Add wpa neverallow rule
wpa should never trust any data coming from the sdcard. Add a compile time assertion to make sure no rules are ever added allowing this access. Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6
This commit is contained in:
Nick Kralevich
parent
3bcdec8a1e
commit
35a4ed80a6
1 changed files with 8 additions and 0 deletions
8
wpa.te
8
wpa.te
|
|
@ -37,3 +37,11 @@ allow wpa keystore:keystore_key {
|
|||
userdebug_or_eng(`
|
||||
unix_socket_send(wpa, wpa, su)
|
||||
')
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
||||
# wpa_supplicant should not trust any data from sdcards
|
||||
neverallow wpa sdcard_type:dir ~getattr;
|
||||
neverallow wpa sdcard_type:file *;
|
||||
|
|
|
|||
Loading…
Reference in a new issue