Add and use prepare_dir_with_policy() helper function

Having prepare_dir() and EnsurePolicy() be separate operations is
error-prone; it lengthens the window of time that files could
accidentally be created in new directories before they are encrypted,
and it makes it easier to accidentally never encrypt a directory.

To partially address this, add a function prepare_dir_with_policy() that
combines the two steps, and use it everywhere possible.  This function
is now the only place in vold that calls EnsurePolicy().

As a follow-up change, we could go a bit further and make this helper
function create the directory under a temporary name and move it into
place already-encrypted.  This change just focuses on getting the helper
function in place, without changing the behavior too much.

Change-Id: I98ab345df235120db6727f7dbe0da6a8b6ef2579