Yes, we've read that page too :-)
The microphone is the only one that I am sure OpenJDK Java APIs need.
I don't think access to the calendar or address book is needed since
I expect it implies using macOS APIs we do not expose.
-phil.
On 5/13/20, 9:15 AM, Adrián Ruiz Arroyo wrote:
I mentioned the camera as an example: there might be other
resources with restricted access and accessible through Java APIs that
are being blocked, but I’ve only confirmed the microphone as I use it
every day for testing.
There is a list of resources here:
https://developer.apple.com/documentation/security/hardened_runtime,
at "Topics/Resource Access". Don’t know which of these resources have
a corresponding Java API that may be failing to work under the
hardened runtime. I’ve read some of these resources are just really
directories (i.e. Calendars, Address Book) that contain sensitive
information and are not accessible without the corresponding
entitlement, just as the microphone.
On 13 May 2020, at 17:43, Philip Race <philip.r...@oracle.com> wrote:
What OpenJDK functionality are you using that provides camera access?
I know of no such API.
-phil.
On 5/13/20, 1:18 AM, Adrián Ruiz Arroyo wrote:
Hello,
I filed an issue a few days ago
(https://github.com/AdoptOpenJDK/openjdk-build/issues/1720)
about restrictions on access to some resources when running a Java
.jar (tested microphone, but suspect there are more resources
involved, like camera):
Since upgrading to the hardened runtime version of the JDK, I can
no longer access microphone input using the standard Java Sound
API, only silence is captured when running my .jar file using the
command line. While checking Console.app, I found that TCC is
blocking microphone access in the background because of a missing
entitlement:
Prompting policy for hardened runtime; service:
kTCCServiceMicrophone requires entitlement
com.apple.security.device.audio-input but it is missing for
ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501,
binary path:
'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'},
REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path:
'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}
This causes microphone access to be blocked without any user action:
Policy disallows prompt for ACC:{ID: net.java.openjdk.cmd,
PID[2161], auid: 501, euid: 501, binary path:
'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'},
REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path:
'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'};
access to kTCCServiceMicrophone denied
This does not happen with file access: a dialog to provide access
to "Documents" and "Downloads" appears when trying to access a file
there.
The missing entitlements mean the hardened runtime will block any
access to some resources without showing a dialog for the user to
“Accept” or “Deny” it. Moreover, macOS doesn’t allow adding
permissions manually, so I found no way to bypass this. The only
solution that I can think of right now is to add the required
entitlements on JRE’s compilation so that access to these resources
can be allowed or denied. Meanwhile, the workaround I found is to
return to a version of JRE not using the hardened runtime, as these
versions do show the dialog.
Thank you for your time!
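
An added example, not part of the original messages: a small Python parser that reads the two tccd messages quoted in the report and reports which client binary lacks which entitlement, and whether access was denied without a prompt. The sample lines are the quoted messages joined onto one line each (an assumption about how the log is exported); all function and variable names are illustrative.

```python
import re
from collections import defaultdict

# The two tccd messages quoted in the thread, rebuilt as one line each
# (assumption: a text export of the log has one message per line).
ACC = ("ACC:{ID: net.java.openjdk.cmd, PID[2161], auid: 501, euid: 501, binary path: "
       "'/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/java'}")
REQ = ("REQ:{ID: com.apple.tccd, PID[154], auid: 0, euid: 0, binary path: "
       "'/System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd'}")
SAMPLE_LOG = [
    "Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires "
    f"entitlement com.apple.security.device.audio-input but it is missing for {ACC}, {REQ}",
    f"Policy disallows prompt for {ACC}, {REQ}; access to kTCCServiceMicrophone denied",
]

MISSING = re.compile(r"service: (?P<service>kTCCService\w+) requires entitlement "
                     r"(?P<entitlement>[\w.-]+) but it is missing for ACC:\{(?P<acc>[^}]*)\}")
DENIED = re.compile(r"Policy disallows prompt for ACC:\{(?P<acc>[^}]*)\}.*"
                    r"access to (?P<service>kTCCService\w+) denied")
ACC_FIELDS = re.compile(r"ID: (?P<id>[^,]+), PID\[\d+\].*binary path: '(?P<path>[^']+)'")


def summarize(lines):
    """Group TCC findings by (client binary path, TCC service)."""
    findings = defaultdict(
        lambda: {"client_id": None, "entitlement": None, "silently_denied": False})
    for line in lines:
        for pattern in (MISSING, DENIED):
            m = pattern.search(line)
            acc = ACC_FIELDS.search(m.group("acc")) if m else None
            if not acc:
                continue  # unrelated line, or an ACC block in an unexpected shape
            entry = findings[(acc.group("path"), m.group("service"))]
            entry["client_id"] = acc.group("id")
            if pattern is MISSING:
                entry["entitlement"] = m.group("entitlement")
            else:
                entry["silently_denied"] = True
    return dict(findings)


if __name__ == "__main__":
    for (path, service), info in summarize(SAMPLE_LOG).items():
        print(f"{path}: {service} needs {info['entitlement']}; "
              f"denied without prompt: {info['silently_denied']}")
```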