diff options
-rw-r--r-- | ext4_utils/ext4_crypt_init_extensions.cpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/ext4_utils/ext4_crypt_init_extensions.cpp b/ext4_utils/ext4_crypt_init_extensions.cpp index 2bf88012..35a1c219 100644 --- a/ext4_utils/ext4_crypt_init_extensions.cpp +++ b/ext4_utils/ext4_crypt_init_extensions.cpp @@ -41,6 +41,8 @@ static const std::string arbitrary_sequence_number = "42"; static const int vold_command_timeout_ms = 60 * 1000; +static int set_system_de_policy_on(char const* dir); + int e4crypt_install_keyring() { key_serial_t device_keyring = add_key("keyring", "e4crypt", 0, 0, @@ -58,11 +60,22 @@ int e4crypt_install_keyring() int e4crypt_set_directory_policy(const char* dir) { + if (!dir || strncmp(dir, "/data/", 6)) { + return 0; + } + + // Special-case /data/media/obb per b/64566063 + if (strcmp(dir, "/data/media/obb") == 0) { + // Try to set policy on this directory, but if it is non-empty this may fail. + set_system_de_policy_on(dir); + return 0; + } + // Only set policy on first level /data directories // To make this less restrictive, consider using a policy file. // However this is overkill for as long as the policy is simply // to apply a global policy to all /data folders created via makedir - if (!dir || strncmp(dir, "/data/", 6) || strchr(dir + 6, '/')) { + if (strchr(dir + 6, '/')) { return 0; } @@ -83,7 +96,10 @@ int e4crypt_set_directory_policy(const char* dir) return 0; } } + return set_system_de_policy_on(dir); +} +static int set_system_de_policy_on(char const* dir) { std::string ref_filename = std::string("/data") + e4crypt_key_ref; std::string policy; if (!android::base::ReadFileToString(ref_filename, &policy)) { |