LPE to Onion Circuits' privileged network namespace due to incorrect sudo configuration
https://git.radicallyopensecurity.com/otf/pen-tails/-/issues/3
User impact
An adversary who can already execute arbitrary code as the amnesia user can leverage this vulnerability to get information about Tor status, such as all circuits and streams, without these actions being visible in the graphical desktop environment. They can also close arbitrary circuits, which may result in denial of service and lead the user to do their activities in a less safe environment.
Note: even without this vulnerability, such an adversary is likely able to gather the same information via accessibility interfaces, assuming Onion Circuits is running already or it's OK to start it (possibly at a time when the user is idle or the screen is locked). We have accepted this risk when we implemented Onion Circuits.
Practical exploitation path
Same as #20701 (closed), due to the need to run sudo.
Proof of concept
cp -af /var/run/user/1000/user-env /tmp/foo && sudo ENVFILE=/tmp/foo /usr/local/bin/onioncircuits --gtk-module 1
… demonstrates that --gtk-module is passed through and honored by the GTK app, which allows loading an arbitrary .so file and thus LPE to the network namespace set up by the onioncircuits wrapper.
We previously had correct configuration that protected against this class of attacks, but 3b50f92e removed it for some reason.
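For reference, here is the shape of the weak rule versus a rule that forbids arguments, together with a small POSIX sh helper that classifies a sudoers Cmnd_Spec by its argument policy. This is an added illustration, not Tails' real sudoers fragment or wrapper code: the rule text, user name, runas spec and paths are assumed, and the helper is a reviewer's aid, not a replacement for visudo -c.

```shell
#!/bin/sh
# Added example (not Tails' actual configuration): classify the argument
# policy of a sudoers Cmnd_Spec so a reviewer can spot rules that let the
# caller pass arbitrary arguments, which is what lets --gtk-module through.
#
# sudoers(5) argument semantics:
#   /path/cmd            no argument list: ANY arguments are accepted
#   /path/cmd ""         empty string: cmd may only be run WITHOUT arguments
#   /path/cmd --foo bar  literal list: only exactly these arguments
#   /path/cmd --foo *    wildcards: a set of argument strings; a bare * is as weak as "any"

# classify_cmnd_args '<Cmnd_Spec without user/host/runas/tags>'
# Prints one of: any, none, fixed, pattern.
classify_cmnd_args() {
    spec=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # The program path is the first whitespace-separated word; the rest is
    # the argument list (possibly empty).
    cmd_path=${spec%%[[:space:]]*}
    args=${spec#"$cmd_path"}
    args=$(printf '%s\n' "$args" | sed 's/^[[:space:]]*//')
    case $args in
        '')                 echo any ;;      # no list at all: sudo imposes no restriction
        '""')               echo none ;;     # the only spelling that forbids arguments
        *'*'*|*'?'*|*'['*)  echo pattern ;;  # sudoers wildcards in the argument list
        *)                  echo fixed ;;
    esac
}

# cmnd_of '<full sudoers rule line>': strip "user host = (runas) TAG:" and
# return the Cmnd_Spec. Assumes a single-command rule, as in the examples below.
cmnd_of() {
    rest=${1#*=}                                   # drop "user host ="
    case $rest in *:*) rest=${rest##*:} ;; esac    # drop "(runas) TAG: ..." through the last tag
    case $rest in *')'*) rest=${rest#*')'} ;; esac # drop "(runas)" when there are no tags
    printf '%s\n' "$rest" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# The PoC also passes ENVFILE=/tmp/foo on the sudo command line. sudo honours
# a caller-supplied variable only when it is listed in env_keep/env_check or
# the rule grants SETENV (tag, "Defaults setenv", or Cmnd ALL). This flags the
# tag form only; env_keep lives in Defaults lines and must be audited separately.
rule_grants_setenv() {
    case $1 in
        *NOSETENV:*) return 1 ;;
        *SETENV:*)   return 0 ;;
        *)           return 1 ;;
    esac
}

# Assumed rule texts (hypothetical, not the lines 3b50f92e removed or added):
WEAK_RULE='amnesia ALL = (root) NOPASSWD: /usr/local/bin/onioncircuits'
HARDENED_RULE='amnesia ALL = (root) NOPASSWD: /usr/local/bin/onioncircuits ""'

for rule in "$WEAK_RULE" "$HARDENED_RULE"; do
    policy=$(classify_cmnd_args "$(cmnd_of "$rule")")
    if rule_grants_setenv "$rule"; then setenv=yes; else setenv=no; fi
    printf '%s\n  -> arguments: %s, SETENV tag: %s\n' "$rule" "$policy" "$setenv"
done
```

The weak rule classifies as "any", so sudo passes whatever the caller appends (including --gtk-module) straight to the wrapper; the hardened one classifies as "none". Either way the real file must still be validated with visudo -c -f, and the wrapper itself should refuse arguments as defence in depth rather than relying on sudoers alone.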
Reported by ROS.