[$] Sticky groups in the shadows

Group membership is normally used to grant access to some resource;
examples might include using groups to control access to a shared
directory, a printer, or the ability to use tools like sudo. It
is possible, though, to use group membership to deny access to a
resource instead, and some administrators make use of that feature. But
groups only work as a negative credential if the user cannot shed them at
will. Occasionally, some way to escape a group has turned up, resulting in
vulnerabilities on systems where they are used to block access; despite
fixes in the past, it turns out that there is still a potential problem
with groups and user namespaces; this
patch set from Giuseppe Scrivano seeks to mitigate it through the
creation of 'shadow' groups.