Add DomainVerificationEnforcer

Abstracts the permission/caller enforcement code from
DomainVerificationService.

There's 3 types of callers the service cares about:
1. Able to change internal state, which for now is only system and shell
    - Not currently used, but will be for debug/shell commands
2. Approved verifier, which is system, shell, or the verification agent
3. Approved user state selector, which requires the permission

Exempt-From-Owner-Approval: Already approved by owners on main branch

Bug: 163565712

Test: atest DomainVerificationEnforcerTest

Change-Id: I7c00e4ebd843537e0b20e60c82a1c4abf2904596