cadets / freebsd-old

FreeBSD src tree http://www.FreeBSD.org/

Close calls missing arg uuid #70

Open HarkonenBade opened 7 years ago

HarkonenBade commented 7 years ago
{
  "event": "audit:event:aue_close:",
  "time": 1490666478859073627,
  "pid": 2101,
  "ppid": 2099,
  "tid": 100069,
  "uid": 8316,
  "cpu_id": 2,
  "exec": "sshd",
  "subjprocuuid": "6bb33456-135a-11e7-a3ef-44a842348b1c",
  "subjthruuid": "4838ea80-130f-11e7-a367-44a842348b1c",
  "fd": 14,
  "retval": 0
}

aue_close calls are missing the "arg_objuuid1" parameter in a small number of cases.

rwatson commented 7 years ago

Just to recap a conversation with @HarkonenBade: It seems likely that this is a result of a call to close(2) being used on a file descriptor with multiple references. Currently we rely on the object implementation layer (e.g., sockets, vnodes, etc.) to audit UUID information, as object implementations are what store UUIDs, rather than open file records. Only the last close(2) is propagated down to that layer, as reference-count drops occur at the file-descriptor rather than the object layer. We can fix this by adding additional logic to capture audit information above the object layer (i.e., which implies a brief drop into the object layer in the audit code rather than the object layer passing it to audit). This is not particularly pretty but will work fine in practice.

rwatson commented 7 years ago

One further note: this could also happen when closing an object type that does not yet support UUIDs -- e.g., kqueue (see #66).
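The following is an added illustration, not code from CADETS or the FreeBSD tree, of the two explanations given in this thread: a close(2) on a descriptor that still has other references never reaches the object layer where the UUID is audited, and an object type without UUID support (kqueue) produces no UUID at all. The descriptor table, object types and audit hooks are simplified assumptions; the record field names (event, pid, fd, retval, arg_objuuid1) follow the issue. It also includes a small scanner for newline-delimited JSON audit output that lists the aue_close records lacking arg_objuuid1, which is the check a consumer of these records would want to run.

```python
"""Model of why aue_close audit records can lack arg_objuuid1.

Added example, not CADETS/FreeBSD code. Everything below is a simplified
assumption about how descriptors, objects and audit hooks interact.
"""
import json
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileObject:
    """An open-file object (vnode, socket, ...). As the issue describes, the
    UUID is stored on the object, not on the open file record / descriptor."""
    kind: str
    objuuid: Optional[str]   # None models a type without UUID support (kqueue)
    refcount: int = 1


class Process:
    """Toy per-process descriptor table with an audit record per close."""

    def __init__(self, pid: int, capture_above_object_layer: bool = False):
        self.pid = pid
        self.fdtable = {}
        self.records = []
        # The fix proposed in the thread: audit code reaches into the object
        # layer itself instead of waiting for the object layer to call it.
        self.capture_above_object_layer = capture_above_object_layer

    def _alloc_fd(self) -> int:
        return max(self.fdtable) + 1 if self.fdtable else 3

    def open_object(self, kind: str, with_uuid: bool = True) -> int:
        obj = FileObject(kind, str(uuid.uuid4()) if with_uuid else None)
        fd = self._alloc_fd()
        self.fdtable[fd] = obj
        return fd

    def dup(self, fd: int) -> int:
        """Second descriptor to the same object: refcount lives at the fd layer."""
        obj = self.fdtable[fd]
        obj.refcount += 1
        newfd = self._alloc_fd()
        self.fdtable[newfd] = obj
        return newfd

    def close(self, fd: int) -> int:
        obj = self.fdtable.pop(fd)
        record = {"event": "audit:event:aue_close:", "pid": self.pid, "fd": fd}
        if self.capture_above_object_layer and obj.objuuid is not None:
            record["arg_objuuid1"] = obj.objuuid
        obj.refcount -= 1
        if obj.refcount == 0 and obj.objuuid is not None:
            # Only the last close is propagated to the object layer, which is
            # where the object implementation audits its UUID.
            record["arg_objuuid1"] = obj.objuuid
        record["retval"] = 0
        self.records.append(record)
        return 0


def simulate(capture_above_object_layer: bool = False) -> list:
    """Reproduce both cases from the thread and return the audit records."""
    p = Process(2101, capture_above_object_layer)
    fd = p.open_object("vnode")
    fd2 = p.dup(fd)
    p.close(fd)    # refcount drop only; object layer never sees it
    p.close(fd2)   # last close, propagated to the object layer
    kq = p.open_object("kqueue", with_uuid=False)
    p.close(kq)    # object type without UUID support
    return p.records


# Constructed sample of newline-delimited JSON audit records (not real output).
SAMPLE_LINES = [
    '{"event": "audit:event:aue_close:", "pid": 2101, "fd": 14, "retval": 0}',
    '{"event": "audit:event:aue_close:", "pid": 2101, "fd": 15, '
    '"arg_objuuid1": "00000000-0000-0000-0000-000000000001", "retval": 0}',
]


def closes_missing_objuuid(lines) -> list:
    """Return (pid, fd) for every aue_close record that carries no arg_objuuid1."""
    missing = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") == "audit:event:aue_close:" and "arg_objuuid1" not in rec:
            missing.append((rec["pid"], rec["fd"]))
    return missing


if __name__ == "__main__":
    for rec in simulate():
        print(json.dumps(rec))
    print("missing:", closes_missing_objuuid(SAMPLE_LINES))
```

Running simulate() without the fix yields a UUID only on the second of the two closes of the dup'd vnode and none on the kqueue close; with capture_above_object_layer=True both vnode closes carry the same UUID, while the kqueue close still has none, which is the residual case rwatson points to in #66.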