Support ephemeral permissions

Ephemeral permissions may be mixed in permission groups, avoid trying to
grant non-ephemeral group members and avoid showing a group for an
ephemeral app if all permissions of that group are not ephemeral

Test: Verified that runtime permissions work for ephemeral and that
groups which contain no ephemeral permissions are auto-rejected/not
displayed in settings.
Test: cts-tradefed run cts -m CtsPermission2TestCases
Test: Verified that permissions that cannot be granted are not shown in
the all permissions fragment.
Change-Id: I511689bc540a025e0e3ebdaf9c62e01764028a9f