Set underlying block device RO when enabling verity

Currently, when verity is set up on a block device, the underlying
device is still accessible directly. Change the existing function
fs_set_blk_ro visible to other fs_mgr modules, change the behavior
to match the comment above the function definition, and call it to
disable write access to the block device when setting up verity.

Bug: 18609347
Change-Id: I7884175df15f9161174788d74d20a08e4cd472ca