Write ENTRIES to FILE-OR-PORT. When FILE-OR-PORT is a file name, write to it atomically and set the appropriate permissions.

Create directory DIRECTORY and all its ancestors.

Additionally, verify no component of DIRECTORY is a symbolic link, without TOCTTOU races. However, if OWNER differs from the the current (process) uid/gid, there is a small window in which DIRECTORY is set to the current (process) uid/gid instead of OWNER. This is not expected to be a problem in practice.

The permission bits and owner of DIRECTORY are set to BITS and OWNER. Anything above DIRECTORY that already exists keeps its old owner and bits. For components that do not exist yet, the owner and bits are set according to the default behaviour of 'mkdir'.

Install the files listed in SPECIAL-FILES. Each element of SPECIAL-FILES is a pair where the first element is the name of the special file and the second element is the name it should appear at, such as:

(("/bin/sh" "/gnu/store/…-bash/bin/sh") ("/usr/bin/env" "/gnu/store/…-coreutils/bin/env"))

Make sure USERS (a list of user account records) and GROUPS (a list of user group records) are all available.

Tell the kernel to look for device firmware under DIRECTORY. This mechanism bypasses udev: it allows Linux to handle firmware loading directly by itself, without having to resort to a "user helper".

Make sure SUBUIDS (a list of subid range records) and SUBGIDS (a list of subid range records) are all available.

Tell the kernel to use MODPROBE to load modules.

Allow users to PTRACE_ATTACH their own processes.

This works around a regression introduced in the default "security" policy found in Linux 3.4 onward that prevents users from attaching to their own processes--see Yama.txt in the Linux source tree for the rationale. This sounds like an unacceptable restriction for little or no security improvement.

Turn PROGRAMS, a list of file privileged-programs records, into privileged copies stored under %PRIVILEGED-PROGRAM-DIRECTORY, using LIBCAP's setcap(8) binary if needed.

Install ETC, a directory in the store, as the source of static files for /etc.

Create and populate the home directory of USERS, a list of tuples, unless they already exist.

Atomically make SYSTEM the current system.

Install in ESP directory the given GRUB-EFI bootloader. Configure it to load the Grub bootloader located in the 'Guix_image' root partition.

If TARGETS is set, use its car as the GRUB image format and its cdr as the output filename. Otherwise, use defaults for the host platform.

Write SIZE bytes from FILE to DEVICE starting at OFFSET.