apt: silence warnings when fetching apt-news

When fetching the apt-news data, APT will try using the _apt user to store that information on the system. We are now creating a separate folder that is owned by _apt, which silences an APT warning when storing the apt-news data Fixes: #3209 LP: #2070095
canonical · Sep 25, 2024 · 24ba6f8 · 24ba6f8
1 parent 956ee67
commit 24ba6f8
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/debian/apparmor/ubuntu_pro_apt_news.jinja2 b/debian/apparmor/ubuntu_pro_apt_news.jinja2
@@ -19,6 +19,7 @@ profile ubuntu_pro_apt_news flags=(attach_disconnected) {
   capability dac_read_search,
   # GH: 3079
   capability dac_override,
+  capability kill,
 
   /etc/apt/** r,
   /etc/default/apport r,
@@ -41,7 +42,8 @@ profile ubuntu_pro_apt_news flags=(attach_disconnected) {
   /var/lib/ubuntu-advantage/messages/ rw,
   /var/lib/ubuntu-advantage/messages/* rw,
   /run/ubuntu-advantage/ rw,
-  /run/ubuntu-advantage/* rw,
+  /run/ubuntu-advantage/apt-news/ rw,
+  /run/ubuntu-advantage/apt-news/* rw,
 
   # LP: #2072489
   # the apt-news package selector needs access to packaging information

diff --git a/uaclient/apt_news.py b/uaclient/apt_news.py
@@ -2,6 +2,7 @@
 import json
 import logging
 import os
+import shutil
 import unicodedata
 from typing import List, Optional
 
@@ -199,10 +200,12 @@ def select_message(
 
 @ensure_apt_pkg_init
 def fetch_aptnews_json(cfg: UAConfig):
-    os.makedirs(defaults.UAC_RUN_PATH, exist_ok=True)
+    os.makedirs(defaults.APT_NEWS_PATH, exist_ok=True)
+    shutil.chown(defaults.APT_NEWS_PATH, user="_apt")
+
     acq = apt_pkg.Acquire()
     apt_news_file = apt_pkg.AcquireFile(
-        acq, cfg.apt_news_url, hash="", destdir=defaults.UAC_RUN_PATH
+        acq, cfg.apt_news_url, hash="", destdir=defaults.APT_NEWS_PATH
     )
     acq.run()
     apt_news_contents = system.load_file(apt_news_file.destfile)

diff --git a/uaclient/defaults.py b/uaclient/defaults.py
@@ -43,6 +43,10 @@
 ESM_APT_ROOTDIR = os.path.join(DEFAULT_DATA_DIR, PRIVATE_ESM_CACHE_SUBDIR)
 NOTICES_PERMANENT_DIRECTORY = os.path.join(DEFAULT_DATA_DIR, NOTICES_SUBDIR)
 NOTICES_TEMPORARY_DIRECTORY = os.path.join(UAC_RUN_PATH, NOTICES_SUBDIR)
+APT_UPGRADE_HOOK_ERR = os.path.join(
+    DEFAULT_DATA_DIR, "apt-upgrade-hook-err.txt"
+)
+APT_NEWS_PATH = os.path.join(UAC_RUN_PATH, "apt-news")
 
 
 # URLs