fluentd 1.11.5 → 1.12.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83bcc9640169d819af2a9336cc0bae773d4104b056467b6656115bba46565e02
-  data.tar.gz: a4e1c27ab6ba4454ae5aa8c2db25072503f10f21b158aecc686f2499e9416d48
+  metadata.gz: ea33aa9fbbca10538b329676df8dc024f38836b8c0a3bd78ff8afe9b21e59a27
+  data.tar.gz: d3500418626d7f49305b4dee07ab6dfa10c84687ee754fd967aee1200a815dc2
 SHA512:
-  metadata.gz: de9b224867b2b9dc5394889246e76b72449b1df6dfb8ddb982260ef0521d3a66d86d7c1cae319ddaa9c8cd00264be1c16539389c42da435c539534b537b567be
-  data.tar.gz: 4a077991b270c84aa8ab21e746ce75e06a5061ec70a2acd43fdac77127eb627d86241b18238f156a510decd56b8a311a54f51eaa723b69947cbd216c03accd9d
+  metadata.gz: 7a43d215a3a026042028643ca627f81411379efe8eb5090c4c98f8886c22efe33595362b82273889b97ecc8a95af8c93d0d2dbf5d8494c3c8e680942dd8c0c67
+  data.tar.gz: a17be6c1b92193649412e223ce7bba96d94f1122b309e459dc72a6e7f0a5339874e2a9d9d352a88612c3d7e603c2276b8109af97b8b26cc3967d81cae7925071

data/.github/stale.yml

@@ -0,0 +1,22 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 90
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 30
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - bug
+  - enhancement
+  - feature request
+  - pending
+  - work_in_progress
+  - v1
+  - v2
+# Label to use when marking an issue as stale
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: true

data/.travis.yml

@@ -9,44 +9,63 @@ matrix:
   include:
     - rvm: 2.4.9
       os: linux
+      env: USE_CAPNG=false
     - rvm: 2.4.9
       os: linux-ppc64le
+      env: USE_CAPNG=false
     - rvm: 2.5.7
       os: linux
+      env: USE_CAPNG=false
     - rvm: 2.5.7
       os: linux
       arch: s390x
       dist: xenial
+      env: USE_CAPNG=false
     - rvm: 2.6.5
       os: linux
+      env: USE_CAPNG=false
+    - rvm: 2.6.6
+      os: linux
+      env: USE_CAPNG=true
     - rvm: 2.7.0
       os: linux
+      env: USE_CAPNG=false
     - rvm: ruby-head
       os: linux
+      env: USE_CAPNG=false
     - rvm: ruby-head
       os: linux-ppc64le
+      env: USE_CAPNG=false
     - rvm: 2.4.6
       os: osx
       osx_image: xcode8.3 # OSX 10.12
+      env: USE_CAPNG=false
     - rvm: ruby-head
       os: osx
       osx_image: xcode8.3 # OSX 10.12
+      env: USE_CAPNG=false
   allow_failures:
     - rvm: 2.4.6
       os: osx
       osx_image: xcode8.3
+      env: USE_CAPNG=false
     - rvm: 2.5.7
       os: linux
       arch: s390x
       dist: xenial
+      env: USE_CAPNG=false
     - rvm: ruby-head
+      env: USE_CAPNG=false
 
 branches:
   only:
     - master
 
-before_install:
-  - gem update --system=3.1.2
+before_install: |
+  gem update --system=3.1.2
+  if [[ x"${USE_CAPNG}" == "xtrue" ]]; then
+    echo 'gem "capng_c"' >> Gemfile.local
+  fi
 
 sudo: false
 dist: trusty # for TLSv1.2 support
@@ -55,3 +74,4 @@ addons:
   apt:
     packages:
       - libgmp3-dev
+      - libcap-ng-dev

data/CHANGELOG.md

@@ -8,6 +8,7 @@
   https://github.com/fluent/fluentd/pull/3152
 * out_http: adding support for intermediate certificates
   https://github.com/fluent/fluentd/pull/3146
+* Update serverengine dependency to 2.2.2 or later
 
 ### Bug fix
 

data/appveyor.yml

@@ -7,6 +7,9 @@ install:
   - SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
   - ruby --version
   - gem --version
+  # stay 0.14.0 for Windows CI until https://github.com/socketry/protocol-http2/issues/6 will be fixed
+  - ps: Write-Output "gem 'protocol-http2', ['<= 0.14.0']" | Out-File -FilePath Gemfile.local -Encoding default
+  - type Gemfile.local
   - ridk.cmd exec bundle install
 build: off
 test_script:

data/bin/fluent-cap-ctl

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# -*- coding: utf-8 -*-
+here = File.dirname(__FILE__)
+$LOAD_PATH << File.expand_path(File.join(here, '..', 'lib'))
+require 'fluent/command/cap_ctl'
+
+Fluent::CapCtl.new.call

data/fluentd.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 2.4'
 
+  gem.add_runtime_dependency("bundler")
   gem.add_runtime_dependency("msgpack", [">= 1.3.1", "< 2.0.0"])
   gem.add_runtime_dependency("yajl-ruby", ["~> 1.0"])
   gem.add_runtime_dependency("cool.io", [">= 1.4.5", "< 2.0.0"])

data/lib/fluent/capability.rb

@@ -0,0 +1,87 @@
+#
+# Fluent
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+
+require "fluent/env"
+
+if Fluent.linux?
+  begin
+    require 'capng'
+  rescue LoadError
+  end
+end
+
+module Fluent
+  if defined?(CapNG)
+    class Capability
+      def initialize(target = nil, pid = nil)
+        @capng = CapNG.new(target, pid)
+      end
+
+      def usable?
+        true
+      end
+
+      def apply(select_set)
+        @capng.apply(select_set)
+      end
+
+      def clear(select_set)
+        @capng.clear(select_set)
+      end
+
+      def have_capability?(type, capability)
+        @capng.have_capability?(type, capability)
+      end
+
+      def update(action, type, capability_or_capability_array)
+        @capng.update(action, type, capability_or_capability_array)
+      end
+
+      def have_capabilities?(select_set)
+        @capng.have_capabilities?(select_set)
+      end
+    end
+  else
+    class Capability
+      def initialize(target = nil, pid = nil)
+      end
+
+      def usable?
+        false
+      end
+
+      def apply(select_set)
+        false
+      end
+
+      def clear(select_set)
+        false
+      end
+
+      def have_capability?(type, capability)
+        false
+      end
+
+      def update(action, type, capability_or_capability_array)
+        false
+      end
+
+      def have_capabilities?(select_set)
+        false
+      end
+    end
+  end
+end

data/lib/fluent/command/cap_ctl.rb

@@ -0,0 +1,174 @@
+#
+# Fluentd
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+
+require 'optparse'
+require 'fluent/log'
+require 'fluent/env'
+require 'fluent/capability'
+
+module Fluent
+  class CapCtl
+    def prepare_option_parser
+      @op = OptionParser.new
+
+      @op.on('--clear', "Clear Fluentd Ruby capability") {|s|
+        @opts[:clear_capabilities] = true
+      }
+
+      @op.on('--add [CAPABILITITY1,CAPABILITY2, ...]', "Add capabilities into Fluentd Ruby") {|s|
+        @opts[:add_capabilities] = s
+      }
+
+      @op.on('--drop [CAPABILITITY1,CAPABILITY2, ...]', "Drop capabilities from Fluentd Ruby") {|s|
+        @opts[:drop_capabilities] = s
+      }
+
+      @op.on('--get', "Get capabilities for Fluentd Ruby") {|s|
+        @opts[:get_capabilities] = true
+      }
+
+      @op.on('-f', '--file FILE', "Specify target file to add Linux capabilities") {|s|
+        @opts[:target_file] = s
+      }
+    end
+
+    def usage(msg)
+      puts @op.to_s
+      puts "error: #{msg}" if msg
+      exit 1
+    end
+
+    def initialize(argv = ARGV)
+      @opts = {}
+      @argv = argv
+
+      if Fluent.linux?
+        begin
+          require 'capng'
+
+          @capng = CapNG.new
+        rescue LoadError
+          puts "Error: capng_c is not loaded. Please install it first."
+          exit 1
+        end
+      else
+        puts "Error: This environment is not supported."
+        exit 2
+      end
+
+      prepare_option_parser
+    end
+
+    def call
+      parse_options!(@argv)
+
+      target_file = if !!@opts[:target_file]
+                       @opts[:target_file]
+                     else
+                       File.readlink("/proc/self/exe")
+                     end
+
+      if @opts[:clear_capabilities]
+        clear_capabilities(@opts, target_file)
+      elsif @opts[:add_capabilities]
+        add_capabilities(@opts, target_file)
+      elsif @opts[:drop_capabilities]
+        drop_capabilities(@opts, target_file)
+      end
+      if @opts[:get_capabilities]
+        get_capabilities(@opts, target_file)
+      end
+    end
+
+    def clear_capabilities(opts, target_file)
+      if !!opts[:clear_capabilities]
+        @capng.clear(:caps)
+        ret = @capng.apply_caps_file(target_file)
+        puts "Clear capabilities #{ret ? 'done' : 'fail'}."
+      end
+    end
+
+    def add_capabilities(opts, target_file)
+      if add_caps = opts[:add_capabilities]
+        @capng.clear(:caps)
+        @capng.caps_file(target_file)
+        capabilities = add_caps.split(/\s*,\s*/)
+        check_capabilities(capabilities, get_valid_capabilities)
+        ret = @capng.update(:add,
+                            CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED,
+                            capabilities)
+        puts "Updating #{add_caps} #{ret ? 'done' : 'fail'}."
+        ret = @capng.apply_caps_file(target_file)
+        puts "Adding #{add_caps} #{ret ? 'done' : 'fail'}."
+      end
+    end
+
+    def drop_capabilities(opts, target_file)
+      if drop_caps = opts[:drop_capabilities]
+        @capng.clear(:caps)
+        @capng.caps_file(target_file)
+        capabilities = drop_caps.split(/\s*,\s*/)
+        check_capabilities(capabilities, get_valid_capabilities)
+        ret = @capng.update(:drop,
+                            CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED,
+                            capabilities)
+        puts "Updating #{drop_caps} #{ret ? 'done' : 'fail'}."
+        @capng.apply_caps_file(target_file)
+        puts "Dropping #{drop_caps} #{ret ? 'done' : 'fail'}."
+      end
+    end
+
+    def get_capabilities(opts, target_file)
+      if opts[:get_capabilities]
+        @capng.caps_file(target_file)
+        print = CapNG::Print.new
+        puts "Capabilities in '#{target_file}',"
+        puts "Effective:   #{print.caps_text(:buffer, :effective)}"
+        puts "Inheritable: #{print.caps_text(:buffer, :inheritable)}"
+        puts "Permitted:   #{print.caps_text(:buffer, :permitted)}"
+      end
+    end
+
+    def get_valid_capabilities
+      capabilities = []
+      cap = CapNG::Capability.new
+      cap.each do |_code, capability|
+        capabilities << capability
+      end
+      capabilities
+    end
+
+    def check_capabilities(capabilities, valid_capabilities)
+      capabilities.each do |capability|
+        unless valid_capabilities.include?(capability)
+          raise ArgumentError, "'#{capability}' is not valid capability. Valid Capabilities are:  #{valid_capabilities.join(", ")}"
+        end
+      end
+    end
+
+    def parse_options!(argv)
+      begin
+        rest = @op.parse(argv)
+
+        if rest.length != 0
+          usage nil
+        end
+      rescue
+        usage $!.to_s
+      end
+    end
+  end
+end

data/lib/fluent/env.rb

@@ -28,4 +28,8 @@ module Fluent
   def self.windows?
     ServerEngine.windows?
   end
+
+  def self.linux?
+    /linux/ === RUBY_PLATFORM
+  end
 end

data/lib/fluent/plugin/buffer.rb

@@ -143,33 +143,14 @@ module Fluent
           end
         end
 
-        # timekey should be unixtime as usual.
-        # So, unixtime should be bigger than 2^30 - 1 (= 1073741823) nowadays.
-        # We should check object_id stability to use object_id as optimization for comparing operations.
-        # e.g.)
-        # irb> Time.parse("2020/07/31 18:30:00+09:00").to_i
-        # => 1596187800
-        # irb> Time.parse("2020/07/31 18:30:00+09:00").to_i > 2**30 -1
-        # => true
-        def self.enable_optimize?
-          a1 = 2**30 - 1
-          a2 = 2**30 - 1
-          b1 = 2**62 - 1
-          b2 = 2**62 - 1
-          (a1.object_id == a2.object_id) && (b1.object_id == b2.object_id)
-        end
-
         # This is an optimization code. Current Struct's implementation is comparing all data.
         # https://github.com/ruby/ruby/blob/0623e2b7cc621b1733a760b72af246b06c30cf96/struct.c#L1200-L1203
         # Actually this overhead is very small but this class is generated *per chunk* (and used in hash object).
         # This means that this class is one of the most called object in Fluentd.
         # See https://github.com/fluent/fluentd/pull/2560
-        # But, this optimization has a side effect on Windows and 32bit environment(s) due to differing object_id.
-        # This difference causes flood of buffer files.
-        # So, this optimization should be enabled on `enable_optimize?` as true platforms.
         def hash
-          timekey.object_id
-        end if enable_optimize?
+          timekey.hash
+        end
       end
 
       # for tests

data/lib/fluent/plugin/formatter.rb

@@ -63,9 +63,9 @@ module Fluent
           super
           @newline = case newline
                      when :lf
-                       "\n"
+                       "\n".freeze
                      when :crlf
-                       "\r\n"
+                       "\r\n".freeze
                      end
         end
       end

data/lib/fluent/plugin/formatter_csv.rb

@@ -27,7 +27,7 @@ module Fluent
       helpers :record_accessor
 
       config_param :delimiter, default: ',' do |val|
-        ['\t', 'TAB'].include?(val) ? "\t" : val
+        ['\t', 'TAB'].include?(val) ? "\t".freeze : val.freeze
       end
       config_param :force_quotes, :bool, default: true
       # "array" looks good for type of :fields, but this implementation removes tailing comma

data/lib/fluent/plugin/formatter_hash.rb

@@ -27,7 +27,7 @@ module Fluent
 
       def format(tag, time, record)
         line = record.to_s
-        line << @newline.freeze if @add_newline
+        line << @newline if @add_newline
         line
       end
     end

data/lib/fluent/plugin/formatter_ltsv.rb

@@ -25,8 +25,8 @@ module Fluent
 
       # http://ltsv.org/
 
-      config_param :delimiter, :string, default: "\t"
-      config_param :label_delimiter, :string, default: ":"
+      config_param :delimiter, :string, default: "\t".freeze
+      config_param :label_delimiter, :string, default: ":".freeze
       config_param :add_newline, :bool, default: true
 
       # TODO: escaping for \t in values
@@ -36,7 +36,7 @@ module Fluent
           formatted << @delimiter if formatted.length.nonzero?
           formatted << "#{label}#{@label_delimiter}#{value}"
         end
-        formatted << @newline.freeze if @add_newline
+        formatted << @newline if @add_newline
         formatted
       end
     end

data/lib/fluent/plugin/formatter_out_file.rb

@@ -29,9 +29,9 @@ module Fluent
       config_param :output_tag, :bool, default: true
       config_param :delimiter, default: "\t" do |val|
         case val
-        when /SPACE/i then ' '
-        when /COMMA/i then ','
-        else "\t"
+        when /SPACE/i then ' '.freeze
+        when /COMMA/i then ','.freeze
+        else "\t".freeze
         end
       end
       config_set_default :time_type, :string

data/lib/fluent/plugin/formatter_single_value.rb

@@ -23,12 +23,12 @@ module Fluent
 
       Plugin.register_formatter('single_value', self)
 
-      config_param :message_key, :string, default: 'message'
+      config_param :message_key, :string, default: 'message'.freeze
       config_param :add_newline, :bool, default: true
 
       def format(tag, time, record)
         text = record[@message_key].to_s.dup
-        text << @newline.freeze if @add_newline
+        text << @newline if @add_newline
         text
       end
     end

data/lib/fluent/plugin/formatter_tsv.rb

@@ -26,13 +26,13 @@ module Fluent
       desc 'Field names included in each lines'
       config_param :keys, :array, value_type: :string
       desc 'The delimiter character (or string) of TSV values'
-      config_param :delimiter, :string, default: "\t"
+      config_param :delimiter, :string, default: "\t".freeze
       desc 'The parameter to enable writing to new lines'
       config_param :add_newline, :bool, default: true
 
       def format(tag, time, record)
         formatted = @keys.map{|k| record[k].to_s }.join(@delimiter)
-        formatted << @newline.freeze if @add_newline
+        formatted << @newline if @add_newline
         formatted
       end
     end

data/lib/fluent/plugin/in_tail.rb

@@ -22,6 +22,7 @@ require 'fluent/event'
 require 'fluent/plugin/buffer'
 require 'fluent/plugin/parser_multiline'
 require 'fluent/variable_store'
+require 'fluent/capability'
 require 'fluent/plugin/in_tail/position_file'
 
 if Fluent.windows?
@@ -171,6 +172,7 @@ module Fluent::Plugin
       @dir_perm = system_config.dir_permission || Fluent::DEFAULT_DIR_PERMISSION
       # parser is already created by parser helper
       @parser = parser_create(usage: parser_config['usage'] || @parser_configs.first.usage)
+      @capability = Fluent::Capability.new(:current_process)
     end
 
     def configure_tag
@@ -250,6 +252,11 @@ module Fluent::Plugin
       close_watcher_handles
     end
 
+    def have_read_capability?
+      @capability.have_capability?(:effective, :dac_read_search) ||
+        @capability.have_capability?(:effective, :dac_override)
+    end
+
     def expand_paths
       date = Fluent::EventTime.now
       paths = []
@@ -263,7 +270,7 @@ module Fluent::Plugin
           paths += Dir.glob(path).select { |p|
             begin
               is_file = !File.directory?(p)
-              if File.readable?(p) && is_file
+              if (File.readable?(p) || have_read_capability?) && is_file
                 if @limit_recently_modified && File.mtime(p) < (date.to_time - @limit_recently_modified)
                   false
                 else

data/lib/fluent/version.rb

@@ -16,6 +16,6 @@
 
 module Fluent
 
-  VERSION = '1.11.5'
+  VERSION = '1.12.0.rc1'
 
 end

data/test/command/test_cap_ctl.rb

@@ -0,0 +1,100 @@
+require_relative '../helper'
+
+require 'tempfile'
+require 'fluent/command/cap_ctl'
+
+class TestFluentCapCtl < Test::Unit::TestCase
+  setup do
+    omit "This environment does not handle Linux capability" unless defined?(CapNG)
+  end
+
+  sub_test_case "success" do
+    test "clear capability" do
+      logs = capture_stdout do
+        Fluent::CapCtl.new(["--clear"]).call
+      end
+      expression = /\AClear capabilities .*\n/m
+      assert_match expression, logs
+    end
+
+    test "add capability" do
+      logs = capture_stdout do
+        Fluent::CapCtl.new(["--add", "dac_override"]).call
+      end
+      expression = /\AUpdating .* done.\nAdding .*\n/m
+      assert_match expression, logs
+    end
+
+    test "drop capability" do
+      logs = capture_stdout do
+        Fluent::CapCtl.new(["--drop", "chown"]).call
+      end
+      expression = /\AUpdating .* done.\nDropping .*\n/m
+      assert_match expression, logs
+    end
+
+    test "get capability" do
+      logs = capture_stdout do
+        Fluent::CapCtl.new(["--get"]).call
+      end
+      expression = /\ACapabilities in .*,\nEffective:   .*\nInheritable: .*\nPermitted:   .*/m
+      assert_match expression, logs
+    end
+  end
+
+  sub_test_case "success with file" do
+    test "clear capability" do
+      logs = capture_stdout do
+        Tempfile.create("fluent-cap-") do |tempfile|
+          Fluent::CapCtl.new(["--clear-cap", "-f", tempfile.path]).call
+        end
+      end
+      expression = /\AClear capabilities .*\n/m
+      assert_match expression, logs
+    end
+
+    test "add capability" do
+      logs = capture_stdout do
+        Tempfile.create("fluent-cap-") do |tempfile|
+          Fluent::CapCtl.new(["--add", "dac_override", "-f", tempfile.path]).call
+        end
+      end
+      expression = /\AUpdating .* done.\nAdding .*\n/m
+      assert_match expression, logs
+    end
+
+    test "drop capability" do
+      logs = capture_stdout do
+        Tempfile.create("fluent-cap-") do |tempfile|
+          Fluent::CapCtl.new(["--drop", "chown", "-f", tempfile.path]).call
+        end
+      end
+      expression = /\AUpdating .* done.\nDropping .*\n/m
+      assert_match expression, logs
+    end
+
+    test "get capability" do
+      logs = capture_stdout do
+        Tempfile.create("fluent-cap-") do |tempfile|
+          Fluent::CapCtl.new(["--get", "-f", tempfile.path]).call
+        end
+      end
+      expression = /\ACapabilities in .*,\nEffective:   .*\nInheritable: .*\nPermitted:   .*/m
+      assert_match expression, logs
+    end
+  end
+
+  sub_test_case "invalid" do
+    test "add capability" do
+      assert_raise(ArgumentError) do
+        Fluent::CapCtl.new(["--add", "nonexitent"]).call
+      end
+    end
+
+    test "drop capability" do
+      assert_raise(ArgumentError) do
+        Fluent::CapCtl.new(["--drop", "invalid"]).call
+      end
+    end
+  end
+end

data/test/plugin/test_in_tail.rb

@@ -86,6 +86,9 @@ class TailInputTest < Test::Unit::TestCase
       assert_equal "#{TMP_DIR}/tail.pos", d.instance.pos_file
       assert_equal 1000, d.instance.read_lines_limit
       assert_equal false, d.instance.ignore_repeated_permission_error
+      assert_nothing_raised do
+        d.instance.have_read_capability?
+      end
     end
 
     data("empty" => config_element,
@@ -229,7 +232,7 @@ class TailInputTest < Test::Unit::TestCase
       d = create_driver(config)
       msg = 'test' * 2000 # in_tail reads 8192 bytes at once.
 
-      d.run(expect_emits: num_events, timeout: 1) do
+      d.run(expect_emits: num_events, timeout: 2) do
         File.open("#{TMP_DIR}/tail.txt", "ab") {|f|
           f.puts msg
           f.puts msg
@@ -1112,6 +1115,49 @@ class TailInputTest < Test::Unit::TestCase
     end
   end
 
+  sub_test_case "path w/ Linux capability" do
+    def capability_enabled?
+      if Fluent.linux?
+        begin
+          require 'capng'
+          true
+        rescue LoadError
+          false
+        end
+      else
+        false
+      end
+    end
+
+    setup do
+      omit "This environment is not enabled Linux capability handling feature" unless capability_enabled?
+
+      @capng = CapNG.new(:current_process)
+      flexstub(Fluent::Capability) do |klass|
+        klass.should_receive(:new).with(:current_process).and_return(@capng)
+      end
+    end
+
+    data("dac_read_search" => [:dac_read_search, true,  1],
+         "dac_override"    => [:dac_override,    true,  1],
+         "chown"           => [:chown,           false, 0],
+        )
+    test "with partially elevated privileges" do |data|
+      cap, result, readable_paths = data
+      @capng.update(:add, :effective, cap)
+
+      d = create_driver(
+        config_element("ROOT", "", {
+                            "path" => "/var/log/ker*.log", # Use /var/log/kern.log
+                            "tag" => "t1",
+                            "rotate_wait" => "2s"
+                       }) + PARSE_SINGLE_LINE_CONFIG, false)
+
+      assert_equal readable_paths, d.instance.expand_paths.length
+      assert_equal result, d.instance.have_read_capability?
+    end
+  end
+
   def test_pos_file_dir_creation
     config = config_element("", "", {
       "tag" => "tail",

data/test/test_capability.rb

@@ -0,0 +1,74 @@
+require_relative 'helper'
+require 'fluent/test'
+require 'fluent/capability'
+
+class FluentCapabilityTest < ::Test::Unit::TestCase
+  setup do
+    @capability = Fluent::Capability.new(:current_process)
+    omit "Fluent::Capability class is not usable on this environment" unless @capability.usable?
+  end
+
+  sub_test_case "check capability" do
+    test "effective" do
+      @capability.clear(:both)
+      assert_true @capability.update(:add, :effective, :dac_read_search)
+      assert_equal CapNG::Result::PARTIAL, @capability.have_capabilities?(:caps)
+      assert_nothing_raised do
+        @capability.apply(:caps)
+      end
+      assert_equal CapNG::Result::NONE, @capability.have_capabilities?(:bounds)
+      assert_true @capability.have_capability?(:effective, :dac_read_search)
+      assert_false @capability.have_capability?(:inheritable, :dac_read_search)
+      assert_false @capability.have_capability?(:permitted, :dac_read_search)
+    end
+
+    test "inheritable" do
+      @capability.clear(:both)
+      capabilities = [:chown, :dac_override]
+      assert_equal [true, true], @capability.update(:add, :inheritable, capabilities)
+      assert_equal CapNG::Result::NONE, @capability.have_capabilities?(:caps)
+      assert_nothing_raised do
+        @capability.apply(:caps)
+      end
+      assert_equal CapNG::Result::NONE, @capability.have_capabilities?(:bounds)
+      capabilities.each do |capability|
+        assert_false @capability.have_capability?(:effective, capability)
+        assert_true @capability.have_capability?(:inheritable, capability)
+        assert_false @capability.have_capability?(:permitted, capability)
+      end
+    end
+
+    test "permitted" do
+      @capability.clear(:both)
+      capabilities = [:fowner, :fsetid, :kill]
+      assert_equal [true, true, true], @capability.update(:add, :permitted, capabilities)
+      assert_equal CapNG::Result::NONE, @capability.have_capabilities?(:caps)
+      assert_nothing_raised do
+        @capability.apply(:caps)
+      end
+      assert_equal CapNG::Result::NONE, @capability.have_capabilities?(:bounds)
+      capabilities.each do |capability|
+        assert_false @capability.have_capability?(:effective, capability)
+        assert_false @capability.have_capability?(:inheritable, capability)
+        assert_true @capability.have_capability?(:permitted, capability)
+      end
+    end
+
+    test "effective/inheritable/permitted" do
+      @capability.clear(:both)
+      capabilities = [:setpcap, :net_admin, :net_raw, :sys_boot, :sys_time]
+      update_type = CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED
+      assert_equal [true, true, true, true, true], @capability.update(:add, update_type, capabilities)
+      assert_equal CapNG::Result::PARTIAL, @capability.have_capabilities?(:caps)
+      assert_nothing_raised do
+        @capability.apply(:caps)
+      end
+      assert_equal CapNG::Result::NONE, @capability.have_capabilities?(:bounds)
+      capabilities.each do |capability|
+        assert_true @capability.have_capability?(:effective, capability)
+        assert_true @capability.have_capability?(:inheritable, capability)
+        assert_true @capability.have_capability?(:permitted, capability)
+      end
+    end
+  end
+end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: fluentd
 version: !ruby/object:Gem::Version
-  version: 1.11.5
+  version: 1.12.0.rc1
 platform: ruby
 authors:
 - Sadayuki Furuhashi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-06 00:00:00.000000000 Z
+date: 2020-11-19 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: msgpack
   requirement: !ruby/object:Gem::Requirement
@@ -345,6 +359,7 @@ email:
 executables:
 - fluent-binlog-reader
 - fluent-ca-generate
+- fluent-cap-ctl
 - fluent-cat
 - fluent-debug
 - fluent-gem
@@ -359,6 +374,7 @@ files:
 - ".github/ISSUE_TEMPLATE/bug_report.md"
 - ".github/ISSUE_TEMPLATE/feature_request.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
+- ".github/stale.yml"
 - ".github/workflows/issue-auto-closer.yml"
 - ".gitignore"
 - ".gitlab-ci.yml"
@@ -377,6 +393,7 @@ files:
 - appveyor.yml
 - bin/fluent-binlog-reader
 - bin/fluent-ca-generate
+- bin/fluent-cap-ctl
 - bin/fluent-cat
 - bin/fluent-debug
 - bin/fluent-gem
@@ -425,10 +442,12 @@ files:
 - fluent.conf
 - fluentd.gemspec
 - lib/fluent/agent.rb
+- lib/fluent/capability.rb
 - lib/fluent/clock.rb
 - lib/fluent/command/binlog_reader.rb
 - lib/fluent/command/bundler_injection.rb
 - lib/fluent/command/ca_generate.rb
+- lib/fluent/command/cap_ctl.rb
 - lib/fluent/command/cat.rb
 - lib/fluent/command/debug.rb
 - lib/fluent/command/fluentd.rb
@@ -675,6 +694,7 @@ files:
 - templates/plugin_config_formatter/section.md.erb
 - test/command/test_binlog_reader.rb
 - test/command/test_ca_generate.rb
+- test/command/test_cap_ctl.rb
 - test/command/test_fluentd.rb
 - test/command/test_plugin_config_formatter.rb
 - test/command/test_plugin_generator.rb
@@ -851,6 +871,7 @@ files:
 - test/scripts/fluent/plugin/out_test.rb
 - test/scripts/fluent/plugin/out_test2.rb
 - test/scripts/fluent/plugin/parser_known.rb
+- test/test_capability.rb
 - test/test_clock.rb
 - test/test_config.rb
 - test/test_configdsl.rb
@@ -898,9 +919,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.3
 signing_key: 
@@ -909,6 +930,7 @@ summary: Fluentd event collector
 test_files:
 - test/command/test_binlog_reader.rb
 - test/command/test_ca_generate.rb
+- test/command/test_cap_ctl.rb
 - test/command/test_fluentd.rb
 - test/command/test_plugin_config_formatter.rb
 - test/command/test_plugin_generator.rb
@@ -1085,6 +1107,7 @@ test_files:
 - test/scripts/fluent/plugin/out_test.rb
 - test/scripts/fluent/plugin/out_test2.rb
 - test/scripts/fluent/plugin/parser_known.rb
+- test/test_capability.rb
 - test/test_clock.rb
 - test/test_config.rb
 - test/test_configdsl.rb