Google’s Android Security and Privacy Team has published details of a collaboration with Arm to harden the Mali GPU driver, which is present on approximately 45% of Android devices. The effort centers on reducing the kernel driver’s attack surface by blocking access to instrumentation and deprecated IOCTLs in production environments using SELinux policy.
Why GPU Drivers Are a High-Value Target
The GPU has become one of the most attractive targets for Android kernel exploits because of its complexity and its privileged position in the system. According to Google, the majority of Android kernel driver-based exploits since 2021 have targeted the GPU, specifically the interface between the User-Mode Driver (UMD), which runs inside the application process, and the Kernel-Mode Driver (KMD). That interface is the IOCTL surface any app holding the GPU device node can reach, so malformed IOCTL arguments crossing it can trigger memory corruption in the kernel, which makes the driver a critical hardening priority.
Categorizing IOCTLs for Policy Enforcement
The team categorized Mali IOCTLs into three groups to guide their policy design:
- Unprivileged: Required for normal application operation and remain accessible to all apps.
- Instrumentation: Used by profiling and debugging tools, and restricted in production to shell or applications marked as debuggable.
- Restricted: Deprecated or GPU-development-only IOCTLs that serve no purpose in production and are blocked entirely from standard applications.
A Staged SELinux Rollout
Rather than applying restrictions all at once, Google used an iterative rollout to validate the policy without breaking legitimate applications. The process moved through two phases:
- Opt-in phase: A new SELinux attribute, gpu_harden, was applied selectively to certain system apps. The allowxperm rule was used in audit mode, logging rather than denying access, so the team could monitor for unintended breakage.
- Opt-out phase: Once the policy was validated, all applications were hardened by default. Developers who need instrumentation access can opt out by running on a rooted device, setting android:debuggable="true" in the app manifest, or requesting a permanent SELinux policy exception.
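One way to triage the audit-mode logs from an opt-in phase like the one above, added here as an example and not Google's or Arm's tooling. It parses AVC records (the ioctlcmd= field of an ioctl AVC record carries the 16-bit value that allowxperm rules match on), aggregates the GPU ioctl denials that are only being logged, and renders a draft allowxperm rule per source domain for a policy author to review. The log lines, domains, process names and command numbers are constructed for the example, not captured from a real device.

```python
"""Triage of SELinux AVC records during an audit-only GPU ioctl rollout.

Added example, not Google's or Arm's tooling. The sample log below is
constructed to mimic the shape of ioctl AVC records; domains, process names
and command numbers are illustrative, not a real device's output.
"""
import re

# Constructed sample: what dmesg/logcat might show while a gpu_harden-style
# attribute is rolled out in audit mode (permissive=1 = logged, not enforced).
SAMPLE_AVC_LOG = """\
avc: denied { ioctl } for pid=4321 comm="com.example.cam" path="/dev/mali0" dev="tmpfs" ino=912 ioctlcmd=0x8020 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for pid=4321 comm="com.example.cam" path="/dev/mali0" dev="tmpfs" ino=912 ioctlcmd=0x8020 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for pid=2210 comm="gpuprofiler" path="/dev/mali0" dev="tmpfs" ino=912 ioctlcmd=0x8020 scontext=u:r:shell:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for pid=5577 comm="legacy.game" path="/dev/mali0" dev="tmpfs" ino=912 ioctlcmd=0x8030 scontext=u:r:untrusted_app_29:s0:c100,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { read } for pid=7000 comm="other" name="foo" dev="dm-3" ino=55 scontext=u:r:untrusted_app:s0:c1,c2 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
"""

# Only ioctl records carry ioctlcmd=; other AVC classes are skipped by design.
AVC_IOCTL = re.compile(
    r'avc: (?P<action>denied|granted) \{ ioctl \}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'ioctlcmd=0x(?P<cmd>[0-9a-fA-F]+).*?'
    r'scontext=u:r:(?P<domain>[^:]+):.*?'
    r'tcontext=u:object_r:(?P<target>[^:]+):.*?'
    r'permissive=(?P<permissive>[01])'
)


def parse_ioctl_avcs(log_text):
    """Yield one dict per ioctl AVC record found in the log text."""
    for line in log_text.splitlines():
        m = AVC_IOCTL.search(line)
        if m:
            rec = m.groupdict()
            rec["cmd"] = int(rec["cmd"], 16)          # the 16-bit xperm value
            rec["permissive"] = rec["permissive"] == "1"
            yield rec


def summarize_breakage(log_text, target="gpu_device"):
    """Aggregate denials against `target` into
    {(domain, cmd): {"hits": n, "comms": {...}, "enforced": bool}}.
    enforced=False means every hit was only logged (permissive=1) and would
    start failing once the policy is switched to enforcing."""
    table = {}
    for rec in parse_ioctl_avcs(log_text):
        if rec["target"] != target or rec["action"] != "denied":
            continue
        key = (rec["domain"], rec["cmd"])
        entry = table.setdefault(key, {"hits": 0, "comms": set(), "enforced": False})
        entry["hits"] += 1
        entry["comms"].add(rec["comm"])
        entry["enforced"] = entry["enforced"] or not rec["permissive"]
    return table


def render_allowxperm(summary, target="gpu_device", tclass="chr_file"):
    """Render one draft allowxperm rule per source domain covering every ioctl
    it hit. This is a starting point for review, not something to apply blindly:
    a shell hit on an instrumentation ioctl is expected and already permitted,
    while an untrusted_app hit on a restricted ioctl may be an app bug rather
    than a reason to relax the policy."""
    per_domain = {}
    for domain, cmd in sorted(summary):
        per_domain.setdefault(domain, []).append(cmd)
    rules = []
    for domain, cmds in per_domain.items():
        xperms = " ".join(f"0x{c:04x}" for c in cmds)
        rules.append(f"allowxperm {domain} {target}:{tclass} ioctl {{ {xperms} }};")
    return rules


if __name__ == "__main__":
    summary = summarize_breakage(SAMPLE_AVC_LOG)
    for (domain, cmd), info in sorted(summary.items()):
        print(f"{domain:20} 0x{cmd:04x} hits={info['hits']} comms={sorted(info['comms'])}")
    print("\n".join(render_allowxperm(summary)))
```

Run against a real capture, the summary is what the opt-in phase exists to produce: the (domain, ioctl) pairs that would start failing in enforcing mode, with the process names behind them so each can be classified as expected instrumentation use, an app that needs the debuggable or rooted opt-out, or a candidate for a permanent exception.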
Implementation Guidance for Ecosystem Partners
Google has also published a platform-level SELinux macro in system/sepolicy that device makers can use to define their own IOCTL restriction lists. The macro handles three tiers: granting unprivileged IOCTL access to all application domains, restricting instrumentation IOCTLs to debug contexts, and blocking privileged IOCTLs based on target SDK version to preserve compatibility for older applications. Official documentation is available through Android’s SELinux hardening macro reference and the Android 16 behavior changes guide.
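To make the three IOCTL tiers and the target-SDK gate concrete, here is an added example that models the decision such a policy makes for a given caller and ioctl command. It is not AOSP's macro and not Google's or Arm's code. Assumptions are labelled in the code: the 0x80 type byte, the command numbers and their tier assignments, the SDK cutoff of 36, and a plain debuggable flag standing in for however a device distinguishes debuggable apps. The one detail that is not an assumption is how the kernel matches ioctl extended permissions: on the low 16 bits of the command (driver byte and function number), so the direction and size bits that the _IOW/_IOR/_IOWR macros encode play no part, and two commands that differ only there are the same command to the policy.

```python
"""Model of how SELinux ioctl extended permissions gate a GPU driver's ioctls
in three tiers, with a target-SDK gate on the restricted tier.

Added example, not Google's, Arm's or AOSP's code. The driver type byte, the
command numbers, their tiers and the SDK cutoff are constructed for
illustration and do not reproduce Arm's Mali ioctl table.
"""
from dataclasses import dataclass
from enum import Enum

# asm-generic/ioctl.h layout on arm64: nr:8 | type:8 | size:14 | dir:2
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS = 8, 8, 14
_IOC_TYPESHIFT = _IOC_NRBITS
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS
_IOC_NONE, _IOC_WRITE, _IOC_READ = 0, 1, 2


def _ioc(direction: int, typ: int, nr: int, size: int) -> int:
    return (direction << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT) | (typ << _IOC_TYPESHIFT) | nr


def _IOW(typ, nr, size):  return _ioc(_IOC_WRITE, typ, nr, size)
def _IOR(typ, nr, size):  return _ioc(_IOC_READ, typ, nr, size)
def _IOWR(typ, nr, size): return _ioc(_IOC_READ | _IOC_WRITE, typ, nr, size)


def selinux_xperm(cmd: int) -> int:
    """The 16-bit value an allowxperm/neverallowxperm ioctl rule matches on:
    the kernel hook uses driver byte = cmd >> 8 and xperm = cmd & 0xff."""
    return cmd & 0xFFFF


class Tier(Enum):
    UNPRIVILEGED = "unprivileged"        # needed by every app
    INSTRUMENTATION = "instrumentation"  # profilers/debuggers: shell or debuggable apps
    RESTRICTED = "restricted"            # deprecated / GPU-development only


GPU_TYPE = 0x80  # ASSUMED ioctl type byte for the example driver

# Constructed tier table, keyed by the value the policy sees, not the full command.
IOCTL_TIERS = {
    selinux_xperm(_IOWR(GPU_TYPE, 0x00, 8)):  Tier.UNPRIVILEGED,     # e.g. version handshake
    selinux_xperm(_IOW(GPU_TYPE, 0x01, 4)):   Tier.UNPRIVILEGED,     # e.g. set context flags
    selinux_xperm(_IOW(GPU_TYPE, 0x20, 16)):  Tier.INSTRUMENTATION,  # e.g. hw counter reader
    selinux_xperm(_IOW(GPU_TYPE, 0x30, 8)):   Tier.RESTRICTED,       # e.g. deprecated path
}

LEGACY_SDK_CUTOFF = 36  # ASSUMED: apps targeting this SDK or newer get the full restriction


@dataclass(frozen=True)
class Caller:
    domain: str        # SELinux domain: "untrusted_app", "shell", ...
    debuggable: bool   # stands in for android:debuggable="true" (assumption)
    target_sdk: int


def ioctl_allowed(caller: Caller, cmd: int) -> bool:
    """Decide as the three-tier policy would. Once an allowxperm rule exists for
    (domain, gpu_device, chr_file, ioctl), commands it does not list are denied,
    which is why an unknown command falls through to False rather than True."""
    tier = IOCTL_TIERS.get(selinux_xperm(cmd))
    if tier is None:
        return False
    if tier is Tier.UNPRIVILEGED:
        return True
    if tier is Tier.INSTRUMENTATION:
        return caller.domain == "shell" or caller.debuggable
    # RESTRICTED: only apps targeting an older SDK keep access, for compatibility.
    return caller.target_sdk < LEGACY_SDK_CUTOFF


def xperm_collides(cmd_a: int, cmd_b: int) -> bool:
    """True when two distinct commands are indistinguishable to the policy:
    same type and nr, different direction or argument size."""
    return cmd_a != cmd_b and selinux_xperm(cmd_a) == selinux_xperm(cmd_b)


if __name__ == "__main__":
    app = Caller("untrusted_app", debuggable=False, target_sdk=36)
    for cmd in (_IOWR(GPU_TYPE, 0x00, 8), _IOW(GPU_TYPE, 0x20, 16), _IOW(GPU_TYPE, 0x30, 8)):
        print(f"cmd=0x{cmd:08x} xperm=0x{selinux_xperm(cmd):04x} allowed={ioctl_allowed(app, cmd)}")
```

The collision check is the caveat a policy author should keep in mind: a driver that reuses a function number across an old and a new struct layout (different size, same type and nr) cannot have the two variants placed in different tiers, because the policy only ever sees 0xTTNN.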
The hardening work complements ongoing bug-finding efforts by reducing the reachability of vulnerable code paths, an approach Google frames as often faster to deploy than eliminating individual vulnerabilities one at a time. The restrictions ship as part of the Android 16 behavior changes.
