more ioctl work
Add a neverallow rule requiring fine-grain ioctl filtering for most file and socket object classes. Only chr_file and blk_file are excluded. The goal is to ensure that any file descriptor which supports ioctl commands uses a whitelist.

Further refine the list of file / socket objects which require ioctl filtering. The previous ioctl filtering did not cover the following:

1) ioctls on /proc/PID files
2) ioctls on directories in /dev
3) PDX unix domain sockets

Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX are alternate, uncommon ways to set the O_CLOEXEC flag on a file descriptor, which is a harmless operation.

Test: device boots and no problems.

Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618
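The commit treats FIOCLEX and FIONCLEX as safe because they only toggle the same close-on-exec flag that fcntl(F_SETFD, FD_CLOEXEC) controls. The following is an added example, not code from the commit or the sepolicy project, that checks this equivalence on a pipe descriptor (a Linux or BSD libc is assumed):

```c
/* Added example (not part of the commit): show that FIOCLEX / FIONCLEX
 * only toggle the close-on-exec flag that fcntl(F_SETFD, FD_CLOEXEC)
 * controls, which is why the commit lists them as globally safe ioctls. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Return 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error. */
static int cloexec_is_set(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set close-on-exec via the FIOCLEX ioctl; return the resulting flag state or -1. */
static int set_cloexec_via_ioctl(int fd) {
    if (ioctl(fd, FIOCLEX) < 0) return -1;
    return cloexec_is_set(fd);
}

/* Clear close-on-exec via the FIONCLEX ioctl; return the resulting flag state or -1. */
static int clear_cloexec_via_ioctl(int fd) {
    if (ioctl(fd, FIONCLEX) < 0) return -1;
    return cloexec_is_set(fd);
}

/* Round trip on a fresh pipe: the flag starts clear, FIOCLEX sets it,
 * FIONCLEX clears it, and a flag set through fcntl is visible to and
 * cleared by the same ioctl. Returns 1 when every step behaves that way. */
static int cloexec_roundtrip_ok(void) {
    int fds[2];
    if (pipe(fds) < 0) return 0;
    int fd = fds[0];
    int ok = cloexec_is_set(fd) == 0
          && set_cloexec_via_ioctl(fd) == 1
          && clear_cloexec_via_ioctl(fd) == 0
          && fcntl(fd, F_SETFD, FD_CLOEXEC) == 0
          && cloexec_is_set(fd) == 1
          && clear_cloexec_via_ioctl(fd) == 0;
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void) {
    printf("FIOCLEX/FIONCLEX round trip %s\n",
           cloexec_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```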