Rename DialTCP to ConnectTCP

The name "DialTCP" is misleading, because it is actually the connect(2) syscall which is being restricted. This makes a difference in the scenario where a future version of Landlock makes socket(2) restrictable. (net.Dial() creates sockets as well, so it would be confusing if permitting landlock.DialTCP() was not enough to net.Dial() a TCP socket) -- It's better to keep the terminology aligned with kernel concepts. I am shamelessly assuming that noone has picked up the DialTCP changes from yesterday yet. (If you did, my apologies.) Better to have a brief window of incompatibility than to carry out long API migrations based on speculative API usages.
landlock-lsm · Jan 10, 2024 · 9e68e65 · 9e68e65
1 parent d5b09cc
commit 9e68e65
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 8 deletions.
diff --git a/cmd/landlock-restrict-net/main.go b/cmd/landlock-restrict-net/main.go
@@ -46,7 +46,7 @@ func main() {
 			return err
 		}
 		log.Println("PERMIT TCP connect to port", p)
-		rules = append(rules, landlock.DialTCP(uint16(p)))
+		rules = append(rules, landlock.ConnectTCP(uint16(p)))
 		return nil
 	})
 

diff --git a/landlock/config.go b/landlock/config.go
@@ -249,7 +249,7 @@ func (c Config) RestrictPaths(rules ...Rule) error {
 // and connect(2) for TCP ports, unless those TCP ports are
 // specifically permitted using these rules:
 //
-//   - [DialTCP] permits connect(2) operations to a given TCP port.
+//   - [ConnectTCP] permits connect(2) operations to a given TCP port.
 //   - [BindTCP] permits bind(2) operations on a given TCP port.
 //
 // These network access rights are documented in more depth in the

diff --git a/landlock/landlock.go b/landlock/landlock.go
@@ -22,7 +22,7 @@
 //
 //	err := landlock.V4.BestEffort().RestrictNet(
 //	    landlock.BindTCP(8080),
-//	    landlock.DialTCP(53),
+//	    landlock.ConnectTCP(53),
 //	)
 //
 // This functionality is available since Landlock V4.
@@ -37,7 +37,7 @@
 //	    landlock.RODirs("/usr", "/bin"),
 //	    landlock.RWDirs("/tmp"),
 //	    landlock.BindTCP(8080),
-//	    landlock.DialTCP(53),
+//	    landlock.ConnectTCP(53),
 //	)
 //
 // # More possible invocations

diff --git a/landlock/net_opt.go b/landlock/net_opt.go
@@ -11,7 +11,7 @@ type NetRule struct {
 	port   uint16
 }
 
-func DialTCP(port uint16) NetRule {
+func ConnectTCP(port uint16) NetRule {
 	return NetRule{
 		access: ll.AccessNetConnectTCP,
 		port:   port,

diff --git a/landlock/restrict_test.go b/landlock/restrict_test.go
@@ -349,7 +349,7 @@ func TestRestrictNet(t *testing.T) {
 			Name:        "PermitTheConnectPort",
 			RequiredABI: 4,
 			EnableLandlock: func() error {
-				return landlock.V4.RestrictNet(landlock.DialTCP(cPort))
+				return landlock.V4.RestrictNet(landlock.ConnectTCP(cPort))
 			},
 			WantConnectErr: nil,
 			WantBindErr:    syscall.EACCES,
@@ -369,7 +369,7 @@ func TestRestrictNet(t *testing.T) {
 			EnableLandlock: func() error {
 				return landlock.V4.RestrictNet(
 					landlock.BindTCP(bPort),
-					landlock.DialTCP(cPort),
+					landlock.ConnectTCP(cPort),
 				)
 			},
 			WantConnectErr: nil,
@@ -381,7 +381,7 @@ func TestRestrictNet(t *testing.T) {
 			EnableLandlock: func() error {
 				return landlock.V4.RestrictNet(
 					landlock.BindTCP(bPort+1),
-					landlock.DialTCP(cPort+1),
+					landlock.ConnectTCP(cPort+1),
 				)
 			},
 			WantConnectErr: syscall.EACCES,