sailfishos / sailjail-permissions

Default to "net none" #60

Closed spiiroin closed 3 years ago

spiiroin commented 3 years ago

Now that maliit uses regular unix socket instead of an abstract one, applications can be put into private net namespaces via "net none".

Which then needs to be undone for those applications that have been granted internet access.

spiiroin commented 3 years ago

The reason behind pulse audio woes seems to be: There are no whitelist rules for runuser. Adding the first one affects all of runuser -> immediate wholesale visibility reconfiguration of all things in there would be needed.

As long as we do not add whitelist rules, read-only is sufficient for maliit-change and nothing needs to be changed regarding e.g. pulseaudio.

Review commits squashed.