diff --git a/pulsesecure/PKGBUILD b/pulsesecure/PKGBUILD
new file mode 100644
index 00000000..5a4fc398
--- /dev/null
+++ b/pulsesecure/PKGBUILD
@@ -0,0 +1,26 @@
+pkgname=pulsesecure
+pkgver=latest
+pkgrel=1
+source=('https://dl.sva.de/pulsesecure/linux/ps-pulse-linux-22.7r1.0-b28369-64bit-installer.rpm' pulsesecure.service)
+sha256sums=('f335f1d72e8db6f6c984871c2380d37742fb3aec1736a7e61e3367dd5eb45e50' SKIP)
+arch=(x86_64)
+license=(custom)
+depends=(curl dbus dmidecode gcc-libs gtkmm3 libgnome-keyring libbsd openssl perl webkit2gtk)
+
+package() {
+ # directory /opt/pulsesecure is more or less hardcoded into the rpm
+
+ mkdir -p "${pkgdir}/opt/pulsesecure/"
+ cp -r ./opt/pulsesecure/. "${pkgdir}/opt/pulsesecure/"
+
+ mkdir -p "${pkgdir}/usr/share/dbus-1/system.d/"
+ ln -s /opt/pulsesecure/lib/JUNS/net.psecure.pulse.conf "${pkgdir}/usr/share/dbus-1/system.d/net.psecure.pulse.conf"
+
+ mkdir -p "${pkgdir}/usr/share/applications/"
+ ln -s /opt/pulsesecure/resource/pulse.desktop "${pkgdir}/usr/share/applications/pulsesecure.desktop"
+
+ install -D -m 644 ./pulsesecure.service "${pkgdir}/usr/lib/systemd/system/pulsesecure.service"
+
+ mkdir -p "${pkgdir}/etc/pki/ca-trust/extracted/openssl"
+ ln -sf /etc/ca-certificates/extracted/ca-bundle.trust.crt "${pkgdir}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"
+}
diff --git a/pulsesecure/pulsesecure.service b/pulsesecure/pulsesecure.service
new file mode 100644
index 00000000..9c6dbd10
--- /dev/null
+++ b/pulsesecure/pulsesecure.service
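Review bot: `pkgver=latest` never changes while the source URL pins one specific installer (22.7r1.0, build b28369), so a later bump of the URL and its sha256 produces no new package version for pacman to notice; use `pkgver=22.7r1.0`, `_build=b28369`, and build the URL from `${pkgver}` and `${_build}`. `license=(custom)` requires the license text to be installed under `/usr/share/licenses/${pkgname}/` in package(), and nothing in the function copies one out of the extracted rpm. The second sha256sums entry is SKIP for the local pulsesecure.service; a local source can be hashed (`makepkg -g`), and leaving it SKIP means a modified unit file is not caught at build time. The rpm is fetched from a mirror (dl.sva.de) rather than the vendor; the checksum pin covers integrity, but a comment recording where that hash was cross-checked would document the provenance for the next maintainer.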
@@ -0,0 +1,44 @@
+[Unit]
+Description=Pulse Secure Daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/pulsesecure/bin/pulsesecure -d
+Restart=on-failure
+RestartSec=1
+TimeoutStopSec=3
+
+LogsDirectory=pulsesecure/pulse
+StateDirectory=pulsesecure/logging
+
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
+
+#PrivateDevices=yes
+#DeviceAllow=/dev/net/tun rw
+#BindPaths=/dev/net/tun
+
+#PrivateNetwork=no
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+ProtectSystem=yes
+#ProtectSystem=strict
+#ReadWritePaths=/run/dbus/system_bus_socket
+
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectHome=yes
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
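Review bot: The unit has no `[Install]` section, so `systemctl enable pulsesecure` fails and the service can only be started by hand; append `[Install]` and `WantedBy=multi-user.target` at the end of the file. `ProtectSystem=yes` makes only /usr and the boot directories read-only, so the daemon's own install tree under /opt/pulsesecure (where the PKGBUILD places it) and /etc stay writable from inside the service; the commented-out `ProtectSystem=strict` plus an explicit `ReadWritePaths=` would cover that, and if strict was tried and broke the daemon, a comment saying so belongs next to the line rather than a bare `#ProtectSystem=strict`. The same applies to the commented `PrivateDevices=`/`DeviceAllow=` and `RestrictAddressFamilies=` blocks: as dead config they read as options nobody has decided on, so either enable them or note why they cannot be. Without `User=` the daemon runs as root, where `AmbientCapabilities=` has no effect; `CapabilityBoundingSet=` is what actually limits it, and CAP_SYS_ADMIN is broad enough that the remaining sandboxing directives are doing most of the work. `LogsDirectory=pulsesecure/pulse` and `StateDirectory=pulsesecure/logging` look transposed (state named "logging", logs named "pulse"); I cannot tell from the unit which paths the daemon expects, so this is worth confirming against the binary.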