test(linux-client): fix linux-group integration test (#4671)

Closes #4669 
(Once I figure out the cause and then fix it)

.github/workflows/_integration_tests.yml

@@ -106,7 +106,7 @@ jobs:
           direct-download-roaming-network,
           dns-failsafe, # Uses the default DNS control method
           dns-nm,
-          # linux-group,  # Stub, doesn't run Firezone code yet. Broken too, see <https://github.com/firezone/firezone/issues/4669>
+          linux-group,  # Stub, doesn't run Firezone code yet.
           relay-graceful-shutdown,
           relayed-curl-api-down,
           relayed-curl-api-restart,

scripts/tests/linux-group.sh

@@ -10,6 +10,12 @@ FZ_GROUP="firezone"
 SERVICE_NAME=firezone-client
 export RUST_LOG=info
 
+function print_debug_info {
+    systemctl status "$SERVICE_NAME"
+}
+
+trap print_debug_info EXIT
+
 # Copy the Linux Client out of its container
 docker compose exec client cat firezone-linux-client > "$BINARY_NAME"
 chmod u+x "$BINARY_NAME"

scripts/tests/systemd/firezone-client.service

@@ -3,7 +3,8 @@ Description=Firezone Client
 
 [Service]
 AmbientCapabilities=CAP_NET_ADMIN
-CapabilityBoundingSet=CAP_NET_ADMIN
+# TODO: Get rid of `CAP_CHOWN` here by asking systemd to make our runtime dir on our behalf
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_ADMIN
 DeviceAllow=/dev/net/tun
 LockPersonality=true
 MemoryDenyWriteExecute=true