Harden monit-access-helper.sh cgroupv2 mount point detection

Restrict the inspection of /proc/self/mounts to cgroupv2 device (1st column) in addition to existing cgroup fstype (column 3).

Also fail fast in case of multiple detected mount points.

Fix #585

Author: gberche-orange

stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

@@ -29,9 +29,10 @@ permit_monit_access() {
         # cgroupv2 (unified hierarchy)
         # Create a sub-cgroup under the current process's cgroup and move into it.
         # The iptables rules match on this cgroup path.
-        cgroup_mount="$(awk '$3 == "cgroup2" { print $2 }' /proc/self/mounts)"
+        cgroup_mount="$(awk '$1 == "cgroup2" && $3 == "cgroup2" { print $2 }' /proc/self/mounts)"
+        nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | wc -l)
         current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
-        if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
+        if [ -z "${cgroup_mount}" ] || [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
             echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
             return 1
         fi