.clang-format: increase indent width

This significantly increases readability. This patch is pretty big so it is being done after mostly everything has settled.

Signed-off-by: Ophestra <cat@gensokyo.uk>

.clang-format

@@ -0,0 +1,2 @@
+ColumnLimit: 0
+IndentWidth: 4

cmd/hakurei/command.go

@@ -11,21 +11,24 @@ import (
 	"strconv"
 	"sync"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/command"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/message"
-	"hakurei.app/system/dbus"
 )
 
+// optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
+// if it is not nil, or the original value if it is.
+//
 //go:linkname optionalErrorUnwrap hakurei.app/container.optionalErrorUnwrap
-func optionalErrorUnwrap(_ error) error
+func optionalErrorUnwrap(err error) error
 
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
@@ -350,7 +353,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
 	}
 
-	c.Command("version", "Display version information", func(args []string) error { fmt.Println(internal.Version()); return errSuccess })
+	c.Command("version", "Display version information", func(args []string) error { fmt.Println(info.Version()); return errSuccess })
 	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
 	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
 	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })

cmd/hakurei/json_test.go

@@ -1,18 +1,13 @@
-package main_test
+package main
 
 import (
-	"io"
 	"reflect"
 	"strings"
 	"testing"
-	_ "unsafe"
 
 	"hakurei.app/container/stub"
 )
 
-//go:linkname decodeJSON hakurei.app/cmd/hakurei.decodeJSON
-func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any)
-
 func TestDecodeJSON(t *testing.T) {
 	t.Parallel()
 
@@ -62,9 +57,6 @@ func TestDecodeJSON(t *testing.T) {
 	}
 }
 
-//go:linkname encodeJSON hakurei.app/cmd/hakurei.encodeJSON
-func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any)
-
 func TestEncodeJSON(t *testing.T) {
 	t.Parallel()
 
@@ -74,7 +66,7 @@ func TestEncodeJSON(t *testing.T) {
 		want string
 	}{
 		{"marshaler", errorJSONMarshaler{},
-			`cannot encode json for main_test.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
+			`cannot encode json for main.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
 		{"default", func() {},
 			`cannot write json: json: unsupported type: func()`},
 	}

cmd/hakurei/print.go

@@ -12,8 +12,8 @@ import (
 	"time"
 
 	"hakurei.app/hst"
-	"hakurei.app/internal"
 	"hakurei.app/internal/env"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/outcome"
 	"hakurei.app/internal/store"
 	"hakurei.app/message"
@@ -24,20 +24,20 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	info := &hst.Info{Version: internal.Version(), User: new(outcome.Hsu).MustID(nil)}
+	hi := &hst.Info{Version: info.Version(), User: new(outcome.Hsu).MustID(nil)}
-	env.CopyPaths().Copy(&info.Paths, info.User)
+	env.CopyPaths().Copy(&hi.Paths, hi.User)
 
 	if flagJSON {
-		encodeJSON(log.Fatal, output, short, info)
+		encodeJSON(log.Fatal, output, short, hi)
 		return
 	}
 
-	t.Printf("Version:\t%s\n", info.Version)
+	t.Printf("Version:\t%s\n", hi.Version)
-	t.Printf("User:\t%d\n", info.User)
+	t.Printf("User:\t%d\n", hi.User)
-	t.Printf("TempDir:\t%s\n", info.TempDir)
+	t.Printf("TempDir:\t%s\n", hi.TempDir)
-	t.Printf("SharePath:\t%s\n", info.SharePath)
+	t.Printf("SharePath:\t%s\n", hi.SharePath)
-	t.Printf("RuntimePath:\t%s\n", info.RuntimePath)
+	t.Printf("RuntimePath:\t%s\n", hi.RuntimePath)
-	t.Printf("RunDirPath:\t%s\n", info.RunDirPath)
+	t.Printf("RunDirPath:\t%s\n", hi.RunDirPath)
 }
 
 // printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
@@ -90,12 +90,6 @@ func printShowInstance(
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
 	if config.Container != nil {
-		if config.Container.Home != nil {
-			t.Printf(" Home:\t%s\n", config.Container.Home)
-		}
-		if config.Container.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
-		}
 		flags := config.Container.Flags.String()
 
 		// this is included in the upper hst.Config struct but is relevant here
@@ -110,6 +104,12 @@ func printShowInstance(
 		}
 		t.Printf(" Flags:\t%s\n", flags)
 
+		if config.Container.Home != nil {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
+		}
+		if config.Container.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
+		}
 		if config.Container.Path != nil {
 			t.Printf(" Path:\t%s\n", config.Container.Path)
 		}

cmd/hakurei/print_test.go

@@ -64,9 +64,9 @@ func TestPrintShowInstance(t *testing.T) {
  Identity:       9 (org.chromium.Chromium)
  Enablements:    wayland, dbus, pulseaudio
  Groups:         video, dialout, plugdev
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
- Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Path:           /run/current-system/sw/bin/chromium
  Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 
@@ -161,9 +161,9 @@ App
  Identity:       9 (org.chromium.Chromium)
  Enablements:    wayland, dbus, pulseaudio
  Groups:         video, dialout, plugdev
+ Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
  Hostname:       localhost
- Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Path:           /run/current-system/sw/bin/chromium
  Arguments:      chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
 

cmd/hpkg/proc.go

@@ -10,11 +10,11 @@ import (
 	"os/exec"
 
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/info"
 	"hakurei.app/message"
 )
 
-var hakureiPathVal = internal.MustHakureiPath().String()
+var hakureiPathVal = info.MustHakureiPath().String()
 
 func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
 	var (

container/check/absolute.go

@@ -56,7 +56,7 @@ func NewAbs(pathname string) (*Absolute, error) {
 // MustAbs calls [NewAbs] and panics on error.
 func MustAbs(pathname string) *Absolute {
 	if a, err := NewAbs(pathname); err != nil {
-		panic(err.Error())
+		panic(err)
 	} else {
 		return a
 	}

container/check/absolute_test.go

@@ -14,8 +14,10 @@ import (
 	. "hakurei.app/container/check"
 )
 
+// unsafeAbs returns check.Absolute on any string value.
+//
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
-func unsafeAbs(_ string) *Absolute
+func unsafeAbs(pathname string) *Absolute
 
 func TestAbsoluteError(t *testing.T) {
 	t.Parallel()
@@ -82,9 +84,9 @@ func TestNewAbs(t *testing.T) {
 		t.Parallel()
 
 		defer func() {
-			wantPanic := `path "etc" is not absolute`
+			wantPanic := &AbsoluteError{Pathname: "etc"}
 
-			if r := recover(); r != wantPanic {
+			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
 			}
 		}()

container/container_test.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/container/vfs"
@@ -29,6 +30,45 @@ import (
 	"hakurei.app/message"
 )
 
+// Note: this package requires cgo, which is unavailable in the Go playground.
+func Example() {
+	// Must be called early if the current process starts containers.
+	container.TryArgv0(nil)
+
+	// Configure the container.
+	z := container.New(context.Background(), nil)
+	z.Hostname = "hakurei-example"
+	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+
+	// Bind / for demonstration.
+	z.Bind(fhs.AbsRoot, fhs.AbsRoot, 0)
+	if name, err := exec.LookPath("hostname"); err != nil {
+		panic(err)
+	} else {
+		z.Path = check.MustAbs(name)
+	}
+
+	// This completes the first stage of container setup and starts the container init process.
+	// The new process blocks until the Serve method is called.
+	if err := z.Start(); err != nil {
+		panic(err)
+	}
+
+	// This serves the setup payload to the container init process,
+	// starting the second stage of container setup.
+	if err := z.Serve(); err != nil {
+		panic(err)
+	}
+
+	// Must be called if the Start method succeeds.
+	if err := z.Wait(); err != nil {
+		panic(err)
+	}
+
+	// Output: hakurei-example
+}
+
 func TestStartError(t *testing.T) {
 	t.Parallel()
 
@@ -722,12 +762,14 @@ func TestMain(m *testing.M) {
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
+	executable := check.MustAbs(container.MustExecutable(msg))
+
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(check.MustAbs(os.Args[0]), absHelperInnerPath, 0)
+	c.Bind(executable, absHelperInnerPath, 0)
 
 	// in case test has cgo enabled
-	if entries, err := ldd.Exec(ctx, msg, os.Args[0]); err != nil {
+	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)

container/fhs/abs.go

@@ -8,8 +8,10 @@ import (
 
 /* constants in this file bypass abs check, be extremely careful when changing them! */
 
+// unsafeAbs returns check.Absolute on any string value.
+//
 //go:linkname unsafeAbs hakurei.app/container/check.unsafeAbs
-func unsafeAbs(_ string) *check.Absolute
+func unsafeAbs(pathname string) *check.Absolute
 
 var (
 	// AbsRoot is [Root] as [check.Absolute].
@@ -34,6 +36,8 @@ var (
 
 	// AbsDev is [Dev] as [check.Absolute].
 	AbsDev = unsafeAbs(Dev)
+	// AbsDevShm is [DevShm] as [check.Absolute].
+	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
 	// AbsSys is [Sys] as [check.Absolute].

container/fhs/fhs.go

@@ -29,6 +29,8 @@ const (
 
 	// Dev points to the root directory for device nodes.
 	Dev = "/dev/"
+	// DevShm is the place for POSIX shared memory segments, as created via shm_open(3).
+	DevShm = "/dev/shm/"
 	// Proc points to a virtual kernel file system exposing the process list and other functionality.
 	Proc = "/proc/"
 	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.

container/seccomp/libseccomp-helper.c

@@ -9,136 +9,130 @@
 
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
 
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
+int32_t hakurei_scmp_make_filter(
-                                 uint32_t arch, uint32_t multiarch,
+    int *ret_p, uintptr_t allocate_p,
-                                 struct hakurei_syscall_rule *rules,
+    uint32_t arch, uint32_t multiarch,
-                                 size_t rules_sz, hakurei_export_flag flags) {
+    struct hakurei_syscall_rule *rules,
-  int i;
+    size_t rules_sz, hakurei_export_flag flags) {
-  int last_allowed_family;
+    int i;
-  int disallowed;
+    int last_allowed_family;
-  struct hakurei_syscall_rule *rule;
+    int disallowed;
-  void *buf;
+    struct hakurei_syscall_rule *rule;
-  size_t len = 0;
+    void *buf;
+    size_t len = 0;
 
-  int32_t res = 0; /* refer to resPrefix for message */
+    int32_t res = 0; /* refer to resPrefix for message */
 
-  /* Blocklist all but unix, inet, inet6 and netlink */
+    /* Blocklist all but unix, inet, inet6 and netlink */
-  struct {
+    struct {
-    int family;
+        int family;
-    hakurei_export_flag flags_mask;
+        hakurei_export_flag flags_mask;
-  } socket_family_allowlist[] = {
+    } socket_family_allowlist[] = {
-      /* NOTE: Keep in numerical order */
+        /* NOTE: Keep in numerical order */
-      {AF_UNSPEC, 0},
+        {AF_UNSPEC, 0},
-      {AF_LOCAL, 0},
+        {AF_LOCAL, 0},
-      {AF_INET, 0},
+        {AF_INET, 0},
-      {AF_INET6, 0},
+        {AF_INET6, 0},
-      {AF_NETLINK, 0},
+        {AF_NETLINK, 0},
-      {AF_CAN, HAKUREI_EXPORT_CAN},
+        {AF_CAN, HAKUREI_EXPORT_CAN},
-      {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
+        {AF_BLUETOOTH, HAKUREI_EXPORT_BLUETOOTH},
-  };
+    };
 
-  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
-  if (ctx == NULL) {
+    if (ctx == NULL) {
-    res = 1;
+        res = 1;
-    goto out;
-  } else
-    errno = 0;
-
-  /* We only really need to handle arches on multiarch systems.
-   * If only one arch is supported the default is fine */
-  if (arch != 0) {
-    /* This *adds* the target arch, instead of replacing the
-     * native one. This is not ideal, because we'd like to only
-     * allow the target arch, but we can't really disallow the
-     * native arch at this point, because then bubblewrap
-     * couldn't continue running. */
-    *ret_p = seccomp_arch_add(ctx, arch);
-    if (*ret_p < 0 && *ret_p != -EEXIST) {
-      res = 2;
-      goto out;
-    }
-
-    if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
-      *ret_p = seccomp_arch_add(ctx, multiarch);
-      if (*ret_p < 0 && *ret_p != -EEXIST) {
-        res = 3;
         goto out;
-      }
+    } else
-    }
+        errno = 0;
-  }
 
-  for (i = 0; i < rules_sz; i++) {
+    /* We only really need to handle arches on multiarch systems.
-    rule = &rules[i];
+     * If only one arch is supported the default is fine */
-    assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
+    if (arch != 0) {
+        /* This *adds* the target arch, instead of replacing the
+         * native one. This is not ideal, because we'd like to only
+         * allow the target arch, but we can't really disallow the
+         * native arch at this point, because then bubblewrap
+         * couldn't continue running. */
+        *ret_p = seccomp_arch_add(ctx, arch);
+        if (*ret_p < 0 && *ret_p != -EEXIST) {
+            res = 2;
+            goto out;
+        }
 
-    if (rule->arg)
+        if (flags & HAKUREI_EXPORT_MULTIARCH && multiarch != 0) {
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
+            *ret_p = seccomp_arch_add(ctx, multiarch);
-                                rule->syscall, 1, *rule->arg);
+            if (*ret_p < 0 && *ret_p != -EEXIST) {
-    else
+                res = 3;
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
+                goto out;
-                                rule->syscall, 0);
+            }
-
+        }
-    if (*ret_p == -EFAULT) {
-      res = 4;
-      goto out;
-    } else if (*ret_p < 0) {
-      res = 5;
-      goto out;
-    }
-  }
-
-  /* Socket filtering doesn't work on e.g. i386, so ignore failures here
-   * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
-   * something else: https://github.com/seccomp/libseccomp/issues/8 */
-  last_allowed_family = -1;
-  for (i = 0; i < LEN(socket_family_allowlist); i++) {
-    if (socket_family_allowlist[i].flags_mask != 0 &&
-        (socket_family_allowlist[i].flags_mask & flags) !=
-            socket_family_allowlist[i].flags_mask)
-      continue;
-
-    for (disallowed = last_allowed_family + 1;
-         disallowed < socket_family_allowlist[i].family; disallowed++) {
-      /* Blocklist the in-between valid families */
-      seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT),
-                             SCMP_SYS(socket), 1,
-                             SCMP_A0(SCMP_CMP_EQ, disallowed));
-    }
-    last_allowed_family = socket_family_allowlist[i].family;
-  }
-  /* Blocklist the rest */
-  seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-                         SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
-
-  if (allocate_p == 0) {
-    *ret_p = seccomp_load(ctx);
-    if (*ret_p != 0) {
-      res = 7;
-      goto out;
-    }
-  } else {
-    *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
-    if (*ret_p != 0) {
-      res = 6;
-      goto out;
     }
 
-    buf = hakurei_scmp_allocate(allocate_p, len);
+    for (i = 0; i < rules_sz; i++) {
-    if (buf == NULL) {
+        rule = &rules[i];
-      res = 4;
+        assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
-      goto out;
+
+        if (rule->arg)
+            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 1, *rule->arg);
+        else
+            *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 0);
+
+        if (*ret_p == -EFAULT) {
+            res = 4;
+            goto out;
+        } else if (*ret_p < 0) {
+            res = 5;
+            goto out;
+        }
     }
 
-    *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
+    /* Socket filtering doesn't work on e.g. i386, so ignore failures here
-    if (*ret_p != 0) {
+     * However, we need to user seccomp_rule_add_exact to avoid libseccomp doing
-      res = 6;
+     * something else: https://github.com/seccomp/libseccomp/issues/8 */
-      goto out;
+    last_allowed_family = -1;
+    for (i = 0; i < LEN(socket_family_allowlist); i++) {
+        if (socket_family_allowlist[i].flags_mask != 0 &&
+            (socket_family_allowlist[i].flags_mask & flags) != socket_family_allowlist[i].flags_mask)
+            continue;
+
+        for (disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) {
+            /* Blocklist the in-between valid families */
+            seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed));
+        }
+        last_allowed_family = socket_family_allowlist[i].family;
+    }
+    /* Blocklist the rest */
+    seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
+
+    if (allocate_p == 0) {
+        *ret_p = seccomp_load(ctx);
+        if (*ret_p != 0) {
+            res = 7;
+            goto out;
+        }
+    } else {
+        *ret_p = seccomp_export_bpf_mem(ctx, NULL, &len);
+        if (*ret_p != 0) {
+            res = 6;
+            goto out;
+        }
+
+        buf = hakurei_scmp_allocate(allocate_p, len);
+        if (buf == NULL) {
+            res = 4;
+            goto out;
+        }
+
+        *ret_p = seccomp_export_bpf_mem(ctx, buf, &len);
+        if (*ret_p != 0) {
+            res = 6;
+            goto out;
+        }
     }
-  }
 
 out:
-  if (ctx)
+    if (ctx)
-    seccomp_release(ctx);
+        seccomp_release(ctx);
 
-  return res;
+    return res;
 }

container/seccomp/libseccomp-helper.h

@@ -1,25 +1,26 @@
 #include <seccomp.h>
 #include <stdint.h>
 
-#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) ||     \
+#if (SCMP_VER_MAJOR < 2) || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5) || \
     (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR == 5 && SCMP_VER_MICRO < 1)
 #error This package requires libseccomp >= v2.5.1
 #endif
 
 typedef enum {
-  HAKUREI_EXPORT_MULTIARCH = 1 << 0,
+    HAKUREI_EXPORT_MULTIARCH = 1 << 0,
-  HAKUREI_EXPORT_CAN = 1 << 1,
+    HAKUREI_EXPORT_CAN = 1 << 1,
-  HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
+    HAKUREI_EXPORT_BLUETOOTH = 1 << 2,
 } hakurei_export_flag;
 
 struct hakurei_syscall_rule {
-  int syscall;
+    int syscall;
-  int m_errno;
+    int m_errno;
-  struct scmp_arg_cmp *arg;
+    struct scmp_arg_cmp *arg;
 };
 
 extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
+int32_t hakurei_scmp_make_filter(
-                                 uint32_t arch, uint32_t multiarch,
+    int *ret_p, uintptr_t allocate_p,
-                                 struct hakurei_syscall_rule *rules,
+    uint32_t arch, uint32_t multiarch,
-                                 size_t rules_sz, hakurei_export_flag flags);
+    struct hakurei_syscall_rule *rules,
+    size_t rules_sz, hakurei_export_flag flags);

container/stub/exit_test.go

@@ -7,8 +7,10 @@ import (
 	"hakurei.app/container/stub"
 )
 
+// Made available here to check panic recovery behaviour.
+//
 //go:linkname handleExitNew hakurei.app/container/stub.handleExitNew
-func handleExitNew(_ testing.TB)
+func handleExitNew(t testing.TB)
 
 // overrideTFailNow overrides the Fail and FailNow method.
 type overrideTFailNow struct {

dist/release.sh

@@ -10,9 +10,9 @@ cp -rv "dist/comp" "${out}"
 
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
-  -X hakurei.app/internal.buildVersion=${VERSION}
+  -X hakurei.app/internal/info.buildVersion=${VERSION}
-  -X hakurei.app/internal.hakureiPath=/usr/bin/hakurei
+  -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
-  -X hakurei.app/internal.hsuPath=/usr/bin/hsu
+  -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
   -X main.hakureiPath=/usr/bin/hakurei" ./...
 
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"

flake.nix

@@ -114,7 +114,7 @@
             inherit (pkgs)
               # passthru.buildInputs
               go
-              gcc
+              clang
 
               # nativeBuildInputs
               pkg-config
@@ -129,6 +129,10 @@
               zstd
               gnutar
               coreutils
+
+              # for check
+              util-linux
+              nettools
               ;
           };
           hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };
@@ -144,7 +148,7 @@
                 && chmod -R +w .
 
             export HAKUREI_VERSION="v${hakurei.version}"
-            ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
+            CC="clang -O3 -Werror" ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
           '';
         }
       );

helper/deprecated.go

@@ -0,0 +1,73 @@
+// Package helper exposes the internal/helper package.
+//
+// Deprecated: This package will be removed in 0.4.
+package helper
+
+import (
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"time"
+	_ "unsafe" // for go:linkname
+
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/helper"
+	"hakurei.app/message"
+)
+
+//go:linkname WaitDelay hakurei.app/internal/helper.WaitDelay
+var WaitDelay time.Duration
+
+const (
+	// HakureiHelper is set to 1 when args fd is enabled and 0 otherwise.
+	HakureiHelper = helper.HakureiHelper
+	// HakureiStatus is set to 1 when stat fd is enabled and 0 otherwise.
+	HakureiStatus = helper.HakureiStatus
+)
+
+type Helper = helper.Helper
+
+// NewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+//
+//go:linkname NewCheckedArgs hakurei.app/internal/helper.NewCheckedArgs
+func NewCheckedArgs(args ...string) (wt io.WriterTo, err error)
+
+// MustNewCheckedArgs returns a checked null-terminated argument writer for a copy of args.
+// If s contains a NUL byte this function panics instead of returning an error.
+//
+//go:linkname MustNewCheckedArgs hakurei.app/internal/helper.MustNewCheckedArgs
+func MustNewCheckedArgs(args ...string) io.WriterTo
+
+// NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.
+// Function argF returns an array of arguments passed directly to the child process.
+//
+//go:linkname NewDirect hakurei.app/internal/helper.NewDirect
+func NewDirect(
+	ctx context.Context,
+	name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	cmdF func(cmd *exec.Cmd),
+	extraFiles []*os.File,
+) Helper
+
+// New initialises a Helper instance with wt as the null-terminated argument writer.
+//
+//go:linkname New hakurei.app/internal/helper.New
+func New(
+	ctx context.Context,
+	msg message.Msg,
+	pathname *check.Absolute, name string,
+	wt io.WriterTo,
+	stat bool,
+	argF func(argsFd, statFd int) []string,
+	cmdF func(z *container.Container),
+	extraFiles []*os.File,
+) Helper
+
+// InternalHelperStub is an internal function but exported because it is cross-package;
+// it is part of the implementation of the helper stub.
+func InternalHelperStub() { helper.InternalHelperStub() }

helper/proc/deprecated.go

@@ -0,0 +1,63 @@
+// Deprecated: This package will be removed in 0.4.
+package proc
+
+import (
+	"context"
+	"io"
+	"os"
+	"os/exec"
+	"time"
+	_ "unsafe" // for go:linkname
+
+	"hakurei.app/internal/helper/proc"
+)
+
+//go:linkname FulfillmentTimeout hakurei.app/internal/helper/proc.FulfillmentTimeout
+var FulfillmentTimeout time.Duration
+
+// A File is an extra file with deferred initialisation.
+type File = proc.File
+
+// ExtraFilesPre is a linked list storing addresses of [os.File].
+type ExtraFilesPre = proc.ExtraFilesPre
+
+// Fulfill calls the [File.Fulfill] method on all files, starts cmd and blocks until all fulfillment completes.
+//
+//go:linkname Fulfill hakurei.app/internal/helper/proc.Fulfill
+func Fulfill(ctx context.Context,
+	v *[]*os.File, start func() error,
+	files []File, extraFiles *ExtraFilesPre,
+) (err error)
+
+// InitFile initialises f as part of the slice extraFiles points to,
+// and returns its final fd value.
+//
+//go:linkname InitFile hakurei.app/internal/helper/proc.InitFile
+func InitFile(f File, extraFiles *ExtraFilesPre) (fd uintptr)
+
+// BaseFile implements the Init method of the File interface and provides indirect access to extra file state.
+type BaseFile = proc.BaseFile
+
+//go:linkname ExtraFile hakurei.app/internal/helper/proc.ExtraFile
+func ExtraFile(cmd *exec.Cmd, f *os.File) (fd uintptr)
+
+//go:linkname ExtraFileSlice hakurei.app/internal/helper/proc.ExtraFileSlice
+func ExtraFileSlice(extraFiles *[]*os.File, f *os.File) (fd uintptr)
+
+// NewWriterTo returns a [File] that receives content from wt on fulfillment.
+//
+//go:linkname NewWriterTo hakurei.app/internal/helper/proc.NewWriterTo
+func NewWriterTo(wt io.WriterTo) File
+
+// NewStat returns a [File] implementing the behaviour
+// of the receiving end of xdg-dbus-proxy stat fd.
+//
+//go:linkname NewStat hakurei.app/internal/helper/proc.NewStat
+func NewStat(s *io.Closer) File
+
+var (
+	//go:linkname ErrStatFault hakurei.app/internal/helper/proc.ErrStatFault
+	ErrStatFault error
+	//go:linkname ErrStatRead hakurei.app/internal/helper/proc.ErrStatRead
+	ErrStatRead error
+)

hst/instance_test.go

@@ -6,11 +6,13 @@ import (
 	"reflect"
 	"testing"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/hst"
 )
 
+// Made available here to check time encoding behaviour of [hst.ID].
+//
 //go:linkname newInstanceID hakurei.app/hst.newInstanceID
 func newInstanceID(id *hst.ID, p uint64) error
 

internal/acl/acl_test.go

@@ -13,7 +13,7 @@ import (
 	"strconv"
 	"testing"
 
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 const testFileName = "acl.test"

internal/acl/libacl-helper.c

@@ -0,0 +1,90 @@
+#include "libacl-helper.h"
+#include <acl/libacl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/acl.h>
+
+int hakurei_acl_update_file_by_uid(const char *path_p, uid_t uid,
+                                   acl_perm_t *perms, size_t plen) {
+    int ret;
+    bool v;
+    int i;
+    acl_t acl;
+    acl_entry_t entry;
+    acl_tag_t tag_type;
+    void *qualifier_p;
+    acl_permset_t permset;
+
+    ret = -1; /* acl_get_file */
+    acl = acl_get_file(path_p, ACL_TYPE_ACCESS);
+    if (acl == NULL)
+        goto out;
+
+    /* prune entries by uid */
+    for (i = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry); i == 1;
+         i = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
+        ret = -2; /* acl_get_tag_type */
+        if (acl_get_tag_type(entry, &tag_type) != 0)
+            goto out;
+        if (tag_type != ACL_USER)
+            continue;
+
+        ret = -3; /* acl_get_qualifier */
+        qualifier_p = acl_get_qualifier(entry);
+        if (qualifier_p == NULL)
+            goto out;
+        v = *(uid_t *)qualifier_p == uid;
+        acl_free(qualifier_p);
+
+        if (!v)
+            continue;
+
+        ret = -4; /* acl_delete_entry */
+        if (acl_delete_entry(acl, entry) != 0)
+            goto out;
+    }
+
+    if (plen == 0)
+        goto set;
+
+    ret = -5; /* acl_create_entry */
+    if (acl_create_entry(&acl, &entry) != 0)
+        goto out;
+
+    ret = -6; /* acl_get_permset */
+    if (acl_get_permset(entry, &permset) != 0)
+        goto out;
+
+    ret = -7; /* acl_add_perm */
+    for (i = 0; i < plen; i++) {
+        if (acl_add_perm(permset, perms[i]) != 0)
+            goto out;
+    }
+
+    ret = -8; /* acl_set_tag_type */
+    if (acl_set_tag_type(entry, ACL_USER) != 0)
+        goto out;
+
+    ret = -9; /* acl_set_qualifier */
+    if (acl_set_qualifier(entry, (void *)&uid) != 0)
+        goto out;
+
+set:
+    ret = -10; /* acl_calc_mask */
+    if (acl_calc_mask(&acl) != 0)
+        goto out;
+
+    ret = -11; /* acl_valid */
+    if (acl_valid(acl) != 0)
+        goto out;
+
+    ret = -12; /* acl_set_file */
+    if (acl_set_file(path_p, ACL_TYPE_ACCESS, acl) == 0)
+        ret = 0;
+
+out:
+    free((void *)path_p);
+    if (acl != NULL)
+        acl_free((void *)acl);
+    return ret;
+}

internal/acl/perms_test.go

@@ -3,7 +3,7 @@ package acl_test
 import (
 	"testing"
 
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestPerms(t *testing.T) {

internal/dbus/address_test.go

@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"
 
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func TestParse(t *testing.T) {

internal/dbus/config_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 
 	"hakurei.app/hst"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func TestConfigArgs(t *testing.T) {

internal/dbus/dbus_test.go

@@ -11,9 +11,9 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/helper"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/helper"
 	"hakurei.app/message"
-	"hakurei.app/system/dbus"
 )
 
 func TestFinalise(t *testing.T) {

internal/dbus/proc.go

@@ -12,7 +12,7 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 	"hakurei.app/ldd"
 )
 
@@ -54,7 +54,7 @@ func (p *Proxy) Start() error {
 		}
 
 		var libPaths []*check.Absolute
-		if entries, err := ldd.Exec(ctx, p.msg, toolPath.String()); err != nil {
+		if entries, err := ldd.Resolve(ctx, p.msg, toolPath); err != nil {
 			return err
 		} else {
 			libPaths = ldd.Path(entries)

internal/dbus/proc_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 func TestMain(m *testing.M) { container.TryArgv0(nil); helper.InternalHelperStub(); os.Exit(m.Run()) }

internal/dbus/proxy.go

@@ -6,8 +6,8 @@ import (
 	"sync"
 	"syscall"
 
-	"hakurei.app/helper"
 	"hakurei.app/hst"
+	"hakurei.app/internal/helper"
 	"hakurei.app/message"
 )
 

internal/helper/args_test.go

@@ -7,7 +7,7 @@ import (
 	"syscall"
 	"testing"
 
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 func TestArgsString(t *testing.T) {

internal/helper/cmd.go

@@ -10,7 +10,7 @@ import (
 	"sync"
 	"syscall"
 
-	"hakurei.app/helper/proc"
+	"hakurei.app/internal/helper/proc"
 )
 
 // NewDirect initialises a new direct Helper instance with wt as the null-terminated argument writer.

internal/helper/cmd_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 func TestCmd(t *testing.T) {

internal/helper/container.go

@@ -11,7 +11,7 @@ import (
 
 	"hakurei.app/container"
 	"hakurei.app/container/check"
-	"hakurei.app/helper/proc"
+	"hakurei.app/internal/helper/proc"
 	"hakurei.app/message"
 )
 

internal/helper/container_test.go

@@ -9,7 +9,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 func TestContainer(t *testing.T) {

internal/helper/helper.go

@@ -8,7 +8,7 @@ import (
 	"os"
 	"time"
 
-	"hakurei.app/helper/proc"
+	"hakurei.app/internal/helper/proc"
 )
 
 var WaitDelay = 2 * time.Second

internal/helper/helper_test.go

@@ -13,7 +13,7 @@ import (
 	"testing"
 	"time"
 
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 var (

internal/helper/stub_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"hakurei.app/container"
-	"hakurei.app/helper"
+	"hakurei.app/internal/helper"
 )
 
 func TestMain(m *testing.M) { container.TryArgv0(nil); helper.InternalHelperStub(); os.Exit(m.Run()) }

internal/info/path.go

@@ -1,4 +1,4 @@
-package internal
+package info
 
 import (
 	"log"

internal/info/path_test.go

@@ -1,4 +1,4 @@
-package internal
+package info
 
 import (
 	"reflect"

internal/info/version.go

@@ -1,4 +1,4 @@
-package internal
+package info
 
 // FallbackVersion is returned when a version string was not set by the linker.
 const FallbackVersion = "dirty"

internal/outcome/dispatcher.go

@@ -14,9 +14,9 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/internal"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/info"
 	"hakurei.app/message"
-	"hakurei.app/system/dbus"
 )
 
 // osFile represents [os.File].
@@ -156,7 +156,7 @@ func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) erro
 	return seccomp.Load(rules, flags)
 }
 
-func (direct) mustHsuPath() *check.Absolute { return internal.MustHsuPath() }
+func (direct) mustHsuPath() *check.Absolute { return info.MustHsuPath() }
 
 func (direct) dbusAddress() (session, system string) { return dbus.Address() }
 

internal/outcome/dispatcher_test.go

@@ -24,8 +24,8 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/system"
 	"hakurei.app/message"
-	"hakurei.app/system"
 )
 
 // call initialises a [stub.Call].

internal/outcome/finalise.go

@@ -8,8 +8,8 @@ import (
 	"os/user"
 
 	"hakurei.app/hst"
+	"hakurei.app/internal/system"
 	"hakurei.app/message"
-	"hakurei.app/system"
 )
 
 func newWithMessage(msg string) error { return newWithMessageError(msg, os.ErrInvalid) }

internal/outcome/outcome.go

@@ -9,10 +9,10 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/env"
+	"hakurei.app/internal/system"
 	"hakurei.app/message"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
 )
 
 // envAllocSize is the initial size of the env map pre-allocated when the configured env map is nil.

internal/outcome/process.go

@@ -16,10 +16,10 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/store"
+	"hakurei.app/internal/system"
 	"hakurei.app/message"
-	"hakurei.app/system"
 )
 
 const (
@@ -39,7 +39,7 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 	}
 
 	// read comp value early for early failure
-	hsuPath := internal.MustHsuPath()
+	hsuPath := info.MustHsuPath()
 
 	const (
 		// transitions to processCommit, or processFinal on failure

internal/outcome/run.go

@@ -12,6 +12,8 @@ import (
 
 // IsPollDescriptor reports whether fd is the descriptor being used by the poller.
 //
+// Made available here to determine and reject impossible fd.
+//
 //go:linkname IsPollDescriptor internal/poll.IsPollDescriptor
 func IsPollDescriptor(fd uintptr) bool
 

internal/outcome/run_test.go

@@ -21,10 +21,10 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/system"
 	"hakurei.app/message"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
-	"hakurei.app/system/dbus"
 )
 
 func TestOutcomeMain(t *testing.T) {
@@ -141,7 +141,7 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(fhs.AbsProc).
 				Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 				Bind(fhs.AbsDev, fhs.AbsDev, std.BindWritable|std.BindDevice).
-				Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777).
+				Tmpfs(fhs.AbsDevShm, 0, 01777).
 
 				// spRuntimeOp
 				Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
@@ -243,7 +243,7 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
-				Tmpfs(m("/dev/shm"), 0, 01777).
+				Tmpfs(m("/dev/shm/"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), std.BindWritable).
@@ -412,7 +412,7 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
-				Tmpfs(m("/dev/shm"), 0, 01777).
+				Tmpfs(m("/dev/shm/"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), std.BindWritable).
@@ -558,7 +558,7 @@ func TestOutcomeMain(t *testing.T) {
 				Proc(m("/proc/")).
 				Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
 				DevWritable(m("/dev/"), true).
-				Tmpfs(m("/dev/shm"), 0, 01777).
+				Tmpfs(m("/dev/shm/"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), std.BindWritable).
 				Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), std.BindWritable).

internal/outcome/shim-signal.c

@@ -10,53 +10,53 @@ static int hakurei_shim_fd = -1;
 
 /* see shim.go for handling of the message */
 static inline ssize_t hakurei_shim_write(hakurei_shim_msg msg) {
-  int savedErrno = errno;
+    int savedErrno = errno;
-  unsigned char buf = (unsigned char)msg;
+    unsigned char buf = (unsigned char)msg;
-  ssize_t ret = write(hakurei_shim_fd, &buf, 1);
+    ssize_t ret = write(hakurei_shim_fd, &buf, 1);
-  if (ret == -1 && errno != EAGAIN)
+    if (ret == -1 && errno != EAGAIN)
-    exit(EXIT_FAILURE);
+        exit(EXIT_FAILURE);
-  errno = savedErrno;
+    errno = savedErrno;
-  return ret;
+    return ret;
 }
 
 static void hakurei_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
-  if (sig != SIGCONT || si == NULL) {
+    if (sig != SIGCONT || si == NULL) {
-    hakurei_shim_write(HAKUREI_SHIM_INVALID);
+        hakurei_shim_write(HAKUREI_SHIM_INVALID);
-    return;
+        return;
-  }
+    }
 
-  if (si->si_pid == hakurei_shim_param_ppid) {
+    if (si->si_pid == hakurei_shim_param_ppid) {
-    hakurei_shim_write(HAKUREI_SHIM_EXIT_REQUESTED);
+        hakurei_shim_write(HAKUREI_SHIM_EXIT_REQUESTED);
-    return;
+        return;
-  }
+    }
 
-  hakurei_shim_write(HAKUREI_SHIM_BAD_PID);
+    hakurei_shim_write(HAKUREI_SHIM_BAD_PID);
 
-  if (getppid() != hakurei_shim_param_ppid)
+    if (getppid() != hakurei_shim_param_ppid)
-    hakurei_shim_write(HAKUREI_SHIM_ORPHAN);
+        hakurei_shim_write(HAKUREI_SHIM_ORPHAN);
 }
 
 void hakurei_shim_setup_cont_signal(pid_t ppid, int fd) {
-  if (hakurei_shim_param_ppid != -1 || hakurei_shim_fd != -1)
+    if (hakurei_shim_param_ppid != -1 || hakurei_shim_fd != -1)
-    *(int *)NULL = 0; /* unreachable */
+        *(volatile int *)NULL = 0; /* unreachable */
 
-  struct sigaction new_action = {0}, old_action = {0};
+    struct sigaction new_action = {0}, old_action = {0};
-  if (sigaction(SIGCONT, NULL, &old_action) != 0)
+    if (sigaction(SIGCONT, NULL, &old_action) != 0)
-    return;
+        return;
-  if (old_action.sa_handler != SIG_DFL) {
+    if (old_action.sa_handler != SIG_DFL) {
-    errno = ENOTRECOVERABLE;
+        errno = ENOTRECOVERABLE;
-    return;
+        return;
-  }
+    }
 
-  new_action.sa_sigaction = hakurei_shim_sigaction;
+    new_action.sa_sigaction = hakurei_shim_sigaction;
-  if (sigemptyset(&new_action.sa_mask) != 0)
+    if (sigemptyset(&new_action.sa_mask) != 0)
-    return;
+        return;
-  new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
+    new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
 
-  if (sigaction(SIGCONT, &new_action, NULL) != 0)
+    if (sigaction(SIGCONT, &new_action, NULL) != 0)
-    return;
+        return;
 
-  errno = 0;
+    errno = 0;
-  hakurei_shim_param_ppid = ppid;
+    hakurei_shim_param_ppid = ppid;
-  hakurei_shim_fd = fd;
+    hakurei_shim_fd = fd;
 }

internal/outcome/shim-signal.h

@@ -2,10 +2,10 @@
 
 /* see shim.go for documentation */
 typedef enum {
-  HAKUREI_SHIM_EXIT_REQUESTED,
+    HAKUREI_SHIM_EXIT_REQUESTED,
-  HAKUREI_SHIM_ORPHAN,
+    HAKUREI_SHIM_ORPHAN,
-  HAKUREI_SHIM_INVALID,
+    HAKUREI_SHIM_INVALID,
-  HAKUREI_SHIM_BAD_PID,
+    HAKUREI_SHIM_BAD_PID,
 } hakurei_shim_msg;
 
 void hakurei_shim_setup_cont_signal(pid_t ppid, int fd);

internal/outcome/shim_test.go

@@ -66,7 +66,7 @@ func TestShimEntrypoint(t *testing.T) {
 			Proc(fhs.AbsProc).
 			Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 			Bind(fhs.AbsDev, fhs.AbsDev, std.BindWritable|std.BindDevice).
-			Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777).
+			Tmpfs(fhs.AbsDevShm, 0, 01777).
 
 			// spRuntimeOp
 			Tmpfs(fhs.AbsRunUser, 1<<12, 0755).

internal/outcome/spcontainer.go

@@ -16,11 +16,11 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/system"
 	"hakurei.app/internal/validate"
 	"hakurei.app/message"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
-	"hakurei.app/system/dbus"
 )
 
 const varRunNscd = fhs.Var + "run/nscd"
@@ -116,7 +116,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
 		state.params.Bind(fhs.AbsDev, fhs.AbsDev, std.BindWritable|std.BindDevice)
 	}
 	// /dev is mounted readonly later on, this prevents /dev/shm from going readonly with it
-	state.params.Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777)
+	state.params.Tmpfs(fhs.AbsDevShm, 0, 01777)
 
 	return nil
 }

internal/outcome/spcontainer_test.go

@@ -14,9 +14,9 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/dbus"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/system"
 )
 
 func TestSpParamsOp(t *testing.T) {
@@ -72,7 +72,7 @@ func TestSpParamsOp(t *testing.T) {
 				Root(m("/var/lib/hakurei/base/org.debian"), std.BindWritable).
 				Proc(fhs.AbsProc).Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 				DevWritable(fhs.AbsDev, true).
-				Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777),
+				Tmpfs(fhs.AbsDevShm, 0, 01777),
 		}, paramsWantEnv(config, map[string]string{
 			"TERM": "xterm",
 		}, func(t *testing.T, state *outcomeStateParams) {
@@ -110,7 +110,7 @@ func TestSpParamsOp(t *testing.T) {
 				Root(m("/var/lib/hakurei/base/org.debian"), std.BindWritable).
 				Proc(fhs.AbsProc).Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755).
 				Bind(fhs.AbsDev, fhs.AbsDev, std.BindWritable|std.BindDevice).
-				Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777),
+				Tmpfs(fhs.AbsDevShm, 0, 01777),
 		}, paramsWantEnv(config, map[string]string{
 			"TERM": "xterm",
 		}, func(t *testing.T, state *outcomeStateParams) {

internal/outcome/spdbus.go

@@ -5,8 +5,8 @@ import (
 
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func init() { gob.Register(new(spDBusOp)) }

internal/outcome/spdbus_test.go

@@ -6,12 +6,12 @@ import (
 
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
-	"hakurei.app/helper"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/helper"
+	"hakurei.app/internal/system"
 	"hakurei.app/message"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
-	"hakurei.app/system/dbus"
 )
 
 func TestSpDBusOp(t *testing.T) {

internal/outcome/sppulse_test.go

@@ -11,8 +11,8 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/system"
 )
 
 func TestSpPulseOp(t *testing.T) {

internal/outcome/spruntime.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/system"
 )
 
 const (

internal/outcome/spruntime_test.go

@@ -8,8 +8,8 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/system"
 )
 
 func TestSpRuntimeOp(t *testing.T) {

internal/outcome/sptmpdir.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/system"
 )
 
 func init() { gob.Register(spTmpdirOp{}) }

internal/outcome/sptmpdir_test.go

@@ -8,8 +8,8 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/system"
 )
 
 func TestSpTmpdirOp(t *testing.T) {

internal/outcome/spwayland.go

@@ -5,8 +5,8 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/wayland"
+	"hakurei.app/internal/wayland"
 )
 
 func init() { gob.Register(new(spWaylandOp)) }
@@ -25,8 +25,8 @@ func (s *spWaylandOp) toSystem(state *outcomeStateSys) error {
 
 	// outer wayland socket (usually `/run/user/%d/wayland-%d`)
 	var socketPath *check.Absolute
-	if name, ok := state.k.lookupEnv(wayland.WaylandDisplay); !ok {
+	if name, ok := state.k.lookupEnv(wayland.Display); !ok {
-		state.msg.Verbose(wayland.WaylandDisplay + " is not set, assuming " + wayland.FallbackName)
+		state.msg.Verbose(wayland.Display + " is not set, assuming " + wayland.FallbackName)
 		socketPath = state.sc.RuntimePath.Append(wayland.FallbackName)
 	} else if a, err := check.NewAbs(name); err != nil {
 		socketPath = state.sc.RuntimePath.Append(name)
@@ -53,7 +53,7 @@ func (s *spWaylandOp) toSystem(state *outcomeStateSys) error {
 
 func (s *spWaylandOp) toContainer(state *outcomeStateParams) error {
 	innerPath := state.runtimeDir.Append(wayland.FallbackName)
-	state.env[wayland.WaylandDisplay] = wayland.FallbackName
+	state.env[wayland.Display] = wayland.FallbackName
 	if s.SocketPath == nil {
 		state.params.Bind(state.instancePath().Append("wayland"), innerPath, 0)
 	} else {

internal/outcome/spwayland_test.go

@@ -6,9 +6,9 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/system"
-	"hakurei.app/system/wayland"
+	"hakurei.app/internal/wayland"
 )
 
 func TestSpWaylandOp(t *testing.T) {
@@ -47,7 +47,7 @@ func TestSpWaylandOp(t *testing.T) {
 			Ops: new(container.Ops).
 				Bind(m(wantInstancePrefix+"/wayland"), m("/run/user/1000/wayland-0"), 0),
 		}, paramsWantEnv(config, map[string]string{
-			wayland.WaylandDisplay: wayland.FallbackName,
+			wayland.Display: wayland.FallbackName,
 		}, nil), nil},
 
 		{"success direct", func(isShim, _ bool) outcomeOp {
@@ -75,7 +75,7 @@ func TestSpWaylandOp(t *testing.T) {
 			Ops: new(container.Ops).
 				Bind(m("/proc/nonexistent/wayland"), m("/run/user/1000/wayland-0"), 0),
 		}, paramsWantEnv(config, map[string]string{
-			wayland.WaylandDisplay: wayland.FallbackName,
+			wayland.Display: wayland.FallbackName,
 		}, nil), nil},
 
 		{"success", func(bool, bool) outcomeOp {
@@ -98,7 +98,7 @@ func TestSpWaylandOp(t *testing.T) {
 			Ops: new(container.Ops).
 				Bind(m(wantInstancePrefix+"/wayland"), m("/run/user/1000/wayland-0"), 0),
 		}, paramsWantEnv(config, map[string]string{
-			wayland.WaylandDisplay: wayland.FallbackName,
+			wayland.Display: wayland.FallbackName,
 		}, nil), nil},
 	})
 }

internal/outcome/spx11.go

@@ -11,7 +11,7 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 var absX11SocketDir = fhs.AbsTmp.Append(".X11-unix")

internal/outcome/spx11_test.go

@@ -7,7 +7,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestSpX11Op(t *testing.T) {

internal/store/data_test.go

@@ -27,7 +27,7 @@ func TestEntryData(t *testing.T) {
 			return buf.String()
 		}
 	}
-	templateStateGob := mustEncodeGob(newTemplateState())
+	templateStateGob := mustEncodeGob(NewTemplateState())
 
 	testCases := []struct {
 		name string
@@ -45,11 +45,11 @@ func TestEntryData(t *testing.T) {
 			Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
 
-		{"inconsistent enablement", "\x00\xff\xca\xfe\x00\x00\xff\x00" + templateStateGob, newTemplateState(), &hst.AppError{
+		{"inconsistent enablement", "\x00\xff\xca\xfe\x00\x00\xff\x00" + templateStateGob, NewTemplateState(), &hst.AppError{
 			Step: "validate state enablement", Err: os.ErrInvalid,
 			Msg: "state entry aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa has unexpected enablement byte 0xd, 0xff"}},
 
-		{"template", "\x00\xff\xca\xfe\x00\x00\x0d\xf2" + templateStateGob, newTemplateState(), nil},
+		{"template", "\x00\xff\xca\xfe\x00\x00\x0d\xf2" + templateStateGob, NewTemplateState(), nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -105,7 +105,7 @@ func TestEntryData(t *testing.T) {
 
 	t.Run("encode fault", func(t *testing.T) {
 		t.Parallel()
-		s := newTemplateState()
+		s := NewTemplateState()
 
 		t.Run("gob", func(t *testing.T) {
 			var want = &hst.AppError{Step: "encode state body", Err: stub.UniqueError(0xcafe)}
@@ -123,8 +123,8 @@ func TestEntryData(t *testing.T) {
 	})
 }
 
-// newTemplateState returns the address of a new template [hst.State] struct.
+// NewTemplateState returns the address of a new template [hst.State] struct.
-func newTemplateState() *hst.State {
+func NewTemplateState() *hst.State {
 	return &hst.State{
 		ID:      hst.ID(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))),
 		PID:     0xcafe,

internal/store/segment_test.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 	"syscall"
 	"testing"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
@@ -18,18 +18,23 @@ import (
 	"hakurei.app/internal/store"
 )
 
-//go:linkname newTemplateState hakurei.app/internal/store.newTemplateState
+// Made available here for direct validation of state entry files.
-func newTemplateState() *hst.State
+//
-
 //go:linkname entryDecode hakurei.app/internal/store.entryDecode
 func entryDecode(r io.Reader, p *hst.State) (hst.Enablement, error)
 
+// Made available here for direct access to known segment handles.
+//
 //go:linkname newHandle hakurei.app/internal/store.newHandle
 func newHandle(base *check.Absolute, identity int) *store.Handle
 
+// Made available here to check open error handling behaviour.
+//
 //go:linkname open hakurei.app/internal/store.(*EntryHandle).open
 func open(eh *store.EntryHandle, flag int, perm os.FileMode) (*os.File, error)
 
+// Made available here to check the saveload cycle.
+//
 //go:linkname save hakurei.app/internal/store.(*EntryHandle).save
 func save(eh *store.EntryHandle, state *hst.State) error
 
@@ -91,9 +96,9 @@ func TestStateEntryHandle(t *testing.T) {
 	t.Run("saveload", func(t *testing.T) {
 		t.Parallel()
 		eh := store.EntryHandle{Pathname: check.MustAbs(t.TempDir()).Append("entry"),
-			ID: newTemplateState().ID}
+			ID: store.NewTemplateState().ID}
 
-		if err := save(&eh, newTemplateState()); err != nil {
+		if err := save(&eh, store.NewTemplateState()); err != nil {
 			t.Fatalf("save: error = %v", err)
 		}
 
@@ -112,7 +117,7 @@ func TestStateEntryHandle(t *testing.T) {
 					t.Fatal(f.Close())
 				}
 
-				if want := newTemplateState(); !reflect.DeepEqual(&got, want) {
+				if want := store.NewTemplateState(); !reflect.DeepEqual(&got, want) {
 					t.Errorf("entryDecode: %#v, want %#v", &got, want)
 				}
 			})
@@ -122,7 +127,7 @@ func TestStateEntryHandle(t *testing.T) {
 
 				if et, err := eh.Load(nil); err != nil {
 					t.Fatalf("load: error = %v", err)
-				} else if want := newTemplateState().Enablements.Unwrap(); et != want {
+				} else if want := store.NewTemplateState().Enablements.Unwrap(); et != want {
 					t.Errorf("load: et = %x, want %x", et, want)
 				}
 			})
@@ -133,7 +138,7 @@ func TestStateEntryHandle(t *testing.T) {
 				var got hst.State
 				if _, err := eh.Load(&got); err != nil {
 					t.Fatalf("load: error = %v", err)
-				} else if want := newTemplateState(); !reflect.DeepEqual(&got, want) {
+				} else if want := store.NewTemplateState(); !reflect.DeepEqual(&got, want) {
 					t.Errorf("load: %#v, want %#v", &got, want)
 				}
 			})

internal/store/store_test.go

@@ -12,13 +12,15 @@ import (
 	"syscall"
 	"testing"
 	"time"
-	_ "unsafe"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
 	"hakurei.app/internal/store"
 )
 
+// Made available here to check bigLock error handling behaviour.
+//
 //go:linkname bigLock hakurei.app/internal/store.(*Store).bigLock
 func bigLock(s *store.Store) (unlock func(), err error)
 

internal/system/acl.go

@@ -8,7 +8,7 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 // UpdatePerm calls UpdatePermType with the [Process] criteria.

internal/system/acl_test.go

@@ -7,7 +7,7 @@ import (
 
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestACLUpdateOp(t *testing.T) {

internal/system/dbus.go

@@ -13,7 +13,7 @@ import (
 
 	"hakurei.app/container"
 	"hakurei.app/hst"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 // ErrDBusConfig is returned when a required [hst.BusConfig] argument is nil.

internal/system/dbus_test.go

@@ -10,9 +10,9 @@ import (
 	"testing"
 
 	"hakurei.app/container/stub"
-	"hakurei.app/helper"
 	"hakurei.app/hst"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/helper"
 )
 
 func TestDBusProxyOp(t *testing.T) {

internal/system/dispatcher.go

@@ -6,10 +6,12 @@ import (
 	"log"
 	"os"
 
+	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
-	"hakurei.app/system/internal/xcb"
+	"hakurei.app/internal/wayland"
+	"hakurei.app/internal/xcb"
 )
 
 type osFile interface {
@@ -45,6 +47,8 @@ type syscallDispatcher interface {
 	// aclUpdate provides [acl.Update].
 	aclUpdate(name string, uid int, perms ...acl.Perm) error
 
+	waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error)
+
 	// xcbChangeHosts provides [xcb.ChangeHosts].
 	xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error
 
@@ -76,6 +80,10 @@ func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 	return acl.Update(name, uid, perms...)
 }
 
+func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
+	return wayland.New(displayPath, bindPath, appID, instanceID)
+}
+
 func (k direct) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	return xcb.ChangeHosts(mode, family, address)
 }

internal/system/dispatcher_test.go

@@ -8,11 +8,13 @@ import (
 	"testing"
 	"unsafe"
 
+	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
-	"hakurei.app/system/internal/xcb"
+	"hakurei.app/internal/wayland"
+	"hakurei.app/internal/xcb"
 )
 
 // call initialises a [stub.Call].
@@ -268,6 +270,15 @@ func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 		stub.CheckArgReflect(k.Stub, "perms", perms, 2))
 }
 
+func (k *kstub) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
+	k.Helper()
+	return nil, k.Expects("waylandNew").Error(
+		stub.CheckArgReflect(k.Stub, "displayPath", displayPath, 0),
+		stub.CheckArgReflect(k.Stub, "bindPath", bindPath, 1),
+		stub.CheckArg(k.Stub, "appID", appID, 2),
+		stub.CheckArg(k.Stub, "instanceID", instanceID, 3))
+}
+
 func (k *kstub) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	k.Helper()
 	return k.Expects("xcbChangeHosts").Error(

internal/system/output.go

@@ -40,6 +40,10 @@ func (e *OpError) Error() string {
 }
 
 func (e *OpError) Message() string {
+	if m, ok := message.GetMessage(e.Err); ok {
+		return m
+	}
+
 	switch {
 	case e.Msg != "":
 		return e.Error()

internal/system/system.go

@@ -44,7 +44,7 @@ type Op interface {
 	String() string
 }
 
-// TypeString extends [Enablement.String] to support [User] and [Process].
+// TypeString extends [hst.Enablement.String] to support [User] and [Process].
 func TypeString(e hst.Enablement) string {
 	switch e {
 	case User:

internal/system/system_test.go

@@ -11,8 +11,8 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/xcb"
 	"hakurei.app/message"
-	"hakurei.app/system/internal/xcb"
 )
 
 func TestCriteria(t *testing.T) {

internal/system/wayland.go

@@ -0,0 +1,81 @@
+package system
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"hakurei.app/container/check"
+	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/wayland"
+)
+
+// Wayland maintains a wayland socket with security-context-v1 attached via [wayland].
+// The socket stops accepting connections once the pipe referred to by sync is closed.
+// The socket is pathname only and is destroyed on revert.
+func (sys *I) Wayland(dst, src *check.Absolute, appID, instanceID string) *I {
+	sys.ops = append(sys.ops, &waylandOp{nil,
+		dst, src, appID, instanceID})
+	return sys
+}
+
+// waylandOp implements [I.Wayland].
+type waylandOp struct {
+	ctx               *wayland.SecurityContext
+	dst, src          *check.Absolute
+	appID, instanceID string
+}
+
+func (w *waylandOp) Type() hst.Enablement { return Process }
+
+func (w *waylandOp) apply(sys *I) (err error) {
+	if w.ctx, err = sys.waylandNew(w.src, w.dst, w.appID, w.instanceID); err != nil {
+		return newOpError("wayland", err, false)
+	} else {
+		sys.msg.Verbosef("wayland pathname socket on %q via %q", w.dst, w.src)
+
+		if err = sys.chmod(w.dst.String(), 0); err != nil {
+			if closeErr := w.ctx.Close(); closeErr != nil {
+				return newOpError("wayland", errors.Join(err, closeErr), false)
+			}
+			return newOpError("wayland", err, false)
+		}
+
+		if err = sys.aclUpdate(w.dst.String(), sys.uid, acl.Read, acl.Write, acl.Execute); err != nil {
+			if closeErr := w.ctx.Close(); closeErr != nil {
+				return newOpError("wayland", errors.Join(err, closeErr), false)
+			}
+			return newOpError("wayland", err, false)
+		}
+
+		return nil
+	}
+}
+
+func (w *waylandOp) revert(sys *I, _ *Criteria) error {
+	var (
+		hangupErr error
+		removeErr error
+	)
+
+	sys.msg.Verbosef("hanging up wayland socket on %q", w.dst)
+	if w.ctx != nil {
+		hangupErr = w.ctx.Close()
+	}
+	if err := sys.remove(w.dst.String()); err != nil && !errors.Is(err, os.ErrNotExist) {
+		removeErr = err
+	}
+
+	return newOpError("wayland", errors.Join(hangupErr, removeErr), true)
+}
+
+func (w *waylandOp) Is(o Op) bool {
+	target, ok := o.(*waylandOp)
+	return ok && w != nil && target != nil &&
+		w.dst.Is(target.dst) && w.src.Is(target.src) &&
+		w.appID == target.appID && w.instanceID == target.instanceID
+}
+
+func (w *waylandOp) Path() string   { return w.dst.String() }
+func (w *waylandOp) String() string { return fmt.Sprintf("wayland socket at %q", w.dst) }

internal/system/wayland_test.go

@@ -0,0 +1,157 @@
+package system
+
+import (
+	"errors"
+	"os"
+	"testing"
+
+	"hakurei.app/container/stub"
+	"hakurei.app/internal/acl"
+)
+
+func TestWaylandOp(t *testing.T) {
+	t.Parallel()
+
+	checkOpBehaviour(t, []opBehaviourTestCase{
+		{"chmod", 0xbeef, 0xff, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, []stub.Call{
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, stub.UniqueError(3)),
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(3), os.ErrInvalid)}, nil, nil},
+
+		{"aclUpdate", 0xbeef, 0xff, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, []stub.Call{
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)),
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(2), os.ErrInvalid)}, nil, nil},
+
+		{"remove", 0xbeef, 0xff, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, []stub.Call{
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+		}, nil, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
+			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, stub.UniqueError(1)),
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(1)), Revert: true}},
+
+		{"success", 0xbeef, 0xff, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, []stub.Call{
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
+			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
+			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
+		}, nil, []stub.Call{
+			call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
+			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
+		}, nil},
+	})
+
+	checkOpsBuilder(t, "Wayland", []opsBuilderTestCase{
+		{"chromium", 0xcafe, func(_ *testing.T, sys *I) {
+			sys.Wayland(
+				m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+				m("/run/user/1971/wayland-0"),
+				"org.chromium.Chromium",
+				"ebf083d1b175911782d413369b64ce7c",
+			)
+		}, []Op{&waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}}, stub.Expect{}},
+	})
+
+	checkOpIs(t, []opIsTestCase{
+		{"dst differs", &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, false},
+
+		{"src differs", &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-1"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, false},
+
+		{"appID differs", &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, false},
+
+		{"instanceID differs", &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7d",
+		}, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, false},
+
+		{"equals", &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, true},
+	})
+
+	checkOpMeta(t, []opMetaTestCase{
+		{"chromium", &waylandOp{nil,
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
+			m("/run/user/1971/wayland-0"),
+			"org.chromium.Chromium",
+			"ebf083d1b175911782d413369b64ce7c",
+		}, Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			`wayland socket at "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"`},
+	})
+}