This is a followup to my question from yesterday, if my application can even run sandboxed.
The conclusion was: no.
My application “noisetorch” needs to load pulseaudio modules into pulseaudio to setup a virtual denoised microphone using xiph.org / mozilla’s rnnoise Library. Similar to NVIDIA’s RTX Voice, but for linux, and open source.
As @jamesh said the pulseaudio commands
PA_COMMAND_UNLOAD_MODULE are not allowed in strict confinement, as they essentially allow you to
dlopen() a shared object outside of the sandbox.
My application however has no way around this, as I need to load/unload a LADSPA plugin, and other pulseaudio modules (loopback, null-sink and remap-source), to make the virtual microphone available to all other applications (e.g. Discord, Mumble, Skype, Browsers for WebRTC websites etc.)
The application has not been “officially” released yet, as I would like to provide sane install options from the get-go. But you can already find and build the source-code here: https://github.com/lawl/NoiseTorch