gpt-auto-generator: do not apply image policy on the root fs and /usr/ fs

At the moment the gpt-auto generator does its things we already transitioned into the host OS, i.e. the root fs and /usr/ are mounted. Hence suppress image policy checks for those two partitions. This actually matters, because the root hash/usr hash is taken into consideration for the image policy checks, but we don't have that in gpt-auto and hence would refuse operation claiming policy conflicts event though we never actually operate on the root fs via the dissection logic.
2026-04-14 00:14:32 +09:00 · 2025-03-06 09:38:25 +01:00
parent 87bffa1eae
commit 6d6538fb3f
1 changed files with 18 additions and 1 deletions
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -826,6 +826,15 @@ static int enumerate_partitions(dev_t devnum) {
        _cleanup_free_ char *devname = NULL;
        int r;

+        static const PartitionDesignator ignore_designators[] = {
+                PARTITION_ROOT,
+                PARTITION_ROOT_VERITY,
+                PARTITION_ROOT_VERITY_SIG,
+                PARTITION_USR,
+                PARTITION_USR_VERITY,
+                PARTITION_USR_VERITY_SIG,
+        };
+
        assert(!in_initrd());

        /* Run on the final root fs (not in the initrd), to mount auxiliary partitions, and hook in rw
@@ -841,6 +850,14 @@ static int enumerate_partitions(dev_t devnum) {
                return log_debug_errno(r, "Failed to get device node of " DEVNUM_FORMAT_STR ": %m",
                                       DEVNUM_FORMAT_VAL(devnum));

+        _cleanup_(image_policy_freep) ImagePolicy *image_policy = NULL;
+        r = image_policy_ignore_designators(
+                        arg_image_policy ?: &image_policy_host,
+                        ignore_designators, ELEMENTSOF(ignore_designators),
+                        &image_policy);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to mark root/usr designators as ignore in image policy: %m");
+
        /* Let's take a LOCK_SH lock on the block device, in case udevd is already running. If we don't take
         * the lock, udevd might end up issuing BLKRRPART in the middle, and we don't want that, since that
         * might remove all partitions while we are operating on them. */
@@ -852,7 +869,7 @@ static int enumerate_partitions(dev_t devnum) {
                        loop,
                        /* verity= */ NULL,
                        /* mount_options= */ NULL,
-                        arg_image_policy ?: &image_policy_host,
+                        image_policy,
                        DISSECT_IMAGE_GPT_ONLY|
                        DISSECT_IMAGE_USR_NO_ROOT|
                        DISSECT_IMAGE_DISKSEQ_DEVNODE|