Introduce static roles.

Roles which are static will be kept assigned to its default
holders (if qualified of course), nothing more and nothing less.

This is different from the default app use case where the role is user
visible and configurable, so the default holders are only serving as
an initial value and never assigned afterwards. Now that we have a lot
of system-only invisible roles in S for pregrants, it's time to
formalize this use case as well, which is a role that reflects a
platform config resource.

This is more important in the case of role that are upgraded from
exclusive to non-exclusive, where the previous configuration won't
update the role according to an updated platform resource because that
was just an initial value, while static roles can always follow
changes in that platform resource.

This is done by adding the `static` attribute in roles.xml, making
sure only default packages qualifies for static roles, and ensure that
all default packages are added to the role upon reconciliation. The
bypass role qualifications mechanism still works after this change
because it has a higher precedence during package qualification. The
documentation is also updated to reflect this new concept.

Existing roles are also updated to use static roles when applicable.

Bug: 186051103
Test: presubmit
Change-Id: I9d085749b29905b887cfc133e3f9dcc6afde1e20
Merged-In: I9d085749b29905b887cfc133e3f9dcc6afde1e20