In pseudo-Rust, this is the difference between:

    fn convert_to_private(fd: &mut Memfd)

and

    fn convert_to_private(fd: Memfd) -> PrivateMemoryFd

This doesn't map particularly nicely to the kernel, though.

I understand these Rust semantics and the difficulty of handling races.
Probably we should not expose F_SEAL_INACCESSIBLE to userspace; instead
we can use a new in-kernel flag to indicate the same thing. That flag
should be set only when the memfd is created with MFD_INACCESSIBLE.
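To make the pseudo-Rust distinction concrete, below is an added Rust model written for this page; it is not code from the thread or from the kernel patches. The types `Inode`, `Memfd`, `Mapping` and `PrivateMemoryFd`, the functions `seal_inaccessible`, `convert_to_private` and `create_inaccessible`, and the use of `Rc` to stand in for other holders of the same file (dup'ed fds, existing mappings) are all assumptions of the example. It shows why an in-place seal on an existing fd is hard to make safe (a mapping taken before the seal keeps its access), why a consuming conversion must still refuse when other holders exist (the EBUSY-style check), and why fixing the state at creation time, as the reply proposes with MFD_INACCESSIBLE, leaves nothing to race with.

```rust
// Added illustration, not kernel code. Names below are assumptions.
use std::cell::Cell;
use std::rc::Rc;

/// Shared state behind one memfd; Rc models the file being reachable from
/// several fds or mappings at once (the kernel's struct file / inode).
struct Inode {
    data: Vec<u8>,
    inaccessible: Cell<bool>,
}

/// A memfd whose accessibility may still change after creation.
struct Memfd {
    inode: Rc<Inode>,
}

impl Memfd {
    fn create(size: usize) -> Memfd {
        // Constructed sample contents: 'A' bytes, so a read is observable.
        Memfd { inode: Rc::new(Inode { data: vec![0x41; size], inaccessible: Cell::new(false) }) }
    }
}

/// A mapping established while the memfd was accessible. It keeps its own
/// reference and is never revalidated on access, like a populated VMA.
struct Mapping {
    inode: Rc<Inode>,
}

impl Mapping {
    fn new(fd: &Memfd) -> Result<Mapping, &'static str> {
        if fd.inode.inaccessible.get() {
            return Err("EPERM: memfd is inaccessible");
        }
        Ok(Mapping { inode: Rc::clone(&fd.inode) })
    }
    fn read(&self, off: usize) -> u8 {
        self.inode.data[off]
    }
}

/// Design 1 (the `&mut Memfd` shape): flip a seal on an existing fd.
/// Nothing here can revoke mappings that already exist.
fn seal_inaccessible(fd: &mut Memfd) {
    fd.inode.inaccessible.set(true);
}

/// The result type of a successful conversion, or of inaccessible creation.
struct PrivateMemoryFd {
    inode: Rc<Inode>,
}

impl PrivateMemoryFd {
    /// Design 3 (the reply's proposal, MFD_INACCESSIBLE analogue): private
    /// from the first instruction, so no accessible handle ever existed.
    fn create_inaccessible(size: usize) -> PrivateMemoryFd {
        PrivateMemoryFd { inode: Rc::new(Inode { data: vec![0; size], inaccessible: Cell::new(true) }) }
    }
    fn is_inaccessible(&self) -> bool {
        self.inode.inaccessible.get()
    }
}

/// Design 2 (the `Memfd -> PrivateMemoryFd` shape): consume the handle.
/// Ownership covers the caller's handle only, so the conversion must still
/// refuse while anyone else (a mapping, a dup'ed fd) holds the file. In the
/// kernel this check is racy unless taken under the right locks.
fn convert_to_private(fd: Memfd) -> Result<PrivateMemoryFd, Memfd> {
    if Rc::strong_count(&fd.inode) != 1 {
        return Err(fd); // EBUSY-like: hand the unchanged fd back
    }
    fd.inode.inaccessible.set(true);
    Ok(PrivateMemoryFd { inode: fd.inode })
}

/// Design 1 failure mode: a mapping taken before the seal still reads.
fn stale_mapping_survives_seal() -> bool {
    let mut fd = Memfd::create(4);
    let early = Mapping::new(&fd).expect("accessible at creation");
    seal_inaccessible(&mut fd);
    let late_refused = Mapping::new(&fd).is_err();
    late_refused && early.read(0) == 0x41
}

/// Design 2 refuses while a mapping exists ...
fn conversion_refused_while_mapped() -> bool {
    let fd = Memfd::create(4);
    let _m = Mapping::new(&fd).expect("accessible at creation");
    convert_to_private(fd).is_err()
}

/// ... and succeeds when the caller's handle is the only one.
fn conversion_ok_when_unshared() -> bool {
    convert_to_private(Memfd::create(4)).is_ok()
}

fn main() {
    println!("stale mapping survives in-place seal: {}", stale_mapping_survives_seal());
    println!("conversion refused while mapped:      {}", conversion_refused_while_mapped());
    println!("conversion ok when unshared:          {}", conversion_ok_when_unshared());
    println!("inaccessible from creation:           {}",
             PrivateMemoryFd::create_inaccessible(4).is_inaccessible());
}
```

The type system only enforces that the caller of `convert_to_private` gives up its own handle; the `Rc::strong_count` check is what stands in for the kernel having to account for every other reference, which is exactly the part that does not map nicely onto the kernel. `PrivateMemoryFd::create_inaccessible` has no mapping API at all, which is the property the creation-time flag buys.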