Cleanup and update comments SA mark disabling comments
This commit cleans up and upates comments with regard to changes in
aosp/721999, clarifying the restrictions and potential pitfalls we would
see with regards to IPsec tunnel mode without updatable SAs.
Bug: 111854872
Test: Compiles, comment-only change
Change-Id: I07b0063987463c1a3cf42e112839a31739947c80
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 71a7a2b..7ee3d3b 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1770,6 +1770,11 @@
// and SPs have matching marks (as VTI are meant to be built).
// Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the
// config matches the actual allocated resources in the kernel.
+ // All SAs will have zero marks (from creation time), and any policy that matches the
+ // same src/dst could match these SAs. Non-IpSecService governed processes that
+ // establish floating policies with the same src/dst may result in undefined
+ // behavior. This is generally limited to vendor code due to the permissions
+ // (CAP_NET_ADMIN) required.
//
// c.setMarkValue(mark);
// c.setMarkMask(0xffffffff);