Mark uids without rules with PROTECT_MARK

The default result for a uid without a mark should be MARK_PROTECT
because the service using the uid's mark may be covered by a VPN that
should not cover the user it is acting for.

Bug: 12608570
Change-Id: I2402cb86ddb2fe6e670d1793263ff6c2c31d32fe