Post

Replies

Boosts

Views

Activity

Oracle Java 8u281 failed to obtain 'Files and Folders' permission
I'm trying to run a Java app (Jenkins agent) on macOS Catalina. I've noticed a strange difference in behaviour when I run different JDKs. The app uses an external volume and that requires 'Files and Folders' or 'Full Disk Access' to be given over TCC mechanism. When I run Oracle JDK 8u181 it works perfectly: a dialog popped up and when consent was given it run as expected.   However, when I run the latest Oracle JDK 8u281, it did NOT show the confirmation dialog and the Java process got stuck. I tried to add Full Disk Access (FDA) permission manually over System Preferences / Privacy form, but it didn't help whatsoever.   If it makes any difference, the java process is run through the following sequence: launchd - bash - pwsh - java I tried to look through the log using log stream --info --debug --signpost --predicate 'eventMessage contains[c] "tcc"'/tmp/tcc.log but didn't spot anything apart from the fact of disk access denial. See one of the log entries below: Binary Images: 0x10107f000 - 0x10108dfff java (0) 97808bb8-580d-3f38-9044-b4f6cec58080 /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java 0x101600000 - 0x101c4bfff libjvm.dylib (0) 131bee22-7c2b-3195-a329-718bcdc429cd /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/jre/lib/server/libjvm.dylib 0x7fff324c7000 - 0x7fff32947ff3 com.apple.CoreFoundation (6.9 - 1675.129) db597dfa-08f8-379b-881e-b4fbdef347f1 /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x7fff6c571000 - 0x7fff6c5a7fff libdyld.dylib (750.5) ae420e8b-c04f-38f0-9195-7b7acb9ed801 /usr/lib/system/libdyld.dylib 0x7fff6c6cc000 - 0x7fff6c6f8ff7 libsystem_kernel.dylib (6153.101.6) 8c658b3d-4c50-3068-aca1-a69da839a66e /usr/lib/system/libsystem_kernel.dylib 0x7fff6c78e000 - 0x7fff6c798fff libsystem_pthread.dylib (416.100.3) fb288f3d-4c8c-3f35-abd3-aba5844529f1 /usr/lib/system/libsystem_pthread.dylib 2021-02-18 02:56:21.587280-0800 0x1571 Error 0x0 569 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: java(717) System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck Violation: System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck Process: java [717] Path: /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java Load Address: 0x10107f000 Identifier: java Version: ??? (???) Code Type: x86_64 (Native) Parent Process: pwsh [712] Responsible: /bin/bash [/usr/local/bin/jenkins-runner.sh] User ID: 501 Date/Time: 2021-02-18 02:56:21.535 PST OS Version: Mac OS X 10.15.4 (19E2269) Report Version: 8 MetaData: {"errno":1,"platform-binary":false,"operation":"file-write-data","rdev":0,"build":"Mac OS X 10.15.4 (19E2269)","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","vnode-type":"REGULAR-FILE","responsible-process-path":"/bin/bash","apple-internal":false,"mount-rdev":16777223,"platform-policy":true,"process":"java","profile":"platform","responsible-process-uid":501,"process-path":"/Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java","hardlinked":false,"uid":501,"action":"deny","hardware":"Mac","primary-filter-value":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","signing-id":"com.oracle.java.8u281.java","matched-user-intent-extension":false,"path":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","normalized_target":["Volumes","Data","Jenkins","remoting","logs","remoting.log.0.lck"],"flags":5,"matched-extension":false,"primary-filter":"path","responsible-process-user-uuid":"81D04F01-50FD-4944-8CE2-E23F8879D562","platform_binary":"no","responsible-process-hosted-path":"/usr/local/bin/jenkins-runner.sh","storage-class":"kTCCServiceSystemPolicyRemovableVolumes","pid":717,"team-id":"VB5E2TV963","summary":"deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","target":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","profile-flags":0}
5
0
2.1k
Feb ’21
Automatic control or bypassing of Full Disk Access restriction
I'm working on a CI/CD solution based on VMs deployed from images. Each VM has an external disk attached. Most of the applications I need to run on fresh OS require manual approval in a UI session for using that disk (java, powershell, etc). This is a huge showstopper for my project. Is there a way to allow FDA for certain applications via command line or bypass this check anyhow for testing purposes ?
1
0
915
Feb ’21