diff --git a/include/labwc.h b/include/labwc.h
index 511fdd65..a0dc7fa3 100644
--- a/include/labwc.h
+++ b/include/labwc.h
@@ -298,6 +298,7 @@ struct server {
 
 	struct wlr_tablet_manager_v2 *tablet_manager;
 	struct wlr_security_context_manager_v1 *security_context_manager_v1;
+	struct ext_socket_manager_v1 *ext_socket_manager_v1;
 
 	/* Set when in cycle (alt-tab) mode */
 	struct cycle_state cycle;
diff --git a/include/protocols/ext_socket_manager_v1.h b/include/protocols/ext_socket_manager_v1.h
new file mode 100644
index 00000000..22dab9be
--- /dev/null
+++ b/include/protocols/ext_socket_manager_v1.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+#ifndef LABWC_PROTOCOLS_EXT_SOCKET_MANAGER_H
+#define LABWC_PROTOCOLS_EXT_SOCKET_MANAGER_H
+
+#include <wayland-server-core.h>
+
+struct ext_socket_manager_v1 {
+	struct wl_global *global;
+
+	struct {
+		struct wl_signal destroy;
+		struct wl_signal register_socket;
+	} events;
+
+	struct wl_listener display_destroy;
+};
+
+struct ext_socket_manager_v1 *ext_socket_manager_v1_create(
+	struct wl_display *display);
+
+#endif
diff --git a/protocols/ext-socket-manager-unstable-v1.xml b/protocols/ext-socket-manager-unstable-v1.xml
new file mode 100644
index 00000000..82be66cf
--- /dev/null
+++ b/protocols/ext-socket-manager-unstable-v1.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="ext_socket_manager_unstable_v1">
+  <copyright>
+    Copyright © 2026 Tobias Bengfort
+
+    Permission to use, copy, modify, distribute, and sell this
+    software and its documentation for any purpose is hereby granted
+    without fee, provided that the above copyright notice appear in
+    all copies and that both that copyright notice and this permission
+    notice appear in supporting documentation, and that the name of
+    the copyright holders not be used in advertising or publicity
+    pertaining to distribution of the software without specific,
+    written prior permission.  The copyright holders make no
+    representations about the suitability of this software for any
+    purpose.  It is provided "as is" without express or implied
+    warranty.
+
+    THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+    SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+    FITNESS, IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY
+    SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+    AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+    ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+    THIS SOFTWARE.
+  </copyright>
+
+  <interface name="ext_socket_manager_v1" version="1">
+    <description summary="register privileged sockets">
+      If a client has received a privileged socket via WAYLAND_SOCKET, it can
+      use this interface to register additional privileged sockets to pass to
+      child processes.
+    </description>
+
+    <request name="destroy" type="destructor">
+      <description summary="destroy the manager object">
+        Destroy the manager. This doesn't destroy objects created with the
+        manager.
+      </description>
+    </request>
+
+    <request name="register_socket">
+      <description summary="register a socket with the same permissions as the current one">
+        Registers a new socket with the same privileges as the current one.
+        The socket must be created by the client. After registraton, it can then
+        be passed to a child process via WAYLAND_SOCKET.
+      </description>
+      <arg name="fd" type="fd"/>
+    </request>
+  </interface>
+</protocol>
diff --git a/protocols/meson.build b/protocols/meson.build
index 928bd601..c28f693b 100644
--- a/protocols/meson.build
+++ b/protocols/meson.build
@@ -16,6 +16,7 @@ wayland_scanner_server = generator(
 server_protocols = [
 	'wlr-layer-shell-unstable-v1.xml',
 	'wlr-output-power-management-unstable-v1.xml',
+	'ext-socket-manager-unstable-v1.xml',
 ]
 
 server_protos_src = []
diff --git a/src/meson.build b/src/meson.build
index 27056552..dfd23a52 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -56,5 +56,6 @@ subdir('foreign-toplevel')
 subdir('img')
 subdir('input')
 subdir('menu')
+subdir('protocols')
 subdir('scaled-buffer')
 subdir('ssd')
diff --git a/src/protocols/ext-socket-manager/ext_socket_manager_v1.c b/src/protocols/ext-socket-manager/ext_socket_manager_v1.c
new file mode 100644
index 00000000..9b833e90
--- /dev/null
+++ b/src/protocols/ext-socket-manager/ext_socket_manager_v1.c
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <stdlib.h>
+#include <protocols/ext_socket_manager_v1.h>
+#include "permissions.h"
+#include "ext-socket-manager-unstable-v1-protocol.h"
+
+#define EXT_SOCKET_MANAGER_V1_VERSION 1
+
+static void
+manager_handle_destroy(struct wl_client *client, struct wl_resource *resource)
+{
+	wl_resource_destroy(resource);
+}
+
+static void
+manager_handle_register_socket(struct wl_client *client,
+		struct wl_resource *manager_resource, int fd)
+{
+	permissions_context_clone(client, fd);
+}
+
+static const struct ext_socket_manager_v1_interface manager_impl = {
+	.destroy = manager_handle_destroy,
+	.register_socket = manager_handle_register_socket,
+};
+
+static void
+manager_bind(struct wl_client *client, void *data, uint32_t version, uint32_t id)
+{
+	struct ext_socket_manager_v1 *manager = data;
+
+	struct wl_resource *resource =
+		wl_resource_create(client, &ext_socket_manager_v1_interface, version, id);
+	if (!resource) {
+		wl_client_post_no_memory(client);
+		return;
+	}
+	wl_resource_set_implementation(resource, &manager_impl, manager, NULL);
+}
+
+static void
+handle_display_destroy(struct wl_listener *listener, void *data)
+{
+	struct ext_socket_manager_v1 *manager =
+		wl_container_of(listener, manager, display_destroy);
+	wl_signal_emit_mutable(&manager->events.destroy, manager);
+
+	wl_global_destroy(manager->global);
+	wl_list_remove(&manager->display_destroy.link);
+	free(manager);
+}
+
+struct ext_socket_manager_v1 *
+ext_socket_manager_v1_create(struct wl_display *display)
+{
+	struct ext_socket_manager_v1 *manager = calloc(1, sizeof(*manager));
+	if (!manager) {
+		return NULL;
+	}
+
+	manager->global = wl_global_create(display,
+		&ext_socket_manager_v1_interface,
+		EXT_SOCKET_MANAGER_V1_VERSION, manager, manager_bind);
+	if (!manager->global) {
+		free(manager);
+		return NULL;
+	}
+
+	wl_signal_init(&manager->events.destroy);
+	wl_signal_init(&manager->events.register_socket);
+
+	manager->display_destroy.notify = handle_display_destroy;
+	wl_display_add_destroy_listener(display, &manager->display_destroy);
+
+	return manager;
+}
diff --git a/src/protocols/ext-socket-manager/meson.build b/src/protocols/ext-socket-manager/meson.build
new file mode 100644
index 00000000..5922e64e
--- /dev/null
+++ b/src/protocols/ext-socket-manager/meson.build
@@ -0,0 +1,3 @@
+labwc_sources += files(
+  'ext_socket_manager_v1.c',
+)
diff --git a/src/protocols/meson.build b/src/protocols/meson.build
new file mode 100644
index 00000000..d42d84b4
--- /dev/null
+++ b/src/protocols/meson.build
@@ -0,0 +1 @@
+subdir('ext-socket-manager')
diff --git a/src/server.c b/src/server.c
index 767ca8d6..aee12905 100644
--- a/src/server.c
+++ b/src/server.c
@@ -76,6 +76,7 @@
 #include "view.h"
 #include "workspaces.h"
 #include "xwayland.h"
+#include "protocols/ext_socket_manager_v1.h"
 
 #define LAB_EXT_DATA_CONTROL_VERSION 1
 #define LAB_EXT_FOREIGN_TOPLEVEL_LIST_VERSION 1
@@ -263,6 +264,7 @@ allow_for_sandbox(const struct wlr_security_context_v1_state *security_state,
 		"zwp_idle_inhibit_manager_v1",
 		"zwp_pointer_constraints_v1",
 		"zxdg_output_manager_v1",
+		"ext_socket_manager_v1",
 	};
 
 	for (size_t i = 0; i < ARRAY_SIZE(allowed_protocols); i++) {
@@ -688,6 +690,8 @@ server_init(void)
 		LAB_EXT_DATA_CONTROL_VERSION);
 	server.security_context_manager_v1 =
 		wlr_security_context_manager_v1_create(server.wl_display);
+	server.ext_socket_manager_v1 =
+		ext_socket_manager_v1_create(server.wl_display);
 	wlr_viewporter_create(server.wl_display);
 	wlr_single_pixel_buffer_manager_v1_create(server.wl_display);
 	wlr_fractional_scale_manager_v1_create(server.wl_display,