Thanks @stgraber. I was missing the `lxc.cgroup.devices.allow` lines. For anyone finding this later, this is the config I used successfully:
```yaml
config:
  security.idmap.isolated: "true"
  security.privileged: "true"
  linux.kernel_modules: dm_crypt,btrfs,dm_mod,cryptd,crypto_simd,dm_multipath,sha256,sha512,aes_ti,sha3_generic
  raw.apparmor: |-
    mount fstype=btrfs options=(rw, nosuid, nodev, noexec, relatime) /mnt/test,
    mount fstype=btrfs options=(rw, nosuid, nodev, noexec, relatime) /dev/mapper/test,
    mount fstype=btrfs options=(rw, nosuid, nodev, noexec, relatime) /dev/dm*,
  raw.lxc: |-
    $( /bin/ls -l -d -b -w0 -U $( /bin/ls -l -d -b -w0 -U /dev/mapper/* | /bin/grep -Ev -e 'test' -e '/vgData-lvCrypt' | /bin/grep -E '^l' | /bin/sed -r -e 's|^.+\->\s+||' -e 's|^../|/dev/|' ) | /usr/bin/awk '{print $5 ":" $6}' | /bin/sed -r 's/,:/:/' | while read X ; do
      echo " lxc.cgroup.devices.deny = b $X rwm"
    done )
    lxc.cgroup.devices.allow = b 253:* rwm
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
    security.mac_filtering: "true"
  root:
    path: /
    pool: local
    type: disk
  lvCrypt:
    path: /dev/test
    source: $( /usr/bin/printf '%q' "$( /usr/bin/realpath -e /dev/mapper/vgData-lvCrypt )")
    type: unix-block
  mapper.control:
    path: /dev/mapper/control
    source: /dev/mapper/control
    type: unix-char
```
The code denies access to all the dm nodes apart from those needed for the decrypt & mount. `/dev/mapper/control` is needed for the device mapper to work.

Note that, unlike in @simos' config in https://blog.simos.info/how-to-add-multi-line-raw-lxc-configuration-to-lxd/, on my system (Ubuntu LTS 20.04) the device type identifiers are `major:minor` and it needs the modes (`rwm` for read, write, mknod) on the end.
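The `raw.lxc` pipeline above derives each device's `major:minor` by parsing `ls -l` output, which is why it needs the `sed 's/,:/:/'` fix-up. As an added example (not the poster's config and not part of LXD or LXC), the script below builds the same `b major:minor rwm` deny rules from `stat(1)` instead, resolving `/dev/mapper/*` symlinks to their `/dev/dm-N` targets first and skipping anything that is not a block or character node. The function and variable names (`cgroup_rule`, `deny_all_except`) are my own; the directory and keep-pattern arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build LXC device-cgroup rules from stat(1) rather than
# parsing ls(1). Not the original poster's config.

# cgroup_rule <allow|deny> <device-node>
# Prints one rule such as "lxc.cgroup.devices.deny = b 253:0 rwm".
# Returns 1 if the path is missing or is not a block/char device node.
cgroup_rule() {
    action="$1"
    node="$2"
    # /dev/mapper/<name> entries are usually symlinks to /dev/dm-N; follow them.
    node="$(readlink -f "$node")" || return 1
    [ -e "$node" ] || return 1
    if [ -b "$node" ]; then
        kind=b
    elif [ -c "$node" ]; then
        kind=c
    else
        return 1
    fi
    # stat prints major (%t) and minor (%T) in hex; cgroup rules want decimal.
    hexmaj="$(stat -c '%t' "$node")" || return 1
    hexmin="$(stat -c '%T' "$node")" || return 1
    major=$((0x$hexmaj))
    minor=$((0x$hexmin))
    printf 'lxc.cgroup.devices.%s = %s %d:%d rwm\n' "$action" "$kind" "$major" "$minor"
}

# deny_all_except <dir> <keep-regex>
# Emits a deny rule for every device node under <dir> whose basename does NOT
# match the extended regex <keep-regex>. The "control" node is always skipped,
# since device-mapper cannot work inside the container without it.
deny_all_except() {
    dir="$1"
    keep="$2"
    for entry in "$dir"/*; do
        name="$(basename "$entry")"
        [ "$name" = control ] && continue
        printf '%s\n' "$name" | grep -Eq "$keep" && continue
        cgroup_rule deny "$entry" || continue
    done
}

# Typical use (assumed volume group and names from the post above):
#   deny_all_except /dev/mapper 'test|vgData-lvCrypt'
#   cgroup_rule allow /dev/mapper/vgData-lvCrypt
```

Run it on the host where the profile is generated and paste the output into `raw.lxc`; the allow rule for the one volume you do want exposed can be generated with the same function instead of the broad `b 253:* rwm`, which opens every device-mapper node with the dm major. On hosts running the unified cgroup v2 hierarchy, LXC reads the equivalent `lxc.cgroup2.devices.*` keys rather than `lxc.cgroup.devices.*`.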