sepolicy: Dynamically build trust policy into system/vendor

 * Introduce a new board flag TARGET_USES_PREBUILT_VENDOR_SEPOLICY and
   a sepolicy variant: dynamic
 * When TARGET_USES_PREBUILT_VENDOR_SEPOLICY=true, dynamic act as
   private policy, and vendor policy is excluded in order to avoid
   conflicts (it's not integrated to final builds anyway). When the flag
   is not set, dynamic acts as vendor policy to survive from system
   image change i.e. GSI installation.

Change-Id: I8bfd078d6064616c88e2c58a9fa3aa045dddf303