adguardhome: run as an unprivileged user

Run AdGuard Home without superuser privileges, by granting the binary
capabilities through ujail.

AdGuard Home writes new config files, so it must have r/w access to the
directory where these files live. Which means existing configs must be
migrated to a new directory, /etc/adguardhome, by default.

CAP_NET_BIND_SERVICE and CAP_NET_RAW capabilities are based on the
official documentation linked below.

Link: https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#running-without-superuser-linux-only
Signed-off-by: George Sapkin <george@sapk.in>

net/adguardhome/files/adguardhome.init

@@ -1,4 +1,5 @@
 #!/bin/sh /etc/rc.common
+# shellcheck disable=SC3043 # ash supports local
 
 PROG=/usr/bin/AdGuardHome
 
@@ -10,34 +11,80 @@ START=19
 STOP=89
 
 boot() {
-  adguardhome_boot=1
-  start "$@"
+	ADGUARDHOME_BOOT=1
+	start "$@"
 }
 
 start_service() {
-  if [ -n "$adguardhome_boot" ]; then
-    # Do not start yet, wait for triggers
-    return 0
-  fi
+	if [ -n "$ADGUARDHOME_BOOT" ]; then
+		# Do not start yet, wait for triggers
+		return 0
+	fi
 
-  config_load adguardhome
-  config_get CONFIG_FILE config config "/etc/adguardhome.yaml"
-  config_get PID_FILE config pidfile "/run/adguardhome.pid"
-  config_get WORK_DIR config workdir "/var/lib/adguardhome"
+	local config_file
+	local group
+	local pid_file
+	local user
+	local verbose
+	local work_dir
 
-  [ -d "$WORK_DIR" ] || mkdir -m 0755 -p "$WORK_DIR"
+	config_load adguardhome
+	config_get config_file config config "/etc/adguardhome/adguardhome.yaml"
+	config_get work_dir config workdir "/var/lib/adguardhome"
+	config_get pid_file config pidfile "/run/adguardhome.pid"
+	config_get_bool verbose config verbose
 
-  procd_open_instance
-  procd_set_param command "$PROG" -c "$CONFIG_FILE" -w "$WORK_DIR" --pidfile "$PID_FILE" --no-check-update
-  procd_set_param stdout 1
-  procd_set_param stderr 1
-  procd_close_instance
+	config_get user config user adguardhome
+	config_get group config group adguardhome
+
+	local config_dir
+	config_dir=$(dirname "$config_file")
+	if [ "$config_dir" = '/etc' ]; then
+		echo "AdGuard Home config must be stored in its own directory, and not in /etc" >&2
+		exit 1
+	fi
+	mkdir -m 0700 -p "$config_dir"
+	chown -R "$user":"$group" "$config_dir"
+
+	mkdir -m 0700 -p "$work_dir"
+	chown -R "$user":"$group" "$work_dir"
+
+	procd_open_instance
+
+	procd_set_param command "$PROG"
+	procd_append_param command --config "$config_file"
+	procd_append_param command --work-dir "$work_dir"
+	procd_append_param command --logfile syslog
+	procd_append_param command --no-check-update
+	[ "$verbose" = 1 ] && procd_append_param command --verbose
+
+	procd_set_param pidfile "$pid_file"
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param user "$user"
+	procd_set_param group "$group"
+	procd_set_param capabilities /etc/capabilities/adguardhome.json
+	procd_set_param no_new_privs 1
+
+	# log is needed for logging to syslog instead of stdout
+	# procfs is needed to readlink /proc/self/exe
+	procd_add_jail adguardhome log procfs
+
+	# config directory must be writable to write new config files
+	procd_add_jail_mount_rw "$config_dir"
+	procd_add_jail_mount_rw "$work_dir"
+
+	procd_add_jail_mount /etc/hosts
+	procd_add_jail_mount /etc/ssl/certs
+	config_list_foreach config jail_mount procd_add_jail_mount
+
+	procd_close_instance
 }
 
 service_triggers() {
-  if [ -n "$adguardhome_boot" ]; then
-    # Wait for interfaces to be up before starting AdGuard Home for real.
-    # Prevents issues like https://github.com/openwrt/packages/issues/21868.
-    procd_add_raw_trigger "interface.*.up" 5000 /etc/init.d/adguardhome restart
-  fi
+	if [ -n "$ADGUARDHOME_BOOT" ]; then
+		# Wait for interfaces to be up before starting AdGuard Home for real.
+		# Prevents issues like https://github.com/openwrt/packages/issues/21868.
+		procd_add_raw_trigger "interface.*.up" 5000 /etc/init.d/adguardhome restart
+	fi
 }