diff --git a/include/config/rcxml.h b/include/config/rcxml.h
index 62a06ab6..104d96ac 100644
--- a/include/config/rcxml.h
+++ b/include/config/rcxml.h
@@ -31,6 +31,11 @@ struct window_switcher_field {
 	struct wl_list link; /* struct rcxml.window_switcher.fields */
 };
 
+struct blocked_protocol {
+	struct wl_list link; /* struct rcxml.blocked_protocols */
+	char *interface_name;
+};
+
 struct rcxml {
 	char *config_dir;
 
@@ -95,6 +100,7 @@ struct rcxml {
 	} window_switcher;
 
 	struct wl_list window_rules; /* struct window_rule.link */
+	struct wl_list blocked_protocols; /* struct blocked_protocol.link */
 };
 
 extern struct rcxml rc;
diff --git a/include/server-unpriv.h b/include/server-unpriv.h
new file mode 100644
index 00000000..d8c8eee0
--- /dev/null
+++ b/include/server-unpriv.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+#ifndef LABWC_SERVER_UNPRIV_H
+#define LABWC_SERVER_UNPRIV_H
+
+struct server;
+struct wl_client;
+
+void unpriv_socket_start(struct server *server);
+bool is_unpriv_client(const struct wl_client *wl_client);
+
+#endif /* LABWC_UNPRIV_H */
diff --git a/src/config/rcxml.c b/src/config/rcxml.c
index 735afeb3..523238c3 100644
--- a/src/config/rcxml.c
+++ b/src/config/rcxml.c
@@ -37,6 +37,7 @@ static bool in_mousebind;
 static bool in_libinput_category;
 static bool in_window_switcher_field;
 static bool in_window_rules;
+static bool in_blocked_protocols;
 
 static struct usable_area_override *current_usable_area_override;
 static struct keybind *current_keybind;
@@ -166,6 +167,16 @@ fill_window_rule(char *nodename, char *content)
 	}
 }
 
+static void
+fill_blocked_protocols(char *nodename, char *content)
+{
+	if (!strcasecmp(nodename, "name.interface.blockedProtocols")) {
+		struct blocked_protocol *proto = znew(*proto);
+		proto->interface_name = xstrdup(content);
+		wl_list_append(&rc.blocked_protocols, &proto->link);
+	}
+}
+
 static void
 fill_window_switcher_field(char *nodename, char *content)
 {
@@ -536,6 +547,10 @@ entry(xmlNode *node, char *nodename, char *content)
 		fill_window_rule(nodename, content);
 		return;
 	}
+	if (in_blocked_protocols) {
+		fill_blocked_protocols(nodename, content);
+		return;
+	}
 
 	/* handle nodes without content, e.g. <keyboard><default /> */
 	if (!strcmp(nodename, "default.keyboard")) {
@@ -738,6 +753,12 @@ xml_tree_walk(xmlNode *node)
 			in_window_rules = false;
 			continue;
 		}
+		if (!strcasecmp((char *)n->name, "blockedProtocols")) {
+			in_blocked_protocols = true;
+			traverse(n);
+			in_blocked_protocols = false;
+			continue;
+		}
 		traverse(n);
 	}
 }
@@ -778,6 +799,7 @@ rcxml_init(void)
 		wl_list_init(&rc.regions);
 		wl_list_init(&rc.window_switcher.fields);
 		wl_list_init(&rc.window_rules);
+		wl_list_init(&rc.blocked_protocols);
 	}
 	has_run = true;
 
@@ -1323,6 +1345,13 @@ rcxml_finish(void)
 		rule_destroy(rule);
 	}
 
+	struct blocked_protocol *proto, *proto_tmp;
+	wl_list_for_each_safe(proto, proto_tmp, &rc.blocked_protocols, link) {
+		wl_list_remove(&proto->link);
+		zfree(proto->interface_name);
+		zfree(proto);
+	}
+
 	/* Reset state vars for starting fresh when Reload is triggered */
 	current_usable_area_override = NULL;
 	current_keybind = NULL;
diff --git a/src/meson.build b/src/meson.build
index 58dfacf3..40ba3225 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -19,6 +19,7 @@ labwc_sources = files(
   'resistance.c',
   'seat.c',
   'server.c',
+  'server-unpriv.c',
   'session-lock.c',
   'touch.c',
   'theme.c',
diff --git a/src/server-unpriv.c b/src/server-unpriv.c
new file mode 100644
index 00000000..98549070
--- /dev/null
+++ b/src/server-unpriv.c
@@ -0,0 +1,169 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <wayland-server-core.h>
+#include "common/list.h"
+#include "common/mem.h"
+#include "labwc.h"
+#include "server-unpriv.h"
+
+static struct unpriv_socket {
+	char *path;
+	int listen_fd;
+	struct wl_event_source *event_source;
+	struct wl_listener on_display_destroy;
+
+	struct wl_list clients;
+} unpriv_socket;
+
+struct unpriv_client {
+	struct wl_client *wl_client;
+	struct wl_listener on_destroy;
+
+	struct wl_list link;
+};
+
+static void
+unpriv_socket_finish(void)
+{
+	if (unpriv_socket.listen_fd > 0) {
+		close(unpriv_socket.listen_fd);
+		unpriv_socket.listen_fd = 0;
+	}
+	if (unpriv_socket.event_source) {
+		wl_event_source_remove(unpriv_socket.event_source);
+		unpriv_socket.event_source = NULL;
+	}
+	if (unpriv_socket.path) {
+		unlink(unpriv_socket.path);
+		zfree(unpriv_socket.path);
+	}
+}
+
+static void
+on_unpriv_client_destroy(struct wl_listener *listener, void *data)
+{
+	struct unpriv_client *client = wl_container_of(listener, client, on_destroy);
+	wl_list_remove(&client->on_destroy.link);
+	wl_list_remove(&client->link);
+	free(client);
+	wlr_log(WLR_DEBUG, "unpriv client destroyed");
+}
+
+static int
+on_unpriv_socket_connect(int fd, uint32_t mask, void *data)
+{
+	struct wl_display *display = data;
+
+	if (mask & (WL_EVENT_HANGUP | WL_EVENT_ERROR)) {
+		wlr_log(WLR_DEBUG, "unpriv socket going down, cleaning up");
+		unpriv_socket_finish();
+		return 0;
+	}
+
+	/* FIXME: cloexec / accept4 */
+	if (mask & WL_EVENT_READABLE) {
+		int client_fd = accept(fd, NULL, NULL);
+		if (client_fd < 0) {
+			wlr_log(WLR_ERROR, "Failed to accept unpriv client");
+			return 0;
+		};
+
+		struct unpriv_client *client = znew(*client);
+		client->wl_client = wl_client_create(display, client_fd);
+		if (!client->wl_client) {
+			wlr_log(WLR_ERROR, "Failed to create unpriv client");
+			close(client_fd);
+			free(client);
+			return 0;
+		}
+
+		wlr_log(WLR_DEBUG, "Accepted new unpriv client: %i", client_fd);
+		wl_list_append(&unpriv_socket.clients, &client->link);
+		client->on_destroy.notify = on_unpriv_client_destroy;
+		wl_client_add_destroy_listener(client->wl_client, &client->on_destroy);
+	}
+	return 0;
+}
+
+static void
+on_display_destroy(struct wl_listener *listener, void *data)
+{
+	wl_list_remove(&unpriv_socket.on_display_destroy.link);
+	unpriv_socket_finish();
+}
+
+void
+unpriv_socket_start(struct server *server)
+{
+	wl_list_init(&unpriv_socket.clients);
+
+	/* FIXME: lockfile, CLOEXEC fallback */
+
+	struct sockaddr_un addr = { .sun_family = AF_LOCAL };
+	int addr_size = snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/%s",
+		getenv("XDG_RUNTIME_DIR"), "wayland-unpriv") + 1;
+
+	if (addr_size > (int)sizeof(addr.sun_path)) {
+		addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
+		wlr_log(WLR_ERROR, "Truncated unpriv socket path to %s", addr.sun_path);
+	}
+
+	/*
+	 * TODO: use close-on-exec fallback like
+	 * https://gitlab.freedesktop.org/wayland/wayland/-/blob/main/src/wayland-os.c#L74
+	 */
+	int fd = socket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
+	if (fd < 0) {
+		wlr_log(WLR_ERROR, "Failed to create unpriv socket");
+		return;
+	}
+	unpriv_socket.listen_fd = fd;
+	wlr_log(WLR_ERROR, "Got unpriv fd: %i", fd);
+
+	/* TODO: why offsetof(addr, sun_path) + strlen(addr.sun_path) ? */
+	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+		wlr_log(WLR_ERROR, "Failed to bind unpriv socket");
+		goto error;
+	}
+	unpriv_socket.path = xstrdup(addr.sun_path);
+
+	/* A Backlog of 16 seems more than enough for a unprivileged socket */
+	if (listen(fd, 16) < 0) {
+		wlr_log(WLR_ERROR, "Failed to listen in unpriv socket");
+		goto error;
+	}
+
+	unpriv_socket.event_source = wl_event_loop_add_fd(
+		server->wl_event_loop, fd, WL_EVENT_READABLE,
+		on_unpriv_socket_connect, server->wl_display);
+	if (!unpriv_socket.event_source) {
+		wlr_log(WLR_ERROR, "Failed to add unpriv socket to loop");
+		goto error;
+	}
+
+	unpriv_socket.on_display_destroy.notify = on_display_destroy;
+	wl_display_add_destroy_listener(server->wl_display, &unpriv_socket.on_display_destroy);
+
+	wlr_log(WLR_INFO, "Unprivileged socket opened at '%s'", addr.sun_path);
+	return;
+
+error:
+	unpriv_socket_finish();
+}
+
+bool
+is_unpriv_client(const struct wl_client *wl_client)
+{
+	if (unpriv_socket.listen_fd <= 0) {
+		/* TODO: we could return true here to block the protocols for the main socket */
+		return false;
+	}
+	struct unpriv_client *unpriv_client;
+	wl_list_for_each(unpriv_client, &unpriv_socket.clients, link) {
+		if (wl_client == unpriv_client->wl_client) {
+			return true;
+		}
+	}
+	return false;
+}
diff --git a/src/server.c b/src/server.c
index c781f53d..63a7bf8c 100644
--- a/src/server.c
+++ b/src/server.c
@@ -24,6 +24,7 @@
 #include "layers.h"
 #include "menu/menu.h"
 #include "regions.h"
+#include "server-unpriv.h"
 #include "theme.h"
 #include "view.h"
 #include "workspaces.h"
@@ -180,7 +181,18 @@ server_global_filter(const struct wl_client *client, const struct wl_global *glo
 		}
 	}
 #endif
+	if (is_unpriv_client(client)) {
+		struct blocked_protocol *proto;
+		wl_list_for_each(proto, &rc.blocked_protocols, link) {
+			if (!strcmp(iface->name, proto->interface_name)) {
+				wlr_log(WLR_INFO, "blocking protocol %s",
+					proto->interface_name);
+				return false;
+			}
+		}
+	}
 
+	wlr_log(WLR_DEBUG, "protocol not blocked: %s", iface->name);
 	return true;
 }
 
@@ -477,6 +489,10 @@ server_start(struct server *server)
 	} else {
 		wlr_log(WLR_DEBUG, "WAYLAND_DISPLAY=%s", socket);
 	}
+
+	if (!wl_list_empty(&rc.blocked_protocols)) {
+		unpriv_socket_start(server);
+	}
 }
 
 void