fw/b: Add support for per app network isolation
* Add support for blocking all network access with
per uid policy (exposed in wifi/data settings).
* When an app is blocked, two things happen:
** Add the uid to a new netd firewall chain fw_isolation
which blocks all network access.
** Generate onLost callbacks for ConnectivityManager requests.
Move the app network requests to a DetachedNetworks map
and remove them from the normal ConnectivityService
machinery to ensure no further callbacks are generated.
* When an app is unblocked, perform the reverse of the steps above.
This includes reattaching the app network requests and triggering
onAvailable() callbacks (and others) as though the networks have
just come back up.
* "Isolation" because the terms blocking and blacklisting
are used all over the place already for dozing, powersave
and temporary whitelist rules. So be distinct to try
to make the code more readable.
This includes the fix below:
Author: Oliver Scott <olivercscott@gmail.com>
Date: Wed Dec 2 13:38:38 2020 -0500
NetworkPolicyManagerService: Fix network isolation for secondary users
* NetworkManager setFirewallUidRule checks that the caller is system uid
* Public service entry points are already protected with
MANAGE_NETWORK_POLICY permission so simply clear calling identity
around NetworkPolicyManagerService setUidFirewallRule() call to
resolve crash for secondary users during settings change.
Change-Id: Id598264c965aafade8e79b9eeca608711ac49028
Change-Id: Id36308bdb8279879ac456b94704007a392b71b0e
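The secondary-user fix described above turns on one pattern: authorize on the caller's real identity first, then adopt the system identity only for the single privileged call. The sketch below is an added example, not the AOSP NetworkPolicyManagerService code; the `FirewallBackend` interface, the `IsolationPolicyService` class and the chain/rule constants are hypothetical stand-ins for the netd-backed firewall API the commit mentions.

```java
import android.Manifest;
import android.content.Context;
import android.os.Binder;

// Hypothetical, trimmed-down service (not the AOSP NetworkPolicyManagerService).
public final class IsolationPolicyService {
    // Stand-in for the netd-backed firewall API; assumed to throw for any
    // caller that is not the system uid, which is what crashed secondary users.
    interface FirewallBackend {
        void setFirewallUidRule(int chain, int uid, int rule);
    }

    // Placeholder values; the real chain and rule ids live in the framework.
    static final int FIREWALL_CHAIN_ISOLATION = 0x100;
    static final int FIREWALL_RULE_ALLOW = 1;
    static final int FIREWALL_RULE_DENY = 2;

    private final Context mContext;
    private final FirewallBackend mBackend;

    IsolationPolicyService(Context context, FirewallBackend backend) {
        mContext = context;
        mBackend = backend;
    }

    // Public Binder entry point: block or unblock all network access for a uid.
    public void setUidIsolated(int uid, boolean isolated) {
        // 1. Authorization runs against the caller's own identity, BEFORE it is
        //    cleared. Moving this below clearCallingIdentity() would let any
        //    caller pass, since the check would then see the system uid.
        mContext.enforceCallingOrSelfPermission(
                Manifest.permission.MANAGE_NETWORK_POLICY, "setUidIsolated");

        // 2. Adopt the system identity only around the one backend call, and
        //    always restore it, even if the backend throws.
        final long token = Binder.clearCallingIdentity();
        try {
            mBackend.setFirewallUidRule(FIREWALL_CHAIN_ISOLATION, uid,
                    isolated ? FIREWALL_RULE_DENY : FIREWALL_RULE_ALLOW);
        } finally {
            Binder.restoreCallingIdentity(token);
        }
        // 3. Detaching or reattaching the app's ConnectivityManager requests
        //    (onLost / onAvailable) would follow here, outside the cleared window.
    }
}
```

Keeping the cleared-identity window to the single `setFirewallUidRule` call, with the permission check outside it, is what makes the fix safe rather than a privilege escalation.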