From 2216dad38bc2a4f221959d4d9f8848b20eda8422 Mon Sep 17 00:00:00 2001 
From: Eugene Shatokhin
Date: Tue, 13 Jan 2015 19:32:41 +0300
Subject: [PATCH] Unify the specs for 2014.1 and the future cert. systems; revisit configs

The source code of the kernel and the patchset are the same for both 2014.1 and the "current" platform, and so are the scripts used during the build.

1. I updated create_configs-withBFQ so that it creates different kernel configuration files depending on its --with-enhanced-security parameter. If --with-enhanced-security is set,
   * SELinux is used instead of TOMOYO;
   * Memory sanitization facilities are compiled in (but are disabled by default - should be enabled at boot time with boot options pax_sanitize_slab=1 paxsanitize_pages=1).

   Similar to other packages, I added a conditional in the spec that enables enhanced security features when building for 'current' (i.e. for the future cert. systems) and leaves everything as is.

   Besides, I fixed create_configs-withBFQ: even if --user-cpu=... was given, it still generated the configs for all architectures, a waste of time. Now it creates the config only for the architecture corresponding to --user-cpu=... if it is set, and for all otherwise.

----------------
The changes in the configs listed below are for i586 and x86_64 only.

2. Added the following to make lxc-checkconfig happy:
   * CONFIG_MEMCG=y
   * CONFIG_MEMCG_SWAP=y
   * CONFIG_MEMCG_KMEM=y

3. Added the following options that 'make oldconfig' adds anyway during the build:
   * CONFIG_MM_OWNER=y
   * CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
   * CONFIG_IOSF_MBI=m
   * CONFIG_LRU_CACHE=m
   * (x86_64 only) CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y

4. Removed the following options (they are no longer available in 3.14):
   * CONFIG_CPU_FREQ_TABLE
   * CONFIG_IP_NF_MATCH_PSD
   * CONFIG_IP_NF_TARGET_IFWLOG

5. Increased CONFIG_SERIAL_8250_NR_UARTS from 4 to 8: some of our users have unusual boards with more than 4 serial ports. Also added CONFIG_SERIAL_8250_MANY_PORTS=y: needed for these users too.

6. Unset CONFIG_DRM_RADEON_UMS: it has been deprecated for quite some time and was seemingly ignored. The 'radeon' driver the kernel provides works via KMS rather than UMS now, and its UMS support is obsolete and buggy.

7. Finally dropped support for Mach64 GPUs. If there are enough users with such hardware, we could enable it in some kernel flavour in contrib (project: https://abf.io/import/kernel-other/).

8. Changed CONFIG_FB_TILEBLITTING to "y": 'make oldconfig' already does this during the kernel build because it is needed for Matrox GPUs (CONFIG_FB_MATROX). BTW, some of our users do seem to have Matrox GPUs. Consequently, I had to disable CONFIG_FB_CON_DECOR: it needs CONFIG_FB_TILEBLITTING unset.

9. Changed CONFIG_X86_VERBOSE_BOOTUP=n to # CONFIG_X86_VERBOSE_BOOTUP is not set

10. (x86_64 only) Changed CONFIG_X86_ESPFIX32=y to CONFIG_X86_ESPFIX64=y. This is what 'make oldconfig' does with that option anyway.

--- .abf.yml | 2 +- kernel-1.spec | 25 ++++++++++++++++--------- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.abf.yml b/.abf.yml index 7190359..df79d50 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,4 +1,4 @@ sources: "linux-3.14.tar.xz": fc777520e5976caf0d5513502b8156f73748e379 "patch-3.14.25.xz": 240907ba50ae05164c9a8d1fd53b79fd73ff1e73 - "kernel-patches-and-configs-3.14.25.tar.xz": a062acfd9c9bbaea506ee51279a99a7a808a8d27 + "kernel-patches-and-configs-3.14.25.tar.xz": d4f9717759028a96d8520ef912c7ed0e192cc3c7 diff --git a/kernel-1.spec b/kernel-1.spec index fd48094..0a6b404 100644 --- a/kernel-1.spec +++ b/kernel-1.spec @@ -1,4 +1,5 @@ -# +%{?build_selinux}%{?!build_selinux:%bcond_with selinux} + %define kernelversion 3 %define patchlevel 14 # sublevel is now used for -stable patches @@ -28,7 +29,7 @@ %define rpmrel %mkrel 0.%{kpatch}.%{mibrel} %endif %else -%define rpmrel 2 +%define rpmrel 3 %endif # fakerel and fakever never change, they are used to fool
@@ -958,7 +959,7 @@ Buildarch: noarch %description -n %{kname}-source-%{buildrel} The %{kname}-source package contains the source code files for the Mandriva and -ROSA kernel. Theese source files are only needed if you want to build your own +ROSA kernel. These source files are only needed if you want to build your own custom kernel that is better tuned to your particular hardware. If you only want the files needed to build 3rdparty (nVidia, Ati, dkms-*,...) @@ -1130,12 +1131,8 @@ cd %src_dir %{patches_dir}/scripts/apply_patches %{patches_dir}/scripts/apply_patches-NRJ -# %{patches_dir}/scripts/apply_patches-NRJ-only %{patches_dir}/scripts/apply_patches-geek %{patches_dir}/scripts/apply_patches-latest -# %{patches_dir}/scripts/apply_patches-QL -# PATCH END - # # Setup Begin @@ -1149,9 +1146,14 @@ cd %src_dir %define debug --no-debug %endif +%if %{with selinux} +# Enable SELinux, memory sanitization, etc. +%define enhanced_security --with-enhanced-security +%else +%define enhanced_security %{nil} +%endif -#%{patches_dir}/scripts/create_configs %debug --user_cpu="%{target_arch}" -%{patches_dir}/scripts/create_configs-withBFQ %debug --user_cpu="%{target_arch}" +%{patches_dir}/scripts/create_configs-withBFQ %debug %enhanced_security --user_cpu="%{target_arch}" # make sure the kernel has the sublevel we know it has... LC_ALL=C perl -p -i -e "s/^SUBLEVEL.*/SUBLEVEL = %{sublevel}/" Makefile @@ -1300,6 +1302,11 @@ SaveDevel() { # aufs2 has a special file needed cp -fR fs/aufs/magic.mk $TempDevelRoot/fs/aufs +%if %{with selinux} + # SELinux needs security/selinux/include + cp -fR security/selinux/include $TempDevelRoot/security/selinux +%endif + for i in alpha arc avr32 blackfin c6x cris frv h8300 hexagon ia64 m32r m68k m68knommu metag microblaze \ mips mn10300 openrisc parisc powerpc s390 score sh sparc tile unicore32 xtensa; do rm -rf $TempDevelRoot/arch/$i
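Review bot: in the .abf.yml hunk the archive kernel-patches-and-configs-3.14.25.tar.xz keeps its name while only its checksum changes (a062acfd... to d4f9717...), so two different tarballs now share one file name and a build host or mirror holding the old copy under that name will fail the checksum rather than pick up the new content; giving the re-rolled archive a distinguishable name (for example carrying the spec release, which this patch bumps to 3) would avoid that. Note also that the entry records only a SHA-1 digest: it pins which archive the build consumes but says nothing about who produced it, which is worth keeping in mind for a source set aimed at the certified systems.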
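Review bot: the new first line of kernel-1.spec, `%{?build_selinux}%{?!build_selinux:%bcond_with selinux}`, replaces a bare `#` and leaves the mechanism undocumented: nothing in the spec says that `build_selinux` is expected to be defined outside the spec (by the 'current' platform, per the commit message) or what its value must expand to for the conditional to take effect, and a reader has to know that the fallback `%bcond_with selinux` means the default build is without SELinux unless `--with selinux` is passed. Put a two-line comment above it stating both. The bcond is also named after only part of what it toggles; further down it selects `--with-enhanced-security` (SELinux plus memory sanitization) and the extra devel-headers copy, so a name like `enhanced_security`, or a comment saying the name is kept for consistency with other packages, would prevent the next editor from assuming it is SELinux-only.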
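Review bot: the comment `# Enable SELinux, memory sanitization, etc.` inside `%if %{with selinux}` overstates the effect of the flag: according to the commit message the sanitization code is only compiled in and stays disabled until `pax_sanitize_slab=1 paxsanitize_pages=1` are passed on the kernel command line, so say "compile in" and name the boot options here, otherwise a packager reading the spec will assume the hardened flavour sanitizes memory out of the box. A second point on the same hunk: the commit message calls the option `--user-cpu=...` while the spec passes `--user_cpu="%{target_arch}"`; confirm that create_configs-withBFQ accepts the spelling the spec uses, because the commit message states that without this option the script generates configs for every architecture, which is exactly the behaviour the fix was meant to remove.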
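Review bot: `cp -fR security/selinux/include $TempDevelRoot/security/selinux` in SaveDevel gives a different layout depending on whether `$TempDevelRoot/security/selinux` already exists when the line runs: if it does, the headers land in `security/selinux/include/` as intended; if it does not, cp creates `$TempDevelRoot/security/selinux` as a copy of the `include` directory itself, so the headers end up one level too high and anything built against the devel package that expects `security/selinux/include/...` will not find them. Add `mkdir -p $TempDevelRoot/security/selinux` before the copy, or copy to `$TempDevelRoot/security/selinux/include` explicitly, so the result does not depend on what earlier steps of SaveDevel left in the tree.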