Closed (tasket closed this issue 5 years ago)
When the service is installed, the user would be asked if either of the above should be done automatically:
Generate a sha256sum list of all the protected files in /home/user dir so they are checked at startup.
Copy protected /home files to /etc/default/vms.
This would cover a gap in the protection of /home when an attack achieves privilege escalation, without the user having to do manual configuration.
This is more effectively done via the explicit support for /home/user that was recently added, which uses /etc/skel in combination with the ability to add /home to the privdirs list.