diff -ur libvirt-9.0.0.orig/src/qemu/qemu_command.c libvirt-9.0.0/src/qemu/qemu_command.c
--- libvirt-9.0.0.orig/src/qemu/qemu_command.c	2023-02-08 18:27:57.203025166 +0100
+++ libvirt-9.0.0/src/qemu/qemu_command.c	2023-02-08 18:28:12.916022463 +0100
@@ -7880,6 +7880,10 @@
             virCommandAddEnvPair(cmd, "SASL_CONF_PATH", cfg->vncSASLdir);
 
         /* TODO: Support ACLs later */
+
+        if (cfg->vncACL)
+           virBufferAddLit(&opt, ",acl");
+
     }
 
     if (graphics->data.vnc.powerControl != VIR_TRISTATE_BOOL_ABSENT) {
diff -ur libvirt-9.0.0.orig/src/qemu/qemu_conf.c libvirt-9.0.0/src/qemu/qemu_conf.c
--- libvirt-9.0.0.orig/src/qemu/qemu_conf.c	2023-02-08 18:27:57.204025166 +0100
+++ libvirt-9.0.0/src/qemu/qemu_conf.c	2023-02-08 18:28:12.917022463 +0100
@@ -444,6 +444,8 @@
         return -1;
     if (virConfGetValueBool(conf, "vnc_allow_host_audio", &cfg->vncAllowHostAudio) < 0)
         return -1;
+    if (virConfGetValueBool(conf, "vnc_acl", &cfg->vncACL) < 0)
+        return -1;
 
     if (cfg->vncPassword &&
         strlen(cfg->vncPassword) > 8) {
diff -ur libvirt-9.0.0.orig/src/qemu/qemu_conf.h libvirt-9.0.0/src/qemu/qemu_conf.h
--- libvirt-9.0.0.orig/src/qemu/qemu_conf.h	2023-02-08 18:27:57.204025166 +0100
+++ libvirt-9.0.0/src/qemu/qemu_conf.h	2023-02-08 18:28:12.917022463 +0100
@@ -119,6 +119,7 @@
     bool vncTLSx509verify;
     bool vncTLSx509verifyPresent;
     bool vncSASL;
+    bool vncACL;
     char *vncTLSx509certdir;
     char *vncTLSx509secretUUID;
     char *vncListen;
diff -ur libvirt-9.0.0.orig/src/qemu/qemu.conf.in libvirt-9.0.0/src/qemu/qemu.conf.in
--- libvirt-9.0.0.orig/src/qemu/qemu.conf.in	2023-02-08 18:27:57.202025167 +0100
+++ libvirt-9.0.0/src/qemu/qemu.conf.in	2023-02-08 18:28:12.917022463 +0100
@@ -147,6 +147,15 @@
 #vnc_sasl = 1
 
 
+# Enable the VNC access control lists. When switched on this will
+# initially block all vnc users from accessing the vnc server. To
+# add and remove ids from the ACLs you will need to send the appropriate
+# commands to the qemu monitor as required by your particular version of
+# QEMU. See the QEMU documentation for more details.
+#
+# vnc_acl = 1
+
+
 # The default SASL configuration file is located in /etc/sasl/
 # When running libvirtd unprivileged, it may be desirable to
 # override the configs in this location. Set this parameter to