diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c898d226a7..0b650fc67a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -124,7 +124,16 @@
partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single
Linux-compatible partition, or a set of file systems within a GPT partition table that follows the Discoverable Partitions
- Specification.
+ Specification.
+
+ When DevicePolicy= is set to closed or strict,
+ or set to auto and DeviceAllow= is set, then this setting adds
+ /dev/loop-control with rw mode, block-loop and
+ block-blkext with rwm mode to DeviceAllow=. See
+ systemd.resource-control5
+ for the details about DevicePolicy= or DeviceAllow=. Also, see
+ PrivateDevices= below, as it may change the setting of DevicePolicy=.
+
diff --git a/src/core/unit.c b/src/core/unit.c
index 23433be31c..17f4ff3ebd 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4143,12 +4143,28 @@ int unit_patch_contexts(Unit *u) {
}
cc = unit_get_cgroup_context(u);
- if (cc) {
+ if (cc && ec) {
- if (ec &&
- ec->private_devices &&
+ if (ec->private_devices &&
cc->device_policy == CGROUP_AUTO)
cc->device_policy = CGROUP_CLOSED;
+
+ if (ec->root_image &&
+ (cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
+
+ /* When RootImage= is specified, the following devices are touched. */
+ r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw");
+ if (r < 0)
+ return r;
+
+ r = cgroup_add_device_allow(cc, "block-loop", "rwm");
+ if (r < 0)
+ return r;
+
+ r = cgroup_add_device_allow(cc, "block-blkext", "rwm");
+ if (r < 0)
+ return r;
+ }
}
return 0;