apparmor: remove explicit restriction that unconfined cannot use change_hat
author John Johansen <john.johansen@canonical.com>
Fri, 19 Jan 2024 08:24:03 +0000 (00:24 -0800)
committer John Johansen <john.johansen@canonical.com>
Sat, 18 Jan 2025 14:47:12 +0000 (06:47 -0800)
commit 35fad5b462224e0da3764f68b69827281eeaac8c
tree 68707d95adeff0ffc576adaa1c5558ffb9f0042a
parent cd769b05cc87fb527dbab547e65b934b45705d6b
apparmor: remove explicit restriction that unconfined cannot use change_hat

There does not need to be an explicit restriction that unconfined
can't use change_hat. Traditionally unconfined doesn't have hats
so change_hat could not be used. But newer unconfined profiles have
the potential of having hats, and even system unconfined will be
able to be replaced with a profile that allows for hats.

To remain backwards compatible with expected return codes, continue
to return -EPERM if the unconfined profile does not have any hats.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/apparmorfs.c
security/apparmor/domain.c