authorEric Biggers <ebiggers@google.com>2019-09-13 11:07:42 -0700
committerEric Biggers <ebiggers@google.com>2019-09-30 10:26:12 -0700
commit17115c7725f56b68f5117d6f4cd6eb68a99ad406 (patch)
treef96fe8d7ff4ba6939b7e0f093763b33dce3b2a55 /libfscrypt/include/fscrypt
parent0888874bb4a645dc5c6cacd0be17d83ae1cad168 (diff)
libfscrypt: support setting v2 encryption policies
Update libfscrypt to support setting v2 encryption policies. For this, the ioctl to use is still FS_IOC_SET_ENCRYPTION_POLICY; we just need to pass it a slightly different structure. v2 policies support the same encryption modes and flags as v1 policies, but internally they use a more standard, secure, and flexible KDF. Due to this, some future features will be supported by v2 policies only. Other notes: - Use 16 byte filenames padding for all v2 policies. There's no need to use the legacy 4 bytes padding. - Unlike v1 policies, setting a v2 policy requires CAP_FOWNER if the key hasn't been installed. This isn't an issue for Android, however -- Android always installs the keys first, and even if it didn't, policies are only set by init and vold, which have CAP_FOWNER. Bug: 140500999 Test: tested as series; see If64028d8580584b2c33c614cabd5d6b93657f608 Change-Id: I325f75fd3e59d6f00a5c66938b99b127981183a5
Diffstat (limited to 'libfscrypt/include/fscrypt')
-rw-r--r--libfscrypt/include/fscrypt/fscrypt.h7
1 files changed, 3 insertions, 4 deletions
diff --git a/libfscrypt/include/fscrypt/fscrypt.h b/libfscrypt/include/fscrypt/fscrypt.h
index ff82d47a..13358bb7 100644
--- a/libfscrypt/include/fscrypt/fscrypt.h
+++ b/libfscrypt/include/fscrypt/fscrypt.h
@@ -25,10 +25,9 @@ __BEGIN_DECLS
bool fscrypt_is_native();
-int fscrypt_policy_ensure(const char *directory, const char *policy,
- size_t policy_length,
- const char *contents_encryption_mode,
- const char *filenames_encryption_mode);
+int fscrypt_policy_ensure(const char* directory, const char* key_raw_ref, size_t key_raw_ref_length,
+ const char* contents_encryption_mode,
+ const char* filenames_encryption_mode, int policy_version);
static const char* fscrypt_unencrypted_folder = "/unencrypted";
static const char* fscrypt_key_ref = "/unencrypted/ref";
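Review bot: The new `fscrypt_policy_ensure` prototype has no comment stating its contract, although it now takes a binary key reference as `const char* key_raw_ref` plus a length and a bare `int policy_version`. Callers cannot tell from the header which versions are accepted or what `key_raw_ref_length` must be for each. In the kernel UAPI a v1 key descriptor is `FSCRYPT_KEY_DESCRIPTOR_SIZE` (8) bytes and a v2 key identifier is `FSCRYPT_KEY_IDENTIFIER_SIZE` (16) bytes. I would add above the declaration something like `/* key_raw_ref: raw (not NUL-terminated) key descriptor (v1) or key identifier (v2); key_raw_ref_length must match the size for policy_version. */` and `/* Returns 0 on success, nonzero on failure; an unknown policy_version or mismatched length is rejected. */`. The implementation is outside this diff, which is limited to the include directory, so it is worth confirming that it does reject a length/version mismatch rather than truncating or padding the reference. Typing the reference as `const uint8_t*` or `const void*` would also make clear that it is not a C string.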