Add a check to see if any runner is in privileged mode.
A gitlab-ci runner is likely to be in privileged mode if one can perform a command that requires the NET_ADMIN capability:
$ ip link add dummy0 type dummy
If this command runs successfully, you can conclude that the container has the NET_ADMIN capability. NET_ADMIN is part of the privileged capabilities set, and containers that don’t have it are not privileged.
This test attempts to do the above command, and if it succeeds (exit code 0), then the test is considered to be a failure, because the runner is in privileged mode.
See: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41332#note_2949030
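
The check described above, as an added example that is not part of the commit or the project's test code: it runs the same ip link probe (with cleanup) and also reads the effective capability mask from /proc/self/status, because the probe can also fail for reasons unrelated to capabilities, for instance when ip is not installed. The function names, the capchk link name and the sample masks are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the project's test script.
CAP_NET_ADMIN_BIT=12                   # CAP_NET_ADMIN in linux/capability.h
SAMPLE_ALL_CAPS=000001ffffffffff       # constructed sample: bits 0-40 set
SAMPLE_NO_NET_ADMIN=00000000a80425fb   # constructed sample: bit 12 clear

# cap_eff [FILE]: print the effective capability mask (hex) from a status file.
cap_eff() {
    sed -n 's/^CapEff:[[:space:]]*//p' "${1:-/proc/self/status}"
}

# has_cap MASK BIT: succeed if BIT is set in the hex MASK.
has_cap() {
    [ -n "$1" ] || return 2
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# probe_dummy_link: the commit's probe, with a per-process name and cleanup.
probe_dummy_link() {
    link="capchk$$"    # hypothetical name; the commit uses dummy0
    ip link add "$link" type dummy 2>/dev/null || return 1
    ip link delete "$link" 2>/dev/null
    return 0
}

# check_runner: return 1 (test failure) if the runner has CAP_NET_ADMIN.
check_runner() {
    if has_cap "$(cap_eff)" "$CAP_NET_ADMIN_BIT"; then
        echo "FAIL: CAP_NET_ADMIN is in the effective set"; return 1
    fi
    if probe_dummy_link; then
        echo "FAIL: created a dummy interface"; return 1
    fi
    echo "PASS: no CAP_NET_ADMIN"; return 0
}

# Run the check only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    check_runner
    exit $?
fi
```

Invoked with --run inside a CI job, the script exits non-zero when the runner holds CAP_NET_ADMIN, matching the pass/fail sense of the test described above.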