diff --git a/public/ioctl_defines b/public/ioctl_defines
index 62d45ab1c..1dd2e3db7 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -827,6 +827,7 @@ define(`FS_IOC_ENABLE_VERITY', `0x6685')
 define(`FS_IOC_FIEMAP', `0xc020660b')
 define(`FS_IOC_FSGETXATTR', `0x801c581f')
 define(`FS_IOC_FSSETXATTR', `0x401c5820')
+define(`FS_IOC_GET_ENCRYPTION_KEY_STATUS', `0xc080661a')
 define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/vold.te b/public/vold.te
index 209bf4941..3d204e1b0 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -51,6 +51,7 @@ allowxperm vold data_file_type:dir ioctl {
   FS_IOC_SET_ENCRYPTION_POLICY
   FS_IOC_ADD_ENCRYPTION_KEY
   FS_IOC_REMOVE_ENCRYPTION_KEY
+  FS_IOC_GET_ENCRYPTION_KEY_STATUS
 };
 
 # Only vold and init should ever set file-based encryption policies.
@@ -65,7 +66,7 @@ neverallowxperm {
 neverallowxperm {
   domain
   -vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
 
 # Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
 # tried first. Otherwise, FS_IOC_FIEMAP is needed to get the