If it's possible that unknown other operations may be executing concurrently in the same process then probably a new directory should be created with restricted permissions that could be used for creating the socket, which would then be inaccessible to all processes without CAP_DAC_OVERRIDE and/or CAP_DAC_READ_SEARCH. Once the permissions are set correctly then the directory permissions could be widened.
I didn't find any reference to AF_UNIX on what appears to be the Windows socket(2) analog: https://msdn.microsoft.com/en-us/library/windows/desktop/ms740506(v=vs.85).aspx
Thanks
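The "restricted directory first, widen later" sequence described above, as an added example that is not code from the original post. It assumes Linux, where permission bits on the socket file and on its parent directory are both enforced; the function and path names are hypothetical.

```python
import os
import socket
import stat
import tempfile


def create_restricted_socket(dir_path, sock_name, socket_mode=0o660, final_dir_mode=0o755):
    """Bind an AF_UNIX socket without a window in which it is reachable
    with looser permissions than intended.

    1. Create a fresh directory and force it to 0700 (mkdir's mode is
       subject to umask, so chmod it explicitly).
    2. Bind the socket inside it; no process without CAP_DAC_OVERRIDE or
       CAP_DAC_READ_SEARCH can traverse into the directory yet.
    3. Set the socket file's permissions.
    4. Only then widen the directory permissions.
    Returns (listening socket, socket path).
    """
    os.mkdir(dir_path, 0o700)
    os.chmod(dir_path, 0o700)
    sock_path = os.path.join(dir_path, sock_name)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(sock_path)
        # Socket file now exists but is unreachable: the directory is 0700.
        os.chmod(sock_path, socket_mode)
        sock.listen(1)
        # Socket permissions are final; the directory can be opened up.
        os.chmod(dir_path, final_dir_mode)
    except Exception:
        sock.close()
        raise
    return sock, sock_path


def permission_bits(path):
    """Permission bits of a path as an int, e.g. 0o660."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Run the sequence in a constructed temp directory; return (socket mode, dir mode)."""
    base = tempfile.mkdtemp()
    sock, path = create_restricted_socket(os.path.join(base, "svc"), "control.sock")
    try:
        return permission_bits(path), permission_bits(os.path.dirname(path))
    finally:
        sock.close()


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```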