My naive thought is that, if you unshare the user ID namespace, you should still have the same user_struct; you just wouldn't necessarily find it under your original UID. I'd think that if a whole-system user starts a process in new container, the limits of root of the new container would be those of the original whole-system user, at least until things ran setreuid. I'm also not clear why setreuid wouldn't need all the complicated stuff in any case, since it must be handling the process changing user_structs.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds