From 1e4a11482cac6571f59ee373a04d8f32c505a536 Mon Sep 17 00:00:00 2001
From: Guillaume Berche
Date: Thu, 7 May 2026 14:53:02 +0200
Subject: [PATCH 1/4] Harden monit-access-helper.sh cgroupv2 mount point detection Restrict the inspection of /proc/self/mounts to cgroupv2 device (1st column) in addition to existing cgroup fstype (column 3). Also fail fast in case of multiple detected mount points. Fix #585
---
 .../stages/bosh_monit/assets/monit-access-helper.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index be95cfa3a8..732e27ead3 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -29,9 +29,10 @@ permit_monit_access() {
 # cgroupv2 (unified hierarchy)
 # Create a sub-cgroup under the current process's cgroup and move into it.
 # The iptables rules match on this cgroup path.
- cgroup_mount="$(awk '$3 == "cgroup2" { print $2 }' /proc/self/mounts)"
+ cgroup_mount="$(awk '$1 == "cgroup2" && $3 == "cgroup2" { print $2 }' /proc/self/mounts)"
+ nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | wc -l)
 current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
- if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
+ if [ -z "${cgroup_mount}" ] || [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
 echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
 return 1
 fi
From 50cc4d1fc641b0d24e8c3f6474043404ec0509b1 Mon Sep 17 00:00:00 2001
From: Guillaume Berche
Date: Wed, 13 May 2026 11:09:34 +0200
Subject: [PATCH 2/4] Refine error message when cgroupsv2 mount or path are not resolved
---
 .../stages/bosh_monit/assets/monit-access-helper.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
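Review bot: The tightened awk filter `$1 == "cgroup2"` keys on the mount *source* column of /proc/self/mounts, which is a free-form string chosen by whoever performed the mount rather than a kernel-assigned value, so a host whose init or container runtime mounted the unified hierarchy with a source such as `none` or `cgroup` would now fail `permit_monit_access` where the fstype-only check succeeded. If the goal is to exclude duplicate or bind views of the hierarchy rather than to depend on that spelling, matching on the fstype plus the mount point would be the more robust key; at minimum the assumption deserves a comment above the assignment, e.g. `# Source (col 1) is caller-chosen; systemd-booted hosts typically name it "cgroup2" — other mounters may differ`. The `wc -l` count reports 1 for an empty value because echo still emits a newline, which is harmless here only because the `-z` test runs first. The body of `permit_monit_access` continues outside the hunk.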
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index 732e27ead3..fa221aa297 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -19,13 +19,13 @@ monit_isolation_classid=2958295041
 #
 # Prefer cgroup.controllers; also accept stat(2) filesystem type for hosts where
 # the file is missing from the mount view but the root is still cgroup2fs.
-monit_using_unified_cgroup_v2() {
+system_using_unified_cgroup_v2() {
 [ -f /sys/fs/cgroup/cgroup.controllers ] && return 0
 [ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = "cgroup2fs" ]
 }

 permit_monit_access() {
- if monit_using_unified_cgroup_v2; then
+ if system_using_unified_cgroup_v2; then
 # cgroupv2 (unified hierarchy)
 # Create a sub-cgroup under the current process's cgroup and move into it.
 # The iptables rules match on this cgroup path.
@@ -33,7 +33,7 @@ permit_monit_access() {
 nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | wc -l)
 current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
 if [ -z "${cgroup_mount}" ] || [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
- echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
+ echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2
 return 1
 fi
 monit_access_cgroup="${cgroup_mount}${current_cgroup}/monit-api-access"
From b35a8f1e76176f82f1b252e719b55be49c54e2be Mon Sep 17 00:00:00 2001
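Review bot: In the new diagnostic, the `-ne 1` branch fires exactly when `cgroup_mount` holds several newline-separated paths, so the single `echo` spills onto multiple stderr lines and every path after the first appears without the `permit_monit_access:` prefix, which defeats log filtering on that prefix. Collapse the value before printing, e.g. `cgroup_mount=$(printf '%s' "${cgroup_mount}" | tr '\n' ',')` inside the message, so the whole diagnostic stays on one line. The same echo line is rewritten again in the fourth patch of this series and the same point applies there. The body of `permit_monit_access` continues outside the hunk.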
From: Guillaume Berche
Date: Fri, 22 May 2026 09:22:22 +0200
Subject: [PATCH 3/4] Refine nb_matching_cgroup_mounts computation through use of grep As suggested in https://github.com/cloudfoundry/bosh-linux-stemcell-builder/pull/599#pullrequestreview-4319526501 Verified manually and through https://stackoverflow.com/a/42399738 Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .../stages/bosh_monit/assets/monit-access-helper.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index fa221aa297..f0b5eb600e 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -30,7 +30,7 @@ permit_monit_access() {
 # Create a sub-cgroup under the current process's cgroup and move into it.
 # The iptables rules match on this cgroup path.
 cgroup_mount="$(awk '$1 == "cgroup2" && $3 == "cgroup2" { print $2 }' /proc/self/mounts)"
- nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | wc -l)
+ nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | grep -c '^.')
 current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
 if [ -z "${cgroup_mount}" ] || [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
 echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2
From e9d01035ba500f30c798a4fa05afd64ee11906f6 Mon Sep 17 00:00:00 2001
From: Guillaume Berche
Date: Fri, 22 May 2026 09:24:52 +0200
Subject: [PATCH 4/4] Refine error message when cgroupsv2 mount or path are not resolved Now also display nb_matching_cgroup_mounts
---
 .../stages/bosh_monit/assets/monit-access-helper.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
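Review bot: `grep -c '^.'` exits with status 1 when nothing matches, so on the one input the count is meant to diagnose — an empty `cgroup_mount` — the assignment itself now returns non-zero; if this helper runs under `set -e` (not visible in the hunk) or a caller checks the assignment's status, the function aborts on that line instead of reaching the explicit diagnostic three lines below. Appending `|| true` keeps the `0` output while neutralising the exit status: `nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | grep -c '^.' || true)`. A short comment on the line, such as `# count non-empty lines; grep returns 1 on zero matches, hence || true`, would keep the next reader from "simplifying" it back. The body of `permit_monit_access` continues outside the hunk on both sides.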
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index f0b5eb600e..e80b3237ec 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -33,7 +33,7 @@ permit_monit_access() {
 nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | grep -c '^.')
 current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
 if [ -z "${cgroup_mount}" ] || [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
- echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2
+ echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount} nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts}" >&2
 return 1
 fi
 monit_access_cgroup="${cgroup_mount}${current_cgroup}/monit-api-access"
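Review bot: The message text still reads `unable to resolve cgroup v2 mount or path`, but the condition it reports also fires when more than one mount matched, which is an ambiguity rather than an absence and is the very case the new `nb_matching_cgroup_mounts` field is meant to expose; an operator reading "unable to resolve" next to `nb_matching_cgroup_mounts=2` gets a contradictory signal. Suggest `echo "permit_monit_access: expected exactly one cgroup v2 mount and a non-empty cgroup path. ..."` with the three fields unchanged. With three interpolated fields the line has also grown past comfortable width; splitting it across a `printf '%s\n' "permit_monit_access: ..." "..."` or a continuation line would keep it readable. The body of `permit_monit_access` continues outside the hunk.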