From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 6 Mar 2025 08:38:25 +0000 (+0100)
Subject: gpt-auto-generator: do not apply image policy on the root fs and /usr/ fs
X-Git-Tag: v258-rc1~1168^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F36629%2Fhead;p=thirdparty%2Fsystemd.git

gpt-auto-generator: do not apply image policy on the root fs and /usr/ fs

At the moment the gpt-auto generator does its things we already
transitioned into the host OS, i.e. the root fs and /usr/ are mounted.
Hence suppress image policy checks for those two partitions.

This actually matters, because the root hash/usr hash is taken into
consideration for the image policy checks, but we don't have that in
gpt-auto and hence would refuse operation claiming policy conflicts
event though we never actually operate on the root fs via the dissection
logic.
---

diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 0f7d089d1cf..8a499487804 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -826,6 +826,15 @@ static int enumerate_partitions(dev_t devnum) {
         _cleanup_free_ char *devname = NULL;
         int r;
 
+        static const PartitionDesignator ignore_designators[] = {
+                PARTITION_ROOT,
+                PARTITION_ROOT_VERITY,
+                PARTITION_ROOT_VERITY_SIG,
+                PARTITION_USR,
+                PARTITION_USR_VERITY,
+                PARTITION_USR_VERITY_SIG,
+        };
+
         assert(!in_initrd());
 
         /* Run on the final root fs (not in the initrd), to mount auxiliary partitions, and hook in rw
@@ -841,6 +850,14 @@ static int enumerate_partitions(dev_t devnum) {
                 return log_debug_errno(r, "Failed to get device node of " DEVNUM_FORMAT_STR ": %m",
                                        DEVNUM_FORMAT_VAL(devnum));
 
+        _cleanup_(image_policy_freep) ImagePolicy *image_policy = NULL;
+        r = image_policy_ignore_designators(
+                        arg_image_policy ?: &image_policy_host,
+                        ignore_designators, ELEMENTSOF(ignore_designators),
+                        &image_policy);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to mark root/usr designators as ignore in image policy: %m");
+
         /* Let's take a LOCK_SH lock on the block device, in case udevd is already running. If we don't take
          * the lock, udevd might end up issuing BLKRRPART in the middle, and we don't want that, since that
          * might remove all partitions while we are operating on them. */
@@ -852,7 +869,7 @@ static int enumerate_partitions(dev_t devnum) {
                         loop,
                         /* verity= */ NULL,
                         /* mount_options= */ NULL,
-                        arg_image_policy ?: &image_policy_host,
+                        image_policy,
                         DISSECT_IMAGE_GPT_ONLY|
                         DISSECT_IMAGE_USR_NO_ROOT|
                         DISSECT_IMAGE_DISKSEQ_DEVNODE|