Class: RKSeal::SecureWorkspace::LinuxMedium

Inherits:

Object

• Object
• RKSeal::SecureWorkspace::LinuxMedium

Defined in:

lib/rkseal/secure_workspace.rb

Overview

RAM-backed medium for Linux: a 0700 directory on an existing tmpfs mount (‘/dev/shm` or `$XDG_RUNTIME_DIR`). tmpfs is already RAM, so there is nothing to attach or detach – provision makes a private subdirectory and teardown removes it.

Constant Summary

CANDIDATES =

tmpfs mount points to try, in order of preference.

["/dev/shm", ENV.fetch("XDG_RUNTIME_DIR", nil)].freeze

Instance Method Summary

• #initialize ⇒ LinuxMedium constructor

  A new instance of LinuxMedium.

• #provision ⇒ String

  Absolute path to a fresh 0700 scratch directory.

• #teardown ⇒ void

Constructor Details

#initialize ⇒ LinuxMedium

Returns a new instance of LinuxMedium.

# File 'lib/rkseal/secure_workspace.rb', line 273

def initialize
  @dir = nil
end

Instance Method Details

#provision ⇒ String

Returns absolute path to a fresh 0700 scratch directory.

Returns:

• (String) —

  absolute path to a fresh 0700 scratch directory.

Raises:

• (RKSeal::WorkspaceError) —

  if no tmpfs mount is writable.

# File 'lib/rkseal/secure_workspace.rb', line 279

def provision
  base = CANDIDATES.compact.find { |candidate| usable?(candidate) }
  unless base
    raise WorkspaceError,
          "no writable tmpfs mount (/dev/shm or $XDG_RUNTIME_DIR) for the scratch buffer"
  end

  @dir = File.join(base, "rkseal-#{SecureRandom.hex(8)}")
  FileUtils.mkdir(@dir, mode: DIR_MODE)
  @dir
end

#teardown ⇒ void

This method returns an undefined value.

# File 'lib/rkseal/secure_workspace.rb', line 292

def teardown
  return if @dir.nil?

  FileUtils.remove_entry_secure(@dir) if File.directory?(@dir)
  @dir = nil
rescue StandardError
  nil
end