Oh, actually, according to https://lwn.net/Articles/626665/ the setgroups file is a namespace specific knob, so flipping it to deny would actually prevent setgroups by anyone who's in the host namespace...
Oh, actually, according to https:/ /lwn.net/ Articles/ 626665/ the setgroups file is a namespace specific knob, so flipping it to deny would actually prevent setgroups by anyone who's in the host namespace...