Create PulseAudio AppArmor profile

From what I’m being told, PulseAudio provides an API which allows clients to tell the daemon to execute arbitrary commands on its behalf. This effectively bypasses all AppArmor profiles which give access to PulseAudio, such as Firefox, Totem, etc. The confined programs can escape their sandboxes by asking PulseAudio to execute whatever commands they want. The solution is to provide the daemon with its own AppArmor profile[1].

There is also a program in development to attempt to mitigate this issue through IPC filtering, called flatpak[2].

[1] https://github.com/subgraph/subgraph-os-apparmor-profiles/blob/master/profiles/usr.bin.pulseaudio
[2] https://github.com/flatpak/flatpak/

Original created by @cypherpunks on 12325 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information