From: Lennart Poettering Date: Wed, 9 Aug 2017 16:19:00 +0000 (+0200) Subject: units: include DM devices in DeviceAllow for systemd-nspawn@.service X-Git-Tag: v235~166^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F6580%2Fhead;p=thirdparty%2Fsystemd.git units: include DM devices in DeviceAllow for systemd-nspawn@.service We need it to make LUKS devices work. Fixes: #6525 --- diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index 5e80054a57e..9893ae2b364 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -23,18 +23,23 @@ Slice=machine.slice Delegate=yes TasksMax=16384 -## Enforce a strict device policy, similar to the one nspawn configures -## when it allocates its own scope unit. Make sure to keep these -## policies in sync if you change them! +# Enforce a strict device policy, similar to the one nspawn configures when it +# allocates its own scope unit. Make sure to keep these policies in sync if you +# change them! DevicePolicy=closed DeviceAllow=/dev/net/tun rwm DeviceAllow=char-pts rw -# nspawn itself needs access to /dev/loop-control and /dev/loop, to -# implement the --image= option. Add these here, too. +# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement +# the --image= option. Add these here, too. DeviceAllow=/dev/loop-control rw DeviceAllow=block-loop rw DeviceAllow=block-blkext rw +# nspawn can set up LUKS encrypted loopback files, in which case it needs +# access to /dev/mapper/control and the block devices /dev/mapper/*. +DeviceAllow=/dev/mapper/control rw +DeviceAllow=block-device-mapper rw + [Install] WantedBy=machines.target
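Review bot: the two new DeviceAllow= lines at the end of the hunk extend the unit's allow list, but the comment at the top of the same hunk says this policy must stay in sync with the one nspawn configures when it allocates its own scope unit, and this diff touches only units/systemd-nspawn@.service.in. Please confirm the scope-unit policy gets the same /dev/mapper/control and block-device-mapper entries, or name the companion change in the commit message. Separately, `DeviceAllow=block-device-mapper rw` matches every block device under the device-mapper major, not only the LUKS mappings nspawn creates, so under DevicePolicy=closed this is a wider grant than the new comment's "/dev/mapper/*" wording suggests. It would help to say in that comment that the entry covers all DM devices on the host.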