There are a number of things in our content process sandbox policy that are allowed only because PulseAudio needs them. Once bug 1362220 lands, we should go through and rip them all out. Removing network/sockets access and chroot()ing content processes have their own bugs; this bug will cover everything else: system calls like fchown and umask, files like $XAUTHORITY (see bug 1384986 comment #5), and so on.

Comment on attachment 8944633 [details] Bug 1386019 - At sandbox level 4, remove syscalls used only by PulseAudio. https://reviewboard.mozilla.org/r/214784/#review220566

Comment on attachment 8944634 [details] Bug 1386019 - Remove PulseAudio-specific sandbox broker rules when remoting audio. https://reviewboard.mozilla.org/r/214786/#review220568

Comment on attachment 8944635 [details] Bug 1386019 - Also remove ALSA-related sandbox rules if ALSA is remoted. https://reviewboard.mozilla.org/r/214788/#review220570

Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ff1469e83494 At sandbox level 4, remove syscalls used only by PulseAudio. r=gcp https://hg.mozilla.org/integration/mozilla-inbound/rev/c2836d5bc6bc Remove PulseAudio-specific sandbox broker rules when remoting audio. r=gcp https://hg.mozilla.org/integration/mozilla-inbound/rev/af41b725ff91 Also remove ALSA-related sandbox rules if ALSA is remoted. r=gcp

https://hg.mozilla.org/mozilla-central/rev/ff1469e83494 https://hg.mozilla.org/mozilla-central/rev/c2836d5bc6bc https://hg.mozilla.org/mozilla-central/rev/af41b725ff91