The predefined filter policies are:
Allowlist only
This is a policy where only the MM_FILTER_RULE_EXPLICIT_ALLOWLIST rule is enabled.
# /usr/sbin/ModemManager --filter-policy=ALLOWLIST-ONLY
Strict
This is a policy where the following rules are enabled:
This policy is the default one when a different one is not explicitly selected. In this policy, all TTYs are forbidden except for the ones explicitly allowed by one of the TTY-specific rules.
# /usr/sbin/ModemManager --filter-policy=STRICT
Custom
Any of the predefined policies above may be modified rule by rule by explicitly enabling or disabling individual rules via environment variables.
E.g. this would launch ModemManager with the Strict filter policy but with all net and cdc-wdm ports forbidden completely:
# MM_FILTER_RULE_NET=0 \
  MM_FILTER_RULE_USBMISC=0 \
  /usr/sbin/ModemManager --filter-policy=STRICT
E.g. this would launch ModemManager with the allowlist-only filter policy but also explicitly allowing all net and cdc-wdm ports. Note that in this case, all virtual net ports (e.g. 'lo') are also being allowed.
# MM_FILTER_RULE_NET=1 \
  MM_FILTER_RULE_USBMISC=1 \
  /usr/sbin/ModemManager --filter-policy=ALLOWLIST-ONLY
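Because rule overrides arrive through the environment rather than the command line, a running daemon's effective filter configuration is easy to overlook. The following is an added example, not part of ModemManager or its documentation: a small audit helper (the name mm_filter_audit is hypothetical) that reads files in the /proc/<pid>/cmdline and /proc/<pid>/environ layout and reports the selected policy, any MM_FILTER_RULE_* overrides, and the virtual-net-port caveat described above. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not ModemManager code): report the filter policy and the
# MM_FILTER_RULE_* overrides a ModemManager process was started with.
# Arguments are files in the NUL-separated layout of /proc/<pid>/cmdline
# and /proc/<pid>/environ. mm_filter_audit is a hypothetical helper name.
mm_filter_audit() {
    cmdline_file=$1
    environ_file=$2

    # Accept "--filter-policy=X" and "--filter-policy X"; report the last one seen.
    policy=$(tr '\000' '\n' < "$cmdline_file" | awk '
        /^--filter-policy=/       { sub(/^--filter-policy=/, ""); p = $0 }
        prev == "--filter-policy" { p = $0 }
        { prev = $0 }
        END { print p }')
    # Per the page, Strict is used when no policy is explicitly selected.
    [ -n "$policy" ] || policy="STRICT (default)"
    echo "policy: $policy"

    # Per-rule overrides come from the process environment.
    overrides=$(tr '\000' '\n' < "$environ_file" | grep '^MM_FILTER_RULE_' | sort)
    if [ -z "$overrides" ]; then
        echo "overrides: none"
    else
        echo "$overrides" | sed 's/^/override: /'
    fi

    # Caveat from the page: allowlist-only plus the net rule also lets in
    # virtual net ports such as 'lo'.
    if [ "$policy" = "ALLOWLIST-ONLY" ] &&
       echo "$overrides" | grep -q '^MM_FILTER_RULE_NET=1$'; then
        echo "warning: ALLOWLIST-ONLY with MM_FILTER_RULE_NET=1 also allows virtual net ports (e.g. lo)"
    fi
}

# Constructed sample mirroring the second Custom example on the page.
tmp=$(mktemp -d)
printf '/usr/sbin/ModemManager\000--filter-policy=ALLOWLIST-ONLY\000' > "$tmp/cmdline"
printf 'PATH=/usr/bin\000MM_FILTER_RULE_NET=1\000MM_FILTER_RULE_USBMISC=1\000' > "$tmp/environ"
mm_filter_audit "$tmp/cmdline" "$tmp/environ"
rm -rf "$tmp"
```

On a live system, pass the /proc/<pid>/cmdline and /proc/<pid>/environ files of the ModemManager process; reading environ for a root-owned daemon requires root.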