
Make shadow-capable runners available to arti project(s)

I'm working on adding shadow-based integration tests to arti: tpo/core/arti#174 (closed)

I tried running it with the shadow-small tag, but it seems unable to pick up any runners: https://gitlab.torproject.org/jnewsome/arti/-/jobs/156064. Presumably this is because they are specifically linked with the congestion control project, rather than in the shared runner pool: https://gitlab.torproject.org/jnewsome/sponsor-61-sims/-/settings/ci_cd

One solution might be to register the shadow-small runners with core/arti. Though I think for it to run on pull requests it might also need to be added to the corresponding developer's forked repo?

It'd be a bit more convenient if some shadow-capable runners were in the shared pool. Unlike the shadow simulations we don't need massive CPU or RAM or need to worry about disabling side-channel mitigations for performance etc. Such a runner just needs to be x86-64 Linux. The main hiccup I'm aware of is that Docker's seccomp policy excludes the process_vm_readv and process_vm_writev syscalls (which shadow needs) unless you give the container CAP_SYS_PTRACE. So we'd either need to give such a runner CAP_SYS_PTRACE, or use a custom seccomp policy (which unfortunately means ~forking a policy file IIRC), or disable Docker's seccomp policy entirely.

Wdyt?
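The custom-seccomp-policy option from the issue above, sketched as an added example that is not part of the original issue or of the arti or shadow code: it derives a profile that allows only process_vm_readv and process_vm_writev without CAP_SYS_PTRACE and leaves every other rule as it was. The sample profile is a constructed, trimmed stand-in for Docker's profile JSON, and the function names are hypothetical.

```python
import copy
import json

# Constructed, heavily trimmed sample in the shape of Docker's seccomp profile
# JSON; a real runner would start from the profile shipped with its Docker version.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["process_vm_readv", "process_vm_writev", "ptrace"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}

# The two syscalls the issue says shadow needs.
SHADOW_SYSCALLS = ["process_vm_readv", "process_vm_writev"]


def allowed_without_caps(profile, name):
    """True if some rule allows `name` with no capability, arch or argument condition."""
    for rule in profile.get("syscalls", []):
        if name not in rule.get("names", []):
            continue
        conditional = rule.get("includes") or rule.get("excludes") or rule.get("args")
        if rule.get("action") == "SCMP_ACT_ALLOW" and not conditional:
            return True
    return False


def derive_profile(profile, names):
    """Return a copy of `profile` that unconditionally allows only the missing `names`."""
    derived = copy.deepcopy(profile)
    missing = [n for n in names if not allowed_without_caps(derived, n)]
    if missing:
        # Rules are additive: one extra allow rule is enough, and ptrace itself
        # stays gated behind CAP_SYS_PTRACE by the untouched original rule.
        derived["syscalls"].append({"names": missing, "action": "SCMP_ACT_ALLOW"})
    return derived


if __name__ == "__main__":
    print(json.dumps(derive_profile(SAMPLE_PROFILE, SHADOW_SYSCALLS), indent=2))
```

The resulting JSON would be passed to the container with Docker's `--security-opt seccomp=<file>` option; regenerating it from each new Docker release's profile avoids the hand-maintained fork the issue mentions.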
