Commit 6a97cc3b authored by Jeff Sharkey

Grant notification Uri permissions as sending app.

For security reasons, the system UID can't make URI permission as
itself; it always needs to do so on behalf of a specific app.  To
handle this, we grant notification Uri permissions as the UID that
sent a given notification.

To give meaningful debug messages to developers, check to see if the
caller has permissions to grant Uri access when they're enqueuing
a notification.  If they're targeting P, throw any security issues
back at the caller; if older SDK, log and ignore that Uri.

Since multiple notifications can grant access to the same content,
we need unique UriPermissionOwner per active notification.  For
example, consider these two notifications:

1. sound=content://sound, image=content://image1
2. sound=content://sound, image=content://image2

When #1 is cancelled, we still need to keep the content://sound
grant active until #2 is also cancelled.  Using unique owners
means that ActivityManagerService tracks reference counting on
our behalf.

Optimizations to avoid allocations in hot code paths.

Test: atest frameworks/base/services/tests/uiservicestests/src/com/android/server/notification
Bug: 9069730
Change-Id: I69601793538adcbf06c4986a2fb1ea2dd9d876eb
parent 167032ab
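
The two-notification case from the commit message, as an added example that is not code from this commit or from the Android framework: a simplified model of owner-scoped grants. The class `UriGrantModel` and its methods are hypothetical, and the model assumes a grant can only be dropped by revoking everything its owner holds.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model of owner-scoped URI grants; not ActivityManagerService code.
public class UriGrantModel {
    // uri -> owners currently holding a grant on that uri
    private final Map<String, Set<Object>> ownersByUri = new HashMap<>();

    void grant(Object owner, String uri) {
        ownersByUri.computeIfAbsent(uri, k -> new HashSet<>()).add(owner);
    }

    // Assumption: revocation is per owner. A uri stays granted while any owner remains.
    void revokeAll(Object owner) {
        ownersByUri.values().forEach(owners -> owners.remove(owner));
        ownersByUri.values().removeIf(Set::isEmpty);
    }

    boolean isGranted(String uri) {
        return ownersByUri.containsKey(uri);
    }

    public static void main(String[] args) {
        // One owner shared by both notifications: cancelling #1 has to revoke
        // the shared owner, which also removes the sound grant #2 still needs.
        UriGrantModel shared = new UriGrantModel();
        Object sharedOwner = new Object();
        shared.grant(sharedOwner, "content://sound");
        shared.grant(sharedOwner, "content://image1");
        shared.grant(sharedOwner, "content://sound");
        shared.grant(sharedOwner, "content://image2");
        shared.revokeAll(sharedOwner);
        System.out.println("shared owner, sound after cancelling #1: "
                + shared.isGranted("content://sound"));

        // One owner per notification: the set of owners acts as the reference count.
        UriGrantModel unique = new UriGrantModel();
        Object n1 = new Object();
        Object n2 = new Object();
        unique.grant(n1, "content://sound");
        unique.grant(n1, "content://image1");
        unique.grant(n2, "content://sound");
        unique.grant(n2, "content://image2");
        unique.revokeAll(n1);
        System.out.println("unique owners, sound after cancelling #1: "
                + unique.isGranted("content://sound"));
        System.out.println("unique owners, image1 after cancelling #1: "
                + unique.isGranted("content://image1"));
        unique.revokeAll(n2);
        System.out.println("unique owners, sound after cancelling #2: "
                + unique.isGranted("content://sound"));
    }
}
```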