RFR: JDK-8244951: Missing entitlements for hardened runtime
Magnus Ihse Bursie
magnus.ihse.bursie at oracle.com
Thu May 14 07:04:43 UTC 2020
On 2020-05-13 19:48, Erik Joelsson wrote:
> As was pointed out by Adrián Ruiz Arroyo, when signing our macosx
> builds with hardened runtime enabled, we are currently missing the
> entitlement for using the microphone. This patch is correcting that.
> It would be good if I could get help verifying that the microphone is
> actually usable with this change.
>
> This extra entitlement should only ever be needed by either the java
> launcher or a jpackaged app launcher. Because of this, I made a
> special entitlements file for the java launcher. I also took the
> liberty of reducing the entitlements granted to the jspawnhelper
> executable (something we were already doing internally).
>
> Since this also applies to the file bundled with jpackage, I figured
> we shouldn't be maintaining multiple copies of these entitlements
> files, so I added a gensrc step to jdk.incubating.jpackage that simply
> copies the entitlements file used by the build.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8244951
>
> Webrev: http://cr.openjdk.java.net/~erikj/8244951/webrev.01/index.html
Looks good to me.
Maybe, if anything, I'm not entirely sure about the "hidden", automatic
replacement of the default.plist file based on the name of the
executable. An alternative here would be to add an extra argument to
SetupNativeCompilation that points to a different plist file. I think
that would make it more explicit at the creation of jspawnhelper and the
java binary, that they are using a non-standard entitlements file.
I'll leave it up to you if you want to keep things as they are in the
patch, or if you want to modify it to my suggested behavior.
/Magnus
>
> /Erik
>