mediacodec: route all libbinder traffic to /dev/vndbinder

This CL provides additional sandboxing to ensure that the ban on using
/dev/binder to communicate between system and vendor is enforced (even
if SE policy might otherwise permit it.)  This is done only on
full-Treble devices.

b/36604251 OMX HAL (aka mediacodec) uses Binder and even exposes a
	   Binder service

Test: marlin

Change-Id: I344f5eb9d8719beec02207be65caca78336afff5
Signed-off-by: Iliyan Malchev <malchev@google.com>