macOS hardened runtime issue - missing entitlements
Adrián Ruiz Arroyo
adruiza at inst.uc3m.es
Wed May 13 16:15:53 UTC 2020
I mentioned the camera as an example: there might be other resources with restricted access and accessible through Java APIs that are being blocked, but I’ve only confirmed the microphone as I use it everyday for testing.
There is a list of resources here: https://developer.apple.com/documentation/security/hardened_runtime, at "Topics/Resource Access". Don't know which of these resources have a corresponding Java API that may be failing to work under the hardened runtime. I've read some of these resources are just really directories (i.e. Calendars, Address Book) that contain sensitive information and are not accessible without the corresponding entitlement, just as the microphone.
> On 13 May 2020, at 17:43, Philip Race <philip.race at oracle.com> wrote:
>
> What OpenJDK functionality are you using that provides camera access ? I know of no such API.
>
> -phil.
>
>
> On 5/13/20, 1:18 AM, Adrián Ruiz Arroyo wrote:
>> Hello,
>>
>> I filed an issue a few days ago (https://github.com/AdoptOpenJDK/openjdk-build/issues/1720) about restrictions on access to some resources when running a Java .jar (tested microphone, but suspect there are more resources involved, like camera):
>>
>>> Since upgrading to the hardened runtime version of the JDK, I can no longer access microphone input using the standard Java Sound API, only silence is captured when running my .jar file using the command line. While checking Console.app, I found that TCC is blocking microphone access in the background because of a missing entitlement:
>>>
>>> Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
>>>
>>> This causes microphone access to be blocked without any user action:
>>>
>>> Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}; access to kTCCServiceMicrophone denied
>>>
>>> This does not happen with file access: a dialog to provide access to "Documents" and "Downloads" appears when trying to access a file there.
>> The missing entitlements mean the hardened runtime will block any access to some resources without showing a dialog for the user to "Accept" or "Deny" it. Moreover, macOS doesn't allow adding permissions manually, so I found no way to bypass this. The only solution that I can think of right now is to add the required entitlements on JRE's compilation so that access to these resources can be allowed or denied. Meanwhile, the workaround I found is to return to a version of JRE not using the hardened runtime, as these versions do show the dialog.
>>
>> Thank you for your time!
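As an added example (not from the thread or the OpenJDK project), the script below parses the two TCC log lines quoted above, as they appear in Console.app, and joins them so that a "missing entitlement" line and the matching "denied" line for the same binary, PID and service surface as one silent denial. The sample log is constructed from the lines quoted in the thread; the regexes are an assumption about the log format and cover only these two message shapes.

```python
import re

# Constructed sample: the two TCC lines quoted in the thread (Console.app output), one per element.
SAMPLE_LOG = [
    "Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement "
    "com.apple.security.device.audio-input but it is missing for ACC:{ID: net.java.openjdk.cmd, "
    "PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/"
    "adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, "
    "euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}",
    "Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, "
    "binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, "
    "REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/"
    "PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}; access to kTCCServiceMicrophone denied",
]

# First line type: a hardened-runtime binary lacks the entitlement the TCC service requires.
MISSING_RE = re.compile(
    r"service: (?P<service>kTCCService\w+) requires entitlement (?P<entitlement>[\w.\-]+) "
    r"but it is missing for ACC:\{ID: (?P<app>[\w.\-]+), PID\[(?P<pid>\d+)\].*?"
    r"binary path: '(?P<path>[^']+)'"
)
# Second line type: tccd refuses even to prompt, so the user never sees an Accept/Deny dialog.
DENIED_RE = re.compile(
    r"Policy disallows prompt for ACC:\{ID: (?P<app>[\w.\-]+), PID\[(?P<pid>\d+)\].*?"
    r"access to (?P<service>kTCCService\w+) denied"
)


def parse_tcc_lines(lines):
    """Join the two line types on (app id, pid, service); return one record per triple."""
    records = {}
    for line in lines:
        for regex, kind in ((MISSING_RE, "missing"), (DENIED_RE, "denied")):
            m = regex.search(line)
            if not m:
                continue
            key = (m["app"], int(m["pid"]), m["service"])
            rec = records.setdefault(key, {"app": key[0], "pid": key[1], "service": key[2]})
            if kind == "missing":
                rec["missing_entitlement"] = m["entitlement"]
                rec["binary"] = m["path"]
            else:
                rec["denied"] = True
            break
    return list(records.values())


def silent_denials(records):
    """Denials that happened because an entitlement was missing: blocked with no prompt at all."""
    return [r for r in records if r.get("denied") and "missing_entitlement" in r]
```

Running `silent_denials(parse_tcc_lines(SAMPLE_LOG))` on the constructed sample yields one record naming the java binary, PID 2161, kTCCServiceMicrophone and the missing com.apple.security.device.audio-input entitlement, which is exactly the condition the thread describes.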