nspawn: make sure we install the device policy if nspawn is run as unit as on the command line

src/nspawn/nspawn.c

@@ -2014,6 +2014,10 @@ static int register_machine(pid_t pid, int local_ifindex) {
                 if (r < 0)
                         return bus_log_create_error(r);
 
+                /* If you make changes here, also make sure to update
+                 * systemd-nspawn@.service, to keep the device
+                 * policies in sync regardless if we are run with or
+                 * without the --keep-unit switch. */
                 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
                                           /* Allow the container to
                                            * access and create the API

units/systemd-nspawn@.service.in

@@ -19,5 +19,19 @@ RestartForceExitStatus=133
 SuccessExitStatus=133
 Delegate=yes
 
+# Enforce a strict device policy, similar to the one nspawn configures
+# when it allocates its own scope unit. Make sure to keep these
+# policies in sync if you change them!
+DevicePolicy=strict
+DeviceAllow=/dev/null rwm
+DeviceAllow=/dev/zero rwm
+DeviceAllow=/dev/full rwm
+DeviceAllow=/dev/random rwm
+DeviceAllow=/dev/urandom rwm
+DeviceAllow=/dev/tty rwm
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=/dev/pts/ptmx rw
+DeviceAllow=char-pts rw
+
 [Install]
 WantedBy=machines.target