On 2020-05-13 19:48, Erik Joelsson wrote:
As was pointed out by Adrián Ruiz Arroyo, when signing our macosx
builds with hardened runtime enabled, we are currently missing the
entitlement for using the microphone. This patch is correcting that.
It would be good if I could get help verifying that the microphone is
actually usable with this change.

This extra entitlement should only ever be needed by either the java
launcher or a jpackaged app launcher. Because of this, I made a
special entitlements file for the java launcher. I also took the
liberty of reducing the entitlements granted to the jspawnhelper
executable (something we were already doing internally).

Since this also applies to the file bundled with jpackage, I figured
we shouldn't be maintaining multiple copies of these entitlements
files, so I added a gensrc step to jdk.incubating.jpackage that simply
copies the entitlements file used by the build.

Bug: https://bugs.openjdk.java.net/browse/JDK-8244951
Webrev: http://cr.openjdk.java.net/~erikj/8244951/webrev.01/index.html

Looks good to me.

Maybe, if anything, I'm not entirely sure about the "hidden", automatic
replacement of the default.plist file based on the name of the
executable. An alternative here would be to add an extra argument to
SetupNativeCompilation that points to a different plist file. I think
that would make it more explicit at the creation of jspawnhelper and the
java binary, that they are using a non-standard entitlements file.

I'll leave it up to you if you want to keep things as they are in the
patch, or if you want to modify it to my suggested behavior.

/Magnus
/Erik