Isolate app profile directory

- During Zygote fork (before setuid), Zygote will create a tmpfs overlay
(mount namespace) on profile directory.

- Zygote will then bind mount packages with same uid from mirror profile
to actual profile directories.

Bug: 143937733
Test: "adb shell cmd package dump-profiles" shows it works
Change-Id: I8ef889b0185c24c29e871f72a500a048076d1c95