Don't allow seamless handover to networks requiring permissions.
Currently, implicitly-marked sockets continue to work when the
Instead, make it so that sockets implicitly marked to a network
This is consistent with what we do for TCP: when a network
This change should not affect any other behaviour because:
- Netd only ever implicitly marks sockets to the default network
or to a bypassable VPN that applies to the caller.
- In both cases, at the time of marking, the network does not
require permissions because:
- VPNs don't support permissions.
- The default network never requires any permissions:
- ConnectivityService's mDefaultRequest specifies
- The only case where a NOT_RESTRICTED network can require a
permission is if it's a background network, and the default
network is, by definition, never a background network.
- VPNs can't change permissions.
implicit rule doesn't matter.
Therefore, the only case where this rule can alter routing is if