Allow app zygote preload to retain files across fork
The bug proposes to 'move' the /proc/self/fd/ readlink/stat/etc checks performed by the FileDescriptorAllowlist from before-fork to an earlier stage.

The original aim was to allow the app zygote Preload hook to open ashmem/memfd read-only regions to save more RAM (around 5MiB on aarch64) via sharing more across processes. Potentially other files/sockets can be opened - the app zygote takes responsibility for managing file descriptor access controls across its own processes. App Zygote Preload does not run 3rd party code.

Unfortunately a straightforward move of the checks to just-before-preload has disadvantages:

* opens more codepaths for potential accidental misuse (the zygote accepts commands between preload and fork, there are valid usecases for extending these commands)
* this way FileDescriptorAllowlist would need to support more file descriptor types (sockets and maybe pipes), which is not needed now because these FDs are closed right before forking

The solution proposed here is to:

1. Determine the set of file descriptors open before preload
2. Run the preload hook
3. Determine FDs opened by the hook and allow them to remain open across fork
4. Hypothetical new attempts to preload (if ever supported) will not affect the allowed FDs - the preload will be able to toss its own FDs the way it wants, but not open the new-new ones

Bug: 184808875
Test: Manual: unreleased Chrome patch: while in app zygote preload, create ashmem region, pass it to 'untrusted_app' (=browser process), and call mmap(2) on it.
Change-Id: Ie302eabca83a0e4f409cb131e4308b73e5f6a580
Merged-In: Ie302eabca83a0e4f409cb131e4308b73e5f6a580
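A small Python model of the four-step scheme in the commit message (an added illustration, not the AOSP change itself, which lives in the Java/native zygote code): snapshot /proc/self/fd before the preload hook, run it once, allowlist only the FDs it left open, and re-check each allowlisted fd's readlink target and (st_dev, st_ino) at fork time so a closed-and-reused fd number does not slip through. The class and method names are assumptions for this example; it needs a Linux /proc.

```python
import os


class PreloadFdAllowlist:
    """Model of the proposed scheme: FDs opened by the first preload may
    survive fork; later preloads cannot extend the set; identity is
    re-checked before fork (readlink target, st_dev, st_ino)."""

    def __init__(self):
        self._allowed = None  # frozen after the first preload

    @staticmethod
    def _fd_identity(fd):
        st = os.fstat(fd)  # a reused fd number yields a different identity
        return os.readlink(f"/proc/self/fd/{fd}"), st.st_dev, st.st_ino

    @classmethod
    def _open_fds(cls):
        fds = {}
        for name in os.listdir("/proc/self/fd"):
            try:
                fds[int(name)] = cls._fd_identity(int(name))
            except OSError:
                pass  # listdir's own directory fd is already closed
        return fds

    def run_preload(self, hook):
        """Run hook() and return the set of FDs it left open."""
        before = self._open_fds()
        hook()
        new = {fd: i for fd, i in self._open_fds().items() if fd not in before}
        if self._allowed is None:  # a later preload cannot extend the set
            self._allowed = new
        return set(new)

    def may_survive_fork(self, fd):
        """Fork-time check: allowlisted and still the same kernel object."""
        if not self._allowed or fd not in self._allowed:
            return False
        try:
            return self._fd_identity(fd) == self._allowed[fd]
        except OSError:
            return False
```

In the real zygote the equivalent check happens inside the existing FileDescriptorAllowlist path just before fork; the model only makes the freeze-after-first-preload and identity re-check explicit.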