Drop audit/suspend block/checkpoint capabilities from fwupd #7135

Open
RZR7332 wants to merge 1 commit into main
Conversation

RZR7332 (Contributor) commented Apr 19, 2024

This PR aims to drop the AUDIT subsystem, suspend block and checkpoint restore capabilities from fwupd, as well as explicitly dropping the capabilities which have been implicitly dropped as a result of other settings.
It is my intention to follow a similar process here as done with SystemCallFilter: drop cautiously, and hopefully transition to a whitelist at the end of the process (although blacklisting will also work - I see no systemd recommendation as to the best option).

Some calls have been implicitly dropped as a result of other settings, assumptions below:

  • CAP_SYS_MODULE dropped by ProtectKernelModules;
  • CAP_SYS_TIME dropped by ProtectClock;
  • CAP_SYSLOG dropped by ProtectKernelLogs.

I shall provide some details for the other capabilities in the comments. Multiple lines are permitted (and combined) if prefaced with ~ - from the man page:

This option may appear more than once, in which case the bounding sets are merged by OR, or by AND if the lines are prefixed with "~"

Source: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

The details of the respective capabilities can be found at https://man7.org/linux/man-pages/man7/capabilities.7.html

RZR7332 (Contributor, Author) commented Apr 19, 2024

Details of dropped capabilities:

   CAP_AUDIT_CONTROL (since Linux 2.6.11)
          Enable and disable kernel auditing; change auditing filter
          rules; retrieve auditing status and filtering rules.

   CAP_AUDIT_READ (since Linux 3.16)
          Allow reading the audit log via a multicast netlink
          socket.

   CAP_AUDIT_WRITE (since Linux 2.6.11)
          Write records to kernel auditing log.

   CAP_BLOCK_SUSPEND (since Linux 3.5)
          Employ features that can block system suspend ([epoll(7)](https://man7.org/linux/man-pages/man7/epoll.7.html)
          EPOLLWAKEUP, /proc/sys/wake_lock).

   CAP_CHECKPOINT_RESTORE (since Linux 5.9)
          •  Update /proc/sys/kernel/ns_last_pid (see
             [pid_namespaces(7)](https://man7.org/linux/man-pages/man7/pid_namespaces.7.html));
          •  employ the set_tid feature of [clone3(2)](https://man7.org/linux/man-pages/man2/clone3.2.html);
          •  read the contents of the symbolic links in
             /proc/pid/map_files for other processes.

          This capability was added in Linux 5.9 to separate out
          checkpoint/restore functionality from the overloaded
          CAP_SYS_ADMIN capability.
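To make the OR/AND merging rule quoted from systemd.exec(5) in the PR description concrete, and to check on a running daemon that the five capabilities listed above are really gone, here is an added Python example (not fwupd's or systemd's code). It models how systemd applies repeated CapabilityBoundingSet= lines, the capabilities that ProtectKernelModules=, ProtectClock= and ProtectKernelLogs= remove as a side effect according to systemd.exec(5) (ProtectClock= also removes CAP_WAKE_ALARM, which the PR does not mention), and decodes the CapBnd: mask that /proc/<pid>/status reports. The FWUPD_SERVICE and FORGOT_TILDE fragments and the status excerpt are constructed for the example, not taken from the fwupd unit file.

```python
"""How systemd merges repeated CapabilityBoundingSet= lines, which capabilities the
Protect*= options remove implicitly, and how to read CapBnd: from /proc/<pid>/status.
Added example, not fwupd's or systemd's code; bit numbers per linux/capability.h,
merging rule and Protect*= side effects per systemd.exec(5)."""

CAP_NAMES = [  # list index == capability bit number
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
ALL_CAPS = frozenset(CAP_NAMES)

# Hardening options that also remove capabilities from the bounding set.
PROTECT_DROPS = {
    "ProtectKernelModules": {"CAP_SYS_MODULE"},
    "ProtectClock": {"CAP_SYS_TIME", "CAP_WAKE_ALARM"},
    "ProtectKernelLogs": {"CAP_SYSLOG"},
}
# The five capabilities this PR drops explicitly.
PR_DROPS = frozenset({"CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_AUDIT_WRITE",
                      "CAP_BLOCK_SUSPEND", "CAP_CHECKPOINT_RESTORE"})

def merge_bounding_set(lines):
    """Apply CapabilityBoundingSet= values in order: a plain line ORs caps in, a
    "~" line ANDs them out, the first line picks the starting point (nothing or
    everything), "" resets to the empty set and a bare "~" to the full set.
    Returns None if no line was given (unrestricted)."""
    current = None
    for raw in lines:
        value = raw.strip()
        invert = value.startswith("~")
        names = set(value[1:].split() if invert else value.split())
        unknown = names - ALL_CAPS
        if unknown:
            raise ValueError("unknown capability: %s" % sorted(unknown))
        if not names or current is None:      # reset, or first line seen
            current = set(ALL_CAPS) if invert else set()
            if not names:
                continue
        if invert:
            current -= names
        else:
            current |= names
    return current

def effective_bounding_set(service):
    """service: ordered (key, value) pairs of a [Service] section."""
    caps = merge_bounding_set(v for k, v in service if k == "CapabilityBoundingSet")
    caps = set(ALL_CAPS) if caps is None else caps
    for key, value in service:
        if key in PROTECT_DROPS and value.lower() in ("yes", "true", "on", "1"):
            caps -= PROTECT_DROPS[key]
    return caps

def encode_capbnd(caps):
    """Render a set of names as the 64-bit hex mask /proc/<pid>/status prints."""
    return "%016x" % sum(1 << CAP_BIT[name] for name in caps)

def decode_capbnd(status_text):
    """Bounding set of a running process, from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split()[1], 16)
            return {name for name, bit in CAP_BIT.items() if mask >> bit & 1}
    raise ValueError("no CapBnd: line found")

def leaked(caps, must_be_absent=PR_DROPS):
    """Capabilities that were meant to be dropped but are still present."""
    return sorted(must_be_absent & set(caps))

# Constructed [Service] fragment in the spirit of the PR (not the real unit file).
FWUPD_SERVICE = [
    ("ProtectKernelModules", "yes"),
    ("ProtectClock", "yes"),
    ("ProtectKernelLogs", "yes"),
    ("CapabilityBoundingSet", "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"),
    ("CapabilityBoundingSet", "~CAP_BLOCK_SUSPEND CAP_CHECKPOINT_RESTORE"),
    ("CapabilityBoundingSet", "~CAP_SYS_MODULE CAP_SYS_TIME CAP_SYSLOG"),
]
# Same intent, but the second line lost its "~": it is OR-merged and drops nothing.
FORGOT_TILDE = [
    ("CapabilityBoundingSet", "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"),
    ("CapabilityBoundingSet", "CAP_BLOCK_SUSPEND CAP_CHECKPOINT_RESTORE"),
]
# Constructed /proc/<pid>/status excerpt for a daemon with every bit 0..40 set.
UNRESTRICTED_STATUS = "Name:\tfwupd\nCapBnd:\t000001ffffffffff\n"
```

On a host, `grep CapBnd /proc/$(pidof fwupd)/status` gives the mask to feed to decode_capbnd(); `capsh --decode=<mask>` prints the same list. The FORGOT_TILDE case is the trap the man page quote implies: a later line without the `~` prefix is merged by OR and adds capabilities back instead of removing them, so every line in a drop-list style unit has to carry it.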

@@ -13,6 +13,16 @@ RuntimeDirectory=@motd_dir@
RuntimeDirectoryPreserve=yes
BusName=org.freedesktop.fwupd
ExecStart=@libexecdir@/fwupd/fwupd

# Already implicitly dropped, dropping explicitly
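Review bot: the comment "# Already implicitly dropped, dropping explicitly" at the end of the hunk does not say which option already drops each capability, so a later reader of the unit file cannot tell whether the explicit line is still redundant once a Protect*= setting changes; spell it out next to the list, e.g. `# CAP_SYS_MODULE via ProtectKernelModules=, CAP_SYS_TIME via ProtectClock=, CAP_SYSLOG via ProtectKernelLogs=`, matching the assumptions in the PR description. Since the hunk adds several CapabilityBoundingSet= lines and the description relies on the "~" merge rule, also verify that every added line carries the "~" prefix: per the quoted man page text a line without it is merged by OR, which adds capabilities back instead of removing them.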
Member:

What's the logic to duplicate?

Contributor Author:

Just to be aware of them if whitelisting point is reached, no other purpose. More a note that these have essentially been tested already than anything else.
