FlipperDroid/sepolicy/flipperdroid.rule


# FlipperDroid SELinux rules
#
# Loaded for devices running with SELinux in enforcing mode; KernelSU can
# instead switch the whole policy to permissive, in which case none of these
# rules are consulted. Every rule below is an *allow* for the `su` domain,
# so each line widens what a root shell may do while enforcing stays on —
# keep the set to what each feature actually needs and drop rules with the
# feature that required them.
#
# Rule shape (one per line): allow <source> <target> <class> { <perms> }
# NOTE(review): no trailing ';' and no 'target:class' form, so this is the
# magiskpolicy/KernelSU loader syntax rather than a checkpolicy .te file —
# confirm the file is only ever fed to that loader.

# USB serial device access (ttyACM for Flipper Zero CDC)
# Both device labels are granted; presumably which one the ttyACM node
# receives depends on the device's file_contexts — verify on target.
allow su tty_device chr_file { open read write ioctl getattr }
allow su serial_device chr_file { open read write ioctl getattr }
# Bluetooth rfcomm
allow su bluetooth_device chr_file { open read write ioctl getattr }
allow su rfcomm_device chr_file { open read write ioctl getattr }
# USB sysfs enumeration (read-only: no 'write' on sysfs_usb)
allow su sysfs_usb dir { search read open getattr }
allow su sysfs_usb file { read open getattr }
# Network socket for WebUI
# Listening side only: this rule carries no 'connect', so it does not by
# itself let su open outbound TCP connections.
allow su self tcp_socket { create bind listen accept read write getattr setopt }
# proc/sys for CPU sharing
# 'sysfs file write' is broad: it covers every sysfs node carrying the
# generic sysfs label, not only the cpufreq/cpuset entries CPU sharing
# touches. TODO: narrow to the specific sysfs types if the target policy
# labels them separately.
allow su proc file { read open getattr }
allow su sysfs dir { search read open getattr }
allow su sysfs file { read write open getattr }
# Stealth — namespace isolation bind mounts
# 'mounton' permits mounting over these proc/tmpfs objects, which is what
# the bind-mount hiding relies on; sys_admin is the capability mount(2)
# checks. sys_ptrace is granted alongside it — TODO confirm it is still
# required, since read access to /proc/<pid> appears to be covered by the
# 'domain' rules below rather than by the ptrace capability.
allow su proc dir { search read open getattr mounton }
allow su proc file { read open getattr mounton }
allow su tmpfs dir { search read open getattr mounton }
allow su tmpfs file { read write open getattr mounton }
allow su self capability { sys_admin sys_ptrace }
# nsenter into other process mount namespaces
# 'domain' is the attribute carried by every process type, so these two
# rules let su search and read the /proc/<pid> tree of every process on the
# device, not just app processes — the widest grant in this file.
# NOTE(review): the kernel also gates setns() into a mount namespace on
# CAP_SYS_CHROOT, and the /proc/<pid>/ns handles are nsfs-backed; confirm
# under enforcing mode (via the audit log) whether 'capability sys_chroot'
# and an 'nsfs file' rule are needed, rather than adding them blindly.
allow su domain dir { search getattr }
allow su domain file { read open getattr }
# iptables for port hiding
# NOTE(review): iptables reads table state with getsockopt() on the raw
# socket, which needs the 'getopt' permission that is absent here — check
# the audit log under enforcing mode before deciding whether to add it.
allow su self rawip_socket { create bind read write getattr setopt }
allow su self netlink_netfilter_socket { create bind read write }