> Just curious, why not have a (presumely small) "input server" that would run as root instead of having the whole X server run as root? That server would just serve as an interface to the input devices and implement the equivalent of revoke(), but from userspace.
Perhaps s/root/a privileged but non-root user/ ? And I'm not sure that revoke() would be necessary here, it might be enough just to only allow one process access at a time, and to rely on that process to voluntarily relinquish access. After all, that is what is happening for the graphics part.
This might also be another step along the Wayland path to where the X server is a simple user-space application and the input and graphics hardware is managed elsewhere.