If you're sandboxing with Bubblewrap/namespaces, are you bind-mounting /run read-only? Docker, Podman, and libvirt sockets live in /run (or /var/run symlinked to /run), and Unix socket connections bypass read-only restrictions. #linux #sandboxing #greywall
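The point above in working form, as an added example rather than code from the original post: a leaky bwrap option list that recursively bind-mounts `/` (and with it the host's `/run`, docker.sock and friends), a hardened list that masks `/run` with an empty tmpfs and re-exposes only one socket, and a small audit function that walks an option list in the order bwrap applies it and reports how much of host `/run` the sandbox can reach. The socket path `/run/user/1000/wayland-0` is a placeholder for whatever the sandboxed program actually needs; the live probe assumes `bwrap` is on PATH.

```sh
#!/bin/sh
# Added example (not the original post's code): compare a leaky and a hardened
# bwrap invocation and audit how much of host /run each one exposes.
# Assumption: NEEDED_SOCKET is a placeholder for the one socket the program may use.

NEEDED_SOCKET="${NEEDED_SOCKET:-/run/user/1000/wayland-0}"

# Leaky: --ro-bind is recursive, so the host's /run tmpfs (docker.sock,
# podman, libvirt sockets) comes along. Read-only does not stop connect().
leaky_bwrap_args() {
  printf '%s\n' --unshare-all --ro-bind / / --dev /dev --proc /proc
}

# Hardened: same base, then hide /run behind a fresh tmpfs (bwrap applies
# options in order, so later mounts cover earlier ones), then bind back only
# the single socket the program is allowed to talk to.
hardened_bwrap_args() {
  printf '%s\n' --unshare-all --ro-bind / / --dev /dev --proc /proc \
    --tmpfs /run \
    --ro-bind "$NEEDED_SOCKET" "$NEEDED_SOCKET"
}

# Classify how much of host /run a bwrap option list exposes:
#   all        host /run (or a parent of it) is bind-mounted into the sandbox
#   selective  only specific paths under /run are bound
#   none       nothing from host /run is reachable
audit_run_exposure() {
  state=none
  while [ $# -gt 0 ]; do
    case "$1" in
      --bind|--ro-bind|--dev-bind|--bind-try|--ro-bind-try|--dev-bind-try)
        src=$2
        shift 3
        case "$src" in
          /|/run|/var/run) state=all ;;
          /run/*|/var/run/*) if [ "$state" != all ]; then state=selective; fi ;;
        esac
        ;;
      --tmpfs)
        # a fresh tmpfs over /run masks everything bound there before it
        if [ "$2" = /run ]; then state=none; fi
        shift 2 ;;
      *) shift ;;
    esac
  done
  echo "$state"
}

# Optional live probe: is SOCK visible inside a sandbox built from the given
# options? Exit 0 means visible, and a visible Unix socket is a connectable one.
# Usage: set -- $(leaky_bwrap_args); probe_socket_visible /run/docker.sock "$@"
probe_socket_visible() {
  sock=$1
  shift
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 2; }
  bwrap "$@" test -S "$sock"
}

# Report both configurations when run directly
for cfg in leaky hardened; do
  printf '%s: /run exposure = %s\n' "$cfg" \
    "$(audit_run_exposure $("${cfg}_bwrap_args"))"
done
```

Why read-only is no defence here: the kernel's read-only check for a filesystem (`EROFS`) only applies to regular files, directories and symlinks, and the mount-level read-only flag is enforced when a file is opened for writing; `connect()` on a Unix socket is neither, it just needs write permission on the socket inode, which the host daemon usually grants to a group or to everyone. The fix is therefore to not mount the path at all (the `--tmpfs /run` step), not to mount it read-only, and then to bind back individual sockets deliberately.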