Let admin block suspend in some cases

There may be policy critical apps that must not be suspended by the
user in a managed profile. The owner can now use either of the following
to block suspension of apps:
 - DISALLOW_APPS_CONTROL: Blocks suspension of all apps in the user
 - DISALLOW_UNINSTALL_APPS: Blocks suspension of all apps in the user
 - setUninstallBlocked: Blocks suspension of a given package.

The same also block any of the DistractionRestriction to be set via
PackageManager#setDistractingPackageRestrictions. This is to make sure
the apps can still show notifications.

Since the owner should have the final call, these do not block the owner
from adding app suspensions itself. Whenever either of these are set,
any app suspensions that were not originally added by the owner are
lifted immediately and any distraction restrictions that were added are
removed.

Also, clearing restrictions and suspensions if an app with SUSPEND_APPS
permission is disabled. Even though it is expected that UI not allow
such an app to be disabled, it is hard to enforce across all device
implementations. And a missed edge case would lead to permanently
unusable apps on the device.

This change also fixes a bug where any DistractionRestrictions set
weren't cleared on suspending app data clear.

Test: atest GtsSuspendAppsTestCases

Bug: 144826981
Bug: 145735990
Change-Id: I81a492e1d07a8cc9aeb0acd7e5142826824a42ae