PackageManager: Add and protect configuration APIs for pre-launch checks

This change defines an optional pre-launch check.  Trusted applications
must be granted the INTERCEPT_PACKAGE_LAUNCH permission, defined in this
CR, and are allowed to bootstrap themselves using the protected set, add, remove, and clear APIs.

Additionally, checks have been added to ensure that the custom prelaunch
check activity always resolves to a valid target.

This is a roll-up CR from cm-11.0 and also contains the following Change-Ids:
- I0c80bd9ec6bda3d21557aaa9503f05ff86adf434
- Ib62e25b780df39c4a7d9d1e4eaf3fc98ffa4089c

Change-Id: I7f6be647fde3ce4ed699e6abfbe0392176ec96d3