Comment 4 for bug 1692111
Christian Brauner (cbrauner) wrote :

So I think we might be able to handle this smarter so that users can actually use the full 5 id map ranges. In order to correctly operate on files on the host that we want to chown to the container root user we need only two mappings.
So let's say you want to chown a file to belong to 1000:165536 where the 1000 is your uid on the host and 166536 is the gid of the container root as seen from the host. In order to run a function that executes chown you need:
- a mapping of 65536 (in our example) onto {u,g}id 1000 in a new user namespace
- a mapping of 0 onto 165536 in a new user namespace
Other mappings are not needed. So we can remove the other mappings when executing a function in a new user namespace. The patch for that is somewhat intricate but I'll whip it up soon.
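The two-entry map described in this comment, written out as an added C example (not LXD's code and not the patch mentioned above): the parent writes uid_map and gid_map for a child that has entered a new user namespace, so the child can chown a host file to container root using only the caller's own id and the container root id. The function and parameter names are assumptions for illustration; the 65536 in-namespace id and the 1000/165536 host ids follow the comment's example.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Two-line map: host id host_self is reachable as ns_self (65536 in the
 * comment), container root host_root as id 0.  Returns bytes written or -1. */
int build_minimal_map(char *buf, size_t len, unsigned ns_self,
                      unsigned host_self, unsigned host_root)
{
    int n = snprintf(buf, len, "%u %u 1\n0 %u 1\n", ns_self, host_self, host_root);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

static int write_proc_map(pid_t pid, const char *name, const char *map)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    FILE *f = fopen(path, "w"); if (!f) return -1;
    int rc = fputs(map, f) == EOF ? -1 : 0;
    return fclose(f) == 0 ? rc : -1;
}

/* Run chown(path, ns_uid, ns_gid) in a child inside a fresh user namespace
 * whose uid_map and gid_map hold only the two lines above.  Writing a
 * multi-line map needs CAP_SETUID/CAP_SETGID in the parent namespace (root).
 * The file's current owner/group must also be mapped for chown to succeed. */
int chown_in_userns(const char *path, unsigned host_self, unsigned host_root,
                    unsigned ns_uid, unsigned ns_gid)
{
    int to_parent[2], to_child[2], status;
    char map[128], c = 0;
    if (pipe(to_parent) < 0 || pipe(to_child) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                         /* child */
        if (unshare(CLONE_NEWUSER) < 0) _exit(2);
        if (write(to_parent[1], &c, 1) != 1) _exit(3);      /* ns ready */
        if (read(to_child[0], &c, 1) != 1) _exit(4);        /* maps written */
        _exit(chown(path, ns_uid, ns_gid) == 0 ? 0 : 5);
    }
    if (read(to_parent[0], &c, 1) != 1) return -1;
    if (build_minimal_map(map, sizeof map, 65536, host_self, host_root) < 0) return -1;
    if (write_proc_map(pid, "uid_map", map) < 0 || write_proc_map(pid, "gid_map", map) < 0) return -1;
    if (write(to_child[1], &c, 1) != 1) return -1;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

With the comment's numbers, `chown_in_userns("/path/to/file", 1000, 165536, 65536, 0)` leaves the file owned by 1000:165536 on the host.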