Oracle Java 8u281 failed to obtain 'Files and Folders' permission

App & System Services Core OS
ineshik
ineshik OP
Created Feb ’21
Replies 5
Boosts 0
Views 2.2k
Participants 3
I'm trying to run a Java app (Jenkins agent) on macOS Catalina. I've noticed a strange difference in behaviour when I run different JDKs. The app uses an external volume and that requires 'Files and Folders' or 'Full Disk Access' to be given over TCC mechanism. When I run Oracle JDK 8u181 it works perfectly: a dialog popped up and when consent was given it run as expected.
 
However, when I run the latest Oracle JDK 8u281, it did NOT show the confirmation dialog and the Java process got stuck. I tried to add Full Disk Access (FDA) permission manually over System Preferences / Privacy form, but it didn't help whatsoever.
 
If it makes any difference, the java process is run through the following sequence: 
Code Block launchd -> bash -> pwsh -> java

I tried to look through the log using
Code Block log stream --info --debug --signpost --predicate 'eventMessage contains[c] "tcc"'>/tmp/tcc.log

but didn't spot anything apart from the fact of disk access denial. See one of the log entries below:
Code Block Binary Images:       0x10107f000 -        0x10108dfff  java (0) <97808bb8-580d-3f38-9044-b4f6cec58080> /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java       0x101600000 -        0x101c4bfff  libjvm.dylib (0) <131bee22-7c2b-3195-a329-718bcdc429cd> /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/jre/lib/server/libjvm.dylib    0x7fff324c7000 -     0x7fff32947ff3  com.apple.CoreFoundation (6.9 - 1675.129) <db597dfa-08f8-379b-881e-b4fbdef347f1> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation    0x7fff6c571000 -     0x7fff6c5a7fff  libdyld.dylib (750.5) <ae420e8b-c04f-38f0-9195-7b7acb9ed801> /usr/lib/system/libdyld.dylib    0x7fff6c6cc000 -     0x7fff6c6f8ff7  libsystem_kernel.dylib (6153.101.6) <8c658b3d-4c50-3068-aca1-a69da839a66e> /usr/lib/system/libsystem_kernel.dylib    0x7fff6c78e000 -     0x7fff6c798fff  libsystem_pthread.dylib (416.100.3) <fb288f3d-4c8c-3f35-abd3-aba5844529f1> /usr/lib/system/libsystem_pthread.dylib2021-02-18 02:56:21.587280-0800 0x1571     Error       0x0                  569    0    sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: java(717) System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lckViolation:       System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck Process:         java [717]Path:            /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/javaLoad Address:    0x10107f000Identifier:      javaVersion:         ??? (???)Code Type:       x86_64 (Native)Parent Process:  pwsh [712]Responsible:     /bin/bash [/usr/local/bin/jenkins-runner.sh]User ID:         501Date/Time:       2021-02-18 02:56:21.535 PSTOS Version:      Mac OS X 10.15.4 (19E2269)Report Version:  8MetaData: {"errno":1,"platform-binary":false,"operation":"file-write-data","rdev":0,"build":"Mac OS X 10.15.4 (19E2269)","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","vnode-type":"REGULAR-FILE","responsible-process-path":"/bin/bash","apple-internal":false,"mount-rdev":16777223,"platform-policy":true,"process":"java","profile":"platform","responsible-process-uid":501,"process-path":"/Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java","hardlinked":false,"uid":501,"action":"deny","hardware":"Mac","primary-filter-value":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","signing-id":"com.oracle.java.8u281.java","matched-user-intent-extension":false,"path":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","normalized_target":["Volumes","Data","Jenkins","remoting","logs","remoting.log.0.lck"],"flags":5,"matched-extension":false,"primary-filter":"path","responsible-process-user-uuid":"81D04F01-50FD-4944-8CE2-E23F8879D562","platform_binary":"no","responsible-process-hosted-path":"/usr/local/bin/jenkins-runner.sh","storage-class":"kTCCServiceSystemPolicyRemovableVolumes","pid":717,"team-id":"VB5E2TV963","summary":"deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","target":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","profile-flags":0}


Replies  5
Boosts  0
Views  2.2k
Participants  3
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Feb ’21

I'm trying to run a Java app

Define app in this context? It is a bundle with the .app extension and an Info.plist file that points to the main executable in Contents/MacOS?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
0
ineshik
ineshik OP
Feb ’21
By 'app' I mean just a jar package, not a macOS app. So, the java process is run as java -jar agent.jar <ARGS>.
0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Feb ’21

By app I mean just a jar package

Ah. Unfortunately I have no idea how that’s going to interact with TCC )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
0
ineshik
ineshik OP
Feb ’21
In fact, there is some difference between Java runtimes. I managed to get 'Files and Folders' popup only for JDK 8u181. All other Java 8 versions (latest Azul, latest Adopt, latest Oracle) just can't do that. In cases not requiring access to external drive all versions work just fine.
0
tresf
tresf OP
Mar ’21
I have a somewhat similar issue. Since Big Sur, one of my machines cannot read files from the Desktop (AdoptOpenJDK 11). Granting java full disk permissions didn't fix it. My app is distributed as an .app. The launcher uses /usr/libexec/java_home to find a suitable Java vendor, which -- in this case -- returns /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home.

What's most troubling is the "Application Foo is trying to Access the Desktop" popup doesn't show on the offending machine.
0
Oracle Java 8u281 failed to obtain 'Files and Folders' permission
First post date Last post date
 
 
Q