Add $ORIGIN to fuzzer-coverage sanitized .so's.

Build fuzzer-sanitized libraries with an $ORIGIN DT_RUNPATH. Android's linker
uses DT_RUNPATH, not DT_RPATH. When we deploy cc_fuzz targets and their
libraries to /data/fuzz/<arch>/lib, any transient shared library gets the
DT_RUNPATH from the shared library above it, and not the executable, meaning
that the lookup falls back to the system. Adding the $ORIGIN to the DT_RUNPATH
here means that transient shared libraries can be found colocated with their
parents.

This may have some interesting consequences if:

 1. Your fuzz target depends on a shared library which has `sanitize.fuzzer:
 false` (as the DT_RUNPATH won't have `$ORIGIN`, and so you may get missing
 libraries).
 2. A `SANITIZE_TARGET=fuzzer` platform has a shared object in two
 different directories (like system vs. ndk) and is depending on the linker
 implementation details to resolve this in some manner.

I don't believe either of these instances should reasonably happen in
practise.

Fixes: 145973404
Fixes: 145988908
Test: m example_fuzzer
Change-Id: I94cbf628fc1ce15c43283d72bdabd9817de1fef8