confile: add lxc.init.groups to keep additional groups

src/lxc/conf.c

@@ -3918,6 +3918,7 @@ void lxc_conf_free(struct lxc_conf *conf)
 	free(conf->rcfile);
 	free(conf->execute_cmd);
 	free(conf->init_cmd);
+	free(conf->init_groups.list);
 	free(conf->init_cwd);
 	free(conf->unexpanded_config);
 	free(conf->syslog);

src/lxc/conf.h

@@ -406,6 +406,10 @@ struct lxc_conf {
 	 * should run under when using lxc-execute */
 	uid_t init_uid;
 	gid_t init_gid;
+	struct {
+		int size;
+		gid_t *list;
+	} init_groups;
 
 	/* indicator if the container will be destroyed on shutdown */
 	unsigned int ephemeral;

src/lxc/confile.c

@@ -4618,6 +4618,14 @@ static inline int clr_config_init_gid(const char *key, struct lxc_conf *c,
 	return 0;
 }
 
+static inline int clr_config_init_groups(const char *key, struct lxc_conf *c,
+					 void *data)
+{
+	free_disarm(c->init_groups.list);
+	c->init_groups.size = 0;
+	return 0;
+}
+
 static inline int clr_config_ephemeral(const char *key, struct lxc_conf *c,
 				       void *data)
 {

src/lxc/start.c

@@ -1357,12 +1357,21 @@ static int do_start(void *data)
 	 * we switched to root in the new user namespace further above. Only
 	 * drop groups if we can, so ensure that we have necessary privilege.
 	 */
-	if (lxc_list_empty(&handler->conf->id_map))
+	if (lxc_list_empty(&handler->conf->id_map)) {
 		#if HAVE_LIBCAP
 		if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
 		#endif
-			if (!lxc_drop_groups())
-				goto out_warn_father;
+		{
+			if (handler->conf->init_groups.size > 0) {
+				if (!lxc_setgroups(handler->conf->init_groups.list,
+						   handler->conf->init_groups.size))
+					goto out_warn_father;
+			} else {
+				if (!lxc_drop_groups())
+					goto out_warn_father;
+			}
+		}
+	}
 
 	if (!lxc_switch_uid_gid(new_uid, new_gid))
 		goto out_warn_father;