There is one other adjustment for pulseaudio that came up today. If an app is able to hand a file name to pulseaudio (i.e., the app process doesn't have to open it first but instead tells pulseaudio to open and play a file), then pulseaudio should also have apparmor integration for playback in addition to trust-store integration for recording. Fortunately, libapparmor makes this easy: pulseaudio just needs to get the connecting process' apparmor label (profile name) via libapparmor, then make another libapparmor call to ask if a process running under this apparmor label is allowed to access the file that the app process specified.
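
The two-call check described above, as an added C example (not pulseaudio's code and not part of the original comment). `client_may_play`, the function-pointer seam and the stubs are hypothetical names with constructed values; building with `-DUSE_LIBAPPARMOR -lapparmor` supplies wrappers around libapparmor's `aa_getpeercon()` and `aa_query_file_path()` to pass in place of the stubs.

```c
#define _GNU_SOURCE                 /* realpath(), strdup() */
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical seam: the two libapparmor lookups, injectable for testing. */
typedef int (*peer_label_fn)(int fd, char **label);
typedef int (*file_query_fn)(uint32_t mask, const char *label,
                             const char *path, int *allowed);

#ifdef USE_LIBAPPARMOR              /* cc -DUSE_LIBAPPARMOR ... -lapparmor */
#include <sys/apparmor.h>
int aa_peer_label(int fd, char **label) {
    char *mode = NULL;              /* points into *label; not freed on its own */
    return aa_getpeercon(fd, label, &mode);
}
int aa_file_query(uint32_t mask, const char *label, const char *path, int *allowed) {
    int audited = 0;
    return aa_query_file_path(mask, label, path, allowed, &audited);
}
#else
#define AA_MAY_READ (1 << 2)        /* same value as in <sys/apparmor.h> */
#endif

/* Constructed test doubles: one profile that may read only /dev/null. */
int stub_label(int fd, char **label) {
    if (fd < 0) return -1;          /* models a failed peer lookup */
    *label = strdup("constructed_app_profile");
    return *label ? 0 : -1;
}
int stub_query(uint32_t mask, const char *label, const char *path, int *allowed) {
    *allowed = mask == AA_MAY_READ && !strcmp(label, "constructed_app_profile")
               && !strcmp(path, "/dev/null");
    return 0;
}

/* Returns 1 if the client's profile may read the file, leaving the canonical
 * path in resolved[PATH_MAX] for the server to open; 0 on denial or error. */
int client_may_play(int client_fd, const char *requested, char *resolved,
                    peer_label_fn get_label, file_query_fn query) {
    char *label = NULL;
    int allowed = 0;
    if (realpath(requested, resolved) == NULL)      /* query what will be opened */
        return 0;
    if (get_label(client_fd, &label) < 0 || label == NULL)
        return 0;                                   /* no label: fail closed */
    if (query(AA_MAY_READ, label, resolved, &allowed) < 0)
        allowed = 0;                                /* query error: fail closed */
    free(label);
    return allowed != 0;
}
```

The server should open the path left in `resolved`, not the string the client sent, so the file that was checked is the file that is played.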