BindReadOnlyPaths=/proc breaks NetworkD sysctl support #801

Open
hugotrsd opened this issue Dec 24, 2023 · 0 comments

Hey there!

I'm having an issue with some changes introduced with #445, more specifically this part of commit c9e314c. It sets both /sys and /proc as read-only for systemd-networkd.service. This was later refactored in 5061186 by #779.

This issue is present (in my case) with the latest archlinux container image from https://images.linuxcontainers.org.

NetworkD supports setting sysctl options on interfaces, like with IPv6AcceptRA=yes|no which translates to net.ipv6.conf.all.accept_ra being set accordingly. However, having /proc mounted as read-only prevents NetworkD from performing these changes, with the following warning:

Cannot disable kernel IPv6 accept_ra for interface, ignoring: Read-only file system.

This is just an example, but there is actually a great deal of those.

I'd like to question the validity of /proc being read-only here. The SystemD container interface recommends mounting /sys and /proc/sys as read-only for added security, but to leave /proc/sys/net read-write if the network stack is namespaced (for LXC/Incus containers, I wonder if /proc/sys could be left read-write entirely). Here, preventing NetworkD from editing sysctl options breaks functionality.

Guessing from the comment above fix_ro_paths, it seems to me the intention was to prevent systemd-udevd.service from running by having /sys mounted as read-only (leveraging the ConditionPathIsReadWrite=/sys check). However, since fix_ro_paths is not called with systemd-udevd.service, this won't work, so I may be missing something here.

Is there any reason to have /proc in the list of restricted paths here?

Thanks!
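The mount-namespace check behind the report above, as an added example that is not part of the issue or of the project: given the contents of a service's `/proc/<pid>/mounts`, it maps a sysctl key such as `net.ipv6.conf.all.accept_ra` to its `/proc/sys` path and decides whether the mount covering that path is read-only. The sample mount tables are constructed; the second one shows the container-interface layout the issue cites (`/proc/sys` read-only, `/proc/sys/net` rebound read-write). Interface names containing dots are assumed absent.

```python
# Constructed sample: what a service's mount table might look like when a
# read-only bind of /proc is layered over the normal one (example data).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=65536k 0 0
"""

# Same table with /proc/sys/net rebound read-write afterwards, as the
# systemd container interface recommends for a namespaced network stack.
SAMPLE_MOUNTS_FIXED = SAMPLE_MOUNTS + (
    "proc /proc/sys/net proc rw,nosuid,nodev,noexec,relatime 0 0\n"
)

def sysctl_key_to_path(key):
    """Map a dotted sysctl key to its /proc/sys file (assumes no dots in
    interface names; the sysctl '/' separator syntax is not handled)."""
    return "/proc/sys/" + key.replace(".", "/")

def parse_mounts(text):
    """Return [(mount_point, set_of_options)] in mount order, decoding the
    octal escape that /proc/mounts uses for spaces in paths."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mount_point = fields[1].replace("\\040", " ")
        entries.append((mount_point, set(fields[3].split(","))))
    return entries

def effective_mount(path, mounts):
    """The mount that actually backs `path`: the last listed mount whose
    mount point is `path` or an ancestor of it. /proc/mounts is in mount
    order, and a later mount shadows everything beneath its mount point."""
    covering = None
    for mount_point, opts in mounts:
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            covering = (mount_point, opts)
    return covering

def is_read_only(key, mounts_text):
    """True if writes to the sysctl `key` would fail with EROFS in a process
    whose mount table is `mounts_text`."""
    backing = effective_mount(sysctl_key_to_path(key), parse_mounts(mounts_text))
    return backing is not None and "ro" in backing[1]
```

To inspect a running service rather than the sample data, pass the text of `/proc/<pid>/mounts` for the networkd process, since the read-only bind only exists inside that service's mount namespace.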
