[FEATURE] Add path-scoped Unix socket creation (bind) support in sandbox
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
The sandbox's allowUnixSockets setting only allows connecting to existing Unix sockets, not creating (binding) new ones. Tools like Playwright CLI, which spawn a daemon that creates a Unix socket at runtime, cannot function within the sandbox unless allowAllUnixSockets: true is set — which opens access to ALL Unix sockets (SSH agent, GPG agent, etc.).
There is no path-scoped option for socket creation. The only options are:
allowUnixSockets: ["/path/to/sock"]— allowsconnect()only, notbind()allowAllUnixSockets: true— allows both, but for ALL paths (security concern)
This forces users to choose between security (no socket creation → tool doesn't work) and functionality (allow all sockets → overly permissive).
Proposed Solution
Add path-scoped socket creation support, either by:
- Extending
allowUnixSocketsto cover bothconnect()andbind()at listed paths. If a path like/tmp/claude/playwright-cliis listed, processes should be able to both connect to and create sockets under that prefix.
- Adding a separate
allowUnixSocketCreationarray for paths where socketbind()is permitted, keepingallowUnixSocketsfor connect-only.
Option 1 is simpler and likely what users expect — if you're allowing a socket path, you probably want both connect and create.
Alternative Solutions
allowAllUnixSockets: true— works but overly permissive. Allows connecting to SSH agent, GPG agent, and any other local daemon socket.excludedCommands— doesn't help because child processes still inherit Seatbelt restrictions.dangerouslyDisableSandbox: true— defeats the purpose of sandboxing.
Priority
Medium - Would be very helpful
Feature Category
Configuration and settings
Use Case Example
- User enables sandbox mode with
autoAllowBashIfSandboxed: truefor autonomous local development - User runs
playwright-cli --extension open "https://example.com"(or any tool that spawns a daemon with a Unix socket) - The daemon tries to
bind()a Unix socket at$TMPDIR/playwright-cli/<hash>/default.sock - Sandbox blocks the
bind()call withEPERM, even though$TMPDIRis writable and the path is listed inallowUnixSockets - User is forced to set
allowAllUnixSockets: true, weakening the sandbox
Reproduction:
// .claude/settings.json
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"network": {
"allowUnixSockets": ["/tmp/claude/test"]
}
}
}
# In Claude Code with sandbox enabled, run:
python3 -c "
import socket, os
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.bind('/tmp/claude/test.sock') # EPERM - blocked by sandbox
"
With allowAllUnixSockets: true, the same code succeeds.
Additional Context
- Platform: macOS (Seatbelt sandbox)
- Claude Code version: 2.1.89
- Related issues: #16076 (allowUnixSockets ignored), #20263 (security guardrails for socket access)
- The
allowLocalBindingsetting only covers TCP binding, not Unix socket binding - The sandbox redirects
$TMPDIRto/tmp/claude/, so tools create sockets there instead of the real temp dir — making path-based allowlisting viable since the path is predictable
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗