units: include DM devices in DeviceAllow fpor systemd-nspawn@.service

We need it to make LUKS devices work.

Fixes: #6525

1 files changed, 10 insertions, 5 deletions

diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index 5e80054a57..9893ae2b36 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -23,18 +23,23 @@ Slice=machine.slice
 Delegate=yes
 TasksMax=16384
 
-## Enforce a strict device policy, similar to the one nspawn configures
-## when it allocates its own scope unit. Make sure to keep these
-## policies in sync if you change them!
+# Enforce a strict device policy, similar to the one nspawn configures when it
+# allocates its own scope unit. Make sure to keep these policies in sync if you
+# change them!
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw
 
-# nspawn itself needs access to /dev/loop-control and /dev/loop, to
-# implement the --image= option. Add these here, too.
+# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
+# the --image= option. Add these here, too.
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw
 
+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 [Install]
 WantedBy=machines.target