From 24ba6f805ec3615e40f78ef83b6b13f81001867a Mon Sep 17 00:00:00 2001
From: Lucas Moura
Date: Tue, 10 Sep 2024 14:44:31 -0400
Subject: [PATCH] apt: silence warnings when fetching apt-news
When fetching the apt-news data, APT will try using the _apt user to store that information on the system. We are now creating a separate folder that is owned by _apt, which silences an APT warning when storing the apt-news data
Fixes: #3209
LP: #2070095
---
 debian/apparmor/ubuntu_pro_apt_news.jinja2 | 4 +++-
 uaclient/apt_news.py | 7 +++++--
 uaclient/defaults.py | 4 ++++
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/debian/apparmor/ubuntu_pro_apt_news.jinja2 b/debian/apparmor/ubuntu_pro_apt_news.jinja2
index 227ee65440..8b963f61b3 100644
--- a/debian/apparmor/ubuntu_pro_apt_news.jinja2
+++ b/debian/apparmor/ubuntu_pro_apt_news.jinja2
@@ -19,6 +19,7 @@ profile ubuntu_pro_apt_news flags=(attach_disconnected) {
 capability dac_read_search,
 # GH: 3079
 capability dac_override,
+ capability kill,
 /etc/apt/** r,
 /etc/default/apport r,
@@ -41,7 +42,8 @@ profile ubuntu_pro_apt_news flags=(attach_disconnected) {
 /var/lib/ubuntu-advantage/messages/ rw,
 /var/lib/ubuntu-advantage/messages/* rw,
 /run/ubuntu-advantage/ rw,
- /run/ubuntu-advantage/* rw,
+ /run/ubuntu-advantage/apt-news/ rw,
+ /run/ubuntu-advantage/apt-news/* rw,
 # LP: #2072489
 # the apt-news package selector needs access to packaging information
diff --git a/uaclient/apt_news.py b/uaclient/apt_news.py
index 473c359fcd..2f43835906 100644
--- a/uaclient/apt_news.py
+++ b/uaclient/apt_news.py
@@ -2,6 +2,7 @@
 import json
 import logging
 import os
+import shutil
 import unicodedata
 from typing import List, Optional
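Review bot: The new `capability kill,` rule in the first hunk of ubuntu_pro_apt_news.jinja2 has no justification next to it, unlike the neighbouring `# GH: 3079` reference, and the commit message does not say why signalling is needed. CAP_KILL lets the confined process signal processes owned by any user, so the reason belongs beside the rule, e.g. `# LP: #2070095 - presumably needed to signal apt methods running as _apt; confirm`. The profile continues outside this hunk; if it has no `signal` rules limiting which peers may be signalled, consider adding one so the capability is only usable towards the intended processes.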
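Review bot: The two replacement rules in the second hunk of ubuntu_pro_apt_news.jinja2 hard-code `/run/ubuntu-advantage/apt-news/`, while the same patch defines that directory in Python as `APT_NEWS_PATH` in uaclient/defaults.py, and nothing ties the two together. A comment above the rules such as `# keep in sync with uaclient.defaults.APT_NEWS_PATH (directory owned by _apt, LP: #2070095)` would make the coupling visible. Dropping `/run/ubuntu-advantage/* rw,` also removes write access to files directly under that directory; the rest of the profile is outside this hunk, so confirm that nothing else the confined process writes there relied on the old rule.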
@@ -199,10 +200,12 @@ def select_message(
 @ensure_apt_pkg_init
 def fetch_aptnews_json(cfg: UAConfig):
- os.makedirs(defaults.UAC_RUN_PATH, exist_ok=True)
+ os.makedirs(defaults.APT_NEWS_PATH, exist_ok=True)
+ shutil.chown(defaults.APT_NEWS_PATH, user="_apt")
+
 acq = apt_pkg.Acquire()
 apt_news_file = apt_pkg.AcquireFile(
- acq, cfg.apt_news_url, hash="", destdir=defaults.UAC_RUN_PATH
+ acq, cfg.apt_news_url, hash="", destdir=defaults.APT_NEWS_PATH
 )
 acq.run()
 apt_news_contents = system.load_file(apt_news_file.destfile)
diff --git a/uaclient/defaults.py b/uaclient/defaults.py
index be6444c2d4..d15e3cf2b7 100644
--- a/uaclient/defaults.py
+++ b/uaclient/defaults.py
@@ -43,6 +43,10 @@ ESM_APT_ROOTDIR = os.path.join(DEFAULT_DATA_DIR, PRIVATE_ESM_CACHE_SUBDIR)
 NOTICES_PERMANENT_DIRECTORY = os.path.join(DEFAULT_DATA_DIR, NOTICES_SUBDIR)
 NOTICES_TEMPORARY_DIRECTORY = os.path.join(UAC_RUN_PATH, NOTICES_SUBDIR)
+APT_UPGRADE_HOOK_ERR = os.path.join(
+ DEFAULT_DATA_DIR, "apt-upgrade-hook-err.txt"
+)
+APT_NEWS_PATH = os.path.join(UAC_RUN_PATH, "apt-news")
 # URLs
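Review bot: After `shutil.chown(defaults.APT_NEWS_PATH, user="_apt")` in `fetch_aptnews_json`, the download directory is writable by the `_apt` account, yet `system.load_file(apt_news_file.destfile)` a few lines below still reads from it in this process, which presumably runs as root since it can chown. Anything found in that directory should be treated as untrusted, so add a comment such as `# directory is _apt-writable: destfile is untrusted input, validate before use` and confirm the loader does not follow a symlink left there. Separately, `shutil.chown` raises `LookupError` when the `_apt` user does not exist and `PermissionError` when the caller is unprivileged, and `os.makedirs(..., exist_ok=True)` leaves the mode and owner of an existing path untouched. Neither case is handled in the visible lines, so a cosmetic APT warning could turn into a failed fetch. The function body continues past the end of the hunk, so any error handling further down is not visible here.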
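Review bot: `APT_UPGRADE_HOOK_ERR`, added in the uaclient/defaults.py hunk, is not referenced by any other hunk in this patch and is not mentioned in the commit message, so it looks unrelated to the apt-news change (possibly a rebase leftover); consider moving it to the commit that uses it. `APT_NEWS_PATH` would benefit from a comment recording its ownership contract, e.g. `# owned by _apt so APT can store the apt-news download here; mirrored in debian/apparmor/ubuntu_pro_apt_news.jinja2`.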