Note that the process-control interface allows CAP_SYS_RESOURCE and could probably be made to work. As for pkexec, you are right that this is not currently supported in strict mode, but it could be at a future date. An alternative approach would be extending userd to run pkexec on behalf of your snap. Both need design and aren’t currently roadmapped. Today, use of pkexec is an unsupported use case for classic.
That said, the need for your snap to adjust RLIMIT_RTTIME suggests there is a bug in pulseaudio and perhaps you should try to get it fixed there. Barring that, once pulseaudio-control is implemented and your snap could otherwise be made strict, I think the path forward would be instead of using pkexec or the process-control interface, for you to use the system-files interface to read /etc/pulse/daemon.conf so you could alert users to make any necessary changes if they’ve set . Alternatively, you could use it for write access to the file so your snap could make the change itself (which could be done in a configure hook or one-shot daemon).
@alexmurray - you’re right that this doesn’t fit any currently supported use cases, but there is a clear path forward with a pulseaudio-control interface and it should be noted that on systems without a mediating pulseaudio (i.e., non-Ubuntu and its derivatives currently), this snap should be able to work today in strict mode. As such, I think we don’t need to worry about adding a new use case to our processes at this time; we just need someone to create the pulseaudio-control interface and adjust the Ubuntu patches to check for it. This would likely fall on the desktop team (cc @kenvandine and @jamesh, but it doesn’t have to).
At this point per @pedronis’ comments (and our agreement that is the path forward), the requirements are understood but I’d like to put a condition on use of classic: @lawl, once the pulseaudio-control interface is implemented and the pulseaudio mediation patches updated, will you move your snap from classic to strict mode? Also, other than potentially writing a configure hook/one-shot daemon for modifying daemon.conf, will your snap ship any services?
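The read-only check suggested in the post above, sketched as an added example that is not part of the original post or the snap's own code: a shell helper, usable from a configure hook, that reports whether a key is explicitly set in a daemon.conf-style file. The function name, the sample file and the choice of `rlimit-rttime` as the key to look up are assumptions made for illustration; only the main file is read, not any included or drop-in files.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or the snap).
# Prints the effective value of KEY in a PulseAudio daemon.conf-style file.
# Format per pulse-daemon.conf(5): "key = value" lines; ';' or '#' starts
# a comment that runs to the end of the line.
# Exit status: 0 = key set, 1 = key absent or commented out, 2 = unreadable.
daemon_conf_value() {
    conf=$1
    key=$2
    [ -r "$conf" ] || return 2
    awk -v key="$key" '
        {
            sub(/[;#].*/, "")              # strip comments, trailing ones too
            eq = index($0, "=")
            if (eq == 0) next              # blank line or not an assignment
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            # Assumption: a later assignment overrides an earlier one.
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$conf"
}

# Constructed sample input; a real hook would pass the path granted by its
# system-files plug, e.g. /etc/pulse/daemon.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed sample, not a real system file
; rlimit-rttime = 200000
realtime-scheduling = yes   # trailing comment
rlimit-rttime = 500000
EOF

if value=$(daemon_conf_value "$sample" rlimit-rttime); then
    echo "rlimit-rttime is explicitly set to $value"
else
    echo "rlimit-rttime is not set in this file"
fi
rm -f "$sample"
```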