Merge "Fix access control checks getOwnerInstalledCaCerts" into udc-dev

commit: cf16a02e27d2f0a89d95dcf17ad088fca6be2300 [log] [tgz]
author: Alex Johnston <acjohnston@google.com> Mon Feb 20 12:04:53 2023 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Mon Feb 20 12:04:53 2023 +0000
tree: 04354a73f65d168e9691078a370d9437f18ad555
parent: 3d907cca3cac9c5dd947214aa8b17dda5dead326 [diff]
parent: b52f6dae9992b01a27c91407da19671981bc1fbf [diff]
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 64c4d98..3c3cb2b 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

@@ -18611,9 +18611,9 @@
     public StringParceledListSlice getOwnerInstalledCaCerts(@NonNull UserHandle user) {
         final int userId = user.getIdentifier();
         final CallerIdentity caller = getCallerIdentity();
-        Preconditions.checkCallAuthorization((userId == caller.getUserId())
-                || isProfileOwner(caller) || isDefaultDeviceOwner(caller)
-                || hasFullCrossUsersPermission(caller, userId));
+        Preconditions.checkCallAuthorization(
+                (isProfileOwner(caller) || isDefaultDeviceOwner(caller) || canQueryAdminPolicy(
+                        caller)) && hasFullCrossUsersPermission(caller, userId));
 
         synchronized (getLockObject()) {
             return new StringParceledListSlice(
commit	cf16a02e27d2f0a89d95dcf17ad088fca6be2300	[log] [tgz]
author	Alex Johnston <acjohnston@google.com>	Mon Feb 20 12:04:53 2023 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Mon Feb 20 12:04:53 2023 +0000
tree	04354a73f65d168e9691078a370d9437f18ad555
parent	3d907cca3cac9c5dd947214aa8b17dda5dead326 [diff]
parent	b52f6dae9992b01a27c91407da19671981bc1fbf [diff]