DT-795: enforce snap audio record permissions

This MR adds support for sandboxing permissions in the pulseaudio module, and implements support for the SNAP audio security model, thus forbidding a SNAP application from recording audio unless it has permission to do so.

SNAP containers have two main "audio" rules:

  • audio-playback: the applications inside the container can send audio samples into a sink
  • audio-record: the applications inside the container can get audio samples from a source

Also, old SNAP containers had the "pulseaudio" rule, which just exposed the pulseaudio socket directly, without limits. This is similar to the current Flatpak audio permissions.

In the pulseaudio days, a specific pulseaudio module was used that checked the permissions given to the application and allowed or forbade access to the pulseaudio operations. With the change to pipewire, this functionality must be implemented in pipewire-pulse to guarantee the sandbox security.

The current code includes a permission cache, to avoid having to ask for permissions every time an application wants to access the sound card. The cache values are kept until the application closes the connection to the pipewire-pulse server. This means that any change to the permissions of the snap won't take effect until the snapped application is closed and opened again.
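As an added illustration (not code from this MR or from pipewire), the C sketch below models the per-connection permission cache described above and the lag it introduces; snap_query_permission() is a hypothetical stand-in for the real sandbox lookup, and the backend state and snap name are constructed.

```c
#include <stdbool.h>
#include <string.h>

enum perm { PERM_UNKNOWN = 0, PERM_ALLOWED, PERM_DENIED };
/* Constructed backend state: whether the snap has audio-record connected.
 * snap_query_permission() is a hypothetical stand-in for the real lookup. */
static bool backend_audio_record = false;

static enum perm snap_query_permission(const char *snap, const char *iface) {
    if (!snap || strcmp(iface, "audio-record") != 0)
        return PERM_DENIED;     /* only the audio-record rule is modelled */
    return backend_audio_record ? PERM_ALLOWED : PERM_DENIED;
}

/* One pipewire-pulse client connection with its cached answer. */
struct client {
    const char *snap_name;
    enum perm record;   /* PERM_UNKNOWN until first asked; kept until disconnect */
};

static void client_connect(struct client *c, const char *snap) {
    c->snap_name = snap;
    c->record = PERM_UNKNOWN;
}

/* Only the first call per connection reaches the backend. */
static bool client_can_record(struct client *c) {
    if (c->record == PERM_UNKNOWN)
        c->record = snap_query_permission(c->snap_name, "audio-record");
    return c->record == PERM_ALLOWED;
}

static void client_disconnect(struct client *c) {
    c->record = PERM_UNKNOWN;   /* the cache dies with the connection */
}

/* What the description warns about: a grant or revocation made while the
 * client stays connected is not seen until it reconnects. Returns 1 if so. */
static int demo_permission_lag(void) {
    struct client c;
    backend_audio_record = false;
    client_connect(&c, "example-snap");      /* constructed snap name */
    bool before = client_can_record(&c);     /* false: not granted */
    backend_audio_record = true;             /* user connects audio-record */
    bool stale = client_can_record(&c);      /* still false: cached */
    client_disconnect(&c);
    client_connect(&c, "example-snap");
    bool fresh = client_can_record(&c);      /* true: queried again */
    return !before && !stale && fresh;
}
```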

The code is designed to allow other sandbox systems (like Flatpak) to implement their models too. Although currently Flatpak only supports an "all-or-nothing" model for pulseaudio applications, with this code in place it would be extremely easy to add extra granularity for them too, greatly improving the security of applications not designed to work inside a sandbox.

Fix https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707

Edited by Sergio Costas
