Fix access control isAlwaysOnVpnLockdownEnabled

* Let the caller who has PERMISSION_MAINLINE_NETWORK_STACK
  bypass the admin authentication check.
* Use getCallerIdentity variant that allows caller to not
  be an admin.
* If the caller is a device owner or profile owner, then
  the admin must be authenticated

Bug: 171407399
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
      atest com.android.cts.devicepolicy.MixedDeviceOwnerTest
Change-Id: Id7152425fd774fc79d511c2e95dbb78ca1e0fc01

1 files changed, 3 insertions, 2 deletions

diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index a253f778744a..866d6503960e 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -5788,8 +5788,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
     public boolean isAlwaysOnVpnLockdownEnabled(ComponentName admin) throws SecurityException {
         Objects.requireNonNull(admin, "ComponentName is null");
 
-        final CallerIdentity caller = getCallerIdentity(admin);
-        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)
+        final CallerIdentity caller = getNonPrivilegedOrAdminCallerIdentity(admin);
+        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
+                && (isDeviceOwner(caller) || isProfileOwner(caller)))
                 || hasCallingPermission(PERMISSION_MAINLINE_NETWORK_STACK));
 
         return mInjector.binderWithCleanCallingIdentity(