With sudo disabled, the cracker must also have a local exploit that gets past SELinux. Assuming Ubuntu supports SELinux (does it?)
No, it comes with AppArmor instead.
There are trappings of SELinux in Intrepid, if not Hardy.
Package: libselinux1
Description: SELinux shared libraries
 This package provides the shared libraries for Security-enhanced Linux. Security-enhanced Linux is a patch of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security.
 .
 libselinux1 provides an API for SELinux applications to get and set process and file security contexts and to obtain security policy decisions. Required for any applications that use the SELinux API.