add example of not working

Signed-off-by: vsoch <vsoch@users.noreply.github.com>

version_only/Makefile

@@ -0,0 +1,6 @@
+all:
+	g++ -fPIC -shared -O3 -g -o preloadlib.so preloadlib.cpp
+	g++ -fPIC -shared -O3 -g -o auditlib.so auditlib.cpp
+
+run:
+	LD_AUDIT=./auditlib.so LD_PRELOAD=./preloadlib.so whoami

version_only/README.md

@@ -0,0 +1,12 @@
+# Version Only
+
+This example shows that the LD_AUDIT library doesn't seem to trigger in the presence of the
+other, LD_PRELOAD. I was able to get it working at first with just the auditlib here, but
+when I added the second preload library, there was no output.
+
+```bash
+LD_AUDIT=./auditlib.so LD_PRELOAD=./preloadlib.so whoami
+I'm loaded from LD_PRELOAD vanessa
+```
+
+I don't have a good reason for this! If you find one, please [let me know](https://github.com/buildsi/ldaudit-yaml/issues).

version_only/auditlib.cpp

@@ -0,0 +1,51 @@
+// auditlib.so
+
+#include <stdio.h>
+#include <link.h>
+
+// Snippets included from:
+// https://man7.org/linux/man-pages/man7/rtld-audit.7.html
+
+/* 
+   unsigned int la_version(unsigned int version);
+
+   This is the only function that must be defined by an auditing
+   library: it performs the initial handshake between the dynamic
+   linker and the auditing library.  When invoking this function,
+   the dynamic linker passes, in version, the highest version of the
+   auditing interface that the linker supports.
+
+   A typical implementation of this function simply returns the
+   constant LAV_CURRENT, which indicates the version of <link.h>
+   that was used to build the audit module.  If the dynamic linker
+   does not support this version of the audit interface, it will
+   refuse to activate this audit module.  If the function returns
+   zero, the dynamic linker also does not activate this audit
+   module.
+
+   In order to enable backwards compatibility with older dynamic
+   linkers, an audit module can examine the version argument and
+   return an earlier version than LAV_CURRENT, assuming the module
+   can adjust its implementation to match the requirements of the
+   previous version of the audit interface.  The la_version function
+   should not return the value of version without further checks
+   because it could correspond to an interface that does not match
+   the <link.h> definitions used to build the audit module.
+*/
+
+__attribute__((constructor))
+static void init(void) {
+  printf("I'm loaded from LD_AUDIT ");
+}
+
+unsigned int la_version(unsigned int version) {
+  // Prepare output - top of the yaml, and first event (version)
+
+  printf("%d", version);
+
+  // If version == 0 the library will be ignored by the linker.
+  if (version == 0) {
+    return version;
+  } 
+  return LAV_CURRENT;
+}

version_only/preloadlib.cpp

@@ -0,0 +1,9 @@
+// preloadlib.so
+
+#include <stdio.h>
+#include <link.h>
+
+__attribute__((constructor))
+static void init(void) {
+  printf("I'm loaded from LD_PRELOAD ");
+}