# FlipperDroid SELinux rules
# For enforcing mode (KernelSU can set permissive globally)

# USB serial device access (ttyACM for Flipper Zero CDC)
allow su tty_device chr_file { open read write ioctl getattr }
allow su serial_device chr_file { open read write ioctl getattr }

# Bluetooth rfcomm
allow su bluetooth_device chr_file { open read write ioctl getattr }
allow su rfcomm_device chr_file { open read write ioctl getattr }

# USB sysfs enumeration
allow su sysfs_usb dir { search read open getattr }
allow su sysfs_usb file { read open getattr }

# Network socket for WebUI
allow su self tcp_socket { create bind listen accept read write getattr setopt }

# proc/sys for CPU sharing
allow su proc file { read open getattr }
allow su sysfs dir { search read open getattr }
allow su sysfs file { read write open getattr }

# Stealth: namespace isolation bind mounts
allow su proc dir { search read open getattr mounton }
allow su proc file { read open getattr mounton }
allow su tmpfs dir { search read open getattr mounton }
allow su tmpfs file { read write open getattr mounton }
allow su self capability { sys_admin sys_ptrace }

# nsenter into other process mount namespaces
allow su domain dir { search getattr }
allow su domain file { read open getattr }

# iptables for port hiding
allow su self rawip_socket { create bind read write getattr setopt }
allow su self netlink_netfilter_socket { create bind read write }