aghnet: imp permissions logic

Updates #5433.

Squashed commit of the following:

commit 4190845e5edb7f3a5f6970ec1d739aabf0a87f57
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Thu Feb 2 18:01:10 2023 +0300

    filtering: fix league of legends icon

CHANGELOG.md

@@ -23,6 +23,12 @@ See also the [v0.107.24 GitHub milestone][ms-v0.107.24].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Fixed
+
+- The icon for League Of Legends on the Blocked services page ([#5433]).
+
+[#5433]: https://github.com/AdguardTeam/AdGuardHome/issues/5433
+
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->

internal/aghnet/net.go

@@ -80,6 +80,11 @@ func CanBindPrivilegedPorts() (can bool, err error) {
 	return canBindPrivilegedPorts()
 }
 
+// AcquirePermissions tries to acquire permissions to bind to privileged ports.
+func AcquirePermissions() (err error) {
+	return acquirePermissions()
+}
+
 // NetInterface represents an entry of network interfaces map.
 type NetInterface struct {
 	// Addresses are the network interface addresses.

internal/aghnet/net_bsd.go

@@ -7,3 +7,7 @@ import "github.com/AdguardTeam/AdGuardHome/internal/aghos"
 func canBindPrivilegedPorts() (can bool, err error) {
 	return aghos.HaveAdminRights()
 }
+
+func acquirePermissions() (err error) {
+	return nil
+}

internal/aghnet/net_linux.go

@@ -23,17 +23,17 @@ const dhcpcdConf = "etc/dhcpcd.conf"
 
 func canBindPrivilegedPorts() (can bool, err error) {
 	res, err := unix.PrctlRetInt(
-		unix.PR_CAP_AMBIENT,
+		unix.PR_CAPBSET_READ,
-		unix.PR_CAP_AMBIENT_IS_SET,
 		unix.CAP_NET_BIND_SERVICE,
 		0,
 		0,
+		0,
 	)
 	if err != nil {
 		if errors.Is(err, unix.EINVAL) {
 			// Older versions of Linux kernel do not support this.  Print a
 			// warning and check admin rights.
-			log.Info("warning: cannot check capability cap_net_bind_service: %s", err)
+			log.Info("warning: cannot check cap_net_bind_service: %s", err)
 		} else {
 			return false, err
 		}
@@ -45,6 +45,21 @@ func canBindPrivilegedPorts() (can bool, err error) {
 	return res == 1 || adm, nil
 }
 
+func acquirePermissions() (err error) {
+	_, err = unix.PrctlRetInt(
+		unix.PR_CAP_AMBIENT,
+		unix.PR_CAP_AMBIENT_RAISE,
+		unix.CAP_NET_BIND_SERVICE,
+		0,
+		0,
+	)
+	if err != nil {
+		return fmt.Errorf("raising cap_net_bind_service: %w", err)
+	}
+
+	return nil
+}
+
 // dhcpcdStaticConfig checks if interface is configured by /etc/dhcpcd.conf to
 // have a static IP.
 func (n interfaceName) dhcpcdStaticConfig(r io.Reader) (subsources []string, cont bool, err error) {

internal/aghnet/net_windows.go

@@ -43,3 +43,7 @@ func closePortChecker(c io.Closer) (err error) {
 func isAddrInUse(err syscall.Errno) (ok bool) {
 	return errors.Is(err, windows.WSAEADDRINUSE)
 }
+
+func acquirePermissions() (err error) {
+	return nil
+}

internal/filtering/servicelist.go

@@ -1283,7 +1283,7 @@ var blockedServices = []blockedService{{
 }, {
 	ID:      "leagueoflegends",
 	Name:    "League of Legends",
-	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 30 30\" width=\"60px\" height=\"60px\"><path d=\"M 7 4 L 9 7.25 L 9 22.75 L 6.875 26 L 21.957031 26 L 25 22 L 14 22 L 14 4 L 7 4 z M 16 4.0507812 L 16 6.0585938 C 20.493 6.5575937 24 10.375 24 15 C 24 16.849 23.438516 18.569 22.478516 20 L 24.785156 20 C 25.556156 18.498 26 16.801 26 15 C 26 9.272 21.598 4.5577812 16 4.0507812 z M 6.8730469 7.6113281 C 5.0940469 9.5663281 4 12.155 4 15 C 4 17.837 5.0884219 20.418094 6.8574219 22.371094 L 7 22.154297 L 7 19.105469 C 6.365 17.872469 6 16.479 6 15 C 6 13.521 6.365 12.127531 7 10.894531 L 7 7.8164062 L 6.8730469 7.6113281 z\"/></svg>"),
+	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 30 30\"><path d=\"M 7 4 L 9 7.25 L 9 22.75 L 6.875 26 L 21.957031 26 L 25 22 L 14 22 L 14 4 L 7 4 z M 16 4.0507812 L 16 6.0585938 C 20.493 6.5575937 24 10.375 24 15 C 24 16.849 23.438516 18.569 22.478516 20 L 24.785156 20 C 25.556156 18.498 26 16.801 26 15 C 26 9.272 21.598 4.5577812 16 4.0507812 z M 6.8730469 7.6113281 C 5.0940469 9.5663281 4 12.155 4 15 C 4 17.837 5.0884219 20.418094 6.8574219 22.371094 L 7 22.154297 L 7 19.105469 C 6.365 17.872469 6 16.479 6 15 C 6 13.521 6.365 12.127531 7 10.894531 L 7 7.8164062 L 6.8730469 7.6113281 z\"/></svg>"),
 	Rules: []string{
 		"||leagueoflegends.co.kr^",
 		"||leagueoflegends.com^",

internal/home/home.go

@@ -570,14 +570,21 @@ func startMods() (err error) {
 func checkPermissions() {
 	log.Info("Checking if AdGuard Home has necessary permissions")
 
-	if ok, err := aghnet.CanBindPrivilegedPorts(); !ok || err != nil {
+	err := aghnet.AcquirePermissions()
-		log.Fatal("This is the first launch of AdGuard Home. You must run it as Administrator.")
+	if err != nil {
+		log.Debug("acquiring necessary permissions: %s", err)
+
+		var ok bool
+		if ok, err = aghnet.CanBindPrivilegedPorts(); !ok || err != nil {
+			log.Fatal("This is the first launch of AdGuard Home. You must run it as Administrator.")
+		}
 	}
 
 	// We should check if AdGuard Home is able to bind to port 53
-	err := aghnet.CheckPort("tcp", netip.AddrPortFrom(netutil.IPv4Localhost(), defaultPortDNS))
+	err = aghnet.CheckPort("tcp", netip.AddrPortFrom(netutil.IPv4Localhost(), defaultPortDNS))
 	if err != nil {
 		if errors.Is(err, os.ErrPermission) {
+			log.Debug("checking permissions via binding: %v", err)
 			log.Fatal(`Permission check failed.
 
 AdGuard Home is not allowed to bind to privileged ports (for instance, port 53).