[systemd-devel] Proc protection of services and TemporaryFileSystem=/

John johnbast at protonmail.com
Tue Sep 21 05:18:34 UTC 2021


TemporaryFileSystem=/ can be used to limit the file system to just some necessary paths, set with BindReadOnlyPaths/BindPaths to some files, depending on what the service needs. This does not mount /proc and /sys.

There are some [Service] settings regarding proc, such as ProtectProc, ProtectKernelTunables, ProtectControlGroups and ProcSubset, which re-introduce /proc. My question is whether their most protective functions are active just because /proc is not present. If so, systemd-analyze security could be improved by recognizing that /proc isn't available.

Examples:
ProtectProc=invisible
ProtectKernelTunables=true
ProtectControlGroups=true
ProcSubset=pid

On another note, ProtectHostname=true seems to cause a systemd error in a limited file system.

Any insights are appreciated.
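For readers who want to reproduce the setup described in the post, here is an added example unit (not from the post, nor from the systemd project) that combines TemporaryFileSystem=/ with the minimal read-only bind mounts a dynamically linked binary needs, applies the four proc-related settings listed above, and runs a small probe that reports whether /proc, /sys and /dev are visible from inside the sandbox. The bind-mount paths assume a glibc host with a merged /usr; adjust them for other layouts.

```ini
# probe-tmpfs-root.service (added example; bind-mount paths are assumptions)
[Unit]
Description=Probe which API filesystems are visible under TemporaryFileSystem=/

[Service]
Type=oneshot
# Replace the whole root with an empty tmpfs; only the bind mounts below exist.
TemporaryFileSystem=/
# Read-only bind mounts so /bin/sh and its shared libraries can be found.
# On a merged-/usr host /bin, /lib and /lib64 are symlinks into /usr; binding
# them read-only makes the loader path (e.g. /lib64/ld-linux-x86-64.so.2) resolvable.
BindReadOnlyPaths=/usr /bin /lib /lib64
# The proc-related settings the post asks about.
ProtectProc=invisible
ProcSubset=pid
ProtectKernelTunables=yes
ProtectControlGroups=yes
# Probe: report each API filesystem as present (with entry count) or absent.
ExecStart=/bin/sh -c 'for p in /proc /sys /dev; do if [ -d "$p" ]; then echo "$p present: $(ls "$p" | wc -l) entries"; else echo "$p absent"; fi; done'
```

Install it under /etc/systemd/system/, run `systemctl daemon-reload && systemctl start probe-tmpfs-root.service`, and read the probe output with `journalctl -u probe-tmpfs-root.service`. Comparing that output with `systemd-analyze security probe-tmpfs-root.service` shows exactly the gap the post describes: the analyzer scores the ProtectProc=/ProcSubset= settings on their own, while the probe reports what the service can actually reach. Toggling MountAPIVFS=yes in the same unit is a quick way to see the difference between a root without /proc and one where systemd mounts the API filesystems itself.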


