macOS hardened runtime issue - missing entitlements

Adrián Ruiz Arroyo adruiza at inst.uc3m.es
Wed May 13 08:18:33 UTC 2020 

Hello,

I filled an issue a few days ago (https://github.com/AdoptOpenJDK/openjdk-build/issues/1720 <https://github.com/AdoptOpenJDK/openjdk-build/issues/1720>) about restrictions on access to some resources when running a Java .jar (tested microphone, but suspect there are more resources involved, like camera):

> Since upgrading to the hardened runtime version of the JDK, I can no longer access microphone input using the standard Java Sound API, only silence is captured when running my .jar file using the command line. While checking Console.app, I found that TCC is blocking microphone access in the background because of a missing entitlement:
> 
> Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
> This causes microphone access to be blocked without any user action:
> 
> Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}; access to kTCCServiceMicrophone denied
> This does not happen with file access: a dialog to provide access to "Documents" and "Downloads" appears when trying to access a file there.

The missing entitlements means the hardened runtime will block any access to some resources without showing a dialog for the user to “Accept” or “Deny” it. Moreover, macOS doesn’t allow adding permissions manually, so I found no way to bypass this. The only solution that I can think of right now is to add the required entitlements on JRE’s compilation so that access to this resources can be allowed or denied. Meanwhile, the workaround I found is to return to a version of JRE not using the hardened runtime, as this versions do show the dialog.

Thank you for your time!

More information about the build-dev mailing list