Class: RKSeal::SecureWorkspace::MacosMedium

Inherits:

Object

Object
RKSeal::SecureWorkspace::MacosMedium

show all

Defined in:: lib/rkseal/secure_workspace.rb

Overview

RAM-backed medium for macOS: an ephemeral ‘hdiutil`-backed RAM disk.

macOS has no tmpfs/‘/dev/shm`, so the only way to keep plaintext off persistent disk is a RAM disk:

1. `hdiutil attach -nomount ram://<sectors>` allocates RAM and returns a
   raw device node (e.g. /dev/disk7) without mounting it.
2. `newfs_hfs -v <volname> <device>` lays down a tiny HFS+ filesystem.
3. mount it under a private 0700 directory in $TMPDIR (the *mount point*
   lives on disk but is empty; the *data* lives only on the RAM device).

Teardown unmounts and ‘hdiutil detach`es the device (with a short retry in case it is transiently busy), then removes the empty mount point.

Constant Summary collapse

DETACH_ATTEMPTS = How many times to retry a transiently-busy ‘hdiutil detach`.

DETACH_BACKOFF = Backoff between detach retries, in seconds.

0.2

Instance Method Summary collapse

#initialize(bytes:) ⇒ MacosMedium constructor

A new instance of MacosMedium.
#provision ⇒ String

Absolute path to the mounted RAM disk root.
#teardown ⇒ void

Constructor Details

#initialize(bytes:) ⇒ `MacosMedium`

Returns a new instance of MacosMedium.

Parameters:

bytes (Integer) —

RAM disk size; rounded up to whole sectors.

# File 'lib/rkseal/secure_workspace.rb', line 326

def initialize(bytes:)
  @sectors = (bytes.to_f / SECTOR_BYTES).ceil
  @device = nil
  @mount_point = nil
end

Instance Method Details

#provision ⇒ `String`

Returns absolute path to the mounted RAM disk root.

Returns:

(String) —

absolute path to the mounted RAM disk root.

Raises:

(RKSeal::WorkspaceError) —

if attach/format/mount fails.

# File 'lib/rkseal/secure_workspace.rb', line 334

def provision
  @device = attach_ram_device
  format_device(@device)
  @mount_point = make_mount_point
  mount(@device, @mount_point)
  @mount_point
end

#teardown ⇒ `void`

This method returns an undefined value.

# File 'lib/rkseal/secure_workspace.rb', line 343

def teardown
  unmount(@mount_point) if @mount_point
  detach_with_retry(@device) if @device
  remove_mount_point(@mount_point) if @mount_point
  @device = nil
  @mount_point = nil
rescue StandardError
  nil
end