Comment 6 for bug 1729357

Oh, actually, according to https://lwn.net/Articles/626665/ the setgroups file is a namespace specific knob, so flipping it to deny would actually prevent setgroups by anyone who's in the host namespace...