diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index 0f7d089d1c..8a49948780 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -826,6 +826,15 @@ static int enumerate_partitions(dev_t devnum) { _cleanup_free_ char *devname = NULL; int r; + static const PartitionDesignator ignore_designators[] = { + PARTITION_ROOT, + PARTITION_ROOT_VERITY, + PARTITION_ROOT_VERITY_SIG, + PARTITION_USR, + PARTITION_USR_VERITY, + PARTITION_USR_VERITY_SIG, + }; + assert(!in_initrd()); /* Run on the final root fs (not in the initrd), to mount auxiliary partitions, and hook in rw @@ -841,6 +850,14 @@ static int enumerate_partitions(dev_t devnum) { return log_debug_errno(r, "Failed to get device node of " DEVNUM_FORMAT_STR ": %m", DEVNUM_FORMAT_VAL(devnum)); + _cleanup_(image_policy_freep) ImagePolicy *image_policy = NULL; + r = image_policy_ignore_designators( + arg_image_policy ?: &image_policy_host, + ignore_designators, ELEMENTSOF(ignore_designators), + &image_policy); + if (r < 0) + return log_debug_errno(r, "Failed to mark root/usr designators as ignore in image policy: %m"); + /* Let's take a LOCK_SH lock on the block device, in case udevd is already running. If we don't take * the lock, udevd might end up issuing BLKRRPART in the middle, and we don't want that, since that * might remove all partitions while we are operating on them. */ @@ -852,7 +869,7 @@ static int enumerate_partitions(dev_t devnum) { loop, /* verity= */ NULL, /* mount_options= */ NULL, - arg_image_policy ?: &image_policy_host, + image_policy, DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| DISSECT_IMAGE_DISKSEQ_DEVNODE|