Comment 27 for bug 1305335

ecryptfs_unlocked_ioctl gets passed the (higher) target file struct as the first argument, the command as the second, and the source file descriptor as the third argument. It looks like the source file descriptor has already been converted to the lower file if it is associated with a higher file inside an ecryptfs mount. This makes it harder to compare the mountpoints of the source and target to see if the clone should be allowed - you'd need to figure out if the source file descriptor is associated with a higher file then compare that higher file with the (higher) target file to see if they have the same mountpoint. I'm not sure how to do that - there aren't many comments in the ecryptfs code.