Add security.idmap.size support for non-isolated containers #1305
Labels: Documentation (Documentation needs updating), Easy (Good for new contributors), Feature (New feature, not a bug)
Hello,
I propose adding support for `security.idmap.size` for non-isolated containers. Currently non-isolated containers take all the IDs available in subuid and subgid.
This can be a problem when mixing isolated and non-isolated containers.
Isolated containers each take non-overlapping ID ranges starting with ID 65536.
Non-isolated containers take the whole range starting with ID 0.
This can be a problem because non-isolated containers can affect the ranges of isolated containers.
The ability to use `security.idmap.size` for non-isolated containers would allow us to restrict them to just the first 65536 IDs, which are not used by isolated containers, so there wouldn't be any overlap. This way non-isolated containers could affect each other but couldn't affect any isolated containers.
Related forum post: https://discuss.linuxcontainers.org/t/idmap-behavior-when-setting-unisolated-and-isolated-containers/21769/4
Thanks.
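A small model of the allocation the issue describes, added here as an illustration and not code from Incus or from the issue author. The 65536-ID block size and the start offset come from the post; the assumption that isolated containers receive consecutive blocks, the one-million-ID subordinate range and all function names are constructed for the example.

```python
# Constructed model of the ID-range conflict described in the issue.
# Offsets are relative to the start of the host's subuid/subgid range.
ISOLATED_SIZE = 65536


def isolated_ranges(n_isolated):
    """Offset ranges [start, end) of n isolated containers.

    Assumption: each isolated container gets the next 65536-ID block,
    the first one starting at offset 65536, as the issue describes."""
    return [(ISOLATED_SIZE * (i + 1), ISOLATED_SIZE * (i + 2))
            for i in range(n_isolated)]


def non_isolated_range(subid_count, idmap_size=None):
    """Offset range of a non-isolated container.

    Today it spans the whole subordinate range (idmap_size=None);
    with the proposed security.idmap.size support it is capped."""
    size = subid_count if idmap_size is None else min(idmap_size, subid_count)
    return (0, size)


def overlaps(a, b):
    """True if half-open ranges a and b share at least one ID."""
    return a[0] < b[1] and b[0] < a[1]


def conflicting_isolated(subid_count, n_isolated, idmap_size=None):
    """Indices of isolated containers whose range the non-isolated
    container can reach, i.e. the isolation boundary that is crossed."""
    shared = non_isolated_range(subid_count, idmap_size)
    return [i for i, r in enumerate(isolated_ranges(n_isolated))
            if overlaps(shared, r)]


if __name__ == "__main__":
    # Typical /etc/subuid entry hands out 1,000,000 IDs (constructed value).
    subids = 1_000_000
    print("no cap:      ", conflicting_isolated(subids, 3))
    print("cap 65536:   ", conflicting_isolated(subids, 3, idmap_size=65536))
```

With no cap every isolated container is reachable; capping the non-isolated map at 65536 IDs leaves the list empty, which is the separation the proposal asks for.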