fix: allow vllm-metal ZMQ IPC sockets in macOS sandbox

ericcurtin · ericcurtin · commit 2b3f9e2a6fdd · 2026-04-09T14:53:08.000+01:00
vllm-metal uses ZMQ IPC sockets at temporary paths under
/private/var/folders (the macOS TMPDIR) for internal inter-process
communication between API server workers. The Python sandbox profile
only allowed network-bind for Unix sockets matching the
inference.*-[0-9]+\.sock$ pattern and TCP loopback, which caused
a ZMQError: Operation not permitted when vllm-metal tried to bind
those sockets.

Allow network-bind on paths under /private/var/folders so vllm-metal
can create its internal ZMQ IPC sockets in the system temp directory.
diff --git a/pkg/sandbox/sandbox_darwin.go b/pkg/sandbox/sandbox_darwin.go
@@ -26,10 +26,14 @@ const ConfigurationPython = `(version 1)
 ;;; Python backends use either a Unix socket or a TCP loopback port.
 ;;; Allow Unix socket paths that match the inference socket naming convention
 ;;; as well as TCP loopback binding/inbound for backends that use TCP.
+;;; Also allow Unix domain socket binding in the system temp directory
+;;; (/private/var/folders) which vllm-metal uses for internal ZMQ IPC sockets.
 (deny network*)
 (allow network-bind network-inbound
     (regex #"inference.*-[0-9]+\.sock$")
     (local tcp "localhost:*"))
+(allow network-bind
+    (regex #"^/private/var/folders/"))
 
 ;;; Deny access to the camera and microphone.
 (deny device*)
