package pulse secure

dadevel · Nov 2, 2024 · 6dcb118 · 6dcb118
1 parent c608d03
commit 6dcb118
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 0 deletions.
diff --git a/pulsesecure/PKGBUILD b/pulsesecure/PKGBUILD
@@ -0,0 +1,26 @@
+pkgname=pulsesecure
+pkgver=latest
+pkgrel=1
+source=('https://dl.sva.de/pulsesecure/linux/ps-pulse-linux-22.7r1.0-b28369-64bit-installer.rpm' pulsesecure.service)
+sha256sums=('f335f1d72e8db6f6c984871c2380d37742fb3aec1736a7e61e3367dd5eb45e50' SKIP)
+arch=(x86_64)
+license=(custom)
+depends=(curl dbus dmidecode gcc-libs gtkmm3 libgnome-keyring libbsd openssl perl webkit2gtk)
+
+package() {
+    # directory /opt/pulsesecure is more or less hardcoded into the rpm
+
+    mkdir -p "${pkgdir}/opt/pulsesecure/"
+    cp -r ./opt/pulsesecure/. "${pkgdir}/opt/pulsesecure/"
+
+    mkdir -p "${pkgdir}/usr/share/dbus-1/system.d/"
+    ln -s /opt/pulsesecure/lib/JUNS/net.psecure.pulse.conf "${pkgdir}/usr/share/dbus-1/system.d/net.psecure.pulse.conf"
+
+    mkdir -p "${pkgdir}/usr/share/applications/"
+    ln -s /opt/pulsesecure/resource/pulse.desktop "${pkgdir}/usr/share/applications/pulsesecure.desktop"
+
+    install -D -m 644 ./pulsesecure.service "${pkgdir}/usr/lib/systemd/system/pulsesecure.service"
+
+    mkdir -p "${pkgdir}/etc/pki/ca-trust/extracted/openssl"
+    ln -sf /etc/ca-certificates/extracted/ca-bundle.trust.crt "${pkgdir}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"
+}
diff --git a/pulsesecure/pulsesecure.service b/pulsesecure/pulsesecure.service
@@ -0,0 +1,44 @@
+[Unit]
+Description=Pulse Secure Daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/pulsesecure/bin/pulsesecure -d
+Restart=on-failure
+RestartSec=1
+TimeoutStopSec=3
+
+LogsDirectory=pulsesecure/pulse
+StateDirectory=pulsesecure/logging
+
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
+
+#PrivateDevices=yes
+#DeviceAllow=/dev/net/tun rw
+#BindPaths=/dev/net/tun
+
+#PrivateNetwork=no
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+ProtectSystem=yes
+#ProtectSystem=strict
+#ReadWritePaths=/run/dbus/system_bus_socket
+
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectHome=yes
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes