[FEATURE] Linux (bwrap): Add allowUnixSockets / allowAllUnixSockets equivalent for seccomp BPF

Open 💬 5 comments Opened Apr 6, 2026 by nobuhiro-sasaki

Problem

On macOS, allowAllUnixSockets: true and allowUnixSockets path arrays exist to selectively permit AF_UNIX socket operations within the sandbox. On Linux (bwrap + seccomp BPF), no equivalent configuration exists. The seccomp filter unconditionally blocks all socket(AF_UNIX, ...) syscalls with EPERM.

This breaks any tool that requires Unix domain sockets for IPC:

  • Playwright / Puppeteer — Chromium requires AF_UNIX for Zygote/Mojo IPC → socket() failed: Operation not permitted (1)
  • SSH agentssh-add cannot connect to agent socket
  • GPG agentgpg-agent cannot create/connect to sockets
  • .NET MSBuild — worker nodes use AF_UNIX for IPC (#39257)

Context

  • This worked before v2.1.92 because the apply-seccomp binary was not bundled (#28576). The v2.1.92 changelog explicitly states: "Linux sandbox now ships the apply-seccomp helper in both npm and native builds, restoring unix-socket blocking for sandboxed commands."
  • macOS has had allowAllUnixSockets since sandbox-runtime PR #140 (2026-02-19), and path-scoped allowUnixSockets is being worked on (#41817).
  • Linux has no equivalent — the seccomp BPF filter is binary: all AF_UNIX blocked or none blocked.
  • excludedCommands only bypasses filesystem restrictions, not seccomp (#10524).
  • settings.json seccomp configuration is silently ignored (#24238).

Environment

  • Linux (WSL2), Claude Code v2.1.92+
  • sandbox.enabled: true

Reproduction

# Inside Claude Code sandbox:
python3 -c "import socket; s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)"
# → OSError: [Errno 1] Operation not permitted

# Chromium launch:
playwright-cli open https://example.com
# → FATAL: socket() failed: Operation not permitted (1)

Proposed Solution

Add Linux equivalents of the macOS socket configuration:

// settings.json
{
  "sandbox": {
    // Option 1: Allow all AF_UNIX sockets (parity with macOS)
    "allowAllUnixSockets": true,
    
    // Option 2: Path-scoped (preferred, more granular)
    "allowUnixSockets": [
      "/tmp/claude/**"
    ],
    
    // Option 3: Command-scoped seccomp exceptions
    // (extend excludedCommands to also bypass seccomp)
    "excludedFromSeccomp": ["playwright-cli", "chromium"]
  }
}

Any of these would unblock browser automation, SSH signing, and GPG operations on Linux.

Related Issues

  • #11791 — Browser automation incompatible with sandbox
  • #41817 — Path-scoped Unix socket bind() support (macOS)
  • #39257 — macOS sandbox blocks bind() for child processes
  • #41254 — allowAllUnixSockets does not cover network-bind
  • #24238 — seccomp config silently ignored
  • #28576 — apply-seccomp binary bundling (the fix that caused this regression)
  • OpenAI Codex PR #12702 — Fixed equivalent network-bind issue in their sandbox

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗