
eCryptfs incompatibilities

Open gnoack opened this issue 1 year ago • 2 comments

https://lore.kernel.org/linux-security-module/[email protected]/

When a process accesses a file on eCryptfs, the kernel accesses the encrypted underlying file for it from a different file system, but it does so with the calling process's credentials and under the calling process's enabled Landlock policy.

More concretely speaking, if your home directory is mounted with eCryptfs and you enable a Landlock policy which permits access to ~/Documents, an access to ~/Documents/foo.txt may still be denied, because the Landlock policy does not grant access to the underlying directory with encrypted files.

gnoack, Jan 18 '24 23:01
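A diagnostic for the situation described in the issue above, as an added example that is not part of the issue or of Landlock itself: it parses text in `/proc/self/mountinfo` format and reports whether a path sits on an eCryptfs mount, and which lower directory a Landlock rule on the upper path would not cover. The function name, the sample mount lines and the paths in them are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/self/mountinfo format (not from the issue).
 * Assumption: for eCryptfs the mount-source field is the lower directory. */
static const char SAMPLE_MOUNTINFO[] =
    "25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw\n"
    "71 25 0:45 / /home/alice rw,nosuid,nodev shared:40 - ecryptfs "
    "/home/.ecryptfs/alice/.Private rw,ecryptfs_cipher=aes\n";

/* Find the mount covering `path` (longest mount point, later lines win ties).
 * Returns 1 and fills `lower` if it is eCryptfs, 0 if not, -1 if no match. */
int ecryptfs_lower_dir(const char *mountinfo, const char *path,
                       char *lower, size_t n)
{
    size_t best = 0;
    int result = -1;
    for (const char *line = mountinfo; line && *line; ) {
        char mnt[256], fstype[32], src[256];
        const char *eol = strchr(line, '\n');
        const char *sep = strstr(line, " - ");  /* optional fields end here */
        if (sep && (!eol || sep < eol) &&
            sscanf(line, "%*d %*d %*s %*s %255s", mnt) == 1 &&
            sscanf(sep + 3, "%31s %255s", fstype, src) == 2) {
            size_t len = strlen(mnt);
            /* Whole components only: /home/alice must not cover /home/alicia. */
            int covers = strncmp(path, mnt, len) == 0 &&
                         (len == 1 || path[len] == '/' || path[len] == '\0');
            if (covers && len >= best) {
                best = len;
                result = strcmp(fstype, "ecryptfs") == 0;
                if (result)
                    snprintf(lower, n, "%s", src);
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return result;
}

int main(void)
{
    char lower[256];
    const char *p = "/home/alice/Documents/foo.txt";
    if (ecryptfs_lower_dir(SAMPLE_MOUNTINFO, p, lower, sizeof lower) == 1)
        printf("%s: eCryptfs, lower dir %s\n", p, lower);
    return 0;
}
```

On a live system the same function can be fed the contents of `/proc/self/mountinfo` before the Landlock policy is enforced.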

eCryptfs has a design problem which makes it incompatible with other LSMs. It is planned to be removed in 2025.

l0kod, Jan 31 '24 09:01

Cc @tyhicks

l0kod, Jan 31 '24 09:01