pidfile: open with O_NOFOLLOW to prevent symlink TOCTOU on POSIX

The pidfile path is operator-controlled and typically lives in a
root-owned directory like /var/run, so this is not exploitable in
the standard threat model. However, if an operator configures a
pidfile path in a directory writable by an unprivileged user, that
user could pre-place a symlink to cause Falco (running as root) to
overwrite an arbitrary file with the PID on startup.

Replace the std::ofstream open with a raw POSIX open() using
O_NOFOLLOW | O_CLOEXEC on non-Windows platforms. The open will now
fail with ELOOP if the path is a symlink, closing the
defence-in-depth gap with no behaviour change for legitimate users.

Windows builds retain the original std::ofstream path since
O_NOFOLLOW / O_CLOEXEC are not available on the Windows toolchain
and the Linux-as-root threat model that motivates the hardening
does not apply to Falco's Windows build.

Author: alexmchughdev

userspace/falco/app/actions/pidfile.cpp

@@ -15,9 +15,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#ifndef _WIN32
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <unistd.h>
+#include <cerrno>
+#include <cstdio>
+#include "compat.h"
+#endif
 
 #include "actions.h"
 
@@ -34,6 +40,35 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
 		return run_result::ok();
 	}
 
+#ifndef _WIN32
+	// O_NOFOLLOW makes open() fail with ELOOP if the path is a symlink, so an
+	// unprivileged user who can write to the pidfile's directory cannot
+	// pre-place a symlink and trick a root-running Falco into clobbering an
+	// arbitrary file with the PID.
+	int fd = ::open(state.options.pidfilename.c_str(),
+	                O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC,
+	                0644);
+	if(fd == -1) {
+		char errbuf[256];
+		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
+		falco_logger::log(falco_logger::level::ERR,
+		                  "Could not write pid to pidfile " + state.options.pidfilename +
+		                          " (error: " + errstr + "). Exiting.\n");
+		exit(-1);
+	}
+
+	if(dprintf(fd, "%lld\n", (long long)getpid()) < 0) {
+		char errbuf[256];
+		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
+		falco_logger::log(falco_logger::level::ERR,
+		                  "Could not write pid to pidfile " + state.options.pidfilename +
+		                          " (error: " + errstr + "). Exiting.\n");
+		::close(fd);
+		exit(-1);
+	}
+
+	::close(fd);
+#else
 	int64_t self_pid = getpid();
 
 	std::ofstream stream;
@@ -47,6 +82,7 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
 	}
 	stream << self_pid;
 	stream.close();
+#endif
 
 	return run_result::ok();
 }