Merge pull request #6580 from poettering/nspawn-dm-deviceallow

add DM devices to DeviceAllow for systemd-nspawn@.service
2025-01-10 01:17:44 +03:00 · 2017-09-04 17:12:17 +03:00 · 2017-09-04 17:12:17 +03:00 · 8a12256c9c
commit 8a12256c9c
parent 9a39e1ce31 3982becc92
2 changed files with 16 additions and 7 deletions
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@ -838,15 +838,19 @@ static int decrypt_partition(

        r = crypt_init(&cd, m->node);
        if (r < 0)
-                return r;
+                return log_debug_errno(r, "Failed to initialize dm-crypt: %m");

        r = crypt_load(cd, CRYPT_LUKS1, NULL);
-        if (r < 0)
+        if (r < 0) {
+                log_debug_errno(r, "Failed to load LUKS metadata: %m");
                goto fail;
+        }

        r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
                                         ((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
                                         ((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
+        if (r < 0)
+                log_debug_errno(r, "Failed to activate LUKS device: %m");
        if (r == -EPERM) {
                r = -EKEYREJECTED;
                goto fail;
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@ -23,18 +23,23 @@ Slice=machine.slice
 Delegate=yes
 TasksMax=16384

-## Enforce a strict device policy, similar to the one nspawn configures
-## when it allocates its own scope unit. Make sure to keep these
-## policies in sync if you change them!
+# Enforce a strict device policy, similar to the one nspawn configures when it
+# allocates its own scope unit. Make sure to keep these policies in sync if you
+# change them!
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw

-# nspawn itself needs access to /dev/loop-control and /dev/loop, to
-# implement the --image= option. Add these here, too.
+# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
+# the --image= option. Add these here, too.
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw

+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 [Install]
 WantedBy=machines.target