In the AGL project, the two major components libweston and pipewire,
which manage display and audio respectively, use memfd to create
and pass a shared memory buffer.
The maintainers of these components are blocked by Smack security that
forbids the service running with label X to pass the file descriptor to
The links  and  point to discussions around that issue.
I believe that Tizen solved the issue by using the security manager.
Unless the policy were that memfd gets the @ or * label by default, it
appears to me that implementers using memfd in a Smack-secured system
have to add something. But what?
So let me open the discussion. I can see 3 ways of providing a solution.
1. Tag memfd-created objects with '*'. Applications are then responsible
for passing the object to clients they trust (or not).
2. Enforce use of a service to solve the issue (a security-manager).
3. Change Smack to handle the case. How? By allowing processes to
change the security.SMACK64 attribute of a file they created to some
precise values (possibly managed by transmute rules).
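
The probe below is an added example, not part of the original message and not code from libweston or pipewire. It creates a memfd, reads its security.SMACK64 label, and attempts the relabel to '*' that options 1 and 3 would rely on, recording the errno of each step. The memfd name and the struct and function names are constructed for illustration; on a kernel without Smack the xattr calls simply report an error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SMACK_XATTR "security.SMACK64"  /* attribute named in the message */
#define SMACK_LABEL_MAX 256             /* room for a 255-byte label plus NUL */

/* Outcome of probing one memfd (hypothetical helper type). */
struct memfd_probe {
    int created;                  /* 1 if memfd_create() succeeded */
    int get_errno;                /* 0 if a label was read, else errno */
    int set_errno;                /* 0 if relabel to "*" worked, else errno */
    char label[SMACK_LABEL_MAX];  /* label seen before the relabel attempt */
};

/* Create a memfd, read the label it was given, then let the creating
 * process try to set the label to "*" itself. */
static struct memfd_probe probe_memfd_label(void)
{
    struct memfd_probe r = {0};
    int fd = memfd_create("smack-probe", MFD_CLOEXEC);  /* constructed name */
    if (fd < 0) {
        r.get_errno = r.set_errno = errno;
        return r;
    }
    r.created = 1;
    ssize_t n = fgetxattr(fd, SMACK_XATTR, r.label, sizeof r.label - 1);
    if (n < 0)
        r.get_errno = errno;  /* e.g. ENODATA or ENOTSUP when Smack is not active */
    else
        r.label[n] = '\0';
    if (fsetxattr(fd, SMACK_XATTR, "*", 1, 0) < 0)
        r.set_errno = errno;  /* e.g. EPERM when the caller lacks the privilege */
    close(fd);
    return r;
}

int main(void)
{
    struct memfd_probe r = probe_memfd_label();
    if (!r.created) { printf("memfd_create: %s\n", strerror(r.get_errno)); return 1; }
    printf("label: %s\n", r.get_errno ? strerror(r.get_errno) : r.label);
    printf("relabel to '*': %s\n", r.set_errno ? strerror(r.set_errno) : "ok");
    return 0;
}
```

Running it under the label of the service that creates the buffer shows which label a receiving client would need access to, and whether the creator is allowed to relabel without help from a privileged service.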