Revert "subtree updates"
Needs to go through CI
This reverts commit fc7e7973f3119e2bad511209aa336537dc5ffbed.
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 3e8db1f..a436f97 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,7 +9,7 @@
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "nanbield"
+LAYERSERIES_COMPAT_security = "mickledore"
LAYERDEPENDS_security = "core openembedded-layer"
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index c499e60..4bc1cac 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,7 +8,7 @@
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "6"
-LAYERSERIES_COMPAT_harden-layer = "nanbield"
+LAYERSERIES_COMPAT_harden-layer = "mickledore"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index d00298a..7a9c1d1 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "nanbield"
+LAYERSERIES_COMPAT_integrity = "mickledore"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 503953a..b162289 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "nanbield"
+LAYERSERIES_COMPAT_parsec-layer = "mickledore"
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 8075706..1f27031 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "6"
-LAYERSERIES_COMPAT_tpm-layer = "nanbield"
+LAYERSERIES_COMPAT_tpm-layer = "mickledore"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
new file mode 100644
index 0000000..0db2b12
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
@@ -0,0 +1,388 @@
+From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 14 Jun 2023 07:46:55 -0400
+Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
+
+includes a standard profile for out-of-the-box checks
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+https://github.com/ComplianceAsCode/content/pull/10793
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ CMakeLists.txt | 5 +
+ build_product | 1 +
+ products/openembedded/CMakeLists.txt | 6 +
+ products/openembedded/product.yml | 19 ++
+ .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++
+ .../openembedded/transforms/constants.xslt | 10 ++
+ .../oval/installed_OS_is_openembedded.xml | 33 ++++
+ .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
+ ssg/constants.py | 5 +-
+ 9 files changed, 245 insertions(+), 1 deletion(-)
+ create mode 100644 products/openembedded/CMakeLists.txt
+ create mode 100644 products/openembedded/product.yml
+ create mode 100644 products/openembedded/profiles/standard.profile
+ create mode 100644 products/openembedded/transforms/constants.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6b1ac00ff9..e4191f2cef 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
+ option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+
+
+ option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
+@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
+ message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
+ message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
+ message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
++message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
+
+
+ message(STATUS " ")
+@@ -409,6 +411,9 @@ endif()
+ if(SSG_PRODUCT_UOS20)
+ add_subdirectory("products/uos20" "uos20")
+ endif()
++if (SSG_PRODUCT_OE)
++ add_subdirectory("products/openembedded" "openembedded")
++endif()
+
+ # ZIP only contains source datastreams and kickstarts, people who
+ # want sources to build from should get the tarball instead.
+diff --git a/build_product b/build_product
+index fc793cbe70..7bdc03edfe 100755
+--- a/build_product
++++ b/build_product
+@@ -333,6 +333,7 @@ all_cmake_products=(
+ UBUNTU2204
+ UOS20
+ MACOS1015
++ OPENEMBEDDED
+ )
+
+ DEFAULT_OVAL_MAJOR_VERSION=5
+diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
+new file mode 100644
+index 0000000000..1981adf53e
+--- /dev/null
++++ b/products/openembedded/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("openembedded")
+diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
+new file mode 100644
+index 0000000000..debf6870ef
+--- /dev/null
++++ b/products/openembedded/product.yml
+@@ -0,0 +1,19 @@
++product: openembedded
++full_name: OpemEmbedded
++type: platform
++
++benchmark_id: OPENEMBEDDED
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++ - openembedded:
++ name: "cpe:/o:openembedded:nodistro:"
++ title: "OpenEmbedded nodistro"
++ check_id: installed_OS_is_openembedded
+diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
+new file mode 100644
+index 0000000000..fcb9e0e5c2
+--- /dev/null
++++ b/products/openembedded/profiles/standard.profile
+@@ -0,0 +1,166 @@
++documentation_complete: true
++
++title: 'Sample Security Profile for OpenEmbedded Distros'
++
++description: |-
++ This profile is an sample for use in documentation and example content.
++ The selected rules are standard and should pass quickly on most systems.
++
++selections:
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - service_crond_enabled
++ - file_groupowner_crontab
++ - file_owner_crontab
++ - file_permissions_crontab
++ - file_groupowner_cron_hourly
++ - file_owner_cron_hourly
++ - file_permissions_cron_hourly
++ - file_groupowner_cron_daily
++ - file_owner_cron_daily
++ - file_permissions_cron_daily
++ - file_groupowner_cron_weekly
++ - file_owner_cron_weekly
++ - file_permissions_cron_weekly
++ - file_groupowner_cron_monthly
++ - file_owner_cron_monthly
++ - file_permissions_cron_monthly
++ - file_groupowner_cron_d
++ - file_owner_cron_d
++ - file_permissions_cron_d
++ - file_groupowner_cron_allow
++ - file_owner_cron_allow
++ - file_cron_deny_not_exist
++ - file_groupowner_at_allow
++ - file_owner_at_allow
++ - file_at_deny_not_exist
++ - file_permissions_at_allow
++ - file_permissions_cron_allow
++ - file_groupowner_sshd_config
++ - file_owner_sshd_config
++ - file_permissions_sshd_config
++ - file_permissions_sshd_private_key
++ - file_permissions_sshd_pub_key
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_info
++ - sshd_max_auth_tries_value=4
++ - sshd_set_max_auth_tries
++ - sshd_disable_rhosts
++ - disable_host_auth
++ - sshd_disable_root_login
++ - sshd_disable_empty_passwords
++ - sshd_do_not_permit_user_env
++ - sshd_idle_timeout_value=15_minutes
++ - sshd_set_idle_timeout
++ - sshd_set_keepalive
++ - var_sshd_set_keepalive=0
++ - sshd_set_login_grace_time
++ - var_sshd_set_login_grace_time=60
++ - sshd_enable_warning_banner
++ - sshd_enable_pam
++ - sshd_set_maxstartups
++ - var_sshd_set_maxstartups=10:30:60
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=10
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minlen
++ - accounts_password_pam_retry
++ - var_password_pam_minclass=4
++ - var_password_pam_minlen=14
++ - locking_out_password_attempts
++ - accounts_password_pam_pwhistory_remember_password_auth
++ - accounts_password_pam_pwhistory_remember_system_auth
++ - var_password_pam_remember_control_flag=required
++ - var_password_pam_remember=5
++ - set_password_hashing_algorithm_systemauth
++ - var_accounts_maximum_age_login_defs=365
++ - accounts_password_set_max_life_existing
++ - var_accounts_minimum_age_login_defs=7
++ - accounts_password_set_min_life_existing
++ - var_accounts_password_warn_age_login_defs=7
++ - account_disable_post_pw_expiration
++ - var_account_disable_post_pw_expiration=30
++ - no_shelllogin_for_systemaccounts
++ - accounts_tmout
++ - var_accounts_tmout=15_min
++ - accounts_root_gid_zero
++ - accounts_umask_etc_bashrc
++ - use_pam_wheel_for_su
++ - sshd_allow_only_protocol2
++ - journald_forward_to_syslog
++ - journald_compress
++ - journald_storage
++ - service_auditd_enabled
++ - service_httpd_disabled
++ - service_vsftpd_disabled
++ - service_named_disabled
++ - service_nfs_disabled
++ - service_rpcbind_disabled
++ - service_slapd_disabled
++ - service_dhcpd_disabled
++ - service_cups_disabled
++ - service_ypserv_disabled
++ - service_rsyncd_disabled
++ - service_avahi-daemon_disabled
++ - service_snmpd_disabled
++ - service_squid_disabled
++ - service_smb_disabled
++ - service_dovecot_disabled
++ - banner_etc_motd
++ - login_banner_text=cis_banners
++ - banner_etc_issue
++ - login_banner_text=cis_banners
++ - file_groupowner_etc_motd
++ - file_owner_etc_motd
++ - file_permissions_etc_motd
++ - file_groupowner_etc_issue
++ - file_owner_etc_issue
++ - file_permissions_etc_issue
++ - ensure_gpgcheck_globally_activated
++ - package_aide_installed
++ - aide_periodic_cron_checking
++ - grub2_password
++ - file_groupowner_grub2_cfg
++ - file_owner_grub2_cfg
++ - file_permissions_grub2_cfg
++ - require_singleuser_auth
++ - require_emergency_target_auth
++ - disable_users_coredumps
++ - configure_crypto_policy
++ - var_system_crypto_policy=default_policy
++ - dir_perms_world_writable_sticky_bits
++ - file_permissions_etc_passwd
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_groupowner_etc_group
++ - file_owner_etc_group
++ - file_permissions_etc_group
++ - file_groupowner_etc_gshadow
++ - file_owner_etc_gshadow
++ - file_groupowner_backup_etc_passwd
++ - file_owner_backup_etc_passwd
++ - file_permissions_backup_etc_passwd
++ - file_groupowner_backup_etc_shadow
++ - file_owner_backup_etc_shadow
++ - file_permissions_backup_etc_shadow
++ - file_groupowner_backup_etc_group
++ - file_owner_backup_etc_group
++ - file_permissions_backup_etc_group
++ - file_groupowner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow
++ - file_permissions_unauthorized_world_writable
++ - file_permissions_ungroupowned
++ - accounts_root_path_dirs_no_write
++ - root_path_no_dot
++ - accounts_no_uid_except_zero
++ - file_ownership_home_directories
++ - file_groupownership_home_directories
++ - no_netrc_files
++ - no_rsh_trust_files
++ - account_unique_id
++ - group_unique_id
++ - group_unique_name
++ - wireless_disable_interfaces
++ - package_firewalld_installed
++ - service_firewalld_enabled
++ - package_iptables_installed
+diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
+new file mode 100644
+index 0000000000..152571e8bb
+--- /dev/null
++++ b/products/openembedded/transforms/constants.xslt
+@@ -0,0 +1,10 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++
++<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
++
++<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
++<xsl:variable name="product_short_name">openembedded</xsl:variable>
++<xsl:variable name="product_stig_id_name">empty</xsl:variable>
++<xsl:variable name="prod_type">openembedded</xsl:variable>
++
++</xsl:stylesheet>
+diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
+new file mode 100644
+index 0000000000..11ebdca913
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openembedded.xml
+@@ -0,0 +1,33 @@
++<def-group>
++ <definition class="inventory" id="installed_OS_is_openembedded" version="1">
++ <metadata>
++ <title>OpenEmbedded</title>
++ <affected family="unix">
++ <platform>multi_platform_all</platform>
++ </affected>
++ <description>The operating system installed is an OpenEmbedded based system</description>
++ </metadata>
++ <criteria comment="System is OpenEmbedded based" operator="AND">
++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
++ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
++ </criteria>
++ </definition>
++
++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
++ <unix:object object_ref="obj_os_openembedded" />
++ </unix:file_test>
++ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
++ <unix:filepath>/etc/os-release</unix:filepath>
++ </unix:file_object>
++
++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
++ <ind:object object_ref="obj_openembedded" />
++ </ind:textfilecontent54_test>
++ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index affb9770cb..4f22df262c 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -8,6 +8,7 @@
+ <platform>multi_platform_debian</platform>
+ <platform>multi_platform_example</platform>
+ <platform>multi_platform_fedora</platform>
++ <platform>multi_platform_openembedded</platform>
+ <platform>multi_platform_opensuse</platform>
+ <platform>multi_platform_ol</platform>
+ <platform>multi_platform_rhcos</platform>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f66ba008fa..630fbdfcb9 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+ "Ubuntu 20.04": "ubuntu2004",
+ "Ubuntu 22.04": "ubuntu2204",
+ "UnionTech OS Server 20": "uos20",
++ "OpenEmbedded": "openembedded",
+ "Not Applicable" : "example"
+ }
+
+@@ -267,7 +268,7 @@ REFERENCES = dict(
+
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+ "opensuse", "sle", "ol", "ocp", "rhcos",
+- "example", "eks", "alinux", "uos", "anolis"]
++ "example", "eks", "alinux", "uos", "anolis", "openembedded"]
+
+ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_alinux": ["alinux2", "alinux3"],
+@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_sle": ["sle12", "sle15"],
+ "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
+ "multi_platform_uos": ["uos20"],
++ "multi_platform_openembedded": ["openembedded"],
+ }
+
+ RHEL_CENTOS_CPE_MAPPING = {
+@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+ 'ocp': 'Red Hat OpenShift Container Platform',
+ 'rhcos': 'Red Hat Enterprise Linux CoreOS',
+ 'eks': 'Amazon Elastic Kubernetes Service',
++ 'openembedded': 'OpenEmbedded',
+ }
+
+ # References that can not be used with product-qualifiers
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
similarity index 86%
rename from meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
rename to meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
index ac839de..988e48b 100644
--- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
+++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
@@ -6,10 +6,11 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
LICENSE = "BSD-3-Clause"
-SRCREV = "d09e81ae00509a9be4b01359166cfbece06e47f4"
+SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"
SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
file://run_eval.sh \
file://run-ptest \
+ file://0001-scap-security-guide-add-openembedded-distro-support.patch \
file://0002-scap-security-guide-Add-Poky-support.patch \
"
@@ -21,14 +22,9 @@
inherit cmake pkgconfig python3native python3targetconfig ptest
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
-export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
-export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
-
OECMAKE_GENERATOR = "Unix Makefiles"
-EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON"
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON"
do_configure[depends] += "openscap-native:do_install"
diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 8185e51..ff800ce 100644
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
+++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -23,7 +23,7 @@
}
do_install(){
- oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} SBINDIR=${sbindir} install
+ oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install
}
PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
diff --git a/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
deleted file mode 100644
index 451cb7f..0000000
--- a/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@fujitsu.com>
-Date: Thu, 31 Aug 2023 08:20:56 +0000
-Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 0d7bc0c..46fd664 100644
---- a/Makefile
-+++ b/Makefile
-@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
-
- install: $(PROG)
- # $(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
-- $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
-+ $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
- $(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
-
- clean:
---
-2.34.1
diff --git a/meta-security/recipes-security/paxctl/paxctl_0.9.bb b/meta-security/recipes-security/paxctl/paxctl_0.9.bb
index 3d2f2a3..5c9aff1 100644
--- a/meta-security/recipes-security/paxctl/paxctl_0.9.bb
+++ b/meta-security/recipes-security/paxctl/paxctl_0.9.bb
@@ -8,9 +8,7 @@
file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
"
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
- file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
-"
+SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz"
SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"