I'm working on a CI/CD solution based on VMs deployed from images. Each VM has an external disk attached. Most of the applications I need to run on a fresh OS require manual approval in a UI session for using that disk (Java, PowerShell, etc.).
This is a huge showstopper for my project. Is there a way to allow FDA for certain applications via the command line or bypass this check anyhow for testing purposes?
I'm trying to run a Java app (Jenkins agent) on macOS Catalina. I've noticed a strange difference in behaviour when I run different JDKs. The app uses an external volume, and that requires 'Files and Folders' or 'Full Disk Access' to be given through the TCC mechanism. When I run Oracle JDK 8u181 it works perfectly: a dialog popped up, and when consent was given it ran as expected.
However, when I ran the latest Oracle JDK 8u281, it did NOT show the confirmation dialog and the Java process got stuck. I tried to add the Full Disk Access (FDA) permission manually through the System Preferences / Privacy form, but it didn't help whatsoever.
If it makes any difference, the java process is run through the following sequence:
launchd - bash - pwsh - java
I tried to look through the log using
log stream --info --debug --signpost --predicate 'eventMessage contains[c] "tcc"' > /tmp/tcc.log
but didn't spot anything apart from the fact of disk access denial. See one of the log entries below:
Binary Images:
0x10107f000 - 0x10108dfff java (0) 97808bb8-580d-3f38-9044-b4f6cec58080 /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java
0x101600000 - 0x101c4bfff libjvm.dylib (0) 131bee22-7c2b-3195-a329-718bcdc429cd /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/jre/lib/server/libjvm.dylib
0x7fff324c7000 - 0x7fff32947ff3 com.apple.CoreFoundation (6.9 - 1675.129) db597dfa-08f8-379b-881e-b4fbdef347f1 /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x7fff6c571000 - 0x7fff6c5a7fff libdyld.dylib (750.5) ae420e8b-c04f-38f0-9195-7b7acb9ed801 /usr/lib/system/libdyld.dylib
0x7fff6c6cc000 - 0x7fff6c6f8ff7 libsystem_kernel.dylib (6153.101.6) 8c658b3d-4c50-3068-aca1-a69da839a66e /usr/lib/system/libsystem_kernel.dylib
0x7fff6c78e000 - 0x7fff6c798fff libsystem_pthread.dylib (416.100.3) fb288f3d-4c8c-3f35-abd3-aba5844529f1 /usr/lib/system/libsystem_pthread.dylib
2021-02-18 02:56:21.587280-0800 0x1571 Error 0x0 569 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: java(717) System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Violation: System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Process: java [717]
Path: /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java
Load Address: 0x10107f000
Identifier: java
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: pwsh [712]
Responsible: /bin/bash [/usr/local/bin/jenkins-runner.sh]
User ID: 501
Date/Time: 2021-02-18 02:56:21.535 PST
OS Version: Mac OS X 10.15.4 (19E2269)
Report Version: 8
MetaData: {"errno":1,"platform-binary":false,"operation":"file-write-data","rdev":0,"build":"Mac OS X 10.15.4 (19E2269)","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","vnode-type":"REGULAR-FILE","responsible-process-path":"/bin/bash","apple-internal":false,"mount-rdev":16777223,"platform-policy":true,"process":"java","profile":"platform","responsible-process-uid":501,"process-path":"/Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java","hardlinked":false,"uid":501,"action":"deny","hardware":"Mac","primary-filter-value":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","signing-id":"com.oracle.java.8u281.java","matched-user-intent-extension":false,"path":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","normalized_target":["Volumes","Data","Jenkins","remoting","logs","remoting.log.0.lck"],"flags":5,"matched-extension":false,"primary-filter":"path","responsible-process-user-uuid":"81D04F01-50FD-4944-8CE2-E23F8879D562","platform_binary":"no","responsible-process-hosted-path":"/usr/local/bin/jenkins-runner.sh","storage-class":"kTCCServiceSystemPolicyRemovableVolumes","pid":717,"team-id":"VB5E2TV963","summary":"deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","target":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","profile-flags":0}
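Added example (not part of the original post): a Python script that pulls the TCC-relevant fields out of sandboxd violation reports like the one above, so a captured log shows which service, process and responsible process each denial names. The sample log, its paths and its signing ID are constructed; the script assumes each report's MetaData JSON sits on one line and that the user-approval key names the TCC service, as it does in the report above.

```python
import json
from collections import Counter

# Constructed sample input, modelled on the report format shown in the post.
SAMPLE_LOG = '''\
2021-02-18 02:56:21.587280-0800 0x1571 Error 0x0 569 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: java(717) System Policy: deny(1) file-write-data /Volumes/Data/example.lck
Process: java [717]
MetaData: {"operation":"file-write-data","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","responsible-process-path":"/bin/bash","process-path":"/opt/example/bin/java","signing-id":"com.example.java","action":"deny","path":"/Volumes/Data/example.lck","pid":717}
MetaData: {"operation":"file-read-data","action":"deny","process-path":"/opt/example/bin/tool","path":"/private/tmp/x","pid":720}
MetaData: {truncated
'''

# Keys copied from the MetaData object in the post's report.
FIELDS = ("user-approval", "operation", "path", "process-path",
          "signing-id", "responsible-process-path")


def tcc_denials(log_text):
    """Yield one dict per denied operation whose report names a TCC service."""
    for line in log_text.splitlines():
        if not line.startswith("MetaData:"):
            continue
        try:
            meta = json.loads(line.split(":", 1)[1])
        except json.JSONDecodeError:
            continue  # truncated or wrapped report line: skip it
        if not isinstance(meta, dict):
            continue
        # Assumption: "user-approval" is present only for TCC-gated denials.
        if meta.get("action") != "deny" or "user-approval" not in meta:
            continue
        yield {key: meta.get(key) for key in FIELDS}


def summarize(log_text):
    """Count denials per (TCC service, process, responsible process)."""
    counts = Counter()
    for d in tcc_denials(log_text):
        counts[(d["user-approval"], d["process-path"],
                d["responsible-process-path"])] += 1
    return counts


if __name__ == "__main__":
    for (service, proc, responsible), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {service}: {proc} (responsible: {responsible})")
```

Run against the file written by the `log stream` command, it lists each denied service once per process and responsible-process pair, which makes differences between two JDK runs easy to compare.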