
Add a check to see if any runner is in privileged mode.

micah requested to merge privilege_check into main

A GitLab CI runner is likely to be in privileged mode if one can perform a command that requires the NET_ADMIN capability:

```sh
$ ip link add dummy0 type dummy
```

If this command runs successfully, you can conclude that the container has the NET_ADMIN capability. NET_ADMIN is part of the privileged capabilities set, and containers that don't have it are not privileged.

This test attempts to run the above command, and if it succeeds (exit code 0), then the test is considered to be a failure, because the runner is in privileged mode.

See: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41332#note_2949030
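An expanded version of the check described above, added here as an example and not the merge request's own code. It keeps the `ip link add` probe from the description, removes the interface again if creation succeeded, reports "ip not installed" and "name already taken" as inconclusive instead of letting them pass as "not privileged", and adds a side-effect-free reading of the same bit from the `CapEff` line of `/proc/self/status` (CAP_NET_ADMIN is capability number 12). The function names, the default interface name `privchk0` and the exit codes 2 and 3 are this example's own conventions, not anything from the linked issue.

```sh
#!/bin/sh
# Added example, not code from the merge request: the NET_ADMIN probe from the
# description, with cleanup and inconclusive results separated out, plus a
# read-only check of the effective capability mask. Function names and the
# exit codes 2/3 are this example's own conventions.

CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN is capability number 12 on Linux

# mask_has_net_admin HEXMASK
# 0 if bit 12 is set in a CapEff-style hex mask, 1 if clear, 2 if not hex.
# Only the low 16 bits are converted, so wide masks never overflow $(( )).
mask_has_net_admin() {
    mask=$1
    case $mask in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    case $mask in ????*) low=${mask#"${mask%????}"} ;; *) low=$mask ;; esac
    [ $(( (0x$low >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# status_has_net_admin [STATUS_FILE]
# Reads CapEff from a /proc/<pid>/status file (default: this shell's own) and
# reports whether CAP_NET_ADMIN is in the effective set.
# 0: present, 1: absent, 2: no CapEff line (non-Linux or unreadable file).
status_has_net_admin() {
    file=${1:-/proc/self/status}
    mask=$(sed -n 's/^CapEff:[[:space:]]*\([0-9a-fA-F]*\).*/\1/p' "$file" 2>/dev/null)
    [ -n "$mask" ] || return 2
    mask_has_net_admin "$mask"
}

# probe_net_admin [IFNAME]
# The live test from the merge request: create a dummy interface, which needs
# CAP_NET_ADMIN in the current network namespace.
# 0: created (and removed again)  -> CAP_NET_ADMIN is effective
# 1: "Operation not permitted"    -> CAP_NET_ADMIN is not effective
# 2: ip(8) not installed          -> inconclusive
# 3: name taken or other failure  -> inconclusive, message on stderr
probe_net_admin() {
    ifname=${1:-privchk0}
    command -v ip >/dev/null 2>&1 || return 2
    if ip link show "$ifname" >/dev/null 2>&1; then
        echo "probe_net_admin: $ifname already exists, pick another name" >&2
        return 3
    fi
    if err=$(ip link add "$ifname" type dummy 2>&1); then
        # Do not leave the interface behind on a runner that allowed it.
        ip link delete "$ifname" 2>/dev/null ||
            echo "probe_net_admin: could not remove $ifname" >&2
        return 0
    fi
    case $err in
        *"not permitted"*) return 1 ;;
        *) echo "probe_net_admin: $err" >&2; return 3 ;;
    esac
}

# check_runner
# Combines both signals. 0: neither shows CAP_NET_ADMIN (the CI test passes);
# 1: at least one does (the runner looks privileged, the CI test fails).
# An inconclusive probe is reported but does not by itself fail the check.
check_runner() {
    verdict=0
    if status_has_net_admin; then
        echo "check_runner: CapEff in /proc/self/status includes CAP_NET_ADMIN" >&2
        verdict=1
    fi
    rc=0
    probe_net_admin || rc=$?
    case $rc in
        0) echo "check_runner: ip link add succeeded, CAP_NET_ADMIN is effective" >&2
           verdict=1 ;;
        1) ;;
        *) echo "check_runner: ip probe inconclusive (status $rc)" >&2 ;;
    esac
    return $verdict
}

# Stand-alone run: print the verdict. In a CI job, call check_runner as the
# last command of the script so its status becomes the job status.
if check_runner; then
    echo "OK: CAP_NET_ADMIN not effective, runner does not look privileged"
else
    echo "FAIL: CAP_NET_ADMIN is effective, runner looks privileged"
fi
```

Two caveats worth keeping in mind when reading the result: the probe detects CAP_NET_ADMIN, which `--privileged` always grants but which can also be granted on its own (`--cap-add NET_ADMIN`) or obtained inside an unprivileged user namespace with its own network namespace, so a positive result means "has NET_ADMIN here", not strictly "is a privileged container"; and a failure of `ip link add` for any reason other than "Operation not permitted" (interface name in use, `ip` missing, netlink blocked by seccomp) is surfaced as inconclusive rather than counted as "not privileged", so the job does not pass by accident.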
