[FEATURE] Add path-scoped Unix socket creation (bind) support in sandbox

Resolved 💬 3 comments Opened Apr 1, 2026 by abumalick Closed Jun 8, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

The sandbox's allowUnixSockets setting only allows connecting to existing Unix sockets, not creating (binding) new ones. Tools like Playwright CLI, which spawn a daemon that creates a Unix socket at runtime, cannot function within the sandbox unless allowAllUnixSockets: true is set — which opens access to ALL Unix sockets (SSH agent, GPG agent, etc.).

There is no path-scoped option for socket creation. The only options are:

  • allowUnixSockets: ["/path/to/sock"] — allows connect() only, not bind()
  • allowAllUnixSockets: true — allows both, but for ALL paths (security concern)

This forces users to choose between security (no socket creation → tool doesn't work) and functionality (allow all sockets → overly permissive).

Proposed Solution

Add path-scoped socket creation support, either by:

  1. Extending allowUnixSockets to cover both connect() and bind() at listed paths. If a path like /tmp/claude/playwright-cli is listed, processes should be able to both connect to and create sockets under that prefix.
  1. Adding a separate allowUnixSocketCreation array for paths where socket bind() is permitted, keeping allowUnixSockets for connect-only.

Option 1 is simpler and likely what users expect — if you're allowing a socket path, you probably want both connect and create.

Alternative Solutions

  • allowAllUnixSockets: true — works but overly permissive. Allows connecting to SSH agent, GPG agent, and any other local daemon socket.
  • excludedCommands — doesn't help because child processes still inherit Seatbelt restrictions.
  • dangerouslyDisableSandbox: true — defeats the purpose of sandboxing.

Priority

Medium - Would be very helpful

Feature Category

Configuration and settings

Use Case Example

  1. User enables sandbox mode with autoAllowBashIfSandboxed: true for autonomous local development
  2. User runs playwright-cli --extension open "https://example.com" (or any tool that spawns a daemon with a Unix socket)
  3. The daemon tries to bind() a Unix socket at $TMPDIR/playwright-cli/<hash>/default.sock
  4. Sandbox blocks the bind() call with EPERM, even though $TMPDIR is writable and the path is listed in allowUnixSockets
  5. User is forced to set allowAllUnixSockets: true, weakening the sandbox

Reproduction:

// .claude/settings.json
{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "network": {
      "allowUnixSockets": ["/tmp/claude/test"]
    }
  }
}
# In Claude Code with sandbox enabled, run:
python3 -c "
import socket, os
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.bind('/tmp/claude/test.sock')  # EPERM - blocked by sandbox
"

With allowAllUnixSockets: true, the same code succeeds.

Additional Context

  • Platform: macOS (Seatbelt sandbox)
  • Claude Code version: 2.1.89
  • Related issues: #16076 (allowUnixSockets ignored), #20263 (security guardrails for socket access)
  • The allowLocalBinding setting only covers TCP binding, not Unix socket binding
  • The sandbox redirects $TMPDIR to /tmp/claude/, so tools create sockets there instead of the real temp dir — making path-based allowlisting viable since the path is predictable

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗