrintln(output, e.s[:8])
 			}
 		}
 		return
 	}
@@ -252,61 +227,48 @@ func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON boo
 	defer t.MustFlush()
 	t.Println("\tInstance\tPID\tApplication\tUptime")
-	for _, e := range exp {
+	for _, instance := range instances {
 		if len(e.s) != 1<<5 {
 			// unreachable
 			log.Printf("possible store corruption: invalid instance string %s", e.s)
 			continue
 		}
 		as := "(No configuration information)"
-		if e.Config != nil {
+		if instance.Config != nil {
-			as = strconv.Itoa(e.Config.Identity)
+			as = strconv.Itoa(instance.Config.Identity)
-			id := e.Config.ID
+			id := instance.Config.ID
 			if id == "" {
-				id = "app.hakurei." + e.s[:8]
+				id = "app.hakurei." + shortIdentifier(&instance.ID)
 			}
 			as += " (" + id + ")"
 		}
 		t.Printf("\t%s\t%d\t%s\t%s\n",
-			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String())
+			shortIdentifier(&instance.ID), instance.PID, as, now.Sub(instance.Time).Round(time.Second).String())
 	}
 }
 type expandedStateEntry struct {
 	s string
 	*state.State
 }
 func printJSON(output io.Writer, short bool, v any) {
 	encoder := json.NewEncoder(output)
 	if !short {
 		encoder.SetIndent("", "  ")
 	}
 	if err := encoder.Encode(v); err != nil {
 		log.Fatalf("cannot serialise: %v", err)
 	}
 }
 // newPrinter returns a configured, wrapped [tabwriter.Writer].
 func newPrinter(output io.Writer) *tp { return &tp{tabwriter.NewWriter(output, 0, 1, 4, ' ', 0)} }
 // tp wraps [tabwriter.Writer] to provide additional formatting methods.
 type tp struct{ *tabwriter.Writer }
 // Printf calls [fmt.Fprintf] on the underlying [tabwriter.Writer].
 func (p *tp) Printf(format string, a ...any) {
 	if _, err := fmt.Fprintf(p, format, a...); err != nil {
 		log.Fatalf("cannot write to tabwriter: %v", err)
 	}
 }
 // Println calls [fmt.Fprintln] on the underlying [tabwriter.Writer].
 func (p *tp) Println(a ...any) {
 	if _, err := fmt.Fprintln(p, a...); err != nil {
 		log.Fatalf("cannot write to tabwriter: %v", err)
 	}
 }
 // MustFlush calls the Flush method of [tabwriter.Writer] and calls [log.Fatalf] on a non-nil error.
 func (p *tp) MustFlush() {
 	if err := p.Writer.Flush(); err != nil {
 		log.Fatalf("cannot flush tabwriter: %v", err)
 	}
 }
 func mustPrint(output io.Writer, a ...any) {
 	if _, err := fmt.Fprint(output, a...); err != nil {
 		log.Fatalf("cannot print: %v", err)
@@ -317,3 +279,11 @@ func mustPrintln(output io.Writer, a ...any) {
 		log.Fatalf("cannot print: %v", err)
 	}
 }
 // getMessage returns a [message.Error] message if available, or err prefixed with fallback otherwise.
 func getMessage(fallback string, err error) string {
 	if m, ok := message.GetMessage(err); ok {
 		return m
 	}
 	return fmt.Sprintln(fallback, err)
 }
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
--- a/cmd/hpkg/README
+++ b/cmd/hpkg/README
@@ -0,0 +1,7 @@
 This program is a proof of concept and is now deprecated. It is only kept
 around for API demonstration purposes and to make the most out of the test
 suite.
 This program is replaced by planterette, which can be found at
 https://git.gensokyo.uk/security/planterette. Development effort should be
 focused there instead.
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -0,0 +1,173 @@
 package main
 import (
 	"encoding/json"
 	"log"
 	"os"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 )
 type appInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 	// passed through to [hst.Config]
 	ID string `json:"id"`
 	// passed through to [hst.Config]
 	Identity int `json:"identity"`
 	// passed through to [hst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [hst.Config]
 	Devel bool `json:"devel,omitempty"`
 	// passed through to [hst.Config]
 	Userns bool `json:"userns,omitempty"`
 	// passed through to [hst.Config]
 	HostNet bool `json:"net,omitempty"`
 	// passed through to [hst.Config]
 	HostAbstract bool `json:"abstract,omitempty"`
 	// passed through to [hst.Config]
 	Device bool `json:"dev,omitempty"`
 	// passed through to [hst.Config]
 	Tty bool `json:"tty,omitempty"`
 	// passed through to [hst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
 	// passed through to [hst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// passed through to [hst.Config]
 	SystemBus *hst.BusConfig `json:"system_bus,omitempty"`
 	// passed through to [hst.Config]
 	SessionBus *hst.BusConfig `json:"session_bus,omitempty"`
 	// passed through to [hst.Config]
 	Enablements *hst.Enablements `json:"enablements,omitempty"`
 	// passed through to [hst.Config]
 	Multiarch bool `json:"multiarch,omitempty"`
 	// passed through to [hst.Config]
 	Bluetooth bool `json:"bluetooth,omitempty"`
 	// allow gpu access within sandbox
 	GPU bool `json:"gpu"`
 	// store path to nixGL mesa wrappers
 	Mesa string `json:"mesa,omitempty"`
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
 	Launcher *check.Absolute `json:"launcher"`
 	// store path to /run/current-system
 	CurrentSystem *check.Absolute `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }
 func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []string, flagDropShell bool) *hst.Config {
 	config := &hst.Config{
 		ID: app.ID,
 		Enablements: app.Enablements,
 		SystemBus:     app.SystemBus,
 		SessionBus:    app.SessionBus,
 		DirectWayland: app.DirectWayland,
 		Identity: app.Identity,
 		Groups:   app.Groups,
 		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name),
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsPrivateTmp.Append("app")}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
 			},
 			Username: "hakurei",
 			Shell:    pathShell,
 			Home:     pathDataData.Append(app.ID),
 			Path: pathname,
 			Args: argv,
 		},
 		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 	}
 	if app.Devel {
 		config.Container.Flags |= hst.FDevel
 	}
 	if app.Userns {
 		config.Container.Flags |= hst.FUserns
 	}
 	if app.HostNet {
 		config.Container.Flags |= hst.FHostNet
 	}
 	if app.HostAbstract {
 		config.Container.Flags |= hst.FHostAbstract
 	}
 	if app.Device {
 		config.Container.Flags |= hst.FDevice
 	}
 	if app.Tty || flagDropShell {
 		config.Container.Flags |= hst.FTty
 	}
 	if app.MapRealUID {
 		config.Container.Flags |= hst.FMapRealUID
 	}
 	if app.Multiarch {
 		config.Container.Flags |= hst.FMultiarch
 	}
 	config.Container.Flags |= hst.FShareRuntime | hst.FShareTmpdir
 	return config
 }
 func loadAppInfo(name string, beforeFail func()) *appInfo {
 	bundle := new(appInfo)
 	if f, err := os.Open(name); err != nil {
 		beforeFail()
 		log.Fatalf("cannot open bundle: %v", err)
 	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
 		beforeFail()
 		log.Fatalf("cannot parse bundle metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		log.Printf("cannot close bundle metadata: %v", err)
 		// not fatal
 	}
 	if bundle.ID == "" {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
 	if bundle.Launcher == nil {
 		beforeFail()
 		log.Fatal("launcher must not be empty")
 	}
 	if bundle.CurrentSystem == nil {
 		beforeFail()
 		log.Fatal("current-system must not be empty")
 	}
 	return bundle
 }
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		log.Printf("cannot get hostname: %v", err)
 		return "hakurei-" + name
 	} else {
 		return h + "-" + name
 	}
 }
--- a/cmd/planterette/build.nix
+++ b/cmd/planterette/build.nix
@@ -171,7 +171,12 @@ let
          broadcast = { };
        });
-    enablements = (if allow_wayland then 1 else 0) + (if allow_x11 then 2 else 0) + (if allow_dbus then 4 else 0) + (if allow_pulse then 8 else 0);
+    enablements = {
      wayland = allow_wayland;
      x11 = allow_x11;
      dbus = allow_dbus;
      pulse = allow_pulse;
    };
    mesa = if gpu then mesaWrappers else null;
    nix_gl = if gpu then nixGL else null;
@@ -215,15 +220,14 @@ stdenv.mkDerivation {
    # create binary cache
    closureInfo="${
      closureInfo {
-        rootPaths =
+        rootPaths = [
-          [
+          homeManagerConfiguration.activationPackage
-            homeManagerConfiguration.activationPackage
+          launcher
-            launcher
+        ]
-          ]
+        ++ optionals gpu [
-          ++ optionals gpu [
+          mesaWrappers
-            mesaWrappers
+          nixGL
-            nixGL
+        ];
          ];
      }
    }"
    echo "copying application paths..."
--- a/cmd/planterette/main.go
+++ b/cmd/planterette/main.go
@@ -11,25 +11,25 @@ import (
 	"syscall"
 	"hakurei.app/command"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/message"
 	"hakurei.app/internal/hlog"
 )
 const shellPath = "/run/current-system/sw/bin/bash"
 var (
 	errSuccess = errors.New("success")
 )
-func init() {
+func main() {
-	hlog.Prepare("planterette")
+	log.SetPrefix("hpkg: ")
-	if err := os.Setenv("SHELL", shellPath); err != nil {
+	log.SetFlags(0)
 	msg := message.New(log.Default())
 	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 }
 func main() {
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
@@ -42,7 +42,7 @@ func main() {
 		flagVerbose   bool
 		flagDropShell bool
 	)
-	c := command.New(os.Stderr, log.Printf, "planterette", func([]string) error { internal.InstallOutput(flagVerbose); return nil }).
+	c := command.New(os.Stderr, log.Printf, "hpkg", func([]string) error { msg.SwapVerbose(flagVerbose); return nil }).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
 		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
@@ -66,7 +66,7 @@ func main() {
 			}
 			/*
-				Look up paths to programs started by planterette.
+				Look up paths to programs started by hpkg.
 				This is done here to ease error handling as cleanup is not yet required.
 			*/
@@ -81,31 +81,32 @@ func main() {
 				Extract package and set up for cleanup.
 			*/
-			var workDir string
+			var workDir *check.Absolute
-			if p, err := os.MkdirTemp("", "planterette.*"); err != nil {
+			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
-			} else {
+			} else if workDir, err = check.NewAbs(p); err != nil {
-				workDir = p
+				log.Printf("invalid temporary directory: %v", err)
 				return err
 			}
 			cleanup := func() {
 				// should be faster than a native implementation
-				mustRun(chmod, "-R", "+w", workDir)
+				mustRun(msg, chmod, "-R", "+w", workDir.String())
-				mustRun(rm, "-rf", workDir)
+				mustRun(msg, rm, "-rf", workDir.String())
 			}
 			beforeRunFail.Store(&cleanup)
-			mustRun(tar, "-C", workDir, "-xf", pkgPath)
+			mustRun(msg, tar, "-C", workDir.String(), "-xf", pkgPath)
 			/*
 				Parse bundle and app metadata, do pre-install checks.
 			*/
-			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
+			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
 			pathSet := pathSetByApp(bundle.ID)
 			a := bundle
-			if s, err := os.Stat(pathSet.metaPath); err != nil {
+			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
 				if !os.IsNotExist(err) {
 					cleanup()
 					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
@@ -117,7 +118,7 @@ func main() {
 				log.Printf("metadata path %q is not a file", pathSet.metaPath)
 				return syscall.EBADMSG
 			} else {
-				a = loadAppInfo(pathSet.metaPath, cleanup)
+				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
 				if a.ID != bundle.ID {
 					cleanup()
 					log.Printf("app %q claims to have identifier %q",
@@ -148,10 +149,10 @@ func main() {
 				}
 				// sec: should compare version string
-				hlog.Verbosef("installing application %q version %q over local %q",
+				msg.Verbosef("installing application %q version %q over local %q",
 					bundle.ID, bundle.Version, a.Version)
 			} else {
-				hlog.Verbosef("application %q clean installation", bundle.ID)
+				msg.Verbosef("application %q clean installation", bundle.ID)
 				// sec: should install credentials
 			}
@@ -159,9 +160,9 @@ func main() {
 				Setup steps for files owned by the target user.
 			*/
-			withCacheDir(ctx, "install", []string{
+			withCacheDir(ctx, msg, "install", []string{
 				// export inner bundle path in the environment
-				"export BUNDLE=" + hst.Tmp + "/bundle",
+				"export BUNDLE=" + hst.PrivateTmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
@@ -181,7 +182,7 @@ func main() {
 			}, workDir, bundle, pathSet, flagDropShell, cleanup)
 			if bundle.GPU {
-				withCacheDir(ctx, "mesa-wrappers", []string{
+				withCacheDir(ctx, msg, "mesa-wrappers", []string{
 					// link nixGL mesa wrappers
 					"mkdir -p nix/.nixGL",
 					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
@@ -193,7 +194,7 @@ func main() {
 				Activate home-manager generation.
 			*/
-			withNixDaemon(ctx, "activate", []string{
+			withNixDaemon(ctx, msg, "activate", []string{
 				// clean up broken links
 				"mkdir -p .local/state/{nix,home-manager}",
 				"chmod -R +w .local/state/{nix,home-manager}",
@@ -208,7 +209,7 @@ func main() {
 			*/
 			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
+			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 				cleanup()
 				log.Printf("cannot create metadata file: %v", err)
 				return err
@@ -221,7 +222,7 @@ func main() {
 				// not fatal
 			}
-			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
+			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
 				cleanup()
 				log.Printf("cannot rename metadata file: %v", err)
 				return err
@@ -250,7 +251,7 @@ func main() {
 			id := args[0]
 			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath, func() {})
+			a := loadAppInfo(pathSet.metaPath.String(), func() {})
 			if a.ID != id {
 				log.Printf("app %q claims to have identifier %q", id, a.ID)
 				return syscall.EBADE
@@ -261,7 +262,7 @@ func main() {
 			*/
 			if a.GPU && flagAutoDrivers {
-				withNixDaemon(ctx, "nix-gl", []string{
+				withNixDaemon(ctx, msg, "nix-gl", []string{
 					"mkdir -p /nix/.nixGL/auto",
 					"rm -rf /nix/.nixGL/auto",
 					"export NIXPKGS_ALLOW_UNFREE=1",
@@ -274,13 +275,13 @@ func main() {
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
 				}, true, func(config *hst.Config) *hst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
+					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
-						{Src: "/etc/resolv.conf"},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
-						{Src: "/sys/block"},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
-						{Src: "/sys/bus"},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
-						{Src: "/sys/class"},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
-						{Src: "/sys/dev"},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
-						{Src: "/sys/devices"},
+						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
 					}...)
 					appendGPUFilesystem(config)
 					return config
@@ -291,15 +292,16 @@ func main() {
 				Create app configuration.
 			*/
 			pathname := a.Launcher
 			argv := make([]string, 1, len(args))
-			if !flagDropShell {
+			if flagDropShell {
-				argv[0] = a.Launcher
+				pathname = pathShell
 				argv[0] = bash
 			} else {
-				argv[0] = shellPath
+				argv[0] = a.Launcher.String()
 			}
 			argv = append(argv, args[1:]...)
-
+			config := a.toHst(pathSet, pathname, argv, flagDropShell)
 			config := a.toFst(pathSet, argv, flagDropShell)
 			/*
 				Expose GPU devices.
@@ -307,7 +309,7 @@ func main() {
 			if a.GPU {
 				config.Container.Filesystem = append(config.Container.Filesystem,
-					&hst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(hst.Tmp, "nixGL")})
+					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsPrivateTmp.Append("nixGL")}})
 				appendGPUFilesystem(config)
 			}
@@ -315,7 +317,7 @@ func main() {
 				Spawn app.
 			*/
-			mustRunApp(ctx, config, func() {})
+			mustRunApp(ctx, msg, config, func() {})
 			return errSuccess
 		}).
 			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
@@ -323,9 +325,9 @@ func main() {
 	}
 	c.MustParse(os.Args[1:], func(err error) {
-		hlog.Verbosef("command returned %v", err)
+		msg.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
-			hlog.BeforeExit()
+			msg.BeforeExit()
 			os.Exit(0)
 		}
 	})
--- a/cmd/hpkg/paths.go
+++ b/cmd/hpkg/paths.go
@@ -0,0 +1,117 @@
 package main
 import (
 	"log"
 	"os"
 	"os/exec"
 	"strconv"
 	"sync/atomic"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/message"
 )
 const bash = "bash"
 var (
 	dataHome *check.Absolute
 )
 func init() {
 	// dataHome
 	if a, err := check.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
 		dataHome = a
 	} else {
 		dataHome = fhs.AbsVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
 	}
 }
 var (
 	pathBin = fhs.AbsRoot.Append("bin")
 	pathNix           = check.MustAbs("/nix/")
 	pathNixStore      = pathNix.Append("store/")
 	pathCurrentSystem = fhs.AbsRun.Append("current-system")
 	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
 	pathShell         = pathSwBin.Append(bash)
 	pathData     = check.MustAbs("/data")
 	pathDataData = pathData.Append("data")
 )
 func lookPath(file string) string {
 	if p, err := exec.LookPath(file); err != nil {
 		log.Fatalf("%s: command not found", file)
 		return ""
 	} else {
 		return p
 	}
 }
 var beforeRunFail = new(atomic.Pointer[func()])
 func mustRun(msg message.Msg, name string, arg ...string) {
 	msg.Verbosef("spawning process: %q %q", name, arg)
 	cmd := exec.Command(name, arg...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	if err := cmd.Run(); err != nil {
 		if f := beforeRunFail.Swap(nil); f != nil {
 			(*f)()
 		}
 		log.Fatalf("%s: %v", name, err)
 	}
 }
 type appPathSet struct {
 	// ${dataHome}/${id}
 	baseDir *check.Absolute
 	// ${baseDir}/app
 	metaPath *check.Absolute
 	// ${baseDir}/files
 	homeDir *check.Absolute
 	// ${baseDir}/cache
 	cacheDir *check.Absolute
 	// ${baseDir}/cache/nix
 	nixPath *check.Absolute
 }
 func pathSetByApp(id string) *appPathSet {
 	pathSet := new(appPathSet)
 	pathSet.baseDir = dataHome.Append(id)
 	pathSet.metaPath = pathSet.baseDir.Append("app")
 	pathSet.homeDir = pathSet.baseDir.Append("files")
 	pathSet.cacheDir = pathSet.baseDir.Append("cache")
 	pathSet.nixPath = pathSet.cacheDir.Append("nix")
 	return pathSet
 }
 func appendGPUFilesystem(config *hst.Config) {
 	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("dri"), Device: true, Optional: true}},
 		// mali
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali0"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("umplock"), Device: true, Optional: true}},
 		// nvidia
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidiactl"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-modeset"), Device: true, Optional: true}},
 		// nvidia OpenCL/CUDA
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia1"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia3"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia5"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia7"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia9"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia11"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia13"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia15"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia17"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia19"), Device: true, Optional: true}},
 	}...)
 }
--- a/cmd/planterette/proc.go
+++ b/cmd/planterette/proc.go
@@ -11,12 +11,12 @@ import (
 	"hakurei.app/hst"
 	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
+	"hakurei.app/message"
 )
-var hakureiPath = internal.MustHakureiPath()
+var hakureiPathVal = internal.MustHakureiPath().String()
-func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
+func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
@@ -26,10 +26,10 @@ func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
 		beforeFail()
 		log.Fatalf("cannot pipe: %v", err)
 	} else {
-		if hlog.Load() {
+		if msg.IsVerbose() {
-			cmd = exec.CommandContext(ctx, hakureiPath, "-v", "app", "3")
+			cmd = exec.CommandContext(ctx, hakureiPathVal, "-v", "app", "3")
 		} else {
-			cmd = exec.CommandContext(ctx, hakureiPath, "app", "3")
+			cmd = exec.CommandContext(ctx, hakureiPathVal, "app", "3")
 		}
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		cmd.ExtraFiles = []*os.File{r}
@@ -51,7 +51,8 @@ func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
 		var exitError *exec.ExitError
 		if errors.As(err, &exitError) {
 			beforeFail()
-			internal.Exit(exitError.ExitCode())
+			msg.BeforeExit()
 			os.Exit(exitError.ExitCode())
 		} else {
 			beforeFail()
 			log.Fatalf("cannot wait: %v", err)
--- a/cmd/planterette/test/configuration.nix
+++ b/cmd/planterette/test/configuration.nix
--- a/cmd/planterette/test/default.nix
+++ b/cmd/planterette/test/default.nix
@@ -9,7 +9,7 @@ let
  buildPackage = self.buildPackage.${system};
 in
 nixosTest {
-  name = "planterette";
+  name = "hpkg";
  nodes.machine = {
    environment.etc = {
      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
--- a/cmd/planterette/test/foot.nix
+++ b/cmd/planterette/test/foot.nix
--- a/cmd/planterette/test/test.py
+++ b/cmd/planterette/test/test.py
@@ -58,15 +58,13 @@ def check_state(name, enablements):
    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
    if len(instances) != 1:
        raise Exception(f"unexpected state length {len(instances)}")
-    instance = next(iter(instances.values()))
+    instance = instances[0]
-    config = instance['config']
+    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
        raise Exception(f"unexpected args {instance['container']['args']}")
-    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['args'][0]):
+    if instance['enablements'] != enablements:
-        raise Exception(f"unexpected args {instance['config']['args']}")
+        raise Exception(f"unexpected enablements {instance['enablements']}")
    if config['enablements'] != enablements:
        raise Exception(f"unexpected enablements {instance['config']['enablements']}")
 start_all()
@@ -79,30 +77,34 @@ print(machine.succeed("sudo -u alice -i hakurei version"))
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")
-# Prepare planterette directory:
+# Prepare hpkg directory:
 machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
-# Install planterette app:
+# Install hpkg app:
-swaymsg("exec planterette -v install /etc/foot.pkg && touch /tmp/planterette-install-ok")
+swaymsg("exec hpkg -v install /etc/foot.pkg && touch /tmp/hpkg-install-ok")
-machine.wait_for_file("/tmp/planterette-install-ok")
+machine.wait_for_file("/tmp/hpkg-install-ok")
 # Start app (foot) with Wayland enablement:
-swaymsg("exec planterette -v start org.codeberg.dnkl.foot")
+swaymsg("exec hpkg -v start org.codeberg.dnkl.foot")
 wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")
+machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", 13)
+check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")
-# Print hakurei runDir contents:
+# Print hakurei share and rundir contents:
 print(machine.succeed("find /tmp/hakurei.0 "
    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
    + "-print"))
 print(machine.succeed("find /run/user/1000/hakurei"))
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@@ -0,0 +1,130 @@
 package main
 import (
 	"context"
 	"os"
 	"strings"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/message"
 )
 func withNixDaemon(
 	ctx context.Context,
 	msg message.Msg,
 	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
 	flags := hst.FMultiarch | hst.FUserns // nix sandbox requires userns
 	if net {
 		flags |= hst.FHostNet
 	}
 	if dropShell {
 		flags |= hst.FTty
 	}
 	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
 		ID: app.ID,
 		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 		Identity: app.Identity,
 		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name) + "-" + action,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
 			},
 			Username: "hakurei",
 			Shell:    pathShell,
 			Home:     pathDataData.Append(app.ID),
 			Path: pathShell,
 			Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 				// start nix-daemon
 				"nix-daemon --store / & " +
 				// wait for socket to appear
 				"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
 				// create directory so nix stops complaining
 				"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
 				strings.Join(command, " && ") +
 				// terminate nix-daemon
 				" && pkill nix-daemon",
 			},
 			Flags: flags,
 		},
 	}), dropShell, beforeFail)
 }
 func withCacheDir(
 	ctx context.Context,
 	msg message.Msg,
 	action string, command []string, workDir *check.Absolute,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
 	flags := hst.FMultiarch
 	if dropShell {
 		flags |= hst.FTty
 	}
 	mustRunAppDropShell(ctx, msg, &hst.Config{
 		ID: app.ID,
 		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			{Path: workDir, Execute: true},
 		},
 		Identity: app.Identity,
 		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name) + "-" + action,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: workDir.Append(fhs.Etc), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsPrivateTmp.Append("bundle")}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}},
 			},
 			Username: "nixos",
 			Shell:    pathShell,
 			Home:     pathDataData.Append(app.ID, "cache"),
 			Path: pathShell,
 			Args: []string{bash, "-lc", strings.Join(command, " && ")},
 			Flags: flags,
 		},
 	}, dropShell, beforeFail)
 }
 func mustRunAppDropShell(ctx context.Context, msg message.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
 		if config.Container != nil {
 			config.Container.Args = []string{bash, "-l"}
 		}
 		mustRunApp(ctx, msg, config, beforeFail)
 		beforeFail()
 		msg.BeforeExit()
 		os.Exit(0)
 	}
 	mustRunApp(ctx, msg, config, beforeFail)
 }
--- a/cmd/hsu/hst.go
+++ b/cmd/hsu/hst.go
@@ -0,0 +1,16 @@
 package main
 /* copied from hst and must never be changed */
 const (
 	userOffset = 100000
 	rangeSize  = userOffset / 10
 	identityStart = 0
 	identityEnd   = appEnd - appStart
 	appStart = rangeSize * 1
 	appEnd   = appStart + rangeSize - 1
 )
 func toUser(userid, appid uint32) uint32 { return userid*userOffset + appStart + appid }
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@@ -1,11 +1,14 @@
 package main
 // minimise imports to avoid inadvertently calling init or global variable functions
 import (
 	"bytes"
 	"fmt"
 	"log"
 	"os"
 	"path"
 	"runtime"
 	"slices"
 	"strconv"
 	"strings"
@@ -13,15 +16,23 @@ import (
 )
 const (
-	hsuConfFile = "/etc/hsurc"
+	// envIdentity is the name of the environment variable holding a
-	envShim     = "HAKUREI_SHIM"
+	// single byte representing the shim setup pipe file descriptor.
-	envAID      = "HAKUREI_APP_ID"
+	envShim = "HAKUREI_SHIM"
-	envGroups   = "HAKUREI_GROUPS"
+	// envGroups holds a ' ' separated list of string representations of
-
+	// supplementary group gid. Membership requirements are enforced.
-	PR_SET_NO_NEW_PRIVS = 0x26
+	envGroups = "HAKUREI_GROUPS"
 )
 // hakureiPath is the absolute path to Hakurei.
 //
 // This is set by the linker.
 var hakureiPath string
 func main() {
 	const PR_SET_NO_NEW_PRIVS = 0x26
 	runtime.LockOSThread()
 	log.SetFlags(0)
 	log.SetPrefix("hsu: ")
 	log.SetOutput(os.Stderr)
@@ -29,31 +40,34 @@ func main() {
 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
 	}
 	if os.Getegid() != os.Getgid() {
 		log.Fatal("this program must not have the setgid bit set")
 	}
 	puid := os.Getuid()
 	if puid == 0 {
 		log.Fatal("this program must not be started by root")
 	}
 	if !path.IsAbs(hakureiPath) {
 		log.Fatal("this program is compiled incorrectly")
 		return
 	}
 	var toolPath string
 	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
 		log.Fatal("hakurei executable has been deleted")
-	} else if p != mustCheckPath(hmain) {
+	} else if p != hakureiPath {
 		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
 	}
 	// uid = 1000000 +
 	//   fid * 10000 +
 	//           aid
 	uid := 1000000
 	// refuse to run if hsurc is not protected correctly
-	if s, err := os.Stat(hsuConfFile); err != nil {
+	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
 		log.Fatal("bad hsurc perm")
@@ -62,29 +76,13 @@ func main() {
 	}
 	// authenticate before accepting user input
-	if f, err := os.Open(hsuConfFile); err != nil {
+	userid := mustParseConfig(puid)
 		log.Fatal(err)
 	} else if fid, ok := mustParseConfig(f, puid); !ok {
 		log.Fatalf("uid %d is not in the hsurc file", puid)
 	} else {
 		uid += fid * 10000
 	}
 	// allowed aid range 0 to 9999
 	if as, ok := os.LookupEnv(envAID); !ok {
 		log.Fatal("HAKUREI_APP_ID not set")
 	} else if aid, err := parseUint32Fast(as); err != nil || aid < 0 || aid > 9999 {
 		log.Fatal("invalid aid")
 	} else {
 		uid += aid
 	}
 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
-		// hakurei requests target uid
+		// hakurei requests hsurc user id
-		// print resolved uid and exit
+		fmt.Print(userid)
 		fmt.Print(uid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
 		log.Fatal("HAKUREI_SHIM holds an invalid value")
@@ -92,6 +90,24 @@ func main() {
 		shimSetupFd = s
 	}
 	// start is going ahead at this point
 	identity := mustReadIdentity()
 	const (
 		// first possible uid outcome
 		uidStart = 10000
 		// last possible uid outcome
 		uidEnd = 999919999
 	)
 	// cast to int for use with library functions
 	uid := int(toUser(userid, identity))
 	// final bounds check to catch any bugs
 	if uid < uidStart || uid >= uidEnd {
 		panic("uid out of bounds")
 	}
 	// supplementary groups
 	var suppGroups, suppCurrent []int
@@ -119,11 +135,6 @@ func main() {
 		suppGroups = []int{uid}
 	}
 	// final bounds check to catch any bugs
 	if uid < 1000000 || uid >= 2000000 {
 		panic("uid out of bounds")
 	}
 	// careful! users in the allowlist is effectively allowed to drop groups via hsu
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
--- a/cmd/hsu/package.nix
+++ b/cmd/hsu/package.nix
@@ -19,5 +19,5 @@ buildGoModule {
  ldflags = lib.attrsets.foldlAttrs (
    ldflags: name: value:
    ldflags ++ [ "-X main.${name}=${value}" ]
-  ) [ "-s -w" ] { hmain = "${hakurei}/libexec/hakurei"; };
+  ) [ "-s -w" ] { hakureiPath = "${hakurei}/libexec/hakurei"; };
 }
--- a/cmd/hsu/parse.go
+++ b/cmd/hsu/parse.go
@@ -6,62 +6,128 @@ import (
 	"fmt"
 	"io"
 	"log"
 	"math"
 	"os"
 	"strings"
 )
-func parseUint32Fast(s string) (int, error) {
+const (
 	// useridStart is the first userid.
 	useridStart = 0
 	// useridEnd is the last userid.
 	useridEnd = useridStart + rangeSize - 1
 )
 // parseUint32Fast parses a string representation of an unsigned 32-bit integer value
 // using the fast path only. This limits the range of values it is defined in.
 func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
-		return -1, errors.New("zero length string")
+		return 0, errors.New("zero length string")
 	}
 	if sLen > 10 {
-		return -1, errors.New("string too long")
+		return 0, errors.New("string too long")
 	}
-	n := 0
+	var n uint32
 	for i, ch := range []byte(s) {
 		ch -= '0'
 		if ch > 9 {
-			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
+			return 0, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
 		}
-		n = n*10 + int(ch)
+		n = n*10 + uint32(ch)
 	}
 	return n, nil
 }
-func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
+// parseConfig reads a list of allowed users from r until it encounters puid or [io.EOF].
 //
 // Each line of the file specifies a hakurei userid to kernel uid mapping. A line consists
 // of the string representation of the uid of the user wishing to start hakurei containers,
 // followed by a space, followed by the string representation of its userid. Duplicate uid
 // entries are ignored, with the first occurrence taking effect.
 //
 // All string representations are parsed by calling parseUint32Fast.
 func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	s := bufio.NewScanner(r)
-	var line, puid0 int
+	var (
 		line  uintptr
 		puid0 uint32
 	)
 	for s.Scan() {
 		line++
-		// <puid> <fid>
+		// <puid> <userid>
 		lf := strings.SplitN(s.Text(), " ", 2)
 		if len(lf) != 2 {
-			return -1, false, fmt.Errorf("invalid entry on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid entry on line %d", line)
 		}
 		puid0, err = parseUint32Fast(lf[0])
 		if err != nil || puid0 < 1 {
-			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid parent uid on line %d", line)
 		}
 		ok = puid0 == puid
 		if ok {
-			// allowed fid range 0 to 99
+			// userid bound to a range, uint32 size allows this to be increased if needed
-			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
+			if userid, err = parseUint32Fast(lf[1]); err != nil ||
-				return -1, false, fmt.Errorf("invalid identity on line %d", line)
+				userid < useridStart || userid > useridEnd {
 				return useridEnd + 1, false, fmt.Errorf("invalid userid on line %d", line)
 			}
 			return
 		}
 	}
-	return -1, false, s.Err()
+	return useridEnd + 1, false, s.Err()
 }
-func mustParseConfig(r io.Reader, puid int) (int, bool) {
+// hsuConfPath is an absolute pathname to the hsu configuration file.
-	fid, ok, err := parseConfig(r, puid)
+// Its contents are interpreted by parseConfig.
-	if err != nil {
+const hsuConfPath = "/etc/hsurc"
 // mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
 // terminating the program if an error is encountered, the syntax is incorrect,
 // or the current user is not authorised to use hsu because its uid is missing.
 //
 // Therefore, code after this function call can assume an authenticated state.
 //
 // mustParseConfig returns the userid value of the current user.
 func mustParseConfig(puid int) (userid uint32) {
 	if puid > math.MaxUint32 {
 		log.Fatalf("got impossible uid %d", puid)
 	}
 	var ok bool
 	if f, err := os.Open(hsuConfPath); err != nil {
 		log.Fatal(err)
 	} else if userid, ok, err = parseConfig(f, uint32(puid)); err != nil {
 		log.Fatal(err)
 	} else if err = f.Close(); err != nil {
 		log.Fatal(err)
 	}
-	return fid, ok
+	if !ok {
 		log.Fatalf("uid %d is not in the hsurc file", puid)
 	}
 	return
 }
 // envIdentity is the name of the environment variable holding a
 // string representation of the current application identity.
 var envIdentity = "HAKUREI_IDENTITY"
 // mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
 // terminating the program if the value is not set, malformed, or out of bounds.
 func mustReadIdentity() uint32 {
 	// ranges defined in hst and copied to this package to avoid importing hst
 	if as, ok := os.LookupEnv(envIdentity); !ok {
 		log.Fatal("HAKUREI_IDENTITY not set")
 		panic("unreachable")
 	} else if identity, err := parseUint32Fast(as); err != nil ||
 		identity < identityStart || identity > identityEnd {
 		log.Fatal("invalid identity")
 		panic("unreachable")
 	} else {
 		return identity
 	}
 }
--- a/cmd/hsu/parse_test.go
+++ b/cmd/hsu/parse_test.go
@@ -2,94 +2,105 @@ package main
 import (
 	"bytes"
 	"math"
 	"strconv"
 	"testing"
 )
-func Test_parseUint32Fast(t *testing.T) {
+func TestParseUint32Fast(t *testing.T) {
 	t.Parallel()
 	t.Run("zero-length", func(t *testing.T) {
 		t.Parallel()
 		if _, err := parseUint32Fast(""); err == nil || err.Error() != "zero length string" {
 			t.Errorf(`parseUint32Fast(""): error = %v`, err)
 			return
 		}
 	})
 	t.Run("overflow", func(t *testing.T) {
 		t.Parallel()
 		if _, err := parseUint32Fast("10000000000"); err == nil || err.Error() != "string too long" {
 			t.Errorf("parseUint32Fast: error = %v", err)
 			return
 		}
 	})
 	t.Run("invalid byte", func(t *testing.T) {
 		t.Parallel()
 		if _, err := parseUint32Fast("meow"); err == nil || err.Error() != "invalid character 'm' at index 0" {
 			t.Errorf(`parseUint32Fast("meow"): error = %v`, err)
 			return
 		}
 	})
-	t.Run("full range", func(t *testing.T) {
+
-		testRange := func(i, end int) {
+	t.Run("range", func(t *testing.T) {
 		t.Parallel()
 		testRange := func(i, end uint32) {
 			for ; i < end; i++ {
-				s := strconv.Itoa(i)
+				s := strconv.Itoa(int(i))
 				w := i
 				t.Run("parse "+s, func(t *testing.T) {
 					t.Parallel()
 					v, err := parseUint32Fast(s)
 					if err != nil {
-						t.Errorf("parseUint32Fast(%q): error = %v",
+						t.Errorf("parseUint32Fast(%q): error = %v", s, err)
 							s, err)
 						return
 					}
 					if v != w {
-						t.Errorf("parseUint32Fast(%q): got %v",
+						t.Errorf("parseUint32Fast(%q): got %v", s, v)
 							s, v)
 						return
 					}
 				})
 			}
 		}
-		testRange(0, 5000)
+		testRange(0, 2500)
-		testRange(105000, 110000)
+		testRange(23002500, 23005000)
-		testRange(23005000, 23010000)
+		testRange(math.MaxUint32-2500, math.MaxUint32)
 		testRange(456005000, 456010000)
 		testRange(7890005000, 7890010000)
 	})
 }
-func Test_parseConfig(t *testing.T) {
+func TestParseConfig(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name       string
-		puid, want int
+		puid, want uint32
 		wantErr    string
 		rc         string
 	}{
-		{"empty", 0, -1, "", ``},
+		{"empty", 0, useridEnd + 1, "", ``},
-		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
+		{"invalid field", 0, useridEnd + 1, "invalid entry on line 1", `9`},
-		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
+		{"invalid puid", 0, useridEnd + 1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
+		{"invalid userid", 1000, useridEnd + 1, "invalid userid on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			t.Parallel()
 			userid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
 			if err == nil && tc.wantErr != "" {
-				t.Errorf("parseConfig: error = %v; wantErr %q",
+				t.Errorf("parseConfig: error = %v; want %q", err, tc.wantErr)
 					err, tc.wantErr)
 				return
 			}
 			if err != nil && err.Error() != tc.wantErr {
-				t.Errorf("parseConfig: error = %q; wantErr %q",
+				t.Errorf("parseConfig: error = %q; want %q", err, tc.wantErr)
 					err, tc.wantErr)
 				return
 			}
-			if ok == (tc.want == -1) {
+			if ok == (tc.want == useridEnd+1) {
-				t.Errorf("parseConfig: ok = %v; want %v",
+				t.Errorf("parseConfig: ok = %v; want %v", ok, tc.want)
 					ok, tc.want)
 				return
 			}
-			if fid != tc.want {
+			if userid != tc.want {
-				t.Errorf("parseConfig: fid = %v; want %v",
+				t.Errorf("parseConfig: %v; want %v", userid, tc.want)
 					fid, tc.want)
 			}
 		})
 	}
--- a/cmd/hsu/path.go
+++ b/cmd/hsu/path.go
@@ -1,20 +0,0 @@
 package main
 import (
 	"log"
 	"path"
 )
 const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
 var (
 	hmain = compPoison
 )
 func mustCheckPath(p string) string {
 	if p != compPoison && p != "" && path.IsAbs(p) {
 		return p
 	}
 	log.Fatal("this program is compiled incorrectly")
 	return compPoison
 }
--- a/cmd/planterette/app.go
+++ b/cmd/planterette/app.go
@@ -1,154 +0,0 @@
 package main
 import (
 	"encoding/json"
 	"log"
 	"os"
 	"path"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/system"
 	"hakurei.app/system/dbus"
 )
 type appInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 	// passed through to [hst.Config]
 	ID string `json:"id"`
 	// passed through to [hst.Config]
 	Identity int `json:"identity"`
 	// passed through to [hst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [hst.Config]
 	Devel bool `json:"devel,omitempty"`
 	// passed through to [hst.Config]
 	Userns bool `json:"userns,omitempty"`
 	// passed through to [hst.Config]
 	Net bool `json:"net,omitempty"`
 	// passed through to [hst.Config]
 	Device bool `json:"dev,omitempty"`
 	// passed through to [hst.Config]
 	Tty bool `json:"tty,omitempty"`
 	// passed through to [hst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
 	// passed through to [hst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// passed through to [hst.Config]
 	SystemBus *dbus.Config `json:"system_bus,omitempty"`
 	// passed through to [hst.Config]
 	SessionBus *dbus.Config `json:"session_bus,omitempty"`
 	// passed through to [hst.Config]
 	Enablements system.Enablement `json:"enablements"`
 	// passed through to [hst.Config]
 	Multiarch bool `json:"multiarch,omitempty"`
 	// passed through to [hst.Config]
 	Bluetooth bool `json:"bluetooth,omitempty"`
 	// allow gpu access within sandbox
 	GPU bool `json:"gpu"`
 	// store path to nixGL mesa wrappers
 	Mesa string `json:"mesa,omitempty"`
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
 	Launcher string `json:"launcher"`
 	// store path to /run/current-system
 	CurrentSystem string `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }
 func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *hst.Config {
 	config := &hst.Config{
 		ID: app.ID,
 		Path: argv[0],
 		Args: argv,
 		Enablements: app.Enablements,
 		SystemBus:     app.SystemBus,
 		SessionBus:    app.SessionBus,
 		DirectWayland: app.DirectWayland,
 		Username: "hakurei",
 		Shell:    shellPath,
 		Data:     pathSet.homeDir,
 		Dir:      path.Join("/data/data", app.ID),
 		Identity: app.Identity,
 		Groups:   app.Groups,
 		Container: &hst.ContainerConfig{
 			Hostname:   formatHostname(app.Name),
 			Devel:      app.Devel,
 			Userns:     app.Userns,
 			Net:        app.Net,
 			Device:     app.Device,
 			Tty:        app.Tty || flagDropShell,
 			MapRealUID: app.MapRealUID,
 			Filesystem: []*hst.FilesystemConfig{
 				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
 				{Src: pathSet.metaPath, Dst: path.Join(hst.Tmp, "app"), Must: true},
 				{Src: "/etc/resolv.conf"},
 				{Src: "/sys/block"},
 				{Src: "/sys/bus"},
 				{Src: "/sys/class"},
 				{Src: "/sys/dev"},
 				{Src: "/sys/devices"},
 			},
 			Link: [][2]string{
 				{app.CurrentSystem, "/run/current-system"},
 				{"/run/current-system/sw/bin", "/bin"},
 				{"/run/current-system/sw/bin", "/usr/bin"},
 			},
 			Etc:     path.Join(pathSet.cacheDir, "etc"),
 			AutoEtc: true,
 		},
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 	}
 	if app.Multiarch {
 		config.Container.SeccompFlags |= seccomp.AllowMultiarch
 	}
 	if app.Bluetooth {
 		config.Container.SeccompFlags |= seccomp.AllowBluetooth
 	}
 	return config
 }
 func loadAppInfo(name string, beforeFail func()) *appInfo {
 	bundle := new(appInfo)
 	if f, err := os.Open(name); err != nil {
 		beforeFail()
 		log.Fatalf("cannot open bundle: %v", err)
 	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
 		beforeFail()
 		log.Fatalf("cannot parse bundle metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		log.Printf("cannot close bundle metadata: %v", err)
 		// not fatal
 	}
 	if bundle.ID == "" {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
 	return bundle
 }
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		log.Printf("cannot get hostname: %v", err)
 		return "hakurei-" + name
 	} else {
 		return h + "-" + name
 	}
 }
--- a/cmd/planterette/paths.go
+++ b/cmd/planterette/paths.go
@@ -1,101 +0,0 @@
 package main
 import (
 	"log"
 	"os"
 	"os/exec"
 	"path"
 	"strconv"
 	"sync/atomic"
 	"hakurei.app/hst"
 	"hakurei.app/internal/hlog"
 )
 var (
 	dataHome string
 )
 func init() {
 	// dataHome
 	if p, ok := os.LookupEnv("HAKUREI_DATA_HOME"); ok {
 		dataHome = p
 	} else {
 		dataHome = "/var/lib/hakurei/" + strconv.Itoa(os.Getuid())
 	}
 }
 func lookPath(file string) string {
 	if p, err := exec.LookPath(file); err != nil {
 		log.Fatalf("%s: command not found", file)
 		return ""
 	} else {
 		return p
 	}
 }
 var beforeRunFail = new(atomic.Pointer[func()])
 func mustRun(name string, arg ...string) {
 	hlog.Verbosef("spawning process: %q %q", name, arg)
 	cmd := exec.Command(name, arg...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	if err := cmd.Run(); err != nil {
 		if f := beforeRunFail.Swap(nil); f != nil {
 			(*f)()
 		}
 		log.Fatalf("%s: %v", name, err)
 	}
 }
 type appPathSet struct {
 	// ${dataHome}/${id}
 	baseDir string
 	// ${baseDir}/app
 	metaPath string
 	// ${baseDir}/files
 	homeDir string
 	// ${baseDir}/cache
 	cacheDir string
 	// ${baseDir}/cache/nix
 	nixPath string
 }
 func pathSetByApp(id string) *appPathSet {
 	pathSet := new(appPathSet)
 	pathSet.baseDir = path.Join(dataHome, id)
 	pathSet.metaPath = path.Join(pathSet.baseDir, "app")
 	pathSet.homeDir = path.Join(pathSet.baseDir, "files")
 	pathSet.cacheDir = path.Join(pathSet.baseDir, "cache")
 	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
 	return pathSet
 }
 func appendGPUFilesystem(config *hst.Config) {
 	config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{Src: "/dev/dri", Device: true},
 		// mali
 		{Src: "/dev/mali", Device: true},
 		{Src: "/dev/mali0", Device: true},
 		{Src: "/dev/umplock", Device: true},
 		// nvidia
 		{Src: "/dev/nvidiactl", Device: true},
 		{Src: "/dev/nvidia-modeset", Device: true},
 		// nvidia OpenCL/CUDA
 		{Src: "/dev/nvidia-uvm", Device: true},
 		{Src: "/dev/nvidia-uvm-tools", Device: true},
 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
 		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
 		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
 		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
 		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
 		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
 		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
 		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
 		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
 		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
 		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
 	}...)
 }
--- a/cmd/planterette/with.go
+++ b/cmd/planterette/with.go
@@ -1,114 +0,0 @@
 package main
 import (
 	"context"
 	"path"
 	"strings"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 )
 func withNixDaemon(
 	ctx context.Context,
 	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
 	mustRunAppDropShell(ctx, updateConfig(&hst.Config{
 		ID: app.ID,
 		Path: shellPath,
 		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 			// start nix-daemon
 			"nix-daemon --store / & " +
 			// wait for socket to appear
 			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
 			// create directory so nix stops complaining
 			"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
 			strings.Join(command, " && ") +
 			// terminate nix-daemon
 			" && pkill nix-daemon",
 		},
 		Username: "hakurei",
 		Shell:    shellPath,
 		Data:     pathSet.homeDir,
 		Dir:      path.Join("/data/data", app.ID),
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 		Identity: app.Identity,
 		Container: &hst.ContainerConfig{
 			Hostname:     formatHostname(app.Name) + "-" + action,
 			Userns:       true, // nix sandbox requires userns
 			Net:          net,
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
 			Filesystem: []*hst.FilesystemConfig{
 				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
 			},
 			Link: [][2]string{
 				{app.CurrentSystem, "/run/current-system"},
 				{"/run/current-system/sw/bin", "/bin"},
 				{"/run/current-system/sw/bin", "/usr/bin"},
 			},
 			Etc:     path.Join(pathSet.cacheDir, "etc"),
 			AutoEtc: true,
 		},
 	}), dropShell, beforeFail)
 }
 func withCacheDir(
 	ctx context.Context,
 	action string, command []string, workDir string,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
 	mustRunAppDropShell(ctx, &hst.Config{
 		ID: app.ID,
 		Path: shellPath,
 		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
 		Username: "nixos",
 		Shell:    shellPath,
 		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
 		Dir:      path.Join("/data/data", app.ID, "cache"),
 		ExtraPerms: []*hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			{Path: workDir, Execute: true},
 		},
 		Identity: app.Identity,
 		Container: &hst.ContainerConfig{
 			Hostname:     formatHostname(app.Name) + "-" + action,
 			SeccompFlags: seccomp.AllowMultiarch,
 			Tty:          dropShell,
 			Filesystem: []*hst.FilesystemConfig{
 				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
 				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},
 			},
 			Link: [][2]string{
 				{app.CurrentSystem, "/run/current-system"},
 				{"/run/current-system/sw/bin", "/bin"},
 				{"/run/current-system/sw/bin", "/usr/bin"},
 			},
 			Etc:     path.Join(workDir, "etc"),
 			AutoEtc: true,
 		},
 	}, dropShell, beforeFail)
 }
 func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
 		config.Args = []string{shellPath, "-l"}
 		mustRunApp(ctx, config, beforeFail)
 		beforeFail()
 		internal.Exit(0)
 	}
 	mustRunApp(ctx, config, beforeFail)
 }
--- a/command/builder_test.go
+++ b/command/builder_test.go
@@ -7,6 +7,7 @@ import (
 )
 func TestBuild(t *testing.T) {
 	t.Parallel()
 	c := command.New(nil, nil, "test", nil)
 	stubHandler := func([]string) error { panic("unreachable") }
--- a/command/parse_test.go
+++ b/command/parse_test.go
@@ -14,6 +14,8 @@ import (
 )
 func TestParse(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name      string
 		buildTree func(wout, wlog io.Writer) command.Command
@@ -251,6 +253,7 @@ Commands:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			wout, wlog := new(bytes.Buffer), new(bytes.Buffer)
 			c := tc.buildTree(wout, wlog)
--- a/command/unreachable_test.go
+++ b/command/unreachable_test.go
@@ -6,15 +6,19 @@ import (
 )
 func TestParseUnreachable(t *testing.T) {
 	t.Parallel()
 	// top level bypasses name matching and recursive calls to Parse
 	// returns when encountering zero-length args
 	t.Run("zero-length args", func(t *testing.T) {
 		t.Parallel()
 		defer checkRecover(t, "Parse", "attempted to parse with zero length args")
 		_ = newNode(panicWriter{}, nil, " ", " ").Parse(nil)
 	})
 	// top level must not have siblings
 	t.Run("toplevel siblings", func(t *testing.T) {
 		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid toplevel state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		n.append(newNode(panicWriter{}, nil, "  ", " "))
@@ -23,6 +27,7 @@ func TestParseUnreachable(t *testing.T) {
 	// a node with descendents must not have a direct handler
 	t.Run("sub handle conflict", func(t *testing.T) {
 		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid subcommand tree state")
 		n := newNode(panicWriter{}, nil, " ", " ")
 		n.adopt(newNode(panicWriter{}, nil, " ", " "))
@@ -32,6 +37,7 @@ func TestParseUnreachable(t *testing.T) {
 	// this would only happen if a node was matched twice
 	t.Run("parsed flag set", func(t *testing.T) {
 		t.Parallel()
 		defer checkRecover(t, "Parse", "invalid set state")
 		n := newNode(panicWriter{}, nil, " ", "")
 		set := flag.NewFlagSet("parsed", flag.ContinueOnError)
--- a/container/autoetc.go
+++ b/container/autoetc.go
@@ -0,0 +1,71 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 )
 func init() { gob.Register(new(AutoEtcOp)) }
 // Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
 func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	e := &AutoEtcOp{prefix}
 	f.Mkdir(fhs.AbsEtc, 0755)
 	f.Bind(host, e.hostPath(), 0)
 	*f = append(*f, e)
 	return f
 }
 type AutoEtcOp struct{ Prefix string }
 func (e *AutoEtcOp) Valid() bool                                { return e != nil }
 func (e *AutoEtcOp) early(*setupState, syscallDispatcher) error { return nil }
 func (e *AutoEtcOp) apply(state *setupState, k syscallDispatcher) error {
 	if state.nonrepeatable&nrAutoEtc != 0 {
 		return OpRepeatError("autoetc")
 	}
 	state.nonrepeatable |= nrAutoEtc
 	const target = sysrootPath + fhs.Etc
 	rel := e.hostRel() + "/"
 	if err := k.mkdirAll(target, 0755); err != nil {
 		return err
 	}
 	if d, err := k.readdir(toSysroot(e.hostPath().String())); err != nil {
 		return err
 	} else {
 		for _, ent := range d {
 			n := ent.Name()
 			switch n {
 			case ".host", "passwd", "group":
 			case "mtab":
 				if err = k.symlink(fhs.Proc+"mounts", target+n); err != nil {
 					return err
 				}
 			default:
 				if err = k.symlink(rel+n, target+n); err != nil {
 					return err
 				}
 			}
 		}
 	}
 	return nil
 }
 func (e *AutoEtcOp) hostPath() *check.Absolute { return fhs.AbsEtc.Append(e.hostRel()) }
 func (e *AutoEtcOp) hostRel() string           { return ".host/" + e.Prefix }
 func (e *AutoEtcOp) Is(op Op) bool {
 	ve, ok := op.(*AutoEtcOp)
 	return ok && e.Valid() && ve.Valid() && *e == *ve
 }
 func (*AutoEtcOp) prefix() (string, bool) { return "setting up", true }
 func (e *AutoEtcOp) String() string       { return fmt.Sprintf("auto etc %s", e.Prefix) }
--- a/container/autoetc_test.go
+++ b/container/autoetc_test.go
@@ -0,0 +1,297 @@
 package container
 import (
 	"errors"
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestAutoEtcOp(t *testing.T) {
 	t.Parallel()
 	t.Run("nonrepeatable", func(t *testing.T) {
 		t.Parallel()
 		wantErr := OpRepeatError("autoetc")
 		if err := (&AutoEtcOp{Prefix: "81ceabb30d37bbdb3868004629cb84e9"}).apply(&setupState{nonrepeatable: nrAutoEtc}, nil); !errors.Is(err, wantErr) {
 			t.Errorf("apply: error = %v, want %v", err, wantErr)
 		}
 	})
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mkdirAll", new(Params), &AutoEtcOp{
 			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, stub.UniqueError(3)),
 		}, stub.UniqueError(3)},
 		{"readdir", new(Params), &AutoEtcOp{
 			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
 			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(), stub.UniqueError(2)),
 		}, stub.UniqueError(2)},
 		{"symlink", new(Params), &AutoEtcOp{
 			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
 			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(".host",
 				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
 				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
 				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
 				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
 				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
 				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
 				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
 				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"symlink mtab", new(Params), &AutoEtcOp{
 			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
 			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(".host",
 				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
 				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
 				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
 				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
 				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
 				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
 				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
 				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bash_logout", "/sysroot/etc/bash_logout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bashrc", "/sysroot/etc/bashrc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/binfmt.d", "/sysroot/etc/binfmt.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dbus-1", "/sysroot/etc/dbus-1"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/default", "/sysroot/etc/default"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dhcpcd.exit-hook", "/sysroot/etc/dhcpcd.exit-hook"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fonts", "/sysroot/etc/fonts"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fstab", "/sysroot/etc/fstab"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fuse.conf", "/sysroot/etc/fuse.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/host.conf", "/sysroot/etc/host.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hostname", "/sysroot/etc/hostname"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hosts", "/sysroot/etc/hosts"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hsurc", "/sysroot/etc/hsurc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/inputrc", "/sysroot/etc/inputrc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/issue", "/sysroot/etc/issue"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/kbd", "/sysroot/etc/kbd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/locale.conf", "/sysroot/etc/locale.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/login.defs", "/sysroot/etc/login.defs"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lsb-release", "/sysroot/etc/lsb-release"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lvm", "/sysroot/etc/lvm"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/machine-id", "/sysroot/etc/machine-id"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/man_db.conf", "/sysroot/etc/man_db.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/mdadm.conf", "/sysroot/etc/mdadm.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modprobe.d", "/sysroot/etc/modprobe.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modules-load.d", "/sysroot/etc/modules-load.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success nested", new(Params), &AutoEtcOp{
 			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
 			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(".host",
 				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
 				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
 				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
 				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
 				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
 				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
 				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
 				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bash_logout", "/sysroot/etc/bash_logout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bashrc", "/sysroot/etc/bashrc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/binfmt.d", "/sysroot/etc/binfmt.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dbus-1", "/sysroot/etc/dbus-1"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/default", "/sysroot/etc/default"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dhcpcd.exit-hook", "/sysroot/etc/dhcpcd.exit-hook"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fonts", "/sysroot/etc/fonts"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fstab", "/sysroot/etc/fstab"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fuse.conf", "/sysroot/etc/fuse.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/host.conf", "/sysroot/etc/host.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hostname", "/sysroot/etc/hostname"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hosts", "/sysroot/etc/hosts"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hsurc", "/sysroot/etc/hsurc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/inputrc", "/sysroot/etc/inputrc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/issue", "/sysroot/etc/issue"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/kbd", "/sysroot/etc/kbd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/locale.conf", "/sysroot/etc/locale.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/login.defs", "/sysroot/etc/login.defs"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lsb-release", "/sysroot/etc/lsb-release"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lvm", "/sysroot/etc/lvm"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/machine-id", "/sysroot/etc/machine-id"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/man_db.conf", "/sysroot/etc/man_db.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/mdadm.conf", "/sysroot/etc/mdadm.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modprobe.d", "/sysroot/etc/modprobe.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modules-load.d", "/sysroot/etc/modules-load.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nanorc", "/sysroot/etc/nanorc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/netgroup", "/sysroot/etc/netgroup"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nix", "/sysroot/etc/nix"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nixos", "/sysroot/etc/nixos"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/NIXOS", "/sysroot/etc/NIXOS"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nscd.conf", "/sysroot/etc/nscd.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nsswitch.conf", "/sysroot/etc/nsswitch.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/os-release", "/sysroot/etc/os-release"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam", "/sysroot/etc/pam"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam.d", "/sysroot/etc/pam.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pipewire", "/sysroot/etc/pipewire"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pki", "/sysroot/etc/pki"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/polkit-1", "/sysroot/etc/polkit-1"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/profile", "/sysroot/etc/profile"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/protocols", "/sysroot/etc/protocols"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolv.conf", "/sysroot/etc/resolv.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolvconf.conf", "/sysroot/etc/resolvconf.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/rpc", "/sysroot/etc/rpc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/services", "/sysroot/etc/services"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/set-environment", "/sysroot/etc/set-environment"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shadow", "/sysroot/etc/shadow"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shells", "/sysroot/etc/shells"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssh", "/sysroot/etc/ssh"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssl", "/sysroot/etc/ssl"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/static", "/sysroot/etc/static"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subgid", "/sysroot/etc/subgid"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subuid", "/sysroot/etc/subuid"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sudoers", "/sysroot/etc/sudoers"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sway", "/sysroot/etc/sway"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sysctl.d", "/sysroot/etc/sysctl.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/systemd", "/sysroot/etc/systemd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/terminfo", "/sysroot/etc/terminfo"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/tmpfiles.d", "/sysroot/etc/tmpfiles.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/udev", "/sysroot/etc/udev"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/vconsole.conf", "/sysroot/etc/vconsole.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/X11", "/sysroot/etc/X11"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/xdg", "/sysroot/etc/xdg"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/zoneinfo", "/sysroot/etc/zoneinfo"}, nil, nil),
 		}, nil},
 		{"success", new(Params), &AutoEtcOp{
 			Prefix: "81ceabb30d37bbdb3868004629cb84e9",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc/", os.FileMode(0755)}, nil, nil),
 			call("readdir", stub.ExpectArgs{"/sysroot/etc/.host/81ceabb30d37bbdb3868004629cb84e9"}, stubDir(
 				"alsa", "bash_logout", "bashrc", "binfmt.d", "dbus-1", "default", "dhcpcd.exit-hook", "fonts",
 				"fstab", "fuse.conf", "group", "host.conf", "hostname", "hosts", "hsurc", "inputrc", "issue", "kbd",
 				"locale.conf", "login.defs", "lsb-release", "lvm", "machine-id", "man_db.conf", "mdadm.conf",
 				"modprobe.d", "modules-load.d", "mtab", "nanorc", "netgroup", "nix", "nixos", "NIXOS", "nscd.conf",
 				"nsswitch.conf", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1", "profile",
 				"protocols", "resolv.conf", "resolvconf.conf", "rpc", "services", "set-environment", "shadow", "shells",
 				"ssh", "ssl", "static", "subgid", "subuid", "sudoers", "sway", "sysctl.d", "systemd", "terminfo",
 				"tmpfiles.d", "udev", "vconsole.conf", "X11", "xdg", "zoneinfo"), nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/alsa", "/sysroot/etc/alsa"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bash_logout", "/sysroot/etc/bash_logout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/bashrc", "/sysroot/etc/bashrc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/binfmt.d", "/sysroot/etc/binfmt.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dbus-1", "/sysroot/etc/dbus-1"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/default", "/sysroot/etc/default"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/dhcpcd.exit-hook", "/sysroot/etc/dhcpcd.exit-hook"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fonts", "/sysroot/etc/fonts"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fstab", "/sysroot/etc/fstab"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/fuse.conf", "/sysroot/etc/fuse.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/host.conf", "/sysroot/etc/host.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hostname", "/sysroot/etc/hostname"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hosts", "/sysroot/etc/hosts"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/hsurc", "/sysroot/etc/hsurc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/inputrc", "/sysroot/etc/inputrc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/issue", "/sysroot/etc/issue"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/kbd", "/sysroot/etc/kbd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/locale.conf", "/sysroot/etc/locale.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/login.defs", "/sysroot/etc/login.defs"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lsb-release", "/sysroot/etc/lsb-release"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/lvm", "/sysroot/etc/lvm"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/machine-id", "/sysroot/etc/machine-id"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/man_db.conf", "/sysroot/etc/man_db.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/mdadm.conf", "/sysroot/etc/mdadm.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modprobe.d", "/sysroot/etc/modprobe.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/modules-load.d", "/sysroot/etc/modules-load.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nanorc", "/sysroot/etc/nanorc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/netgroup", "/sysroot/etc/netgroup"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nix", "/sysroot/etc/nix"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nixos", "/sysroot/etc/nixos"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/NIXOS", "/sysroot/etc/NIXOS"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nscd.conf", "/sysroot/etc/nscd.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/nsswitch.conf", "/sysroot/etc/nsswitch.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/os-release", "/sysroot/etc/os-release"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam", "/sysroot/etc/pam"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pam.d", "/sysroot/etc/pam.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pipewire", "/sysroot/etc/pipewire"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/pki", "/sysroot/etc/pki"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/polkit-1", "/sysroot/etc/polkit-1"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/profile", "/sysroot/etc/profile"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/protocols", "/sysroot/etc/protocols"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolv.conf", "/sysroot/etc/resolv.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/resolvconf.conf", "/sysroot/etc/resolvconf.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/rpc", "/sysroot/etc/rpc"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/services", "/sysroot/etc/services"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/set-environment", "/sysroot/etc/set-environment"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shadow", "/sysroot/etc/shadow"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/shells", "/sysroot/etc/shells"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssh", "/sysroot/etc/ssh"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/ssl", "/sysroot/etc/ssl"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/static", "/sysroot/etc/static"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subgid", "/sysroot/etc/subgid"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/subuid", "/sysroot/etc/subuid"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sudoers", "/sysroot/etc/sudoers"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sway", "/sysroot/etc/sway"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/sysctl.d", "/sysroot/etc/sysctl.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/systemd", "/sysroot/etc/systemd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/terminfo", "/sysroot/etc/terminfo"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/tmpfiles.d", "/sysroot/etc/tmpfiles.d"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/udev", "/sysroot/etc/udev"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/vconsole.conf", "/sysroot/etc/vconsole.conf"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/X11", "/sysroot/etc/X11"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/xdg", "/sysroot/etc/xdg"}, nil, nil),
 			call("symlink", stub.ExpectArgs{".host/81ceabb30d37bbdb3868004629cb84e9/zoneinfo", "/sysroot/etc/zoneinfo"}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*AutoEtcOp)(nil), false},
 		{"zero", new(AutoEtcOp), true},
 		{"populated", &AutoEtcOp{Prefix: ":3"}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"pd", new(Ops).Etc(check.MustAbs("/etc/"), "048090b6ed8f9ebb10e275ff5d8c0659"), Ops{
 			&MkdirOp{Path: check.MustAbs("/etc/"), Perm: 0755},
 			&BindMountOp{
 				Source: check.MustAbs("/etc/"),
 				Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 			},
 			&AutoEtcOp{Prefix: "048090b6ed8f9ebb10e275ff5d8c0659"},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(AutoEtcOp), new(AutoEtcOp), true},
 		{"differs", &AutoEtcOp{Prefix: "\x00"}, &AutoEtcOp{":3"}, false},
 		{"equals", &AutoEtcOp{Prefix: ":3"}, &AutoEtcOp{":3"}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"etc", &AutoEtcOp{
 			Prefix: ":3",
 		}, "setting up", "auto etc :3"},
 	})
 	t.Run("host path rel", func(t *testing.T) {
 		t.Parallel()
 		op := &AutoEtcOp{Prefix: "048090b6ed8f9ebb10e275ff5d8c0659"}
 		wantHostPath := "/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"
 		wantHostRel := ".host/048090b6ed8f9ebb10e275ff5d8c0659"
 		if got := op.hostPath(); got.String() != wantHostPath {
 			t.Errorf("hostPath: %q, want %q", got, wantHostPath)
 		}
 		if got := op.hostRel(); got != wantHostRel {
 			t.Errorf("hostRel: %q, want %q", got, wantHostRel)
 		}
 	})
 }
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -0,0 +1,97 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/message"
 )
 func init() { gob.Register(new(AutoRootOp)) }
 // Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
 func (f *Ops) Root(host *check.Absolute, flags int) *Ops {
 	*f = append(*f, &AutoRootOp{host, flags, nil})
 	return f
 }
 type AutoRootOp struct {
 	Host *check.Absolute
 	// passed through to bindMount
 	Flags int
 	// obtained during early;
 	// these wrap the underlying Op because BindMountOp is relatively complex,
 	// so duplicating that code would be unwise
 	resolved []*BindMountOp
 }
 func (r *AutoRootOp) Valid() bool { return r != nil && r.Host != nil }
 func (r *AutoRootOp) early(state *setupState, k syscallDispatcher) error {
 	if d, err := k.readdir(r.Host.String()); err != nil {
 		return err
 	} else {
 		r.resolved = make([]*BindMountOp, 0, len(d))
 		for _, ent := range d {
 			name := ent.Name()
 			if IsAutoRootBindable(state, name) {
 				// careful: the Valid method is skipped, make sure this is always valid
 				op := &BindMountOp{
 					Source: r.Host.Append(name),
 					Target: fhs.AbsRoot.Append(name),
 					Flags:  r.Flags,
 				}
 				if err = op.early(state, k); err != nil {
 					return err
 				}
 				r.resolved = append(r.resolved, op)
 			}
 		}
 		return nil
 	}
 }
 func (r *AutoRootOp) apply(state *setupState, k syscallDispatcher) error {
 	if state.nonrepeatable&nrAutoRoot != 0 {
 		return OpRepeatError("autoroot")
 	}
 	state.nonrepeatable |= nrAutoRoot
 	for _, op := range r.resolved {
 		// these are exclusively BindMountOp, do not attempt to print identifying message
 		if err := op.apply(state, k); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (r *AutoRootOp) Is(op Op) bool {
 	vr, ok := op.(*AutoRootOp)
 	return ok && r.Valid() && vr.Valid() &&
 		r.Host.Is(vr.Host) &&
 		r.Flags == vr.Flags
 }
 func (*AutoRootOp) prefix() (string, bool) { return "setting up", true }
 func (r *AutoRootOp) String() string {
 	return fmt.Sprintf("auto root %q flags %#x", r.Host, r.Flags)
 }
 // IsAutoRootBindable returns whether a dir entry name is selected for AutoRoot.
 func IsAutoRootBindable(msg message.Msg, name string) bool {
 	switch name {
 	case "proc", "dev", "tmp", "mnt", "etc":
 	case "": // guard against accidentally binding /
 		// should be unreachable
 		msg.Verbose("got unexpected root entry")
 	default:
 		return true
 	}
 	return false
 }
--- a/container/autoroot_test.go
+++ b/container/autoroot_test.go
@@ -0,0 +1,214 @@
 package container
 import (
 	"errors"
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 func TestAutoRootOp(t *testing.T) {
 	t.Run("nonrepeatable", func(t *testing.T) {
 		t.Parallel()
 		wantErr := OpRepeatError("autoroot")
 		if err := new(AutoRootOp).apply(&setupState{nonrepeatable: nrAutoRoot}, nil); !errors.Is(err, wantErr) {
 			t.Errorf("apply: error = %v, want %v", err, wantErr)
 		}
 	})
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
 		}, stub.UniqueError(2), nil, nil},
 		{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin"}, "", stub.UniqueError(1)),
 		}, stub.UniqueError(1), nil, nil},
 		{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin"}, "/usr/bin", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/home"}, "/home", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/lib64"}, "/lib64", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/lost+found"}, "/lost+found", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/nix"}, "/nix", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/root"}, "/root", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/run"}, "/run", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/srv"}, "/srv", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/sys"}, "/sys", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/usr"}, "/usr", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var"}, "/var", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(false), stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin"}, "/usr/bin", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/home"}, "/home", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/lib64"}, "/lib64", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/lost+found"}, "/lost+found", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/nix"}, "/nix", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/root"}, "/root", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/run"}, "/run", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/srv"}, "/srv", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/sys"}, "/sys", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/usr"}, "/usr", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var"}, "/var", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/home"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/home", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/home", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/home", "/sysroot/home", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/lib64"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lib64", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/lib64", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/lib64", "/sysroot/lib64", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/lost+found"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lost+found", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/lost+found", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/lost+found", "/sysroot/lost+found", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/nix"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/nix", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/nix", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/nix", "/sysroot/nix", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/root"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/root", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/root", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/root", "/sysroot/root", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/run"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/run", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/run", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/run", "/sysroot/run", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/srv"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/srv", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/srv", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/srv", "/sysroot/srv", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/sys"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/sys", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/sys", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/sys", "/sysroot/sys", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/usr"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/usr", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/usr", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/usr", "/sysroot/usr", uintptr(0x4004), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/var", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/var", uintptr(0x4004)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var", "/sysroot/var", uintptr(0x4004), false}, nil, nil),
 		}, nil},
 		{"success", &Params{ParentPerm: 0750}, &AutoRootOp{
 			Host: check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
 		}, []stub.Call{
 			call("readdir", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, stubDir("bin", "dev", "etc", "home", "lib64",
 				"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/bin"}, "/var/lib/planterette/base/debian:f92c9052/usr/bin", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/home"}, "/var/lib/planterette/base/debian:f92c9052/home", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/lib64"}, "/var/lib/planterette/base/debian:f92c9052/lib64", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/lost+found"}, "/var/lib/planterette/base/debian:f92c9052/lost+found", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/nix"}, "/var/lib/planterette/base/debian:f92c9052/nix", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/root"}, "/var/lib/planterette/base/debian:f92c9052/root", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/run"}, "/var/lib/planterette/base/debian:f92c9052/run", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/srv"}, "/var/lib/planterette/base/debian:f92c9052/srv", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/sys"}, "/var/lib/planterette/base/debian:f92c9052/sys", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/usr"}, "/var/lib/planterette/base/debian:f92c9052/usr", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052/var"}, "/var/lib/planterette/base/debian:f92c9052/var", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr/bin"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/home"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/home", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/home", "/sysroot/home", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/home", "/sysroot/home", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lib64"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lib64", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/lib64", "/sysroot/lib64", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lib64", "/sysroot/lib64", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lost+found"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/lost+found", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/lost+found", "/sysroot/lost+found", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/lost+found", "/sysroot/lost+found", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/nix"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/nix", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/nix", "/sysroot/nix", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/nix", "/sysroot/nix", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/root"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/root", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/root", "/sysroot/root", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/root", "/sysroot/root", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/run"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/run", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/run", "/sysroot/run", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/run", "/sysroot/run", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/srv"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/srv", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/srv", "/sysroot/srv", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/srv", "/sysroot/srv", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/sys"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/sys", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/sys", "/sysroot/sys", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/sys", "/sysroot/sys", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/usr", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/usr", "/sysroot/usr", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/usr", "/sysroot/usr", uintptr(0x4005), false}, nil, nil),
 			call("stat", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/var"}, isDirFi(true), nil), call("mkdirAll", stub.ExpectArgs{"/sysroot/var", os.FileMode(0700)}, nil, nil), call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/var/lib/planterette/base/debian:f92c9052/var", "/sysroot/var", uintptr(0x4005)}}, nil, nil), call("bindMount", stub.ExpectArgs{"/host/var/lib/planterette/base/debian:f92c9052/var", "/sysroot/var", uintptr(0x4005), false}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*AutoRootOp)(nil), false},
 		{"zero", new(AutoRootOp), false},
 		{"valid", &AutoRootOp{Host: check.MustAbs("/")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"pd", new(Ops).Root(check.MustAbs("/"), std.BindWritable), Ops{
 			&AutoRootOp{
 				Host:  check.MustAbs("/"),
 				Flags: std.BindWritable,
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(AutoRootOp), new(AutoRootOp), false},
 		{"internal ne", &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:     check.MustAbs("/"),
 			Flags:    std.BindWritable,
 			resolved: []*BindMountOp{new(BindMountOp)},
 		}, true},
 		{"flags differs", &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable | std.BindDevice,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, false},
 		{"host differs", &AutoRootOp{
 			Host:  check.MustAbs("/tmp/"),
 			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, false},
 		{"equals", &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"root", &AutoRootOp{
 			Host:  check.MustAbs("/"),
 			Flags: std.BindWritable,
 		}, "setting up", `auto root "/" flags 0x2`},
 	})
 }
 func TestIsAutoRootBindable(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		want bool
 		log  bool
 	}{
 		{"proc", false, false},
 		{"dev", false, false},
 		{"tmp", false, false},
 		{"mnt", false, false},
 		{"etc", false, false},
 		{"", false, true},
 		{"var", true, false},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			var msg message.Msg
 			if tc.log {
 				msg = &kstub{nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
 					call("verbose", stub.ExpectArgs{[]any{"got unexpected root entry"}}, nil, nil),
 				}})}
 			}
 			if got := IsAutoRootBindable(msg, tc.name); got != tc.want {
 				t.Errorf("IsAutoRootBindable: %v, want %v", got, tc.want)
 			}
 		})
 	}
 }
--- a/container/capability.go
+++ b/container/capability.go
@@ -0,0 +1,58 @@
 package container
 import (
 	"syscall"
 	"unsafe"
 )
 const (
 	_LINUX_CAPABILITY_VERSION_3 = 0x20080522
 	PR_CAP_AMBIENT           = 0x2f
 	PR_CAP_AMBIENT_RAISE     = 0x2
 	PR_CAP_AMBIENT_CLEAR_ALL = 0x4
 	CAP_SYS_ADMIN    = 0x15
 	CAP_SETPCAP      = 0x8
 	CAP_DAC_OVERRIDE = 0x1
 )
 type (
 	capHeader struct {
 		version uint32
 		pid     int32
 	}
 	capData struct {
 		effective   uint32
 		permitted   uint32
 		inheritable uint32
 	}
 )
 // See CAP_TO_INDEX in linux/capability.h:
 func capToIndex(cap uintptr) uintptr { return cap >> 5 }
 // See CAP_TO_MASK in linux/capability.h:
 func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
 func capset(hdrp *capHeader, datap *[2]capData) error {
 	r, _, errno := syscall.Syscall(
 		syscall.SYS_CAPSET,
 		uintptr(unsafe.Pointer(hdrp)),
 		uintptr(unsafe.Pointer(&datap[0])), 0,
 	)
 	if r != 0 {
 		return errno
 	}
 	return nil
 }
 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
 func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
 // capAmbientClearAll clears the ambient capability set of the calling thread.
 func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
 // capAmbientRaise adds to the ambient capability set of the calling thread.
 func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
--- a/container/capability_test.go
+++ b/container/capability_test.go
@@ -0,0 +1,47 @@
 package container
 import "testing"
 func TestCapToIndex(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		cap  uintptr
 		want uintptr
 	}{
 		{"CAP_SYS_ADMIN", CAP_SYS_ADMIN, 0},
 		{"CAP_SETPCAP", CAP_SETPCAP, 0},
 		{"CAP_DAC_OVERRIDE", CAP_DAC_OVERRIDE, 0},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := capToIndex(tc.cap); got != tc.want {
 				t.Errorf("capToIndex: %#x, want %#x", got, tc.want)
 			}
 		})
 	}
 }
 func TestCapToMask(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		cap  uintptr
 		want uint32
 	}{
 		{"CAP_SYS_ADMIN", CAP_SYS_ADMIN, 0x200000},
 		{"CAP_SETPCAP", CAP_SETPCAP, 0x100},
 		{"CAP_DAC_OVERRIDE", CAP_DAC_OVERRIDE, 0x2},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := capToMask(tc.cap); got != tc.want {
 				t.Errorf("capToMask: %#x, want %#x", got, tc.want)
 			}
 		})
 	}
 }
--- a/container/check/absolute.go
+++ b/container/check/absolute.go
@@ -0,0 +1,104 @@
 // Package check provides types yielding values checked to meet a condition.
 package check
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"path"
 	"slices"
 	"strings"
 	"syscall"
 )
 // AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
 type AbsoluteError struct{ Pathname string }
 func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
 func (e *AbsoluteError) Is(target error) bool {
 	var ce *AbsoluteError
 	if !errors.As(target, &ce) {
 		return errors.Is(target, syscall.EINVAL)
 	}
 	return *e == *ce
 }
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname string }
 // unsafeAbs returns [check.Absolute] on any string value.
 func unsafeAbs(pathname string) *Absolute { return &Absolute{pathname} }
 func (a *Absolute) String() string {
 	if a.pathname == "" {
 		panic("attempted use of zero Absolute")
 	}
 	return a.pathname
 }
 func (a *Absolute) Is(v *Absolute) bool {
 	if a == nil && v == nil {
 		return true
 	}
 	return a != nil && v != nil &&
 		a.pathname != "" && v.pathname != "" &&
 		a.pathname == v.pathname
 }
 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
 	if !path.IsAbs(pathname) {
 		return nil, &AbsoluteError{pathname}
 	}
 	return unsafeAbs(pathname), nil
 }
 // MustAbs calls [NewAbs] and panics on error.
 func MustAbs(pathname string) *Absolute {
 	if a, err := NewAbs(pathname); err != nil {
 		panic(err.Error())
 	} else {
 		return a
 	}
 }
 // Append calls [path.Join] with [Absolute] as the first element.
 func (a *Absolute) Append(elem ...string) *Absolute {
 	return unsafeAbs(path.Join(append([]string{a.String()}, elem...)...))
 }
 // Dir calls [path.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
 func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
 func (a *Absolute) GobDecode(data []byte) error {
 	pathname := string(data)
 	if !path.IsAbs(pathname) {
 		return &AbsoluteError{pathname}
 	}
 	a.pathname = pathname
 	return nil
 }
 func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
 func (a *Absolute) UnmarshalJSON(data []byte) error {
 	var pathname string
 	if err := json.Unmarshal(data, &pathname); err != nil {
 		return err
 	}
 	if !path.IsAbs(pathname) {
 		return &AbsoluteError{pathname}
 	}
 	a.pathname = pathname
 	return nil
 }
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
 	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
 }
 // CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
 func CompactAbs(s []*Absolute) []*Absolute {
 	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
 }
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -0,0 +1,399 @@
 package check_test
 import (
 	"bytes"
 	"encoding/gob"
 	"encoding/json"
 	"errors"
 	"reflect"
 	"strings"
 	"syscall"
 	"testing"
 	_ "unsafe" // for go:linkname
 	. "hakurei.app/container/check"
 )
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
 func unsafeAbs(_ string) *Absolute
 func TestAbsoluteError(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		err error
 		cmp error
 		ok  bool
 	}{
 		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
 		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
 		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
 		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
 	}
 	for _, tc := range testCases {
 		if got := errors.Is(tc.err, tc.cmp); got != tc.ok {
 			t.Errorf("Is: %v, want %v", got, tc.ok)
 		}
 	}
 	t.Run("string", func(t *testing.T) {
 		t.Parallel()
 		want := `path "etc" is not absolute`
 		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
 }
 func TestNewAbs(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		pathname string
 		want     *Absolute
 		wantErr  error
 	}{
 		{"good", "/etc", MustAbs("/etc"), nil},
 		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
 		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			got, err := NewAbs(tc.pathname)
 			if !reflect.DeepEqual(got, tc.want) {
 				t.Errorf("NewAbs: %#v, want %#v", got, tc.want)
 			}
 			if !errors.Is(err, tc.wantErr) {
 				t.Errorf("NewAbs: error = %v, want %v", err, tc.wantErr)
 			}
 		})
 	}
 	t.Run("must", func(t *testing.T) {
 		t.Parallel()
 		defer func() {
 			wantPanic := `path "etc" is not absolute`
 			if r := recover(); r != wantPanic {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
 			}
 		}()
 		MustAbs("etc")
 	})
 }
 func TestAbsoluteString(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()
 		pathname := "/etc"
 		if got := unsafeAbs(pathname).String(); got != pathname {
 			t.Errorf("String: %q, want %q", got, pathname)
 		}
 	})
 	t.Run("zero", func(t *testing.T) {
 		t.Parallel()
 		defer func() {
 			wantPanic := "attempted use of zero Absolute"
 			if r := recover(); r != wantPanic {
 				t.Errorf("String: panic = %v, want %v", r, wantPanic)
 			}
 		}()
 		panic(new(Absolute).String())
 	})
 }
 func TestAbsoluteIs(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		a, v *Absolute
 		want bool
 	}{
 		{"nil", (*Absolute)(nil), (*Absolute)(nil), true},
 		{"nil a", (*Absolute)(nil), MustAbs("/"), false},
 		{"nil v", MustAbs("/"), (*Absolute)(nil), false},
 		{"zero", new(Absolute), new(Absolute), false},
 		{"zero a", new(Absolute), MustAbs("/"), false},
 		{"zero v", MustAbs("/"), new(Absolute), false},
 		{"equals", MustAbs("/"), MustAbs("/"), true},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := tc.a.Is(tc.v); got != tc.want {
 				t.Errorf("Is: %v, want %v", got, tc.want)
 			}
 		})
 	}
 }
 type sCheck struct {
 	Pathname *Absolute `json:"val"`
 	Magic    uint64    `json:"magic"`
 }
 func TestCodecAbsolute(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		a    *Absolute
 		wantErr error
 		gob, sGob   string
 		json, sJson string
 	}{
 		{"nil", nil, nil,
 			"\x00", "\x00",
 			`null`, `{"val":null,"magic":3236757504}`},
 		{"good", MustAbs("/etc"),
 			nil,
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			&AbsoluteError{Pathname: "etc"},
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			t.Run("gob", func(t *testing.T) {
 				if tc.gob == "\x00" && tc.sGob == "\x00" {
 					// these values mark the current test to skip gob
 					return
 				}
 				t.Parallel()
 				t.Run("encode", func(t *testing.T) {
 					t.Parallel()
 					// encode is unchecked
 					if errors.Is(tc.wantErr, syscall.EINVAL) {
 						return
 					}
 					{
 						buf := new(bytes.Buffer)
 						err := gob.NewEncoder(buf).Encode(tc.a)
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							goto checkSEncode
 						}
 						if buf.String() != tc.gob {
 							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.gob)
 						}
 					}
 				checkSEncode:
 					{
 						buf := new(bytes.Buffer)
 						err := gob.NewEncoder(buf).Encode(&sCheck{tc.a, syscall.MS_MGC_VAL})
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							return
 						}
 						if buf.String() != tc.sGob {
 							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.sGob)
 						}
 					}
 				})
 				t.Run("decode", func(t *testing.T) {
 					t.Parallel()
 					{
 						var gotA *Absolute
 						err := gob.NewDecoder(strings.NewReader(tc.gob)).Decode(&gotA)
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							goto checkSDecode
 						}
 						if !reflect.DeepEqual(tc.a, gotA) {
 							t.Errorf("Decode: %#v, want %#v", tc.a, gotA)
 						}
 					}
 				checkSDecode:
 					{
 						var gotSCheck sCheck
 						err := gob.NewDecoder(strings.NewReader(tc.sGob)).Decode(&gotSCheck)
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							return
 						}
 						want := sCheck{tc.a, syscall.MS_MGC_VAL}
 						if !reflect.DeepEqual(gotSCheck, want) {
 							t.Errorf("Decode: %#v, want %#v", gotSCheck, want)
 						}
 					}
 				})
 			})
 			t.Run("json", func(t *testing.T) {
 				t.Parallel()
 				t.Run("marshal", func(t *testing.T) {
 					t.Parallel()
 					// marshal is unchecked
 					if errors.Is(tc.wantErr, syscall.EINVAL) {
 						return
 					}
 					{
 						d, err := json.Marshal(tc.a)
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							goto checkSMarshal
 						}
 						if string(d) != tc.json {
 							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.json)
 						}
 					}
 				checkSMarshal:
 					{
 						d, err := json.Marshal(&sCheck{tc.a, syscall.MS_MGC_VAL})
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							return
 						}
 						if string(d) != tc.sJson {
 							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sJson)
 						}
 					}
 				})
 				t.Run("unmarshal", func(t *testing.T) {
 					t.Parallel()
 					{
 						var gotA *Absolute
 						err := json.Unmarshal([]byte(tc.json), &gotA)
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							goto checkSUnmarshal
 						}
 						if !reflect.DeepEqual(tc.a, gotA) {
 							t.Errorf("Unmarshal: %#v, want %#v", tc.a, gotA)
 						}
 					}
 				checkSUnmarshal:
 					{
 						var gotSCheck sCheck
 						err := json.Unmarshal([]byte(tc.sJson), &gotSCheck)
 						if !errors.Is(err, tc.wantErr) {
 							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
 						}
 						if tc.wantErr != nil {
 							return
 						}
 						want := sCheck{tc.a, syscall.MS_MGC_VAL}
 						if !reflect.DeepEqual(gotSCheck, want) {
 							t.Errorf("Unmarshal: %#v, want %#v", gotSCheck, want)
 						}
 					}
 				})
 			})
 		})
 	}
 	t.Run("json passthrough", func(t *testing.T) {
 		t.Parallel()
 		wantErr := "invalid character ':' looking for beginning of value"
 		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
 			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
 		}
 	})
 }
 func TestAbsoluteWrap(t *testing.T) {
 	t.Parallel()
 	t.Run("join", func(t *testing.T) {
 		t.Parallel()
 		want := "/etc/nix/nix.conf"
 		if got := MustAbs("/etc").Append("nix", "nix.conf"); got.String() != want {
 			t.Errorf("Append: %q, want %q", got, want)
 		}
 	})
 	t.Run("dir", func(t *testing.T) {
 		t.Parallel()
 		want := "/"
 		if got := MustAbs("/etc").Dir(); got.String() != want {
 			t.Errorf("Dir: %q, want %q", got, want)
 		}
 	})
 	t.Run("sort", func(t *testing.T) {
 		t.Parallel()
 		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
 		got := []*Absolute{MustAbs("/proc"), MustAbs("/sys"), MustAbs("/etc")}
 		SortAbs(got)
 		if !reflect.DeepEqual(got, want) {
 			t.Errorf("SortAbs: %#v, want %#v", got, want)
 		}
 	})
 	t.Run("compact", func(t *testing.T) {
 		t.Parallel()
 		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
 		if got := CompactAbs([]*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/proc"), MustAbs("/sys")}); !reflect.DeepEqual(got, want) {
 			t.Errorf("CompactAbs: %#v, want %#v", got, want)
 		}
 	})
 }
--- a/container/check/overlay.go
+++ b/container/check/overlay.go
@@ -0,0 +1,29 @@
 package check
 import "strings"
 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
 	SpecialOverlayPath = ":"
 )
 // EscapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""
 	}
 	if f := strings.SplitN(s, "\x00", 2); len(f) > 0 {
 		s = f[0]
 	}
 	return strings.NewReplacer(
 		SpecialOverlayEscape, SpecialOverlayEscape+SpecialOverlayEscape,
 		SpecialOverlayOption, SpecialOverlayEscape+SpecialOverlayOption,
 		SpecialOverlayPath, SpecialOverlayEscape+SpecialOverlayPath,
 	).Replace(s)
 }
--- a/container/check/overlay_test.go
+++ b/container/check/overlay_test.go
@@ -0,0 +1,31 @@
 package check_test
 import (
 	"testing"
 	"hakurei.app/container/check"
 )
 func TestEscapeOverlayDataSegment(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		s    string
 		want string
 	}{
 		{"zero", "", ""},
 		{"multi", `\\\:,:,\\\`, `\\\\\\\:\,\:\,\\\\\\`},
 		{"bwrap", `/path :,\`, `/path \:\,\\`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := check.EscapeOverlayDataSegment(tc.s); got != tc.want {
 				t.Errorf("escapeOverlayDataSegment: %s, want %s", got, tc.want)
 			}
 		})
 	}
 }
--- a/container/container.go
+++ b/container/container.go
@@ -9,33 +9,44 @@ import (
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"runtime"
 	"strconv"
 	"sync"
 	. "syscall"
 	"time"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/message"
 )
 const (
 	// CancelSignal is the signal expected by container init on context cancel.
 	// A custom [Container.Cancel] function must eventually deliver this signal.
 	CancelSignal = SIGUSR2
 	// Timeout for writing initParams to Container.setup.
 	initSetupTimeout = 5 * time.Second
 )
 type (
 	// Container represents a container environment being prepared or run.
 	// None of [Container] methods are safe for concurrent use.
 	Container struct {
 		// Name of initial process in the container.
 		name string
 		// Cgroup fd, nil to disable.
 		Cgroup *int
 		// ExtraFiles passed through to initial process in the container,
 		// with behaviour identical to its [exec.Cmd] counterpart.
 		ExtraFiles []*os.File
-		// Custom [exec.Cmd] initialisation function.
+		// param pipe for shim and init
-		CommandContext func(ctx context.Context) (cmd *exec.Cmd)
+		setup *os.File
 		// param encoder for shim and init
 		setup *gob.Encoder
 		// cancels cmd
 		cancel context.CancelFunc
 		// closed after Wait returns
 		wait chan struct{}
 		Stdin  io.Reader
 		Stdout io.Writer
@@ -46,19 +57,24 @@ type (
 		cmd *exec.Cmd
 		ctx context.Context
 		msg message.Msg
 		Params
 	}
 	// Params holds container configuration and is safe to serialise.
 	Params struct {
 		// Working directory in the container.
-		Dir string
+		Dir *check.Absolute
 		// Initial process environment.
 		Env []string
-		// Absolute path of initial process in the container. Overrides name.
+		// Pathname of initial process in the container.
-		Path string
+		Path *check.Absolute
 		// Initial process argv.
 		Args []string
 		// Deliver SIGINT to the initial process on context cancellation.
 		ForwardCancel bool
 		// Time to wait for processes lingering after the initial process terminates.
 		AdoptWaitDelay time.Duration
 		// Mapped Uid in user namespace.
 		Uid int
@@ -68,14 +84,16 @@ type (
 		Hostname string
 		// Sequential container setup ops.
 		*Ops
 		// Seccomp system call filter rules.
-		SeccompRules []seccomp.NativeRule
+		SeccompRules []std.NativeRule
 		// Extra seccomp flags.
 		SeccompFlags seccomp.ExportFlag
 		// Seccomp presets. Has no effect unless SeccompRules is zero-length.
-		SeccompPresets seccomp.FilterPreset
+		SeccompPresets std.FilterPreset
 		// Do not load seccomp program.
 		SeccompDisable bool
 		// Permission bits of newly created parent directories.
 		// The zero value is interpreted as 0755.
 		ParentPerm os.FileMode
@@ -83,85 +101,256 @@ type (
 		RetainSession bool
 		// Do not [syscall.CLONE_NEWNET].
 		HostNet bool
 		// Do not [LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET].
 		HostAbstract bool
 		// Retain CAP_SYS_ADMIN.
 		Privileged bool
 	}
 )
 // A StartError contains additional information on a container startup failure.
 type StartError struct {
 	// Fatal suggests whether this error should be considered fatal for the entire program.
 	Fatal bool
 	// Step refers to the part of the setup this error is returned from.
 	Step string
 	// Err is the underlying error.
 	Err error
 	// Origin is whether this error originated from the [Container.Start] method.
 	Origin bool
 	// Passthrough is whether the Error method is passed through to Err.
 	Passthrough bool
 }
 func (e *StartError) Unwrap() error { return e.Err }
 func (e *StartError) Error() string {
 	if e.Passthrough {
 		return e.Err.Error()
 	}
 	if e.Origin {
 		return e.Step
 	}
 	{
 		var syscallError *os.SyscallError
 		if errors.As(e.Err, &syscallError) && syscallError != nil {
 			return e.Step + " " + syscallError.Error()
 		}
 	}
 	return e.Step + ": " + e.Err.Error()
 }
 // Message returns a user-facing error message.
 func (e *StartError) Message() string {
 	if e.Passthrough {
 		var (
 			numError *strconv.NumError
 		)
 		switch {
 		case errors.As(e.Err, new(*os.PathError)),
 			errors.As(e.Err, new(*os.SyscallError)):
 			return "cannot " + e.Err.Error()
 		case errors.As(e.Err, &numError) && numError != nil:
 			return "cannot parse " + strconv.Quote(numError.Num) + ": " + numError.Err.Error()
 		default:
 			return e.Err.Error()
 		}
 	}
 	if e.Origin {
 		return e.Step
 	}
 	return "cannot " + e.Error()
 }
 // for ensureCloseOnExec
 var (
 	closeOnExecOnce sync.Once
 	closeOnExecErr  error
 )
 // ensureCloseOnExec ensures all currently open file descriptors have the syscall.FD_CLOEXEC flag set.
 // This is only ran once as it is intended to handle files left open by the parent, and any file opened
 // on this side should already have syscall.FD_CLOEXEC set.
 func ensureCloseOnExec() error {
 	closeOnExecOnce.Do(func() {
 		const fdPrefixPath = "/proc/self/fd/"
 		var entries []os.DirEntry
 		if entries, closeOnExecErr = os.ReadDir(fdPrefixPath); closeOnExecErr != nil {
 			return
 		}
 		var fd int
 		for _, ent := range entries {
 			if fd, closeOnExecErr = strconv.Atoi(ent.Name()); closeOnExecErr != nil {
 				break // not reached
 			}
 			CloseOnExec(fd)
 		}
 	})
 	if closeOnExecErr == nil {
 		return nil
 	}
 	return &StartError{Fatal: true, Step: "set FD_CLOEXEC on all open files", Err: closeOnExecErr, Passthrough: true}
 }
 // Start starts the container init. The init process blocks until Serve is called.
 func (p *Container) Start() error {
-	if p.cmd != nil {
+	if p == nil || p.cmd == nil ||
-		return errors.New("sandbox: already started")
+		p.Ops == nil || len(*p.Ops) == 0 {
 		return errors.New("container: starting an invalid container")
 	}
-	if p.Ops == nil || len(*p.Ops) == 0 {
+	if p.cmd.Process != nil {
-		return errors.New("sandbox: starting an empty container")
+		return errors.New("container: already started")
 	}
-	ctx, cancel := context.WithCancel(p.ctx)
+	if err := ensureCloseOnExec(); err != nil {
-	p.cancel = cancel
+		return err
 	var cloneFlags uintptr = CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP
 	if !p.HostNet {
 		cloneFlags |= CLONE_NEWNET
 	}
 	// map to overflow id to work around ownership checks
 	if p.Uid < 1 {
-		p.Uid = OverflowUid()
+		p.Uid = OverflowUid(p.msg)
 	}
 	if p.Gid < 1 {
-		p.Gid = OverflowGid()
+		p.Gid = OverflowGid(p.msg)
 	}
 	if !p.RetainSession {
-		p.SeccompPresets |= seccomp.PresetDenyTTY
+		p.SeccompPresets |= std.PresetDenyTTY
 	}
-	if p.CommandContext != nil {
+	if p.AdoptWaitDelay == 0 {
-		p.cmd = p.CommandContext(ctx)
+		p.AdoptWaitDelay = 5 * time.Second
-	} else {
+	}
-		p.cmd = exec.CommandContext(ctx, MustExecutable())
+	// to allow disabling this behaviour
-		p.cmd.Args = []string{"init"}
+	if p.AdoptWaitDelay < 0 {
 		p.AdoptWaitDelay = 0
 	}
-	p.cmd.Stdin, p.cmd.Stdout, p.cmd.Stderr = p.Stdin, p.Stdout, p.Stderr
+	if p.cmd.Stdin == nil {
 		p.cmd.Stdin = p.Stdin
 	}
 	if p.cmd.Stdout == nil {
 		p.cmd.Stdout = p.Stdout
 	}
 	if p.cmd.Stderr == nil {
 		p.cmd.Stderr = p.Stderr
 	}
 	p.cmd.Args = []string{initName}
 	p.cmd.WaitDelay = p.WaitDelay
 	if p.Cancel != nil {
 		p.cmd.Cancel = func() error { return p.Cancel(p.cmd) }
 	} else {
-		p.cmd.Cancel = func() error { return p.cmd.Process.Signal(SIGTERM) }
+		p.cmd.Cancel = func() error { return p.cmd.Process.Signal(CancelSignal) }
 	}
-	p.cmd.Dir = "/"
+	p.cmd.Dir = fhs.Root
 	p.cmd.SysProcAttr = &SysProcAttr{
-		Setsid:     !p.RetainSession,
+		Setsid:    !p.RetainSession,
-		Pdeathsig:  SIGKILL,
+		Pdeathsig: SIGKILL,
-		Cloneflags: cloneFlags | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS,
+		Cloneflags: CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS |
 			CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWCGROUP,
-		// remain privileged for setup
+		AmbientCaps: []uintptr{
-		AmbientCaps: []uintptr{CAP_SYS_ADMIN, CAP_SETPCAP},
+			// general container setup
 			CAP_SYS_ADMIN,
 			// drop capabilities
 			CAP_SETPCAP,
 			// overlay access to upperdir and workdir
 			CAP_DAC_OVERRIDE,
 		},
 		UseCgroupFD: p.Cgroup != nil,
 	}
 	if p.cmd.SysProcAttr.UseCgroupFD {
 		p.cmd.SysProcAttr.CgroupFD = *p.Cgroup
 	}
 	if !p.HostNet {
 		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
 	}
 	// place setup pipe before user supplied extra files, this is later restored by init
-	if fd, e, err := Setup(&p.cmd.ExtraFiles); err != nil {
+	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
-		return wrapErrSuffix(err,
+		return &StartError{true, "set up params stream", err, false, false}
 			"cannot create shim setup pipe:")
 	} else {
-		p.setup = e
+		p.setup = f
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
 	}
 	p.cmd.ExtraFiles = append(p.cmd.ExtraFiles, p.ExtraFiles...)
-	msg.Verbose("starting container init")
+	done := make(chan error, 1)
-	if err := p.cmd.Start(); err != nil {
+	go func() {
-		return msg.WrapErr(err, err.Error())
+		runtime.LockOSThread()
-	}
+		p.wait = make(chan struct{})
-	return nil
+
 		done <- func() error { // setup depending on per-thread state must happen here
 			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
 			if err := SetNoNewPrivs(); err != nil {
 				return &StartError{true, "prctl(PR_SET_NO_NEW_PRIVS)", err, false, false}
 			}
 			// landlock: depends on per-thread state but acts on a process group
 			{
 				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
 				if !p.HostAbstract {
 					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}
 				if abi, err := LandlockGetABI(); err != nil {
 					if p.HostAbstract {
 						// landlock can be skipped here as it restricts access to resources
 						// already covered by namespaces (pid)
 						goto landlockOut
 					}
 					return &StartError{false, "get landlock ABI", err, false, false}
 				} else if abi < 6 {
 					if p.HostAbstract {
 						// see above comment
 						goto landlockOut
 					}
 					return &StartError{false, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET", ENOSYS, true, false}
 				} else {
 					p.msg.Verbosef("landlock abi version %d", abi)
 				}
 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
 					return &StartError{true, "create landlock ruleset", err, false, false}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
 					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{true, "enforce landlock ruleset", err, false, false}
 					}
 					if err = Close(rulesetFd); err != nil {
 						p.msg.Verbosef("cannot close landlock ruleset: %v", err)
 						// not fatal
 					}
 				}
 			landlockOut:
 			}
 			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return &StartError{false, "start container init", err, false, true}
 			}
 			return nil
 		}()
 		// keep this thread alive until Wait returns for cancel
 		<-p.wait
 	}()
 	return <-done
 }
 // Serve serves [Container.Params] to the container init.
 // Serve must only be called once.
 func (p *Container) Serve() error {
 	if p.setup == nil {
 		panic("invalid serve")
@@ -169,61 +358,111 @@ func (p *Container) Serve() error {
 	setup := p.setup
 	p.setup = nil
 	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
 		return &StartError{true, "set init pipe deadline", err, false, true}
 	}
-	if p.Path != "" && !path.IsAbs(p.Path) {
+	if p.Path == nil {
 		p.cancel()
-		return msg.WrapErr(EINVAL,
+		return &StartError{false, "invalid executable pathname", EINVAL, true, false}
 			fmt.Sprintf("invalid executable path %q", p.Path))
 	}
-	if p.Path == "" {
+	// do not transmit nil
-		if p.name == "" {
+	if p.Dir == nil {
-			p.Path = os.Getenv("SHELL")
+		p.Dir = fhs.AbsRoot
 			if !path.IsAbs(p.Path) {
 				p.cancel()
 				return msg.WrapErr(EBADE,
 					"no command specified and $SHELL is invalid")
 			}
 			p.name = path.Base(p.Path)
 		} else if path.IsAbs(p.name) {
 			p.Path = p.name
 		} else if v, err := exec.LookPath(p.name); err != nil {
 			p.cancel()
 			return msg.WrapErr(err, err.Error())
 		} else {
 			p.Path = v
 		}
 	}
 	if p.SeccompRules == nil {
-		// do not transmit nil
+		p.SeccompRules = make([]std.NativeRule, 0)
 		p.SeccompRules = make([]seccomp.NativeRule, 0)
 	}
-	err := setup.Encode(
+	err := gob.NewEncoder(setup).Encode(&initParams{
-		&initParams{
+		p.Params,
-			p.Params,
+		Getuid(),
-			Getuid(),
+		Getgid(),
-			Getgid(),
+		len(p.ExtraFiles),
-			len(p.ExtraFiles),
+		p.msg.IsVerbose(),
-			msg.IsVerbose(),
+	})
-		},
+	_ = setup.Close()
 	)
 	if err != nil {
 		p.cancel()
 	}
 	return err
 }
-func (p *Container) Wait() error { defer p.cancel(); return p.cmd.Wait() }
+// Wait waits for the container init process to exit and releases any resources associated with the [Container].
 func (p *Container) Wait() error {
 	if p.cmd == nil || p.cmd.Process == nil {
 		return EINVAL
 	}
 	err := p.cmd.Wait()
 	p.cancel()
 	if p.wait != nil && err == nil {
 		close(p.wait)
 	}
 	return err
 }
 // StdinPipe calls the [exec.Cmd] method with the same name.
 func (p *Container) StdinPipe() (w io.WriteCloser, err error) {
 	if p.Stdin != nil {
 		return nil, errors.New("container: Stdin already set")
 	}
 	w, err = p.cmd.StdinPipe()
 	p.Stdin = p.cmd.Stdin
 	return
 }
 // StdoutPipe calls the [exec.Cmd] method with the same name.
 func (p *Container) StdoutPipe() (r io.ReadCloser, err error) {
 	if p.Stdout != nil {
 		return nil, errors.New("container: Stdout already set")
 	}
 	r, err = p.cmd.StdoutPipe()
 	p.Stdout = p.cmd.Stdout
 	return
 }
 // StderrPipe calls the [exec.Cmd] method with the same name.
 func (p *Container) StderrPipe() (r io.ReadCloser, err error) {
 	if p.Stderr != nil {
 		return nil, errors.New("container: Stderr already set")
 	}
 	r, err = p.cmd.StderrPipe()
 	p.Stderr = p.cmd.Stderr
 	return
 }
 func (p *Container) String() string {
 	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
 		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets))
 }
-func New(ctx context.Context, name string, args ...string) *Container {
+// ProcessState returns the address to os.ProcessState held by the underlying [exec.Cmd].
-	return &Container{name: name, ctx: ctx,
+func (p *Container) ProcessState() *os.ProcessState {
-		Params: Params{Args: append([]string{name}, args...), Dir: "/", Ops: new(Ops)},
+	if p.cmd == nil {
 		return nil
 	}
 	return p.cmd.ProcessState
 }
 // New returns the address to a new instance of [Container] that requires further initialisation before use.
 func New(ctx context.Context, msg message.Msg) *Container {
 	if msg == nil {
 		msg = message.New(nil)
 	}
 	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
 	c, cancel := context.WithCancel(ctx)
 	p.cancel = cancel
 	p.cmd = exec.CommandContext(c, MustExecutable(msg))
 	return p
 }
 // NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
 func NewCommand(ctx context.Context, msg message.Msg, pathname *check.Absolute, name string, args ...string) *Container {
 	z := New(ctx, msg)
 	z.Path = pathname
 	z.Args = append([]string{name}, args...)
 	return z
 }
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -4,172 +4,490 @@ import (
 	"bytes"
 	"context"
 	"encoding/gob"
 	"errors"
 	"fmt"
 	"log"
 	"net"
 	"os"
 	"os/exec"
 	"os/signal"
 	"reflect"
 	"strconv"
 	"strings"
 	"syscall"
 	"testing"
 	"time"
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/container/vfs"
 	"hakurei.app/hst"
 	"hakurei.app/internal"
 	"hakurei.app/internal/hlog"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
 )
 func TestStartError(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		err  error
 		s    string
 		is   error
 		isF  error
 		msg  string
 	}{
 		{"params env", &container.StartError{
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   container.ErrReceiveEnv,
 		}, "set up params stream: environment variable not set",
 			container.ErrReceiveEnv, syscall.EBADF,
 			"cannot set up params stream: environment variable not set"},
 		{"params", &container.StartError{
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   &os.SyscallError{Syscall: "pipe2", Err: syscall.EBADF},
 		}, "set up params stream pipe2: bad file descriptor",
 			syscall.EBADF, os.ErrInvalid,
 			"cannot set up params stream pipe2: bad file descriptor"},
 		{"PR_SET_NO_NEW_PRIVS", &container.StartError{
 			Fatal: true,
 			Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
 			Err:   syscall.EPERM,
 		}, "prctl(PR_SET_NO_NEW_PRIVS): operation not permitted",
 			syscall.EPERM, syscall.EACCES,
 			"cannot prctl(PR_SET_NO_NEW_PRIVS): operation not permitted"},
 		{"landlock abi", &container.StartError{
 			Step: "get landlock ABI",
 			Err:  syscall.ENOSYS,
 		}, "get landlock ABI: function not implemented",
 			syscall.ENOSYS, syscall.ENOEXEC,
 			"cannot get landlock ABI: function not implemented"},
 		{"landlock old", &container.StartError{
 			Step:   "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
 			Err:    syscall.ENOSYS,
 			Origin: true,
 		}, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
 			syscall.ENOSYS, syscall.ENOSPC,
 			"kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET"},
 		{"landlock create", &container.StartError{
 			Fatal: true,
 			Step:  "create landlock ruleset",
 			Err:   syscall.EBADFD,
 		}, "create landlock ruleset: file descriptor in bad state",
 			syscall.EBADFD, syscall.EBADF,
 			"cannot create landlock ruleset: file descriptor in bad state"},
 		{"landlock enforce", &container.StartError{
 			Fatal: true,
 			Step:  "enforce landlock ruleset",
 			Err:   syscall.ENOTRECOVERABLE,
 		}, "enforce landlock ruleset: state not recoverable",
 			syscall.ENOTRECOVERABLE, syscall.ETIMEDOUT,
 			"cannot enforce landlock ruleset: state not recoverable"},
 		{"start", &container.StartError{
 			Step: "start container init",
 			Err: &os.PathError{
 				Op:   "fork/exec",
 				Path: "/proc/nonexistent",
 				Err:  syscall.ENOENT,
 			}, Passthrough: true,
 		}, "fork/exec /proc/nonexistent: no such file or directory",
 			syscall.ENOENT, syscall.ENOSYS,
 			"cannot fork/exec /proc/nonexistent: no such file or directory"},
 		{"start syscall", &container.StartError{
 			Step: "start container init",
 			Err: &os.SyscallError{
 				Syscall: "open",
 				Err:     syscall.ENOSYS,
 			}, Passthrough: true,
 		}, "open: function not implemented",
 			syscall.ENOSYS, syscall.ENOENT,
 			"cannot open: function not implemented"},
 		{"start FD_CLOEXEC", &container.StartError{
 			Fatal:       true,
 			Step:        "set FD_CLOEXEC on all open files",
 			Err:         func() error { _, err := strconv.Atoi("invalid"); return err }(),
 			Passthrough: true,
 		}, `strconv.Atoi: parsing "invalid": invalid syntax`,
 			strconv.ErrSyntax, os.ErrInvalid,
 			`cannot parse "invalid": invalid syntax`},
 		{"start other", &container.StartError{
 			Step: "start container init",
 			Err: &net.OpError{
 				Op:  "dial",
 				Net: "unix",
 				Err: syscall.ECONNREFUSED,
 			}, Passthrough: true,
 		}, "dial unix: connection refused",
 			syscall.ECONNREFUSED, syscall.ECONNABORTED,
 			"dial unix: connection refused"},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			t.Run("error", func(t *testing.T) {
 				if got := tc.err.Error(); got != tc.s {
 					t.Errorf("Error: %q, want %q", got, tc.s)
 				}
 			})
 			t.Run("is", func(t *testing.T) {
 				if !errors.Is(tc.err, tc.is) {
 					t.Error("Is: unexpected false")
 				}
 				if errors.Is(tc.err, tc.isF) {
 					t.Errorf("Is: unexpected true")
 				}
 			})
 			t.Run("msg", func(t *testing.T) {
 				if got, ok := message.GetMessage(tc.err); !ok {
 					if tc.msg != "" {
 						t.Errorf("GetMessage: err does not implement MessageError")
 					}
 					return
 				} else if got != tc.msg {
 					t.Errorf("GetMessage: %q, want %q", got, tc.msg)
 				}
 			})
 		})
 	}
 }
 const (
 	ignore  = "\x00"
 	ignoreV = -1
 	pathPrefix   = "/etc/hakurei/"
 	pathWantMnt  = pathPrefix + "want-mnt"
 	pathReadonly = pathPrefix + "readonly"
 )
 type testVal any
 func emptyOps(t *testing.T) (*container.Ops, context.Context) { return new(container.Ops), t.Context() }
 func earlyOps(ops *container.Ops) func(t *testing.T) (*container.Ops, context.Context) {
 	return func(t *testing.T) (*container.Ops, context.Context) { return ops, t.Context() }
 }
 func emptyMnt(*testing.T, context.Context) []*vfs.MountInfoEntry { return nil }
 func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*vfs.MountInfoEntry {
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }
 var containerTestCases = []struct {
 	name    string
 	filter  bool
 	session bool
 	net     bool
 	ro      bool
 	ops func(t *testing.T) (*container.Ops, context.Context)
 	mnt func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry
 	uid int
 	gid int
 	rules   []std.NativeRule
 	flags   seccomp.ExportFlag
 	presets std.FilterPreset
 }{
 	{"minimal", true, false, false, true,
 		emptyOps, emptyMnt,
 		1000, 100, nil, 0, std.PresetStrict},
 	{"allow", true, true, true, false,
 		emptyOps, emptyMnt,
 		1000, 100, nil, 0, std.PresetExt | std.PresetDenyDevel},
 	{"no filter", false, true, true, true,
 		emptyOps, emptyMnt,
 		1000, 100, nil, 0, std.PresetExt},
 	{"custom rules", true, true, true, false,
 		emptyOps, emptyMnt,
 		1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
 	{"tmpfs", true, false, false, true,
 		earlyOps(new(container.Ops).
 			Tmpfs(hst.AbsPrivateTmp, 0, 0755),
 		),
 		earlyMnt(
 			ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
 		),
 		9, 9, nil, 0, std.PresetStrict},
 	{"dev", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
 			Dev(check.MustAbs("/dev"), true),
 		),
 		earlyMnt(
 			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
 		1971, 100, nil, 0, std.PresetStrict},
 	{"dev no mqueue", true, true /* go test output is not a tty */, false, false,
 		earlyOps(new(container.Ops).
 			Dev(check.MustAbs("/dev"), false),
 		),
 		earlyMnt(
 			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
 		1971, 100, nil, 0, std.PresetStrict},
 	{"overlay", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
 			tempDir := check.MustAbs(t.TempDir())
 			lower0, lower1, upper, work :=
 				tempDir.Append("lower0"),
 				tempDir.Append("lower1"),
 				tempDir.Append("upper"),
 				tempDir.Append("work")
 			for _, a := range []*check.Absolute{lower0, lower1, upper, work} {
 				if err := os.Mkdir(a.String(), 0755); err != nil {
 					t.Fatalf("Mkdir: error = %v", err)
 				}
 			}
 			return new(container.Ops).
 					Overlay(hst.AbsPrivateTmp, upper, work, lower0, lower1),
 				context.WithValue(context.WithValue(context.WithValue(context.WithValue(t.Context(),
 					testVal("lower1"), lower1),
 					testVal("lower0"), lower0),
 					testVal("work"), work),
 					testVal("upper"), upper)
 		},
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
 					"rw,lowerdir="+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
 		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 	{"overlay ephemeral", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
 			tempDir := check.MustAbs(t.TempDir())
 			lower0, lower1 :=
 				tempDir.Append("lower0"),
 				tempDir.Append("lower1")
 			for _, a := range []*check.Absolute{lower0, lower1} {
 				if err := os.Mkdir(a.String(), 0755); err != nil {
 					t.Fatalf("Mkdir: error = %v", err)
 				}
 			}
 			return new(container.Ops).
 					OverlayEphemeral(hst.AbsPrivateTmp, lower0, lower1),
 				t.Context()
 		},
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				// contains random suffix
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore),
 			}
 		},
 		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 	{"overlay readonly", true, false, false, true,
 		func(t *testing.T) (*container.Ops, context.Context) {
 			tempDir := check.MustAbs(t.TempDir())
 			lower0, lower1 :=
 				tempDir.Append("lower0"),
 				tempDir.Append("lower1")
 			for _, a := range []*check.Absolute{lower0, lower1} {
 				if err := os.Mkdir(a.String(), 0755); err != nil {
 					t.Fatalf("Mkdir: error = %v", err)
 				}
 			}
 			return new(container.Ops).
 					OverlayReadonly(hst.AbsPrivateTmp, lower0, lower1),
 				context.WithValue(context.WithValue(t.Context(),
 					testVal("lower1"), lower1),
 					testVal("lower0"), lower0)
 		},
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
 					"ro,lowerdir="+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
 						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
 		1 << 3, 1 << 14, nil, 0, std.PresetStrict},
 }
 func TestContainer(t *testing.T) {
-	{
+	t.Parallel()
 		oldVerbose := hlog.Load()
 		oldOutput := container.GetOutput()
 		internal.InstallOutput(true)
 		t.Cleanup(func() { hlog.Store(oldVerbose) })
 		t.Cleanup(func() { container.SetOutput(oldOutput) })
 	}
-	testCases := []struct {
+	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
-		name    string
+		wantErr := context.Canceled
-		filter  bool
+		wantExitCode := 0
-		session bool
+		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
-		net     bool
+			if m, ok := container.InternalMessageFromError(err); ok {
-		ops     *container.Ops
+				t.Error(m)
-		mnt     []*vfs.MountInfoEntry
+			}
-		host    string
+			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
-		rules   []seccomp.NativeRule
+		}
-		flags   seccomp.ExportFlag
+		if ps := c.ProcessState(); ps == nil {
-		presets seccomp.FilterPreset
+			t.Errorf("ProcessState unexpectedly returned nil")
-	}{
+		} else if code := ps.ExitCode(); code != wantExitCode {
-		{"minimal", true, false, false,
+			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
-			new(container.Ops), nil, "test-minimal",
+		}
-			nil, 0, seccomp.PresetStrict},
+	}))
 		{"allow", true, true, true,
 			new(container.Ops), nil, "test-minimal",
 			nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel},
 		{"no filter", false, true, true,
 			new(container.Ops), nil, "test-no-filter",
 			nil, 0, seccomp.PresetExt},
 		{"custom rules", true, true, true,
 			new(container.Ops), nil, "test-no-filter",
 			[]seccomp.NativeRule{
 				{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil},
 			}, 0, seccomp.PresetExt},
 		{"tmpfs", true, false, false,
 			new(container.Ops).
 				Tmpfs(hst.Tmp, 0, 0755),
 			[]*vfs.MountInfoEntry{
 				e("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 			}, "test-tmpfs",
 			nil, 0, seccomp.PresetStrict},
 		{"dev", true, true /* go test output is not a tty */, false,
 			new(container.Ops).
 				Dev("/dev").
 				Mqueue("/dev/mqueue"),
 			[]*vfs.MountInfoEntry{
 				e("/", "/dev", "rw,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 				e("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 				e("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 				e("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 				e("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 				e("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 				e("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 				e("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 				e("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			}, "",
 			nil, 0, seccomp.PresetStrict},
 	}
-	for _, tc := range testCases {
+	t.Run("forward", testContainerCancel(func(c *container.Container) {
 		c.ForwardCancel = true
 	}, func(t *testing.T, c *container.Container) {
 		var exitError *exec.ExitError
 		if err := c.Wait(); !errors.As(err, &exitError) {
 			if m, ok := container.InternalMessageFromError(err); ok {
 				t.Error(m)
 			}
 			t.Errorf("Wait: error = %v", err)
 		}
 		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
 			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
 		}
 	}))
 	for i, tc := range containerTestCases {
 		t.Run(tc.name, func(t *testing.T) {
-			ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
+			t.Parallel()
 			wantOps, wantOpsCtx := tc.ops(t)
 			wantMnt := tc.mnt(t, wantOpsCtx)
 			ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
 			defer cancel()
-			c := container.New(ctx, "/usr/bin/sandbox.test", "-test.v",
+			var libPaths []*check.Absolute
-				"-test.run=TestHelperCheckContainer", "--", "check", tc.host)
+			c := helperNewContainerLibPaths(ctx, &libPaths, "container", strconv.Itoa(i))
-			c.Uid = 1000
+			c.Uid = tc.uid
-			c.Gid = 100
+			c.Gid = tc.gid
-			c.Hostname = tc.host
+			c.Hostname = hostnameFromTestCase(tc.name)
-			c.CommandContext = commandContext
+			output := new(bytes.Buffer)
-			c.Stdout, c.Stderr = os.Stdout, os.Stderr
+			if !testing.Verbose() {
-			c.Ops = tc.ops
+				c.Stdout, c.Stderr = output, output
 			} else {
 				c.Stdout, c.Stderr = os.Stdout, os.Stderr
 			}
 			c.WaitDelay = helperDefaultTimeout
 			*c.Ops = append(*c.Ops, *wantOps...)
 			c.SeccompRules = tc.rules
 			c.SeccompFlags = tc.flags | seccomp.AllowMultiarch
 			c.SeccompPresets = tc.presets
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
 			if c.Args[5] == "" {
 				if name, err := os.Hostname(); err != nil {
 					t.Fatalf("cannot get hostname: %v", err)
 				} else {
 					c.Args[5] = name
 				}
 			}
 			c.
-				Tmpfs("/tmp", 0, 0755).
+				Readonly(check.MustAbs(pathReadonly), 0755).
-				Bind(os.Args[0], os.Args[0], 0).
+				Tmpfs(check.MustAbs("/tmp"), 0, 0755).
-				Mkdir("/usr/bin", 0755).
+				Place(check.MustAbs("/etc/hostname"), []byte(c.Hostname))
 				Link(os.Args[0], "/usr/bin/sandbox.test").
 				Place("/etc/hostname", []byte(c.Args[5]))
 			// in case test has cgo enabled
 			var libPaths []string
 			if entries, err := ldd.ExecFilter(ctx,
 				commandContext,
 				func(v []byte) []byte {
 					return bytes.SplitN(v, []byte("TestHelperInit\n"), 2)[1]
 				}, os.Args[0]); err != nil {
 				log.Fatalf("ldd: %v", err)
 			} else {
 				libPaths = ldd.Path(entries)
 			}
 			for _, name := range libPaths {
 				c.Bind(name, name, 0)
 			}
 			// needs /proc to check mountinfo
-			c.Proc("/proc")
+			c.Proc(check.MustAbs("/proc"))
 			// mountinfo cannot be resolved directly by helper due to libPaths nondeterminism
 			mnt := make([]*vfs.MountInfoEntry, 0, 3+len(libPaths))
 			mnt = append(mnt, e("/sysroot", "/", "rw,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore))
 			mnt = append(mnt, tc.mnt...)
 			mnt = append(mnt,
-				e("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
+				ent("/sysroot", "/", "rw,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
-				e(ignore, os.Args[0], "ro,nosuid,nodev,relatime", ignore, ignore, ignore),
+				// Bind(os.Args[0], helperInnerPath, 0)
-				e(ignore, "/etc/hostname", "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
+				ent(ignore, helperInnerPath, "ro,nosuid,nodev,relatime", ignore, ignore, ignore),
 			)
-			for _, name := range libPaths {
+			for _, a := range libPaths {
-				mnt = append(mnt, e(ignore, name, "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
+				// Bind(name, name, 0)
 				mnt = append(mnt, ent(ignore, a.String(), "ro,nosuid,nodev,relatime", ignore, ignore, ignore))
 			}
-			mnt = append(mnt, e("/", "/proc", "rw,nosuid,nodev,noexec,relatime", "proc", "proc", "rw"))
+			mnt = append(mnt, wantMnt...)
 			mnt = append(mnt,
 				// Readonly(pathReadonly, 0755)
 				ent("/", pathReadonly, "ro,nosuid,nodev", "tmpfs", "readonly", ignore),
 				// Tmpfs("/tmp", 0, 0755)
 				ent("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
 				// Place("/etc/hostname", []byte(hostname))
 				ent(ignore, "/etc/hostname", "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
 				// Proc("/proc")
 				ent("/", "/proc", "rw,nosuid,nodev,noexec,relatime", "proc", "proc", "rw"),
 				// Place(pathWantMnt, want.Bytes())
 				ent(ignore, pathWantMnt, "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
 			)
 			want := new(bytes.Buffer)
 			if err := gob.NewEncoder(want).Encode(mnt); err != nil {
 				_, _ = output.WriteTo(os.Stdout)
 				t.Fatalf("cannot serialise expected mount points: %v", err)
 			}
-			c.Stdin = want
+			c.Place(check.MustAbs(pathWantMnt), want.Bytes())
 			if tc.ro {
 				c.Remount(check.MustAbs("/"), syscall.MS_RDONLY)
 			}
 			if err := c.Start(); err != nil {
-				hlog.PrintBaseError(err, "start:")
+				_, _ = output.WriteTo(os.Stdout)
-				t.Fatalf("cannot start container: %v", err)
+				if m, ok := container.InternalMessageFromError(err); ok {
 					t.Fatal(m)
 				} else {
 					t.Fatalf("cannot start container: %v", err)
 				}
 			} else if err = c.Serve(); err != nil {
-				hlog.PrintBaseError(err, "serve:")
+				_, _ = output.WriteTo(os.Stdout)
-				t.Errorf("cannot serve setup params: %v", err)
+				if m, ok := container.InternalMessageFromError(err); ok {
 					t.Error(m)
 				} else {
 					t.Errorf("cannot serve setup params: %v", err)
 				}
 			}
 			if err := c.Wait(); err != nil {
-				hlog.PrintBaseError(err, "wait:")
+				_, _ = output.WriteTo(os.Stdout)
-				t.Fatalf("wait: %v", err)
+				if m, ok := container.InternalMessageFromError(err); ok {
 					t.Fatal(m)
 				} else {
 					t.Fatalf("wait: %v", err)
 				}
 			}
 		})
 	}
 }
-func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
+func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
 	return &vfs.MountInfoEntry{
 		ID:        ignoreV,
 		Parent:    ignoreV,
@@ -184,98 +502,243 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE
 	}
 }
 func hostnameFromTestCase(name string) string {
 	return "test-" + strings.Join(strings.Fields(name), "-")
 }
 func testContainerCancel(
 	containerExtra func(c *container.Container),
 	waitCheck func(t *testing.T, c *container.Container),
 ) func(t *testing.T) {
 	return func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(t.Context(), helperDefaultTimeout)
 		c := helperNewContainer(ctx, "block")
 		c.Stdout, c.Stderr = os.Stdout, os.Stderr
 		c.WaitDelay = helperDefaultTimeout
 		if containerExtra != nil {
 			containerExtra(c)
 		}
 		ready := make(chan struct{})
 		if r, w, err := os.Pipe(); err != nil {
 			t.Fatalf("cannot pipe: %v", err)
 		} else {
 			c.ExtraFiles = append(c.ExtraFiles, w)
 			go func() {
 				defer close(ready)
 				if _, err = r.Read(make([]byte, 1)); err != nil {
 					panic(err.Error())
 				}
 			}()
 		}
 		if err := c.Start(); err != nil {
 			if m, ok := container.InternalMessageFromError(err); ok {
 				t.Fatal(m)
 			} else {
 				t.Fatalf("cannot start container: %v", err)
 			}
 		} else if err = c.Serve(); err != nil {
 			if m, ok := container.InternalMessageFromError(err); ok {
 				t.Error(m)
 			} else {
 				t.Errorf("cannot serve setup params: %v", err)
 			}
 		}
 		<-ready
 		cancel()
 		waitCheck(t, c)
 	}
 }
 func TestContainerString(t *testing.T) {
-	c := container.New(t.Context(), "ldd", "/usr/bin/env")
+	t.Parallel()
 	msg := message.New(nil)
 	c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env")
 	c.SeccompFlags |= seccomp.AllowMultiarch
 	c.SeccompRules = seccomp.Preset(
-		seccomp.PresetExt|seccomp.PresetDenyNS|seccomp.PresetDenyTTY,
+		std.PresetExt|std.PresetDenyNS|std.PresetDenyTTY,
 		c.SeccompFlags)
-	c.SeccompPresets = seccomp.PresetStrict
+	c.SeccompPresets = std.PresetStrict
 	want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf`
 	if got := c.String(); got != want {
 		t.Errorf("String: %s, want %s", got, want)
 	}
 }
-func TestHelperInit(t *testing.T) {
+const (
-	if len(os.Args) != 5 || os.Args[4] != "init" {
+	blockExitCodeInterrupt = 2
-		return
+)
 	}
 	container.SetOutput(hlog.Output{})
 	container.Init(hlog.Prepare, internal.InstallOutput)
 }
-func TestHelperCheckContainer(t *testing.T) {
+func init() {
-	if len(os.Args) != 6 || os.Args[4] != "check" {
+	helperCommands = append(helperCommands, func(c command.Command) {
-		return
+		c.Command("block", command.UsageInternal, func(args []string) error {
-	}
+			sig := make(chan os.Signal, 1)
 			signal.Notify(sig, os.Interrupt)
 			go func() { <-sig; os.Exit(blockExitCodeInterrupt) }()
-	t.Run("user", func(t *testing.T) {
+			if _, err := os.NewFile(3, "sync").Write([]byte{0}); err != nil {
-		if uid := syscall.Getuid(); uid != 1000 {
+				return fmt.Errorf("write to sync pipe: %v", err)
 			t.Errorf("Getuid: %d, want 1000", uid)
 		}
 		if gid := syscall.Getgid(); gid != 100 {
 			t.Errorf("Getgid: %d, want 100", gid)
 		}
 	})
 	t.Run("hostname", func(t *testing.T) {
 		if name, err := os.Hostname(); err != nil {
 			t.Fatalf("cannot get hostname: %v", err)
 		} else if name != os.Args[5] {
 			t.Errorf("Hostname: %q, want %q", name, os.Args[5])
 		}
 		if p, err := os.ReadFile("/etc/hostname"); err != nil {
 			t.Fatalf("%v", err)
 		} else if string(p) != os.Args[5] {
 			t.Errorf("/etc/hostname: %q, want %q", string(p), os.Args[5])
 		}
 	})
 	t.Run("mount", func(t *testing.T) {
 		var mnt []*vfs.MountInfoEntry
 		if err := gob.NewDecoder(os.Stdin).Decode(&mnt); err != nil {
 			t.Fatalf("cannot receive expected mount points: %v", err)
 		}
 		var d *vfs.MountInfoDecoder
 		if f, err := os.Open("/proc/self/mountinfo"); err != nil {
 			t.Fatalf("cannot open mountinfo: %v", err)
 		} else {
 			d = vfs.NewMountInfoDecoder(f)
 		}
 		i := 0
 		for cur := range d.Entries() {
 			if i == len(mnt) {
 				t.Errorf("got more than %d entries", len(mnt))
 				break
 			}
 			select {}
 		})
-			// ugly hack but should be reliable and is less likely to false negative than comparing by parsed flags
+		c.Command("container", command.UsageInternal, func(args []string) error {
-			cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",relatime")
+			if len(args) != 1 {
-			cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",noatime")
+				return syscall.EINVAL
-			mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",relatime")
+			}
-			mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",noatime")
+			tc := containerTestCases[0]
-
+			if i, err := strconv.Atoi(args[0]); err != nil {
-			if !cur.EqualWithIgnore(mnt[i], "\x00") {
+				return fmt.Errorf("cannot parse test case index: %v", err)
 				t.Errorf("[FAIL] %s", cur)
 			} else {
-				t.Logf("[ OK ] %s", cur)
+				tc = containerTestCases[i]
 			}
-			i++
+			if uid := syscall.Getuid(); uid != tc.uid {
-		}
+				return fmt.Errorf("uid: %d, want %d", uid, tc.uid)
-		if err := d.Err(); err != nil {
+			}
-			t.Errorf("cannot parse mountinfo: %v", err)
+			if gid := syscall.Getgid(); gid != tc.gid {
-		}
+				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
 			}
-		if i != len(mnt) {
+			wantHost := hostnameFromTestCase(tc.name)
-			t.Errorf("got %d entries, want %d", i, len(mnt))
+			if host, err := os.Hostname(); err != nil {
-		}
+				return fmt.Errorf("cannot get hostname: %v", err)
 			} else if host != wantHost {
 				return fmt.Errorf("hostname: %q, want %q", host, wantHost)
 			}
 			if p, err := os.ReadFile("/etc/hostname"); err != nil {
 				return fmt.Errorf("cannot read /etc/hostname: %v", err)
 			} else if string(p) != wantHost {
 				return fmt.Errorf("/etc/hostname: %q, want %q", string(p), wantHost)
 			}
 			if _, err := os.Create(pathReadonly + "/nonexistent"); !errors.Is(err, syscall.EROFS) {
 				return err
 			}
 			{
 				var fail bool
 				var mnt []*vfs.MountInfoEntry
 				if f, err := os.Open(pathWantMnt); err != nil {
 					return fmt.Errorf("cannot open expected mount points: %v", err)
 				} else if err = gob.NewDecoder(f).Decode(&mnt); err != nil {
 					return fmt.Errorf("cannot parse expected mount points: %v", err)
 				} else if err = f.Close(); err != nil {
 					return fmt.Errorf("cannot close expected mount points: %v", err)
 				}
 				if tc.ro && len(mnt) > 0 {
 					// Remount("/", syscall.MS_RDONLY)
 					mnt[0].VfsOptstr = "ro,nosuid,nodev"
 				}
 				var d *vfs.MountInfoDecoder
 				if f, err := os.Open("/proc/self/mountinfo"); err != nil {
 					return fmt.Errorf("cannot open mountinfo: %v", err)
 				} else {
 					d = vfs.NewMountInfoDecoder(f)
 				}
 				i := 0
 				for cur := range d.Entries() {
 					if i == len(mnt) {
 						return fmt.Errorf("got more than %d entries", len(mnt))
 					}
 					// ugly hack but should be reliable and is less likely to false negative than comparing by parsed flags
 					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",relatime")
 					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",noatime")
 					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",relatime")
 					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",noatime")
 					if !cur.EqualWithIgnore(mnt[i], "\x00") {
 						fail = true
 						log.Printf("[FAIL] %s", cur)
 					} else {
 						log.Printf("[ OK ] %s", cur)
 					}
 					i++
 				}
 				if err := d.Err(); err != nil {
 					return fmt.Errorf("cannot parse mountinfo: %v", err)
 				}
 				if i != len(mnt) {
 					return fmt.Errorf("got %d entries, want %d", i, len(mnt))
 				}
 				if fail {
 					return errors.New("one or more mountinfo entries do not match")
 				}
 			}
 			return nil
 		})
 	})
 }
-func commandContext(ctx context.Context) *exec.Cmd {
+const (
-	return exec.CommandContext(ctx, os.Args[0], "-test.v",
+	envDoCheck = "HAKUREI_TEST_DO_CHECK"
-		"-test.run=TestHelperInit", "--", "init")
+
 	helperDefaultTimeout = 5 * time.Second
 	helperInnerPath      = "/usr/bin/helper"
 )
 var (
 	absHelperInnerPath = check.MustAbs(helperInnerPath)
 )
 var helperCommands []func(c command.Command)
 func TestMain(m *testing.M) {
 	container.TryArgv0(nil)
 	if os.Getenv(envDoCheck) == "1" {
 		c := command.New(os.Stderr, log.Printf, "helper", func(args []string) error {
 			log.SetFlags(0)
 			log.SetPrefix("helper: ")
 			return nil
 		})
 		for _, f := range helperCommands {
 			f(c)
 		}
 		c.MustParse(os.Args[1:], func(err error) {
 			if err != nil {
 				log.Fatal(err.Error())
 			}
 		})
 		return
 	}
 	os.Exit(m.Run())
 }
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
 	c.Bind(check.MustAbs(os.Args[0]), absHelperInnerPath, 0)
 	// in case test has cgo enabled
 	if entries, err := ldd.Exec(ctx, msg, os.Args[0]); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)
 	}
 	for _, name := range *libPaths {
 		c.Bind(name, name, 0)
 	}
 	return
 }
 func helperNewContainer(ctx context.Context, args ...string) (c *container.Container) {
 	return helperNewContainerLibPaths(ctx, new([]*check.Absolute), args...)
 }
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -0,0 +1,228 @@
 package container
 import (
 	"io"
 	"io/fs"
 	"os"
 	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"runtime"
 	"syscall"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/message"
 )
 type osFile interface {
 	Name() string
 	io.Writer
 	fs.File
 }
 // syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
 type syscallDispatcher interface {
 	// new starts a goroutine with a new instance of syscallDispatcher.
 	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
 	// just synchronising access is not enough, as this is for test instrumentation.
 	new(f func(k syscallDispatcher))
 	// lockOSThread provides [runtime.LockOSThread].
 	lockOSThread()
 	// setPtracer provides [SetPtracer].
 	setPtracer(pid uintptr) error
 	// setDumpable provides [SetDumpable].
 	setDumpable(dumpable uintptr) error
 	// setNoNewPrivs provides [SetNoNewPrivs].
 	setNoNewPrivs() error
 	// lastcap provides [LastCap].
 	lastcap(msg message.Msg) uintptr
 	// capset provides capset.
 	capset(hdrp *capHeader, datap *[2]capData) error
 	// capBoundingSetDrop provides capBoundingSetDrop.
 	capBoundingSetDrop(cap uintptr) error
 	// capAmbientClearAll provides capAmbientClearAll.
 	capAmbientClearAll() error
 	// capAmbientRaise provides capAmbientRaise.
 	capAmbientRaise(cap uintptr) error
 	// isatty provides [Isatty].
 	isatty(fd int) bool
 	// receive provides [Receive].
 	receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error)
 	// bindMount provides procPaths.bindMount.
 	bindMount(msg message.Msg, source, target string, flags uintptr) error
 	// remount provides procPaths.remount.
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
 	// notify provides [signal.Notify].
 	notify(c chan<- os.Signal, sig ...os.Signal)
 	// start starts [os/exec.Cmd].
 	start(c *exec.Cmd) error
 	// signal signals the underlying process of [os/exec.Cmd].
 	signal(c *exec.Cmd, sig os.Signal) error
 	// evalSymlinks provides [filepath.EvalSymlinks].
 	evalSymlinks(path string) (string, error)
 	// exit provides [os.Exit].
 	exit(code int)
 	// getpid provides [os.Getpid].
 	getpid() int
 	// stat provides [os.Stat].
 	stat(name string) (os.FileInfo, error)
 	// mkdir provides [os.Mkdir].
 	mkdir(name string, perm os.FileMode) error
 	// mkdirTemp provides [os.MkdirTemp].
 	mkdirTemp(dir, pattern string) (string, error)
 	// mkdirAll provides [os.MkdirAll].
 	mkdirAll(path string, perm os.FileMode) error
 	// readdir provides [os.ReadDir].
 	readdir(name string) ([]os.DirEntry, error)
 	// openNew provides [os.Open].
 	openNew(name string) (osFile, error)
 	// writeFile provides [os.WriteFile].
 	writeFile(name string, data []byte, perm os.FileMode) error
 	// createTemp provides [os.CreateTemp].
 	createTemp(dir, pattern string) (osFile, error)
 	// remove provides os.Remove.
 	remove(name string) error
 	// newFile provides os.NewFile.
 	newFile(fd uintptr, name string) *os.File
 	// symlink provides os.Symlink.
 	symlink(oldname, newname string) error
 	// readlink provides [os.Readlink].
 	readlink(name string) (string, error)
 	// umask provides syscall.Umask.
 	umask(mask int) (oldmask int)
 	// sethostname provides syscall.Sethostname
 	sethostname(p []byte) (err error)
 	// chdir provides syscall.Chdir
 	chdir(path string) (err error)
 	// fchdir provides syscall.Fchdir
 	fchdir(fd int) (err error)
 	// open provides syscall.Open
 	open(path string, mode int, perm uint32) (fd int, err error)
 	// close provides syscall.Close
 	close(fd int) (err error)
 	// pivotRoot provides syscall.PivotRoot
 	pivotRoot(newroot, putold string) (err error)
 	// mount provides syscall.Mount
 	mount(source, target, fstype string, flags uintptr, data string) (err error)
 	// unmount provides syscall.Unmount
 	unmount(target string, flags int) (err error)
 	// wait4 provides syscall.Wait4
 	wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error)
 	// printf provides the Printf method of [log.Logger].
 	printf(msg message.Msg, format string, v ...any)
 	// fatal provides the Fatal method of [log.Logger]
 	fatal(msg message.Msg, v ...any)
 	// fatalf provides the Fatalf method of [log.Logger]
 	fatalf(msg message.Msg, format string, v ...any)
 }
 // direct implements syscallDispatcher on the current kernel.
 type direct struct{}
 func (k direct) new(f func(k syscallDispatcher)) { go f(k) }
 func (direct) lockOSThread() { runtime.LockOSThread() }
 func (direct) setPtracer(pid uintptr) error       { return SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return SetDumpable(dumpable) }
 func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
 func (direct) capBoundingSetDrop(cap uintptr) error            { return capBoundingSetDrop(cap) }
 func (direct) capAmbientClearAll() error                       { return capAmbientClearAll() }
 func (direct) capAmbientRaise(cap uintptr) error               { return capAmbientRaise(cap) }
 func (direct) isatty(fd int) bool                              { return Isatty(fd) }
 func (direct) receive(key string, e any, fdp *uintptr) (func() error, error) {
 	return Receive(key, e, fdp)
 }
 func (direct) bindMount(msg message.Msg, source, target string, flags uintptr) error {
 	return hostProc.bindMount(msg, source, target, flags)
 }
 func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 	return hostProc.remount(msg, target, flags)
 }
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
 }
 func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) }
 func (direct) start(c *exec.Cmd) error                     { return c.Start() }
 func (direct) signal(c *exec.Cmd, sig os.Signal) error     { return c.Process.Signal(sig) }
 func (direct) evalSymlinks(path string) (string, error)    { return filepath.EvalSymlinks(path) }
 func (direct) exit(code int)                                 { os.Exit(code) }
 func (direct) getpid() int                                   { return os.Getpid() }
 func (direct) stat(name string) (os.FileInfo, error)         { return os.Stat(name) }
 func (direct) mkdir(name string, perm os.FileMode) error     { return os.Mkdir(name, perm) }
 func (direct) mkdirTemp(dir, pattern string) (string, error) { return os.MkdirTemp(dir, pattern) }
 func (direct) mkdirAll(path string, perm os.FileMode) error  { return os.MkdirAll(path, perm) }
 func (direct) readdir(name string) ([]os.DirEntry, error)    { return os.ReadDir(name) }
 func (direct) openNew(name string) (osFile, error)           { return os.Open(name) }
 func (direct) writeFile(name string, data []byte, perm os.FileMode) error {
 	return os.WriteFile(name, data, perm)
 }
 func (direct) createTemp(dir, pattern string) (osFile, error) {
 	return os.CreateTemp(dir, pattern)
 }
 func (direct) remove(name string) error {
 	return os.Remove(name)
 }
 func (direct) newFile(fd uintptr, name string) *os.File {
 	return os.NewFile(fd, name)
 }
 func (direct) symlink(oldname, newname string) error {
 	return os.Symlink(oldname, newname)
 }
 func (direct) readlink(name string) (string, error) {
 	return os.Readlink(name)
 }
 func (direct) umask(mask int) (oldmask int)     { return syscall.Umask(mask) }
 func (direct) sethostname(p []byte) (err error) { return syscall.Sethostname(p) }
 func (direct) chdir(path string) (err error)    { return syscall.Chdir(path) }
 func (direct) fchdir(fd int) (err error)        { return syscall.Fchdir(fd) }
 func (direct) open(path string, mode int, perm uint32) (fd int, err error) {
 	return syscall.Open(path, mode, perm)
 }
 func (direct) close(fd int) (err error) {
 	return syscall.Close(fd)
 }
 func (direct) pivotRoot(newroot, putold string) (err error) {
 	return syscall.PivotRoot(newroot, putold)
 }
 func (direct) mount(source, target, fstype string, flags uintptr, data string) (err error) {
 	return mount(source, target, fstype, flags, data)
 }
 func (direct) unmount(target string, flags int) (err error) {
 	return syscall.Unmount(target, flags)
 }
 func (direct) wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error) {
 	return syscall.Wait4(pid, wstatus, options, rusage)
 }
 func (direct) printf(msg message.Msg, format string, v ...any) { msg.GetLogger().Printf(format, v...) }
 func (direct) fatal(msg message.Msg, v ...any)                 { msg.GetLogger().Fatal(v...) }
 func (direct) fatalf(msg message.Msg, format string, v ...any) { msg.GetLogger().Fatalf(format, v...) }
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -0,0 +1,793 @@
 package container
 import (
 	"bytes"
 	"fmt"
 	"io"
 	"io/fs"
 	"log"
 	"os"
 	"os/exec"
 	"reflect"
 	"runtime"
 	"slices"
 	"strings"
 	"syscall"
 	"testing"
 	"time"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/message"
 )
 type opValidTestCase struct {
 	name string
 	op   Op
 	want bool
 }
 func checkOpsValid(t *testing.T, testCases []opValidTestCase) {
 	t.Helper()
 	t.Run("valid", func(t *testing.T) {
 		t.Helper()
 		t.Parallel()
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
 				t.Parallel()
 				if got := tc.op.Valid(); got != tc.want {
 					t.Errorf("Valid: %v, want %v", got, tc.want)
 				}
 			})
 		}
 	})
 }
 type opsBuilderTestCase struct {
 	name string
 	ops  *Ops
 	want Ops
 }
 func checkOpsBuilder(t *testing.T, testCases []opsBuilderTestCase) {
 	t.Helper()
 	t.Run("build", func(t *testing.T) {
 		t.Helper()
 		t.Parallel()
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
 				t.Parallel()
 				if !slices.EqualFunc(*tc.ops, tc.want, func(op Op, v Op) bool { return op.Is(v) }) {
 					t.Errorf("Ops: %#v, want %#v", tc.ops, tc.want)
 				}
 			})
 		}
 	})
 }
 type opIsTestCase struct {
 	name  string
 	op, v Op
 	want  bool
 }
 func checkOpIs(t *testing.T, testCases []opIsTestCase) {
 	t.Helper()
 	t.Run("is", func(t *testing.T) {
 		t.Helper()
 		t.Parallel()
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
 				t.Parallel()
 				if got := tc.op.Is(tc.v); got != tc.want {
 					t.Errorf("Is: %v, want %v", got, tc.want)
 				}
 			})
 		}
 	})
 }
 type opMetaTestCase struct {
 	name string
 	op   Op
 	wantPrefix string
 	wantString string
 }
 func checkOpMeta(t *testing.T, testCases []opMetaTestCase) {
 	t.Helper()
 	t.Run("meta", func(t *testing.T) {
 		t.Helper()
 		t.Parallel()
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
 				t.Parallel()
 				t.Run("prefix", func(t *testing.T) {
 					t.Helper()
 					if got, _ := tc.op.prefix(); got != tc.wantPrefix {
 						t.Errorf("prefix: %q, want %q", got, tc.wantPrefix)
 					}
 				})
 				t.Run("string", func(t *testing.T) {
 					t.Helper()
 					if got := tc.op.String(); got != tc.wantString {
 						t.Errorf("String: %s, want %s", got, tc.wantString)
 					}
 				})
 			})
 		}
 	})
 }
 // call initialises a [stub.Call].
 // This keeps composites analysis happy without making the test cases too bloated.
 func call(name string, args stub.ExpectArgs, ret any, err error) stub.Call {
 	return stub.Call{Name: name, Args: args, Ret: ret, Err: err}
 }
 type simpleTestCase struct {
 	name    string
 	f       func(k *kstub) error
 	want    stub.Expect
 	wantErr error
 }
 func checkSimple(t *testing.T, fname string, testCases []simpleTestCase) {
 	t.Helper()
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Helper()
 			t.Parallel()
 			wait4signal := make(chan struct{})
 			k := &kstub{wait4signal, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, s} }, tc.want)}
 			defer stub.HandleExit(t)
 			if err := tc.f(k); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("%s: error = %v, want %v", fname, err, tc.wantErr)
 			}
 			k.VisitIncomplete(func(s *stub.Stub[syscallDispatcher]) {
 				t.Helper()
 				t.Errorf("%s: %d calls, want %d", fname, s.Pos(), s.Len())
 			})
 		})
 	}
 }
 type opBehaviourTestCase struct {
 	name   string
 	params *Params
 	op     Op
 	early        []stub.Call
 	wantErrEarly error
 	apply        []stub.Call
 	wantErrApply error
 }
 func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
 	t.Helper()
 	t.Run("behaviour", func(t *testing.T) {
 		t.Helper()
 		t.Parallel()
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Helper()
 				t.Parallel()
 				k := &kstub{nil, stub.New(t,
 					func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, s} },
 					stub.Expect{Calls: slices.Concat(tc.early, []stub.Call{{Name: stub.CallSeparator}}, tc.apply)},
 				)}
 				state := &setupState{Params: tc.params, Msg: k}
 				defer stub.HandleExit(t)
 				errEarly := tc.op.early(state, k)
 				k.Expects(stub.CallSeparator)
 				if !reflect.DeepEqual(errEarly, tc.wantErrEarly) {
 					t.Errorf("early: error = %v, want %v", errEarly, tc.wantErrEarly)
 				}
 				if errEarly != nil {
 					goto out
 				}
 				if err := tc.op.apply(state, k); !reflect.DeepEqual(err, tc.wantErrApply) {
 					t.Errorf("apply: error = %v, want %v", err, tc.wantErrApply)
 				}
 			out:
 				k.VisitIncomplete(func(s *stub.Stub[syscallDispatcher]) {
 					count := k.Pos() - 1 // separator
 					if count < len(tc.early) {
 						t.Errorf("early: %d calls, want %d", count, len(tc.early))
 					} else {
 						t.Errorf("apply: %d calls, want %d", count-len(tc.early), len(tc.apply))
 					}
 				})
 			})
 		}
 	})
 }
 func sliceAddr[S any](s []S) *[]S { return &s }
 func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
 	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
 	// check happens in Close, and cleanup is not guaranteed to run, so relying on it for sloppy implementations will cause sporadic test results
 	f.cleanup = runtime.AddCleanup(f, func(name string) { f.t.Fatalf("checkedOsFile %s became unreachable without a call to Close", name) }, f.name)
 	return f
 }
 type checkedOsFile struct {
 	t        *testing.T
 	name     string
 	want     string
 	closeErr error
 	cleanup  runtime.Cleanup
 	bytes.Buffer
 }
 func (f *checkedOsFile) Name() string               { return f.name }
 func (f *checkedOsFile) Stat() (fs.FileInfo, error) { panic("unreachable") }
 func (f *checkedOsFile) Close() error {
 	defer f.cleanup.Stop()
 	if f.String() != f.want {
 		f.t.Errorf("checkedOsFile:\n%s\nwant\n%s", f.String(), f.want)
 		return syscall.ENOTRECOVERABLE
 	}
 	return f.closeErr
 }
 func newConstFile(s string) osFile { return &readerOsFile{Reader: strings.NewReader(s)} }
 type readerOsFile struct {
 	closed bool
 	io.Reader
 }
 func (*readerOsFile) Name() string               { panic("unreachable") }
 func (*readerOsFile) Write([]byte) (int, error)  { panic("unreachable") }
 func (*readerOsFile) Stat() (fs.FileInfo, error) { panic("unreachable") }
 func (r *readerOsFile) Close() error {
 	if r.closed {
 		return os.ErrClosed
 	}
 	r.closed = true
 	return nil
 }
 type writeErrOsFile struct{ err error }
 func (writeErrOsFile) Name() string                { panic("unreachable") }
 func (f writeErrOsFile) Write([]byte) (int, error) { return 0, f.err }
 func (writeErrOsFile) Stat() (fs.FileInfo, error)  { panic("unreachable") }
 func (writeErrOsFile) Read([]byte) (int, error)    { panic("unreachable") }
 func (writeErrOsFile) Close() error                { panic("unreachable") }
 type isDirFi bool
 func (isDirFi) Name() string       { panic("unreachable") }
 func (isDirFi) Size() int64        { panic("unreachable") }
 func (isDirFi) Mode() fs.FileMode  { panic("unreachable") }
 func (isDirFi) ModTime() time.Time { panic("unreachable") }
 func (fi isDirFi) IsDir() bool     { return bool(fi) }
 func (isDirFi) Sys() any           { panic("unreachable") }
 func stubDir(names ...string) []os.DirEntry {
 	d := make([]os.DirEntry, len(names))
 	for i, name := range names {
 		d[i] = nameDentry(name)
 	}
 	return d
 }
 type nameDentry string
 func (e nameDentry) Name() string             { return string(e) }
 func (nameDentry) IsDir() bool                { panic("unreachable") }
 func (nameDentry) Type() fs.FileMode          { panic("unreachable") }
 func (nameDentry) Info() (fs.FileInfo, error) { panic("unreachable") }
 const (
 	// magicWait4Signal must be used in a single pair of signal and wait4 calls across two goroutines
 	// originating from the same toplevel kstub.
 	// To enable this behaviour this value must be the last element of the args field in the wait4 call
 	// and the ret value of the signal call.
 	magicWait4Signal = 0xdef
 )
 type kstub struct {
 	wait4signal chan struct{}
 	*stub.Stub[syscallDispatcher]
 }
 func (k *kstub) new(f func(k syscallDispatcher)) { k.Helper(); k.New(f) }
 func (k *kstub) lockOSThread() { k.Helper(); k.Expects("lockOSThread") }
 func (k *kstub) setPtracer(pid uintptr) error {
 	k.Helper()
 	return k.Expects("setPtracer").Error(
 		stub.CheckArg(k.Stub, "pid", pid, 0))
 }
 func (k *kstub) setDumpable(dumpable uintptr) error {
 	k.Helper()
 	return k.Expects("setDumpable").Error(
 		stub.CheckArg(k.Stub, "dumpable", dumpable, 0))
 }
 func (k *kstub) setNoNewPrivs() error { k.Helper(); return k.Expects("setNoNewPrivs").Err }
 func (k *kstub) lastcap(msg message.Msg) uintptr {
 	k.Helper()
 	k.checkMsg(msg)
 	return k.Expects("lastcap").Ret.(uintptr)
 }
 func (k *kstub) capset(hdrp *capHeader, datap *[2]capData) error {
 	k.Helper()
 	return k.Expects("capset").Error(
 		stub.CheckArgReflect(k.Stub, "hdrp", hdrp, 0),
 		stub.CheckArgReflect(k.Stub, "datap", datap, 1))
 }
 func (k *kstub) capBoundingSetDrop(cap uintptr) error {
 	k.Helper()
 	return k.Expects("capBoundingSetDrop").Error(
 		stub.CheckArg(k.Stub, "cap", cap, 0))
 }
 func (k *kstub) capAmbientClearAll() error { k.Helper(); return k.Expects("capAmbientClearAll").Err }
 func (k *kstub) capAmbientRaise(cap uintptr) error {
 	k.Helper()
 	return k.Expects("capAmbientRaise").Error(
 		stub.CheckArg(k.Stub, "cap", cap, 0))
 }
 func (k *kstub) isatty(fd int) bool {
 	k.Helper()
 	expect := k.Expects("isatty")
 	if !stub.CheckArg(k.Stub, "fd", fd, 0) {
 		k.FailNow()
 	}
 	return expect.Ret.(bool)
 }
 func (k *kstub) receive(key string, e any, fdp *uintptr) (closeFunc func() error, err error) {
 	k.Helper()
 	expect := k.Expects("receive")
 	var closed bool
 	closeFunc = func() error {
 		if closed {
 			k.Error("closeFunc called more than once")
 			return os.ErrClosed
 		}
 		closed = true
 		if expect.Ret != nil {
 			// use return stored in kexpect for closeFunc instead
 			return expect.Ret.(error)
 		}
 		return nil
 	}
 	err = expect.Error(
 		stub.CheckArg(k.Stub, "key", key, 0),
 		stub.CheckArgReflect(k.Stub, "e", e, 1),
 		stub.CheckArgReflect(k.Stub, "fdp", fdp, 2))
 	// 3 is unused so stores params
 	if expect.Args[3] != nil {
 		if v, ok := expect.Args[3].(*initParams); ok && v != nil {
 			if p, ok0 := e.(*initParams); ok0 && p != nil {
 				*p = *v
 			}
 		}
 	}
 	// 4 is unused so stores fd
 	if expect.Args[4] != nil {
 		if v, ok := expect.Args[4].(uintptr); ok && v >= 3 {
 			if fdp != nil {
 				*fdp = v
 			}
 		}
 	}
 	return
 }
 func (k *kstub) bindMount(msg message.Msg, source, target string, flags uintptr) error {
 	k.Helper()
 	k.checkMsg(msg)
 	return k.Expects("bindMount").Error(
 		stub.CheckArg(k.Stub, "source", source, 0),
 		stub.CheckArg(k.Stub, "target", target, 1),
 		stub.CheckArg(k.Stub, "flags", flags, 2))
 }
 func (k *kstub) remount(msg message.Msg, target string, flags uintptr) error {
 	k.Helper()
 	k.checkMsg(msg)
 	return k.Expects("remount").Error(
 		stub.CheckArg(k.Stub, "target", target, 0),
 		stub.CheckArg(k.Stub, "flags", flags, 1))
 }
 func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	k.Helper()
 	return k.Expects("mountTmpfs").Error(
 		stub.CheckArg(k.Stub, "fsname", fsname, 0),
 		stub.CheckArg(k.Stub, "target", target, 1),
 		stub.CheckArg(k.Stub, "flags", flags, 2),
 		stub.CheckArg(k.Stub, "size", size, 3),
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(
 		stub.CheckArg(k.Stub, "name", name, 0),
 		stub.CheckArg(k.Stub, "perm", perm, 1),
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
 		stub.CheckArgReflect(k.Stub, "rules", rules, 0),
 		stub.CheckArg(k.Stub, "flags", flags, 1))
 }
 func (k *kstub) notify(c chan<- os.Signal, sig ...os.Signal) {
 	k.Helper()
 	expect := k.Expects("notify")
 	if c == nil || expect.Error(
 		stub.CheckArgReflect(k.Stub, "sig", sig, 1)) != nil {
 		k.FailNow()
 	}
 	// export channel for external instrumentation
 	if chanf, ok := expect.Args[0].(func(c chan<- os.Signal)); ok && chanf != nil {
 		chanf(c)
 	}
 }
 func (k *kstub) start(c *exec.Cmd) error {
 	k.Helper()
 	expect := k.Expects("start")
 	err := expect.Error(
 		stub.CheckArg(k.Stub, "c.Path", c.Path, 0),
 		stub.CheckArgReflect(k.Stub, "c.Args", c.Args, 1),
 		stub.CheckArgReflect(k.Stub, "c.Env", c.Env, 2),
 		stub.CheckArg(k.Stub, "c.Dir", c.Dir, 3))
 	if process, ok := expect.Ret.(*os.Process); ok && process != nil {
 		c.Process = process
 	}
 	return err
 }
 func (k *kstub) signal(c *exec.Cmd, sig os.Signal) error {
 	k.Helper()
 	expect := k.Expects("signal")
 	if v, ok := expect.Ret.(int); ok && v == magicWait4Signal {
 		if k.wait4signal == nil {
 			panic("kstub not initialised for wait4 simulation")
 		}
 		defer func() { close(k.wait4signal) }()
 	}
 	return expect.Error(
 		stub.CheckArg(k.Stub, "c.Path", c.Path, 0),
 		stub.CheckArgReflect(k.Stub, "c.Args", c.Args, 1),
 		stub.CheckArgReflect(k.Stub, "c.Env", c.Env, 2),
 		stub.CheckArg(k.Stub, "c.Dir", c.Dir, 3),
 		stub.CheckArg(k.Stub, "sig", sig, 4))
 }
 func (k *kstub) evalSymlinks(path string) (string, error) {
 	k.Helper()
 	expect := k.Expects("evalSymlinks")
 	return expect.Ret.(string), expect.Error(
 		stub.CheckArg(k.Stub, "path", path, 0))
 }
 func (k *kstub) exit(code int) {
 	k.Helper()
 	k.Expects("exit")
 	if !stub.CheckArg(k.Stub, "code", code, 0) {
 		k.FailNow()
 	}
 	panic(stub.PanicExit)
 }
 func (k *kstub) getpid() int { k.Helper(); return k.Expects("getpid").Ret.(int) }
 func (k *kstub) stat(name string) (os.FileInfo, error) {
 	k.Helper()
 	expect := k.Expects("stat")
 	return expect.Ret.(os.FileInfo), expect.Error(
 		stub.CheckArg(k.Stub, "name", name, 0))
 }
 func (k *kstub) mkdir(name string, perm os.FileMode) error {
 	k.Helper()
 	return k.Expects("mkdir").Error(
 		stub.CheckArg(k.Stub, "name", name, 0),
 		stub.CheckArg(k.Stub, "perm", perm, 1))
 }
 func (k *kstub) mkdirTemp(dir, pattern string) (string, error) {
 	k.Helper()
 	expect := k.Expects("mkdirTemp")
 	return expect.Ret.(string), expect.Error(
 		stub.CheckArg(k.Stub, "dir", dir, 0),
 		stub.CheckArg(k.Stub, "pattern", pattern, 1))
 }
 func (k *kstub) mkdirAll(path string, perm os.FileMode) error {
 	k.Helper()
 	return k.Expects("mkdirAll").Error(
 		stub.CheckArg(k.Stub, "path", path, 0),
 		stub.CheckArg(k.Stub, "perm", perm, 1))
 }
 func (k *kstub) readdir(name string) ([]os.DirEntry, error) {
 	k.Helper()
 	expect := k.Expects("readdir")
 	return expect.Ret.([]os.DirEntry), expect.Error(
 		stub.CheckArg(k.Stub, "name", name, 0))
 }
 func (k *kstub) openNew(name string) (osFile, error) {
 	k.Helper()
 	expect := k.Expects("openNew")
 	return expect.Ret.(osFile), expect.Error(
 		stub.CheckArg(k.Stub, "name", name, 0))
 }
 func (k *kstub) writeFile(name string, data []byte, perm os.FileMode) error {
 	k.Helper()
 	return k.Expects("writeFile").Error(
 		stub.CheckArg(k.Stub, "name", name, 0),
 		stub.CheckArgReflect(k.Stub, "data", data, 1),
 		stub.CheckArg(k.Stub, "perm", perm, 2))
 }
 func (k *kstub) createTemp(dir, pattern string) (osFile, error) {
 	k.Helper()
 	expect := k.Expects("createTemp")
 	return expect.Ret.(osFile), expect.Error(
 		stub.CheckArg(k.Stub, "dir", dir, 0),
 		stub.CheckArg(k.Stub, "pattern", pattern, 1))
 }
 func (k *kstub) remove(name string) error {
 	k.Helper()
 	return k.Expects("remove").Error(
 		stub.CheckArg(k.Stub, "name", name, 0))
 }
 func (k *kstub) newFile(fd uintptr, name string) *os.File {
 	k.Helper()
 	expect := k.Expects("newFile")
 	if expect.Error(
 		stub.CheckArg(k.Stub, "fd", fd, 0),
 		stub.CheckArg(k.Stub, "name", name, 1)) != nil {
 		k.FailNow()
 	}
 	return expect.Ret.(*os.File)
 }
 func (k *kstub) symlink(oldname, newname string) error {
 	k.Helper()
 	return k.Expects("symlink").Error(
 		stub.CheckArg(k.Stub, "oldname", oldname, 0),
 		stub.CheckArg(k.Stub, "newname", newname, 1))
 }
 func (k *kstub) readlink(name string) (string, error) {
 	k.Helper()
 	expect := k.Expects("readlink")
 	return expect.Ret.(string), expect.Error(
 		stub.CheckArg(k.Stub, "name", name, 0))
 }
 func (k *kstub) umask(mask int) (oldmask int) {
 	k.Helper()
 	expect := k.Expects("umask")
 	if !stub.CheckArg(k.Stub, "mask", mask, 0) {
 		k.FailNow()
 	}
 	return expect.Ret.(int)
 }
 func (k *kstub) sethostname(p []byte) (err error) {
 	k.Helper()
 	return k.Expects("sethostname").Error(
 		stub.CheckArgReflect(k.Stub, "p", p, 0))
 }
 func (k *kstub) chdir(path string) (err error) {
 	k.Helper()
 	return k.Expects("chdir").Error(
 		stub.CheckArg(k.Stub, "path", path, 0))
 }
 func (k *kstub) fchdir(fd int) (err error) {
 	k.Helper()
 	return k.Expects("fchdir").Error(
 		stub.CheckArg(k.Stub, "fd", fd, 0))
 }
 func (k *kstub) open(path string, mode int, perm uint32) (fd int, err error) {
 	k.Helper()
 	expect := k.Expects("open")
 	return expect.Ret.(int), expect.Error(
 		stub.CheckArg(k.Stub, "path", path, 0),
 		stub.CheckArg(k.Stub, "mode", mode, 1),
 		stub.CheckArg(k.Stub, "perm", perm, 2))
 }
 func (k *kstub) close(fd int) (err error) {
 	k.Helper()
 	return k.Expects("close").Error(
 		stub.CheckArg(k.Stub, "fd", fd, 0))
 }
 func (k *kstub) pivotRoot(newroot, putold string) (err error) {
 	k.Helper()
 	return k.Expects("pivotRoot").Error(
 		stub.CheckArg(k.Stub, "newroot", newroot, 0),
 		stub.CheckArg(k.Stub, "putold", putold, 1))
 }
 func (k *kstub) mount(source, target, fstype string, flags uintptr, data string) (err error) {
 	k.Helper()
 	return k.Expects("mount").Error(
 		stub.CheckArg(k.Stub, "source", source, 0),
 		stub.CheckArg(k.Stub, "target", target, 1),
 		stub.CheckArg(k.Stub, "fstype", fstype, 2),
 		stub.CheckArg(k.Stub, "flags", flags, 3),
 		stub.CheckArg(k.Stub, "data", data, 4))
 }
 func (k *kstub) unmount(target string, flags int) (err error) {
 	k.Helper()
 	return k.Expects("unmount").Error(
 		stub.CheckArg(k.Stub, "target", target, 0),
 		stub.CheckArg(k.Stub, "flags", flags, 1))
 }
 func (k *kstub) wait4(pid int, wstatus *syscall.WaitStatus, options int, rusage *syscall.Rusage) (wpid int, err error) {
 	k.Helper()
 	expect := k.Expects("wait4")
 	if v, ok := expect.Args[4].(int); ok {
 		switch v {
 		case stub.PanicExit: // special case to prevent leaking the wait4 goroutine while testing initEntrypoint
 			panic(stub.PanicExit)
 		case magicWait4Signal: // block until corresponding signal call
 			if k.wait4signal == nil {
 				panic("kstub not initialised for wait4 simulation")
 			}
 			<-k.wait4signal
 		}
 	}
 	wpid = expect.Ret.(int)
 	err = expect.Error(
 		stub.CheckArg(k.Stub, "pid", pid, 0),
 		stub.CheckArg(k.Stub, "options", options, 2))
 	if wstatusV, ok := expect.Args[1].(syscall.WaitStatus); wstatus != nil && ok {
 		*wstatus = wstatusV
 	}
 	if rusageV, ok := expect.Args[3].(syscall.Rusage); rusage != nil && ok {
 		*rusage = rusageV
 	}
 	return
 }
 func (k *kstub) printf(_ message.Msg, format string, v ...any) {
 	k.Helper()
 	if k.Expects("printf").Error(
 		stub.CheckArg(k.Stub, "format", format, 0),
 		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
 		k.FailNow()
 	}
 }
 func (k *kstub) fatal(_ message.Msg, v ...any) {
 	k.Helper()
 	if k.Expects("fatal").Error(
 		stub.CheckArgReflect(k.Stub, "v", v, 0)) != nil {
 		k.FailNow()
 	}
 	panic(stub.PanicExit)
 }
 func (k *kstub) fatalf(_ message.Msg, format string, v ...any) {
 	k.Helper()
 	if k.Expects("fatalf").Error(
 		stub.CheckArg(k.Stub, "format", format, 0),
 		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
 		k.FailNow()
 	}
 	panic(stub.PanicExit)
 }
 func (k *kstub) checkMsg(msg message.Msg) {
 	k.Helper()
 	var target *kstub
 	if state, ok := msg.(*setupState); ok {
 		target = state.Msg.(*kstub)
 	} else {
 		target = msg.(*kstub)
 	}
 	if k != target {
 		panic(fmt.Sprintf("unexpected Msg: %#v", msg))
 	}
 }
 func (k *kstub) GetLogger() *log.Logger { panic("unreachable") }
 func (k *kstub) IsVerbose() bool        { panic("unreachable") }
 func (k *kstub) SwapVerbose(verbose bool) bool {
 	k.Helper()
 	expect := k.Expects("swapVerbose")
 	if expect.Error(
 		stub.CheckArg(k.Stub, "verbose", verbose, 0)) != nil {
 		k.FailNow()
 	}
 	return expect.Ret.(bool)
 }
 func (k *kstub) Verbose(v ...any) {
 	k.Helper()
 	if k.Expects("verbose").Error(
 		stub.CheckArgReflect(k.Stub, "v", v, 0)) != nil {
 		k.FailNow()
 	}
 }
 func (k *kstub) Verbosef(format string, v ...any) {
 	k.Helper()
 	if k.Expects("verbosef").Error(
 		stub.CheckArg(k.Stub, "format", format, 0),
 		stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
 		k.FailNow()
 	}
 }
 func (k *kstub) Suspend() bool { k.Helper(); return k.Expects("suspend").Ret.(bool) }
 func (k *kstub) Resume() bool  { k.Helper(); return k.Expects("resume").Ret.(bool) }
 func (k *kstub) BeforeExit()   { k.Helper(); k.Expects("beforeExit") }
--- a/container/errors.go
+++ b/container/errors.go
@@ -0,0 +1,124 @@
 package container
 import (
 	"errors"
 	"os"
 	"syscall"
 	"hakurei.app/container/check"
 	"hakurei.app/container/vfs"
 )
 // messageFromError returns a printable error message for a supported concrete type.
 func messageFromError(err error) (string, bool) {
 	if m, ok := messagePrefixP[MountError]("cannot ", err); ok {
 		return m, ok
 	}
 	if m, ok := messagePrefixP[os.PathError]("cannot ", err); ok {
 		return m, ok
 	}
 	if m, ok := messagePrefixP[check.AbsoluteError]("", err); ok {
 		return m, ok
 	}
 	if m, ok := messagePrefix[OpRepeatError]("", err); ok {
 		return m, ok
 	}
 	if m, ok := messagePrefix[OpStateError]("", err); ok {
 		return m, ok
 	}
 	if m, ok := messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
 		return m, ok
 	}
 	if m, ok := messagePrefix[TmpfsSizeError]("", err); ok {
 		return m, ok
 	}
 	return zeroString, false
 }
 // messagePrefix checks and prefixes the error message of a non-pointer error.
 // While this is usable for pointer errors, such use should be avoided as nil check is omitted.
 func messagePrefix[T error](prefix string, err error) (string, bool) {
 	var targetError T
 	if errors.As(err, &targetError) {
 		return prefix + targetError.Error(), true
 	}
 	return zeroString, false
 }
 // messagePrefixP checks and prefixes the error message of a pointer error.
 func messagePrefixP[V any, T interface {
 	*V
 	error
 }](prefix string, err error) (string, bool) {
 	var targetError T
 	if errors.As(err, &targetError) && targetError != nil {
 		return prefix + targetError.Error(), true
 	}
 	return zeroString, false
 }
 // MountError wraps errors returned by syscall.Mount.
 type MountError struct {
 	Source, Target, Fstype string
 	Flags uintptr
 	Data  string
 	syscall.Errno
 }
 func (e *MountError) Unwrap() error {
 	if e.Errno == 0 {
 		return nil
 	}
 	return e.Errno
 }
 func (e *MountError) Message() string { return "cannot " + e.Error() }
 func (e *MountError) Error() string {
 	if e.Flags&syscall.MS_BIND != 0 {
 		if e.Flags&syscall.MS_REMOUNT != 0 {
 			return "remount " + e.Target + ": " + e.Errno.Error()
 		}
 		return "bind " + e.Source + " on " + e.Target + ": " + e.Errno.Error()
 	}
 	if e.Fstype != FstypeNULL {
 		return "mount " + e.Fstype + " on " + e.Target + ": " + e.Errno.Error()
 	}
 	// fallback case: if this is reached, the conditions for it to occur should be handled above
 	return "mount " + e.Target + ": " + e.Errno.Error()
 }
 // optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
 // if it is not nil, or the original value if it is.
 func optionalErrorUnwrap(err error) error {
 	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
 		return underlyingErr
 	}
 	return err
 }
 // errnoFallback returns the concrete errno from an error, or a [os.PathError] fallback.
 func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
 	var errno syscall.Errno
 	if !errors.As(err, &errno) {
 		return 0, &os.PathError{Op: op, Path: path, Err: err}
 	}
 	return errno, nil
 }
 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil
 	}
 	if errno, pathError := errnoFallback("mount", target, err); pathError != nil {
 		return pathError
 	} else {
 		return &MountError{source, target, fstype, flags, data, errno}
 	}
 }
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -0,0 +1,179 @@
 package container
 import (
 	"errors"
 	"os"
 	"reflect"
 	"strconv"
 	"syscall"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/container/vfs"
 )
 func TestMessageFromError(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name   string
 		err    error
 		want   string
 		wantOk bool
 	}{
 		{"mount", &MountError{
 			Source: SourceTmpfsEphemeral,
 			Target: "/sysroot/tmp",
 			Fstype: FstypeTmpfs,
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Data:   zeroString,
 			Errno:  syscall.EINVAL,
 		}, "cannot mount tmpfs on /sysroot/tmp: invalid argument", true},
 		{"path", &os.PathError{
 			Op:   "mount",
 			Path: "/sysroot",
 			Err:  stub.UniqueError(0xdeadbeef),
 		}, "cannot mount /sysroot: unique error 3735928559 injected by the test suite", true},
 		{"absolute", &check.AbsoluteError{Pathname: "etc/mtab"},
 			`path "etc/mtab" is not absolute`, true},
 		{"repeat", OpRepeatError("autoetc"),
 			"autoetc is not repeatable", true},
 		{"state", OpStateError("overlay"),
 			"impossible overlay state reached", true},
 		{"vfs parse", &vfs.DecoderError{Op: "parse", Line: 0xdead, Err: &strconv.NumError{Func: "Atoi", Num: "meow", Err: strconv.ErrSyntax}},
 			`cannot parse mountinfo at line 57005: numeric field "meow" invalid syntax`, true},
 		{"tmpfs", TmpfsSizeError(-1),
 			"tmpfs size -1 out of bounds", true},
 		{"unsupported", stub.UniqueError(0xdeadbeef), zeroString, false},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			got, ok := messageFromError(tc.err)
 			if got != tc.want {
 				t.Errorf("messageFromError: %q, want %q", got, tc.want)
 			}
 			if ok != tc.wantOk {
 				t.Errorf("messageFromError: ok = %v, want %v", ok, tc.wantOk)
 			}
 		})
 	}
 }
 func TestMountError(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name  string
 		err   error
 		errno syscall.Errno
 		want  string
 	}{
 		{"bind", &MountError{
 			Source: "/host/nix/store",
 			Target: "/sysroot/nix/store",
 			Fstype: FstypeNULL,
 			Flags:  syscall.MS_SILENT | syscall.MS_BIND | syscall.MS_REC,
 			Data:   zeroString,
 			Errno:  syscall.ENOSYS,
 		}, syscall.ENOSYS,
 			"bind /host/nix/store on /sysroot/nix/store: function not implemented"},
 		{"remount", &MountError{
 			Source: SourceNone,
 			Target: "/sysroot/nix/store",
 			Fstype: FstypeNULL,
 			Flags:  syscall.MS_SILENT | syscall.MS_BIND | syscall.MS_REMOUNT,
 			Data:   zeroString,
 			Errno:  syscall.EPERM,
 		}, syscall.EPERM,
 			"remount /sysroot/nix/store: operation not permitted"},
 		{"overlay", &MountError{
 			Source: SourceOverlay,
 			Target: sysrootPath,
 			Fstype: FstypeOverlay,
 			Data:   `lowerdir=/host/var/lib/planterette/base/debian\:f92c9052`,
 			Errno:  syscall.EINVAL,
 		}, syscall.EINVAL,
 			"mount overlay on /sysroot: invalid argument"},
 		{"fallback", &MountError{
 			Source: SourceNone,
 			Target: sysrootPath,
 			Fstype: FstypeNULL,
 			Errno:  syscall.ENOTRECOVERABLE,
 		}, syscall.ENOTRECOVERABLE,
 			"mount /sysroot: state not recoverable"},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			t.Run("is", func(t *testing.T) {
 				if !errors.Is(tc.err, tc.errno) {
 					t.Errorf("Is: %#v is not %v", tc.err, tc.errno)
 				}
 			})
 			t.Run("error", func(t *testing.T) {
 				if got := tc.err.Error(); got != tc.want {
 					t.Errorf("Error: %q, want %q", got, tc.want)
 				}
 			})
 		})
 	}
 	t.Run("zero", func(t *testing.T) {
 		t.Parallel()
 		if errors.Is(new(MountError), syscall.Errno(0)) {
 			t.Errorf("Is: zero MountError unexpected true")
 		}
 	})
 }
 func TestErrnoFallback(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name      string
 		err       error
 		wantErrno syscall.Errno
 		wantPath  *os.PathError
 	}{
 		{"mount", &MountError{
 			Errno: syscall.ENOTRECOVERABLE,
 		}, syscall.ENOTRECOVERABLE, nil},
 		{"path errno", &os.PathError{
 			Err: syscall.ETIMEDOUT,
 		}, syscall.ETIMEDOUT, nil},
 		{"fallback", stub.UniqueError(0xcafebabe), 0, &os.PathError{
 			Op:   "fallback",
 			Path: "/proc/nonexistent",
 			Err:  stub.UniqueError(0xcafebabe),
 		}},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			errno, err := errnoFallback(tc.name, Nonexistent, tc.err)
 			if errno != tc.wantErrno {
 				t.Errorf("errnoFallback: errno = %v, want %v", errno, tc.wantErrno)
 			}
 			if !reflect.DeepEqual(err, tc.wantPath) {
 				t.Errorf("errnoFallback: pathError = %#v, want %#v", err, tc.wantPath)
 			}
 		})
 	}
 }
 // InternalMessageFromError exports messageFromError for other tests.
 func InternalMessageFromError(err error) (string, bool) { return messageFromError(err) }
--- a/container/executable.go
+++ b/container/executable.go
@@ -1,9 +1,12 @@
 package container
 import (
 	"fmt"
 	"log"
 	"os"
 	"sync"
 	"hakurei.app/message"
 )
 var (
@@ -11,16 +14,21 @@ var (
 	executableOnce sync.Once
 )
-func copyExecutable() {
+func copyExecutable(msg message.Msg) {
 	if name, err := os.Executable(); err != nil {
-		msg.BeforeExit()
+		m := fmt.Sprintf("cannot read executable path: %v", err)
-		log.Fatalf("cannot read executable path: %v", err)
+		if msg != nil {
 			msg.BeforeExit()
 			msg.GetLogger().Fatal(m)
 		} else {
 			log.Fatal(m)
 		}
 	} else {
 		executable = name
 	}
 }
-func MustExecutable() string {
+func MustExecutable(msg message.Msg) string {
-	executableOnce.Do(copyExecutable)
+	executableOnce.Do(func() { copyExecutable(msg) })
 	return executable
 }
--- a/container/executable_test.go
+++ b/container/executable_test.go
@@ -5,13 +5,14 @@ import (
 	"testing"
 	"hakurei.app/container"
 	"hakurei.app/message"
 )
 func TestExecutable(t *testing.T) {
 	t.Parallel()
 	for i := 0; i < 16; i++ {
-		if got := container.MustExecutable(); got != os.Args[0] {
+		if got := container.MustExecutable(message.New(nil)); got != os.Args[0] {
-			t.Errorf("MustExecutable: %q, want %q",
+			t.Errorf("MustExecutable: %q, want %q", got, os.Args[0])
 				got, os.Args[0])
 		}
 	}
 }
--- a/container/fhs/abs.go
+++ b/container/fhs/abs.go
@@ -0,0 +1,41 @@
 package fhs
 import (
 	_ "unsafe" // for go:linkname
 	"hakurei.app/container/check"
 )
 /* constants in this file bypass abs check, be extremely careful when changing them! */
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
 func unsafeAbs(_ string) *check.Absolute
 var (
 	// AbsRoot is [Root] as [check.Absolute].
 	AbsRoot = unsafeAbs(Root)
 	// AbsEtc is [Etc] as [check.Absolute].
 	AbsEtc = unsafeAbs(Etc)
 	// AbsTmp is [Tmp] as [check.Absolute].
 	AbsTmp = unsafeAbs(Tmp)
 	// AbsRun is [Run] as [check.Absolute].
 	AbsRun = unsafeAbs(Run)
 	// AbsRunUser is [RunUser] as [check.Absolute].
 	AbsRunUser = unsafeAbs(RunUser)
 	// AbsUsrBin is [UsrBin] as [check.Absolute].
 	AbsUsrBin = unsafeAbs(UsrBin)
 	// AbsVar is [Var] as [check.Absolute].
 	AbsVar = unsafeAbs(Var)
 	// AbsVarLib is [VarLib] as [check.Absolute].
 	AbsVarLib = unsafeAbs(VarLib)
 	// AbsDev is [Dev] as [check.Absolute].
 	AbsDev = unsafeAbs(Dev)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
 	// AbsSys is [Sys] as [check.Absolute].
 	AbsSys = unsafeAbs(Sys)
 )
--- a/container/fhs/fhs.go
+++ b/container/fhs/fhs.go
@@ -0,0 +1,38 @@
 // Package fhs provides constant and checked pathname values for common FHS paths.
 package fhs
 const (
 	// Root points to the file system root.
 	Root = "/"
 	// Etc points to the directory for system-specific configuration.
 	Etc = "/etc/"
 	// Tmp points to the place for small temporary files.
 	Tmp = "/tmp/"
 	// Run points to a "tmpfs" file system for system packages to place runtime data, socket files, and similar.
 	Run = "/run/"
 	// RunUser points to a directory containing per-user runtime directories,
 	// each usually individually mounted "tmpfs" instances.
 	RunUser = Run + "user/"
 	// Usr points to vendor-supplied operating system resources.
 	Usr = "/usr/"
 	// UsrBin points to binaries and executables for user commands that shall appear in the $PATH search path.
 	UsrBin = Usr + "bin/"
 	// Var points to persistent, variable system data. Writable during normal system operation.
 	Var = "/var/"
 	// VarLib points to persistent system data.
 	VarLib = Var + "lib/"
 	// VarEmpty points to a nonstandard directory that is usually empty.
 	VarEmpty = Var + "empty/"
 	// Dev points to the root directory for device nodes.
 	Dev = "/dev/"
 	// Proc points to a virtual kernel file system exposing the process list and other functionality.
 	Proc = "/proc/"
 	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
 	ProcSys = Proc + "sys/"
 	// Sys points to a virtual kernel file system exposing discovered devices and other functionality.
 	Sys = "/sys/"
 )
--- a/container/init.go
+++ b/container/init.go
@@ -6,27 +6,85 @@ import (
 	"log"
 	"os"
 	"os/exec"
 	"os/signal"
 	"path"
-	"runtime"
+	"slices"
 	"strconv"
 	. "syscall"
 	"time"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/message"
 )
 const (
-	// time to wait for linger processes after death of initial process
+	/* intermediate tmpfs mount point
 	residualProcessTimeout = 5 * time.Second
-	// intermediate tmpfs mount point
+	this path might seem like a weird choice, however there are many good reasons to use it:
-	basePath = "/tmp"
+	- the contents of this path is never exposed to the container:
 	  the tmpfs root established here effectively becomes anonymous after pivot_root
 	- it is safe to assume this path exists and is a directory:
 	  this program will not work correctly without a proper /proc and neither will most others
 	- this path belongs to the container init:
 	  the container init is not any more privileged or trusted than the rest of the container
 	- this path is only accessible by init and root:
 	  the container init sets SUID_DUMP_DISABLE and terminates if that fails;
 	it should be noted that none of this should become relevant at any point since the resulting
 	intermediate root tmpfs should be effectively anonymous */
 	intermediateHostPath = fhs.Proc + "self/fd"
 	// setup params file descriptor
 	setupEnv = "HAKUREI_SETUP"
 )
 type (
 	// Ops is a collection of [Op].
 	Ops []Op
 	// Op is a generic setup step ran inside the container init.
 	// Implementations of this interface are sent as a stream of gobs.
 	Op interface {
 		// early is called in host root.
 		early(state *setupState, k syscallDispatcher) error
 		// apply is called in intermediate root.
 		apply(state *setupState, k syscallDispatcher) error
 		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
 		prefix() (string, bool)
 		Is(op Op) bool
 		Valid() bool
 		fmt.Stringer
 	}
 	// setupState persists context between Ops.
 	setupState struct {
 		nonrepeatable uintptr
 		*Params
 		message.Msg
 	}
 )
 // Grow grows the slice Ops points to using [slices.Grow].
 func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
 const (
 	nrAutoEtc = 1 << iota
 	nrAutoRoot
 )
 // OpRepeatError is returned applying a repeated nonrepeatable [Op].
 type OpRepeatError string
 func (e OpRepeatError) Error() string { return string(e) + " is not repeatable" }
 // OpStateError indicates an impossible internal state has been reached in an [Op].
 type OpStateError string
 func (o OpStateError) Error() string { return "impossible " + string(o) + " state reached" }
 // initParams are params passed from parent.
 type initParams struct {
 	Params
@@ -37,180 +95,201 @@ type initParams struct {
 	Verbose bool
 }
-func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
+// Init is called by [TryArgv0] if the current process is the container init.
-	runtime.LockOSThread()
+func Init(msg message.Msg) { initEntrypoint(direct{}, msg) }
 	prepare("init")
-	if os.Getpid() != 1 {
+func initEntrypoint(k syscallDispatcher, msg message.Msg) {
-		log.Fatal("this process must run as pid 1")
+	k.lockOSThread()
 	if msg == nil {
 		panic("attempting to call initEntrypoint with nil msg")
 	}
 	if k.getpid() != 1 {
 		k.fatal(msg, "this process must run as pid 1")
 	}
 	if err := k.setPtracer(0); err != nil {
 		msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", err)
 		// not fatal: this program has no additional privileges at initial program start
 	}
 	var (
 		params      initParams
 		closeSetup  func() error
-		setupFile   *os.File
+		setupFd     uintptr
 		offsetSetup int
 	)
-	if f, err := Receive(setupEnv, &params, &setupFile); err != nil {
+	if f, err := k.receive(setupEnv, &params, &setupFd); err != nil {
-		if errors.Is(err, ErrInvalid) {
+		if errors.Is(err, EBADF) {
-			log.Fatal("invalid setup descriptor")
+			k.fatal(msg, "invalid setup descriptor")
 		}
-		if errors.Is(err, ErrNotSet) {
+		if errors.Is(err, ErrReceiveEnv) {
-			log.Fatal("HAKUREI_SETUP not set")
+			k.fatal(msg, setupEnv+" not set")
 		}
-		log.Fatalf("cannot decode init setup payload: %v", err)
+		k.fatalf(msg, "cannot decode init setup payload: %v", err)
 	} else {
 		if params.Ops == nil {
-			log.Fatal("invalid setup parameters")
+			k.fatal(msg, "invalid setup parameters")
 		}
 		if params.ParentPerm == 0 {
 			params.ParentPerm = 0755
 		}
-		setVerbose(params.Verbose)
+		msg.SwapVerbose(params.Verbose)
 		msg.Verbose("received setup parameters")
 		closeSetup = f
-		offsetSetup = int(setupFile.Fd() + 1)
+		offsetSetup = int(setupFd + 1)
 	}
 	// write uid/gid map here so parent does not need to set dumpable
-	if err := SetDumpable(SUID_DUMP_USER); err != nil {
+	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
-		log.Fatalf("cannot set SUID_DUMP_USER: %s", err)
+		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
-	if err := os.WriteFile("/proc/self/uid_map",
+	if err := k.writeFile(fhs.Proc+"self/uid_map",
 		append([]byte{}, strconv.Itoa(params.Uid)+" "+strconv.Itoa(params.HostUid)+" 1\n"...),
 		0); err != nil {
-		log.Fatalf("%v", err)
+		k.fatalf(msg, "%v", err)
 	}
-	if err := os.WriteFile("/proc/self/setgroups",
+	if err := k.writeFile(fhs.Proc+"self/setgroups",
 		[]byte("deny\n"),
 		0); err != nil && !os.IsNotExist(err) {
-		log.Fatalf("%v", err)
+		k.fatalf(msg, "%v", err)
 	}
-	if err := os.WriteFile("/proc/self/gid_map",
+	if err := k.writeFile(fhs.Proc+"self/gid_map",
 		append([]byte{}, strconv.Itoa(params.Gid)+" "+strconv.Itoa(params.HostGid)+" 1\n"...),
 		0); err != nil {
-		log.Fatalf("%v", err)
+		k.fatalf(msg, "%v", err)
 	}
-	if err := SetDumpable(SUID_DUMP_DISABLE); err != nil {
+	if err := k.setDumpable(SUID_DUMP_DISABLE); err != nil {
-		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
+		k.fatalf(msg, "cannot set SUID_DUMP_DISABLE: %v", err)
 	}
-	oldmask := Umask(0)
+	oldmask := k.umask(0)
 	if params.Hostname != "" {
-		if err := Sethostname([]byte(params.Hostname)); err != nil {
+		if err := k.sethostname([]byte(params.Hostname)); err != nil {
-			log.Fatalf("cannot set hostname: %v", err)
+			k.fatalf(msg, "cannot set hostname: %v", err)
 		}
 	}
 	// cache sysctl before pivot_root
-	LastCap()
+	lastcap := k.lastcap(msg)
-	if err := Mount("", "/", "", MS_SILENT|MS_SLAVE|MS_REC, ""); err != nil {
+	if err := k.mount(zeroString, fhs.Root, zeroString, MS_SILENT|MS_SLAVE|MS_REC, zeroString); err != nil {
-		log.Fatalf("cannot make / rslave: %v", err)
+		k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
 	}
 	state := &setupState{Params: &params.Params, Msg: msg}
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be difficult to obtain
 	via library functions after pivot_root, and implementations are expected to avoid changing
 	the state of the mount namespace */
 	for i, op := range *params.Ops {
-		if op == nil {
+		if op == nil || !op.Valid() {
-			log.Fatalf("invalid op %d", i)
+			k.fatalf(msg, "invalid op at index %d", i)
 		}
-		if err := op.early(&params.Params); err != nil {
+		if err := op.early(state, k); err != nil {
-			msg.PrintBaseErr(err,
+			if m, ok := messageFromError(err); ok {
-				fmt.Sprintf("cannot prepare op %d:", i))
+				k.fatal(msg, m)
-			msg.BeforeExit()
+			} else {
-			os.Exit(1)
+				k.fatalf(msg, "cannot prepare op at index %d: %v", i, err)
 			}
 		}
 	}
-	if err := Mount("rootfs", basePath, "tmpfs", MS_NODEV|MS_NOSUID, ""); err != nil {
+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		log.Fatalf("cannot mount intermediate root: %v", err)
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
 	}
-	if err := os.Chdir(basePath); err != nil {
+	if err := k.chdir(intermediateHostPath); err != nil {
-		log.Fatalf("cannot enter base path: %v", err)
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
 	}
-	if err := os.Mkdir(sysrootDir, 0755); err != nil {
+	if err := k.mkdir(sysrootDir, 0755); err != nil {
-		log.Fatalf("%v", err)
+		k.fatalf(msg, "%v", err)
 	}
-	if err := Mount(sysrootDir, sysrootDir, "", MS_SILENT|MS_MGC_VAL|MS_BIND|MS_REC, ""); err != nil {
+	if err := k.mount(sysrootDir, sysrootDir, zeroString, MS_SILENT|MS_BIND|MS_REC, zeroString); err != nil {
-		log.Fatalf("cannot bind sysroot: %v", err)
+		k.fatalf(msg, "cannot bind sysroot: %v", optionalErrorUnwrap(err))
 	}
-	if err := os.Mkdir(hostDir, 0755); err != nil {
+	if err := k.mkdir(hostDir, 0755); err != nil {
-		log.Fatalf("%v", err)
+		k.fatalf(msg, "%v", err)
 	}
-	// pivot_root uncovers basePath in hostDir
+	// pivot_root uncovers intermediateHostPath in hostDir
-	if err := PivotRoot(basePath, hostDir); err != nil {
+	if err := k.pivotRoot(intermediateHostPath, hostDir); err != nil {
-		log.Fatalf("cannot pivot into intermediate root: %v", err)
+		k.fatalf(msg, "cannot pivot into intermediate root: %v", err)
 	}
-	if err := os.Chdir("/"); err != nil {
+	if err := k.chdir(fhs.Root); err != nil {
-		log.Fatalf("%v", err)
+		k.fatalf(msg, "cannot enter intermediate root: %v", err)
 	}
 	/* apply is called right after pivot_root and entering the new root;
 	this step sets up the container filesystem, and implementations are expected to keep the host root
 	and sysroot mount points intact but otherwise can do whatever they need to;
 	chdir is allowed but discouraged */
 	for i, op := range *params.Ops {
 		// ops already checked during early setup
-		msg.Verbosef("%s %s", op.prefix(), op)
+		if prefix, ok := op.prefix(); ok {
-		if err := op.apply(&params.Params); err != nil {
+			msg.Verbosef("%s %s", prefix, op)
-			msg.PrintBaseErr(err,
+		}
-				fmt.Sprintf("cannot apply op %d:", i))
+		if err := op.apply(state, k); err != nil {
-			msg.BeforeExit()
+			if m, ok := messageFromError(err); ok {
-			os.Exit(1)
+				k.fatal(msg, m)
 			} else {
 				k.fatalf(msg, "cannot apply op at index %d: %v", i, err)
 			}
 		}
 	}
 	// setup requiring host root complete at this point
-	if err := Mount(hostDir, hostDir, "", MS_SILENT|MS_REC|MS_PRIVATE, ""); err != nil {
+	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
-		log.Fatalf("cannot make host root rprivate: %v", err)
+		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
 	}
-	if err := Unmount(hostDir, MNT_DETACH); err != nil {
+	if err := k.unmount(hostDir, MNT_DETACH); err != nil {
-		log.Fatalf("cannot unmount host root: %v", err)
+		k.fatalf(msg, "cannot unmount host root: %v", err)
 	}
 	{
 		var fd int
 		if err := IgnoringEINTR(func() (err error) {
-			fd, err = Open("/", O_DIRECTORY|O_RDONLY, 0)
+			fd, err = k.open(fhs.Root, O_DIRECTORY|O_RDONLY, 0)
 			return
 		}); err != nil {
-			log.Fatalf("cannot open intermediate root: %v", err)
+			k.fatalf(msg, "cannot open intermediate root: %v", err)
 		}
-		if err := os.Chdir(sysrootPath); err != nil {
+		if err := k.chdir(sysrootPath); err != nil {
-			log.Fatalf("%v", err)
+			k.fatalf(msg, "cannot enter sysroot: %v", err)
 		}
-		if err := PivotRoot(".", "."); err != nil {
+		if err := k.pivotRoot(".", "."); err != nil {
-			log.Fatalf("cannot pivot into sysroot: %v", err)
+			k.fatalf(msg, "cannot pivot into sysroot: %v", err)
 		}
-		if err := Fchdir(fd); err != nil {
+		if err := k.fchdir(fd); err != nil {
-			log.Fatalf("cannot re-enter intermediate root: %v", err)
+			k.fatalf(msg, "cannot re-enter intermediate root: %v", err)
 		}
-		if err := Unmount(".", MNT_DETACH); err != nil {
+		if err := k.unmount(".", MNT_DETACH); err != nil {
-			log.Fatalf("cannot unmount intemediate root: %v", err)
+			k.fatalf(msg, "cannot unmount intermediate root: %v", err)
 		}
-		if err := os.Chdir("/"); err != nil {
+		if err := k.chdir(fhs.Root); err != nil {
-			log.Fatalf("%v", err)
+			k.fatalf(msg, "cannot enter root: %v", err)
 		}
-		if err := Close(fd); err != nil {
+		if err := k.close(fd); err != nil {
-			log.Fatalf("cannot close intermediate root: %v", err)
+			k.fatalf(msg, "cannot close intermediate root: %v", err)
 		}
 	}
-	if _, _, errno := Syscall(PR_SET_NO_NEW_PRIVS, 1, 0, 0); errno != 0 {
+	if err := k.capAmbientClearAll(); err != nil {
-		log.Fatalf("prctl(PR_SET_NO_NEW_PRIVS): %v", errno)
+		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
-
+	for i := uintptr(0); i <= lastcap; i++ {
 	if _, _, errno := Syscall(SYS_PRCTL, PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0); errno != 0 {
 		log.Fatalf("cannot clear the ambient capability set: %v", errno)
 	}
 	for i := uintptr(0); i <= LastCap(); i++ {
 		if params.Privileged && i == CAP_SYS_ADMIN {
 			continue
 		}
-		if _, _, errno := Syscall(SYS_PRCTL, PR_CAPBSET_DROP, i, 0); errno != 0 {
+		if err := k.capBoundingSetDrop(i); err != nil {
-			log.Fatalf("cannot drop capability from bonding set: %v", errno)
+			k.fatalf(msg, "cannot drop capability from bounding set: %v", err)
 		}
 	}
@@ -218,15 +297,15 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	if params.Privileged {
 		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
-		if _, _, errno := Syscall(SYS_PRCTL, PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_SYS_ADMIN); errno != 0 {
+		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
-			log.Fatalf("cannot raise CAP_SYS_ADMIN: %v", errno)
+			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
 		}
 	}
-	if err := capset(
+	if err := k.capset(
 		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
 		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
 	); err != nil {
-		log.Fatalf("cannot capset: %v", err)
+		k.fatalf(msg, "cannot capset: %v", err)
 	}
 	if !params.SeccompDisable {
@@ -235,8 +314,9 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 			msg.Verbosef("resolving presets %#x", params.SeccompPresets)
 			rules = seccomp.Preset(params.SeccompPresets, params.SeccompFlags)
 		}
-		if err := seccomp.Load(rules, params.SeccompFlags); err != nil {
+		if err := k.seccompLoad(rules, params.SeccompFlags); err != nil {
-			log.Fatalf("cannot load syscall filter: %v", err)
+			// this also indirectly asserts PR_SET_NO_NEW_PRIVS
 			k.fatalf(msg, "cannot load syscall filter: %v", err)
 		}
 		msg.Verbosef("%d filter rules loaded", len(rules))
 	} else {
@@ -246,35 +326,38 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	extraFiles := make([]*os.File, params.Count)
 	for i := range extraFiles {
 		// setup fd is placed before all extra files
-		extraFiles[i] = os.NewFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
+		extraFiles[i] = k.newFile(uintptr(offsetSetup+i), "extra file "+strconv.Itoa(i))
 	}
-	Umask(oldmask)
+	k.umask(oldmask)
-	cmd := exec.Command(params.Path)
+	if err := closeSetup(); err != nil {
 		k.fatalf(msg, "cannot close setup pipe: %v", err)
 	}
 	cmd := exec.Command(params.Path.String())
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	cmd.Args = params.Args
 	cmd.Env = params.Env
 	cmd.ExtraFiles = extraFiles
-	cmd.Dir = params.Dir
+	cmd.Dir = params.Dir.String()
-	if err := cmd.Start(); err != nil {
+	msg.Verbosef("starting initial program %s", params.Path)
-		log.Fatalf("%v", err)
+	if err := k.start(cmd); err != nil {
-	}
+		k.fatalf(msg, "%v", err)
 	msg.Suspend()
 	if err := closeSetup(); err != nil {
 		log.Println("cannot close setup pipe:", err)
 		// not fatal
 	}
 	type winfo struct {
 		wpid    int
 		wstatus WaitStatus
 	}
 	info := make(chan winfo, 1)
 	done := make(chan struct{})
-	go func() {
+	// info is closed as the wait4 thread terminates
 	// when there are no longer any processes left to reap
 	info := make(chan winfo, 1)
 	k.new(func(k syscallDispatcher) {
 		k.lockOSThread()
 		var (
 			err     error
 			wpid    = -2
@@ -293,19 +376,20 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 			err = EINTR
 			for errors.Is(err, EINTR) {
-				wpid, err = Wait4(-1, &wstatus, 0, nil)
+				wpid, err = k.wait4(-1, &wstatus, 0, nil)
 			}
 		}
 		if !errors.Is(err, ECHILD) {
-			log.Println("unexpected wait4 response:", err)
+			k.printf(msg, "unexpected wait4 response: %v", err)
 		}
-		close(done)
+		close(info)
-	}()
+	})
 	// handle signals to dump withheld messages
 	sig := make(chan os.Signal, 2)
-	signal.Notify(sig, SIGINT, SIGTERM)
+	k.notify(sig, CancelSignal,
 		os.Interrupt, SIGTERM, SIGQUIT)
 	// closed after residualProcessTimeout has elapsed after initial process death
 	timeout := make(chan struct{})
@@ -314,50 +398,81 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 	for {
 		select {
 		case s := <-sig:
-			if msg.Resume() {
+			if s == CancelSignal && params.ForwardCancel && cmd.Process != nil {
-				msg.Verbosef("terminating on %s after process start", s.String())
+				msg.Verbose("forwarding context cancellation")
-			} else {
+				if err := k.signal(cmd, os.Interrupt); err != nil {
-				msg.Verbosef("terminating on %s", s.String())
+					k.printf(msg, "cannot forward cancellation: %v", err)
 				}
 				continue
 			}
-			os.Exit(0)
+
-		case w := <-info:
+			if s == SIGTERM || s == SIGQUIT {
 				msg.Verbosef("got %s, forwarding to initial process", s.String())
 				if err := k.signal(cmd, s); err != nil {
 					k.printf(msg, "cannot forward signal: %v", err)
 				}
 				continue
 			}
 			msg.Verbosef("got %s", s.String())
 			msg.BeforeExit()
 			k.exit(0)
 		case w, ok := <-info:
 			if !ok {
 				msg.BeforeExit()
 				k.exit(r)
 				continue // unreachable
 			}
 			if w.wpid == cmd.Process.Pid {
-				// initial process exited, output is most likely available again
+				// start timeout early
-				msg.Resume()
+				go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()
 				// close initial process files; this also keeps them alive
 				for _, f := range extraFiles {
 					if err := f.Close(); err != nil {
 						msg.Verbose(err.Error())
 					}
 				}
 				switch {
 				case w.wstatus.Exited():
 					r = w.wstatus.ExitStatus()
 					msg.Verbosef("initial process exited with code %d", w.wstatus.ExitStatus())
 				case w.wstatus.Signaled():
 					r = 128 + int(w.wstatus.Signal())
 					msg.Verbosef("initial process exited with signal %s", w.wstatus.Signal())
 				default:
 					r = 255
 					msg.Verbosef("initial process exited with status %#x", w.wstatus)
 				}
 				go func() {
 					time.Sleep(residualProcessTimeout)
 					close(timeout)
 				}()
 			}
-		case <-done:
+
 			msg.BeforeExit()
 			os.Exit(r)
 		case <-timeout:
-			log.Println("timeout exceeded waiting for lingering processes")
+			k.printf(msg, "timeout exceeded waiting for lingering processes")
 			msg.BeforeExit()
-			os.Exit(r)
+			k.exit(r)
 		}
 	}
 }
 // initName is the prefix used by log.std in the init process.
 const initName = "init"
 // TryArgv0 calls [Init] if the last element of argv0 is "init".
-func TryArgv0(v Msg, prepare func(prefix string), setVerbose func(verbose bool)) {
+// If a nil msg is passed, the system logger is used instead.
-	if len(os.Args) > 0 && path.Base(os.Args[0]) == "init" {
+func TryArgv0(msg message.Msg) {
-		msg = v
+	if msg == nil {
-		Init(prepare, setVerbose)
+		log.SetPrefix(initName + ": ")
 		log.SetFlags(0)
 		msg = message.New(log.Default())
 	}
 	if len(os.Args) > 0 && path.Base(os.Args[0]) == initName {
 		Init(msg)
 		msg.BeforeExit()
 		os.Exit(0)
 	}
--- a/container/init_test.go
+++ b/container/init_test.go
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -0,0 +1,110 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"os"
 	"syscall"
 	"hakurei.app/container/check"
 	"hakurei.app/container/std"
 )
 func init() { gob.Register(new(BindMountOp)) }
 // Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
 func (f *Ops) Bind(source, target *check.Absolute, flags int) *Ops {
 	*f = append(*f, &BindMountOp{nil, source, target, flags})
 	return f
 }
 // BindMountOp bind mounts host path Source on container path Target.
 // Note that Flags uses bits declared in this package and should not be set with constants in [syscall].
 type BindMountOp struct {
 	sourceFinal, Source, Target *check.Absolute
 	Flags int
 }
 func (b *BindMountOp) Valid() bool {
 	return b != nil &&
 		b.Source != nil && b.Target != nil &&
 		b.Flags&(std.BindOptional|std.BindEnsure) != (std.BindOptional|std.BindEnsure)
 }
 func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
 	if b.Flags&std.BindEnsure != 0 {
 		if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
 			return err
 		}
 	}
 	if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
 		if os.IsNotExist(err) && b.Flags&std.BindOptional != 0 {
 			// leave sourceFinal as nil
 			return nil
 		}
 		return err
 	} else {
 		b.sourceFinal, err = check.NewAbs(pathname)
 		return err
 	}
 }
 func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
 	if b.sourceFinal == nil {
 		if b.Flags&std.BindOptional == 0 {
 			// unreachable
 			return OpStateError("bind")
 		}
 		return nil
 	}
 	source := toHost(b.sourceFinal.String())
 	target := toSysroot(b.Target.String())
 	// this perm value emulates bwrap behaviour as it clears bits from 0755 based on
 	// op->perms which is never set for any bind setup op so always results in 0700
 	if fi, err := k.stat(source); err != nil {
 		return err
 	} else if fi.IsDir() {
 		if err = k.mkdirAll(target, 0700); err != nil {
 			return err
 		}
 	} else if err = k.ensureFile(target, 0444, 0700); err != nil {
 		return err
 	}
 	var flags uintptr = syscall.MS_REC
 	if b.Flags&std.BindWritable == 0 {
 		flags |= syscall.MS_RDONLY
 	}
 	if b.Flags&std.BindDevice == 0 {
 		flags |= syscall.MS_NODEV
 	}
 	if b.sourceFinal.String() == b.Target.String() {
 		state.Verbosef("mounting %q flags %#x", target, flags)
 	} else {
 		state.Verbosef("mounting %q on %q flags %#x", source, target, flags)
 	}
 	return k.bindMount(state, source, target, flags)
 }
 func (b *BindMountOp) Is(op Op) bool {
 	vb, ok := op.(*BindMountOp)
 	return ok && b.Valid() && vb.Valid() &&
 		b.Source.Is(vb.Source) &&
 		b.Target.Is(vb.Target) &&
 		b.Flags == vb.Flags
 }
 func (*BindMountOp) prefix() (string, bool) { return "mounting", false }
 func (b *BindMountOp) String() string {
 	if b.Source == nil || b.Target == nil {
 		return "<invalid>"
 	}
 	if b.Source.String() == b.Target.String() {
 		return fmt.Sprintf("%q flags %#x", b.Source, b.Flags)
 	}
 	return fmt.Sprintf("%q on %q flags %#x", b.Source, b.Target, b.Flags)
 }
--- a/container/initbind_test.go
+++ b/container/initbind_test.go
@@ -0,0 +1,262 @@
 package container
 import (
 	"errors"
 	"os"
 	"syscall"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 )
 func TestBindMountOp(t *testing.T) {
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"ENOENT not optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
 		}, syscall.ENOENT, nil, nil},
 		{"skip optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 			Flags:  std.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
 		}, nil, nil, nil},
 		{"success optional", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 			Flags:  std.BindOptional,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
 		}, nil},
 		{"ensureFile device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
 			Flags:  std.BindWritable | std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/dev/null"}, isDirFi(false), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(5)),
 		}, stub.UniqueError(5)},
 		{"mkdirAll ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 			Flags:  std.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
 		}, stub.UniqueError(4), nil, nil},
 		{"success ensure", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/usr/bin/"),
 			Flags:  std.BindEnsure,
 		}, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/usr/bin", os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/usr/bin", uintptr(0x4005)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/usr/bin", uintptr(0x4005), false}, nil, nil),
 		}, nil},
 		{"success device ro", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
 			Flags:  std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/dev/null"}, isDirFi(false), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/dev/null", uintptr(0x4001)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0x4001), false}, nil, nil),
 		}, nil},
 		{"success device", new(Params), &BindMountOp{
 			Source: check.MustAbs("/dev/null"),
 			Target: check.MustAbs("/dev/null"),
 			Flags:  std.BindWritable | std.BindDevice,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/dev/null"}, isDirFi(false), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q flags %#x", []any{"/sysroot/dev/null", uintptr(0x4000)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0x4000), false}, nil, nil),
 		}, nil},
 		{"evalSymlinks", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", stub.UniqueError(3)),
 		}, stub.UniqueError(3), nil, nil},
 		{"stat", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), stub.UniqueError(2)),
 		}, stub.UniqueError(2)},
 		{"mkdirAll", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"bindMount", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success eval equals", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/bin"}, isDirFi(true), nil),
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
 		}, nil},
 		{"success", new(Params), &BindMountOp{
 			Source: check.MustAbs("/bin/"),
 			Target: check.MustAbs("/bin/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
 		}, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{"/host/usr/bin"}, isDirFi(true), nil),
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/bin", os.FileMode(0700)}, nil, nil),
 			call("verbosef", stub.ExpectArgs{"mounting %q on %q flags %#x", []any{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005)}}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/usr/bin", "/sysroot/bin", uintptr(0x4005), false}, nil, nil),
 		}, nil},
 	})
 	t.Run("unreachable", func(t *testing.T) {
 		t.Parallel()
 		t.Run("nil sourceFinal not optional", func(t *testing.T) {
 			t.Parallel()
 			wantErr := OpStateError("bind")
 			if err := new(BindMountOp).apply(nil, nil); !errors.Is(err, wantErr) {
 				t.Errorf("apply: error = %v, want %v", err, wantErr)
 			}
 		})
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*BindMountOp)(nil), false},
 		{"zero", new(BindMountOp), false},
 		{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
 		{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
 		{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: std.BindOptional | std.BindEnsure}, false},
 		{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"autoetc", new(Ops).Bind(
 			check.MustAbs("/etc/"),
 			check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 			0,
 		), Ops{
 			&BindMountOp{
 				Source: check.MustAbs("/etc/"),
 				Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(BindMountOp), new(BindMountOp), false},
 		{"internal ne", &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, &BindMountOp{
 			Source:      check.MustAbs("/etc/"),
 			Target:      check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 			sourceFinal: check.MustAbs("/etc/"),
 		}, true},
 		{"flags differs", &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 			Flags:  std.BindOptional,
 		}, false},
 		{"source differs", &BindMountOp{
 			Source: check.MustAbs("/.hakurei/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, false},
 		{"target differs", &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/"),
 		}, false},
 		{"equals", &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"invalid", new(BindMountOp), "mounting", "<invalid>"},
 		{"autoetc", &BindMountOp{
 			Source: check.MustAbs("/etc/"),
 			Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
 		}, "mounting", `"/etc/" on "/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659" flags 0x0`},
 		{"hostdev", &BindMountOp{
 			Source: check.MustAbs("/dev/"),
 			Target: check.MustAbs("/dev/"),
 			Flags:  std.BindWritable | std.BindDevice,
 		}, "mounting", `"/dev/" flags 0x6`},
 	})
 }
--- a/container/initdev.go
+++ b/container/initdev.go
@@ -0,0 +1,143 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"path"
 	. "syscall"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 )
 func init() { gob.Register(new(MountDevOp)) }
 // Dev appends an [Op] that mounts a subset of host /dev.
 func (f *Ops) Dev(target *check.Absolute, mqueue bool) *Ops {
 	*f = append(*f, &MountDevOp{target, mqueue, false})
 	return f
 }
 // DevWritable appends an [Op] that mounts a writable subset of host /dev.
 // There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
 func (f *Ops) DevWritable(target *check.Absolute, mqueue bool) *Ops {
 	*f = append(*f, &MountDevOp{target, mqueue, true})
 	return f
 }
 // MountDevOp mounts a subset of host /dev on container path Target.
 // If Mqueue is true, a private instance of [FstypeMqueue] is mounted.
 // If Write is true, the resulting mount point is left writable.
 type MountDevOp struct {
 	Target *check.Absolute
 	Mqueue bool
 	Write  bool
 }
 func (d *MountDevOp) Valid() bool                                { return d != nil && d.Target != nil }
 func (d *MountDevOp) early(*setupState, syscallDispatcher) error { return nil }
 func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	target := toSysroot(d.Target.String())
 	if err := k.mountTmpfs(SourceTmpfsDevtmpfs, target, MS_NOSUID|MS_NODEV, 0, state.ParentPerm); err != nil {
 		return err
 	}
 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
 		targetPath := path.Join(target, name)
 		if err := k.ensureFile(targetPath, 0444, state.ParentPerm); err != nil {
 			return err
 		}
 		if err := k.bindMount(
 			state,
 			toHost(fhs.Dev+name),
 			targetPath,
 			0,
 		); err != nil {
 			return err
 		}
 	}
 	for i, name := range []string{"stdin", "stdout", "stderr"} {
 		if err := k.symlink(
 			fhs.Proc+"self/fd/"+string(rune(i+'0')),
 			path.Join(target, name),
 		); err != nil {
 			return err
 		}
 	}
 	for _, pair := range [][2]string{
 		{fhs.Proc + "self/fd", "fd"},
 		{fhs.Proc + "kcore", "core"},
 		{"pts/ptmx", "ptmx"},
 	} {
 		if err := k.symlink(pair[0], path.Join(target, pair[1])); err != nil {
 			return err
 		}
 	}
 	devShmPath := path.Join(target, "shm")
 	devPtsPath := path.Join(target, "pts")
 	for _, name := range []string{devShmPath, devPtsPath} {
 		if err := k.mkdir(name, state.ParentPerm); err != nil {
 			return err
 		}
 	}
 	if err := k.mount(SourceDevpts, devPtsPath, FstypeDevpts, MS_NOSUID|MS_NOEXEC,
 		"newinstance,ptmxmode=0666,mode=620"); err != nil {
 		return err
 	}
 	if state.RetainSession {
 		if k.isatty(Stdout) {
 			consolePath := path.Join(target, "console")
 			if err := k.ensureFile(consolePath, 0444, state.ParentPerm); err != nil {
 				return err
 			}
 			if name, err := k.readlink(hostProc.stdout()); err != nil {
 				return err
 			} else if err = k.bindMount(
 				state,
 				toHost(name),
 				consolePath,
 				0,
 			); err != nil {
 				return err
 			}
 		}
 	}
 	if d.Mqueue {
 		mqueueTarget := path.Join(target, "mqueue")
 		if err := k.mkdir(mqueueTarget, state.ParentPerm); err != nil {
 			return err
 		}
 		if err := k.mount(SourceMqueue, mqueueTarget, FstypeMqueue, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString); err != nil {
 			return err
 		}
 	}
 	if d.Write {
 		return nil
 	}
 	if err := k.remount(state, target, MS_RDONLY); err != nil {
 		return err
 	}
 	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
 }
 func (d *MountDevOp) Is(op Op) bool {
 	vd, ok := op.(*MountDevOp)
 	return ok && d.Valid() && vd.Valid() &&
 		d.Target.Is(vd.Target) &&
 		d.Mqueue == vd.Mqueue &&
 		d.Write == vd.Write
 }
 func (*MountDevOp) prefix() (string, bool) { return "mounting", true }
 func (d *MountDevOp) String() string {
 	if d.Mqueue {
 		return fmt.Sprintf("dev on %q with mqueue", d.Target)
 	}
 	return fmt.Sprintf("dev on %q", d.Target)
 }
--- a/container/initdev_test.go
+++ b/container/initdev_test.go
@@ -0,0 +1,828 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestMountDevOp(t *testing.T) {
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mountTmpfs", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, stub.UniqueError(27)),
 		}, stub.UniqueError(27)},
 		{"ensureFile null", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(26)),
 		}, stub.UniqueError(26)},
 		{"bindMount null", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, stub.UniqueError(25)),
 		}, stub.UniqueError(25)},
 		{"ensureFile zero", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(24)),
 		}, stub.UniqueError(24)},
 		{"bindMount zero", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, stub.UniqueError(23)),
 		}, stub.UniqueError(23)},
 		{"ensureFile full", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(22)),
 		}, stub.UniqueError(22)},
 		{"bindMount full", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, stub.UniqueError(21)),
 		}, stub.UniqueError(21)},
 		{"ensureFile random", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(20)),
 		}, stub.UniqueError(20)},
 		{"bindMount random", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, stub.UniqueError(19)),
 		}, stub.UniqueError(19)},
 		{"ensureFile urandom", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(18)),
 		}, stub.UniqueError(18)},
 		{"bindMount urandom", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, stub.UniqueError(17)),
 		}, stub.UniqueError(17)},
 		{"ensureFile tty", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(16)),
 		}, stub.UniqueError(16)},
 		{"bindMount tty", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, stub.UniqueError(15)),
 		}, stub.UniqueError(15)},
 		{"symlink stdin", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, stub.UniqueError(14)),
 		}, stub.UniqueError(14)},
 		{"symlink stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, stub.UniqueError(13)),
 		}, stub.UniqueError(13)},
 		{"symlink stderr", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, stub.UniqueError(12)),
 		}, stub.UniqueError(12)},
 		{"symlink fd", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, stub.UniqueError(11)),
 		}, stub.UniqueError(11)},
 		{"symlink kcore", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, stub.UniqueError(10)),
 		}, stub.UniqueError(10)},
 		{"symlink ptmx", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, stub.UniqueError(9)),
 		}, stub.UniqueError(9)},
 		{"mkdir shm", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, stub.UniqueError(8)),
 		}, stub.UniqueError(8)},
 		{"mkdir devpts", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, stub.UniqueError(7)),
 		}, stub.UniqueError(7)},
 		{"mount devpts", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, stub.UniqueError(6)),
 		}, stub.UniqueError(6)},
 		{"ensureFile stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, stub.UniqueError(5)),
 		}, stub.UniqueError(5)},
 		{"readlink stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "", stub.UniqueError(4)),
 		}, stub.UniqueError(4)},
 		{"bindMount stdout", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, stub.UniqueError(3)),
 		}, stub.UniqueError(3)},
 		{"mkdir mqueue", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, stub.UniqueError(2)),
 		}, stub.UniqueError(2)},
 		{"mount mqueue", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"success no session", &Params{ParentPerm: 0755}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 			Write:  true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0755)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0755)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0755)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0755)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0755)}, nil, nil),
 			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
 		}, nil},
 		{"success no tty", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 			Write:  true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, false, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
 		}, nil},
 		{"remount", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
 			call("remount", stub.ExpectArgs{"/sysroot/dev", uintptr(1)}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success no mqueue", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
 			call("remount", stub.ExpectArgs{"/sysroot/dev", uintptr(1)}, nil, nil),
 			call("mountTmpfs", stub.ExpectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil),
 		}, nil},
 		{"success rw", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 			Write:  true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
 		}, nil},
 		{"success", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{"devtmpfs", "/sysroot/dev", uintptr(0x6), 0, os.FileMode(0750)}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/null", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/null", "/sysroot/dev/null", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/zero", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/zero", "/sysroot/dev/zero", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/full", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/full", "/sysroot/dev/full", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/random", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/random", "/sysroot/dev/random", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/urandom", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/urandom", "/sysroot/dev/urandom", uintptr(0), true}, nil, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/tty", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/tty", "/sysroot/dev/tty", uintptr(0), true}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/0", "/sysroot/dev/stdin"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/1", "/sysroot/dev/stdout"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd/2", "/sysroot/dev/stderr"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/self/fd", "/sysroot/dev/fd"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/kcore", "/sysroot/dev/core"}, nil, nil),
 			call("symlink", stub.ExpectArgs{"pts/ptmx", "/sysroot/dev/ptmx"}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/shm", os.FileMode(0750)}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/pts", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"devpts", "/sysroot/dev/pts", "devpts", uintptr(0xa), "newinstance,ptmxmode=0666,mode=620"}, nil, nil),
 			call("isatty", stub.ExpectArgs{1}, true, nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/dev/console", os.FileMode(0444), os.FileMode(0750)}, nil, nil),
 			call("readlink", stub.ExpectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil),
 			call("bindMount", stub.ExpectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil),
 			call("mkdir", stub.ExpectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil),
 			call("mount", stub.ExpectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil),
 			call("remount", stub.ExpectArgs{"/sysroot/dev", uintptr(1)}, nil, nil),
 			call("mountTmpfs", stub.ExpectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*MountDevOp)(nil), false},
 		{"zero", new(MountDevOp), false},
 		{"valid", &MountDevOp{Target: check.MustAbs("/dev/")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"dev", new(Ops).Dev(check.MustAbs("/dev/"), true), Ops{
 			&MountDevOp{
 				Target: check.MustAbs("/dev/"),
 				Mqueue: true,
 			},
 		}},
 		{"dev writable", new(Ops).DevWritable(check.MustAbs("/.hakurei/dev/"), false), Ops{
 			&MountDevOp{
 				Target: check.MustAbs("/.hakurei/dev/"),
 				Write:  true,
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(MountDevOp), new(MountDevOp), false},
 		{"write differs", &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 			Write:  true,
 		}, false},
 		{"mqueue differs", &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 		}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, false},
 		{"target differs", &MountDevOp{
 			Target: check.MustAbs("/"),
 			Mqueue: true,
 		}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, false},
 		{"equals", &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"mqueue", &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 			Mqueue: true,
 		}, "mounting", `dev on "/dev/" with mqueue`},
 		{"dev", &MountDevOp{
 			Target: check.MustAbs("/dev/"),
 		}, "mounting", `dev on "/dev/"`},
 	})
 }
--- a/container/initmkdir.go
+++ b/container/initmkdir.go
@@ -0,0 +1,38 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"os"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(MkdirOp)) }
 // Mkdir appends an [Op] that creates a directory in the container filesystem.
 func (f *Ops) Mkdir(name *check.Absolute, perm os.FileMode) *Ops {
 	*f = append(*f, &MkdirOp{name, perm})
 	return f
 }
 // MkdirOp creates a directory at container Path with permission bits set to Perm.
 type MkdirOp struct {
 	Path *check.Absolute
 	Perm os.FileMode
 }
 func (m *MkdirOp) Valid() bool                                { return m != nil && m.Path != nil }
 func (m *MkdirOp) early(*setupState, syscallDispatcher) error { return nil }
 func (m *MkdirOp) apply(_ *setupState, k syscallDispatcher) error {
 	return k.mkdirAll(toSysroot(m.Path.String()), m.Perm)
 }
 func (m *MkdirOp) Is(op Op) bool {
 	vm, ok := op.(*MkdirOp)
 	return ok && m.Valid() && vm.Valid() &&
 		m.Path.Is(vm.Path) &&
 		m.Perm == vm.Perm
 }
 func (*MkdirOp) prefix() (string, bool) { return "creating", true }
 func (m *MkdirOp) String() string       { return fmt.Sprintf("directory %q perm %s", m.Path, m.Perm) }
--- a/container/initmkdir_test.go
+++ b/container/initmkdir_test.go
@@ -0,0 +1,47 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestMkdirOp(t *testing.T) {
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"success", new(Params), &MkdirOp{
 			Path: check.MustAbs("/.hakurei"),
 			Perm: 0500,
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/.hakurei", os.FileMode(0500)}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*MkdirOp)(nil), false},
 		{"zero", new(MkdirOp), false},
 		{"valid", &MkdirOp{Path: check.MustAbs("/.hakurei")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"etc", new(Ops).Mkdir(check.MustAbs("/etc/"), 0), Ops{
 			&MkdirOp{Path: check.MustAbs("/etc/")},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(MkdirOp), new(MkdirOp), false},
 		{"path differs", &MkdirOp{Path: check.MustAbs("/"), Perm: 0755}, &MkdirOp{Path: check.MustAbs("/etc/"), Perm: 0755}, false},
 		{"perm differs", &MkdirOp{Path: check.MustAbs("/")}, &MkdirOp{Path: check.MustAbs("/"), Perm: 0755}, false},
 		{"equals", &MkdirOp{Path: check.MustAbs("/")}, &MkdirOp{Path: check.MustAbs("/")}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"etc", &MkdirOp{
 			Path: check.MustAbs("/etc/"),
 		}, "creating", `directory "/etc/" perm ----------`},
 	})
 }
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -0,0 +1,218 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"slices"
 	"strings"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 )
 const (
 	// intermediate root file name pattern for [MountOverlayOp.Upper];
 	// remains after apply returns
 	intermediatePatternOverlayUpper = "overlay.upper.*"
 	// intermediate root file name pattern for [MountOverlayOp.Work];
 	// remains after apply returns
 	intermediatePatternOverlayWork = "overlay.work.*"
 )
 func init() { gob.Register(new(MountOverlayOp)) }
 const (
 	// OverlayEphemeralUnexpectedUpper is set when [MountOverlayOp.Work] is nil
 	// and [MountOverlayOp.Upper] holds an unexpected value.
 	OverlayEphemeralUnexpectedUpper = iota
 	// OverlayReadonlyLower is set when [MountOverlayOp.Lower] contains less than
 	// two entries when mounting readonly.
 	OverlayReadonlyLower
 	// OverlayEmptyLower is set when [MountOverlayOp.Lower] has length of zero.
 	OverlayEmptyLower
 )
 // OverlayArgumentError is returned for [MountOverlayOp] supplied with invalid argument.
 type OverlayArgumentError struct {
 	Type  uintptr
 	Value string
 }
 func (e *OverlayArgumentError) Error() string {
 	switch e.Type {
 	case OverlayEphemeralUnexpectedUpper:
 		return fmt.Sprintf("upperdir has unexpected value %q", e.Value)
 	case OverlayReadonlyLower:
 		return "readonly overlay requires at least two lowerdir"
 	case OverlayEmptyLower:
 		return "overlay requires at least one lowerdir"
 	default:
 		return fmt.Sprintf("invalid overlay argument error %#x", e.Type)
 	}
 }
 // Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
 func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Absolute) *Ops {
 	*f = append(*f, &MountOverlayOp{
 		Target: target,
 		Lower:  layers,
 		Upper:  state,
 		Work:   work,
 	})
 	return f
 }
 // OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
 // with an ephemeral upperdir and workdir.
 func (f *Ops) OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, fhs.AbsRoot, nil, layers...)
 }
 // OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
 func (f *Ops) OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, nil, nil, layers...)
 }
 // MountOverlayOp mounts [FstypeOverlay] on container path Target.
 type MountOverlayOp struct {
 	Target *check.Absolute
 	// Any filesystem, does not need to be on a writable filesystem.
 	Lower []*check.Absolute
 	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
 	lower []string
 	// The upperdir is normally on a writable filesystem.
 	//
 	// If Work is nil and Upper holds the special value [fhs.AbsRoot],
 	// an ephemeral upperdir and workdir will be set up.
 	//
 	// If both Work and Upper are nil, upperdir and workdir is omitted and the overlay is mounted readonly.
 	Upper *check.Absolute
 	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
 	upper string
 	// The workdir needs to be an empty directory on the same filesystem as upperdir.
 	Work *check.Absolute
 	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
 	work string
 	ephemeral bool
 	// used internally for mounting to the intermediate root
 	noPrefix bool
 }
 func (o *MountOverlayOp) Valid() bool {
 	if o == nil {
 		return false
 	}
 	if o.Work != nil && o.Upper == nil {
 		return false
 	}
 	if slices.Contains(o.Lower, nil) {
 		return false
 	}
 	return o.Target != nil
 }
 func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 	if o.Work == nil && o.Upper != nil {
 		switch o.Upper.String() {
 		case fhs.Root: // ephemeral
 			o.ephemeral = true // intermediate root not yet available
 		default:
 			return &OverlayArgumentError{OverlayEphemeralUnexpectedUpper, o.Upper.String()}
 		}
 	}
 	// readonly handled in apply
 	if !o.ephemeral {
 		if o.Upper != o.Work && (o.Upper == nil || o.Work == nil) {
 			// unreachable
 			return OpStateError("overlay")
 		}
 		if o.Upper != nil {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
 				o.upper = check.EscapeOverlayDataSegment(toHost(v))
 			}
 		}
 		if o.Work != nil {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
 				o.work = check.EscapeOverlayDataSegment(toHost(v))
 			}
 		}
 	}
 	o.lower = make([]string, len(o.Lower))
 	for i, a := range o.Lower { // nil checked in Valid
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
 			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
 		}
 	}
 	return nil
 }
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
 		target = toSysroot(target)
 	}
 	if err := k.mkdirAll(target, state.ParentPerm); err != nil {
 		return err
 	}
 	if o.ephemeral {
 		var err error
 		// these directories are created internally, therefore early (absolute, symlink, prefix, escape) is bypassed
 		if o.upper, err = k.mkdirTemp(fhs.Root, intermediatePatternOverlayUpper); err != nil {
 			return err
 		}
 		if o.work, err = k.mkdirTemp(fhs.Root, intermediatePatternOverlayWork); err != nil {
 			return err
 		}
 	}
 	options := make([]string, 0, 4)
 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
 			return &OverlayArgumentError{OverlayReadonlyLower, zeroString}
 		}
 		// "upperdir=" and "workdir=" may be omitted. In that case the overlay will be read-only
 	} else {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
 		options = append(options,
 			OptionOverlayUpperdir+"="+o.upper,
 			OptionOverlayWorkdir+"="+o.work)
 	}
 	options = append(options,
 		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
 		OptionOverlayUserxattr)
 	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
 }
 func (o *MountOverlayOp) Is(op Op) bool {
 	vo, ok := op.(*MountOverlayOp)
 	return ok && o.Valid() && vo.Valid() &&
 		o.Target.Is(vo.Target) &&
 		slices.EqualFunc(o.Lower, vo.Lower, func(a, v *check.Absolute) bool { return a.Is(v) }) &&
 		o.Upper.Is(vo.Upper) && o.Work.Is(vo.Work)
 }
 func (*MountOverlayOp) prefix() (string, bool) { return "mounting", true }
 func (o *MountOverlayOp) String() string {
 	return fmt.Sprintf("overlay on %q with %d layers", o.Target, len(o.Lower))
 }
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -0,0 +1,405 @@
 package container
 import (
 	"errors"
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestMountOverlayOp(t *testing.T) {
 	t.Parallel()
 	t.Run("argument error", func(t *testing.T) {
 		t.Parallel()
 		testCases := []struct {
 			name string
 			err  *OverlayArgumentError
 			want string
 		}{
 			{"unexpected upper", &OverlayArgumentError{OverlayEphemeralUnexpectedUpper, "/proc/"},
 				`upperdir has unexpected value "/proc/"`},
 			{"lower ro short", &OverlayArgumentError{OverlayReadonlyLower, zeroString},
 				"readonly overlay requires at least two lowerdir"},
 			{"lower short", &OverlayArgumentError{OverlayEmptyLower, zeroString},
 				"overlay requires at least one lowerdir"},
 			{"oob", &OverlayArgumentError{0xdeadbeef, zeroString},
 				"invalid overlay argument error 0xdeadbeef"},
 		}
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Parallel()
 				if got := tc.err.Error(); got != tc.want {
 					t.Errorf("Error: %q, want %q", got, tc.want)
 				}
 			})
 		}
 	})
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mkdirTemp invalid ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
 			Target: check.MustAbs("/"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
 				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
 			},
 			Upper: check.MustAbs("/proc/"),
 		}, nil, &OverlayArgumentError{OverlayEphemeralUnexpectedUpper, "/proc/"}, nil, nil},
 		{"mkdirTemp upper ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
 			Target: check.MustAbs("/"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
 				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
 			},
 			Upper: check.MustAbs("/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, "/var/lib/planterette/base/debian:f92c9052", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"}, "/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", stub.UniqueError(6)),
 		}, stub.UniqueError(6)},
 		{"mkdirTemp work ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
 			Target: check.MustAbs("/"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
 				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
 			},
 			Upper: check.MustAbs("/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, "/var/lib/planterette/base/debian:f92c9052", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"}, "/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", stub.UniqueError(5)),
 		}, stub.UniqueError(5)},
 		{"success ephemeral", &Params{ParentPerm: 0705}, &MountOverlayOp{
 			Target: check.MustAbs("/"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/var/lib/planterette/base/debian:f92c9052"),
 				check.MustAbs("/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"),
 			},
 			Upper: check.MustAbs("/"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/base/debian:f92c9052"}, "/var/lib/planterette/base/debian:f92c9052", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052"}, "/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
 			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
 				"upperdir=overlay.upper.32768," +
 				"workdir=overlay.work.32768," +
 				"lowerdir=" +
 				`/host/var/lib/planterette/base/debian\:f92c9052:` +
 				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
 				"userxattr"}, nil, nil),
 		}, nil},
 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/mnt-root/nix/.ro-store"),
 			},
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/.ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
 		}, &OverlayArgumentError{OverlayReadonlyLower, zeroString}},
 		{"success ro noPrefix", &Params{ParentPerm: 0755}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/mnt-root/nix/.ro-store"),
 				check.MustAbs("/mnt-root/nix/.ro-store0"),
 			},
 			noPrefix: true,
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/.ro-store", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
 			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
 				"lowerdir=" +
 				"/host/mnt-root/nix/.ro-store:" +
 				"/host/mnt-root/nix/.ro-store0," +
 				"userxattr"}, nil, nil),
 		}, nil},
 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/mnt-root/nix/.ro-store"),
 				check.MustAbs("/mnt-root/nix/.ro-store0"),
 			},
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/.ro-store", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
 			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
 				"lowerdir=" +
 				"/host/mnt-root/nix/.ro-store:" +
 				"/host/mnt-root/nix/.ro-store0," +
 				"userxattr"}, nil, nil),
 		}, nil},
 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
 		}, &OverlayArgumentError{OverlayEmptyLower, zeroString}},
 		{"evalSymlinks upper", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", stub.UniqueError(4)),
 		}, stub.UniqueError(4), nil, nil},
 		{"evalSymlinks work", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", stub.UniqueError(3)),
 		}, stub.UniqueError(3), nil, nil},
 		{"evalSymlinks lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", stub.UniqueError(2)),
 		}, stub.UniqueError(2), nil, nil},
 		{"mkdirAll", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"mount", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
 			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
 			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
 				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
 				"workdir=/host/mnt-root/nix/.rw-store/.work," +
 				"lowerdir=/host/mnt-root/nix/ro-store," +
 				"userxattr"}, nil, nil),
 		}, nil},
 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower: []*check.Absolute{
 				check.MustAbs("/mnt-root/nix/.ro-store"),
 				check.MustAbs("/mnt-root/nix/.ro-store0"),
 				check.MustAbs("/mnt-root/nix/.ro-store1"),
 				check.MustAbs("/mnt-root/nix/.ro-store2"),
 				check.MustAbs("/mnt-root/nix/.ro-store3"),
 			},
 			Upper: check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:  check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, []stub.Call{
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/upper"}, "/mnt-root/nix/.rw-store/.upper", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.rw-store/work"}, "/mnt-root/nix/.rw-store/.work", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/ro-store0", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store1"}, "/mnt-root/nix/ro-store1", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store2"}, "/mnt-root/nix/ro-store2", nil),
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
 			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
 				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
 				"workdir=/host/mnt-root/nix/.rw-store/.work," +
 				"lowerdir=" +
 				"/host/mnt-root/nix/ro-store:" +
 				"/host/mnt-root/nix/ro-store0:" +
 				"/host/mnt-root/nix/ro-store1:" +
 				"/host/mnt-root/nix/ro-store2:" +
 				"/host/mnt-root/nix/ro-store3," +
 				"userxattr"}, nil, nil),
 		}, nil},
 	})
 	t.Run("unreachable", func(t *testing.T) {
 		t.Parallel()
 		t.Run("nil Upper non-nil Work not ephemeral", func(t *testing.T) {
 			t.Parallel()
 			wantErr := OpStateError("overlay")
 			if err := (&MountOverlayOp{
 				Work: check.MustAbs("/"),
 			}).early(nil, nil); !errors.Is(err, wantErr) {
 				t.Errorf("apply: error = %v, want %v", err, wantErr)
 			}
 		})
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*MountOverlayOp)(nil), false},
 		{"zero", new(MountOverlayOp), false},
 		{"nil lower", &MountOverlayOp{Target: check.MustAbs("/"), Lower: []*check.Absolute{nil}}, false},
 		{"ro", &MountOverlayOp{Target: check.MustAbs("/"), Lower: []*check.Absolute{check.MustAbs("/")}}, true},
 		{"ro work", &MountOverlayOp{Target: check.MustAbs("/"), Work: check.MustAbs("/tmp/")}, false},
 		{"rw", &MountOverlayOp{Target: check.MustAbs("/"), Lower: []*check.Absolute{check.MustAbs("/")}, Upper: check.MustAbs("/"), Work: check.MustAbs("/")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"full", new(Ops).Overlay(
 			check.MustAbs("/nix/store"),
 			check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			check.MustAbs("/mnt-root/nix/.rw-store/work"),
 			check.MustAbs("/mnt-root/nix/.ro-store"),
 		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 				Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 				Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 			},
 		}},
 		{"ephemeral", new(Ops).OverlayEphemeral(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 				Upper:  check.MustAbs("/"),
 			},
 		}},
 		{"readonly", new(Ops).OverlayReadonly(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(MountOverlayOp), new(MountOverlayOp), false},
 		{"differs target", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store/differs"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
 		{"differs lower", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store/differs")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
 		{"differs upper", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper/differs"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
 		{"differs work", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work/differs"),
 		}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, false},
 		{"equals ro", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 		}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")}}, true},
 		{"equals", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work")}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"nix", &MountOverlayOp{
 			Target: check.MustAbs("/nix/store"),
 			Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
 			Upper:  check.MustAbs("/mnt-root/nix/.rw-store/upper"),
 			Work:   check.MustAbs("/mnt-root/nix/.rw-store/work"),
 		}, "mounting", `overlay on "/nix/store" with 1 layers`},
 	})
 }
--- a/container/initplace.go
+++ b/container/initplace.go
@@ -0,0 +1,70 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"syscall"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 )
 const (
 	// intermediate root file name pattern for [TmpfileOp]
 	intermediatePatternTmpfile = "tmp.*"
 )
 func init() { gob.Register(new(TmpfileOp)) }
 // Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
 func (f *Ops) Place(name *check.Absolute, data []byte) *Ops {
 	*f = append(*f, &TmpfileOp{name, data})
 	return f
 }
 // TmpfileOp places a file on container Path containing Data.
 type TmpfileOp struct {
 	Path *check.Absolute
 	Data []byte
 }
 func (t *TmpfileOp) Valid() bool                                { return t != nil && t.Path != nil }
 func (t *TmpfileOp) early(*setupState, syscallDispatcher) error { return nil }
 func (t *TmpfileOp) apply(state *setupState, k syscallDispatcher) error {
 	var tmpPath string
 	if f, err := k.createTemp(fhs.Root, intermediatePatternTmpfile); err != nil {
 		return err
 	} else if _, err = f.Write(t.Data); err != nil {
 		return err
 	} else if err = f.Close(); err != nil {
 		return err
 	} else {
 		tmpPath = f.Name()
 	}
 	target := toSysroot(t.Path.String())
 	if err := k.ensureFile(target, 0444, state.ParentPerm); err != nil {
 		return err
 	} else if err = k.bindMount(
 		state,
 		tmpPath,
 		target,
 		syscall.MS_RDONLY|syscall.MS_NODEV,
 	); err != nil {
 		return err
 	} else if err = k.remove(tmpPath); err != nil {
 		return err
 	}
 	return nil
 }
 func (t *TmpfileOp) Is(op Op) bool {
 	vt, ok := op.(*TmpfileOp)
 	return ok && t.Valid() && vt.Valid() &&
 		t.Path.Is(vt.Path) &&
 		string(t.Data) == string(vt.Data)
 }
 func (*TmpfileOp) prefix() (string, bool) { return "placing", true }
 func (t *TmpfileOp) String() string {
 	return fmt.Sprintf("tmpfile %q (%d bytes)", t.Path, len(t.Data))
 }
--- a/container/initplace_test.go
+++ b/container/initplace_test.go
@@ -0,0 +1,125 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestTmpfileOp(t *testing.T) {
 	const sampleDataString = `chronos:x:65534:65534:Hakurei:/var/empty:/bin/zsh`
 	var (
 		samplePath = check.MustAbs("/etc/passwd")
 		sampleData = []byte(sampleDataString)
 	)
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"createTemp", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), stub.UniqueError(5)),
 		}, stub.UniqueError(5)},
 		{"Write", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, writeErrOsFile{stub.UniqueError(4)}, nil),
 		}, stub.UniqueError(4)},
 		{"Close", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, stub.UniqueError(3)), nil),
 		}, stub.UniqueError(3)},
 		{"ensureFile", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(2)),
 		}, stub.UniqueError(2)},
 		{"bindMount", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"remove", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
 			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
 			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
 			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
 			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*TmpfileOp)(nil), false},
 		{"zero", new(TmpfileOp), false},
 		{"valid", &TmpfileOp{Path: samplePath}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"full", new(Ops).Place(samplePath, sampleData), Ops{
 			&TmpfileOp{Path: samplePath, Data: sampleData},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(TmpfileOp), new(TmpfileOp), false},
 		{"differs path", &TmpfileOp{
 			Path: check.MustAbs("/etc/group"),
 			Data: sampleData,
 		}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, false},
 		{"differs data", &TmpfileOp{
 			Path: samplePath,
 			Data: append(sampleData, 0),
 		}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, false},
 		{"equals", &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"passwd", &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, "placing", `tmpfile "/etc/passwd" (49 bytes)`},
 	})
 }
--- a/container/initproc.go
+++ b/container/initproc.go
@@ -0,0 +1,38 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	. "syscall"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(MountProcOp)) }
 // Proc appends an [Op] that mounts a private instance of proc.
 func (f *Ops) Proc(target *check.Absolute) *Ops {
 	*f = append(*f, &MountProcOp{target})
 	return f
 }
 // MountProcOp mounts a new instance of [FstypeProc] on container path Target.
 type MountProcOp struct{ Target *check.Absolute }
 func (p *MountProcOp) Valid() bool                                { return p != nil && p.Target != nil }
 func (p *MountProcOp) early(*setupState, syscallDispatcher) error { return nil }
 func (p *MountProcOp) apply(state *setupState, k syscallDispatcher) error {
 	target := toSysroot(p.Target.String())
 	if err := k.mkdirAll(target, state.ParentPerm); err != nil {
 		return err
 	}
 	return k.mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString)
 }
 func (p *MountProcOp) Is(op Op) bool {
 	vp, ok := op.(*MountProcOp)
 	return ok && p.Valid() && vp.Valid() &&
 		p.Target.Is(vp.Target)
 }
 func (*MountProcOp) prefix() (string, bool) { return "mounting", true }
 func (p *MountProcOp) String() string       { return fmt.Sprintf("proc on %q", p.Target) }
--- a/container/initproc_test.go
+++ b/container/initproc_test.go
@@ -0,0 +1,63 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestMountProcOp(t *testing.T) {
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mkdir", &Params{ParentPerm: 0755},
 			&MountProcOp{
 				Target: check.MustAbs("/proc/"),
 			}, nil, nil, []stub.Call{
 				call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0755)}, nil, stub.UniqueError(0)),
 			}, stub.UniqueError(0)},
 		{"success", &Params{ParentPerm: 0700},
 			&MountProcOp{
 				Target: check.MustAbs("/proc/"),
 			}, nil, nil, []stub.Call{
 				call("mkdirAll", stub.ExpectArgs{"/sysroot/proc", os.FileMode(0700)}, nil, nil),
 				call("mount", stub.ExpectArgs{"proc", "/sysroot/proc", "proc", uintptr(0xe), ""}, nil, nil),
 			}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*MountProcOp)(nil), false},
 		{"zero", new(MountProcOp), false},
 		{"valid", &MountProcOp{Target: check.MustAbs("/proc/")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"proc", new(Ops).Proc(check.MustAbs("/proc/")), Ops{
 			&MountProcOp{Target: check.MustAbs("/proc/")},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(MountProcOp), new(MountProcOp), false},
 		{"target differs", &MountProcOp{
 			Target: check.MustAbs("/proc/nonexistent"),
 		}, &MountProcOp{
 			Target: check.MustAbs("/proc/"),
 		}, false},
 		{"equals", &MountProcOp{
 			Target: check.MustAbs("/proc/"),
 		}, &MountProcOp{
 			Target: check.MustAbs("/proc/"),
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"proc", &MountProcOp{Target: check.MustAbs("/proc/")},
 			"mounting", `proc on "/proc/"`},
 	})
 }
--- a/container/initremount.go
+++ b/container/initremount.go
@@ -0,0 +1,37 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(RemountOp)) }
 // Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
 func (f *Ops) Remount(target *check.Absolute, flags uintptr) *Ops {
 	*f = append(*f, &RemountOp{target, flags})
 	return f
 }
 // RemountOp remounts Target with Flags.
 type RemountOp struct {
 	Target *check.Absolute
 	Flags  uintptr
 }
 func (r *RemountOp) Valid() bool                              { return r != nil && r.Target != nil }
 func (*RemountOp) early(*setupState, syscallDispatcher) error { return nil }
 func (r *RemountOp) apply(state *setupState, k syscallDispatcher) error {
 	return k.remount(state, toSysroot(r.Target.String()), r.Flags)
 }
 func (r *RemountOp) Is(op Op) bool {
 	vr, ok := op.(*RemountOp)
 	return ok && r.Valid() && vr.Valid() &&
 		r.Target.Is(vr.Target) &&
 		r.Flags == vr.Flags
 }
 func (*RemountOp) prefix() (string, bool) { return "remounting", true }
 func (r *RemountOp) String() string       { return fmt.Sprintf("%q flags %#x", r.Target, r.Flags) }
--- a/container/initremount_test.go
+++ b/container/initremount_test.go
@@ -0,0 +1,72 @@
 package container
 import (
 	"syscall"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestRemountOp(t *testing.T) {
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"success", new(Params), &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY,
 		}, nil, nil, []stub.Call{
 			call("remount", stub.ExpectArgs{"/sysroot", uintptr(1)}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*RemountOp)(nil), false},
 		{"zero", new(RemountOp), false},
 		{"valid", &RemountOp{Target: check.MustAbs("/"), Flags: syscall.MS_RDONLY}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"root", new(Ops).Remount(check.MustAbs("/"), syscall.MS_RDONLY), Ops{
 			&RemountOp{
 				Target: check.MustAbs("/"),
 				Flags:  syscall.MS_RDONLY,
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(RemountOp), new(RemountOp), false},
 		{"target differs", &RemountOp{
 			Target: check.MustAbs("/dev/"),
 			Flags:  syscall.MS_RDONLY,
 		}, &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY,
 		}, false},
 		{"flags differs", &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY | syscall.MS_NODEV,
 		}, &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY,
 		}, false},
 		{"equals", &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY,
 		}, &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY,
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"root", &RemountOp{
 			Target: check.MustAbs("/"),
 			Flags:  syscall.MS_RDONLY,
 		}, "remounting", `"/" flags 0x1`},
 	})
 }
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -0,0 +1,63 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"path"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(SymlinkOp)) }
 // Link appends an [Op] that creates a symlink in the container filesystem.
 func (f *Ops) Link(target *check.Absolute, linkName string, dereference bool) *Ops {
 	*f = append(*f, &SymlinkOp{target, linkName, dereference})
 	return f
 }
 // SymlinkOp optionally dereferences LinkName and creates a symlink at container path Target.
 type SymlinkOp struct {
 	Target *check.Absolute
 	// LinkName is an arbitrary uninterpreted pathname.
 	LinkName string
 	// Dereference causes LinkName to be dereferenced during early.
 	Dereference bool
 }
 func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkName != zeroString }
 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
 		if !path.IsAbs(l.LinkName) {
 			return &check.AbsoluteError{Pathname: l.LinkName}
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
 			return err
 		} else {
 			l.LinkName = name
 		}
 	}
 	return nil
 }
 func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
 	target := toSysroot(l.Target.String())
 	if err := k.mkdirAll(path.Dir(target), state.ParentPerm); err != nil {
 		return err
 	}
 	return k.symlink(l.LinkName, target)
 }
 func (l *SymlinkOp) Is(op Op) bool {
 	vl, ok := op.(*SymlinkOp)
 	return ok && l.Valid() && vl.Valid() &&
 		l.Target.Is(vl.Target) &&
 		l.LinkName == vl.LinkName &&
 		l.Dereference == vl.Dereference
 }
 func (*SymlinkOp) prefix() (string, bool) { return "creating", true }
 func (l *SymlinkOp) String() string {
 	return fmt.Sprintf("symlink on %q linkname %q", l.Target, l.LinkName)
 }
--- a/container/initsymlink_test.go
+++ b/container/initsymlink_test.go
@@ -0,0 +1,128 @@
 package container
 import (
 	"os"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestSymlinkOp(t *testing.T) {
 	t.Parallel()
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"mkdir", &Params{ParentPerm: 0700}, &SymlinkOp{
 			Target:   check.MustAbs("/etc/nixos"),
 			LinkName: "/etc/static/nixos",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc", os.FileMode(0700)}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"abs", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "etc/mtab",
 			Dereference: true,
 		}, nil, &check.AbsoluteError{Pathname: "etc/mtab"}, nil, nil},
 		{"readlink", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "/etc/mtab",
 			Dereference: true,
 		}, []stub.Call{
 			call("readlink", stub.ExpectArgs{"/etc/mtab"}, "/proc/mounts", stub.UniqueError(0)),
 		}, stub.UniqueError(0), nil, nil},
 		{"success noderef", &Params{ParentPerm: 0700}, &SymlinkOp{
 			Target:   check.MustAbs("/etc/nixos"),
 			LinkName: "/etc/static/nixos",
 		}, nil, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc", os.FileMode(0700)}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/etc/static/nixos", "/sysroot/etc/nixos"}, nil, nil),
 		}, nil},
 		{"success", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "/etc/mtab",
 			Dereference: true,
 		}, []stub.Call{
 			call("readlink", stub.ExpectArgs{"/etc/mtab"}, "/proc/mounts", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/etc", os.FileMode(0755)}, nil, nil),
 			call("symlink", stub.ExpectArgs{"/proc/mounts", "/sysroot/etc/mtab"}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*SymlinkOp)(nil), false},
 		{"zero", new(SymlinkOp), false},
 		{"nil target", &SymlinkOp{LinkName: "/run/current-system"}, false},
 		{"zero linkname", &SymlinkOp{Target: check.MustAbs("/run/current-system")}, false},
 		{"valid", &SymlinkOp{Target: check.MustAbs("/run/current-system"), LinkName: "/run/current-system", Dereference: true}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"current-system", new(Ops).Link(
 			check.MustAbs("/run/current-system"),
 			"/run/current-system",
 			true,
 		), Ops{
 			&SymlinkOp{
 				Target:      check.MustAbs("/run/current-system"),
 				LinkName:    "/run/current-system",
 				Dereference: true,
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(SymlinkOp), new(SymlinkOp), false},
 		{"target differs", &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system/differs"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, false},
 		{"linkname differs", &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system/differs",
 			Dereference: true,
 		}, &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, false},
 		{"dereference differs", &SymlinkOp{
 			Target:   check.MustAbs("/run/current-system"),
 			LinkName: "/run/current-system",
 		}, &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, false},
 		{"equals", &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"current-system", &SymlinkOp{
 			Target:      check.MustAbs("/run/current-system"),
 			LinkName:    "/run/current-system",
 			Dereference: true,
 		}, "creating", `symlink on "/run/current-system" linkname "/run/current-system"`},
 	})
 }
--- a/container/inittmpfs.go
+++ b/container/inittmpfs.go
@@ -0,0 +1,62 @@
 package container
 import (
 	"encoding/gob"
 	"fmt"
 	"math"
 	"os"
 	"strconv"
 	. "syscall"
 	"hakurei.app/container/check"
 )
 func init() { gob.Register(new(MountTmpfsOp)) }
 type TmpfsSizeError int
 func (e TmpfsSizeError) Error() string {
 	return "tmpfs size " + strconv.Itoa(int(e)) + " out of bounds"
 }
 // Tmpfs appends an [Op] that mounts tmpfs on container path [MountTmpfsOp.Path].
 func (f *Ops) Tmpfs(target *check.Absolute, size int, perm os.FileMode) *Ops {
 	*f = append(*f, &MountTmpfsOp{SourceTmpfsEphemeral, target, MS_NOSUID | MS_NODEV, size, perm})
 	return f
 }
 // Readonly appends an [Op] that mounts read-only tmpfs on container path [MountTmpfsOp.Path].
 func (f *Ops) Readonly(target *check.Absolute, perm os.FileMode) *Ops {
 	*f = append(*f, &MountTmpfsOp{SourceTmpfsReadonly, target, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
 	return f
 }
 // MountTmpfsOp mounts [FstypeTmpfs] on container Path.
 type MountTmpfsOp struct {
 	FSName string
 	Path   *check.Absolute
 	Flags  uintptr
 	Size   int
 	Perm   os.FileMode
 }
 func (t *MountTmpfsOp) Valid() bool                                { return t != nil && t.Path != nil && t.FSName != zeroString }
 func (t *MountTmpfsOp) early(*setupState, syscallDispatcher) error { return nil }
 func (t *MountTmpfsOp) apply(_ *setupState, k syscallDispatcher) error {
 	if t.Size < 0 || t.Size > math.MaxUint>>1 {
 		return TmpfsSizeError(t.Size)
 	}
 	return k.mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
 }
 func (t *MountTmpfsOp) Is(op Op) bool {
 	vt, ok := op.(*MountTmpfsOp)
 	return ok && t.Valid() && vt.Valid() &&
 		t.FSName == vt.FSName &&
 		t.Path.Is(vt.Path) &&
 		t.Flags == vt.Flags &&
 		t.Size == vt.Size &&
 		t.Perm == vt.Perm
 }
 func (*MountTmpfsOp) prefix() (string, bool) { return "mounting", true }
 func (t *MountTmpfsOp) String() string       { return fmt.Sprintf("tmpfs on %q size %d", t.Path, t.Size) }
--- a/container/inittmpfs_test.go
+++ b/container/inittmpfs_test.go
@@ -0,0 +1,178 @@
 package container
 import (
 	"os"
 	"syscall"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 )
 func TestMountTmpfsOp(t *testing.T) {
 	t.Parallel()
 	t.Run("size error", func(t *testing.T) {
 		t.Parallel()
 		tmpfsSizeError := TmpfsSizeError(-1)
 		want := "tmpfs size -1 out of bounds"
 		if got := tmpfsSizeError.Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"size oob", new(Params), &MountTmpfsOp{
 			Size: -1,
 		}, nil, nil, nil, TmpfsSizeError(-1)},
 		{"success", new(Params), &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user/1000/"),
 			Size:   1 << 10,
 			Perm:   0700,
 		}, nil, nil, []stub.Call{
 			call("mountTmpfs", stub.ExpectArgs{
 				"ephemeral",              // fsname
 				"/sysroot/run/user/1000", // target
 				uintptr(0),               // flags
 				0x400,                    // size
 				os.FileMode(0700),        // perm
 			}, nil, nil),
 		}, nil},
 	})
 	checkOpsValid(t, []opValidTestCase{
 		{"nil", (*MountTmpfsOp)(nil), false},
 		{"zero", new(MountTmpfsOp), false},
 		{"nil path", &MountTmpfsOp{FSName: "tmpfs"}, false},
 		{"zero fsname", &MountTmpfsOp{Path: check.MustAbs("/tmp/")}, false},
 		{"valid", &MountTmpfsOp{FSName: "tmpfs", Path: check.MustAbs("/tmp/")}, true},
 	})
 	checkOpsBuilder(t, []opsBuilderTestCase{
 		{"runtime", new(Ops).Tmpfs(
 			check.MustAbs("/run/user"),
 			1<<10,
 			0755,
 		), Ops{
 			&MountTmpfsOp{
 				FSName: "ephemeral",
 				Path:   check.MustAbs("/run/user"),
 				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 				Size:   1 << 10,
 				Perm:   0755,
 			},
 		}},
 		{"nscd", new(Ops).Readonly(
 			check.MustAbs("/var/run/nscd"),
 			0755,
 		), Ops{
 			&MountTmpfsOp{
 				FSName: "readonly",
 				Path:   check.MustAbs("/var/run/nscd"),
 				Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
 				Perm:   0755,
 			},
 		}},
 	})
 	checkOpIs(t, []opIsTestCase{
 		{"zero", new(MountTmpfsOp), new(MountTmpfsOp), false},
 		{"fsname differs", &MountTmpfsOp{
 			FSName: "readonly",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, false},
 		{"path differs", &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user/differs"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, false},
 		{"flags differs", &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, false},
 		{"size differs", &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1,
 			Perm:   0755,
 		}, &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, false},
 		{"perm differs", &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0700,
 		}, &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, false},
 		{"equals", &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, true},
 	})
 	checkOpMeta(t, []opMetaTestCase{
 		{"runtime", &MountTmpfsOp{
 			FSName: "ephemeral",
 			Path:   check.MustAbs("/run/user"),
 			Flags:  syscall.MS_NOSUID | syscall.MS_NODEV,
 			Size:   1 << 10,
 			Perm:   0755,
 		}, "mounting", `tmpfs on "/run/user" size 1024`},
 	})
 }
--- a/Show More
+++ b/Show More