App data directory isolation
- During Zygote fork (before setuid), Zygote will create a tmpfs overlay (mount namespace) on its DE and CE directories, so app process cannot access the actual DE CE directory anymore.
- In the overlay tmpfs directory, zygote will create its app and whitelisted app data directories.
- Bind mount (namespace) the mirror data directory to the directories in tmpfs overlay.
- When CE storage is ready, ask installd to prepare CE storage's data mirror.

Bug: 143937733
Test: Test app shows it cannot access other apps data directory anymore
Test: Test app shows it can access whitelisted app / same uid app data directory.
Change-Id: I64e06c1ffd962a7134a176aad33c06b5f661f7cd