apparmor: allow change_profile for nested container runtimes#2548

Closed
Mohataseem89 wants to merge 1 commit into
containers:mainfrom
Mohataseem89:fix/apparmor-change-profile-nested-containers

Conversation

@Mohataseem89

Fixes: podman-container-tools/podman#28992

Problem

On kernel 6.17, starting a container via the Docker-compat API
(docker compose / docker CLI pointed at the podman socket) from inside a
systemd/Quadlet-launched container fails with:

crun: `/proc/thread-self/attr/apparmor/exec`: OCI runtime error:
unable to assign security attribute

The outer container runs under containers-default-*. When crun inside
that container tries to write an AppArmor profile name to
/proc/thread-self/attr/apparmor/exec for the child container, the
kernel rejects it because change_profile is not permitted by the outer
container's profile.

Native podman run from the host is unaffected (process is unconfined).
podman --remote is also unaffected. Only the compat API path from
inside a confined systemd container triggers this.

Reported: podman-container-tools/podman#28992
Downstream: moghtech/komodo#1488

Fix

Add change_profile -> **, inside the >= 208096 version guard,
alongside the existing signal rules for crun/runc/podman. This gives
OCI runtimes running inside a container permission to assign AppArmor
profiles to their child processes.

Testing

Reproduction:

  1. Launch a container via Quadlet with --cgroups=split --sdnotify=conmon
     and the host's rootful podman socket bind-mounted.
  2. From inside that container, run docker run alpine echo hi against the
     socket.
  3. Without this fix: crun: unable to assign security attribute
  4. With this fix: the container starts successfully

Signed-off-by: Mohataseem Khan <mohataseem89@gmail.com>
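As an added example, not code from this PR or from the containers/common project: a small Go program that renders a minimal AppArmor profile from a text/template carrying a version guard in the same style the PR description refers to (`{{if ge .Version 208096}}`), and that parses `apparmor_parser --version` output into the integer encoding under which that guard is compared (major*100000 + minor*1000 + patch, so 208096 stands for parser 2.8.96). The profile body, the signal rules shown beside the new line, the sample version output and the helper names (ParseAAParserVersion, RenderProfile, AllowsChangeProfile) are all assumptions made for illustration; only the `change_profile -> **,` rule itself is taken from the PR. The glob `**` matches any profile name, so the rendered policy lets a nested runtime transition its child to whichever loaded profile it names; AllowsChangeProfile is the check a reviewer would run over generated policy to confirm the rule is emitted only for parsers new enough to accept it.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strconv"
	"strings"
	"text/template"
)

// Illustrative profile template (assumption: modelled on, but not copied
// from, the project's template). The guard keeps rules that older parsers
// reject out of the generated policy.
const profileTemplate = `#include <tunables/global>

profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,
{{if ge .Version 208096}}
  # Illustrative signal rules for OCI runtimes (not the project's exact set).
  signal (receive) peer=unconfined,
  signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
  signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,

  # Rule the PR adds: a nested OCI runtime may assign an AppArmor profile to
  # its child by writing to /proc/thread-self/attr/apparmor/exec.
  change_profile -> **,
{{end}}
  deny @{PROC}/sys/kernel/** w,
}
`

type profileData struct {
	Name    string
	Version int
}

// ParseAAParserVersion turns the first line of "apparmor_parser --version"
// output ("AppArmor parser version 2.8.96") into major*100000 + minor*1000 +
// patch, the encoding under which 208096 means "2.8.96 or newer".
func ParseAAParserVersion(output string) (int, error) {
	firstLine := strings.SplitN(strings.TrimSpace(output), "\n", 2)[0]
	fields := strings.Fields(firstLine)
	if len(fields) == 0 {
		return -1, fmt.Errorf("empty apparmor_parser version output")
	}
	version := fields[len(fields)-1]
	// Drop pre-release suffixes such as "3.0.0-beta1" or "2.13.2~rc1".
	version = strings.SplitN(version, "-", 2)[0]
	version = strings.SplitN(version, "~", 2)[0]
	parts := strings.Split(version, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return -1, fmt.Errorf("unparseable apparmor_parser version %q", version)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return -1, fmt.Errorf("unparseable apparmor_parser version %q: %w", version, err)
		}
		nums[i] = n
	}
	return nums[0]*100000 + nums[1]*1000 + nums[2], nil
}

// RenderProfile executes the template for a profile name and parser version.
func RenderProfile(name string, version int) (string, error) {
	tmpl, err := template.New("apparmor").Parse(profileTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, profileData{Name: name, Version: version}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// AllowsChangeProfile reports whether rendered policy carries the PR's rule.
func AllowsChangeProfile(profile string) bool {
	return strings.Contains(profile, "change_profile -> **,")
}

func main() {
	// Constructed sample of what "apparmor_parser --version" prints.
	const sampleVersionOutput = "AppArmor parser version 2.8.96\nCopyright (C) 1999-2008 Novell Inc.\n"
	v, err := ParseAAParserVersion(sampleVersionOutput)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	profile, err := RenderProfile("containers-default-example", v)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(profile)
	fmt.Printf("parser version %d, change_profile rule present: %v\n", v, AllowsChangeProfile(profile))
}
```

Running it prints the rendered profile for a 2.8.96 parser with the `change_profile -> **,` line inside the guarded block; feeding a version below 208096 renders the same profile without it, which is the property the guard exists to provide.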
@github-actions


This repository has been migrated to https://github.com/containers/container-libs. Please open your PR there.

Development

Successfully merging this pull request may close these issues.

Docker-compat API container start fails AppArmor assignment (crun: unable to assign security attribute) on kernel 6.17 while native podman works