colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

mention systemd-run in app containerization todo

Browse Source
This commit is contained in:
Colin
2023-06-28 10:30:57 +00:00
parent c19a0af6d7
commit 89160f68e8
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
TODO.md
View File

@@ -34,6 +34,9 @@
- have `sane.programs` be wrapped such that they run in a cgroup? - have `sane.programs` be wrapped such that they run in a cgroup?
- at least, only give them access to the portion of the fs they *need*. - at least, only give them access to the portion of the fs they *need*.
- Android takes approach of giving each app its own user: could hack that in here. - Android takes approach of giving each app its own user: could hack that in here.
- **systemd-run** takes a command and runs it in a temporary scope (cgroup)
- presumably uses the same options as systemd services
- see e.g. <https://github.com/NixOS/nixpkgs/issues/113903#issuecomment-857296349>
- flatpak does this, somehow - flatpak does this, somehow
- apparmor? SElinux? (desktop) "portals"? - apparmor? SElinux? (desktop) "portals"?
- see Spectrum OS; Alyssa Ross; etc - see Spectrum OS; Alyssa Ross; etc