What OpenJDK functionality are you using that provides camera access ? I
know of no such API.
-phil.
On 5/13/20, 1:18 AM, Adrián Ruiz Arroyo wrote:
Hello,
I filled an issue a few days ago
(https://github.com/AdoptOpenJDK/openjdk-build/issues/1720<https://github.com/AdoptOpenJDK/openjdk-build/issues/1720>)
about restrictions on access to some resources when running a Java .jar (tested
microphone, but suspect there are more resources involved, like camera):
Since upgrading to the hardened runtime version of the JDK, I can no longer
access microphone input using the standard Java Sound API, only silence is
captured when running my .jar file using the command line. While checking
Console.app, I found that TCC is blocking microphone access in the background
because of a missing entitlement:
Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires
entitlement com.apple.security.device.audio-input but it is missing for
ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path:
'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'},
REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path:
'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
This causes microphone access to be blocked without any user action:
Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd, PID[2161], auid:
501, euid: 501, binary path:
'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'},
REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path:
'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'};
access to kTCCServiceMicrophone denied
This does not happen with file access: a dialog to provide access to "Documents" and
"Downloads" appears when trying to access a file there.
The missing entitlements means the hardened runtime will block any access to
some resources without showing a dialog for the user to “Accept” or “Deny” it.
Moreover, macOS doesn’t allow adding permissions manually, so I found no way to
bypass this. The only solution that I can think of right now is to add the
required entitlements on JRE’s compilation so that access to this resources can
be allowed or denied. Meanwhile, the workaround I found is to return to a
version of JRE not using the hardened runtime, as this versions do show the
dialog.
Thank you for your time!