AppArmor: silence denial of sys_ptrace capability

We already allow ptrace for its relevant subprocesses via ptrace
rules, and I'm unsure if the full capability is really needed. I see
lots of other profiles which have ptrace rules without the capability
so I guess not. And I wonder if allowing the capability allows ptrace
for arbitrary processes, which would be really bad.

So let's assume it's not needed and we'll see what happens.

apparmor/torbrowser.Browser.firefox

@@ -12,6 +12,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
   #include <abstractions/opencl>
   #include if exists <abstractions/vulkan>
 
+  deny capability sys_ptrace,
+
   # Uncomment the following lines if you want to give the Tor Browser read-write
   # access to most of your personal files.
   # #include <abstractions/user-download>