Add wpa neverallow rule

wpa should never trust any data coming from the sdcard. Add a compile time assertion to make sure no rules are ever added allowing this access. Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6
2014-10-31 13:45:30 -07:00 · 2014-10-31 13:45:30 -07:00 · 35a4ed80a6
commit 35a4ed80a6
parent 3bcdec8a1e
1 changed files with 8 additions and 0 deletions
--- a/wpa.te
+++ b/wpa.te
@ -37,3 +37,11 @@ allow wpa keystore:keystore_key {
 userdebug_or_eng(`
  unix_socket_send(wpa, wpa, su)
 ')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow wpa sdcard_type:dir ~getattr;
+neverallow wpa sdcard_type:file *;