Prepare app data only when storage is available.

Before this change, scanning a package aggressively tried checking
to ensure that private app data was prepared.  However, in an FBE
world we may not have access to that data at scan time.  So this
change shifts the preparing of private app data until later: it
prepares DE storage when a user is started, and CE storage when a
user is unlocked.  Wire ourselves into the user lifecycle so we can
prepare storage at both user start and unlock.

When DE/CE storage becomes available, this change reconciles any
found packages against known installed apps, and deletes any orphaned
data directories.

We now need to store the last-restorecon hash in an xattr on a
per-user directory basis, since we can't restorecon CE storage until
it's unlocked, or adopted storage until it's mounted.  Remove a
bunch of used logic for loading dynamic SELinux policy at runtime;
our policy always comes from the system image.

Bug: 26466827, 26544104
Change-Id: I8d0a4ef862c35f4e4ef5c7f20d3bb8f12ba3fd4b