google · Jakuje · Dec 3, 2020 · Dec 3, 2020 · Dec 3, 2020 · Dec 3, 2020
diff --git a/infra/helper.py b/infra/helper.py
@@ -61,12 +61,22 @@
 # Languages from project.yaml that have code coverage support.
 LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go']
 
+# not all the world is docker
+if os.path.exists('/bin/podman'):
+  CONTAINER_ENGINE = 'podman'
+else:
+  CONTAINER_ENGINE = 'docker'
+
 
 def main():  # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
   """Get subcommand from program arguments and do it."""
   os.chdir(OSS_FUZZ_DIR)
   if not os.path.exists(BUILD_DIR):
     os.mkdir(BUILD_DIR)
+    if CONTAINER_ENGINE == 'podman':
+      # we do not need to do it for the rest of the files under this path
+      # as the context is inherited from the parent directory
+      fix_selinux_context(BUILD_DIR)
 
   parser = argparse.ArgumentParser('helper.py', description='oss-fuzz helpers')
   subparsers = parser.add_subparsers(dest='command')
@@ -239,7 +249,7 @@ def check_project_exists(project_name):
 
 def _check_fuzzer_exists(project_name, fuzzer_name):
   """Checks if a fuzzer exists."""
-  command = ['docker', 'run', '--rm']
+  command = [CONTAINER_ENGINE, 'run', '--rm']
   command.extend(['-v', '%s:/out' % _get_output_dir(project_name)])
   command.append('ubuntu:16.04')
 
@@ -405,7 +415,10 @@ def _workdir_from_dockerfile(project_name):
 
 def docker_run(run_args, print_output=True):
   """Call `docker run`."""
-  command = ['docker', 'run', '--rm', '--privileged']
+  command = [CONTAINER_ENGINE, 'run', '--rm']
+
+  if CONTAINER_ENGINE != 'podman':
+    command.append('--privileged')
 
   # Support environments with a TTY.
   if sys.stdin.isatty():
@@ -428,7 +441,7 @@ def docker_run(run_args, print_output=True):
 
 def docker_build(build_args, pull=False):
   """Call `docker build`."""
-  command = ['docker', 'build']
+  command = [CONTAINER_ENGINE, 'build']
   if pull:
     command.append('--pull')
 
@@ -446,7 +459,7 @@ def docker_build(build_args, pull=False):
 
 def docker_pull(image):
   """Call `docker pull`."""
-  command = ['docker', 'pull', image]
+  command = [CONTAINER_ENGINE, 'pull', image]
   print('Running:', _get_command_string(command))
 
   try:
@@ -847,6 +860,17 @@ def run_fuzzer(args):
   return docker_run(run_args)
 
 
+def fix_selinux_context(path):
+  """Changes SELinux type of given file or directory to make it accessible for container engine"""
+  try:
+    subprocess.check_call(['chcon', path, '-t', 'container_file_t'])
+  except subprocess.CalledProcessError as error:
+    print(
+        'Failed to change SELinux context of %s. It might not be accessible to container'
+        % path)
+    print(error)
+
+
 def reproduce(args):
   """Reproduce a specific test case from a specific project."""
   return reproduce_impl(args.project_name, args.fuzzer_name, args.valgrind,
@@ -883,7 +907,15 @@ def reproduce_impl(  # pylint: disable=too-many-arguments
   if env_to_add:
     env += env_to_add
 
-  run_args = _env_to_docker_args(env) + [
+  run_args = _env_to_docker_args(env)
+
+  # for podman, we need to make sure the mounted testcase has proper SELinux context
+  # to be accessible by the container
+  if CONTAINER_ENGINE == 'podman':
+    fix_selinux_context(testcase_path)
+    run_args += ['--cap-add', 'SYS_PTRACE']
+
+  run_args += [
       '-v',
       '%s:/out' % _get_output_dir(project_name),
       '-v',