Cleanup and update comments SA mark disabling comments

This commit cleans up and upates comments with regard to changes in
aosp/721999, clarifying the restrictions and potential pitfalls we would
see with regards to IPsec tunnel mode without updatable SAs.

Bug: 111854872
Test: Compiles, comment-only change
Change-Id: I07b0063987463c1a3cf42e112839a31739947c80

services/core/java/com/android/server/IpSecService.java

@@ -1770,6 +1770,11 @@ public class IpSecService extends IIpSecService.Stub {
             //     and SPs have matching marks (as VTI are meant to be built).
             // Currently update does nothing with marks. Leave empty (defaulting to 0) to ensure the
             //     config matches the actual allocated resources in the kernel.
+            // All SAs will have zero marks (from creation time), and any policy that matches the
+            //     same src/dst could match these SAs. Non-IpSecService governed processes that
+            //     establish floating policies with the same src/dst may result in undefined
+            //     behavior. This is generally limited to vendor code due to the permissions
+            //     (CAP_NET_ADMIN) required.
             //
             // c.setMarkValue(mark);
             // c.setMarkMask(0xffffffff);