diff --git a/wpa.te b/wpa.te
index 7b1a8751d6faa56eff5b522a2a02f8ff07e5fdb6..d6fae63909f4d6a612b770af803d923cab36d802 100644
--- a/wpa.te
+++ b/wpa.te
@@ -37,3 +37,11 @@ allow wpa keystore:keystore_key {
 userdebug_or_eng(`
   unix_socket_send(wpa, wpa, su)
 ')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow wpa sdcard_type:dir ~getattr;
+neverallow wpa sdcard_type:file *;
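Review bot: The two new assertions at the end of the file cover only the `dir` and `file` classes, so a later allow rule that gives wpa access to `sdcard_type:lnk_file`, `sock_file` or `fifo_file` would still compile, even though the comment says no sdcard data is trusted. If that gap is not intended, add `neverallow wpa sdcard_type:{ lnk_file sock_file fifo_file } *;`. Whether this builds cleanly depends on allow rules outside this hunk, such as domain-wide grants, so it needs a policy build to confirm. The comment should also say why `getattr` on directories is exempted, for example `# getattr on dirs is left open so stat() of a mount point is not a violation`, if that is the reason. It is worth noting in the comment as well that these are build-time assertions on the policy, not runtime denials.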