From af511fc1016fdeb034135b14d586d2bdf78b1289 Mon Sep 17 00:00:00 2001
From: dadevel
Date: Sat, 2 Nov 2024 23:03:20 +0100
Subject: [PATCH] package pulse secure

---
 .github/workflows/ci.yaml | 17 ++++++++++++
 pulse-secure/PKGBUILD | 26 +++++++++++++++++++
 pulse-secure/pulsesecure.service | 44 ++++++++++++++++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 pulse-secure/PKGBUILD
 create mode 100644 pulse-secure/pulsesecure.service

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 44319a3f..83cbb745 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -74,6 +74,7 @@ jobs:
 - package-pkinittools
 - package-pretender
 - package-prox-ez
+ - package-pulse-secure
 - package-pypykatz
 - package-pywhisker
 - package-responder
@@ -945,6 +946,22 @@ jobs:
 path: ./prox-ez/*.pkg.tar.zst
 retention-days: 1
 if-no-files-found: error
+ package-pulse-secure:
+ runs-on: ubuntu-24.04
+ needs:
+ - build-container
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Build package
+ run: ./build-package.sh pulse-secure
+ - name: Upload package
+ uses: actions/upload-artifact@v4
+ with:
+ name: package-pulse-secure
+ path: ./pulse-secure/*.pkg.tar.zst
+ retention-days: 1
+ if-no-files-found: error
 package-pypykatz:
 runs-on: ubuntu-24.04
 needs:
diff --git a/pulse-secure/PKGBUILD b/pulse-secure/PKGBUILD
new file mode 100644
index 00000000..89681e99
--- /dev/null
+++ b/pulse-secure/PKGBUILD
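Review bot: The two `uses:` lines in the new package-pulse-secure job reference actions/checkout and actions/upload-artifact by the movable tag `@v4`, so whatever commit that tag resolves to at run time executes with the job's repository token and produces the uploaded package artifact; pinning to a full commit SHA, with the tag kept in a trailing comment, fixes the code that runs. The context lines suggest the surrounding jobs follow the same `@v4` convention, so this is best changed for the whole workflow in one pass rather than for this job alone. The first hunk of this file only adds the job name to a needs list and raises nothing.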
@@ -0,0 +1,26 @@
+pkgname=pulse-secure
+pkgver=latest
+pkgrel=1
+source=('https://dl.sva.de/pulsesecure/linux/ps-pulse-linux-22.7r1.0-b28369-64bit-installer.rpm' pulsesecure.service)
+sha256sums=('f335f1d72e8db6f6c984871c2380d37742fb3aec1736a7e61e3367dd5eb45e50' SKIP)
+arch=(x86_64)
+license=(custom)
+depends=(curl dbus dmidecode gcc-libs gtkmm3 libgnome-keyring libbsd openssl perl webkit2gtk)
+
+package() {
+ # directory /opt/pulsesecure is more or less hardcoded into the rpm
+
+ mkdir -p "${pkgdir}/opt/pulsesecure/"
+ cp -r ./opt/pulsesecure/. "${pkgdir}/opt/pulsesecure/"
+
+ mkdir -p "${pkgdir}/usr/share/dbus-1/system.d/"
+ ln -s /opt/pulsesecure/lib/JUNS/net.psecure.pulse.conf "${pkgdir}/usr/share/dbus-1/system.d/net.psecure.pulse.conf"
+
+ mkdir -p "${pkgdir}/usr/share/applications/"
+ ln -s /opt/pulsesecure/resource/pulse.desktop "${pkgdir}/usr/share/applications/pulsesecure.desktop"
+
+ install -D -m 644 ./pulsesecure.service "${pkgdir}/usr/lib/systemd/system/pulsesecure.service"
+
+ mkdir -p "${pkgdir}/etc/pki/ca-trust/extracted/openssl"
+ ln -sf /etc/ca-certificates/extracted/ca-bundle.trust.crt "${pkgdir}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"
+}
diff --git a/pulse-secure/pulsesecure.service b/pulse-secure/pulsesecure.service
new file mode 100644
index 00000000..9c6dbd10
--- /dev/null
+++ b/pulse-secure/pulsesecure.service
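Review bot: `pkgver=latest` on the second line hides the real version (22.7r1.0-b28369, visible in the source URL) from pacman, so a later bump of the URL and sha256sum will not change the package version and installed systems will not see an upgrade unless pkgrel is bumped by hand; `pkgver=22.7r1.0.b28369` (periods in place of the hyphen, which pkgver does not permit) keeps the pin honest and makes the hash change reviewable against a version change. The ca-bundle symlink at the end of package() only works if /etc/ca-certificates/extracted/ca-bundle.trust.crt exists on the host, which on Arch is owned by ca-certificates-utils; unless that already arrives transitively via openssl, add it to depends so the trust store the client is pointed at is never a dangling link. The sha256sum pins the integrity of the download from dl.sva.de, which is a mirror rather than the vendor, so a comment above source such as `# rpm fetched from a third-party mirror; the hash below was recorded from that copy and makepkg does not check the vendor's rpm signature` would make the provenance explicit for the next person who bumps it.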
@@ -0,0 +1,44 @@
+[Unit]
+Description=Pulse Secure Daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/pulsesecure/bin/pulsesecure -d
+Restart=on-failure
+RestartSec=1
+TimeoutStopSec=3
+
+LogsDirectory=pulsesecure/pulse
+StateDirectory=pulsesecure/logging
+
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
+
+#PrivateDevices=yes
+#DeviceAllow=/dev/net/tun rw
+#BindPaths=/dev/net/tun
+
+#PrivateNetwork=no
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+ProtectSystem=yes
+#ProtectSystem=strict
+#ReadWritePaths=/run/dbus/system_bus_socket
+
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectHome=yes
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
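Review bot: `AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_ADMIN` has no effect in this unit because no `User=` is set, so the daemon starts as root and already holds every capability; only the `CapabilityBoundingSet=` line below it narrows anything, and a bounding set that keeps CAP_SYS_ADMIN for a root process lets it undo the mount-based ProtectSystem/ProtectHome/Private* sandboxing further down (the systemd.exec manual recommends dropping CAP_SYS_ADMIN or filtering @mount for those settings to be effective). Either add a `User=` (or `DynamicUser=yes`) so the ambient set is the real grant, or remove the line and record the decision with `# runs as root; the vendor daemon needs CAP_SYS_ADMIN, so the mount-based sandbox below is defence in depth, not a boundary`. `SystemCallArchitectures=native` would be a cheap addition next to the other Restrict* lines. Separately, `Type=simple` with `ExecStart=... -d` is worth confirming: if `-d` makes the binary detach, systemd will treat the exiting parent as a failure and `Restart=on-failure` with `RestartSec=1` will loop every second.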