rc.subr: Support setting the audit user when starting services

Description

When an unprivileged user restarts a service using, e.g., sudo, the
service runs with the audit user ID set to that of the unprivileged
user. This can have surprising effects: for instance, a user that
restarts a jail that is running sshd will end up with their UID attached
to all audit logs associated with users who log in via that sshd
instance. (sshd will set the audit user, but this is disallowed in
jails by default.)

Add support for rc.conf directives which cause rc to override the audit
user. Specifically, make <name>_audit_user=foo cause the audit user to
be set to "foo" for service <name>. A plain audit_user=foo directive
causes all services to be started as foo.

Note, like other similar rc features, this feature is limited to rc
services which are run by executing a command. Shell functions can't be
wrapped this way.

Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53747

Details

Provenance: markj authored on Mon, Nov 17, 4:45 PM
Reviewer: 0mp
Differential Revision: D53747: rc.subr: Support setting the audit user when starting services
Parents: rG71f6592a0150: rc.subr: Remove misguided cpuset usage