macOS hardened runtime issue - missing entitlements

Philip Race philip.race at oracle.com
Wed May 13 16:31:20 UTC 2020


Yes, we've read that page too :-)
The microphone is the only one that I am sure OpenJDK Java APIs need.
I don't think access to the calendar or address book is needed since
I expect it implies using macOS APIs we do not expose.

-phil.

On 5/13/20, 9:15 AM, Adrián Ruiz Arroyo wrote:
> I mentioned the camera as an example: there might be other 
> resources with restricted access and accessible through Java APIs that 
> are being blocked, but I’ve only confirmed the microphone as I use it 
> every day for testing.
>
> There is a list of resources here: 
> https://developer.apple.com/documentation/security/hardened_runtime, 
> at "Topics/Resource Access”. Don’t know which of these resources have 
> a corresponding Java API that may be failing to work under the 
> hardened runtime. I’ve read some of these resources are just really 
> directories (i.e. Calendars, Address Book) that contain sensible 
> information and are not accessible without the corresponding 
> entitlement, just as the microphone.
>
>
>> On 13 May 2020, at 17:43, Philip Race <philip.race at oracle.com> wrote:
>>
>> What OpenJDK functionality are you using that provides camera access 
>> ? I know of no such API.
>>
>> -phil.
>>
>>
>> On 5/13/20, 1:18 AM, Adrián Ruiz Arroyo wrote:
>>> Hello,
>>>
>>> I filed an issue a few days ago 
>>> (https://github.com/AdoptOpenJDK/openjdk-build/issues/1720) 
>>> about restrictions on access to some resources when running a Java 
>>> .jar (tested microphone, but suspect there are more resources 
>>> involved, like camera):
>>>
>>>> Since upgrading to the hardened runtime version of the JDK, I can 
>>>> no longer access microphone input using the standard Java Sound 
>>>> API, only silence is captured when running my .jar file using the 
>>>> command line. While checking Console.app, I found that TCC is 
>>>> blocking microphone access in the background because of a missing 
>>>> entitlement:
>>>>
>>>> Prompting policy for hardened runtime; service: 
>>>> kTCCServiceMicrophone requires entitlement 
>>>> com.apple.security.device.audio-input but it is missing for 
>>>> ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, 
>>>> binary path: 
>>>> '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, 
>>>> REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: 
>>>> '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
>>>> This causes microphone access to be blocked without any user action:
>>>>
>>>> Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, 
>>>> PID[2161], auid: 501, euid: 501, binary path: 
>>>> '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, 
>>>> REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: 
>>>> '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}; 
>>>> access to kTCCServiceMicrophone denied
>>>> This does not happen with file access: a dialog to provide access 
>>>> to "Documents" and "Downloads" appears when trying to access a file 
>>>> there.
>>> The missing entitlements mean the hardened runtime will block any 
>>> access to some resources without showing a dialog for the user to 
>>> “Accept” or “Deny” it. Moreover, macOS doesn’t allow adding 
>>> permissions manually, so I found no way to bypass this. The only 
>>> solution that I can think of right now is to add the required 
>>> entitlements on JRE’s compilation so that access to these resources 
>>> can be allowed or denied. Meanwhile, the workaround I found is to 
>>> return to a version of JRE not using the hardened runtime, as these 
>>> versions do show the dialog.
>>>
>>> Thank you for your time!
>
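The TCC log line quoted in the report carries the three facts needed to triage this kind of denial: the service (kTCCServiceMicrophone), the entitlement TCC expected, and the binary it holds responsible. The script below is an added example, not code from this thread or from OpenJDK/AdoptOpenJDK: it parses such a line and checks a codesign entitlements dump for the missing key. It assumes codesign(1) prints entitlements as an XML plist with `-d --entitlements :-` and shows the hardened-runtime flag as `flags=...(runtime)` in its CodeDirectory line; the sample plist is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the TCC denial line quoted above and
# check a codesign entitlements dump for the key TCC said was missing.

# Constructed one-line copy of the log line quoted in the report (Console shows it unwrapped).
SAMPLE_LOG="Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}"

# Constructed entitlements plist (hypothetical, not the real JDK's) in the XML form assumed
# for 'codesign -d --entitlements :- <binary>' output.
SAMPLE_ENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>'

# tcc_fields LOGLINE: print "<service> <entitlement> <responsible id> <binary path>".
# Only the ACC:{...} block is read, so the requester path in REQ:{...} is not picked up.
tcc_fields() {
  printf '%s\n' "$1" | sed -n "s/.*service: \([A-Za-z0-9]*\) requires entitlement \([A-Za-z0-9.-]*\) but it is missing for ACC:{ID: \([^,]*\),[^}]*binary path: '\([^']*\)'.*/\1 \2 \3 \4/p"
}

# has_entitlement PLIST_TEXT KEY: exit 0 when KEY is present and set to <true/>. Lines are
# joined first so the key and value may be on separate lines; KEY is matched as a regex.
has_entitlement() {
  printf '%s\n' "$1" | tr -d '\n' | grep -q "<key>$2</key>[[:space:]]*<true/>"
}

# check_binary PATH KEY: on macOS, report whether PATH is signed with the hardened runtime
# flag and whether it carries KEY. Returns 0 (present), 1 (missing) or 2 (cannot check).
# Assumes codesign(1) prints "flags=0x...(runtime)" in its CodeDirectory line when hardened.
check_binary() {
  bin="$1"; key="$2"
  [ -x "$bin" ] || { echo "$bin: not an executable file"; return 2; }
  command -v codesign >/dev/null 2>&1 || { echo "codesign not found; run this on macOS"; return 2; }
  flags=$(codesign -dv "$bin" 2>&1 | sed -n 's/^CodeDirectory.*flags=\([^ ]*\).*/\1/p')
  case "$flags" in *runtime*) hardened=yes ;; *) hardened=no ;; esac
  ents=$(codesign -d --entitlements :- "$bin" 2>/dev/null)
  if has_entitlement "$ents" "$key"; then
    echo "$bin: hardened=$hardened, $key present"; return 0
  fi
  echo "$bin: hardened=$hardened, $key missing (TCC denies without a prompt when hardened=yes)"
  return 1
}

# Usage: sh tcc_check.sh /path/to/java [entitlement-key]; the key defaults to the one named
# in the sample log line.
if [ $# -gt 0 ]; then
  check_binary "$1" "${2:-$(tcc_fields "$SAMPLE_LOG" | cut -d' ' -f2)}"
fi
```

On a non-macOS host only the parsing functions do real work; check_binary reports that it cannot run the codesign check.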


