Comment 8 for bug 1729357

I agree that in order to preserve the ability of unprivileged containers to call setgroups we need some root-owned config file (possibly a column in /etc/subgid, possibly a new file) that controls which users newgidmap *won't* set /proc/$pid/setgroups to deny for.

Serge, I'm not much of a C programmer but I'd be happy to try writing a patch once we decide on the solution.