Re: macOS hardened runtime issue - missing entitlements

Wed, 13 May 2020 08:46:18 -0700

What OpenJDK functionality are you using that provides camera access ? I know of no such API. 

-phil.


On 5/13/20, 1:18 AM, Adrián Ruiz Arroyo wrote:

Hello,

I filled an issue a few days ago 
(https://github.com/AdoptOpenJDK/openjdk-build/issues/1720<https://github.com/AdoptOpenJDK/openjdk-build/issues/1720>)
 about restrictions on access to some resources when running a Java .jar (tested 
microphone, but suspect there are more resources involved, like camera):


Since upgrading to the hardened runtime version of the JDK, I can no longer 
access microphone input using the standard Java Sound API, only silence is 
captured when running my .jar file using the command line. While checking 
Console.app, I found that TCC is blocking microphone access in the background 
because of a missing entitlement:

Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires 
entitlement com.apple.security.device.audio-input but it is missing for 
ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: 
'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'},
 REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: 
'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
This causes microphone access to be blocked without any user action:

Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 
501, euid: 501, binary path: 
'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'},
 REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: 
'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}; 
access to kTCCServiceMicrophone denied
This does not happen with file access: a dialog to provide access to "Documents" and 
"Downloads" appears when trying to access a file there.

The missing entitlements means the hardened runtime will block any access to 
some resources without showing a dialog for the user to “Accept” or “Deny” it. 
Moreover, macOS doesn’t allow adding permissions manually, so I found no way to 
bypass this. The only solution that I can think of right now is to add the 
required entitlements on JRE’s compilation so that access to this resources can 
be allowed or denied. Meanwhile, the workaround I found is to return to a 
version of JRE not using the hardened runtime, as this versions do show the 
dialog.

Thank you for your time!

Reply via email to