Conversation


@graysky2 graysky2 commented Jan 26, 2026

📦 Package Details

Maintainer: @GeorgeSapkin @dobo90
(You can find this by checking the history of the package Makefile.)

Description:

The previous json file incorrectly granted CAP_NET_RAW, which AdGuardHome does not use for either DNS or DHCP AFAIK. CAP_NET_BIND_SERVICE is needed for binding privileged DNS and HTTPS ports and CAP_NET_ADMIN for DHCP functionality, matching guidance in the Linux capability documentation (man 7 capabilities, man 7 packet) and consistent with AdGuardHome’s DHCP implementation, which relies on packet sockets and interface operations rather than raw ICMP.

If users are only using adguard for DNS, CAP_NET_ADMIN is not needed at all.


🧪 Run Testing Details

  • OpenWrt Version: SNAPSHOT
  • OpenWrt Target/Subtarget: x86/64-glibc
  • OpenWrt Device: generic PC

✅ Formalities

  • I have reviewed the CONTRIBUTING.md file for detailed contributing guidelines.

If your PR contains a patch:

  • It can be applied using git am
  • It has been refreshed to avoid offsets, fuzzes, etc., using
    make package/<your-package>/refresh V=s
  • It is structured in a way that it is potentially upstreamable
    (e.g., subject line, commit description, etc.)
    We must try to upstream patches to reduce maintenance burden.

The previous json file incorrectly granted CAP_NET_RAW, which
AdGuardHome does not use for either DNS or DHCP AFAIK. CAP_NET_BIND_SERVICE
is needed for binding privileged DNS and HTTPS ports and CAP_NET_ADMIN
for DHCP functionality, matching guidance in the Linux capability
documentation (man 7 capabilities, man 7 packet) and consistent with
AdGuardHome’s DHCP implementation, which relies on packet sockets and
interface operations rather than raw ICMP.

If users are only using adguard for DNS, CAP_NET_ADMIN is not needed at
all.

Signed-off-by: John Audia <therealgraysky@proton.me>
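As an added example (not code from this PR or the AdGuardHome package), a small shell helper that decodes the effective capability mask of a running process so the set procd actually granted can be compared with what a DNS-only or DNS+DHCP deployment needs; the capability bit numbers are the kernel's, and `pidof AdGuardHome` for the PID lookup is an assumption.

```shell
# Added example, not from the PR. Capability bit numbers from
# linux/capability.h: CAP_NET_BIND_SERVICE=10, CAP_NET_BROADCAST=11,
# CAP_NET_ADMIN=12, CAP_NET_RAW=13.

# Print the names of the network capabilities set in a CapEff hex mask,
# one per line. $1 is the mask as it appears in /proc/<pid>/status
# (16 hex digits, no 0x prefix).
net_caps_in_mask() {
    mask=$((0x$1))
    for entry in 10:cap_net_bind_service 11:cap_net_broadcast \
                 12:cap_net_admin 13:cap_net_raw; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Read CapEff of a running process by PID and decode it.
net_caps_of_pid() {
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status") || return 1
    [ -n "$mask" ] || return 1
    net_caps_in_mask "$mask"
}

# Usage on the router (assumes the daemon is running and pidof finds it):
#   net_caps_of_pid "$(pidof AdGuardHome)"
# A DNS-only setup granted just CAP_NET_BIND_SERVICE prints only:
#   cap_net_bind_service
```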
@GeorgeSapkin
Member

This is how it's documented:

Isn't CAP_NET_ADMIN quite broad compared to CAP_NET_RAW?

Did you test the DHCP part?

@graysky2
Contributor Author

Well shit. I read it backwards. After reviewing the docs, and the man pages, I believe you had it right. Sorry for the noise.

FYI - I tested with just CAP_NET_BIND_SERVICE as my setup is DNS only and that works.

@graysky2 graysky2 closed this Jan 26, 2026