Oracle Java 8u281 failed to obtain 'Files and Folders' permission

I'm trying to run a Java app (Jenkins agent) on macOS Catalina. I've noticed a strange difference in behaviour when I run different JDKs. The app uses an external volume and that requires 'Files and Folders' or 'Full Disk Access' to be given over TCC mechanism. When I run Oracle JDK 8u181 it works perfectly: a dialog popped up and when consent was given it run as expected.
 
However, when I run the latest Oracle JDK 8u281, it did NOT show the confirmation dialog and the Java process got stuck. I tried to add Full Disk Access (FDA) permission manually over System Preferences / Privacy form, but it didn't help whatsoever.
 
If it makes any difference, the java process is run through the following sequence:
Code Block
launchd -> bash -> pwsh -> java

I tried to look through the log using
Code Block
log stream --info --debug --signpost --predicate 'eventMessage contains[c] "tcc"'>/tmp/tcc.log

but didn't spot anything apart from the fact of disk access denial. See one of the log entries below:
Code Block
Binary Images:
0x10107f000 - 0x10108dfff java (0) <97808bb8-580d-3f38-9044-b4f6cec58080> /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java
0x101600000 - 0x101c4bfff libjvm.dylib (0) <131bee22-7c2b-3195-a329-718bcdc429cd> /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/jre/lib/server/libjvm.dylib
0x7fff324c7000 - 0x7fff32947ff3 com.apple.CoreFoundation (6.9 - 1675.129) <db597dfa-08f8-379b-881e-b4fbdef347f1> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x7fff6c571000 - 0x7fff6c5a7fff libdyld.dylib (750.5) <ae420e8b-c04f-38f0-9195-7b7acb9ed801> /usr/lib/system/libdyld.dylib
0x7fff6c6cc000 - 0x7fff6c6f8ff7 libsystem_kernel.dylib (6153.101.6) <8c658b3d-4c50-3068-aca1-a69da839a66e> /usr/lib/system/libsystem_kernel.dylib
0x7fff6c78e000 - 0x7fff6c798fff libsystem_pthread.dylib (416.100.3) <fb288f3d-4c8c-3f35-abd3-aba5844529f1> /usr/lib/system/libsystem_pthread.dylib
2021-02-18 02:56:21.587280-0800 0x1571 Error 0x0 569 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: java(717) System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Violation: System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Process: java [717]
Path: /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java
Load Address: 0x10107f000
Identifier: java
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: pwsh [712]
Responsible: /bin/bash [/usr/local/bin/jenkins-runner.sh]
User ID: 501
Date/Time: 2021-02-18 02:56:21.535 PST
OS Version: Mac OS X 10.15.4 (19E2269)
Report Version: 8
MetaData: {"errno":1,"platform-binary":false,"operation":"file-write-data","rdev":0,"build":"Mac OS X 10.15.4 (19E2269)","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","vnode-type":"REGULAR-FILE","responsible-process-path":"/bin/bash","apple-internal":false,"mount-rdev":16777223,"platform-policy":true,"process":"java","profile":"platform","responsible-process-uid":501,"process-path":"/Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java","hardlinked":false,"uid":501,"action":"deny","hardware":"Mac","primary-filter-value":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","signing-id":"com.oracle.java.8u281.java","matched-user-intent-extension":false,"path":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","normalized_target":["Volumes","Data","Jenkins","remoting","logs","remoting.log.0.lck"],"flags":5,"matched-extension":false,"primary-filter":"path","responsible-process-user-uuid":"81D04F01-50FD-4944-8CE2-E23F8879D562","platform_binary":"no","responsible-process-hosted-path":"/usr/local/bin/jenkins-runner.sh","storage-class":"kTCCServiceSystemPolicyRemovableVolumes","pid":717,"team-id":"VB5E2TV963","summary":"deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","target":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","profile-flags":0}


Answers

I'm trying to run a Java app

Define app in this context? It is a bundle with the .app extension and an Info.plist file that points to the main executable in Contents/MacOS?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
By 'app' I mean just a jar package, not a macOS app. So, the java process is run as java -jar agent.jar <ARGS>.

By app I mean just a jar package

Ah. Unfortunately I have no idea how that’s going to interact with TCC )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
In fact, there is some difference between Java runtimes. I managed to get 'Files and Folders' popup only for JDK 8u181. All other Java 8 versions (latest Azul, latest Adopt, latest Oracle) just can't do that. In cases not requiring access to external drive all versions work just fine.
I have a somewhat similar issue. Since Big Sur, one of my machines cannot read files from the Desktop (AdoptOpenJDK 11). Granting java full disk permissions didn't fix it. My app is distributed as an .app. The launcher uses /usr/libexec/java_home to find a suitable Java vendor, which -- in this case -- returns /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home.

What's most troubling is the "Application Foo is trying to Access the Desktop" popup doesn't show on the offending machine.