mediaex: apply seccomp filter
We can safely reduce the number of accessible system calls from ~250 down to ~30. This commit adds a seccomp filter for arm/arm64 devices. Mediaextractor runs as a 32-bit process so the same filter is used for both arm and arm64 devices.

The filter is arranged by frequency of the system call to provide the best performance. Most system calls are whitelisted without argument inspection. The exception is the socket syscall where the first argument is checked to ensure only domain=AF_LOCAL sockets are allowed - used for logging.

Vendor additions may be appended to the default filter by creating a mediaextractor-seccomp.policy file and pointing BOARD_SECCOMP_POLICY to the directory where it resides.

For example:
create: device/<oem>/<target>/seccomp/mediaextractor-seccomp.policy with the necessary syscalls.
set: BOARD_SECCOMP_POLICY=device/<oem>/<target>/seccomp in the device's BoardConfig.mk

Change-Id: I384a43beaa18f10081c15320a795d9d9d0180de4
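The filter shape the commit message describes (an arch check, a frequency-ordered whitelist of syscall numbers, and one rule that also inspects arg0 of socket() so only AF_LOCAL is allowed) can be written out as a seccomp-bpf program directly. The following is an added example, not code from the AOSP commit or the mediaextractor policy: it builds such a filter in C and checks it offline with a tiny classic-BPF interpreter, so the allow/kill decisions can be verified without installing anything. Assumptions: ARM EABI 32-bit syscall numbers (ioctl=54, socket=281, etc.), AUDIT_ARCH_ARM for the arch check, AF_LOCAL=1, a little-endian target (so the low word of args[0] sits at its first four bytes), and a six-entry sample whitelist that stands in for the real ~30-entry policy. The `install_filter` helper shows the prctl path for an actual 32-bit ARM process; on any other architecture the arch check would kill every syscall, which is the intended fail-closed behaviour.

```c
/* Added example (not AOSP/mediaextractor code): a seccomp-bpf whitelist in the
 * shape described by the commit message, plus a minimal cBPF interpreter to
 * evaluate it offline. Syscall numbers are ARM EABI (32-bit); the allowed set
 * is a constructed sample, not the real policy. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* cBPF opcodes and seccomp return codes (values from the Linux UAPI headers). */
#define OP_LD_W_ABS    0x20
#define OP_JEQ_K       0x15
#define OP_RET_K       0x06
#define RET_KILL       0x00000000u  /* SECCOMP_RET_KILL */
#define RET_ALLOW      0x7fff0000u  /* SECCOMP_RET_ALLOW */
#define AUDIT_ARCH_ARM 0x40000028u  /* EM_ARM | __AUDIT_ARCH_LE */

/* ARM EABI syscall numbers (assumed from asm/unistd.h) and socket domains. */
#define NR_read 3
#define NR_write 4
#define NR_close 6
#define NR_ioctl 54
#define NR_mmap2 192
#define NR_exit_group 248
#define NR_socket 281
#define AF_LOCAL_DOMAIN 1
#define AF_INET_DOMAIN 2

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };       /* struct sock_filter layout */
struct sc_data { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; }; /* struct seccomp_data layout */

/* Constructed sample whitelist, most frequent first, mirroring the commit's
 * "arranged by frequency" layout. Only socket() gets argument inspection. */
static const uint32_t plain_allowed[] = { NR_ioctl, NR_read, NR_mmap2, NR_write, NR_close, NR_exit_group };
#define N_PLAIN (sizeof plain_allowed / sizeof plain_allowed[0])

static struct bpf_insn ld(uint32_t off) { struct bpf_insn i = { OP_LD_W_ABS, 0, 0, off }; return i; }
static struct bpf_insn jeq(uint32_t k, size_t jt, size_t jf) { struct bpf_insn i = { OP_JEQ_K, (uint8_t)jt, (uint8_t)jf, k }; return i; }
static struct bpf_insn ret(uint32_t k) { struct bpf_insn i = { OP_RET_K, 0, 0, k }; return i; }

/* Emits: arch check, one JEQ per plain syscall, the socket rule with its arg0
 * check, then the shared KILL and ALLOW tails. Jump targets are relative to the
 * next instruction and must fit in 8 bits. Returns the length, or 0 on failure. */
size_t build_filter(struct bpf_insn *out, size_t cap) {
  size_t kill_idx = 4 + N_PLAIN + 3, allow_idx = kill_idx + 1, total = allow_idx + 1, n = 0;
  if (cap < total || allow_idx - 5 > 255) return 0;
  out[n++] = ld(offsetof(struct sc_data, arch));
  out[n++] = jeq(AUDIT_ARCH_ARM, 1, 0);            /* wrong ABI: fall through to KILL */
  out[n++] = ret(RET_KILL);
  out[n++] = ld(offsetof(struct sc_data, nr));
  for (size_t i = 0; i < N_PLAIN; i++, n++)
    out[n] = jeq(plain_allowed[i], allow_idx - (n + 1), 0);  /* match: jump to ALLOW */
  out[n] = jeq(NR_socket, 0, 2); n++;              /* not socket(): skip the arg check, land on KILL */
  out[n++] = ld(offsetof(struct sc_data, args));   /* low 32 bits of args[0] on little-endian */
  out[n] = jeq(AF_LOCAL_DOMAIN, allow_idx - (n + 1), kill_idx - (n + 1)); n++;
  out[n++] = ret(RET_KILL);                        /* index kill_idx */
  out[n++] = ret(RET_ALLOW);                       /* index allow_idx */
  return n;
}

/* Minimal cBPF interpreter covering the three opcodes emitted above. */
uint32_t run_filter(const struct bpf_insn *f, size_t len, const struct sc_data *d) {
  uint32_t acc = 0;
  size_t pc = 0;
  while (pc < len) {
    const struct bpf_insn *i = &f[pc];
    switch (i->code) {
    case OP_LD_W_ABS:
      if (i->k % 4 || i->k + 4 > sizeof *d) return RET_KILL;  /* kernel rejects such loads at install */
      memcpy(&acc, (const uint8_t *)d + i->k, 4);
      pc++;
      break;
    case OP_JEQ_K: pc += 1 + (acc == i->k ? i->jt : i->jf); break;
    case OP_RET_K: return i->k;
    default: return RET_KILL;
    }
  }
  return RET_KILL;  /* fell off the end; the kernel would refuse to load such a program */
}

/* What would the filter decide for this (arch, syscall number, first argument)? */
uint32_t decide(uint32_t arch, int32_t nr, uint64_t arg0) {
  struct bpf_insn prog[64];
  size_t len = build_filter(prog, 64);
  struct sc_data d = { nr, arch, 0, { arg0, 0, 0, 0, 0, 0 } };
  return len ? run_filter(prog, len, &d) : RET_KILL;
}

#ifdef __linux__
#include <sys/prctl.h>
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
/* Installs the filter for real. Only meaningful in a 32-bit ARM process: the
 * arch check makes the filter kill every syscall anywhere else. */
int install_filter(void) {
  static struct bpf_insn prog[64];
  struct { unsigned short len; struct bpf_insn *filter; } fprog = { 0, prog };  /* struct sock_fprog layout */
  fprog.len = (unsigned short)build_filter(prog, 64);
  if (!fprog.len || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
  return prctl(PR_SET_SECCOMP, 2 /* SECCOMP_MODE_FILTER */, &fprog, 0, 0);
}
#endif

int main(void) {
  printf("socket(AF_LOCAL): %s\n", decide(AUDIT_ARCH_ARM, NR_socket, AF_LOCAL_DOMAIN) == RET_ALLOW ? "allow" : "kill");
  printf("socket(AF_INET):  %s\n", decide(AUDIT_ARCH_ARM, NR_socket, AF_INET_DOMAIN) == RET_ALLOW ? "allow" : "kill");
  return 0;
}
```

Two properties worth checking on any such filter are visible in `decide`: an unknown syscall number and a socket() with any domain other than AF_LOCAL both reach the KILL tail, and a call arriving under a different audit arch is killed before the syscall number is even inspected, which is what protects a 32-bit whitelist from being bypassed by a 64-bit syscall with the same number.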