requested to merge sergio-costas/wireplumber:DT-795-update-pipewire-to-enforce-snaps-audio-record-permissions into master
This patch adds to wireplumber code to manage the Snap audio permissions.
SNAP containers have two main "audio" rules:
Also, old SNAP containers had the "pulseaudio" rule, which just exposed the pulseaudio socket directly, without limits. This is similar to the current Flatpak audio permissions.
In the pulseaudio days, an specific pulseaudio module was used that checked the permissions given to the application and allowed or forbide access to the pulseaudio operations. With the change to pipewire, this functionality must be implemented in pipewire-pulse and wireplumber to guarantee the sandbox security.
The current code checks for the presence of the pipewire.snap.id property in a client, in which case it will read the pipewire.snap.audio.playback and pipewire.snap.audio.record properties, and allow or deny access to that client to the nodes with Audio/Sink or Audio/Source media.class property.
Those pipewire.snap.* properties must be added in the pipewire-pulse module. That code is available in a different patch: pipewire!1779 (merged)