Add wpa neverallow rule
wpa should never trust any data coming from the sdcard. Add a
compile-time assertion to make sure no rules are ever added
allowing this access.
Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6
diff --git a/wpa.te b/wpa.te
index 7b1a875..d6fae63 100644
--- a/wpa.te
+++ b/wpa.te
@@ -37,3 +37,11 @@
userdebug_or_eng(`
unix_socket_send(wpa, wpa, su)
')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow wpa sdcard_type:dir ~getattr;
+neverallow wpa sdcard_type:file *;
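Review bot: The two neverallow lines at the end of the hunk cover only the dir and file classes, so a later rule granting wpa access to sdcard_type objects of class lnk_file, sock_file or fifo_file would still pass the compile-time check. If the intent is that wpa trusts no data from the sdcard, consider widening the second rule, for example `neverallow wpa sdcard_type:{ file lnk_file sock_file fifo_file } *;`. The dir rule also exempts getattr through `~getattr`, while the comment above it says "any data"; a one-line comment stating why getattr on directories is left open would make the exception clear to the next reader.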