Ignore the AA_CHANGE_PROFILE flag when checking for link permission.

kernel-patches/for-mainline/change_profile-2.diff

@@ -0,0 +1,18 @@
+---
+ security/apparmor/main.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/security/apparmor/main.c
++++ b/security/apparmor/main.c
+@@ -68,6 +68,11 @@ static int aa_link_denied(struct aa_prof
+ 
+ 	l_mode = aa_match(profile->file_rules, link);
+ 	t_mode = aa_match(profile->file_rules, target);
++
++	/* Ignore valid-profile-transition flags. */
++	l_mode &= ~AA_CHANGE_PROFILE;
++	t_mode &= ~AA_CHANGE_PROFILE;
++
+ 	*request_mask = l_mode | AA_MAY_LINK;
+ 
+ 	/* Link always requires 'l' on the link, a subset of the

kernel-patches/for-mainline/series

@@ -62,6 +62,7 @@ audit-remove-buffer.diff
 #multi-profile-load.diff
 fix_link_perm.diff
 change_profile.diff
+change_profile-2.diff
 flatten-hats.diff
 flatten-hats-2.diff
 #change_hat-to-change_profile.diff