Google's Android Security Team and Arm detail their efforts to harden the Mali GPU driver on Android by reducing its attack surface using SELinux policies. Since 2021, the majority of Android kernel driver exploits have targeted the GPU, specifically the interface between User-Mode and Kernel-Mode drivers. The approach categorizes Mali IOCTLs into unprivileged, instrumentation, and restricted types, then blocks access to deprecated and debug IOCTLs in production via a new SELinux macro. A staged rollout was used: starting with an opt-in policy to audit impact, then moving to opt-out where all apps are hardened by default. A step-by-step guide is provided for OEM partners to implement similar GPU syscall filtering policies, now part of Android 16 behavior changes.
Table of contents
The Growing Threat: Why GPU Security MattersPartnership with ArmThe Right Tool for the Job: Hardening with SELinuxA Staged RolloutStep by Step instructions on how to add your SepolicyStep 1: Utilize the Platform-Level Hardening MacroConclusionAcknowledgmentsSort: