docs: include device filter policies/rules documentation

author: Aleksander Morgado <aleksander@aleksander.es> 2017-10-17 18:21:02 +0200
committer: Aleksander Morgado <aleksander@aleksander.es> 2017-12-05 11:00:11 +0100
commit: ce8c7035746e21e09cf491be1fa1186714abd4b2 (patch)
tree: a3169a1ff81501674d1225bcd4645153a2793e03 /docs/reference/api
parent: 42f4e975c9a22ecde9f4971e014358238dcfe975 (diff)
1 files changed, 277 insertions, 6 deletions
diff --git a/docs/reference/api/ModemManager-overview.xml b/docs/reference/api/ModemManager-overview.xml
index fcd9d625..963c0df2 100644
--- a/docs/reference/api/ModemManager-overview.xml
+++ b/docs/reference/api/ModemManager-overview.xml
@@ -51,17 +51,16 @@
     </formalpara>
   </chapter>
 
-  <chapter id="ref-overview-modem-detection-and-setup">
-    <title>Modem detection and setup</title>
+  <chapter id="ref-overview-modem-detection">
+    <title>Modem detection</title>
 
     <section>
-      <title>Detection mechanisms</title>
+      <title>Builds with udev support</title>
       <para>
         ModemManager requires <emphasis>udev</emphasis>-powered Linux kernels in order
         to get notified of possible available Modems. udev will report each of the ports
-        found in the device, and ModemManager will probe each of the ports marked with
-        the <emphasis>ID_MM_CANDIDATE</emphasis> tag in udev. This includes both "tty"
-        and "net" ports.
+        found in the device, and ModemManager will consider for probing each of the ports
+        marked with the <emphasis>ID_MM_CANDIDATE</emphasis> tag in udev.
       </para>
       <para>
         Aditionally, users of RS232-based devices may need to request additional manual
@@ -70,6 +69,278 @@
         connected, not about the RS232 modem connected to the adapter, if any.
       </para>
     </section>
+
+    <section>
+      <title>Builds without udev support</title>
+      <para>
+        When the udev daemon isn't available in the system, the
+        <link linkend="gdbus-method-org-freedesktop-ModemManager1.ReportKernelEvent">ReportKernelEvent</link>
+        method in the
+        <link linkend="gdbus-org.freedesktop.ModemManager1">Manager interface</link>
+        may be used to notify the ModemManager daemons of device addition and removals.
+      </para>
+      <para>
+        When udev support is disabled in the build, the <emphasis>ID_MM_CANDIDATE</emphasis>
+        tag and manual scan requests are still applicable. ModemManager has a built-in parser
+        of udev rule files that is enabled when udev itself isn't available.
+      </para>
+    </section>
+  </chapter>
+
+  <chapter id="ref-overview-modem-filter">
+    <title>Modem filter</title>
+
+    <para>
+      ModemManager will not probe all TTYs, NET and cdc-wdm ports found in the system,
+      as this may end up interfering e.g. with TTYs that have nothing to do with modem
+      devices.
+    </para>
+    <para>
+      The daemon comes with several predefined <emphasis>filter policies</emphasis>, each
+      of them composed of one or more <emphasis>filter rules</emphasis>.
+    </para>
+
+    <section>
+      <title>Filter rules</title>
+      <para>
+        The device filter in ModemManager defines the following independent filter rules. The
+        predefined filter policies are based on one or more of these predefined filter rules.
+        <itemizedlist>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_EXPLICIT_WHITELIST</emphasis></para>
+            <para>
+              This filter allows users to manually tag devices and/or device ports with the
+              <emphasis>ID_MM_DEVICE_PROCESS</emphasis> udev tag. If the filter finds this tag,
+              the device and/or device ports will be automatically accepted and port probing
+              will be allowed.
+            </para>
+            <programlisting>
+$ sudo vim /lib/udev/rules.d/78-mm-whitelist-internal-modem.rules
+    ACTION!="add|change|move", GOTO="mm_whitelist_internal_modem_end"
+    ATTRS{idVendor}=="1199", ATTRS{idProduct}=="a001", ENV{ID_MM_DEVICE_PROCESS}="1"
+    LABEL="mm_whitelist_internal_modem_end"
+// Apply new rules without reboot
+$ sudo udevadm control --reload
+$ sudo udevadm trigger
+            </programlisting>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_VIRTUAL</emphasis></para>
+            <para>
+              This filter will automatically flag as forbidden all ports exposed by virtual
+              devices, like the 'lo' network interface or the tty0, tty1... virtual terminals.
+              There is no reason to disable this filter, except for testing purposes.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_NET</emphasis></para>
+            <para>
+              This filter will automatically flag as allowed all network ports exposed by
+              devices. Unless there is a will to explicitly forbid network ports, this filter
+              should always be enabled.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_CDC_WDM</emphasis></para>
+            <para>
+              This filter will automatically flag as allowed all cdc-wdm ports exposed by
+              devices. Unless there is a will to explicitly forbid the cdc-wdm ports exposed
+              by qmi_wwan, cdc_mbim or huawei-cdc-ncm kernel drivers, this filter should always
+              be enabled.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_TTY, MM_FILTER_RULE_TTY_DEFAULT_ALLOWED and MM_FILTER_RULE_TTY_DEFAULT_FORBIDDEN</emphasis></para>
+            <para>
+              If the MM_FILTER_RULE_TTY filter is disabled, no TTY port will be allowed. If this
+              filter is enabled, TTY ports will only be allowed if the TTY-specific filters (defined
+              next) allow it.
+            </para>
+            <para>
+              The MM_FILTER_RULE_TTY_DEFAULT_ALLOWED and MM_FILTER_RULE_TTY_DEFAULT_FORBIDDEN rules allow
+              defining what happens when a TTY port isn't explicitly forbidden or accepted by any of
+              the TTY-specific filters. When MM_FILTER_RULE_TTY is enabled, one of these other two options
+              must be set.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_TTY_BLACKLIST</emphasis></para>
+            <para>
+              This filter will not allow probing any of the devices flagged as
+              <emphasis>ID_MM_DEVICE_IGNORE</emphasis>, like the ones in the default blacklist
+              shipped by ModemManager.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_TTY_MANUAL_SCAN_ONLY</emphasis></para>
+            <para>
+              This filter will not allow automatic probing any of the devices flagged as
+              <emphasis>ID_MM_DEVICE_MANUAL_SCAN_ONLY</emphasis>, like the ones in the default
+              USB serial adapters greylist shipped by ModemManager. Devices flagged like
+              this will only be probed when a manual scan is requested via the
+              <link linkend="gdbus-method-org-freedesktop-ModemManager1.ScanDevices">ScanDevices</link>
+              method.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_TTY_PLATFORM_DRIVER</emphasis></para>
+            <para>
+              If this filter is enabled, all platform TTY ports not explicitly flagged with the
+              <emphasis>ID_MM_PLATFORM_DRIVER_PROBE</emphasis> will be forbidden. If the flag
+              is found in a platform TTY port, port probing will be allowed directly.
+            </para>
+            <para>
+              Note that this filter is obsoleted by the more generic MM_FILTER_RULE_EXPLICIT_WHITELIST
+              filter. It is maintained for backwards compatibility with older ModemManager versions.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_TTY_DRIVER</emphasis></para>
+            <para>
+              If this filter is enabled, all TTY ports managed by modem-specific kernel drivers will be
+              allowed automatically.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>FILTER_RULE_TTY_ACM_INTERFACE</emphasis></para>
+            <para>
+              If this filter is enabled, all TTY ports managed by the cdc-acm kernel driver with
+              class=2/subclass=2/protocol=1 (AT command capable ttyACM port) will be allowed
+              automatically.
+            </para>
+          </listitem>
+          <listitem>
+            <para><emphasis>MM_FILTER_RULE_TTY_WITH_NET</emphasis></para>
+            <para>
+              If this filter is enabled, all TTY ports for devices that also expose a network
+              interface port will be allowed automatically.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </para>
+    </section>
+
+    <section>
+      <title>Filter policies</title>
+
+      <para>
+        The predefined filter policies are:
+        <itemizedlist>
+          <listitem>
+            <para><emphasis>Whitelist only</emphasis></para>
+            <para>
+              This is a policy where only the MM_FILTER_RULE_EXPLICIT_WHITELIST rule is enabled.
+            </para>
+            <programlisting># /usr/sbin/ModemManager --filter-policy=WHITELIST-ONLY</programlisting>
+          </listitem>
+          <listitem>
+            <para><emphasis>Default</emphasis></para>
+            <para>
+              This is a policy where the following rules are enabled:
+              <itemizedlist>
+                <listitem>MM_FILTER_RULE_EXPLICIT_WHITELIST</listitem>
+                <listitem>MM_FILTER_RULE_VIRTUAL</listitem>
+                <listitem>MM_FILTER_RULE_NET</listitem>
+                <listitem>MM_FILTER_RULE_CDC_WDM</listitem>
+                <listitem>MM_FILTER_RULE_TTY</listitem>
+                <listitem>MM_FILTER_RULE_TTY_BLACKLIST</listitem>
+                <listitem>MM_FILTER_RULE_TTY_MANUAL_SCAN_ONLY</listitem>
+                <listitem>MM_FILTER_RULE_TTY_PLATFORM_DRIVER</listitem>
+                <listitem>MM_FILTER_RULE_TTY_DEFAULT_ALLOWED</listitem>
+              </itemizedlist>
+            </para>
+            <para>
+              This policy is the default one when a different one not explicitly
+              selected, and is equivalent to the way ModemManager has worked in previous
+              releases. This policy is the least restrictive one, and will end up
+              allowing port probing of all TTYs not explicitly blacklisted in one way
+              or another.
+            </para>
+            <programlisting># /usr/sbin/ModemManager --filter-policy=DEFAULT</programlisting>
+          </listitem>
+          <listitem>
+            <para><emphasis>Strict</emphasis></para>
+            <para>
+              This is a policy where the following rules are enabled:
+              <itemizedlist>
+                <listitem>MM_FILTER_RULE_EXPLICIT_WHITELIST</listitem>
+                <listitem>MM_FILTER_RULE_VIRTUAL</listitem>
+                <listitem>MM_FILTER_RULE_NET</listitem>
+                <listitem>MM_FILTER_RULE_CDC_WDM</listitem>
+                <listitem>MM_FILTER_RULE_TTY</listitem>
+                <listitem>MM_FILTER_RULE_TTY_PLATFORM_DRIVER</listitem>
+                <listitem>MM_FILTER_RULE_TTY_DRIVER</listitem>
+                <listitem>MM_FILTER_RULE_TTY_ACM_INTERFACE</listitem>
+                <listitem>MM_FILTER_RULE_TTY_WITH_NET</listitem>
+                <listitem>MM_FILTER_RULE_TTY_DEFAULT_FORBIDDEN</listitem>
+              </itemizedlist>
+            </para>
+            <para>
+              This policy is stricter than the default one, as by default all TTYs are
+              forbidden except for the ones explicitly allowed by one of the TTY-specific
+              rules. Distributions or users should use this policy if they don't want
+              ModemManager to mess around with TTY ports that may not be exposed by
+              actual modems.
+            </para>
+            <programlisting># /usr/sbin/ModemManager --filter-policy=STRICT</programlisting>
+          </listitem>
+          <listitem>
+            <para><emphasis>Paranoid</emphasis></para>
+            <para>
+              This policy is a mix of the Default and Strict ones:
+              <itemizedlist>
+                <listitem>MM_FILTER_RULE_EXPLICIT_WHITELIST</listitem>
+                <listitem>MM_FILTER_RULE_VIRTUAL</listitem>
+                <listitem>MM_FILTER_RULE_NET</listitem>
+                <listitem>MM_FILTER_RULE_CDC_WDM</listitem>
+                <listitem>MM_FILTER_RULE_TTY</listitem>
+                <listitem>MM_FILTER_RULE_TTY_BLACKLIST</listitem>
+                <listitem>MM_FILTER_RULE_TTY_MANUAL_SCAN_ONLY</listitem>
+                <listitem>MM_FILTER_RULE_TTY_PLATFORM_DRIVER</listitem>
+                <listitem>MM_FILTER_RULE_TTY_DRIVER</listitem>
+                <listitem>MM_FILTER_RULE_TTY_ACM_INTERFACE</listitem>
+                <listitem>MM_FILTER_RULE_TTY_WITH_NET</listitem>
+                <listitem>MM_FILTER_RULE_TTY_DEFAULT_FORBIDDEN</listitem>
+              </itemizedlist>
+            </para>
+            <para>
+              This policy is equivalent to the Strict policy, but where the ModemManager
+              provided blacklist and manual scan only greylist are also used. It is not
+              recommended to use this option in normal setups as the blacklists may be
+              obsoleted in future ModemManager versions (in favor of using the Strict
+              policy as default).
+            </para>
+            <programlisting># /usr/sbin/ModemManager --filter-policy=PARANOID</programlisting>
+          </listitem>
+
+          <listitem>
+            <para><emphasis>Custom</emphasis></para>
+            <para>
+              Any of the previously defined predefined policies may be modified rule per rule
+              by explicitly enabling or disabling rules via environment variables.
+            </para>
+            <para>
+              E.g. this would launch ModemManager with the Default filter policy but with all
+              net and cdc-wdm ports forbidden completely:
+              <programlisting>
+# MM_FILTER_RULE_NET=0 \
+  MM_FILTER_RULE_CDC_WDM=0 \
+  /usr/sbin/ModemManager --filter-policy=DEFAULT</programlisting>
+            </para>
+            <para>
+              E.g. this would launch ModemManager with the Whitelist-only filter policy but also
+              explicitly allowing all net and cdc-wdm ports. Note that in this case, all virtual
+              net ports (e.g. 'lo') are also being allowed.
+              <programlisting>
+# MM_FILTER_RULE_NET=1 \
+  MM_FILTER_RULE_CDC_WDM=1 \
+  /usr/sbin/ModemManager --filter-policy=WHITELIST-ONLY</programlisting>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </para>
+
+    </section>
   </chapter>
 
   <chapter id="ref-overview-modem-port-probing">
author	Aleksander Morgado <aleksander@aleksander.es>	2017-10-17 18:21:02 +0200
committer	Aleksander Morgado <aleksander@aleksander.es>	2017-12-05 11:00:11 +0100
commit	ce8c7035746e21e09cf491be1fa1186714abd4b2 (patch)
tree	a3169a1ff81501674d1225bcd4645153a2793e03 /docs/reference/api
parent	42f4e975c9a22ecde9f4971e014358238dcfe975 (diff)