Unify the specs for 2014.1 and the future cert. systems; revisit configs

The source code of the kernel and the patchset are the same for both
2014.1 and the "current" platform, so are the scripts used during the
build.

1.
I updated create_configs-withBFQ so that it creates different kernel
configuration files depending on its --with-enhanced-security parameter.

If --with-enhanced-security is set,
* SELinux is used instead of TOMOYO;
* Memory sanitization facilities are compiled in (but are disabled by
  default - should be enabled at boot time with boot options
  pax_sanitize_slab=1 paxsanitize_pages=1).

Similar to other packages, I added a conditional in the spec that
enables enhanced security features when building for 'current' (i.e. for
the future cert. systems) and leaves everithing as is.

Besides, I fixed create_configs-withBFQ: even if --user-cpu=... was
given, it still generated the configs for all architectures, a waste
of time. Now it creates the config only for the architecture
corresponding to --user-cpu=... if it is set and for all otherwise.
----------------

The changes in the configs listed below are for i586 and x86_64 only.

2.
Added the following to make lxc-checkconfig happy:
* CONFIG_MEMCG=y
* CONFIG_MEMCG_SWAP=y
* CONFIG_MEMCG_KMEM=y

3.
Added the following options that 'make oldconfig' adds anyway during the
build:
* CONFIG_MM_OWNER=y
* CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
* CONFIG_IOSF_MBI=m
* CONFIG_LRU_CACHE=m
* (x86_64 only) CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y

4.
Removed the following options (they are no longer available in 3.14):
* CONFIG_CPU_FREQ_TABLE
* CONFIG_IP_NF_MATCH_PSD
* CONFIG_IP_NF_TARGET_IFWLOG

5.
Increased CONFIG_SERIAL_8250_NR_UARTS from 4 to 8: some of our users
have unusual boards with more than 4 serial ports.

Also added CONFIG_SERIAL_8250_MANY_PORTS=y: needed for these users too.

6.
Unset CONFIG_DRM_RADEON_UMS: it has been deprecated for quite some time
and was seemingly ignored. 'radeon' driver the kernel provides works
via KMS rather than UMS now and its UMS support is obsolete and buggy.

7.
Finally dropped support for Mach64 GPUs. If there are enough users with
such hardware, we could enable it is some kernel flavour in contrib
(project: https://abf.io/import/kernel-other/).

8.
Changed CONFIG_FB_TILEBLITTING to "y": 'make oldconfig' already does this
during the kernel build because it is needed for Matrox GPUs
(CONFIG_FB_MATROX). BTW, some of our users do seem to have Matrox GPUs.

Consequently, I had to disable CONFIG_FB_CON_DECOR: it needs
CONFIG_FB_TILEBLITTING unset.

9.
Changed
  CONFIG_X86_VERBOSE_BOOTUP=n
to
  # CONFIG_X86_VERBOSE_BOOTUP is not set

10.
(x86_64 only)

Changed
  CONFIG_X86_ESPFIX32=y
to
  CONFIG_X86_ESPFIX64=y

This is what 'make oldconfig' does with that option anyway.

.abf.yml

@@ -1,4 +1,4 @@
 sources:
   "linux-3.14.tar.xz": fc777520e5976caf0d5513502b8156f73748e379
   "patch-3.14.25.xz": 240907ba50ae05164c9a8d1fd53b79fd73ff1e73
-  "kernel-patches-and-configs-3.14.25.tar.xz": a062acfd9c9bbaea506ee51279a99a7a808a8d27
+  "kernel-patches-and-configs-3.14.25.tar.xz": d4f9717759028a96d8520ef912c7ed0e192cc3c7

kernel-1.spec

@@ -1,4 +1,5 @@
-#
+%{?build_selinux}%{?!build_selinux:%bcond_with selinux}
+
 %define kernelversion	3
 %define patchlevel	14
 # sublevel is now used for -stable patches
@@ -28,7 +29,7 @@
 %define rpmrel		%mkrel 0.%{kpatch}.%{mibrel}
 %endif
 %else
-%define rpmrel		2
+%define rpmrel		3
 %endif
 
 # fakerel and fakever never change, they are used to fool
@@ -958,7 +959,7 @@ Buildarch:	noarch
 
 %description -n %{kname}-source-%{buildrel}
 The %{kname}-source package contains the source code files for the Mandriva and
-ROSA kernel. Theese source files are only needed if you want to build your own
+ROSA kernel. These source files are only needed if you want to build your own
 custom kernel that is better tuned to your particular hardware.
 
 If you only want the files needed to build 3rdparty (nVidia, Ati, dkms-*,...)
@@ -1130,12 +1131,8 @@ cd %src_dir
 
 %{patches_dir}/scripts/apply_patches
 %{patches_dir}/scripts/apply_patches-NRJ
-# %{patches_dir}/scripts/apply_patches-NRJ-only
 %{patches_dir}/scripts/apply_patches-geek
 %{patches_dir}/scripts/apply_patches-latest
-# %{patches_dir}/scripts/apply_patches-QL
-# PATCH END
-
 
 #
 # Setup Begin
@@ -1149,9 +1146,14 @@ cd %src_dir
 %define debug --no-debug
 %endif
 
+%if %{with selinux}
+# Enable SELinux, memory sanitization, etc.
+%define enhanced_security --with-enhanced-security
+%else
+%define enhanced_security %{nil}
+%endif
 
-#%{patches_dir}/scripts/create_configs %debug --user_cpu="%{target_arch}"
-%{patches_dir}/scripts/create_configs-withBFQ %debug --user_cpu="%{target_arch}"
+%{patches_dir}/scripts/create_configs-withBFQ %debug %enhanced_security --user_cpu="%{target_arch}"
 
 # make sure the kernel has the sublevel we know it has...
 LC_ALL=C perl -p -i -e "s/^SUBLEVEL.*/SUBLEVEL = %{sublevel}/" Makefile
@@ -1300,6 +1302,11 @@ SaveDevel() {
 	# aufs2 has a special file needed
 	cp -fR fs/aufs/magic.mk $TempDevelRoot/fs/aufs
 
+%if %{with selinux}
+	# SELinux needs security/selinux/include
+	cp -fR security/selinux/include $TempDevelRoot/security/selinux
+%endif
+
 	for i in alpha arc avr32 blackfin c6x cris frv h8300 hexagon ia64 m32r m68k m68knommu metag microblaze \
 		 mips mn10300 openrisc parisc powerpc s390 score sh sparc tile unicore32 xtensa; do
 		rm -rf $TempDevelRoot/arch/$i