idmapped mounts: should they be applied recursively?

[cyphar]

The current text for idmapped mounts doesn't specify whether the attributes should be applied recursively or not (AT_RECURSIVE). At the moment, runc never passes AT_RECURSIVE. The two options I can see are:

• Make rbind imply that the attribute should be recursive, since that's the only case where AT_RECURSIVE is necessary. (This would imply that it's always recursive.) The main downside is that a user wouldn't be able to opt-out of it, and runc's current behaviour would be spec in-compliant. But I suspect this is what most users would expect.
• Make it configurable with a new mount option (ridmap, maybe) which can only be set if you have the uidMappings and gidMappings options enabled. The main downside is that the current rbind (which is counter-intuitive imho) would remain, but that would avoid any possible backwards-compatibility issues with runtime-spec 1.1.0.