ID-mapped mounts
Posted May 30, 2022 17:07 UTC (Mon) by brauner (subscriber, #109349)
In reply to: ID-mapped mounts by jhoblitt
Parent article: ID-mapped mounts
In order to create idmapped mounts you will need to have CAP_SYS_ADMIN in the user namespace the filesystem was mounted in and the filesystem needs to support them by raising FS_ALLOW_IDMAP. Since no filesystems that support being mounted unprivileged support them - and probably don't need to - this means you need to be CAP_SYS_ADMIN in the initial user namespace. There are no immediate plans to lower the privilege requirements.
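
A pre-flight check for the privilege half of the requirement described in the comment above, as an added example that is not part of the original comment or of any kernel or util-linux code. The function names are hypothetical, the "full identity map" test is a heuristic for being in the initial user namespace, and whether the filesystem raises FS_ALLOW_IDMAP is not checked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN in <linux/capability.h> */

/* 1 if the CapEff line of a /proc/<pid>/status text has CAP_SYS_ADMIN set. */
int has_cap_sys_admin(const char *status)
{
    const char *p = status;
    while (p && strncmp(p, "CapEff:", 7) != 0) { /* match at line start only */
        p = strchr(p, '\n');
        if (p) p++;
    }
    if (!p) return 0;
    return (int)((strtoull(p + 7, NULL, 16) >> CAP_SYS_ADMIN_BIT) & 1);
}

/* 1 if a uid_map/gid_map text is the full identity mapping "0 0 4294967295".
 * Heuristic (assumption): the initial user namespace always shows this map,
 * but a privileged writer can give a child namespace the same one. */
int is_full_identity_map(const char *map)
{
    unsigned long long in, out, count;
    if (sscanf(map, "%llu %llu %llu", &in, &out, &count) != 3) return 0;
    return in == 0 && out == 0 && count == 4294967295ULL;
}

/* Privilege half of the requirement only; FS_ALLOW_IDMAP is not checked. */
int meets_privilege_requirement(const char *status, const char *uid_map)
{
    return has_cap_sys_admin(status) && is_full_identity_map(uid_map);
}

static int slurp(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    buf[fread(buf, 1, len - 1, f)] = '\0';
    fclose(f);
    return 0;
}

int main(void)
{
    char status[8192], map[256];
    if (slurp("/proc/self/status", status, sizeof status) ||
        slurp("/proc/self/uid_map", map, sizeof map)) {
        perror("/proc/self");
        return 2;
    }
    int ok = meets_privilege_requirement(status, map);
    printf("CAP_SYS_ADMIN in initial user namespace: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```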
