Jeremy, I agree that this is a long-term security-hardening opportunity and not a specific exploit that needs patching. Exploiting this would (or should) require escaping some service as that user (i.e. nova) in order to be able to run nova's privsep routines. If that's possible, that's something we would want to patch under embargo. Any user on the system shouldn't be able to exploit nova's privsep rules if the sudo rule properly restricts running privsep as the nova user.
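The comment above hinges on one condition: the sudo rule must allow only the service user (nova) to run the privsep helper, and must grant nothing broader than that helper. A small audit script makes that condition checkable. The following is an added example, not code from the bug report or from nova; the sudoers lines, the helper path `/usr/bin/privsep-helper`, and the service user name are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample sudoers fragment (assumed helper path; not taken from any deployment).
SAMPLE_SUDOERS = """\
# weak: every member of group wheel may run the privsep helper as root
%wheel ALL = (root) NOPASSWD: /usr/bin/privsep-helper
# weak: nova may run any command as anyone
nova ALL = (ALL) NOPASSWD: ALL
# expected: only the nova user may run the helper, and only as root
nova ALL = (root) NOPASSWD: /usr/bin/privsep-helper
"""

# user/group spec, host, optional (runas) list, then tags and commands
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<cmds>.+)$'
)
# leading tag list such as "NOPASSWD:" or "SETENV:"
TAG_RE = re.compile(r'^(?:[A-Z]+:\s*)+')


@dataclass
class Rule:
    who: str            # user spec, e.g. "nova", "%wheel", "ALL"
    runas: str          # target user list, defaults to root when omitted
    commands: list      # command list, may contain the literal "ALL"


def parse_sudoers(text):
    """Parse simple one-line sudoers user specifications; skip comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults/alias lines are out of scope for this check
        cmds = TAG_RE.sub('', m.group('cmds'))
        commands = [c.strip() for c in cmds.split(',') if c.strip()]
        runas = (m.group('runas') or 'root').strip()
        rules.append(Rule(m.group('who'), runas, commands))
    return rules


def audit_privsep_rules(rules, helper='/usr/bin/privsep-helper', service_user='nova'):
    """Return findings for rules that let anyone but the service user reach the
    helper, or that give the service user more than the helper."""
    findings = []
    for r in rules:
        grants_helper = any(c in (helper, 'ALL') for c in r.commands)
        if grants_helper and r.who != service_user:
            findings.append(
                f"{r.who} may run {helper}: helper is not restricted to {service_user}")
        if r.who == service_user and 'ALL' in r.commands:
            findings.append(
                f"{service_user} may run ALL commands: rule is broader than the privsep helper")
    return findings


if __name__ == '__main__':
    for finding in audit_privsep_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print('WARN:', finding)
```

Run against a real `/etc/sudoers.d/` fragment, only the third form of rule in the sample should survive the audit; the first two are the cases where a compromise of some other account, or of the nova service itself, would widen into the privsep routines the comment describes.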