From 35a4ed80a68d71df2cf138d17ea09fd782a1d73e Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 31 Oct 2014 13:45:30 -0700
Subject: [PATCH] Add wpa neverallow rule

wpa should never trust any data coming from the sdcard. Add a compile time assertion to make sure no rules are ever added allowing this access.

Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6
---
 wpa.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/wpa.te b/wpa.te
index 7b1a8751d..d6fae6390 100644
--- a/wpa.te
+++ b/wpa.te
@@ -37,3 +37,11 @@ allow wpa keystore:keystore_key {
 userdebug_or_eng(`
 unix_socket_send(wpa, wpa, su)
 ')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow wpa sdcard_type:dir ~getattr;
+neverallow wpa sdcard_type:file *;
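Review bot: The two assertions at the end of the hunk cover only the `dir` and `file` classes, so a later allow rule giving wpa access to symlinks, sockets or FIFOs labelled `sdcard_type` would still compile even though the comment says no sdcard data should be trusted. If nothing in the existing policy already grants such access, the second rule could be widened to `neverallow wpa sdcard_type:{ file lnk_file sock_file fifo_file } *;`. The `~getattr` exception on directories is also unexplained. A short comment saying why getattr is tolerated would help the next maintainer, who might otherwise copy the exception to the file rule; presumably it avoids tripping an existing rule, which should be confirmed.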