From 89160f68e883296c352ab3e5957fd52d40b12c05 Mon Sep 17 00:00:00 2001 From: Colin Date: Wed, 28 Jun 2023 10:30:57 +0000 Subject: [PATCH] mention systemd-run in app containerization todo --- TODO.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/TODO.md b/TODO.md index 5efb4701..107ecfca 100644 --- a/TODO.md +++ b/TODO.md @@ -34,6 +34,9 @@ - have `sane.programs` be wrapped such that they run in a cgroup? - at least, only give them access to the portion of the fs they *need*. - Android takes approach of giving each app its own user: could hack that in here. + - **systemd-run** takes a command and runs it in a temporary scope (cgroup) + - presumably uses the same options as systemd services + - see e.g. - flatpak does this, somehow - apparmor? SElinux? (desktop) "portals"? - see Spectrum OS; Alyssa Ross; etc
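Review bot: The added `- see e.g.` bullet ends without a target, so the reference it was meant to carry never reaches TODO.md; add the link or drop the bullet. In the `**systemd-run**` bullet above it, "temporary scope (cgroup)" is only accurate when `--scope` is passed, since by default systemd-run creates a transient service unit. That distinction matters for the "presumably uses the same options as systemd services" bullet. Service-style sandboxing properties set with `-p`, including the filesystem restrictions that the neighbouring "only give them access to the portion of the fs they *need*" item is after, apply to transient services, while scope units accept only resource-control settings. Suggest rewording to "runs it in a transient service (or a scope, with `--scope`)" and replacing "presumably" with a note on which mode supports the sandboxing options.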