From 058ea7396302d56868a3a6fa1d99e6a1da9e08ff Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 3 Dec 2020 14:38:26 +0100
Subject: [PATCH 1/4] helper: Detect podman container engine and do not set unneded flags

---
 infra/helper.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/infra/helper.py b/infra/helper.py
index 6c02032c71fb..7cc18437a333 100755
--- a/infra/helper.py
+++ b/infra/helper.py
@@ -61,6 +61,12 @@
 # Languages from project.yaml that have code coverage support.
 LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go']
 
+# not all the world is docker
+if os.path.exists('/bin/podman'):
+  CONTAINER_ENGINE = 'podman'
+else:
+  CONTAINER_ENGINE = 'docker'
+
 
 def main():  # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
   """Get subcommand from program arguments and do it."""
@@ -239,7 +245,7 @@ def check_project_exists(project_name):
 
 def _check_fuzzer_exists(project_name, fuzzer_name):
   """Checks if a fuzzer exists."""
-  command = ['docker', 'run', '--rm']
+  command = [CONTAINER_ENGINE, 'run', '--rm']
   command.extend(['-v', '%s:/out' % _get_output_dir(project_name)])
   command.append('ubuntu:16.04')
 
@@ -405,7 +411,10 @@ def _workdir_from_dockerfile(project_name):
 
 def docker_run(run_args, print_output=True):
   """Call `docker run`."""
-  command = ['docker', 'run', '--rm', '--privileged']
+  command = [CONTAINER_ENGINE, 'run', '--rm']
+
+  if CONTAINER_ENGINE != 'podman':
+    command.append('--privileged')
 
   # Support environments with a TTY.
   if sys.stdin.isatty():
@@ -428,7 +437,7 @@ def docker_run(run_args, print_output=True):
 
 def docker_build(build_args, pull=False):
   """Call `docker build`."""
-  command = ['docker', 'build']
+  command = [CONTAINER_ENGINE, 'build']
   if pull:
     command.append('--pull')
 
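Review bot: The engine probe `if os.path.exists('/bin/podman'):` only recognises podman at one hard-coded path, so an install under /usr/bin or a user prefix silently falls back to 'docker', and a host with both engines gets podman with no way to request docker. Since the value is later handed to subprocess as a command name, resolving it on PATH is the consistent check: `if shutil.which('podman'):` (add `import shutil` if the file lacks it; the import block is outside this hunk). An explicit override, for example reading an environment variable before the probe, would let a user with both engines choose. Note the choice also selects the privilege level, because docker_run in the third hunk keeps `--privileged` only for the non-podman branch.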
@@ -446,7 +455,7 @@ def docker_build(build_args, pull=False):
 
 def docker_pull(image):
   """Call `docker pull`."""
-  command = ['docker', 'pull', image]
+  command = [CONTAINER_ENGINE, 'pull', image]
   print('Running:', _get_command_string(command))
 
   try:

From 0acd7a99fafeac445233616be4581e7612558afd Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 3 Dec 2020 14:39:14 +0100
Subject: [PATCH 2/4] helper: Non-privileged containers require the attached files to have specific selinux contexts

---
 infra/helper.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/infra/helper.py b/infra/helper.py
index 7cc18437a333..63e46cf2b076 100755
--- a/infra/helper.py
+++ b/infra/helper.py
@@ -856,6 +856,17 @@ def run_fuzzer(args):
   return docker_run(run_args)
 
 
+def fix_selinux_context(path):
+  """Changes SELinux type of given file or directory to make it accessible for container engine"""
+  try:
+    subprocess.check_call(['chcon', path, '-t', 'container_file_t'])
+  except subprocess.CalledProcessError as error:
+    print(
+        'Failed to change SELinux context of %s. It might not be accessible to container'
+        % path)
+    print(error)
+
+
 def reproduce(args):
   """Reproduce a specific test case from a specific project."""
   return reproduce_impl(args.project_name, args.fuzzer_name, args.valgrind,
@@ -892,6 +903,11 @@ def reproduce_impl(  # pylint: disable=too-many-arguments
   if env_to_add:
     env += env_to_add
 
+  # for podman, we need to make sure the mounted testcase has proper SELinux context
+  # to be accessible by the container
+  if CONTAINER_ENGINE == 'podman':
+    fix_selinux_context(testcase_path)
+
   run_args = _env_to_docker_args(env) + [
       '-v',
       '%s:/out' % _get_output_dir(project_name),

From 5c27ef3e6a1f7911554209024ab76f69408987d1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 3 Dec 2020 15:01:03 +0100
Subject: [PATCH 3/4] helper: Make sure the build directory has appropriate selinux labels

---
 infra/helper.py | 4 ++++
 1 file changed, 4 insertions(+)
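Review bot: In `subprocess.check_call(['chcon', path, '-t', 'container_file_t'])` the caller-supplied path comes before the option, so a path beginning with `-` is read by chcon as an option rather than a file; put it after an end-of-options marker, `subprocess.check_call(['chcon', '-t', 'container_file_t', '--', path])`. Only CalledProcessError is caught, so a host without a chcon binary raises an uncaught OSError out of a helper that otherwise degrades gracefully; `except (subprocess.CalledProcessError, OSError) as error:` keeps that contract. The failure text goes to stdout although it is a diagnostic; `file=sys.stderr` on both print calls would keep it out of captured output. The docstring should also say that this permanently relabels the path on the host rather than only for the duration of one run, which is what a caller passing a user-owned testcase will want to know.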
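Review bot: Calling `fix_selinux_context(testcase_path)` relabels a user file on the host to satisfy one container run, and the condition `if CONTAINER_ENGINE == 'podman':` ties the workaround to the engine although the underlying cause is SELinux enforcement, which a docker host can have as well. The engines already offer a mount-scoped alternative: appending the `:Z` (private) or `:z` (shared) suffix to the `-v` volume spec makes the engine apply the label for that bind mount, which would avoid mutating the testcase at all. If chcon is kept, gating it on whether SELinux is enforcing rather than on the engine name would express the actual precondition. reproduce_impl starts and ends outside this hunk.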
diff --git a/infra/helper.py b/infra/helper.py
index 63e46cf2b076..bc7c8de90967 100755
--- a/infra/helper.py
+++ b/infra/helper.py
@@ -73,6 +73,10 @@ def main():  # pylint: disable=too-many-branches,too-many-return-statements,too-
   os.chdir(OSS_FUZZ_DIR)
   if not os.path.exists(BUILD_DIR):
     os.mkdir(BUILD_DIR)
+  if CONTAINER_ENGINE == 'podman':
+    # we do not need to do it for the rest of the files under this path
+    # as the context is inherited from the parent directory
+    fix_selinux_context(BUILD_DIR)
 
   parser = argparse.ArgumentParser('helper.py', description='oss-fuzz helpers')
   subparsers = parser.add_subparsers(dest='command')

From f211e09d2cacb705d0a9255b95ed92215c3da44a Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 3 Dec 2020 15:23:02 +0100
Subject: [PATCH 4/4] helper: Reproduce with SYS_PTRACE capability in podman

---
 infra/helper.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/infra/helper.py b/infra/helper.py
index bc7c8de90967..dbc065d0dbe5 100755
--- a/infra/helper.py
+++ b/infra/helper.py
@@ -907,12 +907,15 @@ def reproduce_impl(  # pylint: disable=too-many-arguments
   if env_to_add:
     env += env_to_add
 
+  run_args = _env_to_docker_args(env)
+
   # for podman, we need to make sure the mounted testcase has proper SELinux context
   # to be accessible by the container
   if CONTAINER_ENGINE == 'podman':
     fix_selinux_context(testcase_path)
+    run_args += ['--cap-add', 'SYS_PTRACE']
 
-  run_args = _env_to_docker_args(env) + [
+  run_args += [
       '-v',
       '%s:/out' % _get_output_dir(project_name),
       '-v',
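Review bot: `fix_selinux_context(BUILD_DIR)` relabels only the directory itself, and the comment `# as the context is inherited from the parent directory` holds for files created afterwards, not for a build tree that already existed before this change, whose contents keep their old type and will still be denied. The `os.mkdir` branch just above tells the two cases apart, so either document the one-time manual step for pre-existing trees or pass chcon's `-R` when the directory was not freshly created, accepting that a recursive relabel of a large build tree is slow. The call also runs on every invocation, including subcommands that never start a container. main() continues outside this hunk.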
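Review bot: `run_args += ['--cap-add', 'SYS_PTRACE']` is added only in reproduce_impl, but patch 1 removed `--privileged` from docker_run for podman for every caller, so run_fuzzer and the other docker_run users run with fewer capabilities than before in podman mode while only reproduce gets ptrace back; if the capability is needed by the runtime inside the image rather than by reproduction specifically, the podman branch of docker_run is the consistent place for it. A comment naming the consumer would also help, e.g. `# the non-privileged podman container needs ptrace (docker still runs --privileged)`, with the concrete reason filled in once confirmed. The reordering of `run_args = _env_to_docker_args(env)` ahead of the podman block is fine. reproduce_impl starts and ends outside this hunk.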