Fix access control isAlwaysOnVpnLockdownEnabled
* Let the caller who has PERMISSION_MAINLINE_NETWORK_STACK
bypass the admin authentication check.
* Use getCallerIdentity variant that allows caller to not
be an admin.
* If the caller is a device owner or profile owner, then
the admin must be authenticated
Bug: 171407399
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
atest com.android.cts.devicepolicy.MixedDeviceOwnerTest
Change-Id: Id7152425fd774fc79d511c2e95dbb78ca1e0fc01
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index a253f77..866d650 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -5788,8 +5788,9 @@
public boolean isAlwaysOnVpnLockdownEnabled(ComponentName admin) throws SecurityException {
Objects.requireNonNull(admin, "ComponentName is null");
- final CallerIdentity caller = getCallerIdentity(admin);
- Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)
+ final CallerIdentity caller = getNonPrivilegedOrAdminCallerIdentity(admin);
+ Preconditions.checkCallAuthorization((caller.hasAdminComponent()
+ && (isDeviceOwner(caller) || isProfileOwner(caller)))
|| hasCallingPermission(PERMISSION_MAINLINE_NETWORK_STACK));
return mInjector.binderWithCleanCallingIdentity(
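Review bot: The `Objects.requireNonNull(admin, "ComponentName is null")` kept at the top of isAlwaysOnVpnLockdownEnabled still forces a caller that holds only PERMISSION_MAINLINE_NETWORK_STACK to pass a ComponentName, which the permission branch of the check never verifies. If `caller.hasAdminComponent()` only reports that a component was supplied (the helper is not shown in this hunk, so this is inferred), the added guard is always true after that null check and does not separate the admin path from the permission path. Consider testing the permission first and resolving the admin identity only for device-owner or profile-owner callers, or at least add a comment above the check such as `// Network stack callers are authorized by permission alone; admin is verified only for DO/PO callers.` It is also worth confirming that the listed tests cover a caller with the permission and no admin role. The method body continues past the end of the hunk.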