[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-android-blocks-risky-gpu-ioctls-with-new-selinux-policy":10},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":38,"persona_id":22,"persona_name":22,"section":22,"tags":39,"sources":43,"feedback":47,"feedback_at":22,"cost_usd":47,"total_tokens":47},1039,"android-blocks-risky-gpu-ioctls-with-new-selinux-policy","Android blocks risky GPU ioctls with new SELinux policy","Google hardens Mali GPU drivers by restricting instrumentation ioctls, limiting a common attack surface on Android devices.","Google’s Android team has tightened GPU driver access using SELinux.\n\nThe security group partnered with Arm to audit Mali GPU ioctls and introduced a new SELinux attribute, **gpu_harden**, that blocks instrumentation commands for regular apps. After an opt‑in test phase, the policy switched to an opt‑out model: all apps are denied the risky ioctls unless the device is rooted, the app is marked debuggable, or a permanent SELinux exception is granted. The change is rolled out via a macro that lets OEMs list production, instrumentation and debug ioctls per device.\n\nGPU code runs with high privileges, and since 2021 most Android kernel‑driver exploits have targeted the user‑mode to kernel‑mode driver interface. By cutting off the most exploitable ioctls, Google reduces the attack surface faster than patching each bug individually. 
Developers retain needed debugging tools, while everyday users get a sturdier stack without a visible impact on app behavior.\n\nThe move mirrors similar hardening efforts on desktop Linux, but Android’s scale makes it more consequential. Watch for updates to the macro in future AOSP releases and for OEM adoption rates, which will indicate how quickly the broader ecosystem inherits the protections.","[\"android\",\"security\",\"gpu\"]","2025-12-09T17:00:00.008Z","2026-06-16T05:49:59.474Z","2026-06-16T05:50:05.721Z","published",null,[24,30,34],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"Add a concise concluding paragraph that restates the impact of the new SELinux GPU hardening and what readers should watch for next.","resolved",{"id":31,"reviewer":26,"round":32,"reason":33,"status":29},"editor-r2",2,"Add a concise concluding paragraph that restates the impact of the new SELinux GPU hardening and suggests what readers should watch for next.",{"id":35,"reviewer":26,"round":36,"reason":37,"status":29},"editor-r3",3,"Remove the placeholder token in the sentence about GPU exploits, add a clear concluding paragraph that restates the impact of the SELinux GPU hardening and notes what to watch for next.","https:\u002F\u002Fcdn.xyz.onl\u002Farticle-images\u002Fandroid-blocks-risky-gpu-ioctls-with-new-selinux-policy.webp",[40,41,42],"android","security","gpu",[44],{"name":45,"url":46},"Google Security Blog","http:\u002F\u002Fsecurity.googleblog.com\u002F2025\u002F12\u002Ffurther-hardening-android-gpus.html",0]