macOS hardened runtime issue - missing entitlements

Erik Joelsson erik.joelsson at oracle.com
Wed May 13 12:22:03 UTC 2020


Hello Adrián,

Your assessment seems correct and we are looking into it.

/Erik

On 2020-05-13 01:18, Adrián Ruiz Arroyo wrote:
> Hello,
>
> I filed an issue a few days ago (https://github.com/AdoptOpenJDK/openjdk-build/issues/1720) about restrictions on access to some resources when running a Java .jar (tested microphone, but suspect there are more resources involved, like camera):
>
>> Since upgrading to the hardened runtime version of the JDK, I can no longer access microphone input using the standard Java Sound API, only silence is captured when running my .jar file using the command line. While checking Console.app, I found that TCC is blocking microphone access in the background because of a missing entitlement:
>>
>> Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
>> This causes microphone access to be blocked without any user action:
>>
>> Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}, REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: '/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}; access to kTCCServiceMicrophone denied
>> This does not happen with file access: a dialog to provide access to "Documents" and "Downloads" appears when trying to access a file there.
> The missing entitlements mean the hardened runtime will block any access to some resources without showing a dialog for the user to “Accept” or “Deny” it. Moreover, macOS doesn’t allow adding permissions manually, so I found no way to bypass this. The only solution that I can think of right now is to add the required entitlements on JRE’s compilation so that access to these resources can be allowed or denied. Meanwhile, the workaround I found is to return to a version of JRE not using the hardened runtime, as these versions do show the dialog.
>
> Thank you for your time!
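
Added example, not code from this thread or from the JDK build: a POSIX shell check that pulls the entitlement named in a TCC log line of the shape quoted above and tests whether a binary's entitlements plist grants it. The two plist texts are constructed stand-ins for what `codesign -d --entitlements :- <jdk>/Contents/Home/bin/java` prints, and the function names are my own.

```shell
# Constructed TCC log line, in the shape of the Console.app entry quoted in the report.
TCC_LOG="Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: '/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}"

# Print "service=entitlement" from a "requires entitlement ... but it is missing" line
# (prints nothing for lines of another shape).
required_entitlement() {
    printf '%s\n' "$1" |
        sed -n 's/.*service: \([A-Za-z]*\) requires entitlement \([A-Za-z.-]*\) but it is missing.*/\1=\2/p'
}

# Constructed stand-in for `codesign -d --entitlements :- <jdk>/bin/java` output on a
# hardened-runtime JDK signed without the microphone entitlement.
ENTITLEMENTS_MISSING='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>'

# The same entitlements with com.apple.security.device.audio-input granted, which is
# what lets TCC show its Allow/Deny prompt instead of denying silently.
ENTITLEMENTS_FIXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>'

# Succeed if the entitlements plist in $1 grants key $2 (present and set to <true/>).
# Whitespace is stripped first so the key/value pair can be matched as one fixed string.
has_entitlement() {
    printf '%s' "$1" | tr -d '[:space:]' | grep -qF "<key>$2</key><true/>"
}

# Given a TCC log line and the binary's entitlements, succeed when the binary carries the
# entitlement TCC asked for (the user gets a prompt); fail when TCC would deny silently.
# Exit 2 when the line does not name a missing entitlement.
satisfies_tcc() {
    ent=$(required_entitlement "$1" | cut -d= -f2)
    [ -n "$ent" ] || return 2
    has_entitlement "$2" "$ent"
}

# Stand-alone run: report both cases.
satisfies_tcc "$TCC_LOG" "$ENTITLEMENTS_MISSING" && echo "missing: prompt" || echo "missing: silent deny"
satisfies_tcc "$TCC_LOG" "$ENTITLEMENTS_FIXED" && echo "fixed: prompt" || echo "fixed: silent deny"
```

On a real machine, feed `satisfies_tcc` the log line from Console.app and the output of `codesign -d --entitlements :- <jdk>/Contents/Home/bin/java` to confirm which entitlement the signature lacks.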
