Add new feature for running services in "isolated" sandbox processes.

This reserves a range of uids (for each user) in which these processes
run.  These uids are not associated with an application, so they
effectively run with no permissions.  When a Service requests to
run in such a process through android:isolatedProcess="true", each
time it is brought up a new isolated process is started with its
own unique uid.

What we have so far gives us the basic infrastructure; more work
remains to further lock down what these uids have access to.

Change-Id: Ibfd27c75619cba61f528f46ede9113f98dc5f45b