Ecrypt Fs Problem
🐞 Bug
EcryptFs is an encrypted overlay file system.
When a file on EcryptFs is accessed, this implicitly performs a separate file access to the encrypted file on the underlying file system. This additional access also happens on behalf of the same process and is subject to the same Landlock file access policies.
Example:
- Landlock policy permits reading `~/.bashrc`, but nothing else.
- Process attempts to open `.bashrc`.
- EcryptFs opens an encrypted version of that file on the underlying file system.
- ⚡ This file access fails: only `.bashrc` is accessible by policy, not the backing file.
There is no good workaround known, other than not using EcryptFs.
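
A pre-flight check can at least make the failure visible before a policy is enforced. The following is an added example, not code from this page or from the Landlock project: it uses `statfs(2)` to flag policy paths that live on EcryptFs. The helper names are hypothetical, and the magic number is the value of `ECRYPTFS_SUPER_MAGIC` from `<linux/magic.h>`.

```c
/* Added example: flag Landlock policy paths that live on EcryptFs. */
#include <stddef.h>
#include <stdio.h>
#include <sys/vfs.h>

/* Same value as ECRYPTFS_SUPER_MAGIC in <linux/magic.h>. */
#ifndef ECRYPTFS_SUPER_MAGIC
#define ECRYPTFS_SUPER_MAGIC 0xf15f
#endif

/* Pure check on a statfs f_type value. */
int is_ecryptfs_magic(unsigned long f_type)
{
    return f_type == ECRYPTFS_SUPER_MAGIC;
}

/* Returns 1 if path is on EcryptFs, 0 if it is not, -1 if statfs failed. */
int path_on_ecryptfs(const char *path)
{
    struct statfs sfs;

    if (statfs(path, &sfs) != 0)
        return -1;
    return is_ecryptfs_magic((unsigned long)sfs.f_type);
}

/* Hypothetical helper: warn about each policy path on EcryptFs and
 * return how many were found. Paths that cannot be checked are reported
 * but not counted. */
size_t audit_policy_paths(const char *const *paths, size_t n)
{
    size_t hits = 0;

    for (size_t i = 0; i < n; i++) {
        int r = path_on_ecryptfs(paths[i]);

        if (r == 1) {
            fprintf(stderr, "warning: %s is on EcryptFs; access to its "
                    "backing file will be denied by the policy\n", paths[i]);
            hits++;
        } else if (r < 0) {
            perror(paths[i]);
        }
    }
    return hits;
}

int main(int argc, char **argv)
{
    size_t n = argc > 1 ? (size_t)(argc - 1) : 0;

    /* Exit status 1 if any given path is on EcryptFs. */
    return audit_policy_paths((const char *const *)(argv + 1), n) > 0;
}
```

Run it with the paths the policy is about to allow; it only detects the condition described above and does not work around it.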