Is it possible to tell Xorg not to listen on the abstract socket?
I found the answer while I was writing the question, so I might as well post both in case that's some help to someone.
X -nolisten abstract
is accepted but doesn't work.
X -nolisten local
seems to work. I would have expected that one to disable all Unix domain sockets, but it doesn't. It disables the abstract namespace one only.
As noted by @imz--IvanZakharyaschev, and as confirmed by reading the code (https://cgit.freedesktop.org/xorg/lib/libxtrans/tree/Xtrans.c?id=c4262efc9688e495261d8b23a12f956ab38e006f#n99 -> https://cgit.freedesktop.org/xorg/lib/libxtrans/tree/Xtranssock.c?id=c4262efc9688e495261d8b23a12f956ab38e006f#n2532), to disable Unix-domain sockets, it's -nolisten unix.
In addition to the already given answer: if you want to apply this change to your system, consider looking at these files:
For plain "xinit": /etc/X11/xinit/xserverrc:
#!/bin/sh
exec /usr/bin/X -nolisten tcp -nolisten local "$@"
For "lightdm": /etc/lightdm/lightdm.conf.d/50-X-no-listen.conf
[Seat:*]
xserver-command=X -nolisten tcp -nolisten local
All credits go to this blog post: https://tstarling.com/blog/2016/06/x11-security-isolation/ (Thanks a lot for it!)
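To check that the setting took effect after restarting X, the following added example (not part of either answer above) lists the X11 sockets that are still listening, split into abstract and filesystem ones. It assumes Linux, where /proc/net/unix shows abstract names with a leading "@", and display sockets named /tmp/.X11-unix/X<n>; the function names and the sample rows are constructed for this example.

```shell
#!/bin/sh
# List listening X11 Unix-domain sockets found in /proc/net/unix-format input.
# Prints one line per socket: "<abstract|filesystem> :<display>".
# Usage: x11_unix_listeners [file]   ("-" reads stdin; default /proc/net/unix)
x11_unix_listeners() {
    awk '
        NR == 1 { next }               # column header line
        $4 != "00010000" { next }      # Flags column: __SO_ACCEPTCON, set only while listening
        $8 ~ /^@?\/tmp\/\.X11-unix\/X[0-9]+$/ {
            # A leading "@" in the Path column marks the abstract namespace
            kind = ($8 ~ /^@/) ? "abstract" : "filesystem"
            display = $8
            sub(/^.*\/X/, "", display)  # keep only the display number
            print kind " :" display
        }
    ' "${1:-/proc/net/unix}"
}

# Exit status 0 if no abstract X11 listener is present, 1 otherwise.
x11_abstract_closed() {
    ! x11_unix_listeners "$@" | grep -q '^abstract '
}

# Constructed sample (not captured from a real host): display :0 still has its
# abstract listener, display :1 does not; one connected socket and one
# unrelated listener are included to show that they are ignored.
sample_proc_net_unix() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20001 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20002 /tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 20003 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20004 /tmp/.X11-unix/X1
0000000000000000: 00000002 00000000 00010000 0001 01 20005 /run/dbus/system_bus_socket
EOF
}

# Demonstration on the constructed sample; call x11_unix_listeners with no
# argument to inspect the running system instead.
sample_proc_net_unix | x11_unix_listeners -
```

On a live system, run x11_unix_listeners with no argument; a display started with -nolisten local should show only a "filesystem" line, and x11_abstract_closed can serve as a pass/fail check in a hardening script.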