Since I would like to run Spotify on my work laptop, I need to be able to verify what it can do (policy is either open-source software, constrain with AppArmor, or run in Docker container).
I could not find an AppArmor profile. When trying to create one I noticed that the client tries to read /proc/*/cmd. Allowing this would give the app a complete view of all the processes running on the machine. This seems utterly unnecessary. I assume that it's to make sure you don't end up with multiple running spotify instances, but this is much better handled with a pid-file (maybe in /tmp/<userid>/spotify.pid).
Can anybody explain the reason for wanting this permission?