fix(userspace): open pidfile with O_NOFOLLOW to prevent symlink TOCTOU

userspace/falco/app/actions/pidfile.cpp

@@ -15,9 +15,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#ifndef _WIN32
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <unistd.h>
+#include <cerrno>
+#include <cstdio>
+#include "compat.h"
+#endif
 
 #include "actions.h"
 
@@ -34,6 +40,35 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
 		return run_result::ok();
 	}
 
+#ifndef _WIN32
+	// O_NOFOLLOW makes open() fail with ELOOP if the path is a symlink, so an
+	// unprivileged user who can write to the pidfile's directory cannot
+	// pre-place a symlink and trick a root-running Falco into clobbering an
+	// arbitrary file with the PID.
+	int fd = ::open(state.options.pidfilename.c_str(),
+	                O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC,
+	                0644);
+	if(fd == -1) {
+		char errbuf[256];
+		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
+		falco_logger::log(falco_logger::level::ERR,
+		                  "Could not write pid to pidfile " + state.options.pidfilename +
+		                          " (error: " + errstr + "). Exiting.\n");
+		exit(-1);
+	}
+
+	if(dprintf(fd, "%lld\n", (long long)getpid()) < 0) {
+		char errbuf[256];
+		const char* errstr = falco_strerror_r(errno, errbuf, sizeof(errbuf));
+		falco_logger::log(falco_logger::level::ERR,
+		                  "Could not write pid to pidfile " + state.options.pidfilename +
+		                          " (error: " + errstr + "). Exiting.\n");
+		::close(fd);
+		exit(-1);
+	}
+
+	::close(fd);
+#else
 	int64_t self_pid = getpid();
 
 	std::ofstream stream;
@@ -47,6 +82,7 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
 	}
 	stream << self_pid;
 	stream.close();
+#endif
 
 	return run_result::ok();
 }