When a process accesses a file on eCryptfs, the kernel accesses the encrypted underlying file for it on a different file system, but it does so with the calling process's credentials and under the calling process's enabled Landlock policy.
More concretely, if your home directory is mounted with eCryptfs and you enable a Landlock policy which permits access to ~/Documents, an access to ~/Documents/foo.txt may still be denied, because the Landlock policy does not grant access to the underlying directory holding the encrypted files.
https://lore.kernel.org/linux-security-module/c1c9c688-c64d-adf2-cc96-dc2aaaae5944@digikod.net/
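To account for this when building a Landlock allow-list, here is an added example (not from the mailing-list post) that reads the eCryptfs mounts out of /proc/self/mountinfo-style text and adds each affected mount's lower directory to the set of paths that will be opened and passed to landlock_add_rule. The mountinfo sample and the lower directory /home/.ecryptfs/alice/.Private are constructed, assumed values.

```python
"""Expand a Landlock allow-list so that paths on an eCryptfs mount also cover
the lower (encrypted) directory the kernel accesses on the process's behalf."""
import os

# Constructed sample of /proc/self/mountinfo: an ext4 root and an eCryptfs home.
# The lower directory /home/.ecryptfs/alice/.Private is an assumed location.
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
60 25 0:45 / /home/alice rw,nosuid,nodev,relatime shared:30 - ecryptfs /home/.ecryptfs/alice/.Private rw,ecryptfs_fnek_sig=0123456789abcdef
"""


def ecryptfs_mounts(mountinfo: str) -> dict:
    """Map each eCryptfs mount point to its lower directory (the mount source).

    mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    """
    mounts = {}
    for line in mountinfo.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")  # " - " separates optional fields from fstype
        fields = pre.split()
        fstype, source = post.split()[:2]
        if fstype == "ecryptfs":
            mounts[fields[4]] = source
    return mounts


def covered_by(mount_point: str, path: str) -> bool:
    """True if path is the mount point itself or lies beneath it."""
    return path == mount_point or path.startswith(mount_point.rstrip("/") + "/")


def expand_landlock_paths(allowed: list, mountinfo: str) -> list:
    """For every allowed path on an eCryptfs mount, also allow the whole lower
    directory. Lower-tree file names are encrypted, so the extra rule cannot be
    narrowed to the single subdirectory (e.g. Documents) the caller asked for."""
    lower_dirs = ecryptfs_mounts(mountinfo)
    expanded = list(dict.fromkeys(os.path.normpath(p) for p in allowed))
    for path in list(expanded):
        for mount_point, lower in lower_dirs.items():
            if covered_by(mount_point, path) and lower not in expanded:
                expanded.append(lower)
    return expanded
```

Granting the lower directory widens the sandbox to every encrypted file on that mount, so weigh that against keeping the Landlock rule narrow.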