From: Jesper Wallin <jesper@ifconfig.se>
Subject: Re: Move the ssh-agent socket from /tmp to $HOME/.ssh/
To: Jay Acuna <mysidia@gmail.com>
Cc: Ted Unangst <tedu@tedunangst.com>, Theo de Raadt <deraadt@openbsd.org>, tech@openbsd.org
Date: Tue, 29 Apr 2025 22:40:27 +0200

Yeah, that is the reason I picked a static name for the inside ~/.ssh.
Then it's either reused on fail or removed upon successful shutdown.

I tried this approach at first, but afaik, neither Firefox nor Chromium
allow you to specify an empty string as the unveil value.

On Tue, Apr 29, 2025 at 02:49:41PM -0500, Jay Acuna wrote:
> I think the SSH socket files are inherently temporary and ~ is not meant
> to be used as app scratch space for temp files. As mentioned;
> the homedir is commonly a remote mount.
>
> I would have an alternate suggestion: create a
> mkdir -p /tmp/username.private.$$/ssh subdirectory
> within /tmp and choose that subdirectory for the SSH socket.
>
> Then use your unveil(2) to subdivide the restrictions on /tmp further
> and block access to everything below that user's
> /tmp/username.private.$$ subdirectory that has the ssh subdirectory
> while still allowing access at the /tmp folder level itself.
> 
> --
> -JA
>
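
The per-user directory layout from the quoted suggestion, as an added example that is not part of the original thread or of any OpenSSH/OpenBSD code. The function name `make_private_sockdir` and the socket name `agent.sock` are hypothetical, and the parent is created with plain `mkdir` rather than `mkdir -p` so that a pre-existing, PID-guessable name in a shared /tmp is rejected instead of reused.

```shell
# Added example; function name and socket file name are illustrative assumptions.
# Creates <base>/<user>.private.<pid>/ssh with mode 0700 and prints the path.
make_private_sockdir() {
    base=${1:-/tmp}
    user=$(id -un) || return 1
    parent="$base/$user.private.$$"
    old_umask=$(umask)
    umask 077
    # No -p on the parent: mkdir must fail if anything already sits at that
    # name, since another local user could have created it first.
    if ! mkdir "$parent" 2>/dev/null; then
        umask "$old_umask"
        echo "refusing to reuse existing $parent" >&2
        return 1
    fi
    mkdir "$parent/ssh"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    # Verify the result: real directory, owned by us, no group/other bits.
    for d in "$parent" "$parent/ssh"; do
        [ -d "$d" ] && [ ! -L "$d" ] && [ -O "$d" ] || return 1
        case $(ls -ld "$d") in
            drwx------*) ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$parent/ssh"
}

# Usage: bind the agent to a socket inside the private directory.
# dir=$(make_private_sockdir /tmp) && ssh-agent -a "$dir/agent.sock"
```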