1 files changed, 17 insertions, 1 deletions

diff --git a/ext4_utils/ext4_crypt_init_extensions.cpp b/ext4_utils/ext4_crypt_init_extensions.cpp
index 2bf88012..35a1c219 100644
--- a/ext4_utils/ext4_crypt_init_extensions.cpp
+++ b/ext4_utils/ext4_crypt_init_extensions.cpp
@@ -41,6 +41,8 @@
 static const std::string arbitrary_sequence_number = "42";
 static const int vold_command_timeout_ms = 60 * 1000;
 
+static int set_system_de_policy_on(char const* dir);
+
 int e4crypt_install_keyring()
 {
     key_serial_t device_keyring = add_key("keyring", "e4crypt", 0, 0,
@@ -58,11 +60,22 @@ int e4crypt_install_keyring()
 
 int e4crypt_set_directory_policy(const char* dir)
 {
+    if (!dir || strncmp(dir, "/data/", 6)) {
+        return 0;
+    }
+
+    // Special-case /data/media/obb per b/64566063
+    if (strcmp(dir, "/data/media/obb") == 0) {
+        // Try to set policy on this directory, but if it is non-empty this may fail.
+        set_system_de_policy_on(dir);
+        return 0;
+    }
+
     // Only set policy on first level /data directories
     // To make this less restrictive, consider using a policy file.
     // However this is overkill for as long as the policy is simply
     // to apply a global policy to all /data folders created via makedir
-    if (!dir || strncmp(dir, "/data/", 6) || strchr(dir + 6, '/')) {
+    if (strchr(dir + 6, '/')) {
         return 0;
     }
 
@@ -83,7 +96,10 @@ int e4crypt_set_directory_policy(const char* dir)
             return 0;
         }
     }
+    return set_system_de_policy_on(dir);
+}
 
+static int set_system_de_policy_on(char const* dir) {
     std::string ref_filename = std::string("/data") + e4crypt_key_ref;
     std::string policy;
     if (!android::base::ReadFileToString(ref_filename, &policy)) {