[FEATURE] Linux (bwrap): Add allowUnixSockets / allowAllUnixSockets equivalent for seccomp BPF
Open 💬 5 comments Opened Apr 6, 2026 by nobuhiro-sasaki
Problem
On macOS, allowAllUnixSockets: true and allowUnixSockets path arrays exist to selectively permit AF_UNIX socket operations within the sandbox. On Linux (bwrap + seccomp BPF), no equivalent configuration exists. The seccomp filter unconditionally blocks all socket(AF_UNIX, ...) syscalls with EPERM.
This breaks any tool that requires Unix domain sockets for IPC:
- Playwright / Puppeteer — Chromium requires AF_UNIX for Zygote/Mojo IPC →
socket() failed: Operation not permitted (1) - SSH agent —
ssh-addcannot connect to agent socket - GPG agent —
gpg-agentcannot create/connect to sockets - .NET MSBuild — worker nodes use AF_UNIX for IPC (#39257)
Context
- This worked before v2.1.92 because the
apply-seccompbinary was not bundled (#28576). The v2.1.92 changelog explicitly states: "Linux sandbox now ships the apply-seccomp helper in both npm and native builds, restoring unix-socket blocking for sandboxed commands." - macOS has had
allowAllUnixSocketssince sandbox-runtime PR #140 (2026-02-19), and path-scopedallowUnixSocketsis being worked on (#41817). - Linux has no equivalent — the seccomp BPF filter is binary: all AF_UNIX blocked or none blocked.
excludedCommandsonly bypasses filesystem restrictions, not seccomp (#10524).settings.jsonseccomp configuration is silently ignored (#24238).
Environment
- Linux (WSL2), Claude Code v2.1.92+
sandbox.enabled: true
Reproduction
# Inside Claude Code sandbox:
python3 -c "import socket; s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)"
# → OSError: [Errno 1] Operation not permitted
# Chromium launch:
playwright-cli open https://example.com
# → FATAL: socket() failed: Operation not permitted (1)
Proposed Solution
Add Linux equivalents of the macOS socket configuration:
// settings.json
{
"sandbox": {
// Option 1: Allow all AF_UNIX sockets (parity with macOS)
"allowAllUnixSockets": true,
// Option 2: Path-scoped (preferred, more granular)
"allowUnixSockets": [
"/tmp/claude/**"
],
// Option 3: Command-scoped seccomp exceptions
// (extend excludedCommands to also bypass seccomp)
"excludedFromSeccomp": ["playwright-cli", "chromium"]
}
}
Any of these would unblock browser automation, SSH signing, and GPG operations on Linux.
Related Issues
- #11791 — Browser automation incompatible with sandbox
- #41817 — Path-scoped Unix socket bind() support (macOS)
- #39257 — macOS sandbox blocks bind() for child processes
- #41254 — allowAllUnixSockets does not cover network-bind
- #24238 — seccomp config silently ignored
- #28576 — apply-seccomp binary bundling (the fix that caused this regression)
- OpenAI Codex PR #12702 — Fixed equivalent network-bind issue in their sandbox
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗