In the AGL project, the two major components libweston and pipewire,
managing respectively display and audio, are using memfd for creating
and passing a shared memory buffer.
The maintainers of these components are blocked by Smack security that
forbids the service running with label X to pass the file descriptor to
The links  and  point to discussions around that issue.
I believe that Tizen solved the issue by using the security manager.
Except if the policy were that memfd gets @ or * label by default, it
appears to me that implementers using memfd in a Smack-secured system
have to add something. But what?
So let me open the discussion. I can see 3 ways of providing a solution.

1. Tag the memfd-created object with '*'. Then applications are responsible
for passing the object to clients they trust (or not).
2. Enforce use of a service to solve the issue (a security-manager).
3. Change Smack to handle the case. How? By allowing processes to
change the security.SMACK64 attribute of the file they created to some
precise values (possibly managed by transmute rules).
On 4/6/2020 5:02 AM, Jordan Glover wrote:
> Hello, during the build of Linux 5.6.2 (also happened on the 5.5.x series)
> gcc (9.3) prints the following warning:
> security/smack/smack_lsm.c: In function ‘smack_socket_connect’:
> security/smack/smack_lsm.c:2838:24: warning: unused variable ‘sip’ [-Wunused-variable]
> 2838 | struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
> My kernel has set CONFIG_IPV6=n during build.
Thank you for reporting this.