--- a/mklive.sh
+++ b/mklive.sh
@@ -386,13 +387,16 @@ EOF
 
     modprobe -q loop || :
 
-    # Create EFI vfat image.
-    truncate -s 32M "$GRUB_DIR"/efiboot.img >/dev/null 2>&1
-    mkfs.vfat -F12 -S 512 -n "grub_uefi" "$GRUB_DIR/efiboot.img" >/dev/null 2>&1
+    # Create EFI vfat image — use mtools so the build does not depend on
+    # losetup (avoids CAP_SYS_ADMIN on init userns / works inside containers).
+    truncate -s 64M "$GRUB_DIR"/efiboot.img >/dev/null 2>&1
+    mformat -i "$GRUB_DIR/efiboot.img" -F -v "grub_uefi" ::
 
     GRUB_EFI_TMPDIR="$(mktemp --tmpdir="$BUILDDIR" -dt grub-efi.XXXXX)"
-    LOOP_DEVICE="$(losetup --show --find "${GRUB_DIR}"/efiboot.img)"
-    mount -o rw,flush -t vfat "${LOOP_DEVICE}" "${GRUB_EFI_TMPDIR}" >/dev/null 2>&1
+    LOOP_DEVICE="$(losetup --show --find "${GRUB_DIR}"/efiboot.img 2>/dev/null)" || LOOP_DEVICE=""
+    if [ -n "$LOOP_DEVICE" ]; then
+        mount -o rw,flush -t vfat "${LOOP_DEVICE}" "${GRUB_EFI_TMPDIR}" >/dev/null 2>&1
+    fi
 
 	build_grub_image() {
 		local GRUB_ARCH="$1" EFI_ARCH="$2"
@@ -402,8 +406,7 @@ EOF
 			 --output="/tmp/boot${EFI_ARCH,,}.efi" \
 			 "boot/grub/grub.cfg"
 		if [ $? -ne 0 ]; then
-			umount "$GRUB_EFI_TMPDIR"
-			losetup --detach "${LOOP_DEVICE}"
+			[ -n "$LOOP_DEVICE" ] && { umount "$GRUB_EFI_TMPDIR"; losetup --detach "${LOOP_DEVICE}"; }
 			die "Failed to generate EFI loader"
 		fi
 		mkdir -p "${GRUB_EFI_TMPDIR}"/EFI/BOOT
@@ -426,8 +429,17 @@ EOF
 			build_grub_image arm64 aa64
             ;;
     esac
-    umount "$GRUB_EFI_TMPDIR"
-    losetup --detach "${LOOP_DEVICE}"
+    if [ -n "$LOOP_DEVICE" ]; then
+        umount "$GRUB_EFI_TMPDIR"
+        losetup --detach "${LOOP_DEVICE}"
+    else
+        (cd "$GRUB_EFI_TMPDIR" && find . -type d | while read -r d; do
+            mmd -i "$GRUB_DIR/efiboot.img" "::${d#.}" 2>/dev/null || true
+        done)
+        (cd "$GRUB_EFI_TMPDIR" && find . -type f | while read -r f; do
+            mcopy -i "$GRUB_DIR/efiboot.img" "$f" "::${f#.}"
+        done)
+    fi
     rm -rf "$GRUB_EFI_TMPDIR"
 }
 
@@ -442,7 +454,7 @@ generate_squashfs() {
     mkdir -p "$BUILDDIR/tmp-rootfs"
     mkfs.ext3 -F -m1 "$BUILDDIR/tmp/LiveOS/ext3fs.img" >/dev/null 2>&1
     mount -o loop "$BUILDDIR/tmp/LiveOS/ext3fs.img" "$BUILDDIR/tmp-rootfs"
-    cp -a "$ROOTFS"/* "$BUILDDIR"/tmp-rootfs/
+    cp -a --one-file-system "$ROOTFS"/* "$BUILDDIR"/tmp-rootfs/
     umount -f "$BUILDDIR/tmp-rootfs"
     mkdir -p "$IMAGEDIR/LiveOS"