Add signature permission allowlist.

Signature permission allowlist works in a very similar way to privileged
permission and OEM permission allowlists, but is only applicable to apps
that are not preinstalled, i.e. preinstalled apps automatically get all
their signature permissions allowlisted.

If a non-preinstalled platform-signed app tries to obtain a platform
signature permission, it can now only obtain the permission when its
package name and the permission is in this new signature permission
allowlist - otherwise the permission won't be granted as if the app
weren't platform-signed.

Debuggable builds are exempt from this allowlist requirement and the
platform signature permissions may still be granted despite a warning.

Bug: 308573169
Test: manual, automated test approach is still being discussed.
Change-Id: Iccee5b189ac807f9d62984d6e20c3ed5f91a9143