Limit IsSeparateProfileChallengeAllowed to system callers

Fixes: 128599668
Test: build, set up separate challenge
Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

@@ -3428,6 +3428,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 
     @Override
     public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+        if (!isCallerWithSystemUid()) {
+            throw new SecurityException("Caller must be system");
+        }
         ComponentName profileOwner = getProfileOwner(userHandle);
         // Profile challenge is supported on N or newer release.
         return profileOwner != null &&