Comment 2 for bug 1721342

John Johansen (jjohansen) wrote :

The permission output from the kernel is correct. The kernel has a more fine-grained view of permissions than userspace, and there is not a 1:1 mapping.

What is wrong here is that the kernel should be reporting that this is a failure in the link subset permission test.

That is, the link being created must have a subset of the permissions of its target, so that a link can't be used to circumvent controls placed on the target.

The permissions being reported are the permissions not being allowed. That is, the profile does NOT allow access to those requested permissions.