IPC sockets and sandboxed AU plugins

We are working on some inter-plugin communication mechanism using nng ipc. While this works great for most hosts, it currently fails with e.g. GarageBand which is a sandboxed host.

From reading Accessing PropertiesFile from Plugin, I learned that we are generally at the mercy of the entitlements of the host (so we cannot do anything from within the plugin that would grant us access to some custom location) but all sandboxed AU hosts should have at least access to the ~/Music folder. So I tried creating a hidden directory in there to serve as the base url for our IPC sockets. Querying the access rights of that hidden folder programmatically via stat from within the plugin reveals User: rwx, Group: r-x, Other: r-x (e.g. 755). Writing a dummy text file to that location from within the plugin also succeeds.

But calling nng::listen (socket, "ipc:///Users/me/Music/.hidden/foo.ipc", 0) (e.g. that hidden folder) throws an exception telling me Permission Denied.

That’s a bit confusing to me, since to my understanding IPC sockets work via simple files. I know that this is not the nng support forum here, but since there might be some people with experience regarding sandboxed plugins round here, maybe someone has a clue what’s wrong here. I never had to deal with all this sandboxing stuff, so it’s totally possible that I’m lacking some understanding here.

Quick update: Inspecting the Console app, I find
Sandbox: GarageBand(92944) deny(1) network-bind /Users/me/Music/.hidden/foo.ipc

So it seems that this IPC socket stuff is not simply categorised as file access on the system level as I assumed… Still I wonder why other network operations work. Seems that this is a nasty combination of lacking in-depth knowledge in both IPC sockets and Sandbox :grimacing:
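
An added example, not part of the original post and not nng code: nng's ipc:// transport uses Unix domain sockets on POSIX systems, so this small C probe tries a plain file create and an AF_UNIX bind() in the same directory and reports each result separately, which is the distinction the network-bind line in the Console log points at. The function name and the probe file names are made up for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Result of probing one directory: 0 means success, otherwise the errno. */
struct probe_result { int file_errno; int bind_errno; };

/* Try a plain file create, then an AF_UNIX bind(), in the same directory.
 * "probe.txt" and "probe.ipc" are hypothetical names for this example. */
struct probe_result probe_dir(const char *dir)
{
    struct probe_result r = {0, 0};
    char path[1024];
    struct sockaddr_un addr;

    /* 1. Ordinary file access: what the stat / dummy-file test exercises. */
    snprintf(path, sizeof path, "%s/probe.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) r.file_errno = errno;
    else { close(fd); unlink(path); }

    /* 2. Socket bind: a separate operation even though it creates a
     *    filesystem entry. sun_path is small (104 bytes on macOS). */
    int n = snprintf(path, sizeof path, "%s/probe.ipc", dir);
    if (n < 0 || (size_t)n >= sizeof addr.sun_path) {
        r.bind_errno = ENAMETOOLONG;
        return r;
    }
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) { r.bind_errno = errno; return r; }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, (size_t)n + 1);
    unlink(path);                       /* remove a stale socket file */
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0) r.bind_errno = errno;
    else unlink(path);
    close(s);
    return r;
}

int main(int argc, char **argv)
{
    struct probe_result r = probe_dir(argc > 1 ? argv[1] : ".");
    printf("file create: %s\n", r.file_errno ? strerror(r.file_errno) : "ok");
    printf("unix bind:   %s\n", r.bind_errno ? strerror(r.bind_errno) : "ok");
    return 0;
}
```

Called from inside the plugin on the candidate directory, a result of file create ok with unix bind failing matches the behaviour described in the post.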