How to read tmpfs as a block device in linux?

Question

A typical linux machine mounts a tmpfs to store temporary files:

$ df
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             953M  702M  203M  78% /
tmpfs                 1.5G  111M  1.5G   0% /tmp
...

On a live machine, how can I access the underlying memory of the tmpfs as a block device in order to image it with dd for file recovery / forensic / intrusion detection purposes? There is no device in /dev that properly isolates and maps the memory used by the tmpfs to a block device.

This question has been asked here, but none of the answers were helpful: https://www.linuxquestions.org/questions/linux-general-1/how-to-backup-ramfs-or-tmpfs-using-dd-4175422520/

"how can I access the underlying memory of the tmpfs as a block device" -- You cannot; memory has no "block" interface. "There is no device in /dev" -- Because memory is not a "device". — sawdust, Commented Feb 26, 2022 at 0:38
@sawdust Well, there is /dev/kmem. But that's all of the kernel virtual memory, not just tmpfs. — jpa, Commented Feb 26, 2022 at 11:19
tmpfs is not based on any flat block device in the first place, and it has no file system compatible with any such block device, so there is nothing to 'image'. — Boann, Commented Feb 26, 2022 at 14:49

davidgo · Accepted Answer · 2022-02-26 17:55:17Z

5

From what Ive read there is no underlying block device. tmpfs is dynamically resized through the kernel - from which I deduce it cant be treated as a block. Ypu wpld need to use ramdisk of you want a block device.

edited Feb 26, 2022 at 17:55

answered Feb 25, 2022 at 23:15

davidgo

72.3k14 gold badges115 silver badges177 bronze badges

Thanks for the info. I'm guessing the original question is impossible without messing with custom kernel modules or the kernel itself...
– Duke Nukem
Commented Feb 25, 2022 at 23:23
1

ramfs works identically to tmpfs (except for it being locked into physical memory, while tmpfs can be swapped out). It's ramdisk (brd) that provides a block device.
– grawity
Commented Feb 26, 2022 at 10:16
@user1686 Ive updated my answer. It wmbarrasing it received upvotes while being wrong. Thank you!
– davidgo
Commented Feb 26, 2022 at 17:56

Add a comment |

Stack Exchange Network

How to read tmpfs as a block device in linux?

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
linux
dd
imaging
tmpfs
block-device
.

Hot Network Questions

How to read tmpfs as a block device in linux?

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged linuxddimagingtmpfsblock-device.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
linux
dd
imaging
tmpfs
block-device
.