We are using nng IPC (basically a UNIX domain socket) inside an AU audio plugin that can be dynamically loaded by a host application at runtime – an AU plugin is basically a dynamic library. We use this IPC connection to communicate between multiple instances of that plugin loaded by the user and to communicate to a separate background process running on the system.
While this works fine in general, this fails when the host application is sandboxed like e.g. Apple Garage Band. All Apple AU hosts allow file access to ~/Music and general network access (we can successfully reach our license servers). Creating a subdirectory in ~/Music and writing files to it works, also querying the permissions of that directory via stat from within the plugin reveals 755. But a call to nng_listen specifying a URL like ipc:///Users/me/Music/subdir/foo.ipc returns NNG_EPERM (e.g. permission denied) and in the Console App I see a notification like Sandbox: GarageBand(92944) deny(1) network-bind /Users/me/Music/subdir/foo.ipc.
I originally assumed that since IPC via UNIX domain sockets works file based in the end, choosing a path with proper file access rights is sufficient to get it working, but this does not seem to be the case. So is there even any option to make IPC sockets work from within a plugin loaded at runtime or is this all about which entitlements Apple sets on their application and we need a completely different approach? If so, what (hopefully Win/macOS cross-platform) approach would you recommend?
