Comment 4 for bug 1559455

Bob Meyers (bobgmeyers) wrote :

One other thing that might help you is lstat. You can pull up the documentation on this C function using "man lstat". It refers to a POSIX standard macro, S_ISSOCK(stat.st_mode). This macro will tell you if a particular directory entry is a socket, as opposed to a file or a directory or something else. You could hook fopen and similar functions and first branch to lstat followed by this test macro. The hook itself would be installed, or not, per app instance.

If you go this route, I would reject anything that does not return true from S_ISREG, S_ISDIR, or S_ISLNK, as everything else is creepy in a hardware way.

Of course it's possible that a rogue app could take a more indirect route, for example, by following a link (S_ISLNK true) to a network socket (S_ISSOCK true), but again, this is about best efforts, not perfect security.
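The check described in this comment, as an added example that is not part of the original comment or the project's code: it accepts only regular files, directories and symlinks via lstat, and goes one step further by also checking a symlink's target with stat to cover the indirect route mentioned above. The names `entry_type_allowed`, `target_type_allowed` and `checked_fopen` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: classify a path by its own directory entry.
 * lstat() does not follow a final symlink.
 * Returns 1 = allowed type, 0 = rejected type, -1 = lstat failed. */
int entry_type_allowed(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    /* Sockets, FIFOs, character and block devices all fall through to 0. */
    return S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode);
}

/* Stricter variant: if the entry passes, also stat() what it resolves to,
 * so a symlink pointing at a socket or device is rejected as well. */
int target_type_allowed(const char *path)
{
    struct stat st;
    int r = entry_type_allowed(path);
    if (r != 1)
        return r;
    if (stat(path, &st) != 0)   /* follows links; fails on a dangling link */
        return -1;
    return S_ISREG(st.st_mode) || S_ISDIR(st.st_mode);
}

/* Hypothetical wrapper a hook on fopen would branch to first.
 * Best effort only: the entry can change between the check and the open. */
FILE *checked_fopen(const char *path, const char *mode)
{
    if (target_type_allowed(path) == 0) {
        errno = EACCES;
        return NULL;
    }
    /* -1 may just mean the file does not exist yet (mode "w"). */
    return fopen(path, mode);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: entry=%d target=%d\n", argv[i],
               entry_type_allowed(argv[i]), target_type_allowed(argv[i]));
    return 0;
}
```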