Hookup renounced permissions

Propagate renounced permissions from context params
to the context attribution source. Throw if one
tries to request at runtime a renounced permission.

Also make the AttributionSource take null for the
setters to ease usage, otherwise folks should always
check for null before calling a builder method.

Additionally, we allow apps that have UPDATE_APP_OPS_STATS
to register arbitrary trusted AttributionSource for
testing. Note that this permission allows abritrary app
op operations, thus we are not relaxing the security
model.

bug: 158792096

Test: atest CtsPermission5TestCases

Change-Id: I4330684bb8695fb998cf31e9363b94ad981ba2cc