GPU syscall filtering

Android 16 QPR2 adds an SELinux macro to harden kernel drivers. This macro blocks restricted IOCTLs in production, such as deprecated IOCTLs or those for kernel driver development. It also limits IOCTLs for driver profiling to shell or debuggable apps. Use this macro to enhance your device's security.

Implementation

To harden your device with fine-grained syscall filtering, call the set_xperm_filter macro in your device's SEPolicy, for example:

# set_xperm_filter(target_context, allowed_target, unpriv_ioctls, restricted_ioctls, instrumentation_ioctls)
# Allow targets to harden their IOCTL interfaces by specifying
# unprivileged, blocked, and instrumentation-specific IOCTLs for appdomain.
#
# Parameters:
#   target_context: The target context to apply the filter to.
#   allowed_target: Additional `appdomain` target to exempt from hardened policy.
#     Allows for an allowlist of services, or gating by a target SDK.
#   unpriv_ioctls: IOCTLs to allow across appdomain.
#   restricted_ioctls: IOCTLs to deny across appdomain.
#   instrumentation_ioctls: IOCTLs intended to be used in development.
#     IOCTLs will be allowed from `shell` or `debuggable` applications.

# Placeholder IOCTL numbers; substitute the driver's categorized commands.
define(`unpriv_gpu_ioctls', `0x0000, 0x0001, 0x0002')
define(`restricted_gpu_ioctls', `0x1110, 0x1111, 0x1112')
define(`instrumentation_gpu_ioctls', `0x2220, 0x2221, 0x2222')
# The list names passed to the macro must match the define() names above.
set_xperm_filter(
  gpu_device,
  untrusted_app_sdk_gate,
  unpriv_gpu_ioctls,
  restricted_gpu_ioctls,
  instrumentation_gpu_ioctls)

The macro definition for set_xperm_filter is in system/sepolicy/public/te_macros.

The macro allows unpriv_ioctls across appdomain, blocks restricted_ioctls, and limits instrumentation_ioctls to the shell process or debuggable apps. The filter applies to applications starting from a specified target SDK version; the allowed_target argument names the appdomain types that are exempt from the hardened policy (for example, apps targeting an older SDK, or an allowlist of services).

This feature has been implemented on Pixel devices that use the Mali GPU (Pixel 6 through Pixel 9). Arm has provided an official categorization of its IOCTLs in Documentation/ioctl-categories.rst of its r54p2 driver release, and this list will continue to be maintained in future driver releases.

Test

Do the following to verify the kernel driver's behavior:

  • Check that the driver doesn't block legitimate application IOCTLs.

  • Verify that untrusted applications can't execute instrumentation or restricted IOCTLs.
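The following Python script is an added example, not code from AOSP or from the set_xperm_filter macro itself. It serves both the Implementation section and the test steps above: it lints a set_xperm_filter invocation before a policy build (catching an argument that names a list never define()d, a wrong argument count, or an IOCTL listed in two categories) and it models the allow/deny decisions the macro is documented to make, so that errno values collected from ioctl(2) probes run as an untrusted app, a debuggable app, or from adb shell can be checked against the configured policy. The policy snippet and the probe results are constructed (placeholder IOCTL numbers, not any real driver's commands); the decision model is taken from the page's description of the macro, not from its expansion in te_macros; and the script assumes that an SELinux xperm denial is reported to the caller as EACCES while ENOTTY or EINVAL means the call reached the driver.

```python
import errno
import re

# Constructed policy snippet in the shape of the page's set_xperm_filter example.
# IOCTL numbers are placeholders, not any real driver's commands.
POLICY = """
define(`unpriv_gpu_ioctls', `0x0000, 0x0001, 0x0002')
define(`restricted_gpu_ioctls', `0x1110, 0x1111, 0x1112')
define(`instrumentation_gpu_ioctls', `0x2220, 0x2221, 0x2222')
set_xperm_filter(
  gpu_device,
  untrusted_app_sdk_gate,
  unpriv_gpu_ioctls,
  restricted_gpu_ioctls,
  instrumentation_gpu_ioctls)
"""

CATEGORIES = ("unpriv", "restricted", "instrumentation")
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
CALL_RE = re.compile(r"set_xperm_filter\(([^)]*)\)")


def parse_policy(text):
    """Lint a set_xperm_filter invocation and return
    (target_context, allowed_target, {category: set of IOCTL numbers}).

    Raises ValueError for mistakes that are easy to make in m4 and cheap to
    catch before a policy build: a wrong argument count, an argument naming a
    list that was never define()d, or an IOCTL listed in two categories."""
    defines = {name: {int(v, 16) for v in body.split(",") if v.strip()}
               for name, body in DEFINE_RE.findall(text)}
    match = CALL_RE.search(text)
    if match is None:
        raise ValueError("no set_xperm_filter invocation found")
    args = [a.strip() for a in match.group(1).split(",")]
    if len(args) != 5:
        raise ValueError(f"set_xperm_filter takes 5 arguments, got {len(args)}")
    target, allowed_target, *list_names = args
    cats = {}
    for cat, name in zip(CATEGORIES, list_names):
        if name not in defines:
            raise ValueError(f"{cat} argument '{name}' is not a define()d list")
        cats[cat] = defines[name]
    for i, a in enumerate(CATEGORIES):
        for b in CATEGORIES[i + 1:]:
            overlap = cats[a] & cats[b]
            if overlap:
                both = [hex(x) for x in sorted(overlap)]
                raise ValueError(f"IOCTL(s) {both} listed in both {a} and {b}")
    return target, allowed_target, cats


def expected_decision(cats, ioctl, domain, debuggable=False):
    """Decision the macro is documented to make for one IOCTL from one caller:
    unpriv is allowed, restricted is denied, instrumentation is allowed only
    from shell or a debuggable app. IOCTLs outside all three lists are not
    governed by the macro ('unfiltered')."""
    if ioctl in cats["unpriv"]:
        return "allow"
    if ioctl in cats["restricted"]:
        return "deny"
    if ioctl in cats["instrumentation"]:
        return "allow" if domain == "shell" or debuggable else "deny"
    return "unfiltered"


def classify_errno(err):
    """Map the errno of one ioctl(2) probe to a policy outcome (assumption:
    an SELinux xperm denial surfaces as EACCES). ENOTTY or EINVAL means the
    call got past the policy and was rejected by the driver itself, which is
    still 'allow' from the filter's point of view."""
    if err == 0:
        return "allow"
    if err == errno.EACCES:
        return "deny"
    if err in (errno.ENOTTY, errno.EINVAL):
        return "allow"
    return "unknown"


def verify(cats, observations, domain, debuggable=False):
    """Compare probe results ({ioctl: errno}) against the documented policy.
    Returns a list of (ioctl, expected, observed) mismatches; an empty list
    means the filter behaves as configured for that caller."""
    mismatches = []
    for ioctl, err in sorted(observations.items()):
        expected = expected_decision(cats, ioctl, domain, debuggable)
        observed = classify_errno(err)
        if expected != "unfiltered" and observed != expected:
            mismatches.append((ioctl, expected, observed))
    return mismatches


# Constructed probe results (not captured from a device): what an untrusted,
# non-debuggable app should see once the filter above is in place.
UNTRUSTED_APP_OBSERVATIONS = {
    0x0000: 0, 0x0001: errno.ENOTTY, 0x0002: 0,  # unpriv: reach the driver
    0x1110: errno.EACCES, 0x1111: errno.EACCES,  # restricted: denied
    0x2220: errno.EACCES, 0x2221: errno.EACCES,  # instrumentation: denied
}
# The same IOCTLs probed from adb shell: instrumentation commands now reach the driver.
SHELL_OBSERVATIONS = {**UNTRUSTED_APP_OBSERVATIONS, 0x2220: 0, 0x2221: errno.EINVAL}

if __name__ == "__main__":
    target, gate, cats = parse_policy(POLICY)
    print(f"target={target} allowed_target={gate}")
    for cat in CATEGORIES:
        print(f"  {cat:16s} {[hex(i) for i in sorted(cats[cat])]}")
    print("untrusted_app mismatches:", verify(cats, UNTRUSTED_APP_OBSERVATIONS, "untrusted_app"))
    print("shell mismatches:        ", verify(cats, SHELL_OBSERVATIONS, "shell"))
```

In practice the observation dictionaries would be filled from a small native probe run on the device in each caller context; the value of the script is that a mismatch line names the IOCTL, the decision the policy was supposed to make, and what the kernel actually did, which separates an SELinux denial from a driver rejecting a command it does not implement.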