security-profiles-operator
Add ptrace to AppArmorProfile spec
What would you like to be added:
Add the ability to limit ptrace via AppArmorProfile. Allow restricting ptrace peer. I can't think of much of a use case for the other features of the ptrace AppArmor option.
Why is this needed:
Ptrace is a hugely powerful ability, which should generally be restricted to avoid applications inspecting arbitrary processes. Ptrace is however useful for debugging, and is also used by certain applications such as PRoot, among various others mainly used for nested containerization/confinement. Setting the peer to the profile itself tends to be reasonable, as this way the confined application/container can only inspect itself.
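
For reference, this is what the peer restriction described above looks like in raw AppArmor policy. It is an added example, not part of the original issue and not the operator's own profile format. The profile name `spo-ptrace-self` and the surrounding rules are assumptions chosen for illustration.

```apparmor
# Constructed example; "spo-ptrace-self" is a hypothetical profile name.
profile spo-ptrace-self flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>

  # Placeholder for the workload's real file rules (assumption).
  file,

  # Broad form, shown commented out for contrast: with no peer= qualifier
  # the rule matches every peer label.
  #   ptrace,

  # Restricted form. AppArmor checks both ends of a ptrace operation:
  # the tracer's profile needs "trace" or "read", and the tracee's profile
  # needs "tracedby" or "readby". Naming this profile as the only peer for
  # all four permissions means confined tasks can inspect each other
  # (debuggers, PRoot-style nesting) but nothing under another label.
  ptrace (trace, read, tracedby, readby) peer=spo-ptrace-self,
}
```

Because the tracee side is checked as well, a tracer running under a different label, including an unconfined one on the host, is refused by this profile unless a matching `tracedby`/`readby` rule for that peer is added.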