fix: guestagent audit detection and fallback

[pendo324]

WSL2 just put out a new pre-release version (version 2.0.1 at the time of writing). While testing Lima with the new version, I noticed that AUDIT is enabled in the kernel:

# uname -a
Linux EC2AMAZ-3QHKPN9 5.15.123.1-microsoft-standard-WSL2 #1 SMP Mon Aug 7 19:01:48 UTC 2023 x86_64 GNU/Linux

# zfgrep AUDIT /proc/config.gz
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
# CONFIG_KVM_MMU_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set

and cap_audit_read/cap_audit_write are set:

# cat /proc/$$/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

# capsh --decode=000001ffffffffff
0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore

However, lima-guestagent was now failing to start, probably for the same reason auditd was also failing to start.

After some digging, I found this excellent blog post (Google Translate helped out a lot), which led me in the right direction.

I've updated the lima-guestagent logic to detect this new case where auditing is enabled, but not permitted, and added links to the relevant source for reference.

[AkihiroSuda]

Thanks